
W32.IRCBot : Help on removal


  • This topic is locked
14 replies to this topic

#1 maxifire

maxifire

  • Members
  • 7 posts
  • OFFLINE
  • Local time:02:02 PM

Posted 01 January 2010 - 11:08 PM

Hi guys,

My file server was infected with the W32.IRCBot virus four days ago, and my attempts at removal have been unsuccessful - SAV tried cleaning it, but Auto Protect keeps prompting me about infected files despite the prior removals. I am on the verge of reformatting my computer, but I would like to give this one last try.

Your assistance is greatly appreciated. Thank you and Happy New Year!

I have done a scan and the logs are below:


DDS

DDS (Ver_09-12-01.01) - NTFSx86
Run by Administrator at 11:27:53.03 on Sat 01/02/2010
Internet Explorer: 6.0.2800.1106 BrowserJavaVersion: 1.6.0
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.511.154 [GMT 8:00]


============== Running Processes ===============

C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\APC\POWERC~1\agent\pbeagent.exe
C:\PROGRA~1\APC\POWERC~1\server\PBESER~1.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Hewlett-Packard\TopToolsWMI\WMIProviders\HPAlertWMI.exe
C:\Program Files\Hewlett-Packard\TopToolsWMI\WMIWDog.exe
C:\Program Files\Hewlett-Packard\TopToolsWMI\HPTrayIcon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\PC DVR-4-Net\PC DVR-4-Net\PC DVR-4-Net.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.BIN
C:\Program Files\Panasonic\Ncr3\ncrcore3.exe
C:\Program Files\Panasonic\Ncr3\Ncrwd.exe
C:\Program Files\PC DVR-4-Net\PC DVR-4-Net\WServer.exe
C:\Program Files\PC DVR-4-Net\PC DVR-4-Net\MediaServer.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Panasonic\Ncr3\ncr3.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\msdtc.exe
C:\WINNT\SoftwareDistribution\Download\094cb48add2362622ba4c3293b5a2f17\update\update.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\trojan killer 311209\dds.scr

============== Pseudo HJT Report ===============

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\system32\browseui.dll
uRun: [Ncr3] c:\program files\panasonic\ncr3\ncrcore3.exe
mRun: [Synchronization Manager] mobsync.exe /logon
mRun: [HP Tray Icon WMI] c:\program files\hewlett-packard\toptoolswmi\HPTrayIcon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\winnt\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0\bin\jusched.exe"
mRun: [PCDVR] "c:\program files\pc dvr-4-net\pc dvr-4-net\PC DVR-4-Net.exe"
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\networ~1.lnk - c:\winnt\installer\{615c20ed-725c-4e0d-a417-e12e21e25d46}\_8DB1D86E8664740B17ADFF.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.1\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pcdvr-~1.lnk - c:\program files\pc dvr-4-net\pc dvr-4-net\PC DVR-4-Net.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\ssv.dll
DPF: {33704B0F-9EB7-434B-B752-EA6CFFB87423} - hxxp://192.168.1.250/JpegInst.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1174408920531
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: NavLogon - c:\winnt\system32\NavLogon.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\59xmclk3.default\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-2-4 324232]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-2-4 53896]
R2 APCPBEAgent;APC PBE Agent;c:\progra~1\apc\powerc~1\agent\pbeagent.exe [2008-7-1 28672]
R2 APCPBEServer;APC PBE Server;c:\progra~1\apc\powerc~1\server\PBESER~1.EXE [2008-7-1 45134]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-4-8 185968]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-4-8 161392]
R2 HPAlertWMI;HPAlertWMI;c:\program files\hewlett-packard\toptoolswmi\wmiproviders\HPAlertWMI.exe [2002-7-25 73728]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-4-17 1706176]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20091224.002\naveng.sys [2009-12-25 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20091224.002\navex15.sys [2009-12-25 1323568]
R3 TD3004F60v;TD3004F60v;c:\winnt\system32\drivers\TD3004F60v.sys [2007-4-12 15174]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-4-8 83568]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-4-17 124608]
S3 WinRT;WinRT;c:\winnt\system32\drivers\WinRT.sys [1998-12-1 35264]

=============== Created Last 30 ================

2010-01-02 03:27:54 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_37c.dat
2010-01-02 02:38:32 46640 ----a-w- c:\winnt\system32\msln.exe
2010-01-02 01:20:16 375658 ---h--w- c:\winnt\ShellIconCache
2009-12-31 05:29:54 91920 -c--a-w- c:\winnt\system32\dllcache\acq32.dll
2009-12-31 05:29:54 801072 -c--a-w- c:\winnt\system32\dllcache\3cpciadi.sys
2009-12-31 05:29:54 38320 -c--a-w- c:\winnt\system32\dllcache\8514a.dll
2009-12-31 05:29:54 10928 -c--a-w- c:\winnt\system32\dllcache\4mmdat.sys
2009-12-31 05:29:53 792176 -c--a-w- c:\winnt\system32\dllcache\3cisaadi.sys
2009-12-31 05:29:53 774928 -c--a-w- c:\winnt\system32\dllcache\3cisati.sys
2009-12-31 05:29:53 763024 -c--a-w- c:\winnt\system32\dllcache\3cwmcru.sys
2009-12-31 05:29:53 22992 -c--a-w- c:\winnt\system32\dllcache\15_16wdm.sys
2009-12-31 05:29:52 40752 -c--a-w- c:\winnt\system32\dllcache\1394bus.sys
2009-12-31 03:58:10 98816 ----a-w- c:\winnt\sed.exe
2009-12-31 03:58:10 77312 ----a-w- c:\winnt\MBR.exe
2009-12-31 03:58:10 261632 ----a-w- c:\winnt\PEV.exe
2009-12-31 03:58:10 161792 ----a-w- c:\winnt\SWREG.exe
2009-12-31 02:34:20 0 d-----w- C:\!KillBox

==================== Find3M ====================

2007-03-20 16:21:24 271 ---h--w- c:\program files\desktop.ini
2007-03-20 16:21:24 21952 ---h--w- c:\program files\folder.htt
1999-12-07 04:00:00 32528 ----a-w- c:\winnt\inf\wbfirdma.sys

============= FINISH: 11:28:27.21 ===============


Edited by maxifire, 01 January 2010 - 11:52 PM.



#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:08:02 AM

Posted 10 January 2010 - 06:39 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  • Please download OTL from the following mirror:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open; copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. I suggest you do this, select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic, which facilitates the cleaning of your machine.

If a topic is not replied to after 5 days, we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!


#3 maxifire

maxifire
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:02:02 PM

Posted 11 January 2010 - 08:52 PM

Hi,

Out of desperation, I installed Avira's AntiVir, and I believe it helped in clearing the trojan.
I have done a scan as per your instructions to be sure that the trojan has really been removed.

Thanks for your help!

OTL.txt

OTL logfile created on: 1/12/2010 8:27:58 AM - Run 1
OTL by OldTimer - Version 3.1.24.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows 2000 Professional Edition Service Pack 4 (Version = 5.0.2195) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2800.1106)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 31.00 Mb Available Physical Memory | 6.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 61.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 20.00 Gb Total Space | 15.87 Gb Free Space | 79.34% Space Free | Partition Type: NTFS
Drive D: | 212.88 Gb Total Space | 0.15 Gb Free Space | 0.07% Space Free | Partition Type: NTFS
Drive E: | 232.88 Gb Total Space | 202.14 Gb Free Space | 86.80% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SERVER
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/01/12 08:27:34 | 00,544,256 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2010/01/04 12:15:28 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2010/01/04 12:15:27 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/08/29 14:05:12 | 07,678,568 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/07/21 13:34:33 | 00,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2009/05/13 15:48:22 | 00,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2009/03/02 12:08:47 | 00,209,153 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2007/10/09 10:43:26 | 01,282,048 | ---- | M] (Panasonic Communications Co., Ltd.) -- C:\Program Files\Panasonic\Ncr3\ncr3.exe
PRC - [2007/10/09 10:40:38 | 00,073,728 | ---- | M] (Panasonic Communications Co., Ltd.) -- C:\Program Files\Panasonic\Ncr3\Ncrwd.exe
PRC - [2007/10/09 10:40:30 | 01,634,304 | ---- | M] (Panasonic Communications Co., Ltd.) -- C:\Program Files\Panasonic\Ncr3\ncrcore3.exe
PRC - [2006/11/30 15:54:50 | 02,486,272 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 2.1\program\soffice.bin
PRC - [2006/11/30 15:54:34 | 02,334,720 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 2.1\program\soffice.exe
PRC - [2006/08/22 09:19:36 | 00,045,134 | ---- | M] (APC) -- C:\Program Files\APC\PowerChute Business Edition\server\pbeserver.exe
PRC - [2006/08/22 09:19:32 | 00,028,672 | ---- | M] (APC) -- C:\Program Files\APC\PowerChute Business Edition\agent\pbeagent.exe
PRC - [2005/12/22 17:22:08 | 01,200,188 | ---- | M] () -- C:\Program Files\PC DVR-4-Net\PC DVR-4-Net\PC DVR-4-Net.exe
PRC - [2005/12/22 17:20:52 | 00,094,208 | ---- | M] (TVT) -- C:\Program Files\PC DVR-4-Net\PC DVR-4-Net\WServer.exe
PRC - [2005/12/22 17:20:00 | 00,098,304 | ---- | M] () -- C:\Program Files\PC DVR-4-Net\PC DVR-4-Net\MediaServer.exe
PRC - [2005/04/08 15:54:52 | 00,161,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2005/04/08 15:52:32 | 00,185,968 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PRC - [2004/09/07 15:59:06 | 00,122,128 | R--- | M] (Microsoft Corporation) -- C:\WINNT\system32\mstask.exe
PRC - [2004/08/02 20:03:00 | 00,114,755 | ---- | M] (NVIDIA Corporation) -- C:\WINNT\system32\nvsvc32.exe
PRC - [2003/06/19 18:05:04 | 00,243,472 | ---- | M] (Microsoft Corporation) -- C:\WINNT\explorer.exe
PRC - [2003/06/19 18:05:04 | 00,196,706 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\wbem\winmgmt.exe
PRC - [2003/06/19 18:05:04 | 00,068,368 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\regsvc.exe
PRC - [2002/07/25 16:29:22 | 00,032,768 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\TopToolsWMI\HPTrayIcon.exe
PRC - [2002/07/25 16:22:20 | 00,032,768 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\TopToolsWMI\WMIWDog.exe
PRC - [2002/07/25 16:22:18 | 00,073,728 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\TopToolsWMI\WMIProviders\HPAlertWMI.exe


========== Modules (SafeList) ==========

MOD - [2010/01/12 08:27:34 | 00,544,256 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
MOD - [2003/06/19 18:05:04 | 00,021,776 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\wsock32.dll
MOD - [2003/06/19 18:05:04 | 00,010,000 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\lz32.dll
MOD - [1999/12/07 12:00:00 | 00,011,536 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\netrap.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Unknown | Stopped] -- -- (Symantec AntiVirus)
SRV - [2010/01/04 12:15:27 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/07/21 13:34:33 | 00,185,089 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2009/05/13 15:48:22 | 00,108,289 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2006/08/22 09:19:36 | 00,045,134 | ---- | M] (APC) [Auto | Running] -- C:\Program Files\APC\PowerChute Business Edition\server\pbeserver.exe -- (APCPBEServer)
SRV - [2006/08/22 09:19:32 | 00,028,672 | ---- | M] (APC) [Auto | Running] -- C:\Program Files\APC\PowerChute Business Edition\agent\pbeagent.exe -- (APCPBEAgent)
SRV - [2005/04/08 15:54:52 | 00,161,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2005/04/08 15:54:50 | 00,083,568 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe -- (ccPwdSvc)
SRV - [2005/04/08 15:52:32 | 00,185,968 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2005/04/05 11:17:22 | 00,206,552 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)
SRV - [2005/03/30 21:48:22 | 00,992,864 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)
SRV - [2004/09/07 15:59:06 | 00,122,128 | R--- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\mstask.exe -- (Schedule)
SRV - [2004/08/02 20:03:00 | 00,114,755 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\WINNT\system32\nvsvc32.exe -- (NVSvc)
SRV - [2003/06/19 18:05:04 | 00,196,706 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\wbem\winmgmt.exe -- (WinMgmt)
SRV - [2003/06/19 18:05:04 | 00,147,728 | ---- | M] (VERITAS Software Corp.) [On_Demand | Stopped] -- C:\WINNT\System32\dmadmin.exe -- (dmadmin)
SRV - [2003/06/19 18:05:04 | 00,094,992 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINNT\system32\faxsvc.exe -- (Fax)
SRV - [2003/06/19 18:05:04 | 00,068,368 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\regsvc.exe -- (RemoteRegistry)
SRV - [2003/06/19 18:05:04 | 00,022,800 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINNT\system32\utilman.exe -- (UtilMan)
SRV - [2002/07/25 16:22:18 | 00,073,728 | ---- | M] (Hewlett-Packard Co.) [Auto | Running] -- C:\Program Files\Hewlett-Packard\TopToolsWMI\WMIProviders\HPAlertWMI.exe -- (HPAlertWMI)


========== Driver Services (SafeList) ==========

DRV - [2009/05/11 09:12:24 | 00,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINNT\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009/03/30 09:32:19 | 00,097,512 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINNT\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2009/03/24 15:07:23 | 00,065,240 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINNT\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2009/02/13 11:35:05 | 00,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2007/04/12 13:37:35 | 00,015,174 | ---- | M] ( Inc) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\TD3004F60v.sys -- (TD3004F60v)
DRV - [2007/03/21 02:24:25 | 00,058,000 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINNT\system32\drivers\cdr4_2K.sys -- (Cdr4_2K)
DRV - [2007/03/21 02:24:25 | 00,023,420 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINNT\system32\drivers\cdralw2k.sys -- (Cdralw2k)
DRV - [2005/06/13 13:13:06 | 00,152,336 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\e100bnt5.sys -- (E100B) Intel®
DRV - [2005/04/05 11:17:02 | 00,267,192 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINNT\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
DRV - [2005/04/05 11:17:00 | 00,017,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
DRV - [2005/04/01 20:36:04 | 00,123,200 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2005/03/30 21:48:20 | 00,372,832 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2004/08/02 20:03:00 | 02,627,328 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2004/08/02 20:03:00 | 00,007,012 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINNT\system32\drivers\pmemnt.sys -- (pmem)
DRV - [2003/06/19 18:05:04 | 00,369,104 | ---- | M] (VERITAS Software Corp.) [Kernel | Disabled | Stopped] -- C:\WINNT\system32\drivers\dmboot.sys -- (dmboot)
DRV - [2003/06/19 18:05:04 | 00,137,936 | ---- | M] (VERITAS Software Corp.) [Kernel | Boot | Running] -- C:\WINNT\System32\drivers\dmio.sys -- (dmio)
DRV - [2003/06/19 18:05:04 | 00,060,208 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\parallel.sys -- (Parallel)
DRV - [2003/06/19 18:05:04 | 00,027,440 | ---- | M] (Microsoft Corporation) [File_System | Disabled | Running] -- C:\WINNT\system32\drivers\efs.sys -- (EFS)
DRV - [2003/06/19 18:05:04 | 00,017,680 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2003/06/19 18:05:04 | 00,007,728 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINNT\system32\drivers\diskperf.sys -- (Diskperf)
DRV - [2003/06/19 18:05:04 | 00,007,312 | ---- | M] (VERITAS Software Corp.) [Kernel | Boot | Running] -- C:\WINNT\System32\drivers\dmload.sys -- (dmload)
DRV - [2003/06/19 12:05:04 | 00,032,848 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\uhcd.sys -- (uhcd)
DRV - [2003/06/19 12:05:04 | 00,018,928 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\hidbatt.sys -- (HidBatt)
DRV - [2002/05/21 08:50:30 | 00,087,988 | ---- | M] (HP Invent France
5, Rue Raymond Chanas
F-38320 Eybens) [Kernel | Auto | Running] -- C:\WINNT\system32\drivers\hpgate.sys -- (HPGate)
DRV - [1999/12/07 12:00:00 | 00,021,712 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\rca.sys -- (RCA)
DRV - [1999/12/07 12:00:00 | 00,009,680 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\netdtect.sys -- (NetDetect)
DRV - [1999/10/22 14:54:42 | 00,032,592 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\ichaud.sys -- (ichaud) Service for AC'97 Driver (WDM)
DRV - [1998/12/01 12:06:00 | 00,035,264 | ---- | M] (BlueWater Systems, Inc. (206)771-3610) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\WinRT.sys -- (WinRT)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-746137067-2147135071-725345543-500\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\blank.htm
IE - HKU\S-1-5-21-746137067-2147135071-725345543-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKU\S-1-5-21-746137067-2147135071-725345543-500\S-1-5-21-746137067-2147135071-725345543-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========


FF - HKLM\software\mozilla\Mozilla Firefox 2.0.0.20\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/08/29 14:05:19 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 2.0.0.20\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/04 12:15:48 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird

[2009/12/31 14:04:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\59xmclk3.default\extensions
[2008/06/05 15:28:51 | 00,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\59xmclk3.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/01/04 12:15:51 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2007/03/21 01:08:44 | 00,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}
[2009/08/29 14:05:18 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org
[2009/08/29 14:05:00 | 00,067,688 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\jar50.dll
[2009/08/29 14:05:00 | 00,054,368 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\jsd3250.dll
[2009/08/29 14:05:00 | 00,034,944 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\myspell.dll
[2009/08/29 14:05:03 | 00,046,712 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\spellchk.dll
[2009/08/29 14:05:04 | 00,172,136 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\xpinstal.dll
[2006/11/09 15:20:00 | 02,111,096 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\NPSWF32.dll

O1 HOSTS File: (734 bytes) - C:\WINNT\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (@msdxmLC.dll,-1@1033,&Radio) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx ()
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [HP Tray Icon WMI] C:\Program Files\Hewlett-Packard\TopToolsWMI\HPTrayIcon.exe (Hewlett-Packard Co.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINNT\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINNT\System32\nwiz.exe (NVIDIA Corporation)
O4 - HKLM..\Run: [PCDVR] C:\Program Files\PC DVR-4-Net\PC DVR-4-Net\PC DVR-4-Net.exe ()
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Synchronization Manager] C:\WINNT\System32\mobsync.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-746137067-2147135071-725345543-500..\Run: [Ncr3] C:\Program Files\Panasonic\Ncr3\ncrcore3.exe (Panasonic Communications Co., Ltd.)
O4 - HKU\.DEFAULT..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Network Camera Recorder with Viewer Software.lnk = C:\WINNT\Installer\{615C20ED-725C-4E0D-A417-E12E21E25D46}\_8DB1D86E8664740B17ADFF.exe ()
O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\OpenOffice.org 2.1.lnk = C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PC DVR-4-Net.lnk = C:\Program Files\PC DVR-4-Net\PC DVR-4-Net\PC DVR-4-Net.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-746137067-2147135071-725345543-500\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-746137067-2147135071-725345543-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-746137067-2147135071-725345543-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-21-746137067-2147135071-725345543-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-746137067-2147135071-725345543-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-746137067-2147135071-725345543-500_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINNT\system32\rnr20.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O16 - DPF: {33704B0F-9EB7-434B-B752-EA6CFFB87423} http://192.168.1.250/JpegInst.cab (pmjpegaudio Class)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1174408920531 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 165.21.100.88 165.21.83.88
O18 - Protocol\Handler\vnd.ms.radio {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINNT\system32\msdxm.ocx ()
O18 - Protocol\Filter\application/octet-stream - No CLSID value found
O18 - Protocol\Filter\application/x-complus - No CLSID value found
O18 - Protocol\Filter\application/x-msdownload - No CLSID value found
O18 - Protocol\Filter\Class Install Handler - No CLSID value found
O18 - Protocol\Filter\deflate - No CLSID value found
O18 - Protocol\Filter\gzip - No CLSID value found
O18 - Protocol\Filter\lzdhtml - No CLSID value found
O18 - Protocol\Filter\text/webviewhtml - No CLSID value found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINNT\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINNT\system32\NavLogon.dll - C:\WINNT\system32\NavLogon.dll (Symantec Corporation)
O20 - Winlogon\Notify\wzcnotif: DllName - wzcdlg.dll - C:\WINNT\System32\wzcdlg.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/03/21 00:22:03 | 00,000,000 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/01/12 08:26:44 | 00,544,256 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/01/04 12:25:06 | 00,028,520 | ---- | C] (Avira GmbH) -- C:\WINNT\System32\drivers\ssmdrv.sys
[2010/01/04 12:25:05 | 00,097,512 | ---- | C] (Avira GmbH) -- C:\WINNT\System32\drivers\avipbb.sys
[2010/01/04 12:25:05 | 00,065,240 | ---- | C] (Avira GmbH) -- C:\WINNT\System32\drivers\avgntflt.sys
[2010/01/04 12:25:05 | 00,064,488 | ---- | C] (Avira GmbH) -- C:\WINNT\System32\drivers\avgntdd.sys
[2010/01/04 12:25:05 | 00,018,520 | ---- | C] (Avira GmbH) -- C:\WINNT\System32\drivers\avgntmgr.sys
[2010/01/04 12:25:04 | 00,000,000 | ---D | C] -- C:\Program Files\Avira
[2010/01/04 12:25:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira
[2010/01/04 12:15:48 | 00,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINNT\System32\deploytk.dll
[2010/01/04 12:15:48 | 00,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINNT\System32\javaws.exe
[2010/01/04 12:15:47 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINNT\System32\javaw.exe
[2010/01/04 12:15:47 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINNT\System32\java.exe
[2010/01/04 09:28:53 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Symantec
[2010/01/02 17:21:16 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ESET
[2010/01/02 17:16:45 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2010/01/02 17:16:36 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\PsTools
[2010/01/02 15:58:50 | 00,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/01/02 08:56:26 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\trojan killer 311209
[2009/12/31 15:25:05 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\OpenOffice.org2
[2009/12/31 13:34:13 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Adobe
[2009/12/31 13:29:54 | 00,801,072 | ---- | C] (U.S. Robotics, Inc.) -- C:\WINNT\System32\dllcache\3cpciadi.sys
[2009/12/31 13:29:54 | 00,091,920 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\acq32.dll
[2009/12/31 13:29:54 | 00,038,320 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\8514a.dll
[2009/12/31 13:29:54 | 00,010,928 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\4mmdat.sys
[2009/12/31 13:29:53 | 00,792,176 | ---- | C] (U.S. Robotics, Inc.) -- C:\WINNT\System32\dllcache\3cisaadi.sys
[2009/12/31 13:29:53 | 00,774,928 | ---- | C] (U.S. Robotics, Inc.) -- C:\WINNT\System32\dllcache\3cisati.sys
[2009/12/31 13:29:53 | 00,763,024 | ---- | C] (3Com, Inc.) -- C:\WINNT\System32\dllcache\3cwmcru.sys
[2009/12/31 13:29:53 | 00,022,992 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\15_16wdm.sys
[2009/12/31 13:29:52 | 00,040,752 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\1394bus.sys
[2009/12/31 11:58:10 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINNT\SWXCACLS.exe
[2009/12/31 11:58:10 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINNT\SWREG.exe
[2009/12/31 11:58:10 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINNT\SWSC.exe
[2009/12/31 11:58:10 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINNT\NIRCMD.exe
[2009/12/31 11:58:05 | 00,000,000 | ---D | C] -- C:\WINNT\ERDNT
[2009/12/31 11:57:25 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/12/31 10:34:20 | 00,000,000 | ---D | C] -- C:\!KillBox
[2009/12/31 10:34:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\backups
[2009/12/31 10:31:08 | 00,092,672 | ---- | C] (Option^Explicit Software vbtechcd@gmail.com) -- C:\Documents and Settings\Administrator\Desktop\KillBox.exe
[2009/12/31 10:30:24 | 00,401,720 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
[5 C:\WINNT\*.tmp files -> C:\WINNT\*.tmp -> ]
[10 C:\WINNT\System32\*.tmp files -> C:\WINNT\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/01/12 08:32:06 | 00,684,032 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
[2010/01/12 08:27:34 | 00,544,256 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/01/04 12:28:18 | 00,000,732 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PC DVR-4-Net.lnk
[2010/01/04 12:27:34 | 00,004,598 | ---- | M] () -- C:\WINNT\System32\nvapps.xml
[2010/01/04 12:27:34 | 00,002,234 | ---- | M] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Network Camera Recorder with Viewer Software.lnk
[2010/01/04 12:26:59 | 00,000,006 | -H-- | M] () -- C:\WINNT\tasks\SA.DAT
[2010/01/04 12:26:52 | 00,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_234.dat
[2010/01/04 12:25:46 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2010/01/04 12:25:19 | 00,001,550 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2010/01/04 12:15:26 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINNT\System32\javaws.exe
[2010/01/04 12:15:26 | 00,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINNT\System32\javaw.exe
[2010/01/04 12:15:26 | 00,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINNT\System32\javacpl.cpl
[2010/01/04 12:15:25 | 00,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINNT\System32\deploytk.dll
[2010/01/04 12:15:25 | 00,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINNT\System32\java.exe
[2010/01/04 09:55:41 | 00,087,112 | ---- | M] () -- C:\WINNT\System32\FNTCACHE.DAT
[2010/01/04 09:50:29 | 00,001,391 | ---- | M] () -- C:\WINNT\imsins.BAK
[2010/01/04 09:42:56 | 00,429,230 | ---- | M] () -- C:\WINNT\System32\PerfStringBackup.INI
[2010/01/04 09:42:56 | 00,385,894 | ---- | M] () -- C:\WINNT\System32\perfh009.dat
[2010/01/04 09:42:56 | 00,057,488 | ---- | M] () -- C:\WINNT\System32\perfc009.dat
[2010/01/04 08:52:15 | 00,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_920.dat
[2010/01/04 07:44:10 | 00,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_54c.dat
[2010/01/02 15:58:46 | 02,672,312 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\esetsmartinstaller_enu.exe
[2010/01/02 12:47:10 | 00,001,600 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\ark.zip
[2010/01/02 11:31:02 | 00,001,555 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Attach.zip
[2010/01/02 11:27:54 | 00,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_37c.dat
[2010/01/02 09:02:53 | 00,000,227 | ---- | M] () -- C:\WINNT\system.ini
[2009/12/31 15:25:26 | 00,000,722 | ---- | M] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\OpenOffice.org 2.1.lnk
[2009/12/31 13:15:28 | 00,001,481 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2009/12/31 10:31:04 | 00,092,672 | ---- | M] (Option^Explicit Software vbtechcd@gmail.com) -- C:\Documents and Settings\Administrator\Desktop\KillBox.exe
[2009/12/31 10:30:20 | 00,401,720 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
[5 C:\WINNT\*.tmp files -> C:\WINNT\*.tmp -> ]
[10 C:\WINNT\System32\*.tmp files -> C:\WINNT\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/01/04 12:28:18 | 00,000,732 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PC DVR-4-Net.lnk
[2010/01/04 12:26:52 | 00,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_234.dat
[2010/01/04 12:25:19 | 00,001,550 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2010/01/04 08:52:15 | 00,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_920.dat
[2010/01/04 07:44:10 | 00,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_54c.dat
[2010/01/02 15:58:36 | 02,672,312 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\esetsmartinstaller_enu.exe
[2010/01/02 12:47:10 | 00,001,600 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\ark.zip
[2010/01/02 11:31:02 | 00,001,555 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Attach.zip
[2010/01/02 11:27:54 | 00,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_37c.dat
[2009/12/31 15:25:26 | 00,000,722 | ---- | C] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\OpenOffice.org 2.1.lnk
[2009/12/31 11:58:10 | 00,261,632 | ---- | C] () -- C:\WINNT\PEV.exe
[2009/12/31 11:58:10 | 00,098,816 | ---- | C] () -- C:\WINNT\sed.exe
[2009/12/31 11:58:10 | 00,080,412 | ---- | C] () -- C:\WINNT\grep.exe
[2009/12/31 11:58:10 | 00,077,312 | ---- | C] () -- C:\WINNT\MBR.exe
[2009/12/31 11:58:10 | 00,068,096 | ---- | C] () -- C:\WINNT\zip.exe
[2008/07/01 14:48:49 | 00,036,864 | ---- | C] () -- C:\WINNT\System32\APCSnmp.dll
[2007/05/17 02:11:46 | 00,155,648 | ---- | C] () -- C:\WINNT\System32\mp4spvd.dll
[2007/04/12 13:37:56 | 00,086,016 | ---- | C] () -- C:\WINNT\System32\AMD422Codec.dll
[2007/04/11 13:04:13 | 00,155,648 | ---- | C] () -- C:\WINNT\System32\xvidvfw.dll
[2007/04/11 13:03:55 | 00,524,288 | ---- | C] () -- C:\WINNT\System32\xvidcore.dll
[2007/03/21 03:19:58 | 00,010,752 | ---- | C] () -- C:\WINNT\System32\ff_vfw.dll
[2007/03/21 01:05:57 | 00,000,000 | ---- | C] () -- C:\WINNT\vpc32.INI
[2007/03/21 00:21:24 | 00,021,952 | -H-- | C] () -- C:\Program Files\folder.htt
[2004/08/02 20:03:00 | 00,102,441 | ---- | C] () -- C:\WINNT\System32\getvpd.dll
[2004/08/02 20:03:00 | 00,028,672 | ---- | C] () -- C:\WINNT\System32\pmemw.dll
[1999/12/07 12:00:00 | 00,176,400 | ---- | C] () -- C:\WINNT\System32\qcut.dll
[1999/12/07 12:00:00 | 00,033,552 | ---- | C] () -- C:\WINNT\System32\efsadu.dll
[1999/12/07 12:00:00 | 00,007,265 | ---- | C] () -- C:\WINNT\System32\iasperf.ini
[1999/12/07 12:00:00 | 00,001,505 | ---- | C] () -- C:\WINNT\System32\faxperf.ini
[1999/12/07 12:00:00 | 00,000,023 | ---- | C] () -- C:\WINNT\welcome.ini
[1999/09/25 18:36:24 | 00,088,816 | ---- | C] () -- C:\WINNT\System32\drivers\lvcam.sys
[1999/09/25 18:36:22 | 00,017,424 | ---- | C] () -- C:\WINNT\System32\drivers\lvsound.sys
< End of report >

Extras.txt

OTL Extras logfile created on: 1/12/2010 8:27:58 AM - Run 1
OTL by OldTimer - Version 3.1.24.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows 2000 Professional Edition Service Pack 4 (Version = 5.0.2195) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2800.1106)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 31.00 Mb Available Physical Memory | 6.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 61.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 20.00 Gb Total Space | 15.87 Gb Free Space | 79.34% Space Free | Partition Type: NTFS
Drive D: | 212.88 Gb Total Space | 0.15 Gb Free Space | 0.07% Space Free | Partition Type: NTFS
Drive E: | 232.88 Gb Total Space | 202.14 Gb Free Space | 86.80% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SERVER
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- %1
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"UacDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0F86FD09-BA63-4E45-A70B-604C1106C2F2}" = APC PowerChute Business Edition Console
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java™ 6 Update 17
"{3248F0A8-6813-11D6-A77B-00B0D0160000}" = Java™ SE Runtime Environment 6
"{43983EB4-43DC-4C3D-9712-1EF592A31CA8}" = OpenOffice.org 2.1
"{555ADE0A-2AE2-4139-806A-9F98405E4813}" = Canon MF4600 Series
"{615C20ED-725C-4E0D-A417-E12E21E25D46}" = Network Camera Recorder with Viewer Software
"{6F716D8C-398F-11D3-85E1-005004838609}" = WebFldrs
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A6491A4A-AAA0-4892-BFEF-ECD6CECE2FF3}" = APC PowerChute Business Edition Server
"{B508B3F1-A24A-32C0-B310-85786919EF28}" = Microsoft .NET Framework 2.0 Service Pack 1
"{B8812263-EA2C-4831-AE6D-BE188A27F586}" = hp toptools agent
"{BCE9F441-9027-4911-82E0-5FB28057897D}" = APC PowerChute Business Edition Agent
"{DA427272-904E-4EC2-BCC8-07B39B8EFA78}" = PC DVR-4-Net
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"ESET Online Scanner" = ESET Online Scanner v3
"Foxit Reader" = Foxit Reader
"HijackThis" = HijackThis 2.0.2
"IE40" = Microsoft Internet Explorer 6 SP1
"KLiteCodecPack_is1" = K-Lite Codec Pack 2.85 Standard
"LiveUpdate" = LiveUpdate 2.6 (Symantec Corporation)
"Mozilla Firefox (2.0.0.20)" = Mozilla Firefox (2.0.0.20)
"NVIDIA Drivers" = NVIDIA Drivers
"PROSet" = Intel® PRO Network Connections Drivers
"Q828026" = Windows Media Player Hotfix [See Q828026 for more information]
"Update Rollup 1" = Update Rollup 1 for Windows 2000 SP4
"WinRAR archiver" = WinRAR archiver
"WMP7" = Windows Media Player system update (9 Series)

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/30/2009 3:41:36 AM | Computer Name = SERVER | Source = Symantec AntiVirus | ID = 16711726
Description =

Error - 12/30/2009 3:41:36 AM | Computer Name = SERVER | Source = Symantec AntiVirus | ID = 16711685
Description =

Error - 12/30/2009 3:41:44 AM | Computer Name = SERVER | Source = Symantec AntiVirus | ID = 16711731
Description =

Error - 1/1/2010 9:21:26 PM | Computer Name = SERVER | Source = Userenv | ID = 1000
Description = Windows cannot unload your registry file. If you have a roaming profile,
your settings are not replicated. Contact your administrator. DETAIL - Access
is denied. , Build number ((2195)).

Error - 1/1/2010 9:24:08 PM | Computer Name = SERVER | Source = APCPBEAgent | ID = 16714685
Description = "Communication Not Established"

Error - 1/1/2010 9:40:31 PM | Computer Name = SERVER | Source = LoadPerf | ID = 3009
Description = Installing the performance counter strings for .NET Data Provider
for Oracle failed. The Error code is DWORD 0 of the Record Data.

Error - 1/1/2010 9:40:32 PM | Computer Name = SERVER | Source = LoadPerf | ID = 3009
Description = Installing the performance counter strings for .NET Data Provider
for SqlServer failed. The Error code is DWORD 0 of the Record Data.

Error - 1/1/2010 9:40:33 PM | Computer Name = SERVER | Source = LoadPerf | ID = 3009
Description = Installing the performance counter strings for .NET CLR Networking
failed. The Error code is DWORD 0 of the Record Data.

Error - 1/1/2010 9:40:33 PM | Computer Name = SERVER | Source = LoadPerf | ID = 3009
Description = Installing the performance counter strings for .NET CLR Data failed.
The Error code is DWORD 0 of the Record Data.

Error - 1/1/2010 9:40:33 PM | Computer Name = SERVER | Source = LoadPerf | ID = 3009
Description = Installing the performance counter strings for .NETFramework failed.
The Error code is DWORD 0 of the Record Data.

[ System Events ]
Error - 12/30/2009 9:32:32 PM | Computer Name = SERVER | Source = Removable Storage Service | ID = 262161
Description = RSM cannot manage library PhysicalDrive2. It encountered an unspecified
error. This can be caused by a number of problems including, but not limited to,
database corruption, failure communicating with the library, or insufficient system
resources.

Error - 12/30/2009 9:33:21 PM | Computer Name = SERVER | Source = Removable Storage Service | ID = 262161
Description = RSM cannot manage library PhysicalDrive2. It encountered an unspecified
error. This can be caused by a number of problems including, but not limited to,
database corruption, failure communicating with the library, or insufficient system
resources.


< End of report >

#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:08:02 AM

Posted 11 January 2010 - 09:24 PM

Hi,

ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Please do not run Combofix on your own

If you still have the file C:\combofix.txt please post the content in your next reply.

I do not recommend that you have more than one anti-virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (real-time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either Symantec or Avira.
If you decide to remove Symantec, let me know, I will provide you with the proper removal tool for it.

Your OTL looks pretty fine; just to be sure, I'd also like a rootkit scan:
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

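The GMER procedure above ends with pasting the log for a helper to read. As an added example (not part of this thread and not a GMER feature), here is a Python script that does the first pass a helper does by eye on such a log: it groups SSDT hooks by the 4 KiB page of their hook address, separates hooks on stealth-related native functions from the registry and process functions that anti-malware self-protection drivers commonly hook, and lists IAT hooks that resolve to a module with no company string. The sample log inside is constructed, modelled on the line formats GMER printed for this machine; the ZwQueryDirectoryFile hook and the unknown.dll entry are invented to exercise the flags, and the function lists are heuristics chosen for this example.

```python
"""Triage a GMER rootkit-scan log (added example; not GMER's or the thread's
own code).  Groups SSDT/IAT hooks and flags the ones worth a closer look."""
import re

# Native API functions rootkits hook to hide files, keys, processes or
# handles.  Heuristic list chosen for this example (assumption).
STEALTH_FUNCS = {
    "ZwQueryDirectoryFile", "ZwQuerySystemInformation", "ZwEnumerateKey",
    "ZwEnumerateValueKey", "ZwQueryValueKey", "ZwOpenKey",
    "ZwDeviceIoControlFile", "ZwQueryInformationProcess",
}

# GMER prints SSDT hooks here as "SSDT <addr> <function>" and IAT hooks as
# "IAT <proc>[pid] @ <image> [<dll>!<import>] [<addr>] <module> (<desc>/<company>)".
SSDT_RE = re.compile(r"^SSDT\s+([0-9A-Fa-f]{8})\s+(\w+)")
IAT_RE = re.compile(
    r"^IAT\s+(?P<proc>.+?\[\d+\])\s+@\s+(?P<image>.+?)\s+"
    r"\[(?P<import>[^\]]+)\]\s+\[(?P<addr>[0-9A-Fa-f]+)\]\s+"
    r"(?P<module>.+?)(?:\s+\((?P<info>[^)]*)\))?\s*$"
)


def parse_gmer(text):
    """Return {'ssdt': [...], 'iat': [...]} from the hook lines of a GMER log."""
    ssdt, iat = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = SSDT_RE.match(line)
        if m:
            ssdt.append({"addr": int(m.group(1), 16), "func": m.group(2)})
            continue
        m = IAT_RE.match(line)
        if m:
            info = m.group("info") or ""
            # GMER's parenthesised text is "<description>/<company>".
            company = info.rsplit("/", 1)[-1].strip()
            iat.append({"proc": m.group("proc"), "image": m.group("image"),
                        "import": m.group("import"), "module": m.group("module"),
                        "company": company})
    return {"ssdt": ssdt, "iat": iat}


def triage(parsed):
    """Summarise hooks: SSDT hooks clustered by the 4 KiB page of the hook
    address (one tight cluster usually means one driver placed them all),
    hooks on stealth-related functions, and IAT hooks resolved to a module
    that carries no company string."""
    pages = {}
    for h in parsed["ssdt"]:
        pages.setdefault(h["addr"] >> 12, []).append(h["func"])
    stealth = sorted(h["func"] for h in parsed["ssdt"] if h["func"] in STEALTH_FUNCS)

    by_module = {}
    for h in parsed["iat"]:
        entry = by_module.setdefault(h["module"], {"company": h["company"], "hooks": 0})
        entry["hooks"] += 1
    no_company = sorted(mod for mod, e in by_module.items() if not e["company"])

    verdict = "review" if stealth or no_company else "consistent with AV self-protection"
    return {
        "ssdt_clusters": {f"{page << 12:08X}": sorted(funcs) for page, funcs in pages.items()},
        "stealth_hooks": stealth,
        "iat_by_module": by_module,
        "iat_no_company": no_company,
        "verdict": verdict,
    }


# Constructed sample modelled on the thread's GMER output.  The
# ZwQueryDirectoryFile hook and the unknown.dll line are invented to
# exercise the flags; nothing here is a real finding about the poster's server.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT 81B05C26 ZwCreateKey
SSDT 81B05C08 ZwOpenProcess
SSDT 81B05C17 ZwTerminateProcess
SSDT 8ABC1234 ZwQueryDirectoryFile

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\explorer.exe [KERNEL32.DLL!CreateProcessW] [4AD84C9A] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\explorer.exe [KERNEL32.DLL!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [00A01234] C:\WINNT\system32\unknown.dll
"""

if __name__ == "__main__":
    import json
    print(json.dumps(triage(parse_gmer(SAMPLE_LOG)), indent=2))
```

Run against the lines GMER printed for this server, the SSDT hooks all land in one page and all sit on registry, process and thread functions, which is the shape an anti-virus self-protection driver leaves; the IAT entries all resolve to Microsoft's shim.dll and AcLayers.DLL, the application-compatibility layer. The script only tells you where to look next; a hook on a stealth function or an unattributed module is a reason to pull that driver or DLL for inspection, not a verdict in itself.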


#5 maxifire

maxifire
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:02 PM

Posted 11 January 2010 - 11:37 PM

Hi,

I no longer have Combofix.txt. If you would like a new copy, I can run a new scan and post it up.
I had previously tried uninstalling SAV, but the uninstall process froze and left traces of the program in the registry, though I believe it no longer runs in the background. Please provide me with the uninstall tool for removing SAV. Thank you.

GMER log

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-12 12:29:54
Windows 5.0.2195 Service Pack 4
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\uftdypob.sys


---- System - GMER 1.0.15 ----

SSDT 81B05C26 ZwCreateKey
SSDT 81B05C1C ZwCreateThread
SSDT 81B05C2B ZwDeleteKey
SSDT 81B05C35 ZwDeleteValueKey
SSDT 81B05C3A ZwLoadKey
SSDT 81B05C08 ZwOpenProcess
SSDT 81B05C0D ZwOpenThread
SSDT 81B05C44 ZwReplaceKey
SSDT 81B05C3F ZwRestoreKey
SSDT 81B05C30 ZwSetValueKey
SSDT 81B05C17 ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

init C:\WINNT\system32\DRIVERS\TD3004F60v.sys entry point in "init" section [0xEB87DCE0]
? C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !
? C:\WINNT\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\explorer.exe [KERNEL32.DLL!CreateProcessW] [4AD84C9A] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\explorer.exe [KERNEL32.DLL!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\explorer.exe [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\explorer.exe [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\explorer.exe [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!CreateProcessA] [4AD84AE3] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!CreateProcessW] [4AD84C9A] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [4AD84C9A] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryExA] [732E78DE] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!CreateProcessA] [4AD84AE3] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!CreateProcessW] [4AD84C9A] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!CreateProcessA] [4AD84AE3] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!CreateProcessW] [4AD84C9A] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!CreateProcessW] [4AD84C9A] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!CreateProcessW] [4AD84C9A] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\NETAPI32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\NETAPI32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\NETAPI32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\Secur32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\WS2_32.DLL [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\WS2_32.DLL [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\WS2_32.DLL [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!CreateProcessW] [4AD84C9A] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExA] [732E78DE] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\explorer.exe[120] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service C:\WINNT\system32\MSTask.exe? (*** hidden *** ) [AUTO] Schedule <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

#6 myrti
Posted 12 January 2010 - 08:05 AM

Hi,

I would like you to run ComboFix again, please follow these instructions:

Please download ComboFix from one of these locations:

Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#7 maxifire


Posted 14 January 2010 - 03:54 AM

Hi,

Sorry that I took a while to reply.
Could you please send me SAV Removal Tool?

Meanwhile, please check my Combofix log below.

Combofix Log
ComboFix 10-01-13.09 - Administrator 01/14/2010 14:42:28.6.1 - x86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.511.255 [GMT 8:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\winnt\system32\comres.dll . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2009-12-14 to 2010-01-14 )))))))))))))))))))))))))))))))
.

2010-01-14 06:41 . 2010-01-14 06:41 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_368.dat
2010-01-12 04:36 . 2010-01-12 04:36 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_2a0.dat
2010-01-04 04:25 . 2009-03-30 01:32 97512 ----a-w- c:\winnt\system32\drivers\avipbb.sys
2010-01-04 04:25 . 2009-03-24 07:07 65240 ----a-w- c:\winnt\system32\drivers\avgntflt.sys
2010-01-04 04:25 . 2009-02-13 03:28 18520 ----a-w- c:\winnt\system32\drivers\avgntmgr.sys
2010-01-04 04:25 . 2009-02-13 03:16 64488 ----a-w- c:\winnt\system32\drivers\avgntdd.sys
2010-01-04 04:25 . 2010-01-04 04:25 -------- d-----w- c:\program files\Avira
2010-01-04 04:25 . 2010-01-04 04:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-01-04 04:15 . 2010-01-04 04:15 411368 ----a-w- c:\winnt\system32\deploytk.dll
2010-01-04 01:28 . 2010-01-04 04:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-01-04 00:52 . 2010-01-04 00:52 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_920.dat
2010-01-03 23:44 . 2010-01-03 23:44 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_54c.dat
2010-01-02 09:21 . 2010-01-02 09:21 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2010-01-02 07:58 . 2010-01-04 04:21 -------- d-----w- c:\program files\ESET
2010-01-02 03:27 . 2010-01-02 03:27 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_37c.dat
2009-12-31 07:25 . 2010-01-12 04:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\OpenOffice.org2
2009-12-31 05:29 . 2003-06-19 04:05 10928 -c--a-w- c:\winnt\system32\dllcache\4mmdat.sys
2009-12-31 05:29 . 1999-12-07 08:43 38320 -c--a-w- c:\winnt\system32\dllcache\8514a.dll
2009-12-31 05:29 . 1999-11-30 15:38 91920 -c--a-w- c:\winnt\system32\dllcache\acq32.dll
2009-12-31 05:29 . 1999-11-01 08:42 801072 -c--a-w- c:\winnt\system32\dllcache\3cpciadi.sys
2009-12-31 05:29 . 1999-10-07 07:29 22992 -c--a-w- c:\winnt\system32\dllcache\15_16wdm.sys
2009-12-31 05:29 . 1999-09-24 15:55 792176 -c--a-w- c:\winnt\system32\dllcache\3cisaadi.sys
2009-12-31 05:29 . 1999-09-24 15:55 774928 -c--a-w- c:\winnt\system32\dllcache\3cisati.sys
2009-12-31 05:29 . 1999-09-24 15:55 763024 -c--a-w- c:\winnt\system32\dllcache\3cwmcru.sys
2009-12-31 05:29 . 2003-06-19 04:05 40752 -c--a-w- c:\winnt\system32\dllcache\1394bus.sys
2009-12-31 02:34 . 2009-12-31 02:34 -------- d-----w- C:\!KillBox

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-04 04:15 . 2007-03-20 17:08 -------- d-----w- c:\program files\Java
2010-01-04 01:28 . 2007-03-20 16:57 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-11-20 07:05 . 2009-11-20 07:05 288528 ----a-w- c:\winnt\AppPatch\aclayers.dll
2009-10-27 04:54 . 2009-10-27 04:54 576512 ------w- c:\winnt\system32\WININET.DLL
2009-10-16 07:13 . 2009-10-16 07:13 1227264 ----a-w- c:\winnt\system32\quartz.dll
2007-03-20 16:21 . 2007-03-20 16:21 21952 ---h--w- c:\program files\folder.htt
2009-08-29 06:05 . 2007-03-20 16:59 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-08-29 06:05 . 2007-03-20 16:59 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-08-29 06:05 . 2007-03-20 16:59 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2009-08-29 06:05 . 2007-03-20 16:59 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2009-08-29 06:05 . 2007-03-20 16:59 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

------- Sigcheck -------

[-] 2002-11-26 11:03 . 36678803A8030EE9A771935CFC1848BD . 52224 . . [9.0.1.56] . . c:\winnt\system32\mspmsnsv.dll
.
((((((((((((((((((((((((((((( SnapShot_2010-01-12_04.09.14 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ncr3"="c:\program files\Panasonic\Ncr3\ncrcore3.exe" [2007-10-09 1634304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [2003-06-19 111376]
"HP Tray Icon WMI"="c:\program files\Hewlett-Packard\TopToolsWMI\HPTrayIcon.exe" [2002-07-25 32768]
"NvCplDaemon"="c:\winnt\system32\NvCpl.dll" [2004-08-02 4493312]
"nwiz"="nwiz.exe" [2004-08-02 917504]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-04 149280]
"PCDVR"="c:\program files\PC DVR-4-Net\PC DVR-4-Net\PC DVR-4-Net.exe" [2005-12-22 1200188]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2003-06-19 186640]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Network Camera Recorder with Viewer Software.lnk - c:\winnt\Installer\{615C20ED-725C-4E0D-A417-E12E21E25D46}\_8DB1D86E8664740B17ADFF.exe [2008-6-23 4710]
OpenOffice.org 2.1.lnk - c:\program files\OpenOffice.org 2.1\program\quickstart.exe [2006-11-27 393216]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [1/4/2010 12:25 PM 108289]
R2 APCPBEAgent;APC PBE Agent;c:\progra~1\APC\POWERC~1\agent\pbeagent.exe [7/1/2008 2:48 PM 28672]
R2 APCPBEServer;APC PBE Server;c:\progra~1\APC\POWERC~1\server\PBESER~1.EXE [7/1/2008 2:53 PM 45134]
R2 HPAlertWMI;HPAlertWMI;c:\program files\Hewlett-Packard\TopToolsWMI\WMIProviders\HPAlertWMI.exe [7/25/2002 4:22 PM 73728]
R3 TD3004F60v;TD3004F60v;c:\winnt\system32\drivers\TD3004F60v.sys [4/12/2007 1:37 PM 15174]
S3 EraserUtilDrvI9;EraserUtilDrvI9;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI9.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI9.sys [?]
S3 WinRT;WinRT;c:\winnt\system32\drivers\WinRT.sys [12/1/1998 12:06 PM 35264]
.
.
------- Supplementary Scan -------
.
LSP: %SystemRoot%\system32\msafd.dll
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\59xmclk3.default\
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-14 14:46
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UPS]
"ImagePath"=" "
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(192)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL

- - - - - - - > 'explorer.exe'(1792)
c:\winnt\system32\SHDOCVW.DLL
.
Completion time: 2010-01-14 14:47:35
ComboFix-quarantined-files.txt 2010-01-14 06:47
ComboFix2.txt 2010-01-12 04:10
ComboFix3.txt 2010-01-02 01:04
ComboFix4.txt 2009-12-31 05:21
ComboFix5.txt 2010-01-14 06:41

Pre-Run: 17,484,070,912 bytes free
Post-Run: 17,480,716,288 bytes free

- - End Of File - - C3CF747D7162ED388F08C352A9384ED9

#8 myrti
Posted 14 January 2010 - 07:26 AM

Hi,

the logs are looking rather good. Are you still seeing signs of infection?

The removal tool for Symantec can be found here:
Please click HERE and follow the instructions in STEP 3 to download and run the norton removal tool.
I forgot to add it into the last post.

Let me know if you have any problems with that.

regards myrti



#9 maxifire

Posted 14 January 2010 - 08:05 PM

Hi,

Things are looking rather good now.

Just want to highlight,

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\winnt\system32\comres.dll . . . is infected!!

.

Is 'comres.dll' infected by a trojan?
Thanks!

#10 myrti
Posted 14 January 2010 - 08:28 PM

Hi,

the entry first of all means that ComboFix thinks it is not a legit Microsoft file. Now, depending on circumstances, this can either be a false positive or happen when malware attacks it.

I am not aware of any current malware attacking this file, and I am rather sure that if it was an old infection one of your antivirus programs would have picked it up. So I'm leaning towards the theory that the file is legit, but for some reason did not pass ComboFix's verification process. As a next step I would have asked you to run sfc:

Go to the Run box on the Start Menu and type in:

sfc /scannow

Make sure to include the space between the first "c" and the "/".

This will run the System File checker and it will scan for corrupt or missing files. It may prompt you to insert the CD if it needs to obtain files.

Please post back when it has finished letting me know what it has reported.

More info on this process can be found here.

This should replace the comres.dll file, if your operating system thinks that the copy is not legit.

regards myrti



#11 maxifire

Posted 18 January 2010 - 12:18 AM

Hi there,

I haven't been able to run the SFC because I cannot seem to find my Windows 2000 installation disc.
I will give it another try tomorrow and update you again.

Thank you for your patience.

#12 myrti
Posted 19 January 2010 - 09:43 AM

Hi,

if you cannot find your discs, please run SystemLook to look for a possible replacement copy on your system:

Please download SystemLook from jpshortstuff and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Double-click the SystemLook and copy/paste the following into the box
    :filefind
    comres.*
  • Hit the Look button. Let it finish the scan
  • A log will then pop up on your Desktop. Post the content of the log here in your next reply
regards myrti



#13 maxifire

Posted 20 January 2010 - 10:24 PM

Hi,

I've finally managed to locate my Windows 2000 SP4 installation disc.
I have done an SFC /scannow and the process completed successfully.

I am not quite sure what SFC has done because there is no log.
Is everything OK now?

#14 myrti
Posted 21 January 2010 - 06:37 AM

Hi,

sfc checks if all important system files are OK and automatically replaces broken copies with backups from either the system itself or your Windows CD. This should have fixed the defective comres.dll mentioned earlier.

How is your PC doing?

regards myrti



#15 myrti
Posted 29 January 2010 - 06:11 PM

Due to lack of feedback, this topic is now Closed.

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
myrti
