Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HTTP Tidserv Request/HTTPS Tidserv Request 2 Infection


  • This topic is locked This topic is locked
14 replies to this topic

#1 D Speights

D Speights

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Lakewood, CO
  • Local time:12:13 PM

Posted 09 April 2010 - 01:54 PM

First of all, thanks in advance to those willing to help.

A couple of days ago, I was infected with Antimalware Doctor, and XP Antimalware (I think those were the names). I am pretty sure I took care of those. Meanwhile, every time I use Mozilla Firefox, I have a notification from Norton 360 stating that "A recent attempt to attack your computer was blocked." When I look at it in more detail, Norton tells me the risk name is either HTTP Tidserv Request or HTTPS Tidserv Request 2. In addition to the constant attacks, I am redirected when clicking on google links and random tabs open in Firefox to random websites as well.

-If the Risk name is HTTP Tidserv Request the application path is \DEVICE\HARDDISKVOLUME2\PROGRAMFILES\MOZILLAFIREFOX\FIREFOX.EXE
-If the Risk name is HTTPS Tidserv Request 2 the application path is \DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SVCHOST.EXE

In addition to that, Norton 360 has blocked or quarantined the following within the past couple of days:
Spyware.Keylogger
Trojan.Gen
Trojan.FakeAV
AntiVirus2010

Here is the DDS LOG:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 10:45:47.12 on Fri 04/09/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1278.291 [GMT -6:00]

AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Norton 360\Engine\3.8.0.41\MCUI32.EXE
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\3.8.0.41\IPSBHO.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRunOnce: [<NO NAME>]
mExplorerRun: [<NO NAME>] 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1243742562058
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1243742542464
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\3.8.0.41\CoIEPlg.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\xplmqurp.default\
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\documents and settings\owner\application data\facebook\npfbplugin_1_0_1.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308000.029\SymEFA.sys [2010-1-27 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0308000.029\BHDrvx86.sys [2010-1-27 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0308000.029\cchpx86.sys [2010-1-27 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100402.001\IDSXpx86.sys [2010-4-5 329592]
R2 N360;Norton 360;c:\program files\norton 360\engine\3.8.0.41\ccSvcHst.exe [2010-1-27 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-27 102448]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100408.039\NAVENG.SYS [2010-4-9 84912]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100408.039\NAVEX15.SYS [2010-4-9 1324720]
S3 jumi;%Jumi%;c:\windows\system32\drivers\jumi.sys [2009-7-23 6528]

=============== Created Last 30 ================

2010-04-09 16:43:57 0 ----a-w- c:\documents and settings\owner\defogger_reenable
2010-04-09 05:39:43 54016 ----a-w- c:\windows\system32\drivers\ulojyon.sys
2010-04-07 21:45:22 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2010-04-07 21:45:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-07 21:45:04 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-07 21:45:03 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-07 21:45:03 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-07 02:42:56 0 d-----w- c:\docume~1\owner\applic~1\D6E1C258247C7EEFF1502F3AFD6721B4

==================== Find3M ====================

2010-04-08 14:45:01 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll

============= FINISH: 10:47:43.00 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:02:13 PM

Posted 12 April 2010 - 12:59 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Shannon

#3 D Speights

D Speights
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Lakewood, CO
  • Local time:12:13 PM

Posted 15 April 2010 - 10:29 PM

I haven't taken any steps since my last post. Nothing has really changed since then either.

Here are new logs:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 14:52:20.09 on Thu 04/15/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1278.751 [GMT -6:00]

AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\3.8.0.41\IPSBHO.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRunOnce: [<NO NAME>]
mExplorerRun: [<NO NAME>] 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1243742562058
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1243742542464
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\3.8.0.41\CoIEPlg.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\xplmqurp.default\
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\documents and settings\owner\application data\facebook\npfbplugin_1_0_1.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308000.029\SymEFA.sys [2010-1-27 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0308000.029\BHDrvx86.sys [2010-1-27 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0308000.029\cchpx86.sys [2010-1-27 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100409.001\IDSXpx86.sys [2010-4-12 329592]
R2 N360;Norton 360;c:\program files\norton 360\engine\3.8.0.41\ccSvcHst.exe [2010-1-27 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-27 102448]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100414.038\NAVENG.SYS [2010-4-15 84912]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100414.038\NAVEX15.SYS [2010-4-15 1324720]
S3 jumi;%Jumi%;c:\windows\system32\drivers\jumi.sys [2009-7-23 6528]

=============== Created Last 30 ================

2010-04-14 00:26:16 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-14 00:26:15 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-09 16:43:57 0 ----a-w- c:\documents and settings\owner\defogger_reenable
2010-04-07 21:45:22 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2010-04-07 21:45:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-07 21:45:04 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-07 21:45:03 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-07 21:45:03 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-07 02:42:56 0 d-----w- c:\docume~1\owner\applic~1\D6E1C258247C7EEFF1502F3AFD6721B4

==================== Find3M ====================

2010-04-11 17:29:24 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11:07 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 15:10:28 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll

============= FINISH: 14:53:46.15 ===============

Attached Files



#4 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:02:13 PM

Posted 16 April 2010 - 12:46 PM

Hi, D Speights-

Welcome to Bleeping Computer.

My name is Shannon and I will be working with you to remove the malware that is on your machine.

I apologize for the delay in replying to your post, but this forum is extremely busy.

There may be a delay in my response to your posts as I am still currently in training. I will be helping you with supervision of the teachers and they will approve every posts before I present them to you.

Please don't make any further changes or run any other tools unless instructed to. Additional changes may hinder the cleaning of your machine.

Please Track this topic - On the top right on this tread, click on the Option button, and, in the drop-down list, click on 'Track this topic'. Under Subscription Information, click on 'Immediate Email Notification' and then click on the Proceed button at the bottom.

Please give me some time to look over your log. I will post the reply as soon as possible.
Shannon

#5 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:02:13 PM

Posted 16 April 2010 - 08:33 PM

Hi-

Important - The infection identified by Norton is a backdoor trojan. A backdoor trojan can allow hackers to remotely control your computer, steal critical system information and download and execute files. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be to reformat the hard drive and reinstall the operating system. Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall
We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.
If you wish to continue, let's get started on cleaning up your machine.

First, download Combofix from either of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: how-to-use-combofix

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. To disable Norton 360 -
  • Right-click the Norton 360 icon in the system tray and select Open Tasks and Settings Window.
  • On the right side, under Settings, click on Change advanced settings.
  • Next, click on the Virus & Spyware Protection Settings.
  • Uncheck Turn on Auto-Protect and select Apply.
  • You will be asked to select a time for Norton to reactivate.
  • Choose Until I turn it back on.
--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" for further review.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall


Next, let's run GMER from wherever you installed it earlier.
  • Disconnect from the Internet and close all running programs.
  • Your Norton 360 should be disabled for this step as well.
  • Double-click on gmer.exe to start the program.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • On the menu on the right side of the window, uncheck the Devices by clicking on it.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

If you decided to go forward with a cleanup, please copy in to your reply the ComboFix log and the GMER report.

Thanks

Shannon

#6 D Speights

D Speights
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Lakewood, CO
  • Local time:12:13 PM

Posted 18 April 2010 - 10:42 AM

Okay,

Here is the requested logs from ComboFix and GMER...

ComboFix 10-04-15.05 - Owner 04/17/2010 20:33:57.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1278.610 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Application Data\D6E1C258247C7EEFF1502F3AFD6721B4
c:\documents and settings\Owner\Application Data\D6E1C258247C7EEFF1502F3AFD6721B4\enemies-names.txt
c:\windows\system32\AutoRun.inf
E:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-03-18 to 2010-04-18 )))))))))))))))))))))))))))))))
.

2010-04-18 02:24 . 2010-02-03 09:00 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100417.020\NAVENG.SYS
2010-04-18 02:24 . 2010-02-03 09:00 1324720 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100417.020\NAVEX15.SYS
2010-04-18 02:24 . 2009-12-09 09:00 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100417.020\CCERASER.DLL
2010-04-18 02:24 . 2009-12-01 18:35 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100417.020\EECTRL.SYS
2010-04-18 02:24 . 2009-12-01 18:35 259440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100417.020\ECMSVR32.DLL
2010-04-18 02:24 . 2009-12-01 18:35 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100417.020\NAVENG32.DLL
2010-04-18 02:24 . 2009-12-01 18:35 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100417.020\NAVEX32A.DLL
2010-04-18 02:24 . 2009-12-01 18:35 102448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100417.020\ERASER.SYS
2010-04-17 04:50 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100415.001\IDSvix86.sys
2010-04-17 04:50 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100415.001\IDSXpx86.sys
2010-04-17 04:50 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100415.001\Scxpx86.dll
2010-04-17 04:50 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100415.001\IDSxpx86.dll
2010-04-17 04:50 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100415.001\IDSviA64.sys
2010-04-17 04:39 . 2010-02-13 00:41 558448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
2010-04-17 04:39 . 2010-02-02 02:20 165240 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
2010-04-16 00:42 . 2010-02-17 16:11 10752 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xplmqurp.default\extensions\{FFA36170-80B1-4535-B0E3-A4569E497DD0}\platform\WINNT_x86-msvc\components\mgMouseService.dll
2010-04-14 00:26 . 2010-04-14 00:26 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-14 00:26 . 2010-04-18 02:15 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-14 00:25 . 2010-04-14 00:25 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-04-12 21:10 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100409.001\IDSvix86.sys
2010-04-12 21:10 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100409.001\Scxpx86.dll
2010-04-12 21:10 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100409.001\IDSxpx86.dll
2010-04-12 21:10 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100409.001\IDSviA64.sys
2010-04-12 21:10 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100409.001\IDSXpx86.sys
2010-04-09 23:38 . 2010-04-16 00:27 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-08 14:20 . 2010-04-08 14:20 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-04-07 21:45 . 2010-04-07 21:45 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-04-07 21:45 . 2010-03-30 06:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-07 21:45 . 2010-04-07 21:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-07 21:45 . 2010-04-07 21:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-07 21:45 . 2010-03-30 06:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-07 17:00 . 2010-04-07 17:00 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Symantec

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-18 02:14 . 2009-06-01 18:51 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-04-14 21:24 . 2009-09-04 20:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-11 17:29 . 2003-07-16 20:24 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-22 01:04 . 2009-06-01 18:51 -------- d-----w- c:\documents and settings\Owner\Application Data\Thunderbird
2010-03-10 06:15 . 2003-07-16 20:49 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-04 21:02 . 2009-06-02 19:42 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-03-04 21:02 . 2010-03-04 21:02 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-03-04 21:02 . 2010-02-22 18:47 38784 ----a-w- c:\documents and settings\Owner\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-03-04 20:59 . 2010-03-04 20:59 -------- d-----w- c:\documents and settings\Owner\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2010-02-25 06:24 . 2003-07-16 20:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2003-07-16 20:34 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-19 19:32 . 2010-02-19 19:32 50354 ----a-w- c:\documents and settings\Owner\Application Data\Facebook\uninstall.exe
2010-02-19 19:32 . 2010-02-19 19:31 -------- d-----w- c:\documents and settings\Owner\Application Data\Facebook
2010-02-17 15:10 . 2003-07-16 20:39 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2002-08-29 01:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2003-07-16 20:23 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2003-07-16 20:47 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-11 04:00 . 2009-05-31 05:04 69624 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-11 03:02 . 2010-02-11 03:01 29589992 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2008\Update\US62017101eupd.exe
2010-02-01 22:04 . 2010-02-01 22:04 847040 ----a-w- c:\documents and settings\Owner\Application Data\Facebook\axfbootloader.dll
2010-02-01 22:04 . 2010-02-01 22:04 5578752 ----a-w- c:\documents and settings\Owner\Application Data\Facebook\npfbplugin_1_0_1.dll
2009-04-01 04:47 . 2009-06-01 17:26 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-22 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-22 126976]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCS2Service]
2004-10-22 19:42 45056 ----a-w- c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link AirPlus G]
2004-11-19 15:15 1216512 ----a-w- c:\program files\D-Link\AirPlus G\AirGCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SymEFA.sys [1/27/2010 8:16 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0308000.029\BHDrvx86.sys [1/27/2010 8:16 PM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0308000.029\cchpx86.sys [1/27/2010 8:16 PM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100415.001\IDSXpx86.sys [4/16/2010 10:50 PM 329592]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe [1/27/2010 8:15 PM 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/27/2009 10:19 AM 102448]
S3 jumi;%Jumi%;c:\windows\system32\drivers\jumi.sys [7/23/2009 1:07 PM 6528]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xplmqurp.default\
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Facebook\npfbplugin_1_0_1.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-17 20:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x896D0AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf763bf28
\Driver\ACPI -> ACPI.sys @ 0xf75aecb8
\Driver\atapi -> atapi.sys @ 0xf74c6852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(880)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(940)
c:\windows\system32\WININET.dll
.
Completion time: 2010-04-17 20:50:27
ComboFix-quarantined-files.txt 2010-04-18 02:50

Pre-Run: 14,815,588,352 bytes free
Post-Run: 14,944,800,768 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 2FB60C974D68C53B30A355E8BECB5FA9





GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-18 06:28:05
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kwryypoc.sys


---- System - GMER 1.0.15 ----

SSDT 89050060 ZwAlertResumeThread
SSDT 89057060 ZwAlertThread
SSDT 891C2180 ZwAllocateVirtualMemory
SSDT 8909FE10 ZwAssignProcessToJobObject
SSDT 894A3A48 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xA8D6B130]
SSDT 89094E88 ZwCreateMutant
SSDT 89099EB0 ZwCreateSymbolicLinkObject
SSDT 89434100 ZwCreateThread
SSDT 8909FEF0 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xA8D6B3B0]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA8D6B910]
SSDT 891B7DE0 ZwDuplicateObject
SSDT 89598D98 ZwFreeVirtualMemory
SSDT 89089DB0 ZwImpersonateAnonymousToken
SSDT 89146DF0 ZwImpersonateThread
SSDT 8956E938 ZwLoadDriver
SSDT 891B48A0 ZwMapViewOfSection
SSDT 89094DC8 ZwOpenEvent
SSDT 89028200 ZwOpenProcess
SSDT 89434760 ZwOpenProcessToken
SSDT 890AEE90 ZwOpenSection
SSDT 89147DE0 ZwOpenThread
SSDT 89099F80 ZwProtectVirtualMemory
SSDT 89500A90 ZwResumeThread
SSDT 89019060 ZwSetContextThread
SSDT 891B5488 ZwSetInformationProcess
SSDT 8909FFD0 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xA8D6BB60]
SSDT 890AEF70 ZwSuspendProcess
SSDT 89009060 ZwSuspendThread
SSDT 8913CA68 ZwTerminateProcess
SSDT 896945D0 ZwTerminateThread
SSDT 890AA1F8 ZwUnmapViewOfSection
SSDT 8958B440 ZwWriteVirtualMemory

Code \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 1D0 804E283C 4 Bytes JMP 6EC9B197
.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF74D6794]
? SYMEFA.SYS The system cannot find the file specified. !
init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xB984AF80]
? C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1236] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 3 Bytes JMP 0091000A
.text C:\WINDOWS\System32\svchost.exe[1236] ntdll.dll!NtProtectVirtualMemory + 4 7C90D6F2 1 Byte [84]
.text C:\WINDOWS\System32\svchost.exe[1236] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0092000A
.text C:\WINDOWS\System32\svchost.exe[1236] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0090000C
.text C:\WINDOWS\System32\svchost.exe[1236] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 01CB000A
.text C:\WINDOWS\explorer.exe[2940] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B6000A
.text C:\WINDOWS\explorer.exe[2940] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BC000A
.text C:\WINDOWS\explorer.exe[2940] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B5000C

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


#7 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:02:13 PM

Posted 19 April 2010 - 03:59 PM

Hi-

It doesn't appear that ComboFix cleaned out the main infection so we will run TDSSKiller, follow that with GMER, and then get an OTL listing.

First, Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.
    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file in your next reply.


Next, let's run GMER.
  • Disconnect from the Internet and close all running programs.
  • Your Norton 360 should be disabled for this step as well.
  • Double-click on gmer.exe to start the program.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • On the menu on the right side of the window, uncheck the Devices by clicking on it.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Finally, we need to create an OTL Report.
  • Please download OTL from here -
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "Use SafeList"
  • Under the Custom Scan box paste in the contents of the CODE box.
    CODE
    netsvcs
    %SYSTEMDRIVE%\*.exe
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
  • Push the button.
  • Two reports will open, copy and paste them into your reply:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized

In your reply, copy in the TDSSKiller report, the GMER reports and the two OTL reports.

Thanks.

Shannon

#8 D Speights

D Speights
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Lakewood, CO
  • Local time:12:13 PM

Posted 20 April 2010 - 10:39 AM

Thank you for your help so far.

I have two concerns while I am working on this. First, how long should the GMER scan take? Second, when I ran TDSSKiller it said that atapi.sys was infected and would be cured on reboot. I ran TDSSKiller again after reboot and there were no problems found, which I take is a good thing. However, the first report was overwritten by the second.

I will post the reports when I am done with everything.

#9 D Speights

D Speights
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Lakewood, CO
  • Local time:12:13 PM

Posted 20 April 2010 - 01:02 PM

Here are the logs in order (TDSSKiller, GMER, OTL, Extras):


09:33:20:609 2140 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
09:33:20:609 2140 ================================================================================
09:33:20:609 2140 SystemInfo:

09:33:20:609 2140 OS Version: 5.1.2600 ServicePack: 3.0
09:33:20:609 2140 Product type: Workstation
09:33:20:609 2140 ComputerName: SP8SWARE
09:33:20:609 2140 UserName: Owner
09:33:20:609 2140 Windows directory: C:\WINDOWS
09:33:20:609 2140 Processor architecture: Intel x86
09:33:20:609 2140 Number of processors: 1
09:33:20:609 2140 Page size: 0x1000
09:33:20:609 2140 Boot type: Normal boot
09:33:20:609 2140 ================================================================================
09:33:20:625 2140 UnloadDriverW: NtUnloadDriver error 2
09:33:20:625 2140 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
09:33:20:906 2140 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
09:33:20:906 2140 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
09:33:20:906 2140 wfopen_ex: Trying to KLMD file open
09:33:20:906 2140 wfopen_ex: File opened ok (Flags 2)
09:33:20:906 2140 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
09:33:20:906 2140 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
09:33:20:906 2140 wfopen_ex: Trying to KLMD file open
09:33:20:906 2140 wfopen_ex: File opened ok (Flags 2)
09:33:20:906 2140 Initialize success
09:33:20:906 2140
09:33:20:906 2140 Scanning Services ...
09:33:21:453 2140 Raw services enum returned 319 services
09:33:21:453 2140
09:33:21:453 2140 Scanning Kernel memory ...
09:33:21:453 2140 Devices to scan: 5
09:33:21:453 2140
09:33:21:453 2140 Driver Name: Disk
09:33:21:453 2140 IRP_MJ_CREATE : F763DBB0
09:33:21:453 2140 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
09:33:21:453 2140 IRP_MJ_CLOSE : F763DBB0
09:33:21:453 2140 IRP_MJ_READ : F7637D1F
09:33:21:453 2140 IRP_MJ_WRITE : F7637D1F
09:33:21:453 2140 IRP_MJ_QUERY_INFORMATION : 804FA88E
09:33:21:453 2140 IRP_MJ_SET_INFORMATION : 804FA88E
09:33:21:453 2140 IRP_MJ_QUERY_EA : 804FA88E
09:33:21:453 2140 IRP_MJ_SET_EA : 804FA88E
09:33:21:453 2140 IRP_MJ_FLUSH_BUFFERS : F76382E2
09:33:21:453 2140 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
09:33:21:453 2140 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
09:33:21:453 2140 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
09:33:21:453 2140 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
09:33:21:453 2140 IRP_MJ_DEVICE_CONTROL : F76383BB
09:33:21:453 2140 IRP_MJ_INTERNAL_DEVICE_CONTROL : F763BF28
09:33:21:453 2140 IRP_MJ_SHUTDOWN : F76382E2
09:33:21:453 2140 IRP_MJ_LOCK_CONTROL : 804FA88E
09:33:21:453 2140 IRP_MJ_CLEANUP : 804FA88E
09:33:21:453 2140 IRP_MJ_CREATE_MAILSLOT : 804FA88E
09:33:21:453 2140 IRP_MJ_QUERY_SECURITY : 804FA88E
09:33:21:453 2140 IRP_MJ_SET_SECURITY : 804FA88E
09:33:21:453 2140 IRP_MJ_POWER : F7639C82
09:33:21:453 2140 IRP_MJ_SYSTEM_CONTROL : F763E99E
09:33:21:453 2140 IRP_MJ_DEVICE_CHANGE : 804FA88E
09:33:21:453 2140 IRP_MJ_QUERY_QUOTA : 804FA88E
09:33:21:453 2140 IRP_MJ_SET_QUOTA : 804FA88E
09:33:21:484 2140 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
09:33:21:484 2140
09:33:21:484 2140 Driver Name: USBSTOR
09:33:21:484 2140 IRP_MJ_CREATE : F781C218
09:33:21:484 2140 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
09:33:21:484 2140 IRP_MJ_CLOSE : F781C218
09:33:21:484 2140 IRP_MJ_READ : F781C23C
09:33:21:484 2140 IRP_MJ_WRITE : F781C23C
09:33:21:484 2140 IRP_MJ_QUERY_INFORMATION : 804FA88E
09:33:21:484 2140 IRP_MJ_SET_INFORMATION : 804FA88E
09:33:21:484 2140 IRP_MJ_QUERY_EA : 804FA88E
09:33:21:484 2140 IRP_MJ_SET_EA : 804FA88E
09:33:21:484 2140 IRP_MJ_FLUSH_BUFFERS : 804FA88E
09:33:21:484 2140 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
09:33:21:484 2140 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
09:33:21:484 2140 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
09:33:21:484 2140 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
09:33:21:484 2140 IRP_MJ_DEVICE_CONTROL : F781C180
09:33:21:484 2140 IRP_MJ_INTERNAL_DEVICE_CONTROL : F78179E6
09:33:21:484 2140 IRP_MJ_SHUTDOWN : 804FA88E
09:33:21:484 2140 IRP_MJ_LOCK_CONTROL : 804FA88E
09:33:21:484 2140 IRP_MJ_CLEANUP : 804FA88E
09:33:21:484 2140 IRP_MJ_CREATE_MAILSLOT : 804FA88E
09:33:21:484 2140 IRP_MJ_QUERY_SECURITY : 804FA88E
09:33:21:484 2140 IRP_MJ_SET_SECURITY : 804FA88E
09:33:21:484 2140 IRP_MJ_POWER : F781B5F0
09:33:21:484 2140 IRP_MJ_SYSTEM_CONTROL : F7819A6E
09:33:21:484 2140 IRP_MJ_DEVICE_CHANGE : 804FA88E
09:33:21:484 2140 IRP_MJ_QUERY_QUOTA : 804FA88E
09:33:21:484 2140 IRP_MJ_SET_QUOTA : 804FA88E
09:33:21:500 2140 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
09:33:21:500 2140
09:33:21:500 2140 Driver Name: Disk
09:33:21:500 2140 IRP_MJ_CREATE : F763DBB0
09:33:21:500 2140 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
09:33:21:500 2140 IRP_MJ_CLOSE : F763DBB0
09:33:21:500 2140 IRP_MJ_READ : F7637D1F
09:33:21:500 2140 IRP_MJ_WRITE : F7637D1F
09:33:21:500 2140 IRP_MJ_QUERY_INFORMATION : 804FA88E
09:33:21:500 2140 IRP_MJ_SET_INFORMATION : 804FA88E
09:33:21:500 2140 IRP_MJ_QUERY_EA : 804FA88E
09:33:21:500 2140 IRP_MJ_SET_EA : 804FA88E
09:33:21:500 2140 IRP_MJ_FLUSH_BUFFERS : F76382E2
09:33:21:500 2140 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
09:33:21:500 2140 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
09:33:21:500 2140 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
09:33:21:500 2140 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
09:33:21:500 2140 IRP_MJ_DEVICE_CONTROL : F76383BB
09:33:21:500 2140 IRP_MJ_INTERNAL_DEVICE_CONTROL : F763BF28
09:33:21:500 2140 IRP_MJ_SHUTDOWN : F76382E2
09:33:21:500 2140 IRP_MJ_LOCK_CONTROL : 804FA88E
09:33:21:500 2140 IRP_MJ_CLEANUP : 804FA88E
09:33:21:500 2140 IRP_MJ_CREATE_MAILSLOT : 804FA88E
09:33:21:500 2140 IRP_MJ_QUERY_SECURITY : 804FA88E
09:33:21:500 2140 IRP_MJ_SET_SECURITY : 804FA88E
09:33:21:500 2140 IRP_MJ_POWER : F7639C82
09:33:21:500 2140 IRP_MJ_SYSTEM_CONTROL : F763E99E
09:33:21:500 2140 IRP_MJ_DEVICE_CHANGE : 804FA88E
09:33:21:500 2140 IRP_MJ_QUERY_QUOTA : 804FA88E
09:33:21:500 2140 IRP_MJ_SET_QUOTA : 804FA88E
09:33:21:515 2140 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
09:33:21:515 2140
09:33:21:515 2140 Driver Name: Disk
09:33:21:515 2140 IRP_MJ_CREATE : F763DBB0
09:33:21:515 2140 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
09:33:21:515 2140 IRP_MJ_CLOSE : F763DBB0
09:33:21:515 2140 IRP_MJ_READ : F7637D1F
09:33:21:515 2140 IRP_MJ_WRITE : F7637D1F
09:33:21:515 2140 IRP_MJ_QUERY_INFORMATION : 804FA88E
09:33:21:515 2140 IRP_MJ_SET_INFORMATION : 804FA88E
09:33:21:515 2140 IRP_MJ_QUERY_EA : 804FA88E
09:33:21:515 2140 IRP_MJ_SET_EA : 804FA88E
09:33:21:515 2140 IRP_MJ_FLUSH_BUFFERS : F76382E2
09:33:21:515 2140 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
09:33:21:515 2140 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
09:33:21:515 2140 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
09:33:21:515 2140 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
09:33:21:515 2140 IRP_MJ_DEVICE_CONTROL : F76383BB
09:33:21:515 2140 IRP_MJ_INTERNAL_DEVICE_CONTROL : F763BF28
09:33:21:515 2140 IRP_MJ_SHUTDOWN : F76382E2
09:33:21:515 2140 IRP_MJ_LOCK_CONTROL : 804FA88E
09:33:21:515 2140 IRP_MJ_CLEANUP : 804FA88E
09:33:21:515 2140 IRP_MJ_CREATE_MAILSLOT : 804FA88E
09:33:21:515 2140 IRP_MJ_QUERY_SECURITY : 804FA88E
09:33:21:515 2140 IRP_MJ_SET_SECURITY : 804FA88E
09:33:21:515 2140 IRP_MJ_POWER : F7639C82
09:33:21:515 2140 IRP_MJ_SYSTEM_CONTROL : F763E99E
09:33:21:515 2140 IRP_MJ_DEVICE_CHANGE : 804FA88E
09:33:21:515 2140 IRP_MJ_QUERY_QUOTA : 804FA88E
09:33:21:515 2140 IRP_MJ_SET_QUOTA : 804FA88E
09:33:21:515 2140 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
09:33:21:515 2140
09:33:21:515 2140 Driver Name: atapi
09:33:21:515 2140 IRP_MJ_CREATE : F74CA6F2
09:33:21:515 2140 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
09:33:21:515 2140 IRP_MJ_CLOSE : F74CA6F2
09:33:21:515 2140 IRP_MJ_READ : 804FA88E
09:33:21:515 2140 IRP_MJ_WRITE : 804FA88E
09:33:21:515 2140 IRP_MJ_QUERY_INFORMATION : 804FA88E
09:33:21:515 2140 IRP_MJ_SET_INFORMATION : 804FA88E
09:33:21:515 2140 IRP_MJ_QUERY_EA : 804FA88E
09:33:21:515 2140 IRP_MJ_SET_EA : 804FA88E
09:33:21:515 2140 IRP_MJ_FLUSH_BUFFERS : 804FA88E
09:33:21:515 2140 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
09:33:21:515 2140 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
09:33:21:515 2140 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
09:33:21:515 2140 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
09:33:21:515 2140 IRP_MJ_DEVICE_CONTROL : F74CA712
09:33:21:515 2140 IRP_MJ_INTERNAL_DEVICE_CONTROL : F74C6852
09:33:21:515 2140 IRP_MJ_SHUTDOWN : 804FA88E
09:33:21:515 2140 IRP_MJ_LOCK_CONTROL : 804FA88E
09:33:21:515 2140 IRP_MJ_CLEANUP : 804FA88E
09:33:21:515 2140 IRP_MJ_CREATE_MAILSLOT : 804FA88E
09:33:21:515 2140 IRP_MJ_QUERY_SECURITY : 804FA88E
09:33:21:515 2140 IRP_MJ_SET_SECURITY : 804FA88E
09:33:21:515 2140 IRP_MJ_POWER : F74CA73C
09:33:21:515 2140 IRP_MJ_SYSTEM_CONTROL : F74D1336
09:33:21:515 2140 IRP_MJ_DEVICE_CHANGE : 804FA88E
09:33:21:515 2140 IRP_MJ_QUERY_QUOTA : 804FA88E
09:33:21:515 2140 IRP_MJ_SET_QUOTA : 804FA88E
09:33:21:531 2140 C:\WINDOWS\system32\drivers\atapi.sys - Verdict: 1
09:33:21:531 2140
09:33:21:531 2140 Completed
09:33:21:531 2140
09:33:21:531 2140 Results:
09:33:21:531 2140 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
09:33:21:531 2140 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
09:33:21:531 2140 File objects infected / cured / cured on reboot: 0 / 0 / 0
09:33:21:531 2140
09:33:21:546 2140 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
09:33:21:546 2140 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
09:33:21:546 2140 KLMD(ARK) unloaded successfully




GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-20 11:56:55
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kwryypoc.sys


---- System - GMER 1.0.15 ----

SSDT 892FF128 ZwAlertResumeThread
SSDT 8930B828 ZwAlertThread
SSDT 890C7200 ZwAllocateVirtualMemory
SSDT 8979C9E0 ZwAssignProcessToJobObject
SSDT 895FD580 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xB201A130]
SSDT 8952DA58 ZwCreateMutant
SSDT 892F6798 ZwCreateSymbolicLinkObject
SSDT 8951F058 ZwCreateThread
SSDT 895E5690 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xB201A3B0]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB201A910]
SSDT 896211F8 ZwDuplicateObject
SSDT 892F9870 ZwFreeVirtualMemory
SSDT 8930F128 ZwImpersonateAnonymousToken
SSDT 8950A128 ZwImpersonateThread
SSDT 897175F0 ZwLoadDriver
SSDT 895CBBF8 ZwMapViewOfSection
SSDT 89512128 ZwOpenEvent
SSDT 8950BE10 ZwOpenProcess
SSDT 892F6BA0 ZwOpenProcessToken
SSDT 89550740 ZwOpenSection
SSDT 891D71F8 ZwOpenThread
SSDT 89582B58 ZwProtectVirtualMemory
SSDT 89576CD8 ZwResumeThread
SSDT 892E5A08 ZwSetContextThread
SSDT 89111008 ZwSetInformationProcess
SSDT 8962FDF0 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB201AB60]
SSDT 89530B78 ZwSuspendProcess
SSDT 89517828 ZwSuspendThread
SSDT 89676DB8 ZwTerminateProcess
SSDT 89217828 ZwTerminateThread
SSDT 895565E8 ZwUnmapViewOfSection
SSDT 896338C0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 198 804E2804 1 Byte [70]
.text ntoskrnl.exe!_abnormal_termination + 478 804E2AE4 4 Bytes CALL 87D7804E
? klmdb.sys The system cannot find the file specified. !
? tskF.tmp The system cannot find the file specified. !
? SYMEFA.SYS The system cannot find the file specified. !
init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xBA530F80]

---- EOF - GMER 1.0.15 ----




OTL logfile created on: 4/20/2010 11:24:25 AM - Run 1
OTL by OldTimer - Version 3.2.1.3 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 56.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 87.00% Paging File free
Paging file location(s): C:\pagefile.sys 1920 3840 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.21 Gb Total Space | 13.64 Gb Free Space | 36.65% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 298.01 Gb Total Space | 221.62 Gb Free Space | 74.37% Space Free | Partition Type: FAT32
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SP8SWARE
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/04/20 11:23:26 | 000,562,176 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
PRC - [2010/04/15 18:26:37 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/04/09 10:52:09 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\gmer.exe
PRC - [2009/08/22 02:26:07 | 000,117,640 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
PRC - [2009/02/26 15:24:50 | 000,097,680 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
PRC - [2008/04/24 14:26:18 | 000,202,560 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
PRC - [2008/04/13 18:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/11/13 13:39:52 | 001,289,000 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\wcescomm.exe
PRC - [2006/11/13 13:39:34 | 000,199,464 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\rapimgr.exe
PRC - [2004/10/14 14:42:54 | 001,404,928 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\Core\smax4pnp.exe


========== Modules (SafeList) ==========

MOD - [2010/04/20 11:23:26 | 000,562,176 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
MOD - [2009/08/22 02:26:04 | 000,419,696 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton 360\Engine\3.8.0.41\asOEHook.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/08/22 02:26:07 | 000,117,640 | R--- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe -- (N360)
SRV - [2008/10/15 17:13:58 | 000,439,632 | ---- | M] (RealVNC Ltd.) [Auto | Stopped] -- C:\Program Files\RealVNC\VNC4\WinVNC4.exe -- (WinVNC4)
SRV - [2008/04/24 14:26:18 | 000,202,560 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe -- (sprtsvc_ddoctorv2) SupportSoft Sprocket Service (ddoctorv2)
SRV - [2004/10/22 13:42:44 | 000,049,152 | ---- | M] (Alpha Networks Inc.) [Auto | Stopped] -- C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe -- (ANIWZCSdService)


========== Driver Services (SafeList) ==========

DRV - [2010/02/03 03:00:00 | 001,324,720 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100419.036\NAVEX15.SYS -- (NAVEX15)
DRV - [2010/02/03 03:00:00 | 000,084,912 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100419.036\NAVENG.SYS -- (NAVENG)
DRV - [2009/10/28 16:37:22 | 000,329,592 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100415.001\IDSXpx86.sys -- (IDSxpx86)
DRV - [2009/08/26 02:00:00 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2009/08/26 02:00:00 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2009/08/22 02:26:08 | 000,482,432 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\N360\0308000.029\ccHPx86.sys -- (ccHP)
DRV - [2009/08/22 02:26:08 | 000,310,320 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\N360\0308000.029\SYMEFA.SYS -- (SymEFA)
DRV - [2009/08/22 02:26:08 | 000,308,272 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\WINDOWS\System32\Drivers\N360\0308000.029\SRTSP.SYS -- (SRTSP)
DRV - [2009/08/22 02:26:08 | 000,259,632 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\N360\0308000.029\BHDrvx86.sys -- (BHDrvx86)
DRV - [2009/08/22 02:26:08 | 000,217,136 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\N360\0308000.029\SYMTDI.SYS -- (SYMTDI)
DRV - [2009/08/22 02:26:08 | 000,089,904 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\N360\0308000.029\SYMFW.SYS -- (SYMFW)
DRV - [2009/08/22 02:26:08 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\N360\0308000.029\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV - [2009/08/22 02:26:08 | 000,036,400 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\N360\0308000.029\SYMNDIS.SYS -- (SYMNDIS)
DRV - [2009/08/22 02:26:08 | 000,033,072 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\N360\0308000.029\SYMIDS.SYS -- (SYMIDS)
DRV - [2009/08/20 15:19:42 | 000,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2009/08/18 13:20:55 | 000,036,400 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SymIM.sys -- (SymIMMP)
DRV - [2009/08/18 13:20:55 | 000,036,400 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SymIM.sys -- (SymIM)
DRV - [2009/07/23 13:07:40 | 000,006,528 | ---- | M] (Windows ® Codename Longhorn DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\jumi.sys -- (jumi)
DRV - [2004/09/17 09:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
DRV - [2004/08/05 13:25:38 | 000,381,312 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\PRISMA02.sys -- (PRISM_A02) D-Link Wireless 802.11b/g Driver (USB)
DRV - [2004/07/27 11:20:46 | 000,028,205 | ---- | M] (Alpha Networks Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\ANIO.sys -- (ANIO)
DRV - [2001/08/22 08:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS -- (OMCI)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1409082233-926492609-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1409082233-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1409082233-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.suggest.enabled: false
FF - prefs.js..extensions.enabledItems: DesktopWatcher@Brociety.com:1.7.1
FF - prefs.js..extensions.enabledItems: personas@christopher.beard:1.5.3
FF - prefs.js..extensions.enabledItems: {4d0c2910-1e70-11dc-af8a-0008743bf21a}:1.7.1
FF - prefs.js..extensions.enabledItems: {fa038e8f-d1d1-11db-9705-005056c00008}:1.7.1
FF - prefs.js..extensions.enabledItems: {FFA36170-80B1-4535-B0E3-A4569E497DD0}:3.0.2
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - HKLM\software\mozilla\Firefox\extensions\\{7BA52691-1876-45ce-9EE6-54BCB3B04BBC}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\ [2010/04/20 09:27:25 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/15 20:33:13 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/15 18:26:42 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.0.4\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010/03/30 20:39:21 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.0.4\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

[2010/03/21 19:04:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2010/03/21 19:04:27 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2010/04/20 09:34:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\xplmqurp.default\extensions
[2010/03/31 08:49:22 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\xplmqurp.default\extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe41}
[2009/09/02 12:38:23 | 000,000,000 | ---D | M] (Whiskey Militia Watcher) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\xplmqurp.default\extensions\{4d0c2910-1e70-11dc-af8a-0008743bf21a}
[2009/09/02 12:37:19 | 000,000,000 | ---D | M] (Steep and Cheap Watcher) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\xplmqurp.default\extensions\{fa038e8f-d1d1-11db-9705-005056c00008}
[2010/04/15 18:42:38 | 000,000,000 | ---D | M] (Mouse Gestures Redox) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\xplmqurp.default\extensions\{FFA36170-80B1-4535-B0E3-A4569E497DD0}
[2009/09/02 12:38:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\xplmqurp.default\extensions\DesktopWatcher@Brociety.com
[2010/04/15 13:20:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\xplmqurp.default\extensions\personas@christopher.beard
[2010/04/20 09:27:22 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/03/31 22:47:26 | 000,324,976 | ---- | M] (Symantec Corporation) -- C:\Program Files\Mozilla Firefox\components\coFFPlgn.dll

O1 HOSTS File: ([2003/07/16 14:29:34 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.8.0.41\CoIEPlg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.8.0.41\IPSBHO.dll (Symantec Corporation)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.8.0.41\CoIEPlg.dll (Symantec Corporation)
O3 - HKU\S-1-5-21-1409082233-926492609-839522115-1003\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.8.0.41\CoIEPlg.dll (Symantec Corporation)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKU\S-1-5-21-1409082233-926492609-839522115-1003..\Run: [H/PC Connection Agent] C:\Program Files\Microsoft ActiveSync\wcescomm.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableStatusMessages = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 0
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 0
O7 - HKU\S-1-5-21-1409082233-926492609-839522115-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1409082233-926492609-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1409082233-926492609-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1409082233-926492609-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/microsoftupdat...b?1243742562058 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1243742542464 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} https://fpdownload.macromedia.com/get/flash...ent/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\symres {AA1061FE-6C41-421f-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.8.0.41\CoIEPlg.dll (Symantec Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/05/30 20:19:56 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008/04/26 09:17:58 | 000,000,000 | ---D | M] - E:\autorun -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\S-1-5-21-1409082233-926492609-839522115-1003\...exe [@ = exefile] -- Reg Error: Key error. File not found

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2009/05/30 14:05:40 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)

========== Files/Folders - Created Within 30 Days ==========

[2010/04/20 11:23:26 | 000,562,176 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2010/04/20 10:08:22 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Owner\Recent
[2010/04/20 09:50:19 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/04/20 09:23:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\tdsskiller
[2010/04/17 20:30:44 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/04/17 20:28:33 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/04/17 20:28:33 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/04/17 20:28:33 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/04/17 20:28:33 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/04/17 20:28:18 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/04/17 20:27:31 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/04/15 18:27:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/04/13 18:25:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2010/04/13 18:25:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/04/13 18:25:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Sun
[2010/04/10 17:28:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/04/10 17:28:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2010/04/09 17:38:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/04/08 08:20:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple Computer
[2010/04/08 08:20:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010/04/07 15:45:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Malwarebytes
[2010/04/07 15:45:07 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/07 15:45:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/04/07 15:45:03 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/07 15:45:03 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/07 14:19:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/04/07 11:00:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Symantec
[2010/04/06 20:48:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/03/22 10:43:42 | 000,178,000 | ---- | C] (Kaspersky Lab) -- C:\Documents and Settings\Owner\Desktop\TDSSKiller.exe
[2009/09/04 15:54:15 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/08/20 15:19:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Downloaded Installations
[2009/05/30 20:19:37 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/04/20 11:23:26 | 000,562,176 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2010/04/20 09:57:22 | 000,010,738 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Rent & Bills (Autosaved).xlsx
[2010/04/20 09:27:16 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/20 09:27:05 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/20 09:26:04 | 003,932,160 | -H-- | M] () -- C:\Documents and Settings\Owner\NTUSER.DAT
[2010/04/20 09:26:04 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini
[2010/04/20 09:23:58 | 000,178,000 | ---- | M] (Kaspersky Lab) -- C:\Documents and Settings\Owner\Desktop\TDSSKiller.exe
[2010/04/20 09:23:12 | 000,154,469 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\tdsskiller.zip
[2010/04/20 09:11:37 | 006,905,696 | -H-- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\IconCache.db
[2010/04/17 22:44:09 | 000,096,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\atapi.sys
[2010/04/17 20:44:26 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/04/17 20:30:54 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/04/17 20:15:44 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/04/16 22:53:04 | 003,916,775 | R--- | M] () -- C:\Documents and Settings\Owner\Desktop\ComboFix.exe
[2010/04/16 15:17:14 | 000,186,368 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/16 12:19:38 | 000,000,335 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\FixExe.reg
[2010/04/16 12:10:09 | 000,016,034 | -HS- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\A7tSVvNm0XC7
[2010/04/16 12:10:09 | 000,016,034 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\A7tSVvNm0XC7
[2010/04/15 18:27:45 | 000,001,208 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\21a34KM55vORW
[2010/04/14 15:21:59 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/04/13 18:26:16 | 000,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/04/09 10:52:09 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\gmer.exe
[2010/04/09 10:43:57 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Owner\defogger_reenable
[2010/04/09 10:34:49 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\dds.scr
[2010/04/07 15:45:10 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/04/07 11:19:35 | 000,019,608 | -HS- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\v8106Ew8k
[2010/04/07 11:19:35 | 000,019,608 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\v8106Ew8k
[2010/04/04 19:30:11 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/03/30 00:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/30 00:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/03/25 14:01:20 | 000,000,282 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to My Career Search.lnk
[2010/03/21 18:53:37 | 000,360,124 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/21 18:53:37 | 000,314,508 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/21 18:53:37 | 000,040,836 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/20 09:21:57 | 000,154,469 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\tdsskiller.zip
[2010/04/17 20:30:53 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/04/17 20:30:49 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/04/17 20:28:33 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/04/17 20:28:33 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/04/17 20:28:33 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/04/17 20:28:33 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/04/17 20:28:33 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/04/16 22:52:50 | 003,916,775 | R--- | C] () -- C:\Documents and Settings\Owner\Desktop\ComboFix.exe
[2010/04/16 12:19:37 | 000,000,335 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\FixExe.reg
[2010/04/16 11:12:20 | 000,016,034 | -HS- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\A7tSVvNm0XC7
[2010/04/16 11:12:20 | 000,016,034 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\A7tSVvNm0XC7
[2010/04/15 18:27:45 | 000,001,208 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\21a34KM55vORW
[2010/04/15 18:27:45 | 000,001,208 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\21a34KM55vORW
[2010/04/15 13:39:35 | 000,010,738 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Rent & Bills (Autosaved).xlsx
[2010/04/13 18:26:16 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/04/13 18:26:15 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/04/09 10:43:57 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Owner\defogger_reenable
[2010/04/09 10:34:47 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\dds.scr
[2010/04/07 15:45:10 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/04/07 11:05:30 | 000,019,608 | -HS- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\v8106Ew8k
[2010/04/07 11:05:30 | 000,019,608 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\v8106Ew8k
[2010/03/25 14:01:20 | 000,000,282 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to My Career Search.lnk
[2009/10/23 16:18:45 | 000,002,528 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\$_hpcst$.hpc
[2009/08/31 19:51:05 | 000,003,099 | ---- | C] () -- C:\Documents and Settings\Owner\_GEAREXT.WO_IDENT.TXT
[2009/06/01 15:44:05 | 000,000,780 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2009/06/01 12:33:58 | 000,186,368 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/05/30 20:25:22 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\Owner\ntuser.dat.LOG
[2009/05/30 20:25:22 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\Owner\ntuser.ini
[2009/05/30 20:25:21 | 003,932,160 | -H-- | C] () -- C:\Documents and Settings\Owner\NTUSER.DAT

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >

< %ALLUSERSPROFILE%\Application Data\*.exe /s >
[2008/07/04 13:35:42 | 000,053,096 | ---- | M] (GEAR Software, Inc.) -- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x64\DifXInstall64.exe
[2008/07/04 13:35:40 | 000,054,632 | ---- | M] (GEAR Software, Inc.) -- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\DifXInstall32.exe
[2009/02/04 13:56:14 | 000,075,112 | ---- | M] (GEAR Software, Inc.) -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\DifXInstall32.exe
[2009/08/21 12:48:24 | 000,075,040 | ---- | M] (Apple Inc.) -- C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
[2010/02/10 21:02:51 | 029,589,992 | ---- | M] (Macrovision Corporation) -- C:\Documents and Settings\All Users\Application Data\TaxCut\2008\Update\US62017101eupd.exe


< MD5 for: AGP440.SYS >
[2009/05/30 22:54:28 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2009/05/30 23:18:49 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2009/05/30 22:54:28 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:AGP440.sys
[2009/05/30 23:18:49 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 12:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2008/04/13 12:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 12:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/04 00:07:41 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2003/07/16 14:46:14 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:atapi.sys
[2009/05/30 22:54:28 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2009/05/30 23:18:49 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2009/05/30 22:54:28 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:atapi.sys
[2009/05/30 23:18:49 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2010/04/11 11:29:24 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 12:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2010/04/17 22:44:09 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2010/04/20 09:26:39 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 23:59:42 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 18:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/04/13 18:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 18:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 01:56:42 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 18:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/13 18:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 18:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 01:56:44 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 01:56:44 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 18:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/13 18:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 18:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[4 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >
< End of report >



OTL Extras logfile created on: 4/20/2010 11:24:25 AM - Run 1
OTL by OldTimer - Version 3.2.1.3 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 56.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 87.00% Paging File free
Paging file location(s): C:\pagefile.sys 1920 3840 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.21 Gb Total Space | 13.64 Gb Free Space | 36.65% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 298.01 Gb Total Space | 221.62 Gb Free Space | 74.37% Space Free | Partition Type: FAT32
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SP8SWARE
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_USERS\S-1-5-21-1409082233-926492609-839522115-1003\SOFTWARE\Classes\<extension>]
.exe [@ = exefile] -- Reg Error: Key error. File not found
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe" = C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe" = C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe" = C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE" = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe" = C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe" = C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe" = C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{10E1E87C-656C-4D08-86D6-5443D28583BE}" = TrayApp
"{1753255A-0AEB-4220-8C75-607B73F0C133}" = Copy
"{206FD69B-F9FE-4164-81BD-D52552BC9C23}" = GearDrvs
"{22466889-7642-488d-AA0E-F619704CF7AB}" = DeviceDiscovery
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java™ 6 Update 15
"{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com
"{29FA38B4-0AE4-4D0D-8A51-6165BB990BB0}" = WebReg
"{2B7E4354-0492-460A-BDB1-1F59EE141025}" = AirPlus G
"{2F28B3C9-2C89-4206-8B33-8ADC9577C49B}" = Scan
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{4C590030-7469-453E-8589-D15DA9D03F52}" = ANIWZCS2 Service
"{543E938C-BDC4-4933-A612-01293996845F}" = UnloadSupport
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7B5CE976-C7A9-4E38-A7F3-6C8EF025DD8E}" = ANIO Service
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics Driver
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ULTIMATER_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ULTIMATER_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ULTIMATER_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ULTIMATER_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ULTIMATER_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002E-0000-0000-0000000FF1CE}" = Microsoft Office Ultimate 2007
"{91120000-002E-0000-0000-0000000FF1CE}_ULTIMATER_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002E-0000-0000-0000000FF1CE}_ULTIMATER_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{99052DB7-9592-4522-A558-5417BBAD48EE}" = Microsoft ActiveSync
"{99ECF41F-5CCA-42BD-B8B8-A8333E2E2944}" = iTunes
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A6B90148-02C5-4fd3-8D7A-EF2386835CB9}" = F4100_Help
"{A6C265BE-E2C1-483e-843D-6B4C1E912AE0}" = F4100
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.2
"{AF7FC1CA-79DF-43c3-90A3-33EFEB9294CE}" = AIO_Scan
"{B4509BCE-7BAD-4a8c-B1AE-4D0CE7467C42}" = F4100_doccd
"{B4F35A00-24FD-4fb3-BF5E-413D5423434D}" = DJ_AIO_Software_min
"{C337BDAF-CB4E-47E2-BE1A-CB31BB7DD0E3}" = Apple Mobile Device Support
"{C78EAC6F-7A73-452E-8134-DBB2165C5A68}" = QuickTime
"{CA50045C-5119-48e7-9BA7-6B317379857A}" = DJ_AIO_Software
"{CB84F0F2-927B-458D-9DC5-87832E3DC653}" = GearDrvs
"{CEF7211D-CE3A-44C4-B321-D84A2099AE94}" = Comcast Desktop Software (v1.2.0.9)
"{D0E39A1D-0CEE-4D85-B4A2-E3BE990D075E}" = Destination Component
"{D78653C3-A8FF-415F-92E6-D774E634FF2D}" = Dell ResourceCD
"{D81FBA6E-5492-4C46-BAE3-3A9242C27210}" = TaxCut Basic + Efile 2008
"{D87149B3-7A1D-4548-9CBF-032B791E5908}" = Desktop Doctor
"{E2662C24-B31E-4349-A084-32EB76E8B760}" = BufferChm
"{E548726E-F4E8-459f-BAB8-45551BC071E9}" = DJ_AIO_ProductContext
"{E9C18EBD-85BE-47D0-AA73-3FEDCC976B04}" = Toolbox
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}" = 32 Bit HP CIO Components Installer
"{FA8A44D7-3E8A-4034-9C4F-088FA6B72BC4}" = HP Deskjet All-In-One Software 9.0
"{FD8D8B04-BEAD-4A55-AA1D-62D2373E7DEA}" = Status
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"BitLord" = BitLord 1.1
"HP Imaging Device Functions" = HP Imaging Device Functions 9.0
"ie8" = Windows Internet Explorer 8
"InstallShield_{2B7E4354-0492-460A-BDB1-1F59EE141025}" = AirPlus G
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"Mozilla Thunderbird (3.0.4)" = Mozilla Thunderbird (3.0.4)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"N360" = Norton 360
"RealVNC_is1" = VNC Free Edition 4.1.3
"ULTIMATER" = Microsoft Office Ultimate 2007
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows Mobile Device Handbook" = T-Mobile Shadow™ User Manual
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1409082233-926492609-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Facebook Plug-In" = Facebook Plug-In

========== Last 10 Event Log Errors ==========

[ OSession Events ]
Error - 1/28/2010 1:20:38 PM | Computer Name = SP8SWARE | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 163252
seconds with 3660 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 4/17/2010 12:39:35 AM | Computer Name = SP8SWARE | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 4/17/2010 12:39:35 AM | Computer Name = SP8SWARE | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 4/19/2010 7:06:57 PM | Computer Name = SP8SWARE | Source = Service Control Manager | ID = 7032
Description = The Service Control Manager tried to take a corrective action (Restart
the service) after the unexpected termination of the Windows Management Instrumentation
service, but this action failed with the following error: %%1056

Error - 4/20/2010 12:33:17 AM | Computer Name = SP8SWARE | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 4/20/2010 12:33:17 AM | Computer Name = SP8SWARE | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 4/20/2010 11:08:28 AM | Computer Name = SP8SWARE | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the WZCSVC service.

Error - 4/20/2010 11:13:16 AM | Computer Name = SP8SWARE | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 4/20/2010 11:13:16 AM | Computer Name = SP8SWARE | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 4/20/2010 11:27:35 AM | Computer Name = SP8SWARE | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
PCIIde

Error - 4/20/2010 11:27:39 AM | Computer Name = SP8SWARE | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000001'
while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring
the volume.


< End of report >



#10 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:02:13 PM

Posted 21 April 2010 - 08:08 PM

Hi-

It looks like TDSSKiller took care of the main infection but I would like to look at a RootRepeal output to make sure. Then we will do a scan with Malwarebytes' Anti-Malware and ESET's online scan.

First, we will run RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive.
  • Open on your desktop.
  • Click the tab.
  • Click the button.
  • Check all seven boxes:
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

Next, We will do a scan with Malwarebytes' Anti-Malware (MBAM).

Please run Malwarebytes' Anti-Malware.
  • Click on the Update tab and click the Check for Updates button.
  • When the update is finished, click on the Scanner tab.
  • Select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

Note: If you are unable to get MBAM to run, download one of the following Rkill programs to your desktop, run it, and then try MBAM again. If you are unable run the Rkill you downloaded, download another one, and try it.
Rkill.exe
Rkill.com
Rkill.scr
Rkill.pif

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 or 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

Finally, I'd like for you to scan your machine with ESET OnlineScan.
  • Need to install the free standing verson of ESET
  • ESET Smart Installer
  • Save it to your desktop.
  • Double click on the ESET Smart Installer icon on your desktop
  • Check
  • Click the button.
  • It will download its software.
  • Check
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push

In your reply, copy in the RootRepeal, MBAM, and ESET reports.

Thanks,

Shannon

#11 D Speights

D Speights
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Lakewood, CO
  • Local time:12:13 PM

Posted 24 April 2010 - 03:17 PM

Thanks again for your help.

I just got back from a mini-vacation, a wedding in Estes Park, CO. That's the reason I haven't replied, but I will reply again shortly after I start working on this.

Also, I haven't seen any symptoms from my computer lately, so that's good.

-D. Speights

#12 D Speights

D Speights
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Lakewood, CO
  • Local time:12:13 PM

Posted 25 April 2010 - 10:18 AM

Alright,

Here are reports from RootRepeal and MBAM , in that order. Also ESET didn't find any threats, so I couldn't produce a log. Thanks again.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/04/24 14:33
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB1536000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79F5000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB10B1000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SYMEFA.SYS
Image Path: SYMEFA.SYS
Address: 0xF743F000 Size: 323584 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\documents and settings\owner\local settings\application data\mozilla\firefox\profiles\xplmqurp.default\cache\_cache_001_
Status: Size mismatch (API: 537130, Raw: 535458)

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x892e0058

#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x892d3058

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x89092de0

#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x894edb40

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x895abeb0

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xb19d0130

#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x8956b410

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "<unknown>" at address 0x892cc230

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x89508e90

#: 057 Function Name: NtDebugActiveProcess
Status: Hooked by "<unknown>" at address 0x892e3250

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xb19d03b0

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xb19d0910

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "<unknown>" at address 0x89096a30

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x894e8c20

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x89195058

#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x892ee058

#: 097 Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x8954b2b0

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x89628a90

#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x894d3058

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x8909ad80

#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x892f4058

#: 125 Function Name: NtOpenSection
Status: Hooked by "<unknown>" at address 0x89161058

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x8909dde0

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "<unknown>" at address 0x8966f6d8

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x894f38b8

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x892d5b20

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x892fa340

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "<unknown>" at address 0x894e8ba0

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xb19d0b60

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x892e6058

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x894e3058

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x892d7058

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x894e8058

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x892d8058

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x894eea08

Shadow SSDT
-------------------
#: 307 Function Name: NtUserAttachThreadInput
Status: Hooked by "<unknown>" at address 0x89093530

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "<unknown>" at address 0x892c1be8

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "<unknown>" at address 0x892cacd0

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "<unknown>" at address 0x895efb08

#: 428 Function Name: NtUserGetRawInputData
Status: Hooked by "<unknown>" at address 0x8841e900

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "<unknown>" at address 0x88369318

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "<unknown>" at address 0x8836c0f0

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "<unknown>" at address 0x88367da0

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "<unknown>" at address 0x8835e168

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "<unknown>" at address 0x8841e948

==EOF==




Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4032

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/24/2010 5:12:27 PM
mbam-log-2010-04-24 (17-12-27).txt

Scan type: Full scan (C:\|E:\|)
Objects scanned: 185491
Time elapsed: 2 hour(s), 19 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#13 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:02:13 PM

Posted 27 April 2010 - 04:42 AM

Hi-

Your machine looks clean, but we still have some clean up work to do and I would like to get one more listing.

First, we need to run an OTL Fix
  • Please reopen on your desktop.
  • Copy and Paste the following code into the textbox. Do not include the word "Code"
    CODE
    :OTL
    [2010/04/16 12:10:09 | 000,016,034 | -HS- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\A7tSVvNm0XC7
    [2010/04/16 12:10:09 | 000,016,034 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\A7tSVvNm0XC7
    [2010/04/15 18:27:45 | 000,001,208 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\21a34KM55vORW
    [2010/04/07 11:19:35 | 000,019,608 | -HS- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\v8106Ew8k
    [2010/04/07 11:19:35 | 000,019,608 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\v8106Ew8k
  • Push
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click .
  • A report will open. Copy and Paste that report in your next reply.

Next, your Java runtimes are out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version here - Java Runtime Environment (JRE) Version 6
  • Scroll down to where it says "JDK 6 Update 20 (JRE) ...allows end-users to run Java applications".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.

Finally, we need to create an OTL Report[/b]
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "Use SafeList"
  • Under the Custom Scan box paste in the contents of the CODE box.
    CODE
    netsvcs
    %SYSTEMDRIVE%\*.exe
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
  • Push the button.
  • Two reports will open, copy and paste them into your reply:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized

In your reply, copy in the three OTL logs.

Thanks,
Shannon

#14 D Speights

D Speights
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Lakewood, CO
  • Local time:12:13 PM

Posted 28 April 2010 - 12:11 AM

Okay, sounds good.

I will be out of town again for the next few days so I'll get on it when I get back.

Thanks again.

-D. Speights

#15 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:13 PM

Posted 05 May 2010 - 03:32 PM

Hello.

There had been no reply from the topic starter in 5 days. Due to inactivity, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users