
Browser redirection issues with Firefox - MBR found


This topic is locked
20 replies to this topic

#1 serimral

serimral


Posted 12 January 2010 - 03:18 PM

Hi,

I have had this issue with Firefox redirecting me to advert sites when I click on a website link that I searched with Google.
I ran a scan with MBR and the log stated:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x01D1C06C0
malicious code @ sector 0x01D1C06C3 !
PE file found in sector at 0x01D1C06D9 !

I also have a folder called Help assistant and it looks as if my whole profile and folders are in there. A copy of my desktop.

Please can I have help in eradicating the issue. I have all my work files on this computer so I am desperate to disinfect it.
I have Spysweeper and Norton Internet Security 2009 and run XP Pro.

Thanks

Edited by serimral, 12 January 2010 - 03:19 PM.
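The detector output quoted above is short but easy to misread: "user & kernel MBR OK" only says that sector 0 looked the same whether read from user mode or from the kernel, while the three lines after it are the actual findings (a stashed copy of the original MBR, flagged code and a PE image sitting in raw sectors outside any file system). The parser below, added here as an example and not part of the thread or of gmer's tool, classifies each line of such a log and produces a verdict; it also handles the no-findings case, whose exact shape (the first five lines with nothing after them) is an assumption. The sample logs are constructed from the lines the poster quoted.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the lines the original poster quoted from the
# gmer "Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7" run.
INFECTED_LOG = """\
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x01D1C06C0
malicious code @ sector 0x01D1C06C3 !
PE file found in sector at 0x01D1C06D9 !
"""

# Constructed sample of a run with no findings (assumption: the same header
# and read-status lines, and no finding lines after them).
CLEAN_LOG = """\
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
"""

# Matches "sector 0x..." and "sector at 0x..." as the tool prints them.
SECTOR_RE = re.compile(r"sector(?: at)?\s+(0x[0-9A-Fa-f]+)")


@dataclass
class MbrReport:
    detector: str = ""
    user_read_ok: bool = False
    kernel_read_ok: bool = False
    user_kernel_match: bool = False
    mbr_copy_sector: Optional[int] = None     # where the original MBR was stashed
    malicious_sectors: List[int] = field(default_factory=list)
    pe_sectors: List[int] = field(default_factory=list)
    unrecognised: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # A stashed MBR copy, flagged code or a PE image in raw sectors is a
        # finding on its own; a user/kernel mismatch means something is
        # filtering what user mode is allowed to read from sector 0.
        return (self.mbr_copy_sector is not None
                or bool(self.malicious_sectors)
                or bool(self.pe_sectors)
                or (self.user_read_ok and self.kernel_read_ok
                    and not self.user_kernel_match))


def _sector(line: str) -> int:
    m = SECTOR_RE.search(line)
    if m is None:
        raise ValueError(f"no sector number in: {line!r}")
    return int(m.group(1), 16)


def parse_mbr_log(text: str) -> MbrReport:
    """Classify each line of a gmer MBR detector log into an MbrReport."""
    rep = MbrReport()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Stealth MBR rootkit"):
            rep.detector = line
        elif line == "user: MBR read successfully":
            rep.user_read_ok = True
        elif line == "kernel: MBR read successfully":
            rep.kernel_read_ok = True
        elif line == "user & kernel MBR OK":
            rep.user_kernel_match = True
        elif line.startswith("copy of MBR has been found in sector"):
            rep.mbr_copy_sector = _sector(line)
        elif line.startswith("malicious code @ sector"):
            rep.malicious_sectors.append(_sector(line))
        elif line.startswith("PE file found in sector"):
            rep.pe_sectors.append(_sector(line))
        elif line.startswith("device: opened"):
            pass  # status only, carries no verdict
        else:
            rep.unrecognised.append(line)  # surface anything this version does not know
    return rep


def byte_offset(sector: int, sector_size: int = 512) -> int:
    """Disk byte offset of a sector, for pulling it with a raw-disk imaging tool."""
    return sector * sector_size


def summarise(rep: MbrReport) -> str:
    verdict = "SUSPICIOUS" if rep.suspicious else "no MBR rootkit indicators"
    lines = [verdict]
    if rep.mbr_copy_sector is not None:
        lines.append(f"  original MBR copy at sector {rep.mbr_copy_sector:#x}")
    for s in rep.malicious_sectors:
        lines.append(f"  flagged code at sector {s:#x} (byte offset {byte_offset(s)})")
    for s in rep.pe_sectors:
        lines.append(f"  PE image at sector {s:#x}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarise(parse_mbr_log(INFECTED_LOG)))
    print(summarise(parse_mbr_log(CLEAN_LOG)))
```

Unknown lines are collected rather than dropped, so a newer detector version that prints a line this parser does not know still shows up in the report instead of silently producing a clean verdict.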



#2 pdtnelson

pdtnelson


Posted 12 January 2010 - 03:42 PM

Hi! We'll be happy to help you with this issue.

Please download MBAM Antimalware and save it to your desktop.
NOTE: Rename the file to ZZToy.exe before saving it to your desktop.

Next, prepare to run MBAM:

* Make sure you are connected to the Internet.
* Double-click on mbam-setup.exe to install the application.
* When the installation begins, follow the prompts and do not make any changes to default settings.
* When installation has finished, make sure you leave both of these checked:
  o Update Malwarebytes' Anti-Malware
  o Launch Malwarebytes' Anti-Malware
* Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

* If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.

On the Scanner tab:

* Make sure the "Perform Quick Scan" option is selected.
* Then click on the Scan button.
* If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
* The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
* When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
* Click OK to close the message box and continue with the removal process.

Once you have completed all of this, please post the log file in a reply. Thanks and good luck!

#3 serimral

serimral

Posted 12 January 2010 - 04:48 PM

How Bizarre that nothing is found!



Malwarebytes' Anti-Malware 1.44
Database version: 3550
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

12/01/2010 21:46:22
mbam-log-2010-01-12 (21-46-22).txt

Scan type: Quick Scan
Objects scanned: 171043
Time elapsed: 8 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#4 pdtnelson

pdtnelson


Posted 12 January 2010 - 06:55 PM

Your MBAM is slightly out of date, which may cause issues. Please have it search and install updates. If the update fails, try manually installing it with this



#5 serimral

serimral

Posted 13 January 2010 - 04:51 AM

Updated the Malware program and scanned again.
It is not picking up anything even though my browser is being redirected and I still have a mirror of my profile in the Help assistant folder.




Malwarebytes' Anti-Malware 1.44
Database version: 3553
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

13/01/2010 09:50:22
mbam-log-2010-01-13 (09-50-22).txt

Scan type: Quick Scan
Objects scanned: 171428
Time elapsed: 12 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by serimral, 13 January 2010 - 04:54 AM.


#6 Elise

Elise


Posted 13 January 2010 - 01:36 PM

Hello serimral,

To verify if the MBR rootkit is still there, please let me know how your computer is running generally and if you are able to delete the Help Assistant folder/account.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#7 serimral

serimral

Posted 13 January 2010 - 02:37 PM

Hi,

Generally slow, cannot delete help assistant folder even though it is disabled in users.
Still receive misdirection on browsers. I would say I am still infected.



#8 Elise

Elise


Posted 13 January 2010 - 02:47 PM

Hi, that's enough indication the MBR is indeed infected. I am going to move this topic to the HJT forum, so we can take proper care of it. We can't do that in Am I Infected since the tools we need to use are not allowed there.

COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

regards, Elise




#9 serimral

serimral

Posted 13 January 2010 - 04:41 PM

ComboFix 10-01-13.07 - paul 13/01/2010 21:31:30.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3324.2520 [GMT 0:00]
Running from: c:\documents and settings\paul\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((( Files Created from 2009-12-13 to 2010-01-13 )))))))))))))))))))))))))))))))
.

2010-01-13 21:13 . 2009-10-29 02:31 784752 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\coFFPlgn\components\coFFPlgn.dll
2010-01-13 21:13 . 2009-10-01 09:19 164216 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\IPSFFPlgn\components\IPSFFPl.dll
2010-01-13 21:13 . 2010-01-13 21:13 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-01-13 21:13 . 2010-01-13 21:13 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-01-13 21:13 . 2009-10-05 17:34 929648 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\OCS\hsplayer.dll
2010-01-13 21:12 . 2009-11-07 01:08 893296 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\CLT\cltLMSx.dll
2010-01-13 21:12 . 2010-01-13 21:12 -------- d-----w- c:\windows\system32\drivers\NIS
2010-01-13 21:12 . 2010-01-13 21:12 -------- d-----w- c:\program files\Norton Internet Security
2010-01-13 21:11 . 2010-01-13 21:11 -------- d-----w- c:\program files\NortonInstaller
2010-01-13 21:10 . 2010-01-13 21:11 -------- d-----w- c:\windows\LastGood
2010-01-13 21:03 . 2010-01-13 21:08 -------- d-----w- c:\windows\system32\wbem\Repository.001
2010-01-13 20:55 . 2004-08-02 14:20 4569 ------w- c:\windows\system32\secupd.dat
2010-01-13 18:56 . 2004-08-04 07:56 351232 ----a-w- c:\windows\system32\winhttp.dll
2010-01-13 18:56 . 2004-08-04 07:56 18944 ----a-w- c:\windows\system32\qmgrprxy.dll
2010-01-13 18:42 . 2004-08-03 14:04 185624 -c--a-w- c:\windows\system32\dllcache\iuengine.dll
2010-01-13 18:42 . 2004-08-03 14:04 185624 ----a-w- c:\windows\system32\iuengine.dll
2010-01-13 18:32 . 2001-08-17 22:36 38912 -c--a-w- c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
2010-01-13 18:31 . 2003-03-31 12:00 18944 -c--a-w- c:\windows\system32\dllcache\cprofile.exe
2010-01-13 18:27 . 2003-03-31 12:00 28160 -c--a-w- c:\windows\system32\dllcache\msoobe.exe
2010-01-13 18:27 . 2004-08-04 07:56 45568 ----a-w- c:\windows\system32\safrslv.dll
2010-01-13 18:27 . 2004-08-04 07:56 43520 ----a-w- c:\windows\system32\safrcdlg.dll
2010-01-13 18:27 . 2004-08-04 07:56 43520 ----a-w- c:\windows\system32\racpldlg.dll
2010-01-13 18:27 . 2004-08-04 07:56 29696 ----a-w- c:\windows\system32\safrdm.dll
2010-01-13 18:27 . 2003-03-31 12:00 11264 -c--a-w- c:\windows\system32\dllcache\atrace.dll
2010-01-13 18:27 . 2003-03-31 12:00 11264 ----a-w- c:\windows\system32\atrace.dll
2010-01-13 18:27 . 2004-08-04 07:56 32768 ----a-w- c:\windows\system32\mnmsrvc.exe
2010-01-13 18:27 . 2004-08-04 07:56 32768 ----a-w- c:\windows\system32\isrdbg32.dll
2010-01-13 18:25 . 2004-08-04 07:56 183808 ----a-w- c:\windows\system32\accwiz.exe
2010-01-13 18:23 . 2004-08-04 06:01 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-01-13 18:23 . 2004-08-04 05:59 57472 ----a-w- c:\windows\system32\drivers\redbook.sys
2010-01-13 18:22 . 2004-08-04 08:01 40840 ----a-w- c:\windows\system32\drivers\termdd.sys
2010-01-13 18:22 . 2004-08-04 06:01 196864 ----a-w- c:\windows\system32\drivers\rdpdr.sys
2010-01-13 11:48 . 2010-01-13 11:48 52224 ----a-w- c:\documents and settings\paul\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-13 11:48 . 2010-01-13 11:48 117760 ----a-w- c:\documents and settings\paul\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-13 11:47 . 2010-01-13 11:47 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-13 11:47 . 2010-01-13 11:47 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-13 11:47 . 2010-01-13 11:47 -------- d-----w- c:\documents and settings\paul\Application Data\SUPERAntiSpyware.com
2010-01-13 11:47 . 2010-01-13 11:47 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-12 22:25 . 2010-01-12 22:25 -------- d-----w- c:\windows\system32\scripting
2010-01-12 22:25 . 2010-01-12 22:25 -------- d-----w- c:\windows\l2schemas
2010-01-12 22:25 . 2010-01-12 22:25 -------- d-----w- c:\windows\system32\en
2010-01-12 21:53 . 2010-01-12 21:53 -------- d-sh--w- c:\documents and settings\paul\IECompatCache
2010-01-12 21:36 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-12 21:36 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-12 07:07 . 2010-01-12 07:07 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-01-11 22:59 . 2010-01-11 22:59 -------- d-----w- c:\program files\TrendMicro
2010-01-11 22:22 . 2010-01-11 22:22 -------- d-----w- c:\documents and settings\paul\Application Data\Malwarebytes
2010-01-11 22:22 . 2010-01-11 22:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-11 22:22 . 2010-01-13 09:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-10 23:00 . 2010-01-10 23:00 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-01-10 22:48 . 2010-01-10 22:48 -------- d-sh--w- c:\documents and settings\paul\PrivacIE
2010-01-10 22:46 . 2010-01-10 22:46 -------- d-sh--w- c:\documents and settings\paul\IETldCache
2010-01-10 22:45 . 2010-01-10 22:45 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-01-10 22:41 . 2010-01-12 00:09 -------- d-----w- c:\windows\ie8updates
2010-01-10 22:38 . 2010-01-10 22:40 -------- dc-h--w- c:\windows\ie8
2010-01-08 21:32 . 2010-01-08 21:32 -------- d-----w- c:\documents and settings\paul\Local Settings\Application Data\Tific
2010-01-08 21:31 . 2010-01-08 21:31 -------- d-----w- c:\documents and settings\paul\Application Data\Tific
2010-01-08 21:31 . 2010-01-08 21:31 -------- d-----w- c:\documents and settings\paul\Local Settings\Application Data\Symantec
2010-01-03 23:23 . 2010-01-03 23:23 -------- d-----w- c:\documents and settings\paul\Local Settings\Application Data\Copy of MEDIEVAL_INSPIRATIONS
2010-01-02 17:45 . 2010-01-10 21:48 -------- d-----w- c:\documents and settings\paul\Local Settings\Application Data\MEDIEVAL_INSPIRATIONS
2010-01-01 17:22 . 2010-01-01 17:22 -------- d-----w- c:\program files\nuttyrivers.com
2009-12-24 23:13 . 2009-12-24 23:13 -------- d-----w- c:\documents and settings\HelpAssistant\WINDOWS
2009-12-24 23:13 . 2009-12-24 23:13 -------- d-----w- c:\documents and settings\HelpAssistant\UserData
2009-12-24 23:13 . 2009-12-24 23:13 -------- d-----w- c:\documents and settings\HelpAssistant\Tracing
2009-12-24 23:13 . 2009-12-24 23:13 -------- d-----w- c:\documents and settings\HelpAssistant\System
2009-12-24 23:12 . 2009-12-24 23:12 -------- d-----w- c:\documents and settings\HelpAssistant\Problems
2009-12-24 17:18 . 2008-07-14 06:11 557056 ----a-w- c:\documents and settings\HelpAssistant\GoToAssist_phone__317_en.exe
2009-12-24 17:18 . 2008-07-09 20:33 61480 ----a-w- c:\documents and settings\HelpAssistant\GoToAssistDownloadHelper.exe
2009-12-24 17:12 . 2009-12-24 17:12 -------- d-----w- c:\documents and settings\HelpAssistant\Contacts
2009-12-24 17:12 . 2009-12-24 17:12 -------- d-----w- c:\documents and settings\HelpAssistant\Citrix
2009-12-19 21:12 . 2009-03-22 15:05 888832 ----a-w- c:\windows\system32\SaveTo.dll
2009-12-19 21:11 . 2009-11-22 02:46 30208 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\ActPrint.dll
2009-12-19 21:11 . 2009-12-06 03:11 883200 ----a-w- c:\windows\system32\PrintDisp.exe
2009-12-19 21:11 . 2009-10-29 11:59 65536 ----a-w- c:\windows\system32\PrintCtrl.exe
2009-12-19 21:11 . 2009-06-16 22:19 2519040 ----a-w- c:\windows\system32\CPDF.dll
2009-12-19 21:11 . 2008-01-18 23:36 1391616 ----a-w- c:\windows\system32\ActPDF.dll
2009-12-19 21:10 . 2007-09-10 10:32 524288 ----a-w- c:\windows\system32\PrtPass.exe
2009-12-19 21:10 . 2009-11-10 03:16 375296 ----a-w- c:\windows\system32\SetPrinter.exe
2009-12-19 21:10 . 2009-02-02 22:43 691200 ----a-w- c:\windows\system32\PrintLog.exe
2009-12-19 21:10 . 2009-10-01 05:31 740864 ----a-w- c:\windows\system32\PrtTools.exe
2009-12-19 21:10 . 2009-11-11 10:47 1170944 ----a-w- c:\windows\system32\PrtClient.exe
2009-12-19 21:10 . 2009-12-10 12:04 826880 ----a-w- c:\windows\system32\SetupDrv.exe
2009-12-19 18:55 . 2009-12-19 18:55 -------- d-----w- c:\documents and settings\paul\Local Settings\Application Data\xmlnvmc32
2009-12-19 12:49 . 2009-12-19 12:49 10134 ----a-r- c:\documents and settings\paul\Application Data\Microsoft\Installer\{A778A787-08A4-4089-CB68-02A9737DE532}\ARPPRODUCTICON.exe
2009-12-19 12:49 . 2009-12-21 19:10 -------- d-----w- c:\program files\ATI
2009-12-17 22:06 . 2009-12-17 22:06 10534 ----a-w- c:\documents and settings\All Users\rndismp.sys
2009-12-17 18:38 . 2009-12-17 18:38 -------- d-----w- c:\documents and settings\paul\Local Settings\Application Data\ScanToPDF
2009-12-17 18:35 . 2009-12-17 18:35 -------- d-----w- c:\program files\O Imaging Corporation
2009-12-17 18:09 . 2009-12-17 18:09 -------- d-----w- c:\documents and settings\paul\Application Data\Lexmark Productivity Studio
2009-12-17 18:08 . 2009-12-17 18:08 -------- d-----w- c:\documents and settings\All Users\lx_cats
2009-12-17 18:06 . 2009-12-17 18:06 -------- d-----w- C:\logs
2009-12-17 18:05 . 2006-08-01 01:53 40960 ----a-w- c:\windows\system32\lxdivs.dll
2009-12-17 18:05 . 2007-03-30 10:13 344064 ----a-w- c:\windows\system32\lxdicoin.dll
2009-12-17 18:05 . 2007-03-15 23:08 113664 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\lxdidrpp.dll
2009-12-17 18:04 . 2001-08-17 22:36 87040 ----a-w- c:\windows\system32\wiafbdrv.dll
2009-12-17 18:04 . 2007-03-23 15:44 692224 ----a-w- c:\windows\system32\lxdidrs.dll
2009-12-17 18:04 . 2007-02-09 14:07 69632 ----a-w- c:\windows\system32\lxdicnv4.dll
2009-12-17 18:04 . 2007-01-23 19:40 65536 ----a-w- c:\windows\system32\lxdicaps.dll
2009-12-14 22:32 . 2009-11-03 16:07 2309120 ----a-w- c:\windows\system32\pdftk.exe
2009-12-14 22:31 . 2009-11-03 16:08 204848 ----a-w- c:\windows\system32\gswin32c.exe
2009-12-14 22:31 . 2009-11-03 16:08 196608 ----a-w- c:\windows\system32\Utility.dll
2009-12-14 22:31 . 2009-12-14 22:32 -------- d-----w- c:\windows\system32\gs
2009-12-14 22:31 . 2009-11-03 16:07 116224 ----a-w- c:\windows\system32\Execute.dll
2009-12-14 22:31 . 2009-11-03 16:07 102469 ----a-w- c:\windows\system32\VBPrnDlg.dll
2009-12-14 22:31 . 2009-11-03 16:08 45056 ----a-w- c:\windows\system32\unredmon.exe
2009-12-14 22:31 . 2009-11-03 16:08 116224 ----a-w- c:\windows\system32\utility3.dll
2009-12-14 22:31 . 1998-04-24 00:00 368912 ----a-w- c:\windows\system32\vbar332.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-13 21:24 . 2010-01-13 21:24 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20100112.053\naveng.sys
2010-01-13 21:24 . 2010-01-13 21:24 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20100112.053\eeCtrl.sys
2010-01-13 21:24 . 2010-01-13 21:24 259440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20100112.053\ecmsvr32.dll
2010-01-13 21:24 . 2010-01-13 21:24 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20100112.053\naveng32.dll
2010-01-13 21:24 . 2010-01-13 21:24 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20100112.053\navex32a.dll
2010-01-13 21:24 . 2010-01-13 21:24 1323568 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20100112.053\navex15.sys
2010-01-13 21:24 . 2010-01-13 21:24 102448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20100112.053\eraser.sys
2010-01-13 21:24 . 2010-01-13 21:24 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20100112.053\cceraser.dll
2010-01-13 21:21 . 2006-12-31 02:45 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-01-13 21:13 . 2006-12-31 02:46 -------- d-----w- c:\program files\Symantec
2010-01-13 21:13 . 2010-01-13 21:13 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-01-13 21:13 . 2010-01-13 21:13 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-01-13 21:12 . 2009-12-05 14:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-01-13 21:08 . 2007-01-20 06:45 -------- d-----w- c:\program files\Google
2010-01-13 20:38 . 2007-02-15 22:37 -------- d-----w- c:\program files\Java
2010-01-13 20:36 . 2008-02-17 02:52 -------- d-----w- c:\program files\Champfoot
2010-01-13 18:25 . 2006-12-31 00:14 23348 -c--a-w- c:\windows\system32\emptyregdb.dat
2010-01-13 14:18 . 2009-09-19 17:32 -------- d-----w- c:\program files\FontLab
2010-01-12 22:29 . 2006-12-31 00:16 86327 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2010-01-10 22:38 . 2007-03-26 04:05 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2010-01-03 14:49 . 2006-12-31 02:31 67352 ----a-w- c:\documents and settings\paul\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-02 23:38 . 2009-01-04 00:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-24 18:08 . 2006-12-31 00:26 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-22 15:38 . 2007-01-06 16:43 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-20 14:32 . 2009-08-10 20:36 -------- d-----w- c:\program files\EGOSOFT
2009-12-19 21:29 . 2009-12-19 21:18 2901 ----a-w- c:\documents and settings\All Users\Application Data\actmask.log.zip
2009-12-19 18:06 . 2009-12-24 17:18 0 ----a-w- c:\documents and settings\HelpAssistant\dos2usb.tmp
2009-12-19 12:50 . 2008-05-01 19:33 -------- d-----w- c:\program files\ATI Technologies
2009-12-19 12:03 . 2009-03-15 17:12 164 ----a-w- c:\windows\install.dat
2009-12-17 18:05 . 2009-12-17 18:03 -------- d-----w- c:\program files\Lexmark 3500-4500 Series
2009-12-05 14:31 . 2009-12-05 14:31 -------- d-----w- c:\program files\Windows Sidebar
2009-12-05 14:12 . 2006-12-31 02:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-12-05 04:54 . 2009-12-05 04:54 529456 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20091205.001\BHDrvx86.sys
2009-12-05 04:54 . 2009-12-05 04:54 201616 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20091205.001\BHRules.dll
2009-12-05 04:54 . 2009-12-05 04:54 1405840 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20091205.001\BHEngine.dll
2009-12-05 04:54 . 2009-12-05 04:54 668720 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20091205.001\BHDrvx64.sys
2009-12-05 04:54 . 2009-12-05 04:54 610704 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20091205.001\bbRGen.dll
2009-11-25 03:50 . 2007-12-18 02:46 4463104 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2009-11-25 03:27 . 2008-05-01 19:27 446464 ----a-w- c:\windows\system32\ATIDEMGX.dll
2009-11-25 03:26 . 2007-12-18 01:53 300032 ----a-w- c:\windows\system32\ati2dvag.dll
2009-11-25 03:11 . 2007-12-18 01:46 208896 ----a-w- c:\windows\system32\atipdlxx.dll
2009-11-25 03:11 . 2007-10-12 05:01 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2009-11-25 03:10 . 2007-12-18 01:46 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2009-11-25 03:10 . 2007-12-18 01:46 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2009-11-25 03:10 . 2007-12-18 01:45 155648 ----a-w- c:\windows\system32\ati2evxx.dll
2009-11-25 03:09 . 2007-12-18 01:44 602112 ----a-w- c:\windows\system32\ati2evxx.exe
2009-11-25 03:07 . 2007-12-18 01:43 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2009-11-25 02:59 . 2008-05-01 19:27 311296 ----a-w- c:\windows\system32\atiiiexx.dll
2009-11-25 02:59 . 2007-12-18 01:36 3538496 ----a-w- c:\windows\system32\ati3duag.dll
2009-11-25 02:44 . 2009-05-16 02:55 13533184 ----a-w- c:\windows\system32\atioglxx.dll
2009-11-25 02:43 . 2007-12-18 01:25 2142848 ----a-w- c:\windows\system32\ativvaxx.dll
2009-11-25 02:42 . 2008-05-01 19:27 887724 ----a-w- c:\windows\system32\ativva6x.dat
2009-11-25 02:42 . 2008-05-01 19:27 3 ----a-w- c:\windows\system32\ativva5x.dat
2009-11-25 02:26 . 2009-05-16 02:38 65024 ----a-w- c:\windows\system32\atimpc32.dll
2009-11-25 02:26 . 2007-12-18 01:15 65024 ----a-w- c:\windows\system32\amdpcom32.dll
2009-11-25 02:21 . 2007-12-18 01:11 565248 ----a-w- c:\windows\system32\atikvmag.dll
2009-11-25 02:20 . 2009-05-16 01:35 45056 ----a-w- c:\windows\system32\aticalrt.dll
2009-11-25 02:20 . 2009-05-16 01:34 45056 ----a-w- c:\windows\system32\aticalcl.dll
2009-11-25 02:19 . 2009-05-16 02:31 176128 ----a-w- c:\windows\system32\atiadlxx.dll
2009-11-25 02:18 . 2007-12-18 01:10 17408 ----a-w- c:\windows\system32\atitvo32.dll
2009-11-25 02:18 . 2009-05-16 01:33 3612672 ----a-w- c:\windows\system32\aticaldd.dll
2009-11-25 02:18 . 2007-12-18 01:07 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2009-11-25 02:17 . 2007-12-18 01:08 397312 ----a-w- c:\windows\system32\atiok3x2.dll
2009-11-25 02:12 . 2007-12-18 01:04 638976 ----a-w- c:\windows\system32\ati2cqag.dll
2009-11-21 21:51 . 2009-11-21 21:44 -------- d-----w- c:\program files\XBrow
2009-11-10 14:18 . 2006-12-31 06:02 14 -c--a-w- c:\windows\popcinfo.dat
2009-11-06 15:19 . 2007-10-26 22:22 1563008 ----a-w- c:\windows\WRSetup.dll
2009-11-06 12:00 . 2007-10-26 22:22 23152 ----a-w- c:\windows\system32\drivers\sshrmd.sys
2009-11-06 12:00 . 2007-10-26 22:22 176752 ----a-w- c:\windows\system32\drivers\ssidrv.sys
2009-11-06 12:00 . 2008-07-28 15:44 29808 ----a-w- c:\windows\system32\drivers\ssfs0bbc.sys
2009-10-28 22:37 . 2010-01-13 21:24 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20100106.001\IDSvix86.sys
2009-10-28 22:37 . 2010-01-13 21:24 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20100106.001\IDSXpx86.sys
2009-10-28 22:37 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\BinHub\IDSvix86.sys
2009-10-28 22:37 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\BinHub\IDSXpx86.sys
2009-10-28 22:37 . 2010-01-13 21:24 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20100106.001\Scxpx86.dll
2009-10-28 22:37 . 2010-01-13 21:24 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20100106.001\IDSxpx86.dll
2009-10-28 22:37 . 2010-01-13 21:24 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20100106.001\IDSviA64.sys
2009-10-28 22:37 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\BinHub\Scxpx86.dll
2009-10-28 22:37 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\BinHub\IDSxpx86.dll
2009-10-28 22:37 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\BinHub\IDSviA64.sys
2009-10-27 21:23 . 2009-10-27 21:23 3988 ----a-w- c:\documents and settings\paul\MENU.DAT
2009-10-22 15:59 . 2008-05-01 19:27 196565 ----a-w- c:\windows\system32\atiicdxx.dat
2009-10-21 05:38 . 2004-08-04 07:56 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 07:56 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 06:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2002-08-01 02:55 . 2008-03-17 01:43 106 --sh--w- c:\windows\WSYS049.SYS
.

------- Sigcheck -------

[-] 2008-04-14 . F92E1076C42FCD6DB3D72D8CFE9816D5 . 13824 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\wscntfy.exe
[-] 2008-04-14 . F92E1076C42FCD6DB3D72D8CFE9816D5 . 13824 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\wscntfy.exe
[-] 2008-04-14 . F92E1076C42FCD6DB3D72D8CFE9816D5 . 13824 . . [5.1.2600.5512] . . c:\windows\system32\wscntfy.exe
[7] 2004-08-04 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . c:\windows\ServicePackFiles\i386\wscntfy.exe
[7] 2004-08-04 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\wscntfy.exe

[-] 2008-04-14 . 295D21F14C335B53CB8154E5B1F892B9 . 129024 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\xmlprov.dll
[-] 2008-04-14 . 295D21F14C335B53CB8154E5B1F892B9 . 129024 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\xmlprov.dll
[-] 2008-04-14 . 295D21F14C335B53CB8154E5B1F892B9 . 129024 . . [5.1.2600.5512] . . c:\windows\system32\xmlprov.dll
[7] 2004-08-04 . EEF46DAB68229A14DA3D8E73C99E2959 . 129536 . . [5.1.2600.2180] . . c:\windows\ServicePackFiles\i386\xmlprov.dll
[7] 2004-08-04 . EEF46DAB68229A14DA3D8E73C99E2959 . 129536 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\xmlprov.dll

[-] 2008-04-13 . 3BB22519A194418D5FEC05D800A19AD0 . 36608 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\ip6fw.sys
[-] 2008-04-13 . 3BB22519A194418D5FEC05D800A19AD0 . 36608 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ip6fw.sys
[-] 2008-04-13 . 3BB22519A194418D5FEC05D800A19AD0 . 36608 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ip6fw.sys
[7] 2004-08-04 . 4448006B6BC60E6C027932CFC38D6855 . 29056 . . [5.1.2600.2180] . . c:\windows\ServicePackFiles\i386\ip6fw.sys
[7] 2004-08-04 . 4448006B6BC60E6C027932CFC38D6855 . 29056 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\ip6fw.sys

[-] 2006-10-19 05:47 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\ERDNT\cache\mspmsnsv.dll
[-] 2006-10-19 05:47 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\mspmsnsv.dll
[7] 2004-08-04 07:56 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\$NtUninstallWMFDist11$\mspmsnsv.dll
[7] 2004-08-04 07:56 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\ServicePackFiles\i386\mspmsnsv.dll
[7] 2004-08-04 07:56 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\mspmsnsv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Eraser"="c:\program files\Eraser\Eraser.exe" [2007-12-22 916240]
"xmlnvmc32"="c:\documents and settings\paul\Local Settings\Application Data\xmlnvmc32\xmlnvmc32.dll" [2009-10-05 54272]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-05 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-28 221184]
"razer"="c:\program files\Razer\razerhid.exe" [2005-05-18 147456]
"CTHelper"="c:\windows\CTHELPER.EXE" [2006-08-11 17920]
"CTxfiHlp"="c:\windows\system32\CTXFIHLP.EXE" [2006-08-11 18944]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"Norton Ghost 9.0"="c:\program files\Symantec\Norton Ghost\Agent\GhostTray.exe" [2004-11-10 1126400]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" [2007-03-13 517768]
"lxdimon.exe"="c:\program files\Lexmark 3500-4500 Series\lxdimon.exe" [2007-07-16 434864]
"lxdiamon"="c:\program files\Lexmark 3500-4500 Series\lxdiamon.exe" [2007-07-16 25264]
"PrintDisp"="c:\windows\system32\PrintDisp.exe" [2009-12-06 883200]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2009-11-06 6515784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-9-28 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\cybered\\WinPAT\\WinPAT.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\LMabcoms.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\lxdicoms.exe"=
"c:\\Program Files\\Lexmark 3500-4500 Series\\lxdiamon.exe"=
"c:\\Program Files\\Lexmark 3500-4500 Series\\App4R.exe"=
"c:\\Program Files\\Lexmark 3500-4500 Series\\lxdimon.exe"=
"c:\\Program Files\\O Imaging Corporation\\ScanToPDF\\ScanToPDF.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdijswx.exe"=
"c:\\WINDOWS\\system32\\lxdicfg.exe"=
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop

R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [10/11/2004 18:30 138801]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [28/07/2008 15:44 29808]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1101000.013\SymDS.sys [13/01/2010 21:13 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1101000.013\SymEFA.sys [13/01/2010 21:13 171056]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20091205.001\BHDrvx86.sys [05/12/2009 04:54 529456]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1101000.013\cchpx86.sys [13/01/2010 21:13 501888]
R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [10/11/2004 18:49 46800]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [05/01/2010 07:56 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/01/2010 07:56 74480]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1101000.013\Ironx86.sys [13/01/2010 21:13 114736]
R2 lxdi_device;lxdi_device;c:\windows\system32\lxdicoms.exe -service --> c:\windows\system32\lxdicoms.exe -service [?]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.1.0.19\ccSvcHst.exe [13/01/2010 21:12 126392]
R2 Printer Control;Printer Control;c:\windows\system32\PrintCtrl.exe [19/12/2009 21:11 65536]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe [28/11/2008 23:54 1201640]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20100106.001\IDSXpx86.sys [13/01/2010 21:24 329592]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05/01/2010 07:56 7408]
S2 gupdate1c9b7cb69c6e4ba;Google Update Service (gupdate1c9b7cb69c6e4ba);c:\program files\Google\Update\GoogleUpdate.exe [07/04/2009 21:53 133104]
S2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdiserv.exe [17/12/2009 18:05 99248]
S3 bkn50USB;Belkin 54Mbps Wireless USB Network Adapter;c:\windows\system32\drivers\rt2500usb.sys [02/06/2008 17:10 140416]
S3 Razerlow;Razerlow USB Filter Driver;c:\windows\system32\drivers\Razerlow.sys [31/12/2006 04:22 13225]
S3 SaiH0464;SaiH0464;c:\windows\system32\drivers\SaiH0464.sys [31/12/2006 05:08 132232]
S3 wg121;NETGEAR WG121 802.11g Wireless USB2.0 Adapter;c:\windows\system32\DRIVERS\wg121nd5.sys --> c:\windows\system32\DRIVERS\wg121nd5.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - BHDRVX86
*NewlyCreated* - NAVENG
*NewlyCreated* - NAVEX15
*NewlyCreated* - NIS
*NewlyCreated* - SRTSP
*NewlyCreated* - SRTSPX
*NewlyCreated* - SYMIRON
*Deregistered* - EraserUtilDrvI9
.
Contents of the 'Scheduled Tasks' folder

2010-01-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 11:34]

2010-01-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-07 21:53]

2010-01-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-07 21:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://bbc.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: toontown.com
DPF: {FF791555-FDAC-43AB-B792-389E4CC0A6E5} - hxxp://download.test.toontown.com/sv1.0.30.4.test/tt_test.cab
FF - ProfilePath - c:\documents and settings\paul\Application Data\Mozilla\Firefox\Profiles\lrrqt824.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin2.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin3.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin4.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin5.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Microsoft Works Update Detection - c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-13 21:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.1.0.19\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.1.0.19\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1614895754-573735546-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:19,20,cf,ef,5d,c8,e4,6f,fc,1e,cc,da,fb,c7,8e,d7,6a,0a,e2,56,b9,21,9a,
1f,ad,96,94,94,7c,0a,1f,02,1f,0b,48,bc,b5,82,83,85,59,c2,fd,5b,0d,58,94,14,\
"??"=hex:81,d7,06,db,64,1d,a3,ec,b3,e8,5a,c2,80,d2,e7,76
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(816)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3564)
c:\documents and settings\paul\Local Settings\Application Data\xmlnvmc32\xmlnvmc32.dll
c:\windows\system32\msi.dll
c:\windows\System32\shdoclc.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\browselc.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
c:\program files\SUPERAntiSpyware\SASSEH.DLL
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
c:\program files\ATI Technologies\ATI.ACE\Core-Static\atiacmxx.dll
c:\program files\ATI Technologies\ATI.ACE\Core-Static\atiamENU.dll
.
Completion time: 2010-01-13 21:41:06
ComboFix-quarantined-files.txt 2010-01-13 21:41

Pre-Run: 206,238,482,432 bytes free
Post-Run: 206,235,144,192 bytes free

- - End Of File - - 2AF70F1040B675132AC6762A5C5D5D12


#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,257 posts
  • Gender:Female
  • Location:Romania
  • Local time:08:12 PM

Posted 14 January 2010 - 06:53 AM

This is certainly strange... Let's check out some files that seem patched.

UPLOAD A FILE
--------------------
We need to check a file. Please click this link VirusTotal

When the page has finished loading, click the Choose file button and navigate to the following file and click Send file.

c:\windows\system32\wscntfy.exe
c:\windows\system32\xmlprov.dll
c:\windows\system32\drivers\ip6fw.sys
c:\windows\system32\mspmsnsv.dll

If you get the message that the file has already been scanned before, please click Reanalyse file now.
Please post back the results of the scan in your next post.



regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft
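
Elise's request above concerns the four files that the ComboFix log lists under "Sigcheck". As an added example (not code from the thread, from ComboFix or from BleepingComputer), the Python script below parses Sigcheck lines of that shape, groups them by file name, and for each file compares the copy installed under system32 with the copy in ServicePackFiles, reporting hash and version-string differences. The sample lines are copied from the log above; the field layout is inferred from those lines, and the meaning of the "[-]" and "[7]" markers is my assumption rather than something the page documents.

```python
"""Triage helper for ComboFix 'Sigcheck' output.

Added example for this thread, not code from the thread, ComboFix or
BleepingComputer.  It groups Sigcheck lines by file name and compares the
copy installed under system32 with the ServicePackFiles copy.
"""
import re
from collections import defaultdict

# One Sigcheck line: [mark] date [time] . MD5 . size . . [version] . . path
# (layout inferred from the log above).
SIGCHECK_RE = re.compile(
    r"^\[(?P<mark>[^\]]*)\]\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2}(?: \d{2}:\d{2})?)\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]+)\]\s+\.\s+\.\s+"
    r"(?P<path>\S.*?)\s*$"
)

# Constructed sample: lines copied from the Sigcheck block of the log above.
SAMPLE_LOG = r"""
------- Sigcheck -------

[-] 2008-04-14 . F92E1076C42FCD6DB3D72D8CFE9816D5 . 13824 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\wscntfy.exe
[-] 2008-04-14 . F92E1076C42FCD6DB3D72D8CFE9816D5 . 13824 . . [5.1.2600.5512] . . c:\windows\system32\wscntfy.exe
[7] 2004-08-04 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . c:\windows\ServicePackFiles\i386\wscntfy.exe

[-] 2006-10-19 05:47 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\mspmsnsv.dll
[7] 2004-08-04 07:56 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\ServicePackFiles\i386\mspmsnsv.dll
"""


def parse_sigcheck(text):
    """Return one dict per recognised Sigcheck line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"])
        e["md5"] = e["md5"].upper()
        e["path"] = e["path"].lower()
        e["name"] = e["path"].rsplit("\\", 1)[-1]
        entries.append(e)
    return entries


def is_installed_copy(path):
    """The live copy sits under system32 (or system32\\drivers); the ERDNT and
    SoftwareDistribution\\Download copies are caches, not the running file."""
    return path.startswith("c:\\windows\\system32\\")


def is_reference_copy(path):
    """ServicePackFiles holds the copy laid down by the service pack installer."""
    return "\\servicepackfiles\\" in path


def triage(text):
    """For each file name, compare the installed copy with the reference copy."""
    by_name = defaultdict(list)
    for e in parse_sigcheck(text):
        by_name[e["name"]].append(e)

    report = {}
    for name, copies in by_name.items():
        installed = next((c for c in copies if is_installed_copy(c["path"])), None)
        reference = next((c for c in copies if is_reference_copy(c["path"])), None)
        both = installed is not None and reference is not None
        report[name] = {
            "installed_md5": installed["md5"] if installed else None,
            "installed_version": installed["version"] if installed else None,
            "reference_md5": reference["md5"] if reference else None,
            "reference_version": reference["version"] if reference else None,
            "hash_differs": both and installed["md5"] != reference["md5"],
            "version_differs": both and installed["version"] != reference["version"],
            # Assumption: '[-]' marks copies ComboFix could not verify.
            "minus_marked_copies": sum(1 for c in copies if c["mark"] == "-"),
        }
    return report


def suspicious(report):
    """Names whose installed copy does not hash like the service-pack copy."""
    return sorted(n for n, r in report.items() if r["hash_differs"])


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    for name in suspicious(rep):
        r = rep[name]
        print(f"{name}: installed {r['installed_version']} ({r['installed_md5']}) "
              f"vs reference {r['reference_version']} ({r['reference_md5']})")
```

Run against the full Sigcheck block, the script names every file whose system32 copy hashes differently from its ServicePackFiles copy, which is exactly the set Elise asks to have uploaded. Note that the catchme banner further down the same log reports "Service Pack 2" while the flagged copies carry the 5.1.2600.5512 build string (the XP SP3 build); a version-string mismatch of that kind is worth resolving with an independent scan before trusting the files, which is what the VirusTotal step does.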


#11 serimral

serimral
  • Topic Starter

  • Members
  • 10 posts
  • Local time:05:12 PM

Posted 14 January 2010 - 04:28 PM


wscntfy.exe

Antivirus Version Last Update Result
a-squared 4.5.0.48 2010.01.14 -
AhnLab-V3 5.0.0.2 2010.01.14 -
AntiVir 7.9.1.142 2010.01.14 -
Antiy-AVL 2.0.3.7 2010.01.12 -
Authentium 5.2.0.5 2010.01.14 -
Avast 4.8.1351.0 2010.01.14 -
AVG 9.0.0.725 2010.01.14 -
BitDefender 7.2 2010.01.14 -
CAT-QuickHeal 10.00 2010.01.14 -
ClamAV 0.94.1 2010.01.14 -
Comodo 3584 2010.01.14 -
DrWeb 5.0.1.12222 2010.01.14 -
eSafe 7.0.17.0 2010.01.14 -
eTrust-Vet 35.2.7236 2010.01.14 -
F-Prot 4.5.1.85 2010.01.14 -
F-Secure 9.0.15370.0 2010.01.14 -
Fortinet 4.0.14.0 2010.01.14 -
GData 19 2010.01.14 -
Ikarus T3.1.1.80.0 2010.01.14 -
Jiangmin 13.0.900 2010.01.14 -
K7AntiVirus 7.10.946 2010.01.13 -
Kaspersky 7.0.0.125 2010.01.14 -
McAfee 5861 2010.01.14 -
McAfee+Artemis 5861 2010.01.14 -
McAfee-GW-Edition 6.8.5 2010.01.14 -
Microsoft 1.5302 2010.01.14 -
NOD32 4772 2010.01.14 -
Norman 6.04.03 2010.01.14 -
nProtect 2009.1.8.0 2010.01.14 -
Panda 10.0.2.2 2010.01.14 -
PCTools 7.0.3.5 2010.01.14 -
Prevx 3.0 2010.01.14 -
Rising 22.30.03.04 2010.01.14 -
Sophos 4.49.0 2010.01.14 -
Sunbelt 3.2.1858.2 2010.01.14 -
Symantec 20091.2.0.41 2010.01.14 -
TheHacker 6.5.0.3.150 2010.01.14 -
TrendMicro 9.120.0.1004 2010.01.14 -
VBA32 3.12.12.1 2010.01.14 -
ViRobot 2010.1.14.2136 2010.01.14 -
VirusBuster 5.0.21.0 2010.01.14 -
Additional information
File size: 13824 bytes
MD5...: f92e1076c42fcd6db3d72d8cfe9816d5
SHA1..: 549f0a01848375d03159fc74171ed97790fa9650
SHA256: 94135acf2d9426bb78e4522429120b03d94b541422c277b9aca31410874a464c
ssdeep: 192:JmvFvF8NbUW94QtMXREaELt2y1PT6zu7R3bolyk+gahQQMnvLAIguynlmsWT1PWK:Wd8NQWzk5ELt7P/hkQqLde7WT1PWS
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x27f2
timedatestamp.....: 0x48025335 (Sun Apr 13 18:38:45 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x27e0 0x2800 6.16 6b938c455457f7d1b5c5a674b8ebf6f1
.data 0x4000 0x6c 0x200 0.62 a46ea3afddd245a4720f45eb859ddfbf
.rsrc 0x5000 0x6e0 0x800 3.99 98ba1bbfda46d37793d588959529ce08

( 5 imports )
> msvcrt.dll: __p__commode, __p__fmode, __set_app_type, _except_handler3, _controlfp, _adjust_fdiv, __setusermatherr, _initterm, __wgetmainargs, _wcmdln, exit, _cexit, _XcptFilter, _exit, _c_exit
> KERNEL32.dll: GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, GetUserDefaultUILanguage, GetLocaleInfoW, CreateProcessW, GetProcessHeap, HeapFree, HeapAlloc, LoadLibraryExW, GetStartupInfoW, GetModuleHandleA, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetSystemTimeAsFileTime, GetLastError, CreateMutexW, CloseHandle, FormatMessageW, CreateEventW, GetCurrentProcessId
> USER32.dll: PeekMessageW, DispatchMessageW, MsgWaitForMultipleObjects, RegisterWindowMessageW, LoadStringW, LoadImageW, PostQuitMessage, PostMessageW, DestroyMenu, TrackPopupMenu, SetMenuDefaultItem, SetMenuItemInfoW, AppendMenuW, CreatePopupMenu, SetForegroundWindow, GetCursorPos, DefWindowProcW, CreateWindowExW, LoadCursorW, LoadIconW, ShowWindow, RegisterClassExW
> SHELL32.dll: SHGetFolderPathW, ShellExecuteW, Shell_NotifyIconW
> RPCRT4.dll: RpcBindingFromStringBindingW, RpcStringBindingComposeW, RpcBindingFree, RpcSsDestroyClientContext, NdrClientCall2, RpcStringFreeW

( 0 exports )
RDS...: NSRL Reference Data Set
-
sigcheck:
publisher....: Microsoft Corporation
copyright....: © Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: Windows Security Center Notification App
original name: wscntfy.exe
internal name: wscntfy.exe
file version.: 5.1.2600.5512 (xpsp.080413-2108)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
pdfid.: -
trid..: Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)


xmlprov.dll

Antivirus Version Last Update Result
a-squared 4.5.0.48 2010.01.14 -
AhnLab-V3 5.0.0.2 2010.01.14 -
AntiVir 7.9.1.142 2010.01.14 -
Antiy-AVL 2.0.3.7 2010.01.12 -
Authentium 5.2.0.5 2010.01.14 -
Avast 4.8.1351.0 2010.01.14 -
AVG 9.0.0.725 2010.01.14 -
BitDefender 7.2 2010.01.14 -
CAT-QuickHeal 10.00 2010.01.14 -
ClamAV 0.94.1 2010.01.14 -
Comodo 3584 2010.01.14 -
DrWeb 5.0.1.12222 2010.01.14 -
eSafe 7.0.17.0 2010.01.14 -
eTrust-Vet 35.2.7236 2010.01.14 -
F-Prot 4.5.1.85 2010.01.14 -
F-Secure 9.0.15370.0 2010.01.14 -
Fortinet 4.0.14.0 2010.01.14 -
GData 19 2010.01.14 -
Ikarus T3.1.1.80.0 2010.01.14 -
Jiangmin 13.0.900 2010.01.14 -
K7AntiVirus 7.10.946 2010.01.13 -
Kaspersky 7.0.0.125 2010.01.14 -
McAfee 5861 2010.01.14 -
McAfee+Artemis 5861 2010.01.14 -
McAfee-GW-Edition 6.8.5 2010.01.14 -
Microsoft 1.5302 2010.01.14 -
NOD32 4772 2010.01.14 -
Norman 6.04.03 2010.01.14 -
nProtect 2009.1.8.0 2010.01.14 -
Panda 10.0.2.2 2010.01.14 -
PCTools 7.0.3.5 2010.01.14 -
Prevx 3.0 2010.01.14 -
Rising 22.30.03.04 2010.01.14 -
Sophos 4.49.0 2010.01.14 -
Sunbelt 3.2.1858.2 2010.01.14 -
Symantec 20091.2.0.41 2010.01.14 -
TheHacker 6.5.0.3.150 2010.01.14 -
TrendMicro 9.120.0.1004 2010.01.14 -
VBA32 3.12.12.1 2010.01.14 -
ViRobot 2010.1.14.2136 2010.01.14 -
VirusBuster 5.0.21.0 2010.01.14 -
Additional information
File size: 129024 bytes
MD5...: 295d21f14c335b53cb8154e5b1f892b9
SHA1..: 090e95953f71d654ea885af74d491ad1e6a0f8c7
SHA256: 9418477c2e3ea93e93d931a4edd4500da568fad6040204b5201d1080203b0bbc
ssdeep: 3072:K/IvBpoLMlwcXZznLt02SJW3gADcCAJud:t7oLM2mMlCd
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x16275
timedatestamp.....: 0x4802a12c (Mon Apr 14 00:11:24 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1c9e4 0x1ca00 6.47 747443081460292df346889068115d90
.data 0x1e000 0x1c8 0x200 1.80 b62cd350158fbbe46e93f101d823e152
.rsrc 0x1f000 0x718 0x800 3.95 c12db74733218834ea913973eeef7c1d
.reloc 0x20000 0x1e46 0x2000 5.66 721c28ab2d9a2d9c714d8a294ac146c0

( 13 imports )
> msvcrt.dll: memmove, _wtoi, _vsnwprintf, __0exception@@QAE@ABV0@@Z, _CxxThrowException, wcsrchr, _wfullpath, wcstoul, _wcsdup, wcslen, free, realloc, __CxxFrameHandler, _purecall, _vsnprintf, __2@YAPAXI@Z, malloc, _initterm, _adjust_fdiv, _terminate@@YAXXZ, _except_handler3, __1type_info@@UAE@XZ, __3@YAXPAX@Z
> MSVCP60.dll: __0bad_alloc@std@@QAE@PBD@Z, __1bad_alloc@std@@UAE@XZ, __0bad_alloc@std@@QAE@ABV01@@Z
> ATL.DLL: -, -, -, -, -, -, -, -, -
> ADVAPI32.dll: UnlockServiceDatabase, RegisterServiceCtrlHandlerExW, SetServiceStatus, OpenSCManagerW, OpenServiceW, CloseServiceHandle, LockServiceDatabase, ChangeServiceConfigW, QueryServiceConfigW, RegEnumKeyExW, RegisterEventSourceW, ReportEventW, DeregisterEventSource, RegSetValueExW, RegQueryValueExW, RegOpenKeyExW, RegCreateKeyExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW
> KERNEL32.dll: GetDiskFreeSpaceExW, LocalFree, LocalAlloc, GetFileAttributesExW, HeapFree, GetProcessHeap, CreateTimerQueueTimer, RemoveDirectoryW, FileTimeToSystemTime, EnumUILanguagesW, InitializeCriticalSection, GetCurrentThreadId, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, DeleteFileW, FormatMessageW, DeleteTimerQueueTimer, InterlockedExchange, CopyFileW, Sleep, WaitForSingleObject, QueueUserWorkItem, WideCharToMultiByte, HeapAlloc, DisableThreadLibraryCalls, MultiByteToWideChar, lstrlenW, GetStringTypeExW, GetThreadLocale, lstrcmpW, InterlockedDecrement, InterlockedIncrement, EnterCriticalSection, LeaveCriticalSection, lstrlenA, GetLastError, CreateEventW, CloseHandle, SetEvent, InterlockedCompareExchange, DeleteCriticalSection, GetSystemTimeAsFileTime, lstrcmpiW, DebugBreak, OutputDebugStringW, FindNextFileW, FindClose, SetFileAttributesW, CreateDirectoryW, lstrcpyW, InitializeCriticalSectionAndSpinCount, SetLastError, FindFirstFileW, MoveFileExW
> ole32.dll: CoTaskMemFree, CLSIDFromString, CoTaskMemAlloc, CoCreateInstance, CoInitializeEx, StringFromCLSID, IIDFromString, CoUninitialize, CoSwitchCallContext
> OLEAUT32.dll: -, -, -, -, -, -, -
> rtutils.dll: TraceRegisterExW, TracePrintfA, TraceDeregisterW
> SHELL32.dll: SHGetFolderPathW
> SHLWAPI.dll: PathCanonicalizeW, PathIsRelativeW, PathRemoveExtensionW, PathFileExistsW, PathStripPathW, PathCreateFromUrlW, UrlIsW
> USER32.dll: LoadStringW, CharNextW, CharUpperW, CharLowerW, wvsprintfW
> WINHTTP.dll: WinHttpCrackUrl
> ntdll.dll: RtlReleaseResource, RtlAcquireResourceExclusive, RtlAcquireResourceShared, RtlDeleteResource, RtlInitializeResource

( 3 exports )
DllRegisterServer, DllUnregisterServer, ServiceMain
RDS...: NSRL Reference Data Set
-
sigcheck:
publisher....: Microsoft Corporation
copyright....: © Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: Network Provisioning Service
original name: xmlprov.dll
internal name: xmlprov.dll
file version.: 5.1.2600.5512 (xpsp.080413-0852)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
trid..: Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
pdfid.: -

mspmsnsv.dll

Antivirus Version Last Update Result
a-squared 4.5.0.48 2010.01.14 -
AhnLab-V3 5.0.0.2 2010.01.14 -
AntiVir 7.9.1.142 2010.01.14 -
Antiy-AVL 2.0.3.7 2010.01.12 -
Authentium 5.2.0.5 2010.01.14 -
Avast 4.8.1351.0 2010.01.14 -
AVG 9.0.0.725 2010.01.14 -
BitDefender 7.2 2010.01.14 -
CAT-QuickHeal 10.00 2010.01.14 -
ClamAV 0.94.1 2010.01.14 -
Comodo 3584 2010.01.14 -
DrWeb 5.0.1.12222 2010.01.14 -
eSafe 7.0.17.0 2010.01.14 -
eTrust-Vet 35.2.7236 2010.01.14 -
F-Prot 4.5.1.85 2010.01.14 -
F-Secure 9.0.15370.0 2010.01.14 -
Fortinet 4.0.14.0 2010.01.14 -
GData 19 2010.01.14 -
Ikarus T3.1.1.80.0 2010.01.14 -
Jiangmin 13.0.900 2010.01.14 -
K7AntiVirus 7.10.946 2010.01.13 -
Kaspersky 7.0.0.125 2010.01.14 -
McAfee 5861 2010.01.14 -
McAfee+Artemis 5861 2010.01.14 -
McAfee-GW-Edition 6.8.5 2010.01.14 -
Microsoft 1.5302 2010.01.14 -
NOD32 4772 2010.01.14 -
Norman 6.04.03 2010.01.14 -
nProtect 2009.1.8.0 2010.01.14 -
Panda 10.0.2.2 2010.01.14 -
PCTools 7.0.3.5 2010.01.14 -
Prevx 3.0 2010.01.14 -
Rising 22.30.03.04 2010.01.14 -
Sophos 4.49.0 2010.01.14 -
Sunbelt 3.2.1858.2 2010.01.14 -
Symantec 20091.2.0.41 2010.01.14 -
TheHacker 6.5.0.3.150 2010.01.14 -
TrendMicro 9.120.0.1004 2010.01.14 -
VBA32 3.12.12.1 2010.01.14 -
ViRobot 2010.1.14.2136 2010.01.14 -
VirusBuster 5.0.21.0 2010.01.14 -
Additional information
File size: 27136 bytes
MD5...: c51b4a5c05a5475708e3c81c7765b71d
SHA1..: c61095f51df41e64b3f034458958c918f0d6f8a8
SHA256: f776d2680bd3407307b7072626f78460361fc5bc38623c9e16f394d300ab25de
ssdeep: 768:DQrdsm8STScNCFnyXESZ9AAWng/WVRf+TSp+C:DQrdsm8STSXFncyAyoM+T9C
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x3b1e
timedatestamp.....: 0x453711a3 (Thu Oct 19 05:48:19 2006)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x51c7 0x5200 6.53 fe7844e8d31ea87cacf25b675f903c2c
.data 0x7000 0x68c 0x400 5.83 05e48ce95c056451a34b5764dd77504f
.rsrc 0x8000 0x7f8 0x800 3.36 376cc5d3206409d33610ff4a71293149
.reloc 0x9000 0x72c 0x800 4.27 a977a9009663c9ef81e9d15c87be2eec

( 3 imports )
> msvcrt.dll: _adjust_fdiv, _amsg_exit, _initterm, free, malloc, _XcptFilter, ___U@YAPAXI@Z, ___V@YAXPAX@Z, __2@YAPAXI@Z, memmove, memset, memcpy, __3@YAXPAX@Z, _purecall
> KERNEL32.dll: WideCharToMultiByte, WaitNamedPipeW, CreateFileA, CreateFileW, DeviceIoControl, CompareStringA, GetVersionExA, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, QueryPerformanceCounter, RtlUnwind, InterlockedCompareExchange, InterlockedExchange, GetModuleFileNameA, FormatMessageA, LoadLibraryExA, GetProcAddress, FormatMessageW, FreeLibrary, LeaveCriticalSection, EnterCriticalSection, GetDriveTypeW, GetLastError, CreateEventA, DisconnectNamedPipe, WaitForSingleObject, CancelIo, CloseHandle, SetEvent, ConnectNamedPipe, ReadFile, WriteFile, WaitForMultipleObjects, GetOverlappedResult, ResetEvent, LocalFree, CreateNamedPipeA, LocalAlloc, DeleteCriticalSection, DisableThreadLibraryCalls, InitializeCriticalSection, SetLastError, Sleep, GetTickCount
> ADVAPI32.dll: StartServiceA, TraceMessage, CreateServiceA, RegSetValueExA, RegCreateKeyA, RegQueryValueExW, RegSetValueExW, RegCloseKey, ControlService, DeleteService, RegDeleteKeyA, QueryServiceStatus, GetSecurityInfo, SetSecurityInfo, RegisterServiceCtrlHandlerA, AllocateAndInitializeSid, SetEntriesInAclA, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, FreeSid, ImpersonateNamedPipeClient, RevertToSelf, SetServiceStatus, RegisterEventSourceA, ReportEventA, DeregisterEventSource, OpenSCManagerA, OpenServiceA, CloseServiceHandle

( 4 exports )
DllMain, DllRegisterServer, DllUnregisterServer, ServiceMain
RDS...: NSRL Reference Data Set
-
sigcheck:
publisher....: Microsoft Corporation
copyright....: © Microsoft Corporation. All rights reserved.
product......: Windows Media Device Manager
description..: Microsoft Media Device Service Provider
original name: MsPMSNSv.dll
internal name: MsPMSNSv.dll
file version.: 11.0.5721.5145
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
pdfid.: -
trid..: Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)

ip6fw.sys

a-squared 4.5.0.48 2010.01.14 -
AhnLab-V3 5.0.0.2 2010.01.14 -
AntiVir 7.9.1.142 2010.01.14 -
Antiy-AVL 2.0.3.7 2010.01.12 -
Authentium 5.2.0.5 2010.01.14 -
Avast 4.8.1351.0 2010.01.14 -
AVG 9.0.0.725 2010.01.14 -
BitDefender 7.2 2010.01.14 -
CAT-QuickHeal 10.00 2010.01.14 -
ClamAV 0.94.1 2010.01.14 -
Comodo 3584 2010.01.14 -
DrWeb 5.0.1.12222 2010.01.14 -
eSafe 7.0.17.0 2010.01.14 -
eTrust-Vet 35.2.7236 2010.01.14 -
F-Prot 4.5.1.85 2010.01.14 -
F-Secure 9.0.15370.0 2010.01.14 -
Fortinet 4.0.14.0 2010.01.14 -
GData 19 2010.01.14 -
Ikarus T3.1.1.80.0 2010.01.14 -
Jiangmin 13.0.900 2010.01.14 -
K7AntiVirus 7.10.946 2010.01.13 -
Kaspersky 7.0.0.125 2010.01.14 -
McAfee-GW-Edition 6.8.5 2010.01.14 -
Microsoft 1.5302 2010.01.14 -
NOD32 4772 2010.01.14 -
Norman 6.04.03 2010.01.14 -
nProtect 2009.1.8.0 2010.01.14 -
Panda 10.0.2.2 2010.01.14 -
PCTools 7.0.3.5 2010.01.14 -
Prevx 3.0 2010.01.14 -
Rising 22.30.03.04 2010.01.14 -
Sophos 4.49.0 2010.01.14 -
Sunbelt 3.2.1858.2 2010.01.14 -
Symantec 20091.2.0.41 2010.01.14 -
TheHacker 6.5.0.3.150 2010.01.14 -
TrendMicro 9.120.0.1004 2010.01.14 -
VBA32 3.12.12.1 2010.01.14 -
ViRobot 2010.1.14.2136 2010.01.14 -
VirusBuster 5.0.21.0 2010.01.14 -
Additional information
File size: 36608 bytes
MD5 : 3bb22519a194418d5fec05d800a19ad0
SHA1 : 4755dd23eb1780211f8ccf27966f78907d2eb851
SHA256: f6662f440950596dc1382dd1db5d7891ccea30a6062bea942c18445b5f0d8b16
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x171AA
timedatestamp.....: 0x480256AC (Sun Apr 13 20:53:32 2008)
machinetype.......: 0x14C (Intel I386)

( 7 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x300 0x5754 0x5780 6.37 9019e1fe5238ba1ba959f4c746afcfa7
.rdata 0x5A80 0x3C4 0x400 4.53 20531d7d6d0c7452bfaee097b7331d39
.data 0x5E80 0x964 0x980 0.43 4d957aa1cd3c86d1622558f376d01204
PAGE 0x6800 0x17E 0x180 5.60 b43bd25ecd09129a4adadd0107811744
INIT 0x6980 0xF78 0xF80 6.18 4853ff7eab7e42528ac6074726842a32
.rsrc 0x7900 0xA20 0xA80 6.27 3c19e8752b2fbc98024c9721f95202d1
.reloc 0x8380 0xB5A 0xB80 6.17 a62455e5f0755f8f0db618c2f49378f9

( 0 imports )


( 0 exports )
TrID : File type identification
Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
ThreatExpert: http://www.threatexpert.com/report.aspx?md...fec05d800a19ad0
ssdeep: 384:N4AgBbM15FuO+s1w0FOksQOhaKPI+c5FZcOs/cERbw86v9T2FnYp9rZDroAu9EZ0:yZSU0FLlOhDgkBmrEhGFdjtuHJ
PEiD : -
packers (Kaspersky): PE_Patch
RDS : NSRL Reference Data Set


#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,257 posts
  • Gender:Female
  • Location:Romania
  • Local time:08:12 PM

Posted 14 January 2010 - 04:46 PM

Please click start > run, type sfc /scannow in the run box and press enter. Note, there is a space between sfc and /scannow.

Let the system file checker run unhindered. You might be prompted for your Windows CD.

After this reboot your computer and let me know how everything is running now.

regards, Elise




#13 serimral

serimral
  • Topic Starter

  • Members
  • 10 posts
  • Local time:05:12 PM

Posted 14 January 2010 - 05:53 PM

my browser is still being hijacked

#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,257 posts
  • Gender:Female
  • Location:Romania
  • Local time:08:12 PM

Posted 15 January 2010 - 02:09 AM

Can you please re-run Combofix and post me the log?

regards, Elise




#15 serimral

serimral
  • Topic Starter

  • Members
  • 10 posts
  • Local time:05:12 PM

Posted 15 January 2010 - 04:50 PM

I can't; the log file is larger than 512k and my browser keeps freezing.





