
smart virus eliminator


  • This topic is locked
12 replies to this topic

#1 Terry Smith

Terry Smith

  • Members
  • 21 posts

Posted 01 September 2009 - 10:22 AM

Hello and thanks in advance for the help. I've removed this infection (a virus referred to as "smart virus eliminator") a couple of times now using Malwarebytes, but it never seems to get it all (thus prompting a return). It prevented access to Task Manager and regedit and any other administrative tools, although now use of regedit has returned. The following are the logs requested in your tutorial:

DDS.txt


DDS (Ver_09-07-30.01) - NTFSx86
Run by Administrator at 8:46:16.03 on 01/09/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.362 [GMT -6:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
AV: Smart Virus Eliminator *On-access scanning enabled* (Updated) {B9F77C86-40C9-4391-8575-62B017970E79}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
FW: Smart Virus Eliminator *enabled* {FC7C69EF-A04C-48B2-AAC2-5E3F3362B37D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
C:\WINDOWS\system32\rserver30\RServer3.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\rserver30\FamItrfc.Exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://www.dell.ca/myway
mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\16.5.0.135\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\16.5.0.135\IPSBHO.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.5.0.135\coIEPlg.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [<NO NAME>]
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by138fd.bay138.hotmail.msn.com/resources/MsnPUpld.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1214519097858
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} - hxxp://www.imgag.com/cp/install/AxCtp2.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CCA0B877-CB5E-4ADC-AD30-457C379512DD} - hxxp://70.64.192.253/xplugLiteTW.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://mtistudios.webex.com/client/T25L/sales/ieatgpc.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\engine\16.5.0.135\CoIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\chsgyphq.default\
FF - plugin: c:\program files\picasa2\npPicasa2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1005000.087\SymEFA.sys [2009-8-29 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1005000.087\BHDrvx86.sys [2009-8-29 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1005000.087\cchpx86.sys [2009-8-29 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090810.001\IDSXpx86.sys [2009-8-29 276344]
R1 raddrvv3;raddrvv3;c:\windows\system32\rserver30\raddrvv3.sys [2008-4-24 45848]
R2 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\engine\16.5.0.135\ccSvcHst.exe [2009-8-29 115560]
R2 RServer3;Radmin Server V3;c:\windows\system32\rserver30\rserver3.exe [2008-4-24 1238344]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-29 102448]
R3 mirrorv3;mirrorv3;c:\windows\system32\drivers\rminiv3.sys [2006-11-1 3328]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090831.041\NAVENG.SYS [2009-9-1 84912]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090831.041\NAVEX15.SYS [2009-9-1 1323568]

=============== Created Last 30 ================

2009-09-01 08:37 <DIR> --d----- c:\program files\Trend Micro
2009-08-31 11:01 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-08-31 11:01 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-08-31 11:00 <DIR> --d----- C:\acd3b0bab68c1154bd8721257c
2009-08-31 11:00 21,504 a------- c:\windows\system32\drivers\hidserv.dll
2009-08-29 16:27 <DIR> --d----- c:\program files\SmartClose
2009-08-29 13:58 36,400 a----r-- c:\windows\system32\drivers\SymIM.sys
2009-08-29 13:58 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-08-29 13:58 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-08-29 13:58 7,386 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-08-29 13:58 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-08-29 13:58 <DIR> --d----- c:\program files\Symantec
2009-08-29 13:58 <DIR> --d----- c:\windows\system32\drivers\NIS
2009-08-29 13:58 <DIR> --d----- c:\program files\Norton Internet Security
2009-08-29 13:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
2009-08-29 13:57 <DIR> --d----- c:\program files\NortonInstaller
2009-08-29 13:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-08-29 12:08 <DIR> --dsh--- c:\documents and settings\administrator\IECompatCache
2009-08-26 16:07 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-08-25 13:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-08-24 14:14 <DIR> --d----- c:\docume~1\admini~1\applic~1\Windows Search
2009-08-24 13:30 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-08-24 13:30 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-24 13:30 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-24 13:30 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-24 13:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-24 13:26 <DIR> --dsh--- c:\documents and settings\administrator\PrivacIE
2009-08-24 13:24 <DIR> --dsh--- c:\documents and settings\administrator\IETldCache
2009-08-13 11:06 <DIR> --d----- c:\program files\common files\ODBC
2009-08-12 11:23 128,512 -------- c:\windows\system32\dllcache\dhtmled.ocx
2009-08-12 11:23 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll
2009-08-05 03:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll

==================== Find3M ====================

2009-08-05 03:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-19 18:48 11,067,392 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 07:18 5,937,152 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-17 13:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 13:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 23:43 10,841,088 a------- c:\windows\system32\dllcache\wmp.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-03 11:09 915,456 a------- c:\windows\system32\wininet.dll
2009-07-03 11:09 915,456 -------- c:\windows\system32\dllcache\wininet.dll
2009-07-03 11:09 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-07-03 11:09 1,208,832 -------- c:\windows\system32\dllcache\urlmon.dll
2009-07-03 11:09 206,848 -------- c:\windows\system32\dllcache\occache.dll
2009-07-03 11:09 594,432 -------- c:\windows\system32\dllcache\msfeeds.dll
2009-07-03 11:09 55,296 -------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-03 11:09 1,985,536 -------- c:\windows\system32\dllcache\iertutil.dll
2009-07-03 11:09 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-07-03 11:09 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-07-03 11:09 184,320 -------- c:\windows\system32\dllcache\iepeers.dll
2009-07-03 11:09 386,048 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-07-03 05:01 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-07-01 01:08 101,376 -------- c:\windows\system32\dllcache\iecompat.dll
2009-06-29 10:12 133,120 a------- c:\windows\system32\dllcache\extmgr.dll
2009-06-29 05:07 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-06-25 02:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 02:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 02:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 02:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 02:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 02:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-25 02:25 730,112 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-06-25 02:25 301,568 -------- c:\windows\system32\dllcache\kerberos.dll
2009-06-25 02:25 147,456 -------- c:\windows\system32\dllcache\schannel.dll
2009-06-25 02:25 136,192 -------- c:\windows\system32\dllcache\msv1_0.dll
2009-06-25 02:25 56,832 -------- c:\windows\system32\dllcache\secur32.dll
2009-06-25 02:25 54,272 -------- c:\windows\system32\dllcache\wdigest.dll
2009-06-24 05:18 92,928 -------- c:\windows\system32\dllcache\ksecdd.sys
2009-06-16 08:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 08:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 08:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 08:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-12 06:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 06:31 80,896 -------- c:\windows\system32\dllcache\tlntsess.exe
2009-06-12 06:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-12 06:31 76,288 -------- c:\windows\system32\dllcache\telnet.exe
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 09:19 2,066,432 -------- c:\windows\system32\dllcache\mstscax.dll
2009-06-10 08:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 08:13 84,992 -------- c:\windows\system32\dllcache\avifil32.dll
2009-06-10 00:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-10 00:14 132,096 -------- c:\windows\system32\dllcache\wkssvc.dll
2009-06-03 13:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 13:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2006-03-02 11:50 664 a------- c:\program files\INSTALL.LOG
1998-10-07 17:16 148,480 a------- c:\program files\UNWISE.EXE
2006-03-29 15:15 104 ---shr-- c:\windows\system32\BAFD25DE35.sys
2006-03-29 15:15 4,184 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-04-14 05:42 413,696 a--sh--- c:\windows\system32\msvcp60.dll
2008-04-14 05:42 551,936 ---sh--- c:\windows\system32\oleaut32.dll
2008-04-14 05:42 84,992 ---sh--- c:\windows\system32\olepro32.dll
2008-04-14 05:42 11,776 ---sh--- c:\windows\system32\regsvr32.exe
2008-06-26 15:45 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008062620080627\index.dat

============= FINISH: 8:47:03.40 ===============
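
A small triage helper for DDS logs like the ones posted in this thread, added here as an illustration (it is not part of the original post and not the DDS tool's own code): it parses the Security Center lines and flags products outside an analyst allow-list (here the two "Smart Virus Eliminator" registrations), collects orphaned "No File" browser entries, and lists DPF controls downloaded from a bare IP address. The allow-list, the sample excerpt and the function names are my own assumptions and constructions.

```python
"""Triage helper for DDS-style logs: flags a Security Center product the
analyst does not recognise, browser hooks with no backing file ("No File"),
and an ActiveX control fetched from a bare IP rather than a hostname."""
import re
from ipaddress import ip_address

# Constructed excerpt: a handful of lines modelled on the DDS output in this
# thread, not the full log.  "hxxp" is DDS's own URL defanging, kept as-is.
SAMPLE_DDS = r"""
AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
AV: Smart Virus Eliminator *On-access scanning enabled* (Updated) {B9F77C86-40C9-4391-8575-62B017970E79}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
FW: Smart Virus Eliminator *enabled* {FC7C69EF-A04C-48B2-AAC2-5E3F3362B37D}

============== Pseudo HJT Report ===============

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CCA0B877-CB5E-4ADC-AD30-457C379512DD} - hxxp://70.64.192.253/xplugLiteTW.cab
"""

# Assumption: the analyst's allow-list of security products (lower-cased).
# Anything else that DDS found registered in Security Center gets flagged.
KNOWN_SECURITY_PRODUCTS = {"norton internet security"}

# "AV: <product> *<state>* (<defs>) {<guid>}"; the "(Updated)" part is
# absent on FW lines, so it is optional.
SECURITY_CENTER_RE = re.compile(
    r"^(?P<kind>AV|FW|AS): (?P<product>.+?) \*(?P<state>[^*]+)\*"
    r"(?: \((?P<defs>\w+)\))? \{(?P<guid>[0-9A-Fa-f-]{36})\}$"
)
ORPHAN_RE = re.compile(r"^(?:BHO|TB|mURLSearchHooks|uRun|mRun|SSODL): .*- No File$")
DPF_RE = re.compile(r"^DPF: \{[^}]+\} - (?P<url>hxxps?://\S+)$")


def parse_security_center(text):
    """One dict per AV/FW/AS line DDS read from WMI Security Center."""
    entries = []
    for line in text.splitlines():
        m = SECURITY_CENTER_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def rogue_security_products(entries, known=KNOWN_SECURITY_PRODUCTS):
    """Registered products outside the allow-list.  Rogue AV typically
    registers itself as both AV and FW under GUIDs of its own."""
    return [e for e in entries if e["product"].lower() not in known]


def orphaned_entries(text):
    """BHOs/toolbars/hooks whose backing file is gone: leftovers of an
    incomplete removal rather than active code, but worth cleaning up."""
    return [ln.strip() for ln in text.splitlines() if ORPHAN_RE.match(ln.strip())]


def dpf_from_bare_ip(text):
    """Downloaded Program Files (ActiveX) whose source is an IP literal;
    legitimate vendor controls are almost always served from a hostname."""
    hits = []
    for line in text.splitlines():
        m = DPF_RE.match(line.strip())
        if not m:
            continue
        host = re.sub(r"^hxxps?://", "", m["url"]).split("/", 1)[0].split(":")[0]
        try:
            ip_address(host)
        except ValueError:
            continue  # a normal hostname, not an IP literal
        hits.append({"url": m["url"], "host": host})
    return hits


def triage(text):
    """Run all three checks over a DDS log and return the findings."""
    entries = parse_security_center(text)
    return {
        "security_center": entries,
        "rogue_security_products": rogue_security_products(entries),
        "orphaned_entries": orphaned_entries(text),
        "dpf_from_bare_ip": dpf_from_bare_ip(text),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_DDS)
    for key in ("rogue_security_products", "orphaned_entries", "dpf_from_bare_ip"):
        print(f"== {key} ==")
        for item in report[key]:
            print("  ", item)
```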



#2 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts

Posted 16 September 2009 - 06:12 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#3 Terry Smith

Terry Smith
  • Topic Starter

  • Members
  • 21 posts

Posted 16 September 2009 - 11:26 PM

All right, I've run a fresh scan of the computer in question (which has not been powered on at all for the past 2 weeks). I doubt there should be much change from my initial post. The owner of this computer is eager to get it back, so any input you might have to offer would be a blessing, and of course, the sooner the blissinger! Regardless of the timing or the outcome, I appreciate your help.

Terry



DDS (Ver_09-07-30.01) - NTFSx86
Run by Administrator at 22:16:32.96 on 16/09/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.375 [GMT -6:00]

AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
AV: Smart Virus Eliminator *On-access scanning enabled* (Updated) {B9F77C86-40C9-4391-8575-62B017970E79}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
FW: Smart Virus Eliminator *enabled* {FC7C69EF-A04C-48B2-AAC2-5E3F3362B37D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
C:\WINDOWS\system32\rserver30\RServer3.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rserver30\FamItrfc.Exe
C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://www.dell.ca/myway
mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\16.5.0.135\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\16.5.0.135\IPSBHO.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.5.0.135\coIEPlg.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [<NO NAME>]
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by138fd.bay138.hotmail.msn.com/resources/MsnPUpld.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1214519097858
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} - hxxp://www.imgag.com/cp/install/AxCtp2.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CCA0B877-CB5E-4ADC-AD30-457C379512DD} - hxxp://70.64.192.253/xplugLiteTW.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://mtistudios.webex.com/client/T25L/sales/ieatgpc.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\engine\16.5.0.135\CoIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1005000.087\SymEFA.sys [2009-8-29 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1005000.087\BHDrvx86.sys [2009-8-29 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1005000.087\cchpx86.sys [2009-8-29 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090810.001\IDSXpx86.sys [2009-8-29 276344]
R1 raddrvv3;raddrvv3;c:\windows\system32\rserver30\raddrvv3.sys [2008-4-24 45848]
R2 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\engine\16.5.0.135\ccSvcHst.exe [2009-8-29 115560]
R2 RServer3;Radmin Server V3;c:\windows\system32\rserver30\rserver3.exe [2008-4-24 1238344]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-29 102448]
R3 mirrorv3;mirrorv3;c:\windows\system32\drivers\rminiv3.sys [2006-11-1 3328]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090901.054\NAVENG.SYS [2009-9-2 84912]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090901.054\NAVEX15.SYS [2009-9-2 1323568]

=============== Created Last 30 ================

2009-09-01 08:37 <DIR> --d----- c:\program files\Trend Micro
2009-08-31 11:01 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-08-31 11:01 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-08-31 11:00 <DIR> --d----- C:\acd3b0bab68c1154bd8721257c
2009-08-31 11:00 21,504 a------- c:\windows\system32\drivers\hidserv.dll
2009-08-29 16:27 <DIR> --d----- c:\program files\SmartClose
2009-08-29 13:58 36,400 a----r-- c:\windows\system32\drivers\SymIM.sys
2009-08-29 13:58 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-08-29 13:58 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-08-29 13:58 7,386 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-08-29 13:58 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-08-29 13:58 <DIR> --d----- c:\program files\Symantec
2009-08-29 13:58 <DIR> --d----- c:\windows\system32\drivers\NIS
2009-08-29 13:58 <DIR> --d----- c:\program files\Norton Internet Security
2009-08-29 13:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
2009-08-29 13:57 <DIR> --d----- c:\program files\NortonInstaller
2009-08-29 13:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-08-29 12:08 <DIR> --dsh--- c:\documents and settings\administrator\IECompatCache
2009-08-26 16:07 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-08-25 13:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-08-24 14:14 <DIR> --d----- c:\docume~1\admini~1\applic~1\Windows Search
2009-08-24 13:30 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-08-24 13:30 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-24 13:30 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-24 13:30 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-24 13:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-24 13:26 <DIR> --dsh--- c:\documents and settings\administrator\PrivacIE
2009-08-24 13:24 <DIR> --dsh--- c:\documents and settings\administrator\IETldCache

==================== Find3M ====================

2009-08-05 03:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 03:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-19 18:48 11,067,392 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 07:18 5,937,152 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-17 13:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 13:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 23:43 10,841,088 a------- c:\windows\system32\dllcache\wmp.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-10 07:27 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll
2009-07-03 11:09 915,456 a------- c:\windows\system32\wininet.dll
2009-07-03 11:09 915,456 -------- c:\windows\system32\dllcache\wininet.dll
2009-07-03 11:09 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-07-03 11:09 1,208,832 -------- c:\windows\system32\dllcache\urlmon.dll
2009-07-03 11:09 206,848 -------- c:\windows\system32\dllcache\occache.dll
2009-07-03 11:09 594,432 -------- c:\windows\system32\dllcache\msfeeds.dll
2009-07-03 11:09 55,296 -------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-03 11:09 1,985,536 -------- c:\windows\system32\dllcache\iertutil.dll
2009-07-03 11:09 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-07-03 11:09 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-07-03 11:09 184,320 -------- c:\windows\system32\dllcache\iepeers.dll
2009-07-03 11:09 386,048 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-07-03 05:01 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-07-01 01:08 101,376 -------- c:\windows\system32\dllcache\iecompat.dll
2009-06-29 10:12 133,120 a------- c:\windows\system32\dllcache\extmgr.dll
2009-06-29 05:07 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-06-25 02:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 02:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 02:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 02:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 02:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 02:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-25 02:25 730,112 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-06-25 02:25 301,568 -------- c:\windows\system32\dllcache\kerberos.dll
2009-06-25 02:25 147,456 -------- c:\windows\system32\dllcache\schannel.dll
2009-06-25 02:25 136,192 -------- c:\windows\system32\dllcache\msv1_0.dll
2009-06-25 02:25 56,832 -------- c:\windows\system32\dllcache\secur32.dll
2009-06-25 02:25 54,272 -------- c:\windows\system32\dllcache\wdigest.dll
2009-06-24 05:18 92,928 -------- c:\windows\system32\dllcache\ksecdd.sys
2006-03-02 11:50 664 a------- c:\program files\INSTALL.LOG
1998-10-07 17:16 148,480 a------- c:\program files\UNWISE.EXE
2006-03-29 15:15 104 ---shr-- c:\windows\system32\BAFD25DE35.sys
2006-03-29 15:15 4,184 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-04-14 05:42 413,696 a--sh--- c:\windows\system32\msvcp60.dll
2008-04-14 05:42 551,936 ---sh--- c:\windows\system32\oleaut32.dll
2008-04-14 05:42 84,992 ---sh--- c:\windows\system32\olepro32.dll
2008-04-14 05:42 11,776 ---sh--- c:\windows\system32\regsvr32.exe
2008-06-26 15:45 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008062620080627\index.dat

============= FINISH: 22:19:37.50 ===============


#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 17 September 2009 - 12:04 PM

Hi Terry Smith,

Welcome to the BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.

Download RootRepeal.exe from one of these download locations and save it to your desktop:
http://download.bleepingcomputer.com/rootr.../RootRepeal.exe
http://ad13.geekstogo.com/RootRepeal.exe
http://rootrepeal.psikotick.com/RootRepeal.exe
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Click Ok.
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


#5 Terry Smith

Terry Smith
  • Topic Starter

  • Members
  • 21 posts

Posted 17 September 2009 - 12:56 PM

Hey there farbar! Thanks for your help. Here are the results of the scan you requested.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/17 11:22
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF3D4E000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B24000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF1639000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SYMEFA.SYS
Image Path: SYMEFA.SYS
Address: 0xF73B4000 Size: 323584 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\administrator\local settings\temp\~df27ad.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\administrator\local settings\temp\~df3494.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\Documents and Settings\leyou.LEWOFFICE\Local Settings\Local Settings\Apps\2.0\HOX0VE4H.2DN\8GT8WNCE.MQO\manifests\clickonce_bootstrap.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\leyou.LEWOFFICE\Local Settings\Local Settings\Apps\2.0\HOX0VE4H.2DN\8GT8WNCE.MQO\manifests\clickonce_bootstrap.exe.manifest
Status: Locked to the Windows API!

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x86e505a8

#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x87082e20

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x86b28978

#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x86b20108

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x86bf54d0

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf402a040

#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x86c30170

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "<unknown>" at address 0x86ac0008

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x86c811f0

#: 057 Function Name: NtDebugActiveProcess
Status: Hooked by "<unknown>" at address 0x86b25108

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf402a2c0

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf402a820

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "<unknown>" at address 0x86b2ae90

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x86b338d0

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x86eda008

#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x86ee9808

#: 097 Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x86bbc608

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x86b33548

#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x86ed9c90

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x86b2e5b8

#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x86efc1d0

#: 125 Function Name: NtOpenSection
Status: Hooked by "<unknown>" at address 0x86aea108

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x86b2b5d0

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "<unknown>" at address 0x86ae8450

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x8708c8f8

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x86ef5e30

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x86b32be8

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "<unknown>" at address 0x86b0c050

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf402aa70

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x86a97050

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x86f17168

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x86f0c1d0

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x86d2c1e8

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x86eeefd0

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x86b346f8

Shadow SSDT
-------------------
#: 307 Function Name: NtUserAttachThreadInput
Status: Hooked by "<unknown>" at address 0x87094ab8

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "<unknown>" at address 0x86c7c100

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "<unknown>" at address 0x86c71db0

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "<unknown>" at address 0x86c79490

#: 428 Function Name: NtUserGetRawInputData
Status: Hooked by "<unknown>" at address 0x870aead8

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "<unknown>" at address 0x86eef520

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "<unknown>" at address 0x86ee45e0

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "<unknown>" at address 0x86bdb9d0

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "<unknown>" at address 0x86ca7df8

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "<unknown>" at address 0x86bef2f0

==EOF==
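
The SSDT and Shadow SSDT sections of the RootRepeal log above are what a helper reads first. As an added example, not part of this thread or of RootRepeal itself, the following Python script parses that log format, groups the hooked functions by the module RootRepeal attributed them to, and lists the entries reported as "<unknown>"; the sample input is an excerpt constructed from the posted log.

```python
import re
from collections import defaultdict

# Sample input: an excerpt constructed from the RootRepeal log posted in this
# thread (one non-hook section plus a few SSDT / Shadow SSDT entries, headers
# as RootRepeal prints them). Backslashes are doubled only for the literal.
SAMPLE_LOG = """\
Drivers
-------------------
Name: rootrepeal.sys

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\\WINDOWS\\system32\\Drivers\\SYMEVENT.SYS" at address 0xf402a040

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x86c811f0

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\\WINDOWS\\system32\\Drivers\\SYMEVENT.SYS" at address 0xf402a2c0

#: 097 Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x86bbc608

Shadow SSDT
-------------------
#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "<unknown>" at address 0x86c7c100

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "<unknown>" at address 0x86ca7df8

==EOF==
"""

HOOK_TABLES = ("SSDT", "Shadow SSDT")
UNKNOWN = "<unknown>"  # RootRepeal's label when the address lies in no loaded module image

ENTRY_RE = re.compile(r"^#:\s*(\d+)\s+Function Name:\s*(\S+)$")
STATUS_RE = re.compile(r'^Status:\s*Hooked by "(.+)" at address (0x[0-9a-fA-F]+)$')


def parse_hooks(log_text):
    """One dict per hooked entry in the SSDT / Shadow SSDT sections.

    A section header is a line immediately followed by a dashed rule; an entry
    is a '#: NNN Function Name: X' line followed by its 'Status:' line. Other
    sections (Drivers, Hidden/Locked Files, ...) are skipped, so the whole
    log can be fed in unchanged.
    """
    lines = [ln.strip() for ln in log_text.splitlines()]
    hooks, section, pending = [], None, None
    for i, line in enumerate(lines):
        if i + 1 < len(lines) and lines[i + 1].startswith("---"):
            section, pending = line, None  # header line
            continue
        if section not in HOOK_TABLES:
            continue
        m = ENTRY_RE.match(line)
        if m:
            pending = (int(m.group(1)), m.group(2))
            continue
        m = STATUS_RE.match(line)
        if m and pending is not None:
            hooks.append({"table": section, "index": pending[0],
                          "function": pending[1], "module": m.group(1),
                          "address": int(m.group(2), 16)})
            pending = None
    return hooks


def hooks_by_module(hooks):
    """Map each hooking module (or '<unknown>') to the sorted functions it hooks."""
    grouped = defaultdict(list)
    for h in hooks:
        grouped[h["module"]].append(h["function"])
    return {mod: sorted(funcs) for mod, funcs in grouped.items()}


def unattributed(hooks):
    """Entries RootRepeal could not tie to a module image: review these first."""
    return [h for h in hooks if h["module"] == UNKNOWN]


def triage_report(log_text):
    """Summarise a RootRepeal log: hook counts per table and per module."""
    hooks = parse_hooks(log_text)
    per_table = defaultdict(int)
    for h in hooks:
        per_table[h["table"]] += 1
    return {"total": len(hooks),
            "per_table": dict(per_table),
            "per_module": {m: len(f) for m, f in hooks_by_module(hooks).items()},
            "unattributed": [(h["table"], h["function"], hex(h["address"]))
                             for h in unattributed(hooks)]}


if __name__ == "__main__":
    report = triage_report(SAMPLE_LOG)
    print(f"{report['total']} hooks {report['per_table']} by module {report['per_module']}")
    for table, func, addr in report["unattributed"]:
        print(f"  unattributed: {table:12s} {func:26s} {addr}")
```

An "<unknown>" attribution only means the hook address was not inside any loaded module image; security suites such as the Norton product on this machine install hooks that way too, so the list is a starting point for review, not a verdict.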

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 17 September 2009 - 03:13 PM

  • Open your Malwarebytes' Anti-Malware.
    • First update it; to do that, under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy & paste the MBAM log.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


  • Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Posted Image


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image


    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.


#7 Terry Smith

Terry Smith
  • Topic Starter

  • Members
  • 21 posts

Posted 17 September 2009 - 06:14 PM

Thanks for the follow-up. As requested, the following are the two logs:

MBAM
Malwarebytes' Anti-Malware 1.40
Database version: 2713
Windows 5.1.2600 Service Pack 3

17/09/2009 4:18:00 PM
mbam-log-2009-09-17 (16-18-00).txt

Scan type: Quick Scan
Objects scanned: 149571
Time elapsed: 11 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Combofix


ComboFix 09-09-17.04 - Administrator 17/09/2009 17:01.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.468 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\kejon\cookies.txt
c:\documents and settings\laher\cookies.txt
c:\documents and settings\leyou.LEWOFFICE\Application Data\Microsoft\Installer\{CC000127-5E5D-4A1C-90CB-EEAAAC1E3AC0}\DPS_DTLink.CAA7B2BB_F373_4C0B_8C62_D4147E5C816B.exe
c:\documents and settings\leyou.LEWOFFICE\Application Data\Microsoft\Installer\{CC000127-5E5D-4A1C-90CB-EEAAAC1E3AC0}\DPS_SMLink.CAA7B2BB_F373_4C0B_8C62_D4147E5C816B.exe
c:\documents and settings\leyou\Application Data\Microsoft\Installer\{CC000127-5E5D-4A1C-90CB-EEAAAC1E3AC0}\DPS_DTLink.CAA7B2BB_F373_4C0B_8C62_D4147E5C816B.exe
c:\documents and settings\leyou\Application Data\Microsoft\Installer\{CC000127-5E5D-4A1C-90CB-EEAAAC1E3AC0}\DPS_SMLink.CAA7B2BB_F373_4C0B_8C62_D4147E5C816B.exe
c:\program files\INSTALL.LOG
c:\recycler\S-1-5-21-586913285-1961704955-1192319586-1005

.
((((((((((((((((((((((((( Files Created from 2009-08-17 to 2009-09-17 )))))))))))))))))))))))))))))))
.

2009-09-17 04:35 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-09-01 14:37 . 2009-09-01 14:37 -------- d-----w- c:\program files\Trend Micro
2009-08-31 17:00 . 2009-08-31 17:01 -------- d-----w- C:\acd3b0bab68c1154bd8721257c
2009-08-31 17:00 . 2008-04-14 11:41 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll
2009-08-29 22:27 . 2009-08-29 22:52 -------- d-----w- c:\program files\SmartClose
2009-08-29 19:58 . 2009-08-29 19:58 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys
2009-08-29 19:58 . 2009-09-17 17:30 -------- d-----w- c:\program files\Symantec
2009-08-29 19:58 . 2009-09-17 17:30 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-08-29 19:58 . 2009-09-17 17:30 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-08-29 19:58 . 2009-09-17 17:29 -------- d-----w- c:\windows\system32\drivers\NIS
2009-08-29 19:58 . 2009-08-29 19:58 -------- d-----w- c:\program files\Norton Internet Security
2009-08-29 19:58 . 2009-08-29 19:58 -------- d-----w- c:\program files\Windows Sidebar
2009-08-29 19:57 . 2009-08-29 19:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-08-29 19:57 . 2009-08-29 19:57 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-08-29 19:57 . 2009-08-29 19:57 -------- d-----w- c:\program files\NortonInstaller
2009-08-29 19:46 . 2009-08-29 19:47 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp
2009-08-29 19:41 . 2009-08-29 19:41 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-08-29 19:25 . 2009-08-29 19:25 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-29 18:08 . 2009-08-29 18:08 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2009-08-26 22:07 . 2009-08-27 07:01 -------- d-----w- C:\$AVG8.VAULT$
2009-08-25 19:06 . 2009-08-29 19:25 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-24 20:14 . 2009-08-24 20:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Search
2009-08-24 19:43 . 2009-08-24 19:43 -------- d-----w- c:\documents and settings\leyou.LEWOFFICE\Application Data\Malwarebytes
2009-08-24 19:30 . 2009-08-24 19:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-24 19:30 . 2009-08-03 19:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-24 19:30 . 2009-08-03 19:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-24 19:30 . 2009-08-24 19:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-24 19:30 . 2009-08-24 19:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-24 19:26 . 2009-08-24 19:26 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-08-24 19:24 . 2009-08-24 19:24 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-17 17:30 . 2009-08-29 19:58 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-09-17 17:30 . 2009-08-29 19:58 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-09-17 12:38 . 2008-06-26 22:41 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-31 17:01 . 2009-08-31 17:01 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-08-31 17:01 . 2009-08-31 17:01 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-08-31 01:31 . 2006-01-20 05:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-08-29 20:10 . 2006-01-20 05:39 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-05 09:01 . 2004-08-11 23:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-23 03:39 . 2007-12-07 19:47 -------- d-----w- c:\program files\QuickTime
2009-07-23 03:39 . 2006-02-14 21:19 -------- d-----w- c:\program files\OfficeUpdate11
2009-07-23 03:39 . 2006-01-20 05:34 -------- d-----w- c:\program files\Modem Helper
2009-07-23 03:39 . 2006-01-20 05:35 -------- d-----w- c:\program files\Common Files\AOL
2009-07-23 03:39 . 2006-12-19 17:50 -------- d-----w- c:\program files\ACD Systems
2009-07-22 23:36 . 2009-07-22 23:36 59152 ----a-w- c:\documents and settings\leyou.LEWOFFICE\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-22 20:04 . 2009-07-22 20:04 -------- d-----w- c:\documents and settings\leyou.LEWOFFICE\Application Data\ACD Systems
2009-07-22 20:04 . 2009-07-22 20:04 -------- d-----w- c:\documents and settings\leyou.LEWOFFICE\Application Data\Apple Computer
2009-07-22 20:04 . 2009-07-22 20:04 -------- d-----w- c:\documents and settings\leyou.LEWOFFICE\Application Data\AdobeUM
2009-07-22 20:04 . 2009-07-22 20:04 -------- d-----w- c:\documents and settings\leyou.LEWOFFICE\Application Data\Corel
2009-07-22 20:04 . 2009-07-22 20:04 -------- d-----w- c:\documents and settings\leyou.LEWOFFICE\Application Data\HP
2009-07-22 20:04 . 2009-07-22 20:04 -------- d-----w- c:\documents and settings\leyou.LEWOFFICE\Application Data\CyberLink
2009-07-22 20:04 . 2009-07-22 20:04 -------- d-----w- c:\documents and settings\leyou.LEWOFFICE\Application Data\Corel Photo Album
2009-07-22 20:04 . 2009-07-22 20:04 -------- d-----w- c:\documents and settings\leyou.LEWOFFICE\Application Data\Leadertech
2009-07-22 20:04 . 2009-07-22 20:04 -------- d-----w- c:\documents and settings\leyou.LEWOFFICE\Application Data\InstallShield
2009-07-22 20:03 . 2009-07-22 20:03 -------- d-----w- c:\documents and settings\leyou.LEWOFFICE\Application Data\Microsoft Web Folders
2009-07-22 20:03 . 2009-07-22 20:03 -------- d-----w- c:\documents and settings\leyou.LEWOFFICE\Application Data\Sonic
2009-07-22 20:03 . 2009-07-22 20:03 -------- d-----w- c:\documents and settings\leyou.LEWOFFICE\Application Data\Skinux
2009-07-22 20:03 . 2009-07-22 20:03 -------- d-----w- c:\documents and settings\leyou.LEWOFFICE\Application Data\Share-to-Web Upload Folder
2009-07-22 20:03 . 2009-07-22 20:03 -------- d-----w- c:\documents and settings\leyou.LEWOFFICE\Application Data\Windows Search
2009-07-22 20:03 . 2009-07-22 20:03 -------- d-----w- c:\documents and settings\leyou.LEWOFFICE\Application Data\Windows Desktop Search
2009-07-22 20:03 . 2009-07-22 20:03 -------- d-----w- c:\documents and settings\leyou.LEWOFFICE\Application Data\U3
2009-07-22 19:23 . 2007-03-01 18:56 -------- d-----w- c:\program files\Windows Media Connect 2
2009-07-22 19:21 . 2006-04-17 16:55 -------- d-----w- c:\program files\Print Professional
2009-07-22 19:21 . 2006-01-20 05:34 -------- d-----w- c:\program files\NetWaiting
2009-07-22 19:21 . 2006-01-20 05:37 -------- d-----w- c:\program files\Microsoft Plus! Photo Story 2 LE
2009-07-22 19:20 . 2008-02-27 20:15 -------- d-----w- c:\program files\iTunes
2009-07-22 19:20 . 2008-02-27 20:15 -------- d-----w- c:\program files\iPod
2009-07-22 19:19 . 2009-07-22 19:19 -------- d-----w- c:\program files\Dell Support
2009-07-22 19:19 . 2006-01-20 05:34 -------- d-----w- c:\program files\Classic PhoneTools
2009-07-22 19:14 . 2006-01-20 05:44 -------- d-----w- c:\documents and settings\All Users\Application Data\GTek
2009-07-22 18:14 . 2006-01-20 05:34 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-22 18:13 . 2009-07-22 18:13 59152 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-22 18:12 . 2009-07-22 18:15 -------- d-----w- c:\documents and settings\leyou.LEWOFFICE\Application Data\Gtek
2009-07-22 18:12 . 2006-04-14 00:34 -------- d--h--w- c:\documents and settings\Administrator.WJJONES\Application Data\Gtek
2009-07-22 18:12 . 2006-01-20 05:44 -------- d--h--w- c:\documents and settings\Administrator\Application Data\Gtek
2009-07-22 18:12 . 2006-04-14 00:44 -------- d-----w- c:\documents and settings\leyou\Application Data\Gtek
2009-07-22 18:10 . 2006-01-20 05:45 -------- d-----w- c:\program files\Dell
2009-07-17 19:01 . 2004-08-11 23:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 05:43 . 2004-08-11 23:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-08-11 23:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2004-08-11 23:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-11 23:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-11 23:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-11 23:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2004-08-11 23:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-11 23:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2004-08-11 23:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
1998-10-07 23:16 . 2006-03-02 17:50 148480 ----a-w- c:\program files\UNWISE.EXE
2006-03-29 21:15 . 2006-02-20 19:10 104 --sh--r- c:\windows\system32\BAFD25DE35.sys
2006-03-29 21:15 . 2006-02-20 19:10 4184 --sha-w- c:\windows\system32\KGyGaAvL.sys
2008-04-14 11:42 . 2004-08-11 23:00 413696 --sha-w- c:\windows\system32\msvcp60.dll
2008-04-14 11:42 . 2004-08-11 23:00 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 11:42 . 2004-08-11 23:00 84992 --sh--w- c:\windows\system32\olepro32.dll
2008-04-14 11:42 . 2004-08-11 23:00 11776 --sh--w- c:\windows\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-08-29 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-58316868-3914423799-2227292941-1105\Scripts\Logon\0\0]
"Script"=\\wjjones.com\sysvol\wjjones.com\scripts\login.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-58316868-3914423799-2227292941-1106\Scripts\Logon\0\0]
"Script"=\\wjjones.com\sysvol\wjjones.com\scripts\login.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-58316868-3914423799-2227292941-1107\Scripts\Logon\0\0]
"Script"=\\wjjones.com\sysvol\wjjones.com\scripts\login.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-58316868-3914423799-2227292941-1108\Scripts\Logon\0\0]
"Script"=\\wjjones.com\sysvol\wjjones.com\scripts\login.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-58316868-3914423799-2227292941-1125\Scripts\Logon\0\0]
"Script"=\\wjjones.com\sysvol\wjjones.com\scripts\login.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-58316868-3914423799-2227292941-500\Scripts\Logon\0\0]
"Script"=\\wjjones.com\sysvol\wjjones.com\scripts\login.cmd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare Software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\leyou.LEWOFFICE\\Desktop\\WS_FTP32.EXE"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1007020.00B\SymEFA.sys [17/09/2009 11:30 AM 310320]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090916.003\IDSXpx86.sys [16/09/2009 10:34 PM 329080]
R1 raddrvv3;raddrvv3;c:\windows\system32\rserver30\raddrvv3.sys [24/04/2008 8:49 AM 45848]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe [17/09/2009 11:30 AM 117640]
R2 RServer3;Radmin Server V3;c:\windows\system32\rserver30\rserver3.exe [24/04/2008 8:44 AM 1238344]
R3 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NIS\1005000.087\BHDrvx86.sys [29/08/2009 1:58 PM 258608]
R3 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1005000.087\cchpx86.sys [29/08/2009 1:58 PM 482352]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [29/08/2009 2:00 AM 102448]
R3 mirrorv3;mirrorv3;c:\windows\system32\drivers\rminiv3.sys [01/11/2006 6:01 AM 3328]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 20:57]

2009-09-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-586913285-1961704955-1192319586-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-29 19:44]

2009-09-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-586913285-1961704955-1192319586-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-29 19:44]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
DPF: {CCA0B877-CB5E-4ADC-AD30-457C379512DD} - hxxp://70.64.192.253/xplugLiteTW.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\chsgyphq.default\
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-17 17:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.7.2.11\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-586913285-1961704955-1192319586-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e0,80,a2,55,62,35,b9,4b,be,80,5e,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e0,80,a2,55,62,35,b9,4b,be,80,5e,\
.
Completion time: 2009-09-17 17:11
ComboFix-quarantined-files.txt 2009-09-17 23:11

Pre-Run: 188,238,110,720 bytes free
Post-Run: 188,636,921,856 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

214 --- E O F --- 2009-09-17 04:47

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:41 PM

Posted 18 September 2009 - 02:29 AM

MBAM
Malwarebytes' Anti-Malware 1.40
Database version: 2713
Windows 5.1.2600 Service Pack 3

It is not updated. The current Database version is 2818.
Please redo it again and post the log.

#9 Terry Smith

Terry Smith
  • Topic Starter

  • Members
  • 21 posts
  • Local time:05:41 PM

Posted 18 September 2009 - 08:21 AM

My apologies, Farbar. I noticed that I had forgotten to update the DB before the scan shortly after I ran it, so I ran it again after I updated. Here is the log from that scan:

Malwarebytes' Anti-Malware 1.41
Database version: 2818
Windows 5.1.2600 Service Pack 3

17/09/2009 6:01:08 PM
mbam-log-2009-09-17 (18-01-08).txt

Scan type: Quick Scan
Objects scanned: 147696
Time elapsed: 4 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:41 PM

Posted 18 September 2009 - 08:37 AM

No apology is needed Terry Smith.

  • Close any open browsers.

  • Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

        RegLock::
        [HKEY_USERS\S-1-5-21-586913285-1961704955-1192319586-500\Software\Microsoft\Internet Explorer\User Preferences]

    Save this as CFScript.txt, in the same location as ComboFix.exe

    Posted Image

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you ("C:\ComboFix.txt"). Please copy and paste the log to your reply.

    Note:
    Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

  • Please tell me how the computer is running.


#11 Terry Smith

Terry Smith
  • Topic Starter

  • Members
  • 21 posts
  • Local time:05:41 PM

Posted 18 September 2009 - 09:32 AM

Here's the log you asked for. In answer to your second question, the computer appears to be a little sluggish, but otherwise is running well. Thanks again!


ComboFix 09-09-17.04 - Administrator 18/09/2009 8:13.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.625 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFscript.txt
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((( Files Created from 2009-08-18 to 2009-09-18 )))))))))))))))))))))))))))))))
.

2009-09-17 04:35 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-09-01 14:37 . 2009-09-01 14:37 -------- d-----w- c:\program files\Trend Micro
2009-08-31 17:00 . 2009-08-31 17:01 -------- d-----w- C:\acd3b0bab68c1154bd8721257c
2009-08-31 17:00 . 2008-04-14 11:41 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll
2009-08-29 22:27 . 2009-08-29 22:52 -------- d-----w- c:\program files\SmartClose
2009-08-29 19:58 . 2009-08-22 07:21 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys
2009-08-29 19:58 . 2009-09-17 17:30 -------- d-----w- c:\program files\Symantec
2009-08-29 19:58 . 2009-09-17 17:30 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-08-29 19:58 . 2009-09-17 17:30 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-08-29 19:58 . 2009-09-18 14:05 -------- d-----w- c:\windows\system32\drivers\NIS
2009-08-29 19:58 . 2009-08-29 19:58 -------- d-----w- c:\program files\Norton Internet Security
2009-08-29 19:58 . 2009-08-29 19:58 -------- d-----w- c:\program files\Windows Sidebar
2009-08-29 19:57 . 2009-08-29 19:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-08-29 19:57 . 2009-08-29 19:57 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-08-29 19:57 . 2009-08-29 19:57 -------- d-----w- c:\program files\NortonInstaller
2009-08-29 19:46 . 2009-08-29 19:47 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp
2009-08-29 19:41 . 2009-08-29 19:41 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-08-29 19:25 . 2009-08-29 19:25 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-29 18:08 . 2009-08-29 18:08 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2009-08-26 22:07 . 2009-08-27 07:01 -------- d-----w- C:\$AVG8.VAULT$
2009-08-25 19:06 . 2009-08-29 19:25 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-24 20:14 . 2009-08-24 20:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Search
2009-08-24 19:43 . 2009-08-24 19:43 -------- d-----w- c:\documents and settings\leyou.LEWOFFICE\Application Data\Malwarebytes
2009-08-24 19:30 . 2009-08-24 19:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-24 19:30 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-24 19:30 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-24 19:30 . 2009-09-17 23:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-24 19:30 . 2009-08-24 19:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-24 19:26 . 2009-08-24 19:26 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-08-24 19:24 . 2009-08-24 19:24 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-17 17:30 . 2009-08-29 19:58 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-09-17 17:30 . 2009-08-29 19:58 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-09-17 12:38 . 2008-06-26 22:41 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-31 17:01 . 2009-08-31 17:01 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-08-31 17:01 . 2009-08-31 17:01 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-08-31 01:31 . 2006-01-20 05:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-08-29 20:10 . 2006-01-20 05:39 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-05 09:01 . 2004-08-11 23:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-23 03:39 . 2007-12-07 19:47 -------- d-----w- c:\program files\QuickTime
2009-07-23 03:39 . 2006-02-14 21:19 -------- d-----w- c:\program files\OfficeUpdate11
2009-07-23 03:39 . 2006-01-20 05:34 -------- d-----w- c:\program files\Modem Helper
2009-07-23 03:39 . 2006-01-20 05:35 -------- d-----w- c:\program files\Common Files\AOL
2009-07-23 03:39 . 2006-12-19 17:50 -------- d-----w- c:\program files\ACD Systems
2009-07-22 23:36 . 2009-07-22 23:36 59152 ----a-w- c:\documents and settings\leyou.LEWOFFICE\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-22 20:04 . 2009-07-22 20:04 -------- d-----w- c:\documents and settings\leyou.LEWOFFICE\Application Data\ACD Systems
2009-07-22 20:04 . 2009-07-22 20:04 -------- d-----w- c:\documents and settings\leyou.LEWOFFICE\Application Data\Apple Computer
2009-07-22 20:04 . 2009-07-22 20:04 -------- d-----w- c:\documents and settings\leyou.LEWOFFICE\Application Data\AdobeUM
2009-07-22 20:04 . 2009-07-22 20:04 -------- d-----w- c:\documents and settings\leyou.LEWOFFICE\Application Data\Corel
2009-07-22 20:04 . 2009-07-22 20:04 -------- d-----w- c:\documents and settings\leyou.LEWOFFICE\Application Data\HP
2009-07-22 20:04 . 2009-07-22 20:04 -------- d-----w- c:\documents and settings\leyou.LEWOFFICE\Application Data\CyberLink
2009-07-22 20:04 . 2009-07-22 20:04 -------- d-----w- c:\documents and settings\leyou.LEWOFFICE\Application Data\Corel Photo Album
2009-07-22 20:04 . 2009-07-22 20:04 -------- d-----w- c:\documents and settings\leyou.LEWOFFICE\Application Data\Leadertech
2009-07-22 20:04 . 2009-07-22 20:04 -------- d-----w- c:\documents and settings\leyou.LEWOFFICE\Application Data\InstallShield
2009-07-22 20:03 . 2009-07-22 20:03 -------- d-----w- c:\documents and settings\leyou.LEWOFFICE\Application Data\Microsoft Web Folders
2009-07-22 20:03 . 2009-07-22 20:03 -------- d-----w- c:\documents and settings\leyou.LEWOFFICE\Application Data\Sonic
2009-07-22 20:03 . 2009-07-22 20:03 -------- d-----w- c:\documents and settings\leyou.LEWOFFICE\Application Data\Skinux
2009-07-22 20:03 . 2009-07-22 20:03 -------- d-----w- c:\documents and settings\leyou.LEWOFFICE\Application Data\Share-to-Web Upload Folder
2009-07-22 20:03 . 2009-07-22 20:03 -------- d-----w- c:\documents and settings\leyou.LEWOFFICE\Application Data\Windows Search
2009-07-22 20:03 . 2009-07-22 20:03 -------- d-----w- c:\documents and settings\leyou.LEWOFFICE\Application Data\Windows Desktop Search
2009-07-22 20:03 . 2009-07-22 20:03 -------- d-----w- c:\documents and settings\leyou.LEWOFFICE\Application Data\U3
2009-07-22 19:23 . 2007-03-01 18:56 -------- d-----w- c:\program files\Windows Media Connect 2
2009-07-22 19:21 . 2006-04-17 16:55 -------- d-----w- c:\program files\Print Professional
2009-07-22 19:21 . 2006-01-20 05:34 -------- d-----w- c:\program files\NetWaiting
2009-07-22 19:21 . 2006-01-20 05:37 -------- d-----w- c:\program files\Microsoft Plus! Photo Story 2 LE
2009-07-22 19:20 . 2008-02-27 20:15 -------- d-----w- c:\program files\iTunes
2009-07-22 19:20 . 2008-02-27 20:15 -------- d-----w- c:\program files\iPod
2009-07-22 19:19 . 2009-07-22 19:19 -------- d-----w- c:\program files\Dell Support
2009-07-22 19:19 . 2006-01-20 05:34 -------- d-----w- c:\program files\Classic PhoneTools
2009-07-22 19:14 . 2006-01-20 05:44 -------- d-----w- c:\documents and settings\All Users\Application Data\GTek
2009-07-22 18:14 . 2006-01-20 05:34 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-22 18:13 . 2009-07-22 18:13 59152 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-22 18:12 . 2009-07-22 18:15 -------- d-----w- c:\documents and settings\leyou.LEWOFFICE\Application Data\Gtek
2009-07-22 18:12 . 2006-04-14 00:34 -------- d--h--w- c:\documents and settings\Administrator.WJJONES\Application Data\Gtek
2009-07-22 18:12 . 2006-01-20 05:44 -------- d--h--w- c:\documents and settings\Administrator\Application Data\Gtek
2009-07-22 18:12 . 2006-04-14 00:44 -------- d-----w- c:\documents and settings\leyou\Application Data\Gtek
2009-07-22 18:10 . 2006-01-20 05:45 -------- d-----w- c:\program files\Dell
2009-07-17 19:01 . 2004-08-11 23:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 05:43 . 2004-08-11 23:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-08-11 23:00 915456 ------w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2004-08-11 23:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-11 23:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-11 23:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-11 23:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2004-08-11 23:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-11 23:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2004-08-11 23:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
1998-10-07 23:16 . 2006-03-02 17:50 148480 ----a-w- c:\program files\UNWISE.EXE
2006-03-29 21:15 . 2006-02-20 19:10 104 --sh--r- c:\windows\system32\BAFD25DE35.sys
2006-03-29 21:15 . 2006-02-20 19:10 4184 --sha-w- c:\windows\system32\KGyGaAvL.sys
2008-04-14 11:42 . 2004-08-11 23:00 413696 --sha-w- c:\windows\system32\msvcp60.dll
2008-04-14 11:42 . 2004-08-11 23:00 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 11:42 . 2004-08-11 23:00 84992 --sh--w- c:\windows\system32\olepro32.dll
2008-04-14 11:42 . 2004-08-11 23:00 11776 --sh--w- c:\windows\system32\regsvr32.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-09-17_23.08.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-18 14:07 . 2009-09-18 14:07 16384 c:\windows\Temp\Perflib_Perfdata_3c0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-08-29 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-58316868-3914423799-2227292941-1105\Scripts\Logon\0\0]
"Script"=\\wjjones.com\sysvol\wjjones.com\scripts\login.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-58316868-3914423799-2227292941-1106\Scripts\Logon\0\0]
"Script"=\\wjjones.com\sysvol\wjjones.com\scripts\login.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-58316868-3914423799-2227292941-1107\Scripts\Logon\0\0]
"Script"=\\wjjones.com\sysvol\wjjones.com\scripts\login.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-58316868-3914423799-2227292941-1108\Scripts\Logon\0\0]
"Script"=\\wjjones.com\sysvol\wjjones.com\scripts\login.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-58316868-3914423799-2227292941-1125\Scripts\Logon\0\0]
"Script"=\\wjjones.com\sysvol\wjjones.com\scripts\login.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-58316868-3914423799-2227292941-500\Scripts\Logon\0\0]
"Script"=\\wjjones.com\sysvol\wjjones.com\scripts\login.cmd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare Software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\leyou.LEWOFFICE\\Desktop\\WS_FTP32.EXE"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1007020.00B\SymEFA.sys [17/09/2009 11:30 AM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NIS\1007020.00B\BHDrvx86.sys [17/09/2009 11:30 AM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1007020.00B\cchpx86.sys [17/09/2009 11:29 AM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090916.003\IDSXpx86.sys [16/09/2009 10:34 PM 329080]
R1 raddrvv3;raddrvv3;c:\windows\system32\rserver30\raddrvv3.sys [24/04/2008 8:49 AM 45848]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe [17/09/2009 11:30 AM 117640]
R2 RServer3;Radmin Server V3;c:\windows\system32\rserver30\rserver3.exe [24/04/2008 8:44 AM 1238344]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [29/08/2009 2:00 AM 102448]
R3 mirrorv3;mirrorv3;c:\windows\system32\drivers\rminiv3.sys [01/11/2006 6:01 AM 3328]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 20:57]

2009-09-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-586913285-1961704955-1192319586-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-29 19:44]

2009-09-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-586913285-1961704955-1192319586-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-29 19:44]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
DPF: {CCA0B877-CB5E-4ADC-AD30-457C379512DD} - hxxp://70.64.192.253/xplugLiteTW.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\chsgyphq.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-18 08:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.7.2.11\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3416)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-09-18 8:23
ComboFix-quarantined-files.txt 2009-09-18 14:23
ComboFix2.txt 2009-09-17 23:11

Pre-Run: 188,664,721,408 bytes free
Post-Run: 188,634,443,776 bytes free

201 --- E O F --- 2009-09-17 04:47

#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:41 PM

Posted 18 September 2009 - 09:49 AM

The log looks clean. :(

Go to Start => Run => copy and paste next command in the field then hit enter:

ComboFix /u

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through system restore.

Remove any other tools we used.

***********
About the slowness, please consult this: Slow Computer/browser? Check Here First; It May Not Be Malware

A few tips from the given link I would certainly recommend:

1. Install and run CCleaner. Keep it and use it regularly.

2. Do a disk check to correct volume errors. To check the volume for errors:
  • Click start and then My Computer.
  • Right click the drive C and select Properties.
  • Under Tools tab press Check Now...
  • Put a check mark in both items and press start.
  • If you get a message click Yes to schedule the disk check and click OK and then restart your computer to start the disk check. Please be patient and let the system run. In some cases it might take a couple of hours and you don't have to sit there the whole time.
3. Defragment your computer regularly.

***********
Please consult this article by Miekiemoes on How To Prevent Malware.

Happy Surfing. :(

#13 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:41 PM

Posted 24 September 2009 - 06:41 PM

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.



