Infected with Tidserv Request

12 replies to this topic

#1 Reeyees
  • Members
  • 6 posts

Posted 19 March 2010 - 08:06 PM

I think my computer has been hit with the Tidserv infection. Norton says it found it and removed it, but it is still blocking incoming Tidserv Request attacks with every Google query and also seemingly after a set amount of time/inactivity. Norton hasn't found anything with subsequent scans and Spybot also comes up empty. Here are the DDS and GMER logs. Help with removal most appreciated, thanks.


DDS (Ver_10-03-17.01) - NTFSx86
Run by user at 18:49:05.18 on Sat 03/20/2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.485.77 [GMT -4:00]

AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\j2re1.4.2_13\bin\jusched.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Divx Player\DivxPlayer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\ZyXEL G-220v3 Wireless USB Adapter Utility\ZyXEL G-220v3.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\user\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uWindow Title = Microsoft Internet Explorer
uSearch Bar = hxxp://start.earthlink.net/AL/Search
mDefault_Page_URL = hxxp://my.att.net
mSearchAssistant = hxxp://start.earthlink.net/AL/Search
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: ElnkPubBHO Class: {512acf1b-64d9-4928-b382-a80556f28db4} - c:\program files\earthlink\toolbar\ElnkPub.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll
BHO: Accelerator Plugin: {656ec4b7-072b-4698-b504-2a414c1f0037} - c:\progra~1\earthl~2\PRPL_I~1.DLL
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\3.8.0.41\IPSBHO.DLL
BHO: ElnkProtectionBHO Class: {9579d574-d4d8-4335-9560-fe8641a013bd} - c:\program files\earthlink\toolbar\ProtctIE.dll
BHO: ElnkLegacyUninstBHO Class: {e713904c-df05-4c79-bbad-02db923253be} - c:\program files\earthlink\toolbar\uninsttb.dll
TB: EarthLink Toolbar: {c7768536-96f8-4001-b1a2-90ee21279187} - c:\program files\earthlink\toolbar\Toolbar.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll
uRun: [Divx Player] "c:\program files\divx player\DivxPlayer.exe" hmw
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
mRun: [PRONoMgrWired] c:\program files\intel\prosetwired\ncs\proset\PRONoMgr.exe
mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
mRun: [Mixersel] c:\program files\realtek\installshield\mixersel.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\j2re1.4.2_13\bin\jusched.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\zyxelg~1.lnk - c:\program files\zyxel g-220v3 wireless usb adapter utility\ZyXEL G-220v3.exe
IE: EarthLink Google Search - c:\program files\earthlink\toolbar\SearchUI.dll/search.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} - hxxp://www.srtest.com/srl_bin/sysreqlab_ind.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\3.8.0.41\CoIEPlg.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\008wffwf.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\java\j2re1.4.2_13\bin\NPJava11.dll
FF - plugin: c:\program files\java\j2re1.4.2_13\bin\NPJava12.dll
FF - plugin: c:\program files\java\j2re1.4.2_13\bin\NPJava13.dll
FF - plugin: c:\program files\java\j2re1.4.2_13\bin\NPJava14.dll
FF - plugin: c:\program files\java\j2re1.4.2_13\bin\NPJava32.dll
FF - plugin: c:\program files\java\j2re1.4.2_13\bin\NPJPI142_13.dll
FF - plugin: c:\program files\java\j2re1.4.2_13\bin\NPOJI610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308000.029\SymEFA.sys [2010-3-18 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0308000.029\BHDrvx86.sys [2010-3-18 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0308000.029\cchpx86.sys [2010-3-18 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100312.001\IDSXpx86.sys [2010-3-17 329592]
R2 N360;Norton 360;c:\program files\norton 360\engine\3.8.0.41\ccSvcHst.exe [2010-3-18 117640]
R2 ZDCNDIS5;ZDCNDIS5 NDIS5.1 Protocol Driver;c:\windows\system32\ZDCndis5.sys [2010-2-7 20736]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-3-16 102448]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100319.003\NAVENG.SYS [2010-3-20 84912]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100319.003\NAVEX15.SYS [2010-3-20 1324720]
R3 ZG760_XP;ZyXEL 802.11g XG762 1211 Driver;c:\windows\system32\drivers\WlanGZXP.SYS [2010-2-7 735232]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\drivers\BRGSp50.sys [2010-2-7 20608]

=============== Created Last 30 ================

2010-03-17 21:55:06 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys
2010-03-17 21:55:00 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-03-17 21:55:00 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-03-17 21:55:00 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-03-17 21:55:00 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-03-17 21:55:00 0 d-----w- c:\program files\Symantec
2010-03-17 21:55:00 0 d-----w- c:\program files\common files\Symantec Shared
2010-03-17 21:54:17 0 d-----w- c:\windows\system32\drivers\N360
2010-03-17 21:54:15 0 d-----w- c:\program files\Norton 360
2010-03-17 21:52:42 0 d-----w- c:\program files\NortonInstaller
2010-03-15 21:37:05 7680 ----a-w- c:\windows\system32\drivers\nd.sys
2010-03-15 21:36:45 20 ----a-w- c:\windows\system32\crt.dat
2010-03-15 21:36:41 98304 ----a-w- c:\windows\system32\kbvdt.dll
2010-03-15 21:36:41 119 ----a-w- c:\windows\system32\kboem32.dat
2010-03-15 21:36:41 110080 ----a-w- c:\windows\system32\kbddta.dll
2010-03-12 05:38:14 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-12 00:22:45 0 d-----w- c:\program files\Windows Media Connect 2
2010-03-12 00:20:40 0 d-----w- c:\windows\system32\LogFiles
2010-03-11 22:50:48 0 d-----w- c:\program files\Combined Community Codec Pack
2010-03-08 00:43:24 1089593 -c----w- c:\windows\system32\dllcache\ntprint.cat
2010-03-07 20:05:33 0 d-----w- c:\windows\system32\XPSViewer
2010-03-07 20:04:04 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-03-07 20:04:04 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-03-07 20:04:04 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-03-07 20:04:04 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-03-07 20:04:04 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-03-07 20:04:04 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-03-07 20:04:04 117760 ------w- c:\windows\system32\prntvpt.dll
2010-03-07 20:04:04 0 d-----w- C:\8e5a334cfd8aa27d3f706faf329412
2010-03-04 03:22:20 0 d-----w- c:\program files\ZyX
2010-03-04 01:25:05 0 d-----w- c:\program files\AnyToISO
2010-03-03 22:20:15 4178264 ----a-w- c:\windows\system\D3DX9_41.dll
2010-03-03 21:18:11 0 d-----w- c:\program files\Gratuitous Space Battles

==================== Find3M ====================

2010-03-17 21:54:49 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-03-17 21:54:42 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2009-12-22 05:21:05 667136 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:20:58 81920 ----a-w- c:\windows\system32\ieencode.dll

============= FINISH: 18:50:26.53 ===============

Attached Files
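The log above is the kind of thing a malware-response volunteer reads by eye: the "Created Last 30" section shows, besides the Norton install on 2010-03-17, a group of short-named .sys/.dll/.dat files written straight into system32 within about 25 seconds on 2010-03-15 with no installer directory created anywhere near that time, and the Hosts section shows a security site mapped to 127.0.0.1. As an added example (not part of this thread, and not code from DDS, GMER or ComboFix), here is a small triage script that pulls those two patterns out of a DDS log automatically. The sample lines are copied from the posted log; the 60-second cluster window, the 5-minute "installer nearby" window and the choice of a .sys file as the trigger are assumptions of the example. It only ranks what to look at first; nothing in the thread establishes that the 2010-03-15 files are the Tidserv component, and that decision still belongs to the GMER/ComboFix step the helpers ask for.

```python
"""Triage helper for a DDS log: group loose files dropped into system32 by
creation time and list Hosts entries pointed at loopback.

Added example for this thread; not part of DDS, GMER, ComboFix or Norton.
The 60 s cluster window, the 5 min "installer nearby" window and the use of
a .sys file as the trigger are assumptions of the example, not DDS rules.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: lines copied from the DDS log posted in this thread.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
Hosts: 127.0.0.1 www.spywareinfo.com
=============== Created Last 30 ================
2010-03-17 21:55:06 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys
2010-03-17 21:55:00 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-03-17 21:55:00 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-03-17 21:54:17 0 d-----w- c:\windows\system32\drivers\N360
2010-03-17 21:54:15 0 d-----w- c:\program files\Norton 360
2010-03-15 21:37:05 7680 ----a-w- c:\windows\system32\drivers\nd.sys
2010-03-15 21:36:45 20 ----a-w- c:\windows\system32\crt.dat
2010-03-15 21:36:41 98304 ----a-w- c:\windows\system32\kbvdt.dll
2010-03-15 21:36:41 119 ----a-w- c:\windows\system32\kboem32.dat
2010-03-15 21:36:41 110080 ----a-w- c:\windows\system32\kbddta.dll
2010-03-07 20:04:04 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-03-07 20:04:04 117760 ------w- c:\windows\system32\prntvpt.dll
==================== Find3M ====================
2010-03-17 21:54:49 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
"""

# DDS "Created Last 30" line: timestamp, size, 8-char attribute field, path.
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S{8})\s+(.+)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
LOOSE_DIRS = (r"c:\windows\system32", r"c:\windows\system32\drivers")


def parse_created(log_text):
    """Return (timestamp, size, attrs, lowercased path) tuples from the
    'Created Last 30' section only; the next '====' header ends it."""
    entries, in_section = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if "Created Last 30" in line:
            in_section = True
            continue
        if in_section and line.startswith("===="):
            break
        m = ENTRY_RE.match(line) if in_section else None
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            entries.append((ts, int(m.group(2)), m.group(3), m.group(4).lower()))
    return entries


def is_loose_system_file(path, attrs):
    """A file (not a directory) written directly into system32 or
    system32\\drivers rather than into a vendor subfolder."""
    return not attrs.startswith("d") and path.rsplit("\\", 1)[0] in LOOSE_DIRS


def find_drop_clusters(entries, window=timedelta(seconds=60),
                       installer_window=timedelta(minutes=5)):
    """Group loose system32 files whose creation times fall within `window`
    of the previous one. Clusters containing a kernel driver (.sys) are
    reported with a flag saying whether a Program Files directory was
    created within `installer_window`: a cluster with no such activity is
    the one to look at first; a cluster beside an installer is most likely
    that installer's own drivers (here, the Norton install)."""
    loose = sorted(e for e in entries if is_loose_system_file(e[3], e[2]))
    prog_dirs = [e[0] for e in entries
                 if e[2].startswith("d") and e[3].startswith("c:\\program files\\")]
    clusters, current = [], []
    for e in loose:
        if current and e[0] - current[-1][0] > window:
            clusters.append(current)
            current = []
        current.append(e)
    if current:
        clusters.append(current)
    findings = []
    for c in clusters:
        if not any(e[3].endswith(".sys") for e in c):
            continue
        t0, t1 = c[0][0], c[-1][0]
        nearby = any(t0 - installer_window <= d <= t1 + installer_window
                     for d in prog_dirs)
        findings.append({"start": t0, "files": [e[3] for e in c],
                         "installer_activity_nearby": nearby})
    return findings


def hosts_loopback_entries(log_text):
    """Hostnames the DDS 'Hosts:' lines map to 127.0.0.1 or 0.0.0.0."""
    out = []
    for line in log_text.splitlines():
        m = HOSTS_RE.match(line.strip())
        if m and m.group(1) in ("127.0.0.1", "0.0.0.0"):
            out.append(m.group(2).lower())
    return out


if __name__ == "__main__":
    for f in find_drop_clusters(parse_created(SAMPLE_LOG)):
        tag = "installer nearby" if f["installer_activity_nearby"] else "NO installer activity"
        print(f["start"], tag)
        for p in f["files"]:
            print("   ", p)
    print("hosts -> loopback:", hosts_loopback_entries(SAMPLE_LOG))
```

Run against the sample it reports two driver clusters: the 2010-03-15 group with no installer activity nearby, and the 2010-03-17 Symantec drivers next to the Norton 360 directory, plus the loopback Hosts entry. The "installer nearby" flag is deliberately weak evidence, since a dropper can create a Program Files directory too; it is there to keep a volunteer from chasing the AV vendor's own drivers first.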


#2 Reeyees
  • Topic Starter
  • Members
  • 6 posts

Posted 20 March 2010 - 07:13 PM

Update: After posting this yesterday and shutting down, upon restart today, just after Windows was loading startup programs like MSN and the wireless adapter, I got the BSoD Page Fault in NonPaged Area Stop 0x00000050 (0xE55F5FD8, 0x00000000, 0x806230a1, 0x00000001)

Is this further proof that I've still got Tidserv on my computer?

#3 pwgib
  • Malware Response Team
  • 2,956 posts
  • Gender:Male
  • Location:God's Country

Posted 22 March 2010 - 10:20 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log

PW

#4 Reeyees
  • Topic Starter
  • Members
  • 6 posts

Posted 22 March 2010 - 06:19 PM

Thanks for responding. My situation has not changed. I am still experiencing attacks upon first connecting to the internet (at start-up) and with every Google query or other search engine. Also, every so often a new tab will open to some ad page of its own accord, but not nearly as frequently as the Tidserv attacks. No more BSoD yet, though I have been shutting the computer down at night instead of leaving it on. The DDS log has barely changed. Given this I think the GMER log will also be very similar, but that log took a LONG time to run. If you really need that one again I can do that, but for now here is the new DDS log.


DDS (Ver_10-03-17.01) - NTFSx86
Run by user at 19:09:48.92 on Tue 03/23/2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.485.53 [GMT -4:00]

AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\j2re1.4.2_13\bin\jusched.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Divx Player\DivxPlayer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\ZyXEL G-220v3 Wireless USB Adapter Utility\ZyXEL G-220v3.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\user\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uWindow Title = Microsoft Internet Explorer
uSearch Bar = hxxp://start.earthlink.net/AL/Search
mDefault_Page_URL = hxxp://my.att.net
mSearchAssistant = hxxp://start.earthlink.net/AL/Search
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: ElnkPubBHO Class: {512acf1b-64d9-4928-b382-a80556f28db4} - c:\program files\earthlink\toolbar\ElnkPub.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll
BHO: Accelerator Plugin: {656ec4b7-072b-4698-b504-2a414c1f0037} - c:\progra~1\earthl~2\PRPL_I~1.DLL
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\3.8.0.41\IPSBHO.DLL
BHO: ElnkProtectionBHO Class: {9579d574-d4d8-4335-9560-fe8641a013bd} - c:\program files\earthlink\toolbar\ProtctIE.dll
BHO: ElnkLegacyUninstBHO Class: {e713904c-df05-4c79-bbad-02db923253be} - c:\program files\earthlink\toolbar\uninsttb.dll
TB: EarthLink Toolbar: {c7768536-96f8-4001-b1a2-90ee21279187} - c:\program files\earthlink\toolbar\Toolbar.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll
uRun: [Divx Player] "c:\program files\divx player\DivxPlayer.exe" hmw
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
mRun: [PRONoMgrWired] c:\program files\intel\prosetwired\ncs\proset\PRONoMgr.exe
mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
mRun: [Mixersel] c:\program files\realtek\installshield\mixersel.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\j2re1.4.2_13\bin\jusched.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\zyxelg~1.lnk - c:\program files\zyxel g-220v3 wireless usb adapter utility\ZyXEL G-220v3.exe
IE: EarthLink Google Search - c:\program files\earthlink\toolbar\SearchUI.dll/search.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} - hxxp://www.srtest.com/srl_bin/sysreqlab_ind.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\3.8.0.41\CoIEPlg.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\008wffwf.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\java\j2re1.4.2_13\bin\NPJava11.dll
FF - plugin: c:\program files\java\j2re1.4.2_13\bin\NPJava12.dll
FF - plugin: c:\program files\java\j2re1.4.2_13\bin\NPJava13.dll
FF - plugin: c:\program files\java\j2re1.4.2_13\bin\NPJava14.dll
FF - plugin: c:\program files\java\j2re1.4.2_13\bin\NPJava32.dll
FF - plugin: c:\program files\java\j2re1.4.2_13\bin\NPJPI142_13.dll
FF - plugin: c:\program files\java\j2re1.4.2_13\bin\NPOJI610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308000.029\SymEFA.sys [2010-3-18 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0308000.029\BHDrvx86.sys [2010-3-18 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0308000.029\cchpx86.sys [2010-3-18 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100312.001\IDSXpx86.sys [2010-3-17 329592]
R2 N360;Norton 360;c:\program files\norton 360\engine\3.8.0.41\ccSvcHst.exe [2010-3-18 117640]
R2 ZDCNDIS5;ZDCNDIS5 NDIS5.1 Protocol Driver;c:\windows\system32\ZDCndis5.sys [2010-2-7 20736]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-3-16 102448]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100321.020\NAVENG.SYS [2010-3-22 84912]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100321.020\NAVEX15.SYS [2010-3-22 1324720]
R3 ZG760_XP;ZyXEL 802.11g XG762 1211 Driver;c:\windows\system32\drivers\WlanGZXP.SYS [2010-2-7 735232]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\drivers\BRGSp50.sys [2010-2-7 20608]

=============== Created Last 30 ================

2010-03-17 21:55:06 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys
2010-03-17 21:55:00 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-03-17 21:55:00 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-03-17 21:55:00 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-03-17 21:55:00 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-03-17 21:55:00 0 d-----w- c:\program files\Symantec
2010-03-17 21:55:00 0 d-----w- c:\program files\common files\Symantec Shared
2010-03-17 21:54:17 0 d-----w- c:\windows\system32\drivers\N360
2010-03-17 21:54:15 0 d-----w- c:\program files\Norton 360
2010-03-17 21:52:42 0 d-----w- c:\program files\NortonInstaller
2010-03-15 21:37:05 7680 ----a-w- c:\windows\system32\drivers\nd.sys
2010-03-15 21:36:45 20 ----a-w- c:\windows\system32\crt.dat
2010-03-15 21:36:41 98304 ----a-w- c:\windows\system32\kbvdt.dll
2010-03-15 21:36:41 119 ----a-w- c:\windows\system32\kboem32.dat
2010-03-15 21:36:41 110080 ----a-w- c:\windows\system32\kbddta.dll
2010-03-12 05:38:14 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-12 00:22:45 0 d-----w- c:\program files\Windows Media Connect 2
2010-03-12 00:20:40 0 d-----w- c:\windows\system32\LogFiles
2010-03-11 22:50:48 0 d-----w- c:\program files\Combined Community Codec Pack
2010-03-08 00:43:24 1089593 -c----w- c:\windows\system32\dllcache\ntprint.cat
2010-03-07 20:05:33 0 d-----w- c:\windows\system32\XPSViewer
2010-03-07 20:04:04 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-03-07 20:04:04 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-03-07 20:04:04 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-03-07 20:04:04 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-03-07 20:04:04 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-03-07 20:04:04 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-03-07 20:04:04 117760 ------w- c:\windows\system32\prntvpt.dll
2010-03-07 20:04:04 0 d-----w- C:\8e5a334cfd8aa27d3f706faf329412
2010-03-04 03:22:20 0 d-----w- c:\program files\ZyX
2010-03-04 01:25:05 0 d-----w- c:\program files\AnyToISO
2010-03-03 22:20:15 4178264 ----a-w- c:\windows\system\D3DX9_41.dll
2010-03-03 21:18:11 0 d-----w- c:\program files\Gratuitous Space Battles

==================== Find3M ====================

2010-03-17 21:54:49 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-03-17 21:54:42 107368 ----a-r- c:\windows\system32\GEARAspi.dll

============= FINISH: 19:12:11.60 ===============



#5 pwgib
  • Malware Response Team
  • 2,956 posts
  • Gender:Male
  • Location:God's Country

Posted 23 March 2010 - 08:27 AM

Hello Reeyees

I will be handling your log to help you get cleaned up. I apologize for the delay but the forum is very busy.

As you can see the logs we ask for are very extensive and take a lot of time to investigate. In addition, since I am still in training all of my responses have to be reviewed by our excellent expert staff so there may be a delay in response time. The advantage is that your log will be evaluated by two sets of eyes and two brains.

If you haven't already, you can keep the link to this topic in your Favorites. Alternatively, you can click the Options button at the top bar of this topic and Track this Topic, where you can choose email notifications.

Please make sure Word Wrap in Notepad is turned off. When copying and pasting logs, paste them directly in the reply box; only attach logs if asked to. Do not wrap logs in codebox or code tags. It makes it very difficult to read and analyze them. Please paste them directly into the reply box.
Please do not make any changes to your system until we are through. Fixes are based upon information that is current from your system so any changes can affect our strategy. Please refrain from running any tools we may use without specific instructions.

If your operating system is Windows Vista or Windows 7, it may be necessary to right-click and choose Run as Administrator for any programs we use.

Before we begin please check and follow the instructions on How to Show Hidden Files and Folders in Windows Vista and Windows XP and How to show hidden files in Windows 7

Because the e-mail notification system is not completely reliable, please check your topic once a day for responses.

Again, keep in mind that it may take a couple of days or more before I can reply but once we get started the process should speed up.

Thank you for your patience!!
PW

#6 pwgib
  • Malware Response Team
  • 2,956 posts
  • Gender:Male
  • Location:God's Country

Posted 24 March 2010 - 03:28 PM

Hello Reeyees,

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall


We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If you decide to proceed with cleaning your machine please do the following.

We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  1. Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  2. If prompted with a legal dialog, accept the warning.
  3. Click and then on "Advanced Mode"
  4. You may be presented with a warning dialog. If so, press
  5. Click on
  6. Click on
  7. Uncheck this checkbox:
  8. Close/Exit Spybot Search and Destroy
Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. <----Important
    Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

In your next reply please let me know if you wish to continue the cleaning process and post the following:

C:\ComboFix.txt.

NOTE: Please turn WordWrap off in Notepad. <---Important
  • Open Notepad | Format
  • Click WordWrap to remove the checkmark
Thanks!!
PW

#7 Reeyees (Topic Starter)

Posted 25 March 2010 - 09:06 PM

ComboFix 10-03-25.04 - user 03/26/2010 21:36:49.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.485.129 [GMT -4:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\crt.dat
c:\windows\system32\drivers\nd.sys
c:\windows\system32\kbddta.dll
c:\windows\system32\kboem32.dat
c:\windows\system32\kbvdt.dll

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2010-02-27 to 2010-03-27 )))))))))))))))))))))))))))))))
.

2010-03-20 22:24 . 2010-03-20 22:24 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-03-17 21:55 . 2010-03-17 21:54 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys
2010-03-17 21:55 . 2010-03-17 22:19 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-03-17 21:55 . 2010-03-17 21:55 -------- d-----w- c:\program files\Symantec
2010-03-17 21:55 . 2010-03-17 21:55 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-03-17 21:55 . 2010-03-17 21:55 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-03-17 21:54 . 2010-03-18 05:18 -------- d-----w- c:\windows\system32\drivers\N360
2010-03-17 21:54 . 2010-03-17 21:54 -------- d-----w- c:\program files\Norton 360
2010-03-17 21:54 . 2010-03-17 21:54 -------- d-----w- c:\program files\Windows Sidebar
2010-03-17 21:52 . 2010-03-17 21:52 -------- d-----w- c:\program files\NortonInstaller
2010-03-12 05:38 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-12 00:22 . 2010-03-12 00:22 -------- d-----w- c:\program files\Windows Media Connect 2
2010-03-12 00:20 . 2010-03-12 00:21 -------- d-----w- c:\windows\system32\drivers\UMDF
2010-03-12 00:20 . 2010-03-12 00:20 -------- d-----w- c:\windows\system32\LogFiles
2010-03-11 22:51 . 2010-03-11 22:51 -------- d-----w- c:\documents and settings\user\Application Data\Media Player Classic
2010-03-11 22:50 . 2010-03-11 22:50 -------- d-----w- c:\program files\Combined Community Codec Pack
2010-03-07 20:05 . 2010-03-07 20:05 -------- d-----w- c:\windows\system32\XPSViewer
2010-03-07 20:05 . 2010-03-07 20:05 -------- d-----w- c:\program files\MSBuild
2010-03-07 20:05 . 2010-03-07 20:05 -------- d-----w- c:\program files\Reference Assemblies
2010-03-07 20:04 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-03-07 20:04 . 2010-03-07 20:04 -------- d-----w- C:\8e5a334cfd8aa27d3f706faf329412
2010-03-07 20:04 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-03-07 20:04 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-03-07 20:04 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-03-07 20:04 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-03-07 20:04 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-03-07 20:04 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-03-07 20:04 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-03-07 20:04 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-03-04 03:22 . 2010-03-04 03:22 -------- d-----w- c:\program files\ZyX
2010-03-04 01:25 . 2010-03-04 01:25 -------- d-----w- c:\program files\AnyToISO
2010-03-03 22:20 . 2009-05-20 20:23 4178264 ----a-w- c:\windows\system\D3DX9_41.dll
2010-03-03 21:18 . 2010-03-03 21:18 -------- d-----w- c:\program files\Gratuitous Space Battles

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-18 23:21 . 2009-05-18 04:46 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-17 21:55 . 2010-03-17 21:55 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-03-17 21:55 . 2010-03-17 21:55 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-03-17 21:54 . 2010-02-06 15:08 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-03-17 21:54 . 2010-02-06 15:08 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2010-03-17 21:54 . 2009-02-05 02:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-03-17 21:53 . 2009-02-05 02:21 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-03-13 01:55 . 2008-12-24 20:13 22368 ----a-w- c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-04 14:09 . 2010-02-07 16:31 -------- d-----w- c:\program files\ZyXEL G-220v3 Wireless USB Adapter Utility
2010-02-07 16:31 . 2008-07-30 22:37 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-07 16:30 . 2010-02-07 16:30 -------- d-----w- c:\documents and settings\user\Application Data\InstallShield
2010-02-06 15:02 . 2010-02-06 15:02 -------- d-----w- c:\documents and settings\All Users\Application Data\PCSettings
2009-12-31 16:50 . 2004-08-04 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Divx Player"="c:\program files\Divx Player\DivxPlayer.exe" [2007-08-31 629760]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-09-04 6856704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRONoMgrWired"="c:\program files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2004-03-02 86016]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-13 61952]
"Mixersel"="c:\program files\Realtek\InstallShield\mixersel.exe" [2003-11-11 369664]
"SoundMan"="SOUNDMAN.EXE" [2004-10-22 77824]
"AlcWzrd"="ALCWZRD.EXE" [2004-10-22 2744832]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_13\bin\jusched.exe" [2006-10-18 32881]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
ZyXEL G-220v3 Wireless USB Adapter Utility.lnk - c:\program files\ZyXEL G-220v3 Wireless USB Adapter Utility\ZyXEL G-220v3.exe [2010-2-7 10792960]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\ZyXEL G-220v3 Wireless USB Adapter Utility\\ZyXEL G-220v3.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SymEFA.sys [3/18/2010 12:11 AM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0308000.029\BHDrvx86.sys [3/18/2010 12:11 AM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0308000.029\cchpx86.sys [3/18/2010 12:11 AM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100317.002\IDSXpx86.sys [3/24/2010 6:20 PM 329592]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe [3/18/2010 12:11 AM 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [3/16/2010 2:48 AM 102448]
R3 ZG760_XP;ZyXEL 802.11g XG762 1211 Driver;c:\windows\system32\drivers\WlanGZXP.SYS [2/7/2010 12:31 PM 735232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: EarthLink Google Search - c:\program files\EarthLink\Toolbar\SearchUI.dll/search.html
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\008wffwf.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Java\j2re1.4.2_13\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_13\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2_13\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_13\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_13\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2_13\bin\NPJPI142_13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_13\bin\NPOJI610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-26 21:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-746137067-842925246-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4CF4FE1F-DF44-D3FC-7D83-6C562EBE46A2}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4580)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\SOUNDMAN.EXE
c:\windows\ALCWZRD.EXE
c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
.
**************************************************************************
.
Completion time: 2010-03-26 21:57:01 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-27 01:56

Pre-Run: 109,894,381,568 bytes free
Post-Run: 109,984,194,560 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptOut

- - End Of File - - 2F867F1068FC3769D3D12925DDF77A36
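
The log above reports that an infected copy of atapi.sys was found and a clean copy restored. Tidserv/TDL3 works by patching a legitimate driver on disk rather than adding a new one, so the check a responder wants after a repair like this is an integrity comparison of the live driver against a reference. The script below is an added example for this thread, not part of ComboFix, GMER or Norton; it compares system32\drivers\<name> with the Windows File Protection cache copy in system32\dllcache and with a known-good hash table. The directory layout, the sample driver bytes and the known-good table are constructed here (the hashes are not real Microsoft values) so the check runs offline on any OS.

```python
"""Integrity check for a Windows system driver against its Windows File
Protection cache copy (system32\\dllcache) and a known-good hash table.
Added example for this thread, not ComboFix's, GMER's or Norton's code.
The directory layout mirrors XP's system32; the sample driver bytes and the
known-good table are constructed here so the check runs offline anywhere."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large drivers are not read at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_driver(system32: Path, name: str, known_good: dict) -> dict:
    """Compare system32\\drivers\\<name> with system32\\dllcache\\<name> and with
    known_good (lower-case file name -> SHA-256 hex).  Read-only; it never
    repairs anything.  Verdicts:
      clean       hash equals the trusted reference
      tampered    hash differs from the trusted reference
      suspect     no reference, but the live driver differs from dllcache
      unverified  no reference and nothing contradicts the live copy
      missing     driver file absent"""
    live = system32 / "drivers" / name
    cache = system32 / "dllcache" / name
    result = {"driver": name, "live_sha256": None, "cache_sha256": None,
              "matches_cache": None, "matches_known_good": None,
              "verdict": "missing"}
    if not live.is_file():
        return result
    result["live_sha256"] = sha256_of(live)
    if cache.is_file():
        result["cache_sha256"] = sha256_of(cache)
        result["matches_cache"] = result["live_sha256"] == result["cache_sha256"]
    reference = known_good.get(name.lower())
    if reference is not None:
        result["matches_known_good"] = result["live_sha256"] == reference.lower()

    if result["matches_known_good"] is True:
        result["verdict"] = "clean"
    elif result["matches_known_good"] is False:
        result["verdict"] = "tampered"
    elif result["matches_cache"] is False:
        result["verdict"] = "suspect"
    else:
        result["verdict"] = "unverified"
    return result


def demo() -> tuple:
    """Constructed scenario: a fake system32 tree in a temp directory.  Check a
    clean driver, then patch the live copy the way an on-disk infector does
    (dllcache left alone) and check again, with and without a reference."""
    with tempfile.TemporaryDirectory() as tmp:
        system32 = Path(tmp) / "system32"
        (system32 / "drivers").mkdir(parents=True)
        (system32 / "dllcache").mkdir()
        # Constructed stand-in for a driver image; not a real atapi.sys.
        clean = b"MZ" + b"\x00" * 62 + b"constructed atapi.sys body" * 8
        (system32 / "drivers" / "atapi.sys").write_bytes(clean)
        (system32 / "dllcache" / "atapi.sys").write_bytes(clean)
        known_good = {"atapi.sys": hashlib.sha256(clean).hexdigest()}

        before = check_driver(system32, "atapi.sys", known_good)
        # Infect: overwrite a few bytes near the end, keeping the size identical,
        # which is why size and timestamp checks alone do not catch this.
        patched = clean[:-8] + b"INFECTED"
        (system32 / "drivers" / "atapi.sys").write_bytes(patched)
        after = check_driver(system32, "atapi.sys", known_good)
        no_reference = check_driver(system32, "atapi.sys", {})
        return before["verdict"], after["verdict"], no_reference["verdict"]


if __name__ == "__main__":
    print(demo())  # ('clean', 'tampered', 'suspect')
```

Two caveats a practitioner would apply. First, run the check from outside the suspect OS (the Recovery Console that ComboFix installed, a live CD, or the disk attached to a clean machine): a TDL3-class rootkit intercepts disk reads of the file it infected and hands back the original contents, so a hash taken on the running infected system can come back clean. Second, the dllcache copy is only a second opinion, not a trust root; an infector that patches both copies leaves them matching, which is why the table of hashes from a trusted build of the same file version decides the verdict.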


#8 pwgib (Malware Response Team)

Posted 27 March 2010 - 05:14 PM

Hello Reeyees,

Sorry for the delay. I missed the email notification on your response.

Do you know what this program is?
c:\program files\ZyX

Step 1.

Update programs

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 18.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u18-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Your Adobe Reader is out of date. Please go here to update.

http://get.adobe.com/reader/

Step 2.

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Step 3.

We need to run a Combofix Script

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. <<----Important
3. Open notepad and copy/paste the text in the codebox below into it:

CODE
RegNull::
[HKEY_USERS\S-1-5-21-746137067-842925246-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4CF4FE1F-DF44-D3FC-7D83-6C562EBE46A2}*]


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

If Combofix prompts you to update the program please allow it to do so.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


How is your computer running? Any significant problems?

In your next reply please include the following.

Information about program
MBAM report
Combofix.txt


Thanks!!
PW
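
Before writing a CFScript like the one in Step 3, a responder reads the ComboFix log for three things: what was deleted or disinfected, which autostart entries deserve a second look, and which locked keys to null. The parser below is an added example for this thread, not ComboFix's own tooling; the section names and line formats follow the log posted in #7, while the triage rules, verdict wording and the generated RegNull stanza are this example's own assumptions. SAMPLE_LOG is a constructed excerpt of that log with one synthetic Run entry ("Updater") added to exercise the drive-root rule.

```python
"""Triage parser for ComboFix-style logs.  Added example for this thread; it is
not ComboFix's own tooling.  Section names and line formats follow the log
posted earlier in the thread; the rules, verdict strings and CFScript output
are this example's own assumptions.  SAMPLE_LOG is a constructed excerpt of
that log with one synthetic Run entry ("Updater") added to exercise a rule."""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\crt.dat
c:\windows\system32\drivers\nd.sys

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-13 61952]
"SoundMan"="SOUNDMAN.EXE" [2004-10-22 77824]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"Updater"="c:\win32upd.exe" [2010-03-20 40960]
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-746137067-842925246-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4CF4FE1F-DF44-D3FC-7D83-6C562EBE46A2}*]
@Allowed: (Read) (RestrictedCode)
.
"""

PAREN_HDR = re.compile(r"^\(+\s*(.+?)\s*\)+$")      # ((( Section )))
DASH_HDR = re.compile(r"^-{3,}\s+(.+?)\s+-{3,}$")   # --- SECTION ---
RUN_ENTRY = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
REG_KEY = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
DISINFECTED = re.compile(r"^Infected copy of (.+?) was found and disinfected$")
DRIVE_ROOT = re.compile(r"^[a-z]:\\[^\\]+$")
PROFILE_DIRS = ("\\temp\\", "\\local settings\\", "\\application data\\")


def split_sections(text: str) -> dict:
    """Map each section title to its non-empty lines ('.' spacer lines dropped)."""
    sections = defaultdict(list)
    current = "preamble"
    for line in text.splitlines():
        hdr = PAREN_HDR.match(line) or DASH_HDR.match(line)
        if hdr:
            current = hdr.group(1)
            continue
        if line.strip() not in ("", "."):
            sections[current].append(line)
    return sections


def classify_autostart(path: str) -> str:
    """Cheap rules for a Run-key target; 'ok' means nothing obviously odd."""
    p = path.strip().lower()
    if not p:
        return "empty target"
    if "\\" not in p:
        return "bare file name: resolved via the search path, locate the real file"
    if DRIVE_ROOT.match(p):
        return "drive root: unusual location for a legitimate autostart"
    if any(d in p for d in PROFILE_DIRS):
        return "temp or profile directory: uncommon for system software"
    return "ok"


def triage(text: str) -> dict:
    """Return deletions, disinfected files, flagged autostarts, locked keys and
    a RegNull:: CFScript stanza for the locked keys (same shape as Step 3)."""
    sections = split_sections(text)
    report = {"deleted": [], "disinfected": [], "autostart_flags": [],
              "locked_keys": [], "cfscript": ""}
    for line in sections.get("Other Deletions", []):
        m = DISINFECTED.match(line)
        if m:
            report["disinfected"].append(m.group(1))
        elif re.match(r"^[a-z]:\\", line, re.IGNORECASE):
            report["deleted"].append(line)
    for line in sections.get("Reg Loading Points", []):
        m = RUN_ENTRY.match(line)
        if m:
            why = classify_autostart(m.group("path"))
            if why != "ok":
                report["autostart_flags"].append((m.group("name"), m.group("path"), why))
    for line in sections.get("LOCKED REGISTRY KEYS", []):
        m = REG_KEY.match(line)
        if m:
            report["locked_keys"].append(m.group("key"))
    if report["locked_keys"]:
        report["cfscript"] = "RegNull::\n" + "".join(f"[{k}]\n" for k in report["locked_keys"])
    return report


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    for name, path, why in r["autostart_flags"]:
        print(f"{name}: {path} -> {why}")
    print(r["cfscript"])
```

The bare-name rule flags the two Realtek entries in the posted log; they are legitimate on this machine, which is the point of the rule: a bare name is resolved through the search path at logon, so the responder confirms where the file actually lives rather than trusting the name. The generated stanza is meant to be pasted into CFScript.txt only after the key has been looked at, exactly as the helper did by hand in Step 3.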

#9 Reeyees (Topic Starter)

Posted 28 March 2010 - 09:17 PM

The program in question is a game folder, I don't believe it poses any risk. I really don't need that Java program, it was for only one website that i no longer use. And I prefer the older and smaller adobe reader as it suits my needs. Since running ComboFix the first time, I have not been getting reports of blocked attacks, which is good (seeing as how even though they were supposedly blocked, I would get those pop-up tabs that displayed content based on my Google queries)

Incidentally, Norton now detects the remnants of Backdoor.Tidserv in C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir saying it requires manual removal. Other than that, no other problems and symptoms are now present.

Malwarebytes' Anti-Malware 1.44
Database version: 3925
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

3/29/2010 8:54:05 PM
mbam-log-2010-03-29 (20-54-05).txt

Scan type: Quick Scan
Objects scanned: 115695
Time elapsed: 7 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\win32upd.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.


Combo Fix updated, ran again, and found something else. Here is the log followed by the ComboFix.txt

ComboFix 10-03-28.01 - user 03/29/2010 21:12:59.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.485.241 [GMT -4:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\user\Desktop\CFScript.txt
AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\TEMP\logishrd\LVPrcInj01.dll

.
((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-30 )))))))))))))))))))))))))))))))
.

2010-03-30 00:40 . 2010-03-30 00:40 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2010-03-30 00:39 . 2010-01-07 20:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 00:39 . 2010-03-30 00:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-30 00:39 . 2010-01-07 20:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-30 00:39 . 2010-03-30 00:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-20 22:24 . 2010-03-20 22:24 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-03-17 21:55 . 2010-03-17 21:54 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys
2010-03-17 21:55 . 2010-03-17 22:19 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-03-17 21:55 . 2010-03-17 21:55 -------- d-----w- c:\program files\Symantec
2010-03-17 21:55 . 2010-03-17 21:55 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-03-17 21:55 . 2010-03-17 21:55 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-03-17 21:54 . 2010-03-18 05:18 -------- d-----w- c:\windows\system32\drivers\N360
2010-03-17 21:54 . 2010-03-17 21:54 -------- d-----w- c:\program files\Norton 360
2010-03-17 21:54 . 2010-03-17 21:54 -------- d-----w- c:\program files\Windows Sidebar
2010-03-17 21:52 . 2010-03-17 21:52 -------- d-----w- c:\program files\NortonInstaller
2010-03-12 05:38 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-12 00:22 . 2010-03-12 00:22 -------- d-----w- c:\program files\Windows Media Connect 2
2010-03-12 00:20 . 2010-03-12 00:21 -------- d-----w- c:\windows\system32\drivers\UMDF
2010-03-12 00:20 . 2010-03-12 00:20 -------- d-----w- c:\windows\system32\LogFiles
2010-03-11 22:51 . 2010-03-11 22:51 -------- d-----w- c:\documents and settings\user\Application Data\Media Player Classic
2010-03-11 22:50 . 2010-03-11 22:50 -------- d-----w- c:\program files\Combined Community Codec Pack
2010-03-07 20:05 . 2010-03-07 20:05 -------- d-----w- c:\windows\system32\XPSViewer
2010-03-07 20:05 . 2010-03-07 20:05 -------- d-----w- c:\program files\MSBuild
2010-03-07 20:05 . 2010-03-07 20:05 -------- d-----w- c:\program files\Reference Assemblies
2010-03-07 20:04 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-03-07 20:04 . 2010-03-07 20:04 -------- d-----w- C:\8e5a334cfd8aa27d3f706faf329412
2010-03-07 20:04 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-03-07 20:04 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-03-07 20:04 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-03-07 20:04 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-03-07 20:04 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-03-07 20:04 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-03-07 20:04 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-03-07 20:04 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-03-04 03:22 . 2010-03-04 03:22 -------- d-----w- c:\program files\ZyX
2010-03-04 01:25 . 2010-03-04 01:25 -------- d-----w- c:\program files\AnyToISO
2010-03-03 22:20 . 2009-05-20 20:23 4178264 ----a-w- c:\windows\system\D3DX9_41.dll
2010-03-03 21:18 . 2010-03-03 21:18 -------- d-----w- c:\program files\Gratuitous Space Battles

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-30 00:41 . 2010-03-30 00:41 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-18 23:21 . 2009-05-18 04:46 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-17 21:55 . 2010-03-17 21:55 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-03-17 21:55 . 2010-03-17 21:55 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-03-17 21:54 . 2010-02-06 15:08 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-03-17 21:54 . 2010-03-17 21:54 1291104 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\SyKnAppS.dll
2010-03-17 21:54 . 2010-03-17 21:54 136840 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\patch25.dll
2010-03-17 21:54 . 2010-02-06 15:08 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2010-03-17 21:54 . 2010-03-17 21:54 771440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\CLT\cltLMSx.dll
2010-03-17 21:54 . 2009-02-05 02:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-03-17 21:53 . 2009-02-05 02:21 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-03-16 06:48 . 2010-03-29 23:20 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100328.020\NAVENG.SYS
2010-03-16 06:48 . 2010-03-29 23:20 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100328.020\EECTRL.SYS
2010-03-16 06:48 . 2010-03-29 23:20 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100328.020\CCERASER.DLL
2010-03-16 06:48 . 2010-03-29 23:20 259440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100328.020\ECMSVR32.DLL
2010-03-16 06:48 . 2010-03-29 23:20 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100328.020\NAVENG32.DLL
2010-03-16 06:48 . 2010-03-29 23:20 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100328.020\NAVEX32A.DLL
2010-03-16 06:48 . 2010-03-29 23:20 1324720 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100328.020\NAVEX15.SYS
2010-03-16 06:48 . 2010-03-29 23:20 102448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100328.020\ERASER.SYS
2010-03-13 01:55 . 2008-12-24 20:13 22368 ----a-w- c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-04 14:09 . 2010-02-07 16:31 -------- d-----w- c:\program files\ZyXEL G-220v3 Wireless USB Adapter Utility
2010-02-12 21:41 . 2010-03-30 01:21 558448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
2010-02-07 16:31 . 2008-07-30 22:37 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-07 16:30 . 2010-02-07 16:30 -------- d-----w- c:\documents and settings\user\Application Data\InstallShield
2010-02-06 15:02 . 2010-02-06 15:02 -------- d-----w- c:\documents and settings\All Users\Application Data\PCSettings
2010-02-01 23:20 . 2010-03-30 01:21 165240 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
2009-12-31 16:50 . 2004-08-04 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-03-27_01.47.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-10 23:33 . 2010-03-28 21:29 2248192 c:\windows\Installer\425267.msi
- 2008-12-10 23:33 . 2010-03-25 04:05 2248192 c:\windows\Installer\425267.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Divx Player"="c:\program files\Divx Player\DivxPlayer.exe" [2007-08-31 629760]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-09-04 6856704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRONoMgrWired"="c:\program files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2004-03-02 86016]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-13 61952]
"Mixersel"="c:\program files\Realtek\InstallShield\mixersel.exe" [2003-11-11 369664]
"SoundMan"="SOUNDMAN.EXE" [2004-10-22 77824]
"AlcWzrd"="ALCWZRD.EXE" [2004-10-22 2744832]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_13\bin\jusched.exe" [2006-10-18 32881]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
ZyXEL G-220v3 Wireless USB Adapter Utility.lnk - c:\program files\ZyXEL G-220v3 Wireless USB Adapter Utility\ZyXEL G-220v3.exe [2010-2-7 10792960]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\ZyXEL G-220v3 Wireless USB Adapter Utility\\ZyXEL G-220v3.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SymEFA.sys [3/18/2010 12:11 AM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0308000.029\BHDrvx86.sys [3/18/2010 12:11 AM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0308000.029\cchpx86.sys [3/18/2010 12:11 AM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100326.001\IDSXpx86.sys [3/27/2010 5:35 PM 329592]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe [3/18/2010 12:11 AM 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [3/16/2010 2:48 AM 102448]
R3 ZG760_XP;ZyXEL 802.11g XG762 1211 Driver;c:\windows\system32\drivers\WlanGZXP.SYS [2/7/2010 12:31 PM 735232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: EarthLink Google Search - c:\program files\EarthLink\Toolbar\SearchUI.dll/search.html
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\008wffwf.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Java\j2re1.4.2_13\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_13\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2_13\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_13\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_13\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2_13\bin\NPJPI142_13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_13\bin\NPOJI610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-29 21:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2092)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\SOUNDMAN.EXE
c:\windows\ALCWZRD.EXE
c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
.
**************************************************************************
.
Completion time: 2010-03-29 21:30:50 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-30 01:30
ComboFix2.txt 2010-03-27 01:57

Pre-Run: 106,256,715,776 bytes free
Post-Run: 106,239,946,752 bytes free

- - End Of File - - 3DC975022790F5DC5A2EE1488BABF132



ComboFix.txt

ComboFix 10-03-28.01 - user 03/29/2010 21:40:07.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.485.160 [GMT -4:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\user\Desktop\CFScript.txt
AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-30 )))))))))))))))))))))))))))))))
.

2010-03-30 01:21 . 2010-02-12 21:41 558448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
2010-03-30 01:21 . 2010-02-01 23:20 165240 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
2010-03-30 00:41 . 2010-03-30 00:41 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-30 00:40 . 2010-03-30 00:40 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2010-03-30 00:39 . 2010-01-07 20:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 00:39 . 2010-03-30 00:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-30 00:39 . 2010-01-07 20:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-30 00:39 . 2010-03-30 00:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-29 23:20 . 2010-03-16 06:48 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100328.020\NAVENG.SYS
2010-03-29 23:20 . 2010-03-16 06:48 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100328.020\EECTRL.SYS
2010-03-29 23:20 . 2010-03-16 06:48 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100328.020\CCERASER.DLL
2010-03-29 23:20 . 2010-03-16 06:48 259440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100328.020\ECMSVR32.DLL
2010-03-29 23:20 . 2010-03-16 06:48 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100328.020\NAVENG32.DLL
2010-03-29 23:20 . 2010-03-16 06:48 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100328.020\NAVEX32A.DLL
2010-03-29 23:20 . 2010-03-16 06:48 1324720 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100328.020\NAVEX15.SYS
2010-03-29 23:20 . 2010-03-16 06:48 102448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100328.020\ERASER.SYS
2010-03-27 21:35 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100326.001\IDSvix86.sys
2010-03-27 21:35 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100326.001\Scxpx86.dll
2010-03-27 21:35 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100326.001\IDSxpx86.dll
2010-03-27 21:35 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100326.001\IDSviA64.sys
2010-03-27 21:35 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100326.001\IDSXpx86.sys
2010-03-24 22:20 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100317.002\IDSvix86.sys
2010-03-24 22:20 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100317.002\IDSXpx86.sys
2010-03-24 22:20 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100317.002\Scxpx86.dll
2010-03-24 22:20 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100317.002\IDSxpx86.dll
2010-03-24 22:20 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100317.002\IDSviA64.sys
2010-03-20 22:24 . 2010-03-20 22:24 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-03-17 21:55 . 2010-03-17 21:54 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys
2010-03-17 21:55 . 2010-03-17 22:19 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-03-17 21:55 . 2010-03-17 21:55 -------- d-----w- c:\program files\Symantec
2010-03-17 21:55 . 2010-03-17 21:55 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-03-17 21:55 . 2010-03-17 21:55 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-03-17 21:54 . 2010-03-17 21:54 1291104 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\SyKnAppS.dll
2010-03-17 21:54 . 2010-03-17 21:54 136840 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\patch25.dll
2010-03-17 21:54 . 2010-03-17 21:54 771440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\CLT\cltLMSx.dll
2010-03-17 21:54 . 2010-03-18 05:18 -------- d-----w- c:\windows\system32\drivers\N360
2010-03-17 21:54 . 2010-03-17 21:54 -------- d-----w- c:\program files\Norton 360
2010-03-17 21:54 . 2010-03-17 21:54 -------- d-----w- c:\program files\Windows Sidebar
2010-03-17 21:52 . 2010-03-17 21:52 -------- d-----w- c:\program files\NortonInstaller
2010-03-12 05:38 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-12 01:30 . 2008-04-14 00:12 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2010-03-12 00:22 . 2010-03-12 00:22 -------- d-----w- c:\program files\Windows Media Connect 2
2010-03-12 00:20 . 2010-03-12 00:21 -------- d-----w- c:\windows\system32\drivers\UMDF
2010-03-12 00:20 . 2010-03-12 00:20 -------- d-----w- c:\windows\system32\LogFiles
2010-03-11 22:51 . 2010-03-11 22:51 -------- d-----w- c:\documents and settings\user\Application Data\Media Player Classic
2010-03-11 22:50 . 2010-03-11 22:50 -------- d-----w- c:\program files\Combined Community Codec Pack
2010-03-07 20:05 . 2010-03-07 20:05 -------- d-----w- c:\windows\system32\XPSViewer
2010-03-07 20:05 . 2010-03-07 20:05 -------- d-----w- c:\program files\MSBuild
2010-03-07 20:05 . 2010-03-07 20:05 -------- d-----w- c:\program files\Reference Assemblies
2010-03-07 20:04 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-03-07 20:04 . 2010-03-07 20:04 -------- d-----w- C:\8e5a334cfd8aa27d3f706faf329412
2010-03-07 20:04 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-03-07 20:04 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-03-07 20:04 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-03-07 20:04 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-03-07 20:04 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-03-07 20:04 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-03-07 20:04 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-03-07 20:04 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-03-04 03:22 . 2010-03-04 03:22 -------- d-----w- c:\program files\ZyX
2010-03-04 01:25 . 2010-03-04 01:25 -------- d-----w- c:\program files\AnyToISO
2010-03-03 22:20 . 2009-05-20 20:23 4178264 ----a-w- c:\windows\system\D3DX9_41.dll
2010-03-03 21:18 . 2010-03-03 21:18 -------- d-----w- c:\program files\Gratuitous Space Battles

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-18 23:21 . 2009-05-18 04:46 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-17 21:55 . 2010-03-17 21:55 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-03-17 21:55 . 2010-03-17 21:55 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-03-17 21:54 . 2010-02-06 15:08 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-03-17 21:54 . 2010-02-06 15:08 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2010-03-17 21:54 . 2009-02-05 02:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-03-17 21:53 . 2009-02-05 02:21 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-03-13 01:55 . 2008-12-24 20:13 22368 ----a-w- c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-04 14:09 . 2010-02-07 16:31 -------- d-----w- c:\program files\ZyXEL G-220v3 Wireless USB Adapter Utility
2010-02-07 16:31 . 2008-07-30 22:37 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-07 16:30 . 2010-02-07 16:30 -------- d-----w- c:\documents and settings\user\Application Data\InstallShield
2010-02-06 15:02 . 2010-02-06 15:02 -------- d-----w- c:\documents and settings\All Users\Application Data\PCSettings
2009-12-31 16:50 . 2004-08-04 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-03-27_01.47.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-30 01:22 . 2010-03-30 01:22 16384 c:\windows\Temp\Perflib_Perfdata_2d8.dat
+ 2008-12-10 23:33 . 2010-03-28 21:29 2248192 c:\windows\Installer\425267.msi
- 2008-12-10 23:33 . 2010-03-25 04:05 2248192 c:\windows\Installer\425267.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Divx Player"="c:\program files\Divx Player\DivxPlayer.exe" [2007-08-31 629760]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-09-04 6856704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRONoMgrWired"="c:\program files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2004-03-02 86016]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-13 61952]
"Mixersel"="c:\program files\Realtek\InstallShield\mixersel.exe" [2003-11-11 369664]
"SoundMan"="SOUNDMAN.EXE" [2004-10-22 77824]
"AlcWzrd"="ALCWZRD.EXE" [2004-10-22 2744832]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_13\bin\jusched.exe" [2006-10-18 32881]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
ZyXEL G-220v3 Wireless USB Adapter Utility.lnk - c:\program files\ZyXEL G-220v3 Wireless USB Adapter Utility\ZyXEL G-220v3.exe [2010-2-7 10792960]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\ZyXEL G-220v3 Wireless USB Adapter Utility\\ZyXEL G-220v3.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SymEFA.sys [3/18/2010 12:11 AM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0308000.029\BHDrvx86.sys [3/18/2010 12:11 AM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0308000.029\cchpx86.sys [3/18/2010 12:11 AM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100326.001\IDSXpx86.sys [3/27/2010 5:35 PM 329592]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe [3/18/2010 12:11 AM 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [3/16/2010 2:48 AM 102448]
R3 ZG760_XP;ZyXEL 802.11g XG762 1211 Driver;c:\windows\system32\drivers\WlanGZXP.SYS [2/7/2010 12:31 PM 735232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: EarthLink Google Search - c:\program files\EarthLink\Toolbar\SearchUI.dll/search.html
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\008wffwf.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Java\j2re1.4.2_13\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_13\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2_13\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_13\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_13\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2_13\bin\NPJPI142_13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_13\bin\NPOJI610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-29 21:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(5636)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-03-29 21:49:36
ComboFix-quarantined-files.txt 2010-03-30 01:49
ComboFix2.txt 2010-03-30 01:30
ComboFix3.txt 2010-03-27 01:57

Pre-Run: 106,246,193,152 bytes free
Post-Run: 106,234,368,000 bytes free

- - End Of File - - 94851D9753F24178C8ECF4314A00C195
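Added example, not from the thread or from the ComboFix author: the log above is what a helper reads by eye, but the same sections (the "Files Created" listing, the Reg Loading Points Run keys and the firewall policy block) parse cleanly. The script below, with its own names (parse_combofix, triage, FileEntry, AutostartEntry, all assumptions), turns an excerpt of this thread's log into records and raises the checks a reviewer would want: the Windows Firewall standard profile reported off, an autostart that names a bare executable rather than a full path, and new executables or odd directories in user-writable locations. Each finding is a question to verify, not a verdict; the sample excerpt is constructed from lines on this page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: a handful of lines copied from the ComboFix log in this thread.
# A real run would read the whole ComboFix.txt instead of this excerpt.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-30 )))))))))))))))))))))))))))))))
.
2010-03-30 00:41 . 2010-03-30 00:41 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-30 00:39 . 2010-01-07 20:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 00:40 . 2010-03-30 00:40 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2010-03-13 01:55 . 2008-12-24 20:13 22368 ----a-w- c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-07 20:04 . 2010-03-07 20:04 -------- d-----w- C:\8e5a334cfd8aa27d3f706faf329412
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Divx Player"="c:\program files\Divx Player\DivxPlayer.exe" [2007-08-31 629760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-10-22 77824]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

@dataclass
class FileEntry:
    modified: str
    created: str
    size: Optional[int]   # None for directories (ComboFix prints "--------")
    attrs: str
    path: str

@dataclass
class AutostartEntry:
    hive: str
    name: str
    command: str
    stamp: str
    size: int

# ComboFix line shapes as they appear in the log above (hypothetical parser, not ComboFix's own).
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\d+|-{8}) (\S{8}) (.+)$")
KEY_RE = re.compile(r"^\[(HK[^\]]+)\]$")
RUN_RE = re.compile(r'^"([^"]+)"="([^"]+)" \[(\d{4}-\d{2}-\d{2}) (\d+)\]$')
FIREWALL_RE = re.compile(r'^"EnableFirewall"= (\d+)')

def parse_combofix(text: str) -> Tuple[List[FileEntry], List[AutostartEntry], Dict[str, int]]:
    """Extract file entries, Run-key autostarts and firewall profile flags from a ComboFix log."""
    files, autostarts, firewall = [], [], {}
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            size = None if m.group(3).startswith("-") else int(m.group(3))
            files.append(FileEntry(m.group(1), m.group(2), size, m.group(4), m.group(5)))
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)      # remember which registry key the following values belong to
            continue
        m = RUN_RE.match(line)
        if m and current_key and current_key.endswith("\\Run"):
            autostarts.append(AutostartEntry(current_key, m.group(1), m.group(2), m.group(3), int(m.group(4))))
            continue
        m = FIREWALL_RE.match(line)
        if m and current_key:
            firewall[current_key.rsplit("\\", 1)[-1]] = int(m.group(1))   # e.g. {"standardprofile": 0}
    return files, autostarts, firewall

EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")
# XP-era locations a standard user can write to (assumption: adjust per environment).
USER_WRITABLE = ("\\documents and settings\\", "\\windows\\temp\\")

def triage(files: List[FileEntry], autostarts: List[AutostartEntry],
           firewall: Dict[str, int]) -> List[Tuple[str, str]]:
    """Return (category, note) pairs a reviewer should follow up on; none of them is a verdict."""
    findings = []
    if firewall.get("standardprofile") == 0:
        findings.append(("firewall", "Windows Firewall standard profile is off (EnableFirewall=0); expected "
                         "when a third-party firewall like the one in the log header owns the host, otherwise "
                         "find out who turned it off"))
    for a in autostarts:
        if "\\" not in a.command:
            findings.append(("autostart", f"{a.name!r} starts bare name {a.command!r}; resolve it on the "
                             "search path and check which file actually runs"))
        elif any(w in a.command.lower() for w in USER_WRITABLE):
            findings.append(("autostart", f"{a.name!r} starts from a user-writable path: {a.command}"))
    for f in files:
        low = f.path.lower()
        name = low.rsplit("\\", 1)[-1]
        if f.size is not None and name.endswith(EXEC_EXT) and any(w in low for w in USER_WRITABLE):
            findings.append(("file", f"new executable under a user-writable path: {f.path}"))
        elif f.size is None and re.fullmatch(r"[0-9a-f]{24,}", name):
            findings.append(("file", f"directory with a random-looking hex name: {f.path}; confirm which installer left it"))
    return findings

if __name__ == "__main__":
    for category, note in triage(*parse_combofix(SAMPLE_LOG)):
        print(f"[{category}] {note}")
```

On the excerpt above the script flags four items: the firewall profile, the bare "SOUNDMAN.EXE" autostart, the Malwarebytes installer written under All Users\Application Data and the hex-named root directory. All four have benign explanations on this machine (Norton 360's firewall is enabled in the header, and the installer was just downloaded), which is exactly why the output is a checklist for a human rather than a detection.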



#10 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • OFFLINE
  • Gender:Male
  • Location:God's Country
  • Local time:09:43 AM

Posted 29 March 2010 - 06:12 PM

Hello Reeyees,

QUOTE
I really don't need that Java program, it was for only one website that i no longer use
  • Click "start" on the taskbar and then click on the "Control Panel" icon.
  • Please double-click the "Add or Remove Programs" icon
  • A list of programs installed will be "populated" this may take a bit of time.
  • If they exist, uninstall the following by clicking on the following entries and selecting "remove":
Java 2 Runtime Environment, SE v1.4.2_13

QUOTE
And I prefer the older and smaller adobe reader as it suits my needs.

When programs such as Adobe Reader are updated it is often because older versions contain vulnerabilities that can be exploited by malware. In this case your version of Adobe Reader has numerous vulnerabilities, as you can see from the following links.

http://secunia.com/advisories/23483/
http://kb2.adobe.com/cps/321/321644.html
http://www.securityfocus.com/bid/21858
http://www.securityfocus.com/bid/29420

When you do not keep these programs updated you do yourself and the rest of the computing community a disservice. Malware can exploit a vulnerability on your computer, then spread itself to others when you connect to the internet.

An alternative to Adobe Reader is FOXIT READER. If you decide to try Foxit Reader please uninstall Adobe Reader 6.0.

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
Note: If nothing is found there will be no log.

How is your computer running? Any problems?

In your next reply please include the ESET scan results.

Thanks!!
PW

#11 Reeyees

Reeyees
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:10:43 AM

Posted 29 March 2010 - 09:17 PM

ESETScan results:

C:\Documents and Settings\user\My Documents\My eBooks\sag\Uninstall.exe probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\Program Files\Gratuitous Space Battles\Uninstall.exe probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\kbddta.dll.vir Win32/Lukicsel.F trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\kbvdt.dll.vir Win32/Lukicsel.F trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{E7C370F6-F60A-4C59-92E0-358C97BDE7D2}\RP176\A0188781.dll Win32/Lukicsel.F trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{E7C370F6-F60A-4C59-92E0-358C97BDE7D2}\RP176\A0188782.dll Win32/Lukicsel.F trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{E7C370F6-F60A-4C59-92E0-358C97BDE7D2}\RP179\A0189213.exe probably a variant of Win32/Agent trojan cleaned by deleting - quarantined


Did this program really find anything? It's quarantined 2 copies of an uninstall program and some previously quarantined files. Were the last 3 items real trojans? My computer is running fine, no slowdown, no popups, no BSoD, no alerts from Norton for a couple of days now.
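Added example, not posted by either participant: the question above is really about where each ESET hit lives. A result line has three parts (path, detection name, action), and the path alone tells you whether the item was still live on the system, was already sitting in ComboFix's Qoobox quarantine, or was a restore-point copy under System Volume Information. The parser below (names parse_eset, classify_location, summarize and Detection are my own) sorts the seven lines from this reply that way; the only action string it knows is the one that appears on this page, which is an assumption to extend for other ESET wordings.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the seven result lines from the ESET log posted in this thread.
ESET_RESULTS = r"""
C:\Documents and Settings\user\My Documents\My eBooks\sag\Uninstall.exe probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\Program Files\Gratuitous Space Battles\Uninstall.exe probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\kbddta.dll.vir Win32/Lukicsel.F trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\kbvdt.dll.vir Win32/Lukicsel.F trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{E7C370F6-F60A-4C59-92E0-358C97BDE7D2}\RP176\A0188781.dll Win32/Lukicsel.F trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{E7C370F6-F60A-4C59-92E0-358C97BDE7D2}\RP176\A0188782.dll Win32/Lukicsel.F trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{E7C370F6-F60A-4C59-92E0-358C97BDE7D2}\RP179\A0189213.exe probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
"""

# Action wording seen in this log; extend as other ESET phrasings are met (assumption).
KNOWN_ACTIONS = ("cleaned by deleting - quarantined",)

# path (may contain spaces, so matched lazily), detection name, then a known action string
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) "
    r"(?P<threat>(?:probably a variant of )?[A-Za-z0-9]+/[A-Za-z0-9.]+ (?:trojan|virus|worm|adware|application)) "
    r"(?P<action>" + "|".join(re.escape(a) for a in KNOWN_ACTIONS) + r")$"
)

@dataclass
class Detection:
    path: str
    threat: str       # family string exactly as ESET printed it
    action: str
    location: str     # "live", "combofix-quarantine" or "system-restore"
    heuristic: bool   # True when ESET hedged with "probably a variant of"

def classify_location(path: str) -> str:
    """Decide whether a hit was live or already parked by an earlier cleanup step."""
    low = path.lower()
    if "\\qoobox\\quarantine\\" in low:
        return "combofix-quarantine"          # .vir copies ComboFix already moved aside
    if "\\system volume information\\_restore" in low:
        return "system-restore"               # restore-point copies, cleared when points are reset
    return "live"

def parse_eset(text: str) -> List[Detection]:
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue   # blank line, or a wording this parser does not know yet
        out.append(Detection(path=m["path"], threat=m["threat"], action=m["action"],
                             location=classify_location(m["path"]),
                             heuristic=m["threat"].startswith("probably a variant of")))
    return out

def summarize(dets: List[Detection]) -> Dict[str, List[Detection]]:
    """Group detections by location so the live ones stand out from leftovers."""
    by_loc = defaultdict(list)
    for d in dets:
        by_loc[d.location].append(d)
    return dict(by_loc)

if __name__ == "__main__":
    for loc, items in summarize(parse_eset(ESET_RESULTS)).items():
        print(f"{loc}: {len(items)}")
        for d in items:
            print(f"  {'heuristic' if d.heuristic else 'signature'}  {d.threat}  {d.path}")
```

Run on this reply it reports two live hits (both heuristic "probably a variant of" detections on uninstallers), two items in the ComboFix quarantine and three restore-point copies, which is the split the next reply explains in words: the quarantine and restore-point entries disappear with the ComboFix uninstall and restore-point reset, and only the two live heuristic hits were a fresh call by ESET.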

#12 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • OFFLINE
  • Gender:Male
  • Location:God's Country
  • Local time:09:43 AM

Posted 30 March 2010 - 11:22 AM

Hello Reeyees,

QUOTE
Did this program really find anything? It's quarantined 2 copies of an uninstall program and some previously quarantined files. Were the last 3 items real trojans?


Win32/Agent is a generic name for a variety of malware that has certain characteristics and structure that the ESET scanner flagged.
To learn more about trojans and other malware see here and here

From ThreatExpert:
Lukicsel.F trojan - (kbddta.dll)
QUOTE
  • A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
  • A malicious backdoor trojan that runs in the background and allows remote access to the compromised system
  • A potentially unwanted adware program designed to deliver various advertisements to the users' systems


The entries in Qoobox and System Restore will be taken care of when you complete the following cleanup procedures.

The following two procedures need to be done in the order listed. If you can not do so please let me know.

Step 1.

Uninstall ComboFix

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Note the space between the X and the /U.

Note: If prompted allow Combofix to update.

Please advise if this step is missed for any reason as it performs some important functions.

Step 2.

Please open OTL
  • Double click on the icon on your desktop.
  • Click the "Cleanup" checkbox.
  • You will be asked, "Begin Cleanup Process"
  • Select Yes
  • You will be prompted to restart your computer.
You can now uninstall any other programs we have used and delete any logs that remain.

If you wish to reactivate Spybot S&D TeaTimer reverse the process in Post #6. Please do not get into the habit of automatically allowing all changes when the TeaTimer warning appears.

Here are some more steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of them, however by following the rest you will reduce the risk of becoming re-infected.

Keep Windows updated.

Microsoft has released the latest upgrades to the XP OS platform, which can be referenced here
It is critical to stay up to date with the latest upgrades to your Operating System, as this can help prevent future problems.

I see you are using IE6. Internet Explorer 8 is the latest version and includes updates that make surfing the net safer. I strongly recommend you update to IE8.

It is essential that you keep your antivirus program updated and have the latest signatures to provide you with the best possible protection from malicious software. Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

Install Spyware Blaster and update it regularly
If you wish, the commercial version provides automatic updating.

Malwarebytes' Anti-Malware is an excellent anti-spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
SuperAntiSpyware is another good scanner with high detection and removal rates.
Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions. I personally prefer and highly recommend the licensed version of MBAM.

Please read and follow How did I get infected?, With steps so it does not happen again! as well as How to prevent Malware by Miekiemoes

Safe surfing and have a great day!!!

PW

#13 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:03:43 PM

Posted 03 April 2010 - 09:43 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.



