
Browser Hijack - Redirect


This topic is locked
14 replies to this topic

#1 eddnewcon

eddnewcon

  • Members
  • 8 posts
  • OFFLINE
  • Local time:11:06 PM

Posted 23 November 2009 - 06:56 PM

I use Windows XP. When I do a Yahoo or Google search and click on a link, the browser (either IE or Firefox, in safe mode or not) goes to a page that is not what I clicked on. I have Norton 360. And I also tried to clean it with Malwarebytes, Superantispyware and Spybot but with no success. Please help. Here is the HJT log:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:31:10 PM, on 11/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
C:\PVSW\bin\w3dbsmgr.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Intuit\QuickBooks 2008\qbw32.exe
C:\PROGRA~1\Intuit\QUC24A~1\QBDBMgr.exe
C:\Program Files\Common Files\Intuit\QuickBooks\axlbridge.exe
C:\ProWin08\32bit\QBPSEVNT08R.EXE
C:\PROGRA~1\Intuit\QUC25A~1\QBDBMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://riviera.cc (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2071108
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.5.2.11\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.5.2.11\IPSBHO.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.5.2.11\coIEPlg.dll
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [pdfFactory Dispatcher v1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe
O4 - HKLM\..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0DD4833D-DFFA-11D3-94D7-0050DAC353B6} - http://www.ofoto.com/OfotoDND.cab
O16 - DPF: {40F8967E-34A6-474A-837A-CEC1E7DAC54C} - https://accounting.quickbooks.com/c3/v15.591/qboax9.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.3.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c3/v16.608/qboax10.cab
O16 - DPF: {8CE3BAE6-AB66-40B6-9019-41E5282FF1E2} - https://accounting.quickbooks.com/v12.289/qboax8.cab
O16 - DPF: {A80D199B-CFDD-4DA4-8C47-2310D5B8DD97} - https://accounting.quickbooks.com/v7.572/qboax5.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.3.2.cab
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: intu-help-qb2 - {84D77A00-41B5-4B8B-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.5.2.11\coIEPlg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intuit Fuse Service - Intuit - C:\Program Files\Common Files\Intuit\Fuse\Service\Intuit Fuse Service.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
O23 - Service: Pervasive PSQL Workgroup Engine (psqlWGE) - Unknown owner - C:\PVSW\bin\w3dbsmgr.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 8735 bytes
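The SearchAssistant entry in the HijackThis log above is shown as riviera.cc "(obfuscated)", and the DDS log posted later in this thread shows the same value in its raw form, hxxp://%72%69%76%69%65%72%61%2E%63%63, a percent-encoded string that hides the hostname from a casual read. The following is an added triage helper written for this page; it is not part of the thread, HijackThis or DDS. It percent-decodes Internet Explorer search settings found in HijackThis R0/R1 lines and DDS pseudo-HJT lines, flags the ones that only became readable after decoding, and lists entries that still point at a file marked "(file missing)". The sample log lines are constructed from entries in the logs above, and the function names and heuristics are my own.

```python
"""Triage helper for HijackThis-style and DDS pseudo-HJT log lines.

Added example for this thread, not a BleepingComputer, Trend Micro or DDS tool.
Two checks, both motivated by the logs posted above:
  1. Percent-decode IE search settings and report the ones whose value was
     hidden behind %XX escapes (the SearchAssistant hijack in this thread).
  2. List entries that point at a file HijackThis reported as "(file missing)",
     which are orphaned registrations worth a second look.
"""
import re
from urllib.parse import unquote

# Constructed sample modelled on lines from the thread's logs (not the full logs).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://%72%69%76%69%65%72%61%2E%63%63
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2071108
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
uSearchAssistant = hxxp://%72%69%76%69%65%72%61%2E%63%63
uSearchURL,(Default) = about:blank
"""

# "R0 - <registry key> = <value>" / "R1 - ..." lines as written by HijackThis.
HJT_SETTING = re.compile(r"^R[01] - (?P<key>.+?) = (?P<value>.*)$")
# "uSearchAssistant = ..." style lines from the DDS pseudo-HJT report
# (u = current user hive, m = local machine hive).
DDS_SETTING = re.compile(r"^(?P<key>[um]\S+) = (?P<value>.*)$")
PERCENT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")
FILE_MISSING = "(file missing)"


def decode_percent(value: str) -> str:
    """Undo %XX escaping; a value with no escapes comes back unchanged."""
    return unquote(value)


def triage(log_text: str) -> list:
    """Scan log lines and return a list of finding dicts, in log order."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue

        match = HJT_SETTING.match(line) or DDS_SETTING.match(line)
        if match and "search" in match.group("key").lower():
            raw = match.group("value")
            decoded = decode_percent(raw)
            # Only report a search setting whose hostname/path was hidden
            # behind percent escapes; plain URLs are left to the analyst.
            if PERCENT_ESCAPE.search(raw) and decoded != raw:
                findings.append({
                    "kind": "obfuscated_search_setting",
                    "line": lineno,
                    "key": match.group("key"),
                    "raw": raw,
                    "decoded": decoded,
                })
            continue

        if line.endswith(FILE_MISSING):
            # The path is the last " - " separated field, minus the marker.
            path = line.rsplit(" - ", 1)[-1][: -len(FILE_MISSING)].strip()
            findings.append({"kind": "file_missing", "line": lineno, "path": path})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        if f["kind"] == "obfuscated_search_setting":
            print(f"line {f['line']}: {f['key']} -> {f['decoded']} (was {f['raw']})")
        else:
            print(f"line {f['line']}: entry points at missing file {f['path']}")
```

Run against the constructed sample, the helper reports the SearchAssistant value decoded to riviera.cc from both the HijackThis and the DDS form, and lists the two orphaned "(file missing)" registrations; a plain search URL such as the Dell/Google default page is not reported, since percent escapes on an ASCII hostname are the signal here, not the mere presence of a search setting.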


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,648 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:06:06 AM

Posted 29 November 2009 - 08:41 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
Please be patient and I'd be grateful if you would note the following
  • The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
In the meantime, please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new DDS log
  • GMER log


Please give me some time to review your logs and take the steps necessary with you to get your machine back in working order, clean and free of malware.

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft

 

animinionsmalltext.gif


#3 eddnewcon

eddnewcon
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:11:06 PM

Posted 29 November 2009 - 11:41 PM

Hi Elise,

Thank you for your reply. I just got back from vacation and will send you the DDS and GMER log tomorrow.

eddnewcon

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,648 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:06:06 AM

Posted 30 November 2009 - 05:00 AM

Okay, I will wait for that :(

regards, Elise



#5 eddnewcon

eddnewcon
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:11:06 PM

Posted 30 November 2009 - 09:18 PM

Hi Elise,

Sorry for the late reply. It took me 6 hours to do the GMER log. Please see below the DDS log and GMER log.

I use Windows XP and Norton 360 for protection. When I do a Yahoo or Google search and click on a link, the browser (either IE or Firefox, in safe mode or not) goes to a page that is not what I clicked on. The redirected sites seem random. I tried to clean it with Adware, Malwarebytes, Superantispyware and Spybot but with no success.


DDS (Ver_09-11-29.01) - NTFSx86
Run by EDDIE KAM at 11:42:50.70 on Mon 11/30/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3061.2104 [GMT -8:00]

AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PVSW\bin\w3dbsmgr.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe
C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe
C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Intuit\QUC25A~1\QBDBMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\EDDIE KAM\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.yahoo.com/
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uSearchAssistant = hxxp://%72%69%76%69%65%72%61%2E%63%63
uSearchURL,(Default) = about:blank
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.5.2.11\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\3.5.2.11\IPSBHO.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.5.2.11\coIEPlg.dll
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [WD Button Manager] WDBtnMgr.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [pdfFactory Dispatcher v1] c:\windows\system32\spool\drivers\w32x86\3\fppdis1.exe
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Trusted Zone: ameritrade.com
Trusted Zone: tdameritrade.com
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0DD4833D-DFFA-11D3-94D7-0050DAC353B6} - hxxp://www.ofoto.com/OfotoDND.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {40F8967E-34A6-474A-837A-CEC1E7DAC54C} - hxxps://accounting.quickbooks.com/c3/v15.591/qboax9.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.3.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} - hxxps://accounting.quickbooks.com/c3/v16.608/qboax10.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {8CE3BAE6-AB66-40B6-9019-41E5282FF1E2} - hxxps://accounting.quickbooks.com/v12.289/qboax8.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A80D199B-CFDD-4DA4-8C47-2310D5B8DD97} - hxxps://accounting.quickbooks.com/v7.572/qboax5.cab
DPF: {CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.3.1/jinstall-131_02-win.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.3.2.cab
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\3.5.2.11\CoIEPlg.dll
Notify: !SASWinLogon -
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\eddiek~1\applic~1\mozilla\firefox\profiles\3ha22l5b.default\
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-11-17 64288]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0305020.00b\SymEFA.sys [2009-11-6 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0305020.00b\BHDrvx86.sys [2009-11-6 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0305020.00b\cchpx86.sys [2009-11-6 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20091111.001\IDSXpx86.sys [2009-11-12 329592]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-11-11 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-11 74480]
R2 N360;Norton 360;c:\program files\norton 360\engine\3.5.2.11\ccSvcHst.exe [2009-11-6 117640]
R2 psqlWGE;Pervasive PSQL Workgroup Engine;c:\pvsw\bin\w3dbsmgr.exe -service -srde --> c:\pvsw\bin\w3dbsmgr.exe -service -srde [?]
R2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [2009-11-8 46768]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-27 102448]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20091130.004\NAVENG.SYS [2009-11-30 84912]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20091130.004\NAVEX15.SYS [2009-11-30 1323568]
S2 Ias;Windows Protected Network;c:\windows\system32\svchost.exe -k netsvcs [2004-8-10 14336]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1184912]
S2 win;wins;c:\windows\system32\svchost.exe -k netsvcs [2004-8-10 14336]
S3 Intuit Fuse Service;Intuit Fuse Service;c:\program files\common files\intuit\fuse\service\Intuit Fuse Service.exe [2004-1-14 82944]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-11 7408]

=============== Created Last 30 ================

2009-11-26 01:14:52 0 d-sh--w- c:\documents and settings\eddie kam\PrivacIE
2009-11-26 01:14:51 0 d-sh--w- c:\documents and settings\eddie kam\IECompatCache
2009-11-24 18:38:24 0 d-----w- c:\docume~1\alluse~1\applic~1\{1C6FDDD8-FC9E-4C12-9FA5-1AAD377097B3}
2009-11-23 23:30:56 0 d-----w- c:\program files\Trend Micro
2009-11-19 22:42:26 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-11-19 22:42:26 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-11-17 22:48:10 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-17 22:34:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-11-17 22:34:48 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-17 22:32:30 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-17 22:32:10 0 d-----w- c:\program files\Lavasoft
2009-11-13 18:40:52 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-11-13 18:40:39 0 d-----w- c:\program files\SUPERAntiSpyware
2009-11-13 18:40:39 0 d-----w- c:\docume~1\eddiek~1\applic~1\SUPERAntiSpyware.com
2009-11-13 18:39:57 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-11-12 20:40:27 0 d-----w- c:\docume~1\eddiek~1\applic~1\Malwarebytes
2009-11-12 20:40:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-12 20:40:18 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-12 20:40:18 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-12 20:40:17 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-12 18:59:38 53472 ----a-w- c:\windows\system32\dllcache\wuauclt.exe
2009-11-12 18:58:41 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-11 01:46:52 0 d-----w- C:\de5486bc4a4cca47ad6c312d3b517a
2009-11-11 01:45:53 0 d-----w- C:\93508121da5efe588827a98d
2009-11-11 01:44:55 0 d-----w- C:\0f1cb1d1b43b1b8cf41bc98c27946c00
2009-11-09 00:11:34 46768 ----a-w- c:\windows\system32\drivers\pxrts.sys
2009-11-09 00:11:10 0 d-----w- c:\docume~1\alluse~1\applic~1\PrevxCSI
2009-11-07 02:08:15 33280 ----a-w- c:\windows\system32\rundll32.exe
2009-11-07 02:08:15 33280 ----a-w- c:\windows\system32\dllcache\rundll32.exe
2009-11-06 19:43:32 0 d-----r- c:\program files\Norton Support
2009-11-06 19:06:02 52 ----a-w- c:\windows\system32\E.tmp
2009-11-06 19:03:38 0 ----a-w- c:\windows\kbdnet.dll
2009-11-06 14:15:49 187188 ----a-w- c:\windows\system32\syslog.dat
2009-11-05 20:16:38 52 ----a-w- c:\windows\system32\D.tmp
2009-11-05 18:34:26 52 ----a-w- c:\windows\system32\4.tmp
2009-11-05 18:21:49 52 ----a-w- c:\windows\system32\2.tmp
2009-11-05 18:15:12 535781 ----a-w- c:\windows\system32\17e3db2.dll
2009-11-05 13:22:58 6144 ----a-w- c:\windows\system32\WinRAR.dll
2009-11-05 13:21:28 350 ----a-w- c:\windows\system32\uses32.dat
2009-11-05 13:21:28 100 ----a-w- c:\windows\system32\flags.ini
2009-11-05 13:19:47 0 ----a-w- c:\windows\system32\C.tmp
2009-11-05 13:19:41 868 ----a-w- c:\windows\system32\730221.exe
2009-11-05 13:19:34 0 ----a-w- c:\windows\SC.INS
2009-11-04 21:05:26 0 d-----w- c:\docume~1\alluse~1\applic~1\c3d1ce8
2009-11-04 18:36:37 0 d-sh--w- c:\documents and settings\eddie kam\IETldCache

==================== Find3M ====================

2009-11-06 23:14:12 2170880 ----a-w- c:\windows\MicCal.exe
2009-11-06 23:14:08 26624 ----a-w- c:\windows\keyhh.exe
2009-11-06 23:07:56 90112 -c--a-w- c:\windows\unvise32qt.exe
2009-11-06 23:07:56 51712 -c--a-w- c:\windows\unwash.exe
2009-11-06 23:07:55 60092 -c--a-w- c:\windows\uneng.exe
2009-11-06 23:01:16 313856 ----a-w- c:\windows\IsUninst.exe
2009-11-06 23:01:15 40960 -c--a-w- c:\windows\Q330994.exe
2009-11-06 23:01:14 86016 -c--a-w- c:\windows\pviewm.exe
2009-11-06 23:01:14 57856 -c--a-w- c:\windows\paycopy.exe
2009-11-06 23:01:13 49152 -c--a-w- c:\windows\NCUNINST.EXE
2009-11-06 23:01:13 40960 -c--a-w- c:\windows\oeuninst.exe
2009-11-06 23:01:12 40448 ----a-w- c:\windows\muninst.exe
2009-11-06 22:50:02 40960 -c--a-w- c:\windows\ieuninst.exe
2009-11-06 22:48:17 28672 -c--a-w- c:\windows\fntfresh.exe
2009-11-06 22:48:16 61952 -c--a-w- c:\windows\EasyPhoto Slide Show.scr
2009-11-06 22:48:16 20480 -c--a-w- c:\windows\espurge.exe
2009-11-06 22:47:28 45056 -c--a-w- c:\windows\AolCInUn.exe
2009-11-06 22:47:22 2818048 ----a-w- c:\windows\ALCWZRD.EXE
2009-11-06 22:47:16 1826816 ----a-w- c:\windows\SkyTel.exe
2009-11-06 22:47:13 73728 ----a-w- c:\windows\ALCMTR.EXE
2009-11-06 22:47:12 100952 -c--a-w- c:\windows\setpwr32.exe
2009-11-06 22:47:09 53248 -c--a-w- c:\windows\setdebug.exe
2009-11-06 22:45:35 1196032 ----a-w- c:\windows\RtlUpd.exe
2009-11-06 22:45:33 9723904 ----a-w- c:\windows\RTLCPL.EXE
2009-11-06 22:45:20 118784 -c--a-w- c:\windows\csasvc.exe
2009-11-06 22:44:54 90112 ----a-w- c:\windows\SOUNDMAN.EXE
2009-11-06 22:11:16 1343488 ----a-w- c:\windows\sview.exe
2009-11-06 21:47:10 126976 ----a-w- c:\windows\system32\winmine.exe
2009-11-06 20:58:14 39424 ----a-w- c:\windows\system32\wupdmgr.exe
2009-11-06 20:08:14 35840 ------w- c:\windows\system32\verclsid.exe
2009-11-06 19:50:12 545792 ----a-w- c:\windows\system32\spider.exe
2009-11-06 19:50:10 134144 ----a-w- c:\windows\system32\mshearts.exe
2009-11-06 19:33:58 38912 ----a-w- c:\windows\system32\ntsd.exe
2009-11-06 19:33:36 36864 ----a-w- c:\windows\system32\mnmsrvc.exe
2009-11-06 19:33:35 148480 ----a-w- c:\windows\system32\sessmgr.exe
2009-11-06 19:33:35 139776 ----a-w- c:\windows\system32\rsvp.exe
2009-11-06 19:33:35 133632 ----a-w- c:\windows\system32\wbem\wmiapsrv.exe
2009-11-06 19:33:34 296960 ----a-w- c:\windows\system32\vssvc.exe
2009-11-06 19:33:33 13312 ----a-w- c:\windows\system32\msdtc.exe
2009-11-06 19:30:09 12800 ----a-w- c:\windows\system32\write.exe
2009-11-06 19:30:03 306688 ----a-w- c:\windows\uninst.exe
2009-11-06 19:30:00 1142784 ----a-w- c:\windows\system32\ntbackup.exe
2009-11-06 19:29:54 235008 ----a-w- c:\windows\system32\wbem\wmiprvse.exe.tmp
2009-11-06 19:29:33 24576 ----a-w- c:\windows\system32\ControlSuite.exe
2009-11-06 19:29:05 339968 ----a-w- c:\windows\system32\WDBtnMgr.exe
2009-11-06 19:29:00 16141824 ----a-w- c:\windows\RTHDCPL.EXE
2009-11-06 19:27:29 428032 ----a-w- c:\windows\system32\ntvdm.exe
2009-11-06 19:25:37 142848 ----a-w- c:\windows\system32\taskmgr.exe
2009-11-06 19:23:15 46080 ----a-w- c:\windows\system32\userinit.exe
2009-11-06 19:23:06 52736 ----a-w- c:\windows\system32\drwtsn32.exe
2009-11-06 19:17:55 521728 ----a-w- c:\windows\system32\logonui.exe
2009-10-22 09:19:04 5939712 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-07-17 23:11:33 190 ----a-w- c:\program files\common files\psasetup.log
2004-04-19 10:10:18 65668 -c--a-w- c:\program files\common files\CABINET.DLL
2004-04-19 10:10:18 303236 -c--a-w- c:\program files\common files\setup.dll
2004-04-19 10:10:18 180356 -c--a-w- c:\program files\common files\IGdi.dll
2004-04-19 06:35:10 368640 -c--a-w- c:\program files\common files\_setup7int.dll
2004-04-19 06:35:08 147456 -c--a-w- c:\program files\common files\_setup7.dll
2004-04-19 06:35:04 380928 -c--a-w- c:\program files\common files\_setup2kint.dll
2004-04-19 06:35:02 159744 -c--a-w- c:\program files\common files\_setup2k.dll
2003-01-23 16:57:54 207759 -c--a-w- c:\program files\INSTALL.LOG

============= FINISH: 11:44:51.03 ===============

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-30 18:16:26
Windows 5.1.2600 Service Pack 3
Running: 2h2pnbn5.exe; Driver: C:\DOCUME~1\EDDIEK~1\LOCALS~1\Temp\kxdiypow.sys


---- System - GMER 1.0.15 ----

SSDT 8ABC9428 ZwAlertResumeThread
SSDT 8A561D80 ZwAlertThread
SSDT 8ABFBDB8 ZwAllocateVirtualMemory
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwAssignProcessToJobObject [0xB8BAF1CC]
SSDT 8AE29978 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xA7972130]
SSDT 8ABCC928 ZwCreateMutant
SSDT 8A5A2AC0 ZwCreateSymbolicLinkObject
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwCreateThread [0xB8BAF206]
SSDT 8ABDCB90 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xA79723B0]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA7972910]
SSDT 8ABEF6A0 ZwDuplicateObject
SSDT 8ABB7DB8 ZwFreeVirtualMemory
SSDT 8ABEF668 ZwImpersonateAnonymousToken
SSDT 8ABD5D80 ZwImpersonateThread
SSDT 8AC1E5F8 ZwLoadDriver
SSDT 8ABD38E8 ZwMapViewOfSection
SSDT 8ABD3D80 ZwOpenEvent
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwOpenProcess [0xB8BAF51A]
SSDT 8AE2F4F8 ZwOpenProcessToken
SSDT 8ABC6290 ZwOpenSection
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwOpenThread [0xB8BAF3F6]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwProtectVirtualMemory [0xB8BAF292]
SSDT 8AC2C260 ZwResumeThread
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwSetContextThread [0xB8BAF18E]
SSDT 8ABF12B8 ZwSetInformationProcess
SSDT 8ABB9378 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xA7972B60]
SSDT 8ABDBD80 ZwSuspendProcess
SSDT 8ABB2810 ZwSuspendThread
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwTerminateProcess [0xB8BAF64E]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwTerminateThread [0xB8BAF316]
SSDT 8AE04718 ZwUnmapViewOfSection
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwWriteVirtualMemory [0xB8BAF34E]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2D74 80504610 4 Bytes CALL 82DB034D
.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xB9F477AC]
? SYMEFA.SYS The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device Cdfs.SYS (CD-ROM File System Driver/Microsoft Corporation)
Device DLAIFS_M.SYS (Drive Letter Access Component/Roxio)
Device \Driver\00002052 -> \Driver\atapi \Device\Harddisk0\DR0 8AF2B50C

---- Registry - GMER 1.0.15 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion@\xb9\xb1\xb8 1

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
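
The two GMER lines that matter here are the `.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section` entry under "Kernel code sections" and the `\Driver\00002052 -> \Driver\atapi \Device\Harddisk0\DR0` entry under "Devices". A driver produced by a compiler starts executing in a code section (normally `.text`); `.rsrc` holds icons, strings and version data and is never marked as code, so an entry point that resolves into it means the file was patched after it was built. The script below is an added example, not GMER's code and not part of this thread: it reads the PE headers, finds which section `AddressOfEntryPoint` falls in, and flags the case GMER reported. The clean and patched images it checks are constructed in memory (a two-section PE32 fixture, not a real driver) so it runs offline; `check_file()` applies the same test to a real `.sys`, and `same_file()` is the companion check of hashing the live driver against the copy Windows XP keeps under `ServicePackFiles\i386` or `system32\dllcache`.

```python
"""Report which PE section a driver's entry point lands in.

Added example for this thread; it is not GMER's code and not part of the
original post. A driver built by a compiler starts in an executable code
section (normally .text). An entry point inside .rsrc, as GMER reported
for atapi.sys above, means the file was patched after it was built.
The images checked in __main__ are constructed in memory so the script
runs offline; use check_file() on a real .sys.
"""
import hashlib
import struct

# Section characteristic flags from the PE specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000


def parse_sections(image: bytes):
    """Return (AddressOfEntryPoint, [(name, rva, virtual_size, characteristics), ...])."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe_off + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]   # same offset for PE32 and PE32+
    table = opt + opt_size
    sections = []
    for i in range(num_sections):
        name, vsize, rva, _, _, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", image, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), rva, vsize, chars))
    return entry_rva, sections


def entry_point_section(image: bytes):
    """(name, characteristics) of the section containing the entry point, or (None, 0)."""
    entry_rva, sections = parse_sections(image)
    for name, rva, vsize, chars in sections:
        if rva <= entry_rva < rva + vsize:
            return name, chars
    return None, 0


def classify(image: bytes) -> str:
    """'ok: ...' when the entry point is in an executable code section, else 'suspicious: ...'."""
    name, chars = entry_point_section(image)
    if name is None:
        return "suspicious: entry point outside every section"
    executable = chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_CNT_CODE
    if name == ".rsrc" or not executable:
        return f"suspicious: entry point in {name} (characteristics 0x{chars:08X})"
    return f"ok: entry point in {name}"


def check_file(path: str) -> str:
    """Run the entry-point check on a file on disk."""
    with open(path, "rb") as f:
        return classify(f.read())


def same_file(path_a: str, path_b: str) -> bool:
    """True when both files hash identically, e.g. the live atapi.sys against the
    copy in ServicePackFiles\\i386; a mismatch on a file Windows has not updated
    is a second sign of tampering."""
    with open(path_a, "rb") as a, open(path_b, "rb") as b:
        return hashlib.sha256(a.read()).digest() == hashlib.sha256(b.read()).digest()


def build_image(entry_rva: int) -> bytes:
    """Constructed minimal PE32 image (test fixture, not a real driver) with a
    .text section at RVA 0x1000 and a .rsrc section at RVA 0x2000."""
    sections = [
        (b".text", 0x1000, 0x1000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b".rsrc", 0x2000, 0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    ]
    pe_off, opt_size = 0x80, 0xE0
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", pe_off)).ljust(pe_off, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)     # AddressOfEntryPoint
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, rva, vs, 0, 0, 0, 0, 0, ch)
                     for n, rva, vs, ch in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    print("clean   :", classify(build_image(0x1200)))   # entry point inside .text
    print("patched :", classify(build_image(0x2080)))   # entry point inside .rsrc
```

One caveat a practitioner would want: the "Devices" line above shows something sitting between the atapi driver and `\Device\Harddisk0\DR0`, so a read of `atapi.sys` issued on the running system may be answered with a clean copy and both checks will pass. Run them from offline media (the Recovery Console, a boot CD, or the disk mounted in another machine) before trusting a negative result.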

#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,648 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:06:06 AM

Posted 01 December 2009 - 04:38 AM

Hello eddnewcon,

You have a nasty rootkit which is causing these redirects. Please consider the following first...

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


COMBOFIX
---------------
Please download ComboFix from one of these locations: Bleepingcomputer, ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


In your next reply, please include the following:
  • Combofix.txt

regards, Elise


#7 eddnewcon

eddnewcon
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:11:06 PM

Posted 01 December 2009 - 02:37 PM

Hi Elise,

Thank you for your advice. I still would like to give it a try. I ran ComboFix and here is the log:

ComboFix 09-12-01.01 - EDDIE KAM 12/01/2009 10:56.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3061.2434 [GMT -8:00]
Running from: c:\documents and settings\EDDIE KAM\Desktop\ComboFix.exe
AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\INSTALL.LOG
c:\program files\TBONAS
c:\program files\TBONAS\bestoffers_icon_01.ico
c:\program files\TBONAS\grb12.rtk
c:\recycler\NPROTECT
c:\windows\ALCMTR.EXE
c:\windows\Install.txt
c:\windows\kbdnet.dll
c:\windows\struct~.ini
c:\windows\sview.exe
c:\windows\system32\730221.exe
c:\windows\system32\bszip.dll
c:\windows\system32\flags.ini
c:\windows\system32\im64.dll
c:\windows\system32\Install.txt
c:\windows\system32\system
c:\windows\system32\uses32.dat
c:\windows\system32\WinRAR.dll
c:\windows\twain_16.dll
G:\Autorun.inf

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\atapi.sys

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\userinit.exe

c:\windows\inf\unregmp2.exe . . . is infected!!

c:\windows\system32\drwtsn32.exe . . . is infected!!

Infected copy of c:\windows\system32\logonui.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\logonui.exe

Infected copy of c:\windows\system32\mnmsrvc.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\mnmsrvc.exe

Infected copy of c:\windows\system32\msdtc.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\msdtc.exe

c:\windows\system32\mshearts.exe . . . is infected!!

c:\windows\system32\ntsd.exe . . . is infected!!

Infected copy of c:\windows\system32\ntvdm.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\ntvdm.exe

c:\windows\system32\rsvp.exe . . . is infected!!

Infected copy of c:\windows\system32\sessmgr.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\sessmgr.exe

Infected copy of c:\windows\system32\spider.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\spider.exe

Infected copy of c:\windows\system32\taskmgr.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\taskmgr.exe

Infected copy of c:\windows\system32\vssvc.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\vssvc.exe

c:\windows\system32\winmine.exe . . . is infected!!

c:\windows\system32\write.exe . . . is infected!!

c:\windows\system32\wupdmgr.exe . . . is infected!!

Infected copy of c:\windows\system32\wbem\wmiapsrv.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\wmiapsrv.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_.NET_CLR
-------\Legacy_6TO4
-------\Legacy_IAS
-------\Legacy_NETLOGIN
-------\Legacy_WIN
-------\Service_6to4
-------\Service_Ias
-------\Service_win


((((((((((((((((((((((((( Files Created from 2009-11-01 to 2009-12-01 )))))))))))))))))))))))))))))))
.

2009-12-01 19:16 . 2009-08-22 08:26 165240 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
2009-12-01 17:36 . 2009-11-06 11:28 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091201.006\NAVENG.SYS
2009-12-01 17:36 . 2009-11-06 11:28 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091201.006\EECTRL.SYS
2009-12-01 17:36 . 2009-11-06 11:28 259440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091201.006\ECMSVR32.DLL
2009-12-01 17:36 . 2009-11-06 11:28 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091201.006\NAVENG32.DLL
2009-12-01 17:36 . 2009-11-06 11:28 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091201.006\NAVEX32A.DLL
2009-12-01 17:36 . 2009-11-06 11:28 1323568 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091201.006\NAVEX15.SYS
2009-12-01 17:36 . 2009-11-06 11:28 102448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091201.006\ERASER.SYS
2009-12-01 17:36 . 2009-11-06 11:28 2747952 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091201.006\CCERASER.DLL
2009-11-26 01:14 . 2009-11-26 01:14 -------- d-sh--w- c:\documents and settings\EDDIE KAM\PrivacIE
2009-11-26 01:14 . 2009-11-26 01:14 -------- d-sh--w- c:\documents and settings\EDDIE KAM\IECompatCache
2009-11-24 18:38 . 2009-11-24 18:38 -------- d-----w- c:\documents and settings\All Users\Application Data\{1C6FDDD8-FC9E-4C12-9FA5-1AAD377097B3}
2009-11-23 23:30 . 2009-11-23 23:30 -------- d-----w- c:\program files\Trend Micro
2009-11-19 22:42 . 2009-11-19 23:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-19 22:42 . 2009-11-19 22:46 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-19 19:35 . 2009-11-19 19:35 0 ----a-w- c:\windows\nsreg.dat
2009-11-19 19:35 . 2009-11-19 19:35 -------- d-----w- c:\documents and settings\EDDIE KAM\Local Settings\Application Data\Mozilla
2009-11-19 19:35 . 2009-11-06 19:16 554352 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
2009-11-18 20:23 . 2009-11-18 20:23 205576 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManagerPatch.exe
2009-11-18 20:23 . 2009-11-18 20:23 1087240 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManager.exe
2009-11-18 20:18 . 2009-11-18 20:18 816392 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2007\Components\DownloadQB17\Patch\qbpatch2.exe
2009-11-17 22:48 . 2009-11-17 22:34 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-17 22:33 . 2009-11-23 22:07 1638640 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-11-17 22:33 . 2009-11-23 22:07 788880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-11-17 22:33 . 2009-11-23 22:07 1184912 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-11-17 22:32 . 2009-11-17 22:32 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-17 22:32 . 2009-10-03 08:15 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-11-17 22:32 . 2009-11-17 22:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-11-17 22:32 . 2009-11-17 22:32 -------- d-----w- c:\program files\Lavasoft
2009-11-13 18:41 . 2009-11-23 20:35 117760 ----a-w- c:\documents and settings\EDDIE KAM\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-13 18:40 . 2009-11-13 18:40 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-13 18:40 . 2009-11-17 18:41 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-13 18:40 . 2009-11-13 18:40 -------- d-----w- c:\documents and settings\EDDIE KAM\Application Data\SUPERAntiSpyware.com
2009-11-13 18:39 . 2009-11-13 18:39 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-12 20:58 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091111.001\IDSvix86.sys
2009-11-12 20:58 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091111.001\IDSXpx86.sys
2009-11-12 20:58 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091111.001\Scxpx86.dll
2009-11-12 20:58 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091111.001\IDSxpx86.dll
2009-11-12 20:58 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091111.001\IDSviA64.sys
2009-11-12 20:40 . 2009-11-12 20:40 -------- d-----w- c:\documents and settings\EDDIE KAM\Application Data\Malwarebytes
2009-11-12 20:40 . 2009-09-10 22:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-12 20:40 . 2009-11-12 20:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-12 20:40 . 2009-09-10 22:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-12 20:40 . 2009-11-12 20:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-12 18:59 . 2009-08-07 03:24 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-11-12 18:59 . 2009-08-07 03:24 53472 ----a-w- c:\windows\system32\dllcache\wuauclt.exe
2009-11-12 18:58 . 2009-11-03 04:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-11 01:46 . 2009-11-11 01:47 -------- d-----w- C:\de5486bc4a4cca47ad6c312d3b517a
2009-11-11 01:45 . 2009-11-11 01:46 -------- d-----w- C:\93508121da5efe588827a98d
2009-11-11 01:44 . 2009-11-11 01:45 -------- d-----w- C:\0f1cb1d1b43b1b8cf41bc98c27946c00
2009-11-10 18:57 . 2009-11-10 18:57 849184 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2008\Components\DownloadQB18\Patch\qbpatch.exe
2009-11-10 18:16 . 2009-11-10 18:16 496944 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\mlrsa10.dll
2009-11-10 18:16 . 2009-11-10 18:16 263472 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\mlcrsa10.dll
2009-11-10 18:16 . 2009-11-10 18:16 423216 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dbmlsync.exe
2009-11-10 18:16 . 2009-11-10 18:16 787760 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dblgen10.dll
2009-11-10 18:16 . 2009-11-10 18:16 570672 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\mlhttps10.dll
2009-11-10 18:16 . 2009-11-10 18:16 296240 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\mlsock10.dll
2009-11-10 18:16 . 2009-11-10 18:16 1152304 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dbtool10.dll
2009-11-10 18:16 . 2009-11-10 18:16 763184 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dblib10.dll
2009-11-10 18:16 . 2009-11-10 18:16 398640 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dbcon10.dll
2009-11-09 00:11 . 2009-11-09 00:11 46768 ----a-w- c:\windows\system32\drivers\pxrts.sys
2009-11-09 00:11 . 2009-11-09 00:11 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI
2009-11-07 02:08 . 2004-08-04 08:56 33280 ----a-w- c:\windows\system32\rundll32.exe
2009-11-07 02:08 . 2004-08-04 08:56 33280 ----a-w- c:\windows\system32\dllcache\rundll32.exe
2009-11-06 19:43 . 2009-11-06 19:43 -------- d-----r- c:\program files\Norton Support
2009-11-06 19:43 . 2009-11-06 19:43 -------- d-----w- c:\documents and settings\EDDIE KAM\Local Settings\Application Data\Symantec
2009-11-06 14:15 . 2009-11-12 20:44 187188 ----a-w- c:\windows\system32\syslog.dat
2009-11-05 18:15 . 2009-11-05 18:15 535781 ----a-w- c:\windows\system32\17e3db2.dll
2009-11-05 13:21 . 2009-11-05 13:21 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-11-04 21:05 . 2009-11-04 21:05 -------- d-----w- c:\documents and settings\All Users\Application Data\c3d1ce8
2009-11-04 18:36 . 2009-11-04 18:36 -------- d-sh--w- c:\documents and settings\EDDIE KAM\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-01 09:00 . 2007-11-14 02:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Retrospect
2009-12-01 00:12 . 2007-11-14 03:08 -------- d-----w- c:\program files\Britannica
2009-11-30 19:42 . 2008-03-22 16:50 24657 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2008\qbbackup.sys
2009-11-24 21:50 . 2007-11-14 04:02 -------- d-----w- c:\program files\RealRhapsody
2009-11-24 20:28 . 2009-07-21 01:21 -------- d-----w- c:\program files\Symantec
2009-11-24 02:05 . 2008-01-09 23:35 21720 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2007\qbbackup.sys
2009-11-23 22:08 . 2009-11-17 22:34 862040 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-11-23 22:08 . 2009-11-17 22:34 206944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-11-23 22:08 . 2009-11-17 22:34 390288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-11-23 22:08 . 2009-11-17 22:34 537576 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2009-11-23 22:08 . 2009-11-17 22:34 370744 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-11-23 22:08 . 2009-11-17 22:34 163728 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-11-23 22:08 . 2009-11-17 22:34 194104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2009-11-23 22:08 . 2009-11-17 22:34 327000 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-11-23 22:08 . 2009-11-17 22:34 87496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-11-23 22:07 . 2009-11-17 22:34 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-11-23 22:07 . 2009-11-17 22:34 641632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-11-23 22:07 . 2009-11-17 22:34 816272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-11-23 22:07 . 2009-11-17 22:34 822904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-11-17 22:34 . 2009-11-17 22:34 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-17 22:34 . 2009-11-17 22:34 93360 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys
2009-11-17 22:34 . 2009-11-17 22:34 554280 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\sbap.dll
2009-11-17 22:34 . 2009-11-17 22:34 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-11-17 22:34 . 2009-11-17 22:34 212480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\VipreBridge.dll
2009-11-17 22:34 . 2009-11-17 22:34 283944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Vipre.dll
2009-11-17 22:34 . 2009-11-17 22:34 1223976 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBTE.dll
2009-11-17 22:34 . 2009-11-17 22:34 242984 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBRE.dll
2009-11-17 22:34 . 2009-11-17 22:34 5908024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-11-12 19:15 . 2007-11-15 01:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-10 19:24 . 2009-03-02 18:16 11838 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\qbbackup.sys
2009-11-06 23:14 . 2007-11-08 21:13 2170880 ----a-w- c:\windows\MicCal.exe
2009-11-06 23:14 . 2009-07-17 23:11 26624 ----a-w- c:\windows\keyhh.exe
2009-11-06 23:07 . 2003-04-16 04:09 51712 -c--a-w- c:\windows\unwash.exe
2009-11-06 23:07 . 2003-01-23 16:54 90112 -c--a-w- c:\windows\unvise32qt.exe
2009-11-06 23:07 . 2003-01-23 17:02 60092 -c--a-w- c:\windows\uneng.exe
2009-11-06 23:01 . 2004-08-10 19:12 313856 ----a-w- c:\windows\IsUninst.exe
2009-11-06 23:01 . 2003-03-03 16:24 40960 -c--a-w- c:\windows\Q330994.exe
2009-11-06 23:01 . 2004-08-26 22:23 86016 -c--a-w- c:\windows\pviewm.exe
2009-11-06 23:01 . 2004-08-26 22:23 57856 -c--a-w- c:\windows\paycopy.exe
2009-11-06 23:01 . 2003-07-07 20:41 40960 -c--a-w- c:\windows\oeuninst.exe
2009-11-06 23:01 . 2003-01-23 16:47 49152 -c--a-w- c:\windows\NCUNINST.EXE
2009-11-06 23:01 . 2004-06-18 21:40 40448 ----a-w- c:\windows\muninst.exe
2009-11-06 22:50 . 2003-03-03 17:24 40960 -c--a-w- c:\windows\ieuninst.exe
2009-11-06 22:48 . 2006-10-02 19:19 28672 -c--a-w- c:\windows\fntfresh.exe
2009-11-06 22:48 . 2006-12-07 23:38 20480 -c--a-w- c:\windows\espurge.exe
2009-11-06 22:48 . 2003-08-05 23:07 61952 -c--a-w- c:\windows\EasyPhoto Slide Show.scr
2009-11-06 22:47 . 2003-01-23 16:52 45056 -c--a-w- c:\windows\AolCInUn.exe
2009-11-06 22:47 . 2007-11-08 21:13 2818048 ----a-w- c:\windows\ALCWZRD.EXE
2009-11-06 22:47 . 2007-11-08 21:13 1826816 ----a-w- c:\windows\SkyTel.exe
2009-11-06 22:47 . 2007-11-08 21:13 100952 -c--a-w- c:\windows\setpwr32.exe
2009-11-06 22:47 . 2003-04-10 17:22 53248 -c--a-w- c:\windows\setdebug.exe
2009-11-06 22:45 . 2007-11-08 21:13 1196032 ----a-w- c:\windows\RtlUpd.exe
2009-11-06 22:45 . 2007-11-08 21:13 9723904 ----a-w- c:\windows\RTLCPL.EXE
2009-11-06 22:45 . 2006-12-07 23:39 118784 -c--a-w- c:\windows\csasvc.exe
2009-11-06 22:44 . 2007-11-08 21:13 90112 ----a-w- c:\windows\SOUNDMAN.EXE
2009-11-06 22:41 . 2004-08-10 19:12 1081344 ----a-w- c:\windows\Help\SBSI\Training\orun32.exe
2009-11-06 21:47 . 2004-08-10 19:01 126976 ----a-w- c:\windows\system32\winmine.exe
2009-11-06 20:58 . 2004-08-10 18:51 39424 ----a-w- c:\windows\system32\wupdmgr.exe
2009-11-06 20:08 . 2007-11-08 21:33 35840 ------w- c:\windows\system32\verclsid.exe
2009-11-06 19:50 . 2004-08-10 19:01 134144 ----a-w- c:\windows\system32\mshearts.exe
2009-11-06 19:33 . 2004-08-10 18:51 38912 ----a-w- c:\windows\system32\ntsd.exe
2009-11-06 19:33 . 2004-08-10 18:51 139776 ----a-w- c:\windows\system32\rsvp.exe
2009-11-06 19:30 . 2004-08-10 19:01 12800 ----a-w- c:\windows\system32\write.exe
2009-11-06 19:30 . 2003-07-01 00:37 306688 ----a-w- c:\windows\uninst.exe
2009-11-06 19:30 . 2001-08-18 05:36 1142784 ----a-w- c:\windows\system32\ntbackup.exe
2009-11-06 19:29 . 2004-08-10 19:01 235008 ----a-w- c:\windows\system32\wbem\wmiprvse.exe.tmp
2009-11-06 19:29 . 2002-09-09 21:05 24576 ----a-w- c:\windows\system32\ControlSuite.exe
2009-11-06 19:29 . 2005-09-22 21:50 339968 ----a-w- c:\windows\system32\WDBtnMgr.exe
2009-11-06 19:29 . 2007-11-08 21:13 16141824 ----a-w- c:\windows\RTHDCPL.EXE
2009-11-06 19:23 . 2004-08-10 18:51 52736 ----a-w- c:\windows\system32\drwtsn32.exe
2009-11-06 19:06 . 2009-11-06 19:06 52 ----a-w- c:\windows\system32\E.tmp
2009-11-05 20:16 . 2009-11-05 20:16 52 ----a-w- c:\windows\system32\D.tmp
2009-11-05 20:14 . 2007-11-14 03:07 -------- d-----w- c:\program files\ATX2001
2009-11-05 18:34 . 2009-11-05 18:34 52 ----a-w- c:\windows\system32\4.tmp
2009-11-05 18:21 . 2009-11-05 18:21 52 ----a-w- c:\windows\system32\2.tmp
2009-11-05 13:19 . 2009-11-05 13:19 0 ----a-w- c:\windows\system32\C.tmp
2009-11-02 19:23 . 2007-11-14 00:28 113752 ----a-w- c:\documents and settings\EDDIE KAM\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-02 19:06 . 2007-11-08 21:42 -------- d-----w- c:\program files\Microsoft Works
2009-10-28 22:37 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSvix86.sys
2009-10-28 22:37 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSXpx86.sys
2009-10-28 22:37 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\Scxpx86.dll
2009-10-28 22:37 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSxpx86.dll
2009-10-28 22:37 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSviA64.sys
2009-10-21 19:17 . 2007-11-14 02:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit
2009-10-20 19:56 . 2007-11-14 04:00 -------- d-----w- c:\program files\QUICKENW
2009-10-20 00:44 . 2007-11-08 21:42 -------- d-----w- c:\program files\Common Files\Adobe
2009-09-23 12:55 . 2009-11-17 22:34 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-09-11 14:18 . 2004-08-10 18:51 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-08-10 18:51 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-07-17 23:11 . 2009-07-17 23:10 190 ----a-w- c:\program files\Common Files\psasetup.log
2004-04-19 10:10 . 2006-07-20 17:23 303236 -c--a-w- c:\program files\Common Files\setup.dll
2004-04-19 10:10 . 2006-07-20 17:23 65668 -c--a-w- c:\program files\Common Files\CABINET.DLL
2004-04-19 10:10 . 2006-07-20 17:23 180356 -c--a-w- c:\program files\Common Files\IGdi.dll
2004-04-19 06:35 . 2006-07-20 17:23 368640 -c--a-w- c:\program files\Common Files\_setup7int.dll
2004-04-19 06:35 . 2006-07-20 17:23 147456 -c--a-w- c:\program files\Common Files\_setup7.dll
2004-04-19 06:35 . 2006-07-20 17:23 380928 -c--a-w- c:\program files\Common Files\_setup2kint.dll
2004-04-19 06:35 . 2006-07-20 17:23 159744 -c--a-w- c:\program files\Common Files\_setup2k.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup" [X]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
"pdfFactory Dispatcher v1"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis1.exe" [2009-11-06 368640]
"WD Button Manager"="WDBtnMgr.exe" - c:\windows\system32\WDBtnMgr.exe [2009-11-06 339968]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-11-06 16141824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-04-25 19:40 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"c:\\Program Files\\Intuit\\QuickBooks Enterprise Solutions 8.0\\QBDBMgrN.exe"=
"c:\\Program Files\\Intuit\\QuickBooks Enterprise Solutions 7.0\\QBDBMgrN.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\PVSW\\bin\\w3dbsmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/17/2009 2:34 PM 64288]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0305020.00B\SymEFA.sys [11/6/2009 11:16 AM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0305020.00B\BHDrvx86.sys [11/6/2009 11:16 AM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0305020.00B\cchpx86.sys [11/6/2009 11:16 AM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091111.001\IDSXpx86.sys [11/12/2009 12:58 PM 329592]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/11/2009 10:44 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/11/2009 10:44 AM 74480]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 3:17 AM 1184912]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe [11/6/2009 11:16 AM 117640]
R2 psqlWGE;Pervasive PSQL Workgroup Engine;c:\pvsw\bin\w3dbsmgr.exe -service -srde --> c:\pvsw\bin\w3dbsmgr.exe -service -srde [?]
R2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [11/8/2009 4:11 PM 46768]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/27/2009 8:19 AM 102448]
S3 Intuit Fuse Service;Intuit Fuse Service;c:\program files\Common Files\Intuit\Fuse\Service\Intuit Fuse Service.exe [1/14/2004 11:49 AM 82944]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/11/2009 10:44 AM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
.Net CLR REG_MULTI_SZ .Net CLR

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uSearchURL,(Default) = about:blank
Trusted Zone: ameritrade.com
Trusted Zone: tdameritrade.com
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {0DD4833D-DFFA-11D3-94D7-0050DAC353B6} - hxxp://www.ofoto.com/OfotoDND.cab
FF - ProfilePath - c:\documents and settings\EDDIE KAM\Application Data\Mozilla\Firefox\Profiles\3ha22l5b.default\
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
HKLM-Run-WinPatrol - c:\program files\BillP Studios\WinPatrol\winpatrol.exe
Notify-!SASWinLogon - (no file)
AddRemove-Ad-Aware - c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe REMOVE=TRUE MODIFY=FALSE
AddRemove-QcDrv - c:\program files\Common Files\Logitech\QCDRV\BIN\SETUP.EXE UNINSTALL REMOVEPROMPT
AddRemove-RealPlayer 6.0 - c:\program files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
AddRemove-WinPatrol - c:\progra~1\BILLPS~1\WINPAT~1\Setup.exe
AddRemove-{08082023-2a50-4196-8196-a6f86d6e8f12} - c:\program files\Installshield Installation Information\{08082023-2a50-4196-8196-a6f86d6e8f12}\QBReplace.exe {08082023-2a50-4196-8196-a6f86d6e8f12}#{01288593-26bb-4b3a-a04e-0a4ed28cc937}
AddRemove-{237a4b23-78c3-11d6-a394-00104bd190b1} - c:\program files\Installshield Installation Information\{237a4b23-78c3-11d6-a394-00104bd190b1}\QBReplace.exe {237a4b23-78c3-11d6-a394-00104bd190b1}#{AD46C591-FB19-11D5-A316-00104BD190B1}
AddRemove-{2b02f823-a9b9-458c-80e5-3ea8c0de8471} - c:\program files\Installshield Installation Information\{2b02f823-a9b9-458c-80e5-3ea8c0de8471}\QBReplace.exe {2b02f823-a9b9-458c-80e5-3ea8c0de8471}#{2B02F82E-A9B9-458C-80E5-3EA8C0DE8471}



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-01 11:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.5.2.11\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,72,46,24,53,52,3a,f8,4c,b5,33,28,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,72,46,24,53,52,3a,f8,4c,b5,33,28,\

[HKEY_USERS\S-1-5-21-696843040-475731448-2992866002-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\]NeV*S*\miHr]
"Order"=hex:08,00,00,00,02,00,00,00,a2,03,00,00,01,00,00,00,08,00,00,00,74,00,
00,00,00,00,00,00,66,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,54,00,32,\

[HKEY_USERS\S-1-5-21-696843040-475731448-2992866002-1006\Software\Q9 Technology Company Limited\]NeV*S*\miHr(*3*2*B*i*t*)*\{92F0DA0B-674E-AE29-D5A1-5343128C159B}]
"_C470AC27FD1647E68486F3D803705A89"="c:\\Documents and Settings\\All Users\\Start Menu\\Programs\\??VS???\\"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(992)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(748)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Dell Network Assistant\hnm_svc.exe
c:\pvsw\bin\w3dbsmgr.exe
c:\program files\Dantz\Retrospect\retrorun.exe
c:\progra~1\Dantz\RETROS~1\wdsvc.exe
c:\windows\system32\fxssvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2009-12-01 11:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-01 19:29

Pre-Run: 240,586,838,016 bytes free
Post-Run: 240,575,082,496 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - D87B6847A55280DF9D16716EF666F9CF

#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,648 posts
  • Gender:Female
  • Location:Romania

Posted 01 December 2009 - 03:02 PM

Hello eddnewcon,

Unfortunately, this is not looking too good. You might have a file infector there. To see if this is the case or not, please do the following.

UPLOAD A FILE
--------------------
We need to check a file. Please click this link VirusTotal

When the page has finished loading, click the Choose file button, navigate to each of the following files and click Send file.

c:\windows\system32\drwtsn32.exe
c:\windows\system32\ntsd.exe
c:\windows\system32\rsvp.exe

If you get the message that the file has already been scanned before, please click Reanalyse file now.
Please post back the results of the scan in your next post.


In your next reply, please include the following:
  • Scan results of the uploaded file

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#9 eddnewcon

eddnewcon
  • Topic Starter
  • Members
  • 8 posts

Posted 01 December 2009 - 03:22 PM

Hi Elise,

Here you go:


File drwtsn32.exe received on 2009.12.01 20:15:03 (UTC)
Antivirus Version Last Update Result
a-squared 4.5.0.43 2009.12.01 Virus.Win32.Virut.bo!IK
AhnLab-V3 5.0.0.2 2009.12.01 -
AntiVir 7.9.1.88 2009.12.01 TR/Patched.Gen2
Antiy-AVL 2.0.3.7 2009.12.01 -
Authentium 5.2.0.5 2009.12.01 -
Avast 4.8.1351.0 2009.12.01 -
AVG 8.5.0.426 2009.12.01 -
BitDefender 7.2 2009.12.01 -
CAT-QuickHeal 10.00 2009.12.01 -
ClamAV 0.94.1 2009.12.01 -
Comodo 3103 2009.12.01 -
DrWeb 5.0.0.12182 2009.12.01 -
eSafe 7.0.17.0 2009.12.01 -
eTrust-Vet 35.1.7150 2009.12.01 -
F-Prot 4.5.1.85 2009.12.01 -
F-Secure 9.0.15370.0 2009.11.29 -
Fortinet 4.0.14.0 2009.12.01 -
GData 19 2009.12.01 -
Ikarus T3.1.1.74.0 2009.12.01 Virus.Win32.Virut.bo
Jiangmin 11.0.800 2009.12.01 -
K7AntiVirus 7.10.906 2009.11.27 -
Kaspersky 7.0.0.125 2009.12.01 -
McAfee 5819 2009.12.01 -
McAfee+Artemis 5819 2009.12.01 -
McAfee-GW-Edition 6.8.5 2009.12.01 Trojan.Patched.Gen2
Microsoft 1.5302 2009.12.01 -
NOD32 4652 2009.12.01 -
Norman 6.03.02 2009.12.01 -
nProtect 2009.1.8.0 2009.11.28 -
Panda 10.0.2.2 2009.12.01 -
PCTools 7.0.3.5 2009.12.01 -
Prevx 3.0 2009.12.01 -
Rising 22.24.01.09 2009.12.01 -
Sophos 4.48.0 2009.12.01 -
Sunbelt 3.2.1858.2 2009.12.01 -
Symantec 1.4.4.12 2009.12.01 -
TheHacker 6.5.0.2.082 2009.11.30 -
TrendMicro 9.100.0.1001 2009.12.01 -
VBA32 3.12.12.0 2009.11.30 -
ViRobot 2009.12.1.2065 2009.12.01 -
VirusBuster 5.0.21.0 2009.12.01 -

Additional information
File size: 52736 bytes
MD5...: 223cf4e6e21a7d115e4e825203c104f2
SHA1..: 378b3b7b2af28481ad394a29188eeb9ee0e6fa38
SHA256: 28d7474d7b6cf95d3aa275ea63541a1122d6f5dc1f5b79350ddbc0d96c8f8a38
ssdeep: 768:JTK+ex9NrWZXLFaCj3m8YuTeFQBgAu9GkuvYUoD+kgvrFe:Juv9rWZXUCj3m8BTwQYAmLgzI
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x6eb3
timedatestamp.....: 0xc46e2590L (invalid)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x7072 0x7200 6.15 1d8ce9aa062272010b21d858c1b290d3
.data 0x9000 0x13ac 0x200 0.46 ad7ae68292f9b92f2507acdcc72b15b1
.rsrc 0xb000 0x8a00 0x5600 5.71 b317e6acb6b37ab8aaae8494777fc105

( 6 imports )
> msvcrt.dll: calloc, strchr, swprintf, free, malloc, wprintf, isprint, sprintf, _snwprintf, _vsnwprintf, wcsncpy, swscanf, _wtoi, wcscmp, _wgetcwd, _wcsicmp, tolower, realloc, _wtol, _wsplitpath, _wmakepath, _c_exit, _exit, _XcptFilter, _cexit, exit, __initenv, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, _except_handler3, _controlfp, wcscat, isdigit, wcscpy, wcslen
> ADVAPI32.dll: RegOpenKeyExA, RegQueryValueExA, IsTextUnicode, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, RegisterEventSourceW, ReportEventW, DeregisterEventSource, ReadEventLogW, OpenEventLogW, ClearEventLogW, CloseEventLog, GetUserNameW
> KERNEL32.dll: SetFilePointer, ReadFile, ReleaseSemaphore, WriteFile, GetModuleFileNameW, CreateDirectoryW, GetLastError, LocalFree, SetErrorMode, SetEvent, GetLocalTime, GetDateFormatW, OpenProcess, CreateFileW, WideCharToMultiByte, MultiByteToWideChar, CreateThread, DeleteFileW, GetFileAttributesW, LoadResource, FindResourceExW, ExpandEnvironmentStringsW, GetProcAddress, FreeLibrary, InterlockedCompareExchange, LoadLibraryA, GetModuleHandleA, CreateSemaphoreW, OpenSemaphoreW, TerminateThread, TerminateProcess, GetCommandLineW, DelayLoadFailureHook, GetModuleHandleW, FormatMessageW, ExitProcess, GetComputerNameW, GetVersion, GetSystemInfo, ProcessIdToSessionId, CloseHandle, WaitForSingleObject, Sleep
> GDI32.dll: SelectObject, GetTextMetricsW, GetTextExtentPointW, GetStockObject
> USER32.dll: CallWindowProcW, GetCursorPos, ScreenToClient, ChildWindowFromPoint, GetDlgCtrlID, WinHelpW, IsDlgButtonChecked, SendDlgItemMessageW, SetDlgItemTextA, GetDlgItemTextW, GetSystemMenu, AppendMenuW, GetDC, ReleaseDC, LoadIconW, LoadCursorW, RegisterClassW, CreateDialogParamW, MessageBeep, GetMessageW, IsDialogMessageW, TranslateMessage, DispatchMessageW, DialogBoxParamW, GetDlgItem, ShowWindow, EnableWindow, DefDlgProcW, KillTimer, PostQuitMessage, DefWindowProcW, SetTimer, EndDialog, SetDlgItemTextW, MessageBoxW, EnumChildWindows, SetWindowLongW, GetWindowLongW, UpdateWindow, SendMessageW, PostMessageW, SetForegroundWindow, GetParent, SetFocus
> dbgeng.dll: DebugCreate

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
sigcheck:
publisher....: Microsoft Corporation
copyright....: © Microsoft Corporation. All rights reserved.
product......: Microsoft® Windows® Operating System
description..: DrWatson Postmortem Debugger
original name: drwtsn32.exe
internal name: drwtsn32.exe
file version.: 5.1.2600.0 (XPClient.010817-1148)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
trid..: Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)



File ntsd.exe received on 2009.12.01 20:19:07 (UTC)
Antivirus Version Last Update Result
a-squared 4.5.0.43 2009.12.01 -
AhnLab-V3 5.0.0.2 2009.12.01 -
AntiVir 7.9.1.88 2009.12.01 TR/Patched.Gen2
Antiy-AVL 2.0.3.7 2009.12.01 -
Authentium 5.2.0.5 2009.12.01 -
Avast 4.8.1351.0 2009.12.01 -
AVG 8.5.0.426 2009.12.01 -
BitDefender 7.2 2009.12.01 -
CAT-QuickHeal 10.00 2009.12.01 -
ClamAV 0.94.1 2009.12.01 -
Comodo 3103 2009.12.01 -
DrWeb 5.0.0.12182 2009.12.01 -
eSafe 7.0.17.0 2009.12.01 -
eTrust-Vet 35.1.7150 2009.12.01 -
F-Prot 4.5.1.85 2009.12.01 -
F-Secure 9.0.15370.0 2009.11.29 -
Fortinet 4.0.14.0 2009.12.01 -
GData 19 2009.12.01 -
Ikarus T3.1.1.74.0 2009.12.01 -
Jiangmin 11.0.800 2009.12.01 -
K7AntiVirus 7.10.906 2009.11.27 -
Kaspersky 7.0.0.125 2009.12.01 -
McAfee 5819 2009.12.01 -
McAfee+Artemis 5819 2009.12.01 -
McAfee-GW-Edition 6.8.5 2009.12.01 Heuristic.LooksLike.Win32.Suspicious.H!85
Microsoft 1.5302 2009.12.01 -
NOD32 4652 2009.12.01 -
Norman 6.03.02 2009.12.01 -
nProtect 2009.1.8.0 2009.11.28 -
Panda 10.0.2.2 2009.12.01 -
PCTools 7.0.3.5 2009.12.01 -
Prevx 3.0 2009.12.01 -
Rising 22.24.01.09 2009.12.01 -
Sophos 4.48.0 2009.12.01 -
Sunbelt 3.2.1858.2 2009.12.01 -
Symantec 1.4.4.12 2009.12.01 -
TheHacker 6.5.0.2.082 2009.11.30 -
TrendMicro 9.100.0.1001 2009.12.01 -
VBA32 3.12.12.0 2009.11.30 -
ViRobot 2009.12.1.2065 2009.12.01 -
VirusBuster 5.0.21.0 2009.12.01 -

Additional information
File size: 38912 bytes
MD5...: ac712d766aa35f82059008f90ebc40ff
SHA1..: ca800ba808b79a063fc358b8948061bc93cf0c17
SHA256: 972a378828d4242d28d292ae900f50ff534bbd00f5422247a5c02bfb57e26440
ssdeep: 768:K1Km0FKdvpjTJiHOyXcdCubTWMYInsqdzFpoGsQbSdWCvDMs4hpImXPF:K4mbvRTJiHjcd5bT1jTzFpHb+f4U4d
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x6a0c
timedatestamp.....: 0xc46e2590L (invalid)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x6a04 0x6c00 6.34 f89428c90729ff90d562e7050ba4ac61
.data 0x8000 0x1898 0x400 1.53 382a4435e05fe33b65b7a5a92d00ed42
.rsrc 0xa000 0x5800 0x2400 7.45 66c3ad0fdeda114132c351cf09496f4b

( 4 imports )
> msvcrt.dll: exit, _cexit, _XcptFilter, __initenv, _c_exit, _stricmp, atoi, __getmainargs, _exit, _initterm, __setusermatherr, strrchr, sscanf, _strnicmp, strtoul, rewind, calloc, fgetc, tolower, _strcmpi, getenv, printf, isspace, fopen, _snprintf, strncpy, _iob, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, _except_handler3, _controlfp, fgets, fclose, sprintf, _spawnlp, _vsnprintf
> KERNEL32.dll: FormatMessageA, LocalAlloc, FreeLibrary, InterlockedExchange, GetModuleFileNameA, CreateEventA, GetModuleHandleA, SetPriorityClass, GetCurrentThread, GetCommandLineA, GetEnvironmentVariableA, SetConsoleCtrlHandler, GetCurrentProcess, DuplicateHandle, GetStdHandle, GetPriorityClass, CreateProcessA, SetStdHandle, SetLastError, GetVersionExA, LoadLibraryA, GetProcAddress, InitializeCriticalSection, RaiseException, CreateNamedPipeA, CreateFileA, GetLastError, AllocConsole, OutputDebugStringA, WriteFile, ExitProcess, InterlockedDecrement, ReadFile, GetCurrentProcessId, SetEvent, Sleep, LeaveCriticalSection, InterlockedIncrement, EnterCriticalSection, WaitForSingleObject, CloseHandle, SetThreadPriority, CreateThread
> dbgeng.dll: DebugCreate, DebugConnect
> ADVAPI32.dll: RegCloseKey, RegOpenKeyExA, RegQueryValueExA

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win64 Executable Generic (59.6%)
Win32 Executable MS Visual C++ (generic) (26.2%)
Win32 Executable Generic (5.9%)
Win32 Dynamic Link Library (generic) (5.2%)
Generic Win/DOS Executable (1.3%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: © Microsoft Corporation. All rights reserved.
product......: Microsoft® Windows® Operating System
description..: Symbolic Debugger for Windows 2000
original name: NTSD.Exe
internal name: NTSD.Exe
file version.: 5.1.2600.0 (XPClient.010817-1148)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned


File rsvp.exe received on 2009.12.01 20:21:13 (UTC)
Antivirus Version Last Update Result
a-squared 4.5.0.43 2009.12.01 Virus.Win32.Virut!IK
AhnLab-V3 5.0.0.2 2009.12.01 -
AntiVir 7.9.1.88 2009.12.01 TR/Patched.Gen2
Antiy-AVL 2.0.3.7 2009.12.01 -
Authentium 5.2.0.5 2009.12.01 -
Avast 4.8.1351.0 2009.12.01 -
AVG 8.5.0.426 2009.12.01 -
BitDefender 7.2 2009.12.01 -
CAT-QuickHeal 10.00 2009.12.01 -
ClamAV 0.94.1 2009.12.01 -
Comodo 3103 2009.12.01 -
DrWeb 5.0.0.12182 2009.12.01 -
eSafe 7.0.17.0 2009.12.01 -
eTrust-Vet 35.1.7150 2009.12.01 -
F-Prot 4.5.1.85 2009.12.01 -
F-Secure 9.0.15370.0 2009.11.29 -
Fortinet 4.0.14.0 2009.12.01 -
GData 19 2009.12.01 -
Ikarus T3.1.1.74.0 2009.12.01 Virus.Win32.Virut
Jiangmin 11.0.800 2009.12.01 -
K7AntiVirus 7.10.906 2009.11.27 -
Kaspersky 7.0.0.125 2009.12.01 -
McAfee 5819 2009.12.01 -
McAfee+Artemis 5819 2009.12.01 -
McAfee-GW-Edition 6.8.5 2009.12.01 Heuristic.LooksLike.Win32.Suspicious.H
Microsoft 1.5302 2009.12.01 -
NOD32 4652 2009.12.01 -
Norman 6.03.02 2009.12.01 -
nProtect 2009.1.8.0 2009.11.28 -
Panda 10.0.2.2 2009.12.01 -
PCTools 7.0.3.5 2009.12.01 -
Prevx 3.0 2009.12.01 -
Rising 22.24.01.09 2009.12.01 -
Sophos 4.48.0 2009.12.01 -
Sunbelt 3.2.1858.2 2009.12.01 -
Symantec 1.4.4.12 2009.12.01 -
TheHacker 6.5.0.2.082 2009.11.30 -
TrendMicro 9.100.0.1001 2009.12.01 -
VBA32 3.12.12.0 2009.11.30 -
ViRobot 2009.12.1.2065 2009.12.01 -
VirusBuster 5.0.21.0 2009.12.01 -

Additional information
File size: 139776 bytes
MD5...: d32c9f8b7fcc34fb6a4ceee7ae8ccfa6
SHA1..: dcc678e658fea09670eb03606fee0b66ea1bbeb9
SHA256: 42ed6830f11e03b9277d98d44aa86251078fbc7a262ecd0c296c8a1c0361748d
ssdeep: 3072:f5r9lG6TZ9WqfkA/ar9xMS/TEcxYPpsCmOPsy3TMELkRB/QDrhT:fvXTZppyx7hx+rPsGo7RByFT
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1ed92
timedatestamp.....: 0xc46e2590L (invalid)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1ef8a 0x1f000 6.69 f341bed58633121d9e5bdd082693dab3
.data 0x20000 0x22bd4 0xe00 3.41 fc8e2377d2ae60a33f4422f36bc3774f
.rsrc 0x43000 0x5400 0x2000 7.73 d23036399524b29413780eae39f044dc

( 8 imports )
> msvcrt.dll: sprintf, wcscpy, wcscat, wcslen, wcscmp, _snprintf, floor, strncpy, atoi, _strnicmp, _iob, strtoul, _vsnprintf, fprintf, free, malloc, perror, memmove, _stricmp, _wcsicmp, rand, wcsrchr, _snwprintf, wcsncat, wcschr, wcsstr, _c_exit, _exit, _XcptFilter, _cexit, __initenv, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, _except_handler3, _controlfp, _ftol, exit
> ADVAPI32.dll: RegisterServiceCtrlHandlerExA, SetServiceStatus, AllocateAndInitializeSid, GetLengthSid, InitializeAcl, AddAccessAllowedAce, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, FreeSid, RegNotifyChangeKeyValue, RegQueryValueExW, RegSetValueExA, RegCloseKey, CryptAcquireContextA, CryptGenRandom, CryptReleaseContext, OpenSCManagerA, OpenServiceA, QueryServiceStatus, CloseServiceHandle, RegOpenKeyExA, RegQueryValueExA, ReportEventA, RegisterEventSourceA, StartServiceCtrlDispatcherA
> KERNEL32.dll: IsBadWritePtr, InterlockedExchangeAdd, InterlockedDecrement, OpenProcess, CreateFileA, ReadFile, GetStdHandle, WriteFile, IsBadReadPtr, GetLocalTime, SystemTimeToFileTime, UnmapViewOfFile, CreateSemaphoreA, CreateFileMappingA, MapViewOfFile, WaitForMultipleObjects, GetTickCount, WaitForSingleObject, DeleteCriticalSection, FormatMessageA, LocalFree, CreateEventA, InitializeCriticalSection, ResetEvent, SetProcessWorkingSetSize, GetCurrentProcess, GetSystemTime, HeapDestroy, HeapCreate, CreateDirectoryW, CompareFileTime, GetFileAttributesExW, SetFilePointer, CreateFileW, WideCharToMultiByte, LoadLibraryExW, GetSystemDirectoryW, GetVersionExA, HeapSize, OpenEventA, FlushViewOfFile, ReleaseSemaphore, GetModuleHandleA, LocalAlloc, OpenFileMappingA, CloseHandle, ExitProcess, HeapAlloc, HeapFree, FreeLibrary, GetProcAddress, GetLastError, MultiByteToWideChar, ExpandEnvironmentStringsW, SetEvent, LeaveCriticalSection, EnterCriticalSection, CreateThread
> ntdll.dll: DbgBreakPoint, RtlRandomEx, DbgPrint
> RPCRT4.dll: NdrServerCall2, RpcAsyncCompleteCall, UuidCreate, RpcServerUnregisterIfEx, RpcServerListen, RpcServerRegisterIf, RpcServerUseProtseqEpA, RpcServerRegisterAuthInfoA, RpcAsyncAbortCall, RpcServerTestCancel, RpcRevertToSelfEx, RpcImpersonateClient, RpcMgmtWaitServerListen, RpcMgmtStopServerListening, NdrAsyncServerCall
> Secur32.dll: GetUserNameExA
> USER32.dll: DefWindowProcA, PostQuitMessage, DispatchMessageA, GetMessageA, CreateWindowExA, RegisterClassA
> WS2_32.dll: WSACreateEvent, WSAWaitForMultipleEvents, -, -, -, -, -, -, WSACloseEvent, -, -, WSAIoctl, -, WSCEnumProtocols, -, WSASocketW, -, -, -, -, WSAEnumNetworkEvents, WSAEventSelect

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: © Microsoft Corporation. All rights reserved.
product......: Microsoft® Windows® Operating System
description..: Microsoft RSVP
original name: rsvp.exe
internal name: rsvp.exe
file version.: 5.1.2600.0 (xpclient.010817-1148)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,648 posts
  • Gender:Female
  • Location:Romania

Posted 01 December 2009 - 03:52 PM

Hello eddnewcon,

I am really sorry to tell you this :(

Your system is infected with a nasty variant of Virut, a polymorphic file infector with IRCBot functionality which infects .exe, .scr files, downloads more malicious files to your system, and opens a back door that compromises your computer. According to this Norman White Paper Assessment of W32/Virut, some variants can infect the HOSTS file and block access to security related web sites. Virux is an even more complex file infector which can embed an iframe into the body of web-related files and infect script files (.php, .asp, and .html). When Virut creates infected files, it also creates non-functional files that are corrupted beyond repair. In many cases the infected files cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files become corrupted and the system may become irreparable.

The virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files... some W32/Virut.h infections are corrupted beyond repair.

McAfee Risk Assessment and Overview of W32/Virut

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus... Due to the damage caused to files by Virut it's possible to find repaired but corrupted files. They became corrupted by the incorrect writing of the viral code during the process of infection. Undetected, corrupted files (possibly still containing part of the viral code) can also be found. This is caused by incorrectly written and non-functional viral code present in these files.

AVG Overview of W32/Virut

This kind of infection is contracted and spread by visiting remote, crack and keygen sites. These types of sites are infested with a smörgåsbord of malware and are an increasing source of system infection. However, the CA Security Advisor Research Blog says they have found MySpace user pages carrying the malicious Virut URL. Either way, you can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised, please read:

There is no guarantee this infection can be completely removed. In some instances it may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft

 



#11 eddnewcon
  • Topic Starter
  • Members
  • 8 posts

Posted 01 December 2009 - 04:50 PM

Hi Elise,

It sounds like my computer has cancer. In that case, I will reformat my drive.

Questions:
1. I have two separate folders that contain my data. I suppose they are not infected and can be safely moved back to the computer after the reformat. Do you know?

2. Can I use Intellimover to move the programs to an external drive and then move them back after the computer is reformatted?

eddnewcon

#12 Elise
  • Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,648 posts
  • Gender:Female
  • Location:Romania

Posted 02 December 2009 - 02:23 AM

Hi eddnewcon,

As long as your folders do not contain files with the extensions I mentioned in my previous post, you can move them. However take great care with this! One infected file is enough to start the whole thing again after you reformat!

I am sorry I do not know about IntelliMover, but as long as it just moves the files, I can't see the harm of it.

If you have any more questions, let me know, otherwise I will close this topic.

regards, Elise


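Elise's advice above (restore data only if the folders hold none of the file types a file infector like Virut targets, and remember that one infected file is enough to start over) is a triage step that can be checked rather than eyeballed. The script below is an added example, not part of the original thread and not a BleepingComputer or Emsisoft tool. It walks a backup folder on a clean machine and sorts files into: Windows executables by extension, files whose contents are a PE executable despite a harmless-looking extension (a check by extension alone would miss these), and web pages containing a hidden iframe of the kind injected by Virut-family variants. The extension set and the hidden-iframe heuristic are assumptions chosen for the example; Elise's own list from her earlier post is not shown on this page, so the script does not reproduce it. The sample folder it scans is constructed inline so the script runs offline.

```python
"""Triage a data backup before restoring it after a reformat.

Added example (not from the original thread). Assumptions:
  - EXECUTABLE_EXTENSIONS / WEB_EXTENSIONS are a generic list for a Virut-style
    PE file infector, not the list from Elise's earlier post.
  - HIDDEN_IFRAME is a heuristic for the 1x1 or invisible iframes such variants
    inject into web pages; it flags files for manual review, it is not proof.
"""
import os
import re
import shutil
import struct
import tempfile
from pathlib import Path

EXECUTABLE_EXTENSIONS = {".exe", ".scr"}                 # PE files Virut infects (assumption)
WEB_EXTENSIONS = {".htm", ".html", ".asp", ".php"}        # pages it injects iframes into (assumption)
HIDDEN_IFRAME = re.compile(
    r"<iframe\b[^>]*(?:width\s*=\s*[\"']?[01]\b|height\s*=\s*[\"']?[01]\b"
    r"|display\s*:\s*none|visibility\s*:\s*hidden)[^>]*>",
    re.IGNORECASE,
)


def looks_like_pe(path):
    """True if the file starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    try:
        with open(path, "rb") as f:
            head = f.read(0x40)
            if len(head) < 0x40 or head[:2] != b"MZ":
                return False
            e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
            f.seek(e_lfanew)
            return f.read(4) == b"PE\0\0"
    except OSError:
        return False


def triage(root):
    """Classify every file under root; paths are reported relative to root."""
    root = Path(root)
    report = {"executable": [], "disguised_executable": [], "web_hidden_iframe": [], "other": []}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        ext = p.suffix.lower()
        if ext in EXECUTABLE_EXTENSIONS:
            report["executable"].append(rel)          # do not restore; reinstall from clean media
        elif looks_like_pe(p):
            report["disguised_executable"].append(rel)  # PE content under a data extension
        elif ext in WEB_EXTENSIONS and HIDDEN_IFRAME.search(p.read_text(errors="replace")):
            report["web_hidden_iframe"].append(rel)   # review the page source before restoring
        else:
            report["other"].append(rel)
    return report


def fake_pe_bytes():
    """Minimal MZ/PE header (constructed sample, not a real program)."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    dos[0x3C:0x40] = struct.pack("<I", 0x40)          # e_lfanew -> right after the DOS header
    return bytes(dos) + b"PE\0\0" + b"\0" * 20


def build_sample_tree(base):
    """Constructed backup folder: clean documents, an .exe, a PE hiding as .jpg,
    a page with an injected 1x1 iframe and a clean page."""
    base = Path(base)
    files = {
        "docs/notes.txt": b"quarterly notes\n",
        "docs/report.doc": b"\xd0\xcf\x11\xe0 old word document\n",
        "tools/setup.exe": fake_pe_bytes(),
        "photos/holiday.jpg": fake_pe_bytes(),
        "site/index.html": (b'<html><body>Hello<iframe src="http://example.invalid/x" '
                            b'width=1 height=1></iframe></body></html>'),
        "site/about.html": b"<html><body>About us</body></html>",
    }
    for rel, data in files.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return base


def demo():
    """Build the sample tree in a temp dir, triage it, clean up, return the report."""
    tmp = tempfile.mkdtemp(prefix="backup-triage-")
    try:
        return triage(build_sample_tree(tmp))
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(f"{bucket}: {paths}")
```

Run it against the real backup with `triage(r"E:\backup")` from a clean machine, not the infected one. Anything in the first three buckets should be left out of the restore (programs come back from original install media), and "other" only means no executable content or hidden iframe was found, not that the file is known good.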


#13 eddnewcon
  • Topic Starter
  • Members
  • 8 posts

Posted 02 December 2009 - 02:42 AM

Hi Elise,

Actually since I used the Combofix today, there has been no redirection with my browser. Should I wait and see?

eddnewcon

#14 Elise
  • Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,648 posts
  • Gender:Female
  • Location:Romania

Posted 02 December 2009 - 05:04 AM

The browser redirection was caused by a rootkit and not by Virut. That rootkit is gone. But Virut is not.

regards, Elise




#15 Elise
  • Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,648 posts
  • Gender:Female
  • Location:Romania

Posted 06 December 2009 - 08:08 AM

Due to lack of feedback, this topic is now closed.

If you are the original topic starter and you need this topic to be re-opened, please send me a PM.

Everyone else, please start a new topic.

regards, Elise

