
https tidserv request and request 2 infection


  • This topic is locked
20 replies to this topic

#1 Brian2010

Brian2010

  • Members
  • 22 posts

Posted 10 April 2010 - 11:00 PM

I believe my computer has become infected with this malware. The symptoms yesterday were continuous messages from Norton about blocking various attacks. Trojan Horse was mentioned in one of the entries, also. I attempted to clean these off myself. The steps I took: I noticed I had around 30 tasks in Windows Scheduler that ran every 15 minutes. I deleted those. According to the event log, Windows Security Center was disabled, so I re-enabled that. I checked the registry files where I was familiar with looking and didn't see anything unusual. Today, the symptoms are redirects in IE 8 to different websites than clicked, about every 30 minutes another block by Norton for HTTPS tidserv request or HTTPS tidserv request 2, I cannot make changes in MSCONFIG even though I'm logged in as administrator, and the computer will not boot in safe mode or safe mode with networking.
Attaching the attach.txt and ark.log files.

From the DDS.txt log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Brian at 22:32:26.64 on Sat 04/10/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.202 [GMT -4:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Internet Security\Engine\17.6.0.32\ccSvcHst.exe
C:\WINDOWS\system32\srvany.exe
C:\pvsw\bin\w3dbsmgr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Norton Internet Security\Engine\17.6.0.32\ccSvcHst.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Brian\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.cnn.com/
uSearch Bar = hxxp://www.toshiba.com/search
uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\17.6.0.32\coIEPlg.dll
BHO: TTB000000 Class: {62960d20-6d0d-1ab4-4bf1-95b0b5b8783a} - c:\windows\COUPON~1.DLL
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\17.6.0.32\IPSBHO.DLL
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: CouponBar: {5bed3930-2e9e-76d8-bacc-80df2188d455} - c:\windows\CouponBarIE.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\17.6.0.32\coIEPlg.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [NDSTray.exe] NDSTray.exe
mRun: [TFncKy] TFncKy.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program files\yahoo!\messenger\YahooMessenger.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: microsoft.com\www.update
Trusted Zone: noaa.gov\www.nhc
Trusted Zone: rhapsody.com\www
Trusted Zone: sportsline.com\www
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1250363820625
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-09.sun.com/s/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab?e=1243112824896&h=4139c242d7fffbd109191dd292d0df05/&filename=jinstall-6u13-windows-i586-jc.cab
DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} - hxxp://ind1nt231/webcore/crystalreport/viewer/activeXViewer/activexviewer.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {ECD55D89-AB73-4194-A9D6-237164DFC9D4} - hxxp://ind1nt231/webcore/cab/InstallFontTools.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1106000.020\symds.sys [2010-4-6 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1106000.020\symefa.sys [2010-4-6 172592]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\definitions\bashdefs\20100324.001\BHDrvx86.sys [2010-3-24 536112]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1106000.020\cchpx86.sys [2010-4-6 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1106000.020\ironx86.sys [2010-4-6 116784]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-2-17 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\definitions\ipsdefs\20100402.001\IDSXpx86.sys [2010-4-5 329592]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\definitions\virusdefs\20100410.020\NAVENG.SYS [2010-4-10 84912]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\definitions\virusdefs\20100410.020\NAVEX15.SYS [2010-4-10 1324720]
S3 COAX;COAX;c:\windows\system32\drivers\COAX.sys [2006-9-20 26528]
S3 RMBS;RMBS; [x]

=============== Created Last 30 ================

2010-04-11 02:27:32 0 ----a-w- c:\documents and settings\brian\defogger_reenable
2010-04-10 15:50:01 0 d-----w- C:\backup
2010-04-10 15:22:58 0 d-----w- c:\windows\pss
2010-04-09 08:40:00 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-04-09 08:40:00 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-04-09 08:39:24 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-04-09 08:39:24 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-04-09 08:37:39 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-04-09 08:37:39 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-04-09 08:32:22 0 d-----w- C:\spoolerlogs
2010-03-15 00:32:45 0 d-----w- c:\docume~1\brian\applic~1\E-centives

==================== Find3M ====================

2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-17 09:38:14 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-02-17 09:38:14 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-02-17 09:38:14 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-02-17 09:38:14 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2008-09-04 13:59:50 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090420080905\index.dat

============= FINISH: 22:34:29.28 ===============

Any help would be greatly appreciated.

#2 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 13 April 2010 - 11:27 AM

Hello and Welcome to Bleepingcomputer

Please note we are very busy, so if I don't hear from you within 5 days the topic will be closed. If you have since
resolved your issues, I would appreciate it if you would let me know so I can close this topic.


Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed, click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks



#3 Brian2010

Brian2010
  • Topic Starter

  • Members
  • 22 posts

Posted 14 April 2010 - 04:15 AM

Hello,

First...thanks for your help. Here is the text of the combofix log:

ComboFix 10-04-13.03 - Brian 04/14/2010 4:39.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.100 [GMT -4:00]
Running from: c:\documents and settings\Brian\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-3189052832-4293742930-2107519714-1003
c:\windows\system32\ctfmon .exe
c:\windows\system32\hkcmd .exe
c:\windows\system32\igfxpers .exe
c:\windows\system32\igfxtray .exe
c:\windows\system32\tpsmain .exe

.
((((((((((((((((((((((((( Files Created from 2010-03-14 to 2010-04-14 )))))))))))))))))))))))))))))))
.

2010-04-10 18:20 . 2010-04-10 18:36 -------- d-----w- c:\windows\BDOSCAN8
2010-04-10 15:50 . 2010-04-10 15:50 -------- d-----w- C:\backup
2010-04-10 01:41 . 2010-04-10 01:42 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-10 01:40 . 2010-04-10 01:40 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-09 08:40 . 2008-04-13 18:40 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-04-09 08:40 . 2008-04-13 18:40 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-04-09 08:39 . 2008-04-13 18:41 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-04-09 08:39 . 2008-04-13 18:41 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-04-09 08:37 . 2008-04-13 18:40 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-04-09 08:37 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-04-09 08:32 . 2010-04-09 08:32 -------- d-----w- C:\spoolerlogs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-10 23:10 . 2010-03-11 09:58 -------- d-----w- c:\program files\Windows Live Safety Center
2010-04-09 08:35 . 2009-08-13 08:46 -------- d-----w- c:\program files\QuickTime
2010-04-09 08:34 . 2006-01-19 03:57 -------- d-----w- c:\program files\ltmoh
2010-04-09 07:56 . 2009-08-09 19:19 -------- d-----w- c:\program files\Plaxo
2010-04-06 01:16 . 2009-08-11 21:15 -------- d-----w- c:\program files\Coupons
2010-03-25 23:29 . 2010-02-17 09:38 786800 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\coFFPlgn\components\coFFPlgn.dll
2010-03-24 20:38 . 2010-03-24 20:38 536112 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20100324.001\BHDrvx86.sys
2010-03-24 20:38 . 2010-03-24 20:38 201616 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20100324.001\BHRules.dll
2010-03-24 20:38 . 2010-03-24 20:38 1407888 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20100324.001\BHEngine.dll
2010-03-24 20:38 . 2010-03-24 20:38 678960 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20100324.001\BHDrvx64.sys
2010-03-24 20:38 . 2010-03-24 20:38 611216 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20100324.001\bbRGen.dll
2010-03-15 00:32 . 2010-03-15 00:32 -------- d-----w- c:\documents and settings\Brian\Application Data\E-centives
2010-03-15 00:32 . 2010-03-15 00:32 423464 ----a-w- c:\documents and settings\Brian\Application Data\E-centives\BSTIEPrintCtl1.dll
2010-03-12 01:22 . 2009-08-15 19:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-12 00:53 . 2010-03-12 00:53 46952 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\OCS\Download\.hsie2010.exe
2010-03-12 00:53 . 2010-03-12 00:53 24952 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\OCS\Download\.CLT2010.exe
2010-03-12 00:52 . 2010-02-17 09:37 968560 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\OCS\hsplayer.dll
2010-03-12 00:52 . 2010-03-12 00:52 -------- d-----w- c:\documents and settings\Brian\Application Data\Tific
2010-03-10 11:49 . 2009-11-17 22:42 79488 ----a-w- c:\documents and settings\Brian\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-03-07 16:55 . 2008-03-03 00:59 -------- d-----w- c:\documents and settings\Brian\Application Data\U3
2010-02-25 06:24 . 2006-01-19 02:02 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-17 10:20 . 2006-09-05 00:53 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-02-17 09:45 . 2010-04-14 08:25 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20100413.048\NAVENG.SYS
2010-02-17 09:45 . 2010-04-14 08:25 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20100413.048\NAVENG32.DLL
2010-02-17 09:45 . 2010-04-14 08:25 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20100413.048\NAVEX32A.DLL
2010-02-17 09:45 . 2010-04-14 08:25 1324720 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20100413.048\NAVEX15.SYS
2010-02-17 09:45 . 2010-04-14 08:25 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20100413.048\EECTRL.SYS
2010-02-17 09:45 . 2010-04-14 08:25 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20100413.048\CCERASER.DLL
2010-02-17 09:45 . 2010-04-14 08:25 259440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20100413.048\ECMSVR32.DLL
2010-02-17 09:45 . 2010-04-14 08:25 102448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20100413.048\ERASER.SYS
2010-02-17 09:40 . 2009-08-08 00:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-02-17 09:38 . 2009-08-08 00:52 -------- d-----w- c:\program files\Symantec
2010-02-17 09:38 . 2010-02-17 09:38 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-02-17 09:38 . 2010-02-17 09:38 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-02-17 09:38 . 2010-02-17 09:38 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-02-17 09:38 . 2010-02-17 09:38 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-02-17 09:37 . 2010-02-17 09:37 -------- d-----w- c:\program files\Norton Internet Security
2010-02-17 09:36 . 2010-02-17 09:36 -------- d-----w- c:\program files\NortonInstaller
2010-02-17 09:27 . 2009-08-08 00:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
.
CODE
c:\program files\Adobe\Acrobat 7.0\Reader\adobeupdatemanager .exe
c:\program files\HP\HP Software Update\hpwuschd .exe
c:\program files\HP\hpcoretech\hpcmpmgr .exe
c:\program files\Intel\Wireless\Bin\ifrmewrk .exe
c:\program files\Intel\Wireless\Bin\zcfgsvc .exe
c:\program files\ltmoh\ltmoh .exe
c:\program files\Plaxo\3.17.0.16\plaxohelper_en .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Synaptics\SynTP\syntpenh .exe
c:\program files\TOSHIBA\TOSCDSPD\toscdspd .exe
c:\program files\TOSHIBA\TOSHIBA Applet\thotkey .exe
c:\program files\TOSHIBA\TOSHIBA Zooming Utility\smoothview .exe
c:\program files\TOSHIBA\Tvs\tvstray .exe
c:\windows\system32\DLA\dlactrlw .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 88203]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"NDSTray.exe"="NDSTray.exe" [N/A]
"TFncKy"="TFncKy.exe" [N/A]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-9-16 237568]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2009-7-10 323584]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-8-15 813584]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-1-18 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 16:28 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\FRONTPG.EXE"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1106000.020\symds.sys [4/6/2010 5:18 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1106000.020\symefa.sys [4/6/2010 5:18 PM 172592]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20100324.001\BHDrvx86.sys [3/24/2010 4:38 PM 536112]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1106000.020\cchpx86.sys [4/6/2010 5:18 PM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1106000.020\ironx86.sys [4/6/2010 5:18 PM 116784]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.6.0.32\ccsvchst.exe [4/6/2010 5:17 PM 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/17/2010 4:39 PM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20100409.001\IDSXpx86.sys [4/14/2010 4:26 AM 329592]
S2 Pervasive.SQL Workgroup Engine;Pervasive.SQL Workgroup Engine;c:\windows\system32\srvany.exe [10/14/2006 12:38 PM 8192]
S3 COAX;COAX;c:\windows\system32\drivers\COAX.sys [9/20/2006 9:19 PM 26528]
S3 RMBS;RMBS; [x]
.
Contents of the 'Scheduled Tasks' folder

2006-07-13 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-01-19 00:12]

2006-07-13 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-01-19 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cnn.com/
uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: noaa.gov\www.nhc
Trusted Zone: rhapsody.com\www
Trusted Zone: sportsline.com\www
DPF: {ECD55D89-AB73-4194-A9D6-237164DFC9D4} - hxxp://ind1nt231/webcore/cab/InstallFontTools.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-14 04:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x81FA2AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf8667f28
\Driver\ACPI -> ACPI.sys @ 0xf85bacb8
\Driver\atapi -> atapi.sys @ 0xf8554852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Intel® PRO/100 VE Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf837dbb0
PacketIndicateHandler -> NDIS.sys @ 0xf838aa21
SendHandler -> NDIS.sys @ 0xf836887b
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.6.0.32\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.6.0.32\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(856)
c:\windows\system32\WININET.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'lsass.exe'(916)
c:\windows\system32\WININET.dll
.
Completion time: 2010-04-14 05:06:46
ComboFix-quarantined-files.txt 2010-04-14 09:06

Pre-Run: 48,669,958,144 bytes free
Post-Run: 55,128,018,944 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - B49FAAEE2D31C82DB4FA2FBDCD307991


#4 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 14 April 2010 - 12:25 PM

Hi Brian2010,

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
RenV::
c:\program files\Adobe\Acrobat 7.0\Reader\adobeupdatemanager .exe
c:\program files\HP\HP Software Update\hpwuschd .exe
c:\program files\HP\hpcoretech\hpcmpmgr .exe
c:\program files\Intel\Wireless\Bin\ifrmewrk .exe
c:\program files\Intel\Wireless\Bin\zcfgsvc .exe
c:\program files\ltmoh\ltmoh .exe
c:\program files\Plaxo\3.17.0.16\plaxohelper_en .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Synaptics\SynTP\syntpenh .exe
c:\program files\TOSHIBA\TOSCDSPD\toscdspd .exe
c:\program files\TOSHIBA\TOSHIBA Applet\thotkey .exe
c:\program files\TOSHIBA\TOSHIBA Zooming Utility\smoothview .exe
c:\program files\TOSHIBA\Tvs\tvstray .exe
c:\windows\system32\DLA\dlactrlw .exe
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001
Driver::
RMBS


Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Edited by syler, 14 April 2010 - 12:26 PM.

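The CFScript in post #4 acts on exactly what is visible in the ComboFix log of post #3: executables renamed to "name .exe", the Security Center AntiVirusOverride value set, the XP firewall policy turned off, and the RMBS service whose file is gone. The Python below is an added example (not ComboFix's, BleepingComputer's or syler's code) that scans a constructed excerpt of that log for those indicators, reports the ">>UNKNOWN<<" module from the Gmer MBR check for a human to look at rather than auto-fixing it, and drafts the same RenV::/Registry::/Driver:: sections; the log excerpt, the Finding class and the function names are assumptions made for this example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: a subset of lines in the shape of the ComboFix log posted
# in this thread, embedded so the example runs offline.
SAMPLE_LOG = """\
c:\\program files\\QuickTime\\qttask .exe
c:\\windows\\system32\\DLA\\dlactrlw .exe
c:\\program files\\Adobe\\Acrobat 7.0\\Reader\\reader_sl.exe
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)
R0 SymDS;Symantec Data Store;c:\\windows\\system32\\drivers\\NIS\\1106000.020\\symds.sys [4/6/2010 5:18 PM 328752]
S3 RMBS;RMBS; [x]
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x81FA2AC8]<<
"""

# A legitimate path never ends in " .exe"; that space is what RenV:: undoes.
RENAMED_EXE = re.compile(r"^([A-Za-z]:\\.*\S) \.exe\s*$")
REG_KEY = re.compile(r"^\[(.+)\]\s*$")
REG_VALUE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
DRIVER = re.compile(r"^([RS][0-4]) ([^;]+);[^;]*;\s*(.*)$")   # R0 name;desc;path [..]
DWORD = re.compile(r"^(?:dword:)?(?:0x)?([0-9A-Fa-f]+)")


@dataclass(frozen=True)
class Finding:
    kind: str    # renamed_exe | av_override | firewall_off | missing_driver | mbr_unknown
    detail: str  # path, "key\\value", driver name or the raw line


def parse_dword(raw: str) -> int | None:
    """'dword:00000001' -> 1, '0 (0x0)' -> 0 (leading digits read as hex, which
    is all the 0/1 policy checks below need); None if there is no number."""
    m = DWORD.match(raw.strip())
    return int(m.group(1), 16) if m else None


def scan_log(text: str) -> list[Finding]:
    """Walk ComboFix-style log lines and collect the indicators this thread's
    helper acted on, plus the unknown module in the Gmer MBR call chain."""
    findings: list[Finding] = []
    key = ""  # registry key the following "name"=value lines belong to
    for line in text.splitlines():
        line = line.rstrip()
        if m := RENAMED_EXE.match(line):
            findings.append(Finding("renamed_exe", m.group(1) + " .exe"))
        elif m := REG_KEY.match(line):
            key = m.group(1)
        elif m := REG_VALUE.match(line):
            name, val = m.group(1), parse_dword(m.group(2))
            lk, ln = key.lower(), name.lower()
            # *Override values under Security Center stop Windows monitoring AV/firewall state.
            if "security center" in lk and ln.endswith("override") and val:
                findings.append(Finding("av_override", f"{key}\\{name}"))
            elif "firewallpolicy" in lk and ln == "enablefirewall" and val == 0:
                findings.append(Finding("firewall_off", f"{key}\\{name}"))
        elif m := DRIVER.match(line):
            if m.group(3).strip() == "[x]":          # service registered, file gone
                findings.append(Finding("missing_driver", m.group(2)))
        elif ">>UNKNOWN [" in line:                  # Gmer could not attribute a module
            findings.append(Finding("mbr_unknown", line))
    return findings


def draft_cfscript(findings: list[Finding]) -> str:
    """Draft the CFScript sections a helper would write from these findings, using
    the directives the thread itself uses (RenV::, Registry::, Driver::). The
    mbr_unknown finding is deliberately left for a human analyst."""
    renamed = [f.detail for f in findings if f.kind == "renamed_exe"]
    drivers = [f.detail for f in findings if f.kind == "missing_driver"]
    reg: list[str] = []
    for f in findings:
        key, _, name = f.detail.rpartition("\\")
        if f.kind == "av_override":
            reg.append(f'[{key}]\n"{name}"=dword:00000000')
        elif f.kind == "firewall_off":
            reg.append(f'[{key}]\n"{name}"=dword:00000001')
    sections = []
    if renamed:
        sections.append("RenV::\n" + "\n".join(renamed))
    if reg:
        sections.append("Registry::\n" + "\n".join(reg))
    if drivers:
        sections.append("Driver::\n" + "\n".join(drivers))
    return "\n".join(sections) + ("\n" if sections else "")


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:15} {f.detail}")
    print("--- draft CFScript ---")
    print(draft_cfscript(found), end="")
```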


#5 Brian2010

Brian2010
  • Topic Starter

  • Members
  • 22 posts

Posted 14 April 2010 - 05:05 PM

Hi Syler,

A couple of things of note: I went offline to do the scan. Once offline, I disabled the Norton firewall also, and ran the script/scan. After the reboot, when I first opened Internet Explorer, I got a message that stated it was not my default browser and asked if I wanted to make it my default browser. I clicked no. This message appeared after the first scan, too. After the first scan's reboot, I did click on yes to make it my default. When right-clicking on Internet Explorer, instead of getting shortcut information, the system defaults to Internet Properties. I don't know if that's normal for IE or not. I always thought the shortcuts on the desktop, when checking properties, showed you where the executable file was located. Anyway, here's the newest log:

ComboFix 10-04-13.03 - Brian 04/14/2010 17:14:00.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.217 [GMT -4:00]
Running from: c:\documents and settings\Brian\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Brian\Desktop\CFScript.txt
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_RMBS


((((((((((((((((((((((((( Files Created from 2010-03-14 to 2010-04-14 )))))))))))))))))))))))))))))))
.

2010-04-14 21:02 . 2010-02-17 09:45 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20100414.004\NAVEX32A.DLL
2010-04-14 21:02 . 2010-02-17 09:45 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20100414.004\NAVENG32.DLL
2010-04-14 21:02 . 2010-02-17 09:45 1324720 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20100414.004\NAVEX15.SYS
2010-04-14 21:02 . 2010-02-17 09:45 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20100414.004\NAVENG.SYS
2010-04-14 21:02 . 2010-02-17 09:45 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20100414.004\EECTRL.SYS
2010-04-14 21:02 . 2010-02-17 09:45 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20100414.004\CCERASER.DLL
2010-04-14 21:02 . 2010-02-17 09:45 259440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20100414.004\ECMSVR32.DLL
2010-04-14 21:02 . 2010-02-17 09:45 102448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20100414.004\ERASER.SYS
2010-04-14 08:26 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20100409.001\Scxpx86.dll
2010-04-14 08:26 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20100409.001\IDSxpx86.dll
2010-04-14 08:26 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20100409.001\IDSvix86.sys
2010-04-14 08:26 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20100409.001\IDSXpx86.sys
2010-04-14 08:26 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20100409.001\IDSviA64.sys
2010-04-10 18:20 . 2010-04-10 18:36 -------- d-----w- c:\windows\BDOSCAN8
2010-04-10 15:50 . 2010-04-10 15:50 -------- d-----w- C:\backup
2010-04-10 01:41 . 2010-04-10 01:42 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-10 01:40 . 2010-04-10 01:40 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-09 08:40 . 2008-04-13 18:40 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-04-09 08:40 . 2008-04-13 18:40 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-04-09 08:39 . 2008-04-13 18:41 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-04-09 08:39 . 2008-04-13 18:41 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-04-09 08:37 . 2008-04-13 18:40 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-04-09 08:37 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-04-09 08:32 . 2010-04-09 08:32 -------- d-----w- C:\spoolerlogs
2010-04-05 21:32 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20100402.001\Scxpx86.dll
2010-04-05 21:32 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20100402.001\IDSvix86.sys
2010-04-05 21:32 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20100402.001\IDSXpx86.sys
2010-04-05 21:32 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20100402.001\IDSxpx86.dll
2010-04-05 21:32 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20100402.001\IDSviA64.sys
2010-03-24 20:38 . 2010-03-24 20:38 536112 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20100324.001\BHDrvx86.sys
2010-03-24 20:38 . 2010-03-24 20:38 201616 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20100324.001\BHRules.dll
2010-03-24 20:38 . 2010-03-24 20:38 1407888 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20100324.001\BHEngine.dll
2010-03-24 20:38 . 2010-03-24 20:38 678960 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20100324.001\BHDrvx64.sys
2010-03-24 20:38 . 2010-03-24 20:38 611216 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20100324.001\bbRGen.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-14 21:13 . 2009-08-13 08:46 -------- d-----w- c:\program files\QuickTime
2010-04-14 21:13 . 2006-01-19 03:57 -------- d-----w- c:\program files\ltmoh
2010-04-10 23:10 . 2010-03-11 09:58 -------- d-----w- c:\program files\Windows Live Safety Center
2010-04-09 07:56 . 2009-08-09 19:19 -------- d-----w- c:\program files\Plaxo
2010-04-06 01:16 . 2009-08-11 21:15 -------- d-----w- c:\program files\Coupons
2010-03-25 23:29 . 2010-02-17 09:38 786800 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\coFFPlgn\components\coFFPlgn.dll
2010-03-15 00:32 . 2010-03-15 00:32 -------- d-----w- c:\documents and settings\Brian\Application Data\E-centives
2010-03-15 00:32 . 2010-03-15 00:32 423464 ----a-w- c:\documents and settings\Brian\Application Data\E-centives\BSTIEPrintCtl1.dll
2010-03-12 01:22 . 2009-08-15 19:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-12 00:53 . 2010-03-12 00:53 46952 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\OCS\Download\.hsie2010.exe
2010-03-12 00:53 . 2010-03-12 00:53 24952 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\OCS\Download\.CLT2010.exe
2010-03-12 00:52 . 2010-02-17 09:37 968560 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\OCS\hsplayer.dll
2010-03-12 00:52 . 2010-03-12 00:52 -------- d-----w- c:\documents and settings\Brian\Application Data\Tific
2010-03-10 11:49 . 2009-11-17 22:42 79488 ----a-w- c:\documents and settings\Brian\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-03-07 16:55 . 2008-03-03 00:59 -------- d-----w- c:\documents and settings\Brian\Application Data\U3
2010-02-25 06:24 . 2006-01-19 02:02 916480 ------w- c:\windows\system32\wininet.dll
2010-02-17 10:20 . 2006-09-05 00:53 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-02-17 09:40 . 2009-08-08 00:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-02-17 09:38 . 2009-08-08 00:52 -------- d-----w- c:\program files\Symantec
2010-02-17 09:38 . 2010-02-17 09:38 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-02-17 09:38 . 2010-02-17 09:38 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-02-17 09:38 . 2010-02-17 09:38 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-02-17 09:38 . 2010-02-17 09:38 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-02-17 09:37 . 2010-02-17 09:37 -------- d-----w- c:\program files\Norton Internet Security
2010-02-17 09:36 . 2010-02-17 09:36 -------- d-----w- c:\program files\NortonInstaller
2010-02-17 09:27 . 2009-08-08 00:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 88203]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"NDSTray.exe"="NDSTray.exe" [BU]
"TFncKy"="TFncKy.exe" [BU]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-9-16 237568]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2009-7-10 323584]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-8-15 813584]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-1-18 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 16:28 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\FRONTPG.EXE"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1106000.020\symds.sys [4/6/2010 5:18 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1106000.020\symefa.sys [4/6/2010 5:18 PM 172592]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20100324.001\BHDrvx86.sys [3/24/2010 4:38 PM 536112]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1106000.020\cchpx86.sys [4/6/2010 5:18 PM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1106000.020\ironx86.sys [4/6/2010 5:18 PM 116784]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.6.0.32\ccsvchst.exe [4/6/2010 5:17 PM 126392]
R2 Pervasive.SQL Workgroup Engine;Pervasive.SQL Workgroup Engine;c:\windows\system32\srvany.exe [10/14/2006 12:38 PM 8192]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/17/2010 4:39 PM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20100409.001\IDSXpx86.sys [4/14/2010 4:26 AM 329592]
S3 COAX;COAX;c:\windows\system32\drivers\COAX.sys [9/20/2006 9:19 PM 26528]
.
Contents of the 'Scheduled Tasks' folder

2006-07-13 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-01-19 00:12]

2006-07-13 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-01-19 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cnn.com/
uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: noaa.gov\www.nhc
Trusted Zone: rhapsody.com\www
Trusted Zone: sportsline.com\www
DPF: {ECD55D89-AB73-4194-A9D6-237164DFC9D4} - hxxp://ind1nt231/webcore/cab/InstallFontTools.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-14 17:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x81F9BAC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf867bf28
\Driver\ACPI -> ACPI.sys @ 0xf85cecb8
\Driver\atapi -> atapi.sys @ 0xf8568852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Intel® PRO/Wireless 3945ABG Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf8391bb0
PacketIndicateHandler -> NDIS.sys @ 0xf8380a0d
SendHandler -> NDIS.sys @ 0xf8394b40
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.6.0.32\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.6.0.32\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(860)
c:\windows\system32\WININET.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'lsass.exe'(920)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3688)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\windows\system32\drivers\CDAC11BA.EXE
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\pvsw\bin\w3dbsmgr.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\windows\AGRSMMSG.exe
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
.
**************************************************************************
.
Completion time: 2010-04-14 17:39:39 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-14 21:39
ComboFix2.txt 2010-04-14 09:06

Pre-Run: 55,147,139,072 bytes free
Post-Run: 55,005,691,904 bytes free

- - End Of File - - A9539115CBCB66ACE547348EE4E21A0E


#6 Brian2010 (Topic Starter, Members, 22 posts)

Posted 14 April 2010 - 06:47 PM

Out of curiosity, I looked in the folders on this most recent log. There is a vma.exe file in c:\documents and settings\NetworkService\Local Settings\Application Data\

Googling this suggests that it is a trojan/malware. Let me know your thoughts, as I have not done anything to that file.


#7 syler (Malware Response Team, 8,150 posts, Warrington, UK)

Posted 15 April 2010 - 05:34 AM

Ok, let's do this next.


Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • A blank window shall open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy the content of the following code box into the main text field:
    :filefind
    afd.*
  • Please confirm everything is copied and pasted as I have provided above.
  • Click the Look button to start the scan.
  • When finished, a Notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

#8 Brian2010 (Topic Starter, Members, 22 posts)

Posted 15 April 2010 - 04:36 PM

Okay. I stayed connected to the internet and kept Norton AV and FW running. I received a Windows update while the scan was running. Should I update windows or will this mess with your analysis? As far as I can tell, the virus started wreaking havoc on 4/9/2010. Here's the log:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 17:22 on 15/04/2010 by Brian (Administrator - Elevation successful)

========== filefind ==========

Searching for "afd.*"
C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\afd.sys --a--- 138368 bytes [10:44 20/06/2008] [10:44 20/06/2008] D99DDFFB33DEACDCF20717CB520379F6
C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\afd.sys --a--- 138496 bytes [11:40 20/06/2008] [11:40 20/06/2008] E3049B90FE06F3F740B7CFDA44995E2C
C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\afd.sys --a--- 138496 bytes [11:48 20/06/2008] [11:48 20/06/2008] D6EE6014241D034E63C49A50CB2B442A
C:\WINDOWS\$hf_mig$\KB956803\SP3QFE\afd.sys --a--- 138496 bytes [00:20 03/01/2009] [10:34 14/08/2008] 4D43E74F2A1239D53929B82600F1971C
C:\WINDOWS\$NtServicePackUninstall$\afd.sys -----c 138368 bytes [13:18 04/09/2008] [10:44 20/06/2008] 944CA435BFCFC82CC1ED9E3A7D731AA9
C:\WINDOWS\$NtUninstallKB951748$\afd.sys -----c 138112 bytes [13:31 04/09/2008] [19:19 13/04/2008] 322D0E36693D6E24A2398BEE62A268CD
C:\WINDOWS\$NtUninstallKB951748_0$\afd.sys -----c 138496 bytes [01:09 18/08/2008] [12:00 04/08/2004] 5AC495F4CB807B2B98AD2AD591E6D92E
C:\WINDOWS\$NtUninstallKB956803$\afd.sys -----c 138496 bytes [03:29 03/01/2009] [11:40 20/06/2008] E3049B90FE06F3F740B7CFDA44995E2C
C:\WINDOWS\I386\AFD.SY_ --a--- 71536 bytes [02:03 19/01/2006] [12:00 04/08/2004] 2F39BB75EC3970BA7CDCE4F28BB9784F
C:\WINDOWS\ServicePackFiles\i386\afd.sys ------ 138112 bytes [23:42 17/08/2008] [19:19 13/04/2008] 322D0E36693D6E24A2398BEE62A268CD
C:\WINDOWS\system32\dllcache\afd.sys -----c 138496 bytes [11:40 20/06/2008] [10:04 14/08/2008] 7E775010EF291DA96AD17CA4B17137D7
C:\WINDOWS\system32\drivers\afd.sys --a--- 138496 bytes [02:01 19/01/2006] [10:04 14/08/2008] 7E775010EF291DA96AD17CA4B17137D7

-=End Of File=-
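
As an added example, not part of the thread and not code from SystemLook's author: a small Python parser for the filefind output above that groups the copies of afd.sys by MD5 and reports whether the live driver under system32\drivers matches the Windows File Protection copy in dllcache (the sample lines are copied from the log above; the function and field names are my own). One caveat worth keeping in mind: a kernel-mode rootkit of the TDSS/Tidserv family this thread is about is known to hand clean file contents to user-mode readers, so matching hashes reported from inside the running system are not proof that the driver on disk is clean, which is why an offline replacement from the Recovery Console, as done in the following posts, is still worthwhile.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: a subset of the filefind lines from the SystemLook log above,
# copied as they appear there (path, attribute flags, size, two timestamps, MD5).
SYSTEMLOOK_SAMPLE = r"""
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 17:22 on 15/04/2010 by Brian (Administrator - Elevation successful)

========== filefind ==========

Searching for "afd.*"
C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\afd.sys --a--- 138496 bytes [11:40 20/06/2008] [11:40 20/06/2008] E3049B90FE06F3F740B7CFDA44995E2C
C:\WINDOWS\$NtUninstallKB951748$\afd.sys -----c 138112 bytes [13:31 04/09/2008] [19:19 13/04/2008] 322D0E36693D6E24A2398BEE62A268CD
C:\WINDOWS\I386\AFD.SY_ --a--- 71536 bytes [02:03 19/01/2006] [12:00 04/08/2004] 2F39BB75EC3970BA7CDCE4F28BB9784F
C:\WINDOWS\ServicePackFiles\i386\afd.sys ------ 138112 bytes [23:42 17/08/2008] [19:19 13/04/2008] 322D0E36693D6E24A2398BEE62A268CD
C:\WINDOWS\system32\dllcache\afd.sys -----c 138496 bytes [11:40 20/06/2008] [10:04 14/08/2008] 7E775010EF291DA96AD17CA4B17137D7
C:\WINDOWS\system32\drivers\afd.sys --a--- 138496 bytes [02:01 19/01/2006] [10:04 14/08/2008] 7E775010EF291DA96AD17CA4B17137D7

-=End Of File=-
"""

# One result line: <path> <6 attribute flags> <size> bytes [<created>] [<modified>] <MD5>
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) (?P<attrs>[-a-z]{6}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)


@dataclass(frozen=True)
class FileHit:
    path: str
    attrs: str      # SystemLook attribute flags, e.g. "-----c" (c = compressed)
    size: int
    created: str
    modified: str
    md5: str


def parse_filefind(text):
    """Return one FileHit per result line of a SystemLook :filefind log."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append(FileHit(m["path"], m["attrs"], int(m["size"]),
                                m["created"], m["modified"], m["md5"].upper()))
    return hits


def group_by_md5(hits):
    """Map MD5 -> list of paths, so identical copies are visible at a glance."""
    groups = defaultdict(list)
    for h in hits:
        groups[h.md5].append(h.path)
    return dict(groups)


def check_live_driver(hits, name):
    """Compare the driver in the drivers folder with every other copy of it.

    Different hashes under $NtUninstall*/ServicePackFiles are expected (older
    builds); the copy that matters is dllcache, which Windows File Protection
    uses to repair the live file. Cab-compressed copies (AFD.SY_) are skipped.
    """
    name = name.lower()
    live = next((h for h in hits
                 if h.path.lower().endswith("\\system32\\drivers\\" + name)), None)
    if live is None:
        raise ValueError(f"no live copy of {name} in log")
    same, different = [], []
    for h in hits:
        if h is live or not h.path.lower().endswith(name):
            continue
        (same if h.md5 == live.md5 else different).append(h.path)
    matches_dllcache = any("\\dllcache\\" in p.lower() for p in same)
    return {"live_md5": live.md5, "same": same, "different": different,
            "matches_dllcache": matches_dllcache}


if __name__ == "__main__":
    hits = parse_filefind(SYSTEMLOOK_SAMPLE)
    for md5, paths in group_by_md5(hits).items():
        print(md5, *paths, sep="\n    ")
    print(check_live_driver(hits, "afd.sys"))
```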

#9 Brian2010 (Topic Starter, Members, 22 posts)

Posted 16 April 2010 - 03:15 AM

Because of my settings, Windows did update when I shut down.

#10 syler (Malware Response Team, 8,150 posts, Warrington, UK)

Posted 16 April 2010 - 08:07 AM

We need to replace a file using the recovery console.

  • Go to Start >> Run
  • Copy and paste the following command line into the Run box, then click OK.
CMD /K COPY C:\WINDOWS\system32\dllcache\afd.sys C:\afd.sys
  • The command prompt should pop up and say "1 file(s) copied"; if it doesn't, please let me know before continuing.



Reboot your computer.

On the black screen with the startup menu select Microsoft Windows Recovery Console.

When the Recovery Console has started, there is a menu where you're asked to select which Windows installation you want to log in to; usually there is only one:

1. C:\WINDOWS

Select the number and press Enter.

If it asks you to type the administrator password, do so, then press Enter.

It should then come up with C:\WINDOWS>

Now type in the following line, then press Enter.

COPY C:\afd.sys C:\windows\system32\drivers\afd.sys

It will then ask if you want to overwrite afd.sys; press Y, then Enter.

If successful it should say "1 file(s) copied"

Then type EXIT and press Enter to reboot the machine.


  • Go to Start >> Run
  • Copy and paste the following command line into the Run box, then click OK.
cmd /c mbr -t& start mbr.log
  • A file called mbr.log will pop up; please post the contents in your reply.

#11 Brian2010 (Topic Starter, Members, 22 posts)

Posted 16 April 2010 - 04:32 PM

Okay. It let me copy that file from cache. Many thanks for your help. Whatever is on this computer is either emulating many viruses or the computer truly got attacked by multiple viruses from some website or ad. When I check the history in Norton, recent attacks that were blocked are: trojan.fakeav (av.exe), trojan.fakeav (msascui.exe), packed.mystic!gen3. Unauthorized access was logged from c:\windows\system32\mrt.exe three times on Thursday targeting c:\program files\norton internet security\engine\17.6.0.32\ccsvchst.exe. Norton also seems to block access to this same file once every time the computer is booted, but when it was blocked, it was blocked from c:\windows\system32\services.exe.

Here's the MBR log:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
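
As an added example, not part of the thread and not code from Gmer: a Python parser for the two detector logs in this thread (the one in post #5, from before the driver was replaced, and the one just above). It separates the traced call chain from the >>UNKNOWN [addr]<< marker and the hook list; the point it makes is that "user & kernel MBR OK" appears in both logs, so that line alone says nothing about a rootkit living in a driver rather than in the boot sector. The unattributed module in the call chain and the redirected driver procedures are the findings that matter, and both are gone in the later log. Sample logs are copied from the thread and trimmed; function names are my own.

```python
import re

# Constructed samples: the two "Stealth MBR rootkit detector" logs from this thread,
# before the afd.sys replacement (post #5) and after it (post #11), trimmed.
MBR_LOG_BEFORE = r"""
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x81F9BAC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf867bf28
\Driver\ACPI -> ACPI.sys @ 0xf85cecb8
\Driver\atapi -> atapi.sys @ 0xf8568852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
user & kernel MBR OK
"""

MBR_LOG_AFTER = r"""
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
"""

# Code address in the call chain that belongs to no loaded module.
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
# "<target> -> <module> @ <address>"; the target may itself contain " -> " steps.
HOOK_RE = re.compile(r"^(?P<target>.+?) -> (?P<module>\S+) @ (?P<addr>0x[0-9A-Fa-f]+)$")


def parse_mbr_log(text):
    """Extract the call chain, unknown addresses, hook list and MBR verdict."""
    report = {"called_modules": [], "unknown_modules": [], "hooks": [], "mbr_ok": False}
    in_hooks = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("called modules:"):
            rest = line[len("called modules:"):]
            report["unknown_modules"] = UNKNOWN_RE.findall(rest)
            report["called_modules"] = UNKNOWN_RE.sub("", rest).split()
            continue
        if line == "detected MBR rootkit hooks:":
            in_hooks = True
            continue
        if in_hooks:
            m = HOOK_RE.match(line)
            if m:
                report["hooks"].append((m["target"], m["module"], m["addr"]))
                continue
            in_hooks = False          # first non-hook line ends the section
        if line == "user & kernel MBR OK":
            report["mbr_ok"] = True
    return report


def assess(report):
    """Return the findings a responder should act on; an empty list is clean."""
    findings = []
    if report["unknown_modules"]:
        findings.append("unattributed code in the disk I/O path at "
                        + ", ".join(report["unknown_modules"]))
    if report["hooks"]:
        findings.append(f"{len(report['hooks'])} hooked driver/device object procedure(s)")
    if not report["mbr_ok"]:
        findings.append("user-mode and kernel-mode MBR reads disagree")
    return findings


if __name__ == "__main__":
    for label, log in (("before", MBR_LOG_BEFORE), ("after", MBR_LOG_AFTER)):
        print(label, assess(parse_mbr_log(log)) or ["no findings"])
```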


#12 Brian2010 (Topic Starter, Members, 22 posts)

Posted 16 April 2010 - 04:35 PM

Oops, just noticed my error. The daily block is not on the same file, but is the same path. When it blocks services.exe, Norton says it's a duplicate object.

#13 Brian2010 (Topic Starter, Members, 22 posts)

Posted 16 April 2010 - 06:46 PM

Things are much better. MSCONFIG does not give me the message that it can only be changed by an administrator. I have not been redirected on IE8 for about 45 minutes. Norton is still showing unauthorized access blocked or allowed. Most of them pertain to the ccsvchst.exe file, which I think is Norton's. The computer boots faster also. One thing I did do is uninstall Java, as I heard older versions had security leaks on some internet ads. I think I scrolled over an ad when the virus came in. I'll probably need to reinstall Java with the most current version at some point. According to Norton's Safe Web site both www.java.com and www.sun.com are safe, but both have a couple of people that logged comments that said they were unsafe. So, I'm not reloading Java until I know which one is supposed to be the right one. Your experience and effort is helping me tremendously and I can't thank you enough. What's the next step to make sure this virus or viruses are completely eradicated?

#14 syler (Malware Response Team, 8,150 posts, Warrington, UK)

Posted 17 April 2010 - 05:40 AM

Hi, I'm glad it's running better now. Let's make sure that you are malware free.


Please download Malwarebytes' Anti-Malware from Here

Note: If you already have Malwarebytes' Anti-Malware, just update then run it.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply .
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



Then please run combofix again and post the new log along with the mbam log.

Thanks

#15 Brian2010 (Topic Starter, Members, 22 posts)

Posted 17 April 2010 - 05:03 PM

During the MBAM scan, Norton blocked the mysticgen virus and removed the vma.exe file I had referenced earlier in the post. This feels very much like an onion where we are peeling back the layers to get to the core. Here's the MBAM log:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4002

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/17/2010 5:27:09 PM
mbam-log-2010-04-17 (17-27-09).txt

Scan type: Quick scan
Objects scanned: 109151
Time elapsed: 13 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

I went offline and disabled Norton AV before running ComboFix again. Here's the new ComboFix log:

ComboFix 10-04-13.03 - Brian 04/17/2010 17:41:21.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.206 [GMT -4:00]
Running from: c:\documents and settings\Brian\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((( Files Created from 2010-03-17 to 2010-04-17 )))))))))))))))))))))))))))))))
.

2010-04-17 21:12 . 2010-02-17 09:45 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20100417.002\NAVENG.SYS
2010-04-17 21:12 . 2010-02-17 09:45 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20100417.002\NAVENG32.DLL
2010-04-17 21:12 . 2010-02-17 09:45 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20100417.002\NAVEX32A.DLL
2010-04-17 21:12 . 2010-02-17 09:45 1324720 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20100417.002\NAVEX15.SYS
2010-04-17 21:12 . 2010-02-17 09:45 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20100417.002\EECTRL.SYS
2010-04-17 21:12 . 2010-02-17 09:45 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20100417.002\CCERASER.DLL
2010-04-17 21:12 . 2010-02-17 09:45 259440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20100417.002\ECMSVR32.DLL
2010-04-17 21:12 . 2010-02-17 09:45 102448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20100417.002\ERASER.SYS
2010-04-17 21:11 . 2010-04-17 21:11 -------- d-----w- c:\documents and settings\Brian\Application Data\Malwarebytes
2010-04-17 21:10 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-17 21:10 . 2010-04-17 21:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-17 21:10 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-17 21:10 . 2010-04-17 21:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-16 21:24 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20100415.001\IDSvix86.sys
2010-04-16 21:24 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20100415.001\Scxpx86.dll
2010-04-16 21:24 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20100415.001\IDSxpx86.dll
2010-04-16 21:24 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20100415.001\IDSviA64.sys
2010-04-16 21:24 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20100415.001\IDSXpx86.sys
2010-04-16 21:01 . 2010-04-16 20:55 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2010-04-16 21:01 . 2010-04-16 20:55 138496 ----a-w- C:\afd.sys
2010-04-14 08:26 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20100409.001\Scxpx86.dll
2010-04-14 08:26 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20100409.001\IDSxpx86.dll
2010-04-14 08:26 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20100409.001\IDSvix86.sys
2010-04-14 08:26 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20100409.001\IDSXpx86.sys
2010-04-14 08:26 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20100409.001\IDSviA64.sys
2010-04-10 18:20 . 2010-04-10 18:36 -------- d-----w- c:\windows\BDOSCAN8
2010-04-10 01:41 . 2010-04-10 01:42 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-10 01:40 . 2010-04-10 01:40 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-09 08:40 . 2008-04-13 18:40 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-04-09 08:40 . 2008-04-13 18:40 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-04-09 08:39 . 2008-04-13 18:41 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-04-09 08:39 . 2008-04-13 18:41 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-04-09 08:37 . 2008-04-13 18:40 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-04-09 08:37 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-04-09 08:32 . 2010-04-09 08:32 -------- d-----w- C:\spoolerlogs
2010-03-24 20:38 . 2010-03-24 20:38 536112 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20100324.001\BHDrvx86.sys
2010-03-24 20:38 . 2010-03-24 20:38 201616 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20100324.001\BHRules.dll
2010-03-24 20:38 . 2010-03-24 20:38 1407888 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20100324.001\BHEngine.dll
2010-03-24 20:38 . 2010-03-24 20:38 678960 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20100324.001\BHDrvx64.sys
2010-03-24 20:38 . 2010-03-24 20:38 611216 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20100324.001\bbRGen.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-16 00:11 . 2009-08-15 19:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-14 21:13 . 2009-08-13 08:46 -------- d-----w- c:\program files\QuickTime
2010-04-14 21:13 . 2006-01-19 03:57 -------- d-----w- c:\program files\ltmoh
2010-04-10 23:10 . 2010-03-11 09:58 -------- d-----w- c:\program files\Windows Live Safety Center
2010-04-09 07:56 . 2009-08-09 19:19 -------- d-----w- c:\program files\Plaxo
2010-04-06 01:16 . 2009-08-11 21:15 -------- d-----w- c:\program files\Coupons
2010-03-25 23:29 . 2010-02-17 09:38 786800 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\coFFPlgn\components\coFFPlgn.dll
2010-03-15 00:32 . 2010-03-15 00:32 -------- d-----w- c:\documents and settings\Brian\Application Data\E-centives
2010-03-15 00:32 . 2010-03-15 00:32 423464 ----a-w- c:\documents and settings\Brian\Application Data\E-centives\BSTIEPrintCtl1.dll
2010-03-12 00:53 . 2010-03-12 00:53 46952 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\OCS\Download\.hsie2010.exe
2010-03-12 00:53 . 2010-03-12 00:53 24952 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\OCS\Download\.CLT2010.exe
2010-03-12 00:52 . 2010-02-17 09:37 968560 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\OCS\hsplayer.dll
2010-03-12 00:52 . 2010-03-12 00:52 -------- d-----w- c:\documents and settings\Brian\Application Data\Tific
2010-03-10 11:49 . 2009-11-17 22:42 79488 ----a-w- c:\documents and settings\Brian\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-03-10 06:15 . 2006-01-19 02:02 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-07 16:55 . 2008-03-03 00:59 -------- d-----w- c:\documents and settings\Brian\Application Data\U3
2010-02-25 06:24 . 2006-01-19 02:02 916480 ------w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2006-01-19 02:01 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 13:10 . 2006-01-19 02:02 2189952 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-17 10:20 . 2006-09-05 00:53 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-02-17 09:40 . 2009-08-08 00:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-02-17 09:38 . 2009-08-08 00:52 -------- d-----w- c:\program files\Symantec
2010-02-17 09:38 . 2010-02-17 09:38 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-02-17 09:38 . 2010-02-17 09:38 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-02-17 09:38 . 2010-02-17 09:38 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-02-17 09:38 . 2010-02-17 09:38 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-02-17 09:37 . 2010-02-17 09:37 -------- d-----w- c:\program files\Norton Internet Security
2010-02-17 09:36 . 2010-02-17 09:36 -------- d-----w- c:\program files\NortonInstaller
2010-02-17 09:27 . 2009-08-08 00:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-02-16 13:25 . 2004-08-03 22:59 2066816 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2006-01-19 02:01 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2006-01-19 02:02 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 88203]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"NDSTray.exe"="NDSTray.exe" [BU]
"TFncKy"="TFncKy.exe" [BU]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-9-16 237568]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2009-7-10 323584]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-8-15 813584]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-1-18 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 16:28 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\FRONTPG.EXE"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1106000.020\symds.sys [4/6/2010 5:18 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1106000.020\symefa.sys [4/6/2010 5:18 PM 172592]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20100324.001\BHDrvx86.sys [3/24/2010 4:38 PM 536112]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1106000.020\cchpx86.sys [4/6/2010 5:18 PM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1106000.020\ironx86.sys [4/6/2010 5:18 PM 116784]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.6.0.32\ccsvchst.exe [4/6/2010 5:17 PM 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/17/2010 4:39 PM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20100415.001\IDSXpx86.sys [4/16/2010 5:24 PM 329592]
S2 Pervasive.SQL Workgroup Engine;Pervasive.SQL Workgroup Engine;c:\windows\system32\srvany.exe [10/14/2006 12:38 PM 8192]
S3 COAX;COAX;c:\windows\system32\drivers\COAX.sys [9/20/2006 9:19 PM 26528]
.
Contents of the 'Scheduled Tasks' folder

2006-07-13 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-01-19 00:12]

2006-07-13 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-01-19 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cnn.com/
uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: noaa.gov\www.nhc
Trusted Zone: rhapsody.com\www
Trusted Zone: sportsline.com\www
DPF: {ECD55D89-AB73-4194-A9D6-237164DFC9D4} - hxxp://ind1nt231/webcore/cab/InstallFontTools.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-17 17:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.6.0.32\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.6.0.32\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(848)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(3968)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-04-17 17:51:47
ComboFix-quarantined-files.txt 2010-04-17 21:51
ComboFix2.txt 2010-04-14 21:39
ComboFix3.txt 2010-04-14 09:06

Pre-Run: 54,701,191,168 bytes free
Post-Run: 54,729,445,376 bytes free

- - End Of File - - BDC3694A2D850C6841D1006BFBF12F81
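The "Reg Loading Points" section of the log above is where the security-relevant state sits: AntiVirusOverride and FirewallOverride under Security Center, DisableMonitoring under Monitoring\SymantecAntiVirus, and EnableFirewall=0 / DisableNotifications=1 in the standard firewall profile. What follows is an added example (not part of the posted log, not ComboFix's or any BleepingComputer tool's code) that parses a listing in that REGEDIT4-style format and flags those values, run over a constructed sample built from the same key and value names. The notes it attaches are the caveat a practitioner should keep in mind: a third-party suite such as the Norton install visible in this log routinely writes those override and DisableMonitoring values itself, and turns the Windows Firewall off when its own firewall takes over, so each flag is a lead to corroborate against the installed products rather than proof of tampering.

```python
"""Audit Security Center / Windows Firewall policy values in a ComboFix-style
'Reg Loading Points' listing.  Added example; not part of the posted log."""
import re
from typing import Dict, List, NamedTuple, Union

# Constructed sample in the same REGEDIT4-style format as the log above
# (same key and value names; the Run entries show string values pass through).
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 88203]
"NDSTray.exe"="NDSTray.exe" [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"""

KEY_RE = re.compile(r'^\[(.+)\]\s*$')
VAL_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')          # "Name"=<rhs>
DWORD_RE = re.compile(r'^dword:([0-9a-fA-F]{1,8})$')    # dword:00000001
DEC_RE = re.compile(r'^(\d+)\s*\(0x[0-9a-fA-F]+\)$')    # 0 (0x0)

SUITE_NOTE = ('commonly written by an installed third-party AV/firewall suite to '
              'silence Security Center; corroborate before calling it malicious')


class Finding(NamedTuple):
    key: str
    name: str
    value: int
    note: str


def parse_reg_points(text: str) -> Dict[str, Dict[str, Union[int, str]]]:
    """Parse a REGEDIT4-style listing into {key_path: {value_name: value}}.
    'dword:HEX' and 'N (0xN)' become ints; any other right-hand side is kept
    as a string so Run entries and empty firewall-list values are not lost."""
    keys: Dict[str, Dict[str, Union[int, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VAL_RE.match(line)
        if not m or current is None:
            continue
        name, rhs = m.group(1), m.group(2).strip()
        d, n = DWORD_RE.match(rhs), DEC_RE.match(rhs)
        if d:
            keys[current][name] = int(d.group(1), 16)
        elif n:
            keys[current][name] = int(n.group(1))
        else:
            keys[current][name] = rhs
    return keys


def audit(text: str) -> List[Finding]:
    """Flag Security Center overrides and a disabled standard-profile firewall."""
    findings: List[Finding] = []
    for key, values in parse_reg_points(text).items():
        k = key.lower()
        if k.endswith('\\security center'):
            for name in ('AntiVirusOverride', 'FirewallOverride'):
                if values.get(name) == 1:
                    findings.append(Finding(key, name, 1, SUITE_NOTE))
        elif '\\security center\\monitoring\\' in k:
            if values.get('DisableMonitoring') == 1:
                vendor = key.rsplit('\\', 1)[-1]
                findings.append(Finding(key, 'DisableMonitoring', 1,
                                        f'Security Center no longer tracks "{vendor}"; {SUITE_NOTE}'))
        elif k.endswith('firewallpolicy\\standardprofile'):
            if values.get('EnableFirewall') == 0:
                findings.append(Finding(key, 'EnableFirewall', 0,
                                        'Windows Firewall off for the standard profile; '
                                        'expected only if another host firewall is active'))
            if values.get('DisableNotifications') == 1:
                findings.append(Finding(key, 'DisableNotifications', 1,
                                        'blocked-program prompts suppressed'))
    return findings


if __name__ == '__main__':
    for f in audit(SAMPLE_LOG):
        print(f'{f.key}\n  {f.name} = {f.value}: {f.note}')
```

Paste the real "Reg Loading Points" block into `audit()` in place of the constructed sample; on this log it reports the same five values, all of which are consistent with the Norton Internet Security install shown in the services list, so they do not by themselves distinguish suite behaviour from the tampering the original poster described.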




