Computer is running extremely slow with Windows and Internet Explorer crashing


  • This topic is locked
38 replies to this topic

#1 proliney

proliney

  • Members
  • 34 posts

Posted 09 September 2009 - 06:40 PM

This is a computer that is used for our small business and it is running extremely slow. We will occasionally have Windows and Internet Explorer crash on us. Sometimes the computer is so slow that processing credit cards is hard.

I have run CCleaner, Register Mechanics, Adaware and Malware Bytes on it but to no avail. I have Norton 360 installed on the computer.

The computer is running Windows XP SP3

Any help would be appreciated.

Following is the HiJack This 2.0.2 log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:37:41 PM, on 9/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Cherry\CDI\CDI.exe
C:\Program Files\Common Files\Intuit\Entitlement Client\v5.3\Server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Cherry\KeyMan\KeyMan.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dynex G Desktop Card Adapter\DynexWCUI.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intuit\QuickBooks Point of Sale 8.0\qbpos.exe
C:\Program Files\Intuit\QuickBooks Point of Sale 8.0\EftSvr.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Intuit\QuickBooks Point of Sale 8.0\qbpos.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Intuit\QuickBooks 2006\qbw32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Common Files\Intuit\QuickBooks\axlbridge.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\PROGRA~1\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.0.0.135\IPSBHO.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [CherryKeyMan] "C:\Program Files\Cherry\KeyMan\KeyMan.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Dynex Wireless Networking Utility.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to Keyman - C:\Program Files\Cherry\KeyMan\IEMenuExtKeyman.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab53083.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab53083.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab53083.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) -
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1151255629937
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab53083.cab
O16 - DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} (SpinTop Games Launcher) - http://download-games.pogo.com/online2/pog...mesLauncher.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://webcams.mtu.edu/webcam6/AxisCamControl.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHos...ronGameHost.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/default/SproutLauncher.cab
O16 - DPF: {D7208880-9B7A-43E1-AABB-8C888A5704F9} (NetCamPlayerWeb11gv2 Control) - http://192.168.1.3/NetCamPlayerWeb11gv2.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab53083.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/aio.../qdiagh.cab?326
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: intu-help-qb2 - {84D77A00-41B5-4B8B-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2006\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbpos - {662E7FAE-5C17-491C-AD9D-98C1F66CC6A0} - C:\WINDOWS\system32\QBPOSProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Cherry Device Interface - Cherry Gmbh, Auerbach Germany, www.cherry.de - C:\Program Files\Cherry\CDI\CDI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intuit Entitlement Service v5.3 - Intuit, Inc. - C:\Program Files\Common Files\Intuit\Entitlement Client\v5.3\Server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: QBPOS Database Manager v8 (QBPOSDBServiceV8) - Intuit Inc. - C:\Program Files\Intuit\QuickBooks Point of Sale 8.0\DatabaseServer\QBPOSDBService.exe
O23 - Service: QuickBooksDB - Intuit, Inc. - C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe
O23 - Service: QuickBooksDB19 - Intuit, Inc. - C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 14049 bytes
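A log like the one above is read entry by entry. The following Python helper is an added example, not a HijackThis or BleepingComputer tool: it parses the R/O entries and flags the patterns a reviewer normally checks first (components whose file is missing, services with no vendor, ActiveX controls fetched over plain HTTP or from a private address, proxy overrides, unresolved startup shortcuts). The sample lines are excerpted from the log above; the flag rules are this example's own heuristics and mark entries to look at, not verdicts.

```python
"""Triage helper for HijackThis 2.0.x log entries (added example, not a
HijackThis or BleepingComputer tool). It parses the "Rn - ..." / "Onn - ..."
lines and flags patterns a log reviewer normally checks first. The flag
rules are this example's own heuristics: a flag means "look closer", not
"malicious"."""
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Section tag (R0, R1, O2, O16, O23, ...) followed by " - " and the entry body.
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d{1,2}) - (?P<body>.+)$")
# Trailing download location of an O16 (Downloaded Program Files) entry.
DPF_URL_RE = re.compile(r"-\s+(https?://\S+)\s*$")


def parse_entry(line):
    """Return {'section', 'body', 'raw'} for an R/O entry, else None.

    Header lines, the running-process list and blank lines do not match."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return {"section": m.group("sec"), "body": m.group("body"), "raw": line.strip()}


def parse_log(text):
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e]


def _dpf_flags(body):
    """Heuristics for O16 entries: where was the ActiveX control fetched from?"""
    m = DPF_URL_RE.search(body)
    if not m:
        return ["O16 entry has no download URL recorded"]
    url = urlparse(m.group(1))
    flags = []
    if url.scheme == "http":
        flags.append("ActiveX control fetched over plain HTTP (no transport integrity)")
    try:
        if ip_address(url.hostname or "").is_private:
            flags.append("ActiveX control fetched from a private-network address")
    except ValueError:  # hostname is a DNS name, not an IP literal
        pass
    return flags


def triage(entry):
    """Return the list of review flags for one parsed entry (empty if none)."""
    sec, body = entry["section"], entry["body"]
    flags = []
    if "(no file)" in body or "(file missing)" in body:
        flags.append("registered component whose file is missing (orphan or hidden)")
    if sec == "O23" and "Unknown owner" in body:
        flags.append("service binary carries no vendor information")
    if sec == "O16":
        flags.extend(_dpf_flags(body))
    if sec == "R1" and "ProxyOverride" in body:
        flags.append("proxy override present; confirm it is intentional")
    if sec == "O4" and body.endswith("= ?"):
        flags.append("startup shortcut whose target could not be resolved")
    return flags


def triage_log(text):
    """Return only the entries that carry at least one flag."""
    hits = []
    for entry in parse_log(text):
        flags = triage(entry)
        if flags:
            hits.append({**entry, "flags": flags})
    return hits


def count_by_section(text):
    counts = {}
    for entry in parse_log(text):
        counts[entry["section"]] = counts.get(entry["section"], 0) + 1
    return counts


# Sample input: lines excerpted from the HijackThis log posted above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
C:\WINDOWS\system32\svchost.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {D7208880-9B7A-43E1-AABB-8C888A5704F9} (NetCamPlayerWeb11gv2 Control) - http://192.168.1.3/NetCamPlayerWeb11gv2.cab
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

if __name__ == "__main__":
    print("entries per section:", count_by_section(SAMPLE_LOG))
    for hit in triage_log(SAMPLE_LOG):
        print(hit["raw"])
        for flag in hit["flags"]:
            print("   ->", flag)
```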


#2 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 10 September 2009 - 08:58 PM

Hello proliney :( Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

I read where you said you ran MalwareBytes to no avail. Does that mean it did not find anything or it found something but did not fix the problem? If it did find something please open it back up and click on the button marked Logs and copy and paste the results from it in your next post along with the log from the following program.


Please perform the following:


We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Close any and all open programs, as this process may crash your computer.
  • Double click Posted Image or Posted Image on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see this window. If you do, click No.
    Posted Image
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

Please do not post any logs as an attachment unless asked to do so.

Thanks,

thewall
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#3 proliney

proliney
  • Topic Starter

  • Members
  • 34 posts

Posted 11 September 2009 - 08:30 AM

When I ran Malware Bytes it did not detect anything.

Here is the log from running GMER:

GMER 1.0.15.15077 [z71h8srm.exe] - http://www.gmer.net
Rootkit scan 2009-09-11 08:24:01
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT 86CD2460 ZwAlertResumeThread
SSDT 868EACD8 ZwAlertThread
SSDT 86CC9618 ZwAllocateVirtualMemory
SSDT 86C88160 ZwAssignProcessToJobObject
SSDT 8671FB38 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xAA4B3130]
SSDT 86C8D110 ZwCreateMutant
SSDT 86C88EF0 ZwCreateSymbolicLinkObject
SSDT 86882400 ZwCreateThread
SSDT 86CA9E50 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xAA4B33B0]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xAA4B3910]
SSDT 8658B200 ZwDuplicateObject
SSDT 86BD72B0 ZwFreeVirtualMemory
SSDT 86C7BF88 ZwImpersonateAnonymousToken
SSDT 86C61E60 ZwImpersonateThread
SSDT 86731848 ZwLoadDriver
SSDT 86CA5638 ZwMapViewOfSection
SSDT 86CD58B0 ZwOpenEvent
SSDT 863961F8 ZwOpenProcess
SSDT 867100E8 ZwOpenProcessToken
SSDT 86C82558 ZwOpenSection
SSDT 865A3200 ZwOpenThread
SSDT 86C95BE0 ZwProtectVirtualMemory
SSDT 867616B8 ZwResumeThread
SSDT 8691C610 ZwSetContextThread
SSDT 86CB0D10 ZwSetInformationProcess
SSDT 86C91E50 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xAA4B3B60]
SSDT 86C767D8 ZwSuspendProcess
SSDT 868635B8 ZwSuspendThread
SSDT 8687F188 ZwTerminateProcess
SSDT 865F60A8 ZwTerminateThread
SSDT 86927E90 ZwUnmapViewOfSection
SSDT 86CAAB30 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

? SYMEFA.SYS The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device A8363D20

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

#4 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 11 September 2009 - 08:48 AM

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instructions can be found HERE
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Posted Image


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#5 proliney

proliney
  • Topic Starter

  • Members
  • 34 posts

Posted 11 September 2009 - 06:46 PM

Here is the log from ComboFix:

ComboFix 09-09-11.01 - Lori Williams 09/11/2009 18:05.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.439 [GMT -5:00]
Running from: c:\documents and settings\Lori Williams\Desktop\ComboFix.exe
AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Lori Williams\My Documents\cc_20080705_1544.reg
c:\documents and settings\Lori Williams\My Documents\cc_20080828_220252.reg
c:\windows\Downloaded Program Files\Install.inf
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\system32\bszip.dll

----- BITS: Possible infected sites -----

hxxp://download.yimg.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_OREANS32
-------\Service_oreans32


((((((((((((((((((((((((( Files Created from 2009-08-11 to 2009-09-11 )))))))))))))))))))))))))))))))
.

2009-09-10 00:15 . 2009-08-22 08:13 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys
2009-09-09 23:36 . 2009-09-09 23:36 -------- d-----w- c:\program files\Trend Micro
2009-09-09 23:29 . 2009-09-09 23:29 -------- d-----w- c:\documents and settings\QBDataServiceUser19\Local Settings\Application Data\Intuit
2009-09-09 00:32 . 2009-09-09 00:32 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Downloaded Installations
2009-08-27 12:27 . 2009-08-27 12:27 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-08-21 00:05 . 2009-08-21 00:05 -------- d-----w- c:\documents and settings\QBPOSDBSrvUser\Local Settings\Application Data\Intuit
2009-08-18 15:26 . 2009-08-18 15:26 -------- d-----w- c:\temp\Convert
2009-08-18 15:18 . 2009-08-23 02:14 -------- d-----w- c:\program files\CITIZEN SYSTEMS JAPAN
2009-08-18 06:29 . 2009-08-18 06:29 -------- d-----w- c:\program files\Intuit2
2009-08-18 06:03 . 2009-08-18 06:08 -------- d-----w- C:\QuickBooks Point of Sale 5.0
2009-08-18 04:59 . 2009-08-18 05:00 -------- d-----w- c:\windows\system32\NtmsData
2009-08-17 15:05 . 2009-08-17 15:05 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-17 15:05 . 2009-08-17 15:05 -------- d-----w- c:\program files\Reference Assemblies
2009-08-17 15:00 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-17 15:00 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-17 15:00 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-17 15:00 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-17 15:00 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-17 15:00 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-17 15:00 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-17 15:00 . 2009-08-17 15:04 -------- d-----w- C:\e6e9aea96e15b650264680d1fe3499
2009-08-15 17:10 . 2009-08-15 17:10 -------- d-----w- c:\program files\Microsoft Silverlight

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-11 23:02 . 2008-07-05 20:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-09-09 00:32 . 2009-03-26 00:12 -------- d-----w- c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-09-09 00:31 . 2009-03-26 00:10 -------- d-----w- c:\program files\Symantec
2009-09-09 00:31 . 2009-03-26 00:10 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-09-09 00:31 . 2009-03-26 00:10 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-09-09 00:31 . 2009-03-26 00:10 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-09-09 00:31 . 2009-03-26 00:10 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-09-09 00:30 . 2009-03-26 00:12 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-09-09 00:30 . 2009-03-26 00:12 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2009-08-28 23:39 . 2006-08-16 00:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-23 02:25 . 2006-03-11 21:13 -------- d-----w- c:\program files\Dell
2009-08-18 15:22 . 2006-03-16 05:54 -------- d-----w- c:\program files\Common Files\Intuit
2009-08-18 15:17 . 2006-03-16 05:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit
2009-08-18 15:14 . 2006-03-16 05:54 -------- d-----w- c:\program files\Intuit
2009-08-18 15:08 . 2009-04-03 21:26 -------- d-----w- c:\documents and settings\Lori Williams\Application Data\Download Manager
2009-08-17 15:05 . 2009-06-13 19:22 -------- d-----w- c:\program files\MSBuild
2009-08-08 00:29 . 2009-01-04 16:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-05 09:01 . 2004-08-11 23:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 18:36 . 2009-01-04 16:53 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 18:36 . 2009-01-04 16:53 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-17 19:01 . 2004-08-11 23:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2004-08-11 23:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-08-11 23:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-16 14:36 . 2004-08-11 23:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-08-11 23:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2008-02-26 15:58 . 2008-02-26 15:58 0 ----a-w- c:\program files\temp01
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"CherryKeyMan"="c:\program files\Cherry\KeyMan\KeyMan.exe" [2004-05-07 176180]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-04 515416]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-11-18 623880]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-01 148888]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2009-3-6 221247]
Camio Viewer 2000.lnk - c:\program files\Sierra Imaging\Image Expert 2000\IXApplet.exe [2006-5-3 49152]
Dynex Wireless Networking Utility.lnk - c:\program files\Dynex G Desktop Card Adapter\DynexWCUI.exe [2009-2-24 1462272]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-7-16 984352]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/24/2009 8:28 PM 64160]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0305020.00B\SymEFA.sys [9/8/2009 7:31 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0305020.00B\BHDrvx86.sys [9/8/2009 7:31 PM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0305020.00B\cchpx86.sys [9/8/2009 7:31 PM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090910.003\IDSXpx86.sys [9/10/2009 7:44 PM 276344]
R2 Cherry Device Interface;Cherry Device Interface;c:\program files\Cherry\CDI\CDI.exe [9/16/2004 7:59 AM 512046]
R2 Intuit Entitlement Service v5.3;Intuit Entitlement Service v5.3;c:\program files\Common Files\Intuit\Entitlement Client\v5.3\Server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe [7/29/2008 11:26 AM 20480]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [8/18/2008 6:55 PM 13088]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe [9/8/2009 7:31 PM 117640]
R2 QBPOSDBServiceV8;QBPOS Database Manager v8;c:\program files\Intuit\QuickBooks Point of Sale 8.0\DatabaseServer\QBPOSDBService.exe [4/23/2009 2:45 PM 2734920]
R3 Ch2kHUB;Cherry USB Hub Driver for CDI;c:\windows\system32\drivers\Ch2kHUB.sys [7/15/2003 5:35 PM 82048]
R3 Ch2kUSB;Cherry USB Driver for CDI;c:\windows\system32\drivers\Ch2kUSB.sys [10/26/2004 3:03 PM 90702]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/27/2009 2:07 AM 102448]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 4:34 PM 951632]
S3 QuickBooksDB19;QuickBooksDB19;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB19 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB19 [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to Keyman - c:\program files\Cherry\KeyMan\IEMenuExtKeyman.html
Trusted Zone: turbotax.com
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2006\HelpAsyncPluggableProtocol.dll
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} - hxxp://download-games.pogo.com/online2/pogo/mahjong_escape_ancient_japan/SpinTopGamesLauncher.cab
DPF: {D7208880-9B7A-43E1-AABB-8C888A5704F9} - hxxp://192.168.1.3/NetCamPlayerWeb11gv2.cab
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-RegistryMechanic - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-11 18:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.5.2.11\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(948)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'lsass.exe'(1004)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(1544)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\bcmwltry.exe
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Intuit\QuickBooks Point of Sale 8.0\DatabaseServer\QBDBMgrN10.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
c:\windows\system32\wscntfy.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\progra~1\Yahoo!\browser\ycommon.exe
.
**************************************************************************
.
Completion time: 2009-09-11 18:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-11 23:36

Pre-Run: 47,621,976,064 bytes free
Post-Run: 47,794,409,472 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

435 --- E O F --- 2009-08-23 02:23

#6 thewall
  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 12 September 2009 - 09:23 AM

Please do a scan with Kaspersky Online Scanner. (Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.)

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Open the Kaspersky WebScanner page.
  • Click on the Posted Image button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Posted Image button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Posted Image button, if you made any changes.
  • Now under the Scan section on the left, select My Computer.
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.
If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#7 proliney
  • Topic Starter
  • Members
  • 34 posts

Posted 12 September 2009 - 10:03 AM

It will probably be tomorrow before I can run this scan since this computer is used to run our business. This is the Point Of Sale computer.

#8 thewall
  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 12 September 2009 - 10:15 AM

No problem, does it seem to be running better after we used ComboFix?

#9 proliney
  • Topic Starter
  • Members
  • 34 posts

Posted 14 September 2009 - 05:46 PM

Sorry it took so long to post this but our internet service was down all day.

The computer seems to be running a little bit better but not 100% yet.

Here is the log from the online scan:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, September 14, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, September 13, 2009 20:34:52
Records in database: 2802112
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Objects scanned: 103722
Threats found: 2
Infected objects found: 1
Suspicious objects found: 5
Scan duration: 03:25:22


File name / Threat / Threats count
C:\Documents and Settings\Lori Williams\Local Settings\Application Data\Microsoft\Outlook\customer_service.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 4
C:\Documents and Settings\Lori Williams\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Program Files\MSN Games\Ciao Bella\Launch.exe Infected: Trojan.Win32.Inject.ttt 1

Selected area has been scanned.

#10 thewall
  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 14 September 2009 - 08:10 PM

Special ComboFix script made for this computer only

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs, including TeaTimer if you have it, so they do not interfere with the running of ComboFix. Instructions for doing so are located here

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\Documents and Settings\Lori Williams\Local Settings\Application Data\Microsoft\Outlook\customer_service.pst
C:\Documents and Settings\Lori Williams\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst
C:\Program Files\MSN Games\Ciao Bella\Launch.exe


Save this as CFScript.txt, in the same location as ComboFix.exe


[image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

#11 proliney
  • Topic Starter
  • Members
  • 34 posts

Posted 14 September 2009 - 09:13 PM

Here is the log from the special ComboFix run:

ComboFix 09-09-14.02 - Lori Williams 09/14/2009 20:50.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.466 [GMT -5:00]
Running from: c:\documents and settings\Lori Williams\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Lori Williams\Desktop\CFScript.txt
AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

FILE ::
"c:\documents and settings\Lori Williams\Local Settings\Application Data\Microsoft\Outlook\customer_service.pst"
"c:\documents and settings\Lori Williams\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst"
"c:\program files\MSN Games\Ciao Bella\Launch.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Lori Williams\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
c:\documents and settings\Lori Williams\Application Data\Microsoft\Installer\{EDF5585A-DC14-49D0-AC30-AAAF4CE93D29}\NewShortcut1_53203B9B4F4E413EA56CC471379C1E46.exe
c:\documents and settings\Lori Williams\Application Data\Microsoft\Installer\{EDF5585A-DC14-49D0-AC30-AAAF4CE93D29}\NewShortcut2_53203B9B4F4E413EA56CC471379C1E46.exe
c:\documents and settings\Lori Williams\Application Data\Microsoft\Installer\{EDF5585A-DC14-49D0-AC30-AAAF4CE93D29}\NewShortcut3_53203B9B4F4E413EA56CC471379C1E46.exe
c:\documents and settings\Lori Williams\Local Settings\Application Data\Microsoft\Outlook\customer_service.pst
c:\documents and settings\Lori Williams\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst
c:\program files\MSN Games\Ciao Bella\Launch.exe

.
((((((((((((((((((((((((( Files Created from 2009-08-15 to 2009-09-15 )))))))))))))))))))))))))))))))
.

2009-09-10 00:15 . 2009-08-22 08:13 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys
2009-09-09 23:36 . 2009-09-09 23:36 -------- d-----w- c:\program files\Trend Micro
2009-09-09 23:29 . 2009-09-09 23:29 -------- d-----w- c:\documents and settings\QBDataServiceUser19\Local Settings\Application Data\Intuit
2009-09-09 00:32 . 2009-09-09 00:32 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Downloaded Installations
2009-08-27 12:27 . 2009-08-27 12:27 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-08-21 00:05 . 2009-08-21 00:05 -------- d-----w- c:\documents and settings\QBPOSDBSrvUser\Local Settings\Application Data\Intuit
2009-08-18 15:26 . 2009-08-18 15:26 -------- d-----w- c:\temp\Convert
2009-08-18 15:18 . 2009-08-23 02:14 -------- d-----w- c:\program files\CITIZEN SYSTEMS JAPAN
2009-08-18 06:29 . 2009-08-18 06:29 -------- d-----w- c:\program files\Intuit2
2009-08-18 06:03 . 2009-08-18 06:08 -------- d-----w- C:\QuickBooks Point of Sale 5.0
2009-08-18 04:59 . 2009-08-18 05:00 -------- d-----w- c:\windows\system32\NtmsData
2009-08-17 15:05 . 2009-08-17 15:05 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-17 15:05 . 2009-08-17 15:05 -------- d-----w- c:\program files\Reference Assemblies
2009-08-17 15:00 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-17 15:00 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-17 15:00 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-17 15:00 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-17 15:00 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-17 15:00 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-17 15:00 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-17 15:00 . 2009-08-17 15:04 -------- d-----w- C:\e6e9aea96e15b650264680d1fe3499

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-11 23:02 . 2008-07-05 20:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-09-09 00:32 . 2009-03-26 00:12 -------- d-----w- c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-09-09 00:31 . 2009-03-26 00:10 -------- d-----w- c:\program files\Symantec
2009-09-09 00:31 . 2009-03-26 00:10 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-09-09 00:31 . 2009-03-26 00:10 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-09-09 00:31 . 2009-03-26 00:10 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-09-09 00:31 . 2009-03-26 00:10 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-09-09 00:30 . 2009-03-26 00:12 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-09-09 00:30 . 2009-03-26 00:12 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2009-08-28 23:39 . 2006-08-16 00:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-23 02:25 . 2006-03-11 21:13 -------- d-----w- c:\program files\Dell
2009-08-18 15:22 . 2006-03-16 05:54 -------- d-----w- c:\program files\Common Files\Intuit
2009-08-18 15:17 . 2006-03-16 05:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit
2009-08-18 15:14 . 2006-03-16 05:54 -------- d-----w- c:\program files\Intuit
2009-08-18 15:08 . 2009-04-03 21:26 -------- d-----w- c:\documents and settings\Lori Williams\Application Data\Download Manager
2009-08-17 15:05 . 2009-06-13 19:22 -------- d-----w- c:\program files\MSBuild
2009-08-15 17:10 . 2009-08-15 17:10 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-08 00:29 . 2009-01-04 16:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-05 09:01 . 2004-08-11 23:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 18:36 . 2009-01-04 16:53 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 18:36 . 2009-01-04 16:53 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-17 19:01 . 2004-08-11 23:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2004-08-11 23:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-08-11 23:00 915456 ------w- c:\windows\system32\wininet.dll
2008-02-26 15:58 . 2008-02-26 15:58 0 ----a-w- c:\program files\temp01
.

((((((((((((((((((((((((((((( SnapShot@2009-09-11_23.29.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-12 00:47 . 2009-09-12 00:47 16384 c:\windows\Temp\Perflib_Perfdata_2a8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"CherryKeyMan"="c:\program files\Cherry\KeyMan\KeyMan.exe" [2004-05-07 176180]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-04 515416]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-11-18 623880]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-01 148888]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-27 434528]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2009-3-6 221247]
Camio Viewer 2000.lnk - c:\program files\Sierra Imaging\Image Expert 2000\IXApplet.exe [2006-5-3 49152]
Dynex Wireless Networking Utility.lnk - c:\program files\Dynex G Desktop Card Adapter\DynexWCUI.exe [2009-2-24 1462272]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-7-16 984352]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/24/2009 8:28 PM 64160]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0305020.00B\SymEFA.sys [9/8/2009 7:31 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0305020.00B\BHDrvx86.sys [9/8/2009 7:31 PM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0305020.00B\cchpx86.sys [9/8/2009 7:31 PM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090910.003\IDSXpx86.sys [9/10/2009 7:44 PM 276344]
R2 Cherry Device Interface;Cherry Device Interface;c:\program files\Cherry\CDI\CDI.exe [9/16/2004 7:59 AM 512046]
R2 Intuit Entitlement Service v5.3;Intuit Entitlement Service v5.3;c:\program files\Common Files\Intuit\Entitlement Client\v5.3\Server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe [7/29/2008 11:26 AM 20480]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [8/18/2008 6:55 PM 13088]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe [9/8/2009 7:31 PM 117640]
R2 QBPOSDBServiceV8;QBPOS Database Manager v8;c:\program files\Intuit\QuickBooks Point of Sale 8.0\DatabaseServer\QBPOSDBService.exe [4/23/2009 2:45 PM 2734920]
R3 Ch2kHUB;Cherry USB Hub Driver for CDI;c:\windows\system32\drivers\Ch2kHUB.sys [7/15/2003 5:35 PM 82048]
R3 Ch2kUSB;Cherry USB Driver for CDI;c:\windows\system32\drivers\Ch2kUSB.sys [10/26/2004 3:03 PM 90702]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/27/2009 2:07 AM 102448]
R3 QuickBooksDB19;QuickBooksDB19;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB19 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB19 [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 4:34 PM 951632]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to Keyman - c:\program files\Cherry\KeyMan\IEMenuExtKeyman.html
Trusted Zone: turbotax.com
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2006\HelpAsyncPluggableProtocol.dll
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} - hxxp://download-games.pogo.com/online2/pogo/mahjong_escape_ancient_japan/SpinTopGamesLauncher.cab
DPF: {D7208880-9B7A-43E1-AABB-8C888A5704F9} - hxxp://192.168.1.3/NetCamPlayerWeb11gv2.cab
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Image Expert 3.2 - c:\windows\IsUninst.exe -fc:\program files\Sierra Imaging\Image Expert 2000\Uninst.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-14 21:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.5.2.11\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(948)
c:\windows\System32\BCMLogon.dll
c:\windows\system32\igfxdev.dll

- - - - - - - > 'lsass.exe'(1004)
c:\windows\System32\BCMLogon.dll
.
Completion time: 2009-09-15 21:07
ComboFix-quarantined-files.txt 2009-09-15 02:07
ComboFix2.txt 2009-09-11 23:36

Pre-Run: 47,275,524,096 bytes free
Post-Run: 47,725,318,144 bytes free

184 --- E O F --- 2009-08-23 02:23
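
Added example, not part of the thread and not a ComboFix feature: a small Python triage pass over the kinds of lines the ComboFix log above contains (R/S service and driver entries, DPF ActiveX downloads, Trusted Zone and ProxyOverride settings). The sample lines are copied from the log above; the flagging rules (ActiveX controls fetched from a LAN address or over plain http or installed from a local file, service entries whose file details ComboFix could not read and printed as [?], Trusted Zone and proxy bypass settings) are this example's own heuristics for deciding what to look at next, not detections.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample: lines copied from the ComboFix log posted above.
# ComboFix writes "hxxp" for "http" so that URLs in logs are not clickable.
SAMPLE_LINES = [
    r"R3 Ch2kUSB;Cherry USB Driver for CDI;c:\windows\system32\drivers\Ch2kUSB.sys [10/26/2004 3:03 PM 90702]",
    r"R3 QuickBooksDB19;QuickBooksDB19;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB19 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB19 [?]",
    r"S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 4:34 PM 951632]",
    "uInternet Settings,ProxyOverride = 127.0.0.1",
    "Trusted Zone: turbotax.com",
    "DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab",
    "DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} - hxxp://download-games.pogo.com/online2/pogo/mahjong_escape_ancient_japan/SpinTopGamesLauncher.cab",
    "DPF: {D7208880-9B7A-43E1-AABB-8C888A5704F9} - hxxp://192.168.1.3/NetCamPlayerWeb11gv2.cab",
]

# "R3 name;description;path [date size]" service/driver entries. "[?]" in place
# of the date and size means ComboFix could not read the file at that path.
SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.*)$")
# "DPF: name - url" Downloaded Program Files entries (ActiveX controls IE installed).
DPF_RE = re.compile(r"^DPF:\s+(.*?)\s+-\s+(\S+)$")


def refang(url):
    """Turn ComboFix's defanged hxxp:// back into http:// so urlparse can read it."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url)


def is_private_host(host):
    """True for private/loopback IP literals, False for host names or public IPs."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False


def triage(lines):
    """Return (item, kind, note) tuples for log lines worth a second look."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            name, rest = m.groups()
            if rest.endswith("[?]"):
                findings.append((name, "service",
                                 "file details unreadable; confirm the binary exists and is signed"))
            continue
        m = DPF_RE.match(line)
        if m:
            name, url = m.groups()
            parsed = urlparse(refang(url))
            if parsed.scheme == "file":
                findings.append((name, "dpf", "ActiveX control installed from a local file"))
            elif is_private_host(parsed.hostname or ""):
                findings.append((name, "dpf", f"ActiveX control fetched from LAN host {parsed.hostname}"))
            elif parsed.scheme == "http":
                findings.append((name, "dpf", f"ActiveX control fetched over plain http from {parsed.hostname}"))
            continue
        if line.startswith("Trusted Zone:"):
            findings.append((line.split(":", 1)[1].strip(), "trusted-zone",
                             "site gets IE's relaxed Trusted sites settings"))
        elif "ProxyOverride" in line:
            findings.append((line.split("=", 1)[1].strip(), "proxy",
                             "proxy bypass list set; compare with any ProxyServer entry"))
    return findings


if __name__ == "__main__":
    for item, kind, note in triage(SAMPLE_LINES):
        print(f"{kind:13} {item}: {note}")
```

Run as a script it prints one line per finding. On the sample it raises six items: the QuickBooks database service whose path ComboFix could not read, the three DPF entries (the local Java XML parser cab, the game launcher over plain http, and the camera control fetched from 192.168.1.3 on the LAN), the turbotax.com Trusted Zone entry and the loopback ProxyOverride. These are review prompts rather than verdicts; the helper left all of them in place.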

#12 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 15 September 2009 - 09:15 AM

Now that CF has eliminated a lot of things, let's let Malwarebytes take another look. Open it up and do an update; after that, perform a Quick Scan (important: only do a Quick Scan). If it finds anything, let it remove what it finds and then post the log back here.
If I have helped you then please consider donating so I can continue the fight against malware.
All donations go directly to the helper.

Due to the large amount of backlogs we have, I cannot respond to PMs for help unless I am already working with you.

#13 proliney

  • Topic Starter
  • Members
  • 34 posts

Posted 15 September 2009 - 06:43 PM

Now that I have run the special ComboFix, I can no longer bring up Microsoft Outlook because it cannot find Outlook.pst. When I do a search for Outlook.pst, I find Outlook.pst.vir in a quarantine folder. What do I need to do to solve this?

I will be posting the Malware log in a little bit.

#14 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 15 September 2009 - 06:57 PM

Sorry about that. :( I guess it was an FP by Kaspersky. I'll put it in my list of things not to do in the future. When you get through with the log and posting it, we'll see about getting the file put back.
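
Added example, not from the thread and not a ComboFix or Malwarebytes tool: the check worth doing before copying a quarantined Outlook.pst.vir back into place. A PST file starts with the magic bytes "!BDN" at offset 0 and carries its format version at offset 10 (14 or 15 for the ANSI format, 23 for the Unicode format, per Microsoft's public MS-PST specification), so a file that has lost that header is not something Outlook will open anyway and should not be restored blindly. The Qoobox\Quarantine folder layout and the .vir suffix are assumptions about how ComboFix stores quarantined files; the thread only says the file turned up in "a quarantine folder". The demo builds a header-only stand-in PST in a temporary folder so it runs offline. Outlook has to be closed before the real file is restored, since it keeps the PST open.

```python
import os
import shutil
import struct
import tempfile

# Header layout from the public MS-PST specification: dwMagic "!BDN" at offset 0,
# wVer at offset 10 (14/15 = ANSI-format PST, 23 = Unicode-format PST).
PST_MAGIC = b"!BDN"
PST_VERSIONS = {14: "ANSI", 15: "ANSI", 23: "Unicode"}


def pst_format_bytes(header):
    """Return 'ANSI', 'Unicode', or None if these bytes do not start a PST file."""
    if len(header) < 12 or header[:4] != PST_MAGIC:
        return None
    (wver,) = struct.unpack_from("<H", header, 10)
    return PST_VERSIONS.get(wver)


def pst_format(path):
    """Read just the first 12 bytes of a file and classify them."""
    with open(path, "rb") as fh:
        return pst_format_bytes(fh.read(12))


def restore_quarantined(quarantined, destination, overwrite=False):
    """Copy a quarantined .vir file back to its original name.

    Refuses unless the quarantined file still carries a PST header, and never
    clobbers an existing destination unless asked. The quarantine copy is left
    in place so the helper can still inspect it."""
    if not quarantined.lower().endswith(".vir"):
        raise ValueError("expected a .vir file from the quarantine folder")
    fmt = pst_format(quarantined)
    if fmt is None:
        raise ValueError("quarantined file has no PST header; do not restore it blindly")
    if os.path.exists(destination) and not overwrite:
        raise FileExistsError(destination)
    os.makedirs(os.path.dirname(destination), exist_ok=True)
    shutil.copy2(quarantined, destination)
    return fmt


def demo():
    """Offline walk-through with a constructed header-only PST in a temp folder.

    The Qoobox\\Quarantine\\<drive>\\<original path>\\Outlook.pst.vir layout is an
    assumption about ComboFix's quarantine; adjust the paths for a real machine."""
    root = tempfile.mkdtemp()
    try:
        quarantined = os.path.join(root, "Qoobox", "Quarantine", "C", "mail", "Outlook.pst.vir")
        destination = os.path.join(root, "mail", "Outlook.pst")
        os.makedirs(os.path.dirname(quarantined))
        header = bytearray(512)                    # constructed stand-in, header only
        header[0:4] = PST_MAGIC
        header[8:10] = b"SM"                       # wMagicClient
        struct.pack_into("<H", header, 10, 23)     # wVer 23: Unicode-format PST
        with open(quarantined, "wb") as fh:
            fh.write(header)
        fmt = restore_quarantined(quarantined, destination)
        restored = pst_format(destination)
        kept = os.path.exists(quarantined)
    finally:
        shutil.rmtree(root)
    return fmt, restored, kept


if __name__ == "__main__":
    print(demo())  # ('Unicode', 'Unicode', True)
```

On a real machine the two paths would be the .vir file under the quarantine folder and the Outlook data file location that Outlook complains about; the copy is deliberate so the quarantine copy stays available until Outlook has been confirmed to open the restored file.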

#15 proliney

  • Topic Starter
  • Members
  • 34 posts

Posted 15 September 2009 - 07:24 PM

Here is the log from Malware:

Malwarebytes' Anti-Malware 1.41
Database version: 2805
Windows 5.1.2600 Service Pack 3

9/15/2009 7:20:04 PM
mbam-log-2009-09-15 (19-20-04).txt

Scan type: Quick Scan
Objects scanned: 140754
Time elapsed: 34 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
