Possible Malware/Virus Intrusion - Suspect this is rootkit type


  • This topic is locked
14 replies to this topic

#1 icemeister

icemeister

  • Members
  • 9 posts

Posted 20 April 2010 - 01:44 PM

I have noticed that since Sunday afternoon my PC seems to be randomly re-directing my Google searches to different websites other than the link I click on. PC has also slowed slightly. Upon further investigation/searching it would appear I am infected with a rootkit. Can anyone help?
So far I have.....

Installed a copy of Norton 360 and ran a full scan - Nothing shown.
I think this may be because it is hiding itself as genuine system files and I installed it once infected, so think too late.

I have done nothing further until I found this site. Please find attached the DDS logs. Tried running GMER and it seemed to be running OK initially. However, after a while the app just crashes. Think malware may be responsible?

Instead of GMER please find a HijackThis log attached. I have only run a scan and not any fixes as am not sure what to do.

In addition to the above I downloaded a Sophos anti-rootkit analyser. Please find attached a notepad doc with the results it found. Looking through, the only one that seems suspect is the top reg entry. Other than that all normal.

Can you help to fix please? I have major deadlines coming up so any help you can provide would be great.

The way I see it options are as follows:

1. Fix with assistance (hence why I am here)

2. System Restore Point - have one from Saturday created by Windows Update. Although not convinced this thing wouldn't re-appear from what I read.

3. Dell Recovery Disk - use this (which came with the machine). Royal pain coz I have iTunes and other data on the PC which I would need to restore. Other problem is if this disk uses the D: partition (labelled recovery) and this is infected then the problem still exists.

Any help you can provide would be much appreciated. Also, if we are able to remove it will Norton 360 protect me from future infection? Running this and Windows Defender. If not what else can I run that would prevent this and not cause performance issues?

Thanks,

Andrew

(Logs Attached are dds, hijackthis and output pasted from sophos tool).

P.S. Am Running Windows Vista Service Pack 2

Edited by icemeister, 20 April 2010 - 02:42 PM.



#2 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US

Posted 25 April 2010 - 02:42 PM

Hello, and welcome to the Malware Removal forum! My online alias is Blade Zephon, or Blade for short, and I will be assisting you with your malware issues!

If you have since resolved the original problem you were having, we would appreciate you letting us know.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Before we begin cleaning your machine, I'd like to lay out some guidelines for us to follow while we are working together.
  • I will be assisting you with your malware issues. This may or may not resolve other problems you are having with your computer. If you are still having problems after your machine has been determined clean, I will be glad to direct you to the proper forum for assistance.
  • Even if things appear better, that does not mean we are finished. Please continue to follow my instructions until I give you the all clean. Absence of symptoms does not mean that all the malware has been removed. If a piece of the infection is left, it can regenerate and reinfect your machine.
  • Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • I ask that you please refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. If you act independently it will cause changes to your system that I will not be aware of, which will make the process of cleaning the machine a much slower and more difficult process. Additionally, some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you are unsure or confused about any instructions I give you, you should ask me to clarify before doing anything. Additionally, if you run into any problems while carrying out instructions, you should STOP and reply back here explaining what happened.
  • After 5 days if a topic is not replied to we assume it has been abandoned and it is closed. If you need additional time, that is perfectly alright; you just need to let us know beforehand.

***************************************************

Please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

~Blade


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#3 icemeister

icemeister
  • Topic Starter

  • Members
  • 9 posts

Posted 25 April 2010 - 04:35 PM

As per the instructions I have downloaded and run the tool after taking my PC off the internet and disabling my AV (attachment is zipped as requested). Please find attached logs as requested. Can you advise if I am infected and if it can be removed please? What are the next steps?

Many thanks for your assistance.

DESCRIPTION OF PROBLEM
====================

I have noticed that since Sunday afternoon my PC seems to be randomly re-directing my Google searches to different websites other than the link I click on. PC has also slowed slightly. Upon further investigation/searching it would appear I am infected with a rootkit. Can anyone help?
So far I have.....

Installed a copy of Norton 360 and ran a full scan - Nothing shown.
I think this may be because it is hiding itself as genuine system files and I installed it once infected, so think too late.

I have done nothing further until I found this site. Please find attached the DDS logs. Tried running GMER and it seemed to be running OK initially. However, after a while the app just crashes. Think malware may be responsible?

Instead of GMER please find a HijackThis log attached. I have only run a scan and not any fixes as am not sure what to do.

In addition to the above I downloaded a Sophos anti-rootkit analyser. Please find attached a notepad doc with the results it found. Looking through, the only one that seems suspect is the top reg entry. Other than that all normal.

Can you help to fix please? I have major deadlines coming up so any help you can provide would be great.

The way I see it options are as follows:

1. Fix with assistance (hence why I am here)

2. System Restore Point - have one from Saturday created by Windows Update. Although not convinced this thing wouldn't re-appear from what I read.

3. Dell Recovery Disk - use this (which came with the machine). Royal pain coz I have iTunes and other data on the PC which I would need to restore. Other problem is if this disk uses the D: partition (labelled recovery) and this is infected then the problem still exists.

Any help you can provide would be much appreciated. Also, if we are able to remove it will Norton 360 protect me from future infection? Running this and Windows Defender. If not what else can I run that would prevent this and not cause performance issues?

Thanks,

Andrew



P.S. Am Running Windows Vista Service Pack 2


Edited by icemeister, 26 April 2010 - 06:08 AM.


#4 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US

Posted 26 April 2010 - 08:06 PM

Hello icemeister.

QUOTE
Also, if we are able to remove will Norton 360 protect me from future infection?


No program can completely protect you from malware attack for several reasons. As far as Norton360's effectiveness. . . I've had mixed results. It's not one of my recommended programs. The important thing to remember is you should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

Windows Defender is not an antivirus, but an antimalware program. So it is okay to run alongside an Antivirus. Right now though, let's focus on getting you cleaned up. We can discuss antivirus software and other protection measures later.

***************************************************

Download Combofix from any of the links below but rename it to renamed.exe before saving it to your desktop.


Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.
  • Double click on renamed.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


~Blade

In your next reply, please include the following:
ComboFix Log



#5 icemeister

icemeister
  • Topic Starter

  • Members
  • 9 posts

Posted 04 May 2010 - 09:32 AM

Hi,

I will run this tonight. Have been meaning to but it has been absolutely manic. Will undertake tonight and post log files as requested.

Many Thanks for your continued assistance.

Andrew

#6 icemeister

icemeister
  • Topic Starter

  • Members
  • 9 posts

Posted 08 May 2010 - 12:15 PM

Apologies for the delay in replying. It has been a manic couple of weeks.

Have run the ComboFix as requested, which detected a rootkit and rebooted the machine. Please find attached the ComboFix.txt file. I also had a text file called log pop up when ComboFix completed. Looks the same but just in case please find it attached.

Please advise as to next steps.

Your continued assistance is very much appreciated.

ice

ComboFix 10-05-07.07 - amilis 08/05/2010 17:11:48.1.4 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3292.2310 [GMT 1:00]
Running from: c:\users\amilis\Desktop\renamed.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\amilis\AppData\Roaming\Microsoft\~DFK2b64af74.tmp
c:\users\amilis\AppData\Roaming\Microsoft\~DFK2b97cc0a.tmp
c:\users\amilis\AppData\Roaming\Microsoft\1eaadjc.dll
c:\users\amilis\AppData\Roaming\Microsoft\bass.dll
c:\users\amilis\AppData\Roaming\Microsoft\kfgresk.dll
c:\users\amilis\AppData\Roaming\Microsoft\mjcriu.dll
c:\users\amilis\AppData\Roaming\Microsoft\peaadje.dll
c:\users\amilis\AppData\Roaming\Microsoft\qwadjb.dll
c:\users\amilis\AppData\Roaming\Microsoft\rsaadjd.dll
c:\windows\system32\AbaleZip.dll
c:\windows\system32\spool\prtprocs\w32x86\00003ed7.tmp
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
c:\windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job

.
((((((((((((((((((((((((( Files Created from 2010-04-08 to 2010-05-08 )))))))))))))))))))))))))))))))
.

2010-05-08 16:17 . 2010-05-08 16:18 -------- d-----w- c:\users\amilis\AppData\Local\temp
2010-05-08 16:17 . 2010-05-08 16:17 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-24 09:56 . 2010-04-24 09:56 -------- d-----w- c:\program files\Common Files\SWF Studio
2010-04-24 09:40 . 2010-04-24 09:40 -------- d-----w- c:\program files\3ivx
2010-04-24 09:40 . 2010-04-24 09:40 -------- d-----w- c:\programdata\Flip Video
2010-04-24 09:40 . 2010-04-24 09:40 -------- d-----w- c:\program files\Flip Video
2010-04-20 18:23 . 2010-04-20 18:23 -------- d-----w- c:\program files\Trend Micro
2010-04-19 19:52 . 2010-04-19 19:52 -------- d-----w- c:\program files\Sophos
2010-04-19 19:49 . 2010-04-19 19:49 -------- d-----r- c:\program files\Norton Support
2010-04-19 19:46 . 2010-04-19 19:46 -------- d-----w- c:\users\amilis\AppData\Local\Symantec
2010-04-19 19:44 . 2010-04-19 19:44 -------- d-----w- c:\windows\system32\N360_BACKUP
2010-04-19 19:23 . 2010-01-20 22:02 310320 ----a-w- c:\windows\system32\drivers\SymEFA.sys
2010-04-19 19:23 . 2010-01-20 22:02 217136 ----a-w- c:\windows\system32\drivers\symtdi.sys
2010-04-19 19:23 . 2010-01-20 22:02 43696 ----a-w- c:\windows\system32\drivers\srtspx.sys
2010-04-19 19:23 . 2010-01-20 22:02 482432 ----a-w- c:\windows\system32\drivers\cchpx86.sys
2010-04-19 19:23 . 2010-01-20 22:02 259632 ----a-w- c:\windows\system32\drivers\BHDrvx86.sys
2010-04-18 20:03 . 2009-01-15 11:19 23848 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-04-18 20:03 . 2008-04-17 11:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-04-18 20:03 . 2010-04-19 19:24 -------- d-----w- c:\programdata\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2010-04-18 20:02 . 2010-04-18 20:02 -------- d-----w- c:\users\amilis\AppData\Local\Downloaded Installations
2010-04-18 20:02 . 2010-01-20 22:02 25648 ----a-r- c:\windows\system32\drivers\SymIMV.sys
2010-04-18 20:02 . 2010-04-19 19:24 -------- d-----w- c:\program files\Symantec
2010-04-18 20:02 . 2010-04-19 19:23 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-04-18 20:02 . 2010-04-19 22:54 -------- d-----w- c:\windows\system32\drivers\N360
2010-04-18 20:02 . 2010-04-18 20:02 -------- d-----w- c:\program files\Norton 360
2010-04-18 18:40 . 2010-04-18 18:40 -------- d-----w- c:\users\amilis\AppData\Roaming\CamfrogWEB
2010-04-18 11:59 . 2010-04-18 11:59 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-04-18 11:55 . 2010-04-18 19:33 -------- d-----w- c:\programdata\Lavasoft
2010-04-18 11:38 . 2010-04-18 11:38 75776 --sha-r- c:\users\amilis\AppData\Roaming\imgutilh.dll
2010-04-18 11:35 . 2010-04-18 11:35 -------- d-----w- c:\users\amilis\AppData\Roaming\BSD
2010-04-18 11:35 . 2010-04-18 19:51 -------- d-----w- c:\program files\Common Files\BSD
2010-04-18 11:34 . 2010-04-18 19:51 -------- d-----w- c:\programdata\BSD
2010-04-18 11:34 . 2010-04-03 22:16 1571328 ----a-w- c:\windows\bsdsetup.dll
2010-04-14 20:27 . 2010-02-23 11:10 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-14 20:27 . 2010-02-23 11:10 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-14 20:27 . 2010-02-23 11:10 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-14 20:27 . 2010-02-18 14:07 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-14 20:27 . 2010-02-18 14:07 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-14 20:27 . 2010-03-05 14:01 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-04-14 20:27 . 2010-02-18 14:07 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-14 20:27 . 2010-02-18 11:28 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-14 20:18 . 2009-12-23 11:33 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-14 20:18 . 2010-01-13 17:34 98304 ----a-w- c:\windows\system32\cabview.dll
2010-04-14 20:12 . 2010-02-12 10:32 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-04-10 17:40 . 2010-04-10 17:40 -------- d-----w- c:\program files\Belkin
2010-04-10 17:40 . 2010-04-10 17:40 -------- d-----w- c:\users\amilis\AppData\Roaming\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-08 15:53 . 2010-02-13 16:41 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-04-24 09:56 . 2009-04-02 20:26 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-19 19:23 . 2010-04-18 20:02 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-04-19 19:23 . 2010-04-18 20:02 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-04-19 19:23 . 2009-10-12 18:21 -------- d-----w- c:\programdata\Symantec
2010-04-18 20:16 . 2009-10-18 17:05 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-18 20:09 . 2009-10-12 18:21 -------- d-----w- c:\programdata\Norton
2010-04-18 20:02 . 2010-04-18 20:02 1290592 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\SyKnAppS.dll
2010-04-18 20:02 . 2010-04-18 20:02 136840 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\patch25.dll
2010-04-18 20:02 . 2010-04-18 20:02 796016 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\CLT\cltLMSx.dll
2010-04-18 20:01 . 2009-10-12 18:21 -------- d-----w- c:\programdata\NortonInstaller
2010-04-18 19:58 . 2009-10-12 18:21 -------- d-----w- c:\program files\NortonInstaller
2010-04-18 08:00 . 2010-05-08 15:36 84912 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100508.003\NAVENG.SYS
2010-04-18 08:00 . 2010-05-08 15:36 371248 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100508.003\EECTRL.SYS
2010-04-18 08:00 . 2010-05-08 15:36 2747440 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100508.003\CCERASER.DLL
2010-04-18 08:00 . 2010-05-08 15:36 259440 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100508.003\ECMSVR32.DLL
2010-04-18 08:00 . 2010-05-08 15:36 177520 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100508.003\NAVENG32.DLL
2010-04-18 08:00 . 2010-05-08 15:36 1647984 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100508.003\NAVEX32A.DLL
2010-04-18 08:00 . 2010-05-08 15:36 1324720 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100508.003\NAVEX15.SYS
2010-04-18 08:00 . 2010-05-08 15:36 102448 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100508.003\ERASER.SYS
2010-04-17 18:29 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-04-17 16:07 . 2009-04-02 21:01 -------- d-----w- c:\programdata\Microsoft Help
2010-03-21 21:47 . 2009-05-26 22:14 73296 ----a-w- c:\users\amilis\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-23 06:39 . 2010-04-10 17:35 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-04-10 17:35 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 06:33 . 2010-04-10 17:35 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 04:55 . 2010-04-10 17:35 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-22 23:33 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-02-20 23:06 . 2010-03-22 21:16 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05 . 2010-03-22 21:16 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53 . 2010-03-22 21:16 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-13 16:35 . 2010-02-13 16:35 10134 ----a-r- c:\users\amilis\AppData\Roaming\Microsoft\Installer\{35725FBC-A136-4A46-9F29-091759D9BB93}\ARPPRODUCTICON.exe
2010-02-13 15:53 . 2010-02-13 15:53 509552 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb21A5.tmp.exe
2010-02-12 16:41 . 2010-05-08 14:01 558448 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
2009-04-03 04:47 . 2009-04-03 04:43 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-12 39408]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-11-13 247144]
"DMDKFXAIDU"="c:\users\amilis\AppData\Roaming\imgutilh.dll" [2010-04-18 75776]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1151601.exe" [2009-07-31 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2008-07-18 6246400]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-17 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-17 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-17 145944]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-03-25 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-03-13 81920]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-10-12 122880]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 620152]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 2027792]

c:\users\amilis\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
OneNote Table Of Contents.onetoc2 [2009-12-23 3656]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe [2009-12-10 295606]
Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-04-02 20:34 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):aa,95,98,ea,22,b0,ca,01

R2 0208831271620784mcinstcleanup;McAfee Application Installer Cleanup (0208831271620784);c:\users\amilis\AppData\Local\Temp\020883~1.EXE [x]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-13 135664]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\F2A8.tmp [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SYMEFA.SYS [2010-01-20 310320]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\Drivers\N360\0308000.029\BHDrvx86.sys [2010-01-20 259632]
S1 ccHP;Symantec Hash Provider;c:\windows\System32\Drivers\N360\0308000.029\ccHPx86.sys [2010-01-20 482432]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20100505.001\IDSvix86.sys [2010-03-05 343088]
S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2008-07-18 73728]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-09-23 155648]
S2 N360;Norton 360;c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe [2010-01-20 117640]
S2 RtNdPt60;Realtek NDIS Protocol Driver;c:\windows\system32\DRIVERS\RtNdPt60.sys [2008-07-21 27648]
S2 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\O2\bin\sprtsvc.exe [2007-06-07 202280]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [2009-11-13 92008]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-04-18 102448]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-07-17 112128]
S3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\Drivers\N360\0308000.029\SYMNDISV.SYS [2010-01-20 48688]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-05-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-13 16:07]

2010-05-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-13 16:07]

2010-05-08 c:\windows\Tasks\Norton Security Scan for amilis.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.7.0.52\Nss.exe [2010-02-14 11:54]

2010-05-08 c:\windows\Tasks\RtlNICDiagVistaStart.job
- c:\program files\Realtek\RTNICDiag\RTNICDiag.exe [2009-04-02 11:18]

2010-04-25 c:\windows\Tasks\WebReg HP Photosmart C4400 series.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2008-03-25 19:42]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
Trusted Zone: audiko.net
Trusted Zone: meetcam.com
Trusted Zone: o2.co.uk\*.broadband
DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} - hxxp://activex.camfrogweb.com/advanced/2.0.2.3/cfweb_activex.camfrogweb.com-advanced-2.0.2.3_instmodule.exe
DPF: {705EC6D4-B138-4079-A307-EF13E4889A82} - hxxps://bb-bristol-asa.bevanbrittan.com/CACHE/sdesktop/install/binaries/instweb.cab
FF - ProfilePath - c:\users\amilis\AppData\Roaming\Mozilla\Firefox\Profiles\2yesru1q.default\
FF - prefs.js: browser.startup.homepage - hxxp://g.uk.msn.com/USCON/2
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-08 17:18
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll atapi.sys >>UNKNOWN [0x872888C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x82be2d24
\Driver\ACPI -> acpi.sys @ 0x80691d68
\Driver\atapi -> atapi.sys @ 0x8079d9b0
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\F2A8.tmp"
.
Completion time: 2010-05-08 17:21:06
ComboFix-quarantined-files.txt 2010-05-08 16:21

Pre-Run: 403,695,992,832 bytes free
Post-Run: 403,627,372,544 bytes free

- - End Of File - - E282FBFE8017D1BF304AB1EEB1395D90

Edited by Blade Zephon, 09 May 2010 - 04:06 AM.
Posted log in reply to facilitate analysis. Please do not attach logs unless the board software will not let you post them directly. Thanks!


#7 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  • Gender:Male
  • Location:US
  • Local time:01:42 AM

Posted 09 May 2010 - 04:35 AM

Hello icemeister.

Please download: DelDomains.inf
Locate DelDomains.inf right-click and select: Install
Note: you will not see any on-screen action ...
This will remove all entries in the Trusted, Restricted, and Enhanced Security Configuration Zones.
Note: once you do this, any previous restricted zone hacks (SpywareBlaster, IE-SPYAD, etc.) will need to be reapplied.

***************************************************

1. Open notepad and copy/paste the text in the codebox below into it:

CODE
http://www.bleepingcomputer.com/forums/t/311299/possible-malwarevirus-intrusion-suspect-this-is-rootkit-type/

Collect::
c:\users\amilis\AppData\Roaming\imgutilh.dll

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DMDKFXAIDU"=-


Save this as CFScript.txt, in the same location as renamed.exe

2. Close any open browsers.

3. VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.



Referring to the picture above, drag CFScript into renamed.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
~Blade


In your next reply, please include the following:
ComboFix log
How is the computer running now?

Edited by Blade Zephon, 09 May 2010 - 04:38 AM.


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#8 icemeister

icemeister
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:06:42 AM

Posted 15 May 2010 - 02:15 PM

OK, finally got round to running these. Took some time but done now. I have submitted a log online for analysis and attach the ComboFix log file for you. Just ran some initial tests and it seems that some searches are still being hijacked. Searched for webkinz and clicked the link; it took me to k - directory site and when I clicked back it went to the site it should have done.

I await your response for the next step.

Your assistance is very much appreciated.

Ice.

ComboFix 10-05-15.01 - amilis 15/05/2010 18:48:19.2.4 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3292.2432 [GMT 1:00]
Running from: c:\users\amilis\Desktop\renamed.exe
Command switches used :: c:\users\amilis\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

file zipped: c:\users\amilis\AppData\Roaming\imgutilh.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\amilis\AppData\Roaming\imgutilh.dll
c:\windows\system32\AbaleZip.dll

.
((((((((((((((((((((((((( Files Created from 2010-04-15 to 2010-05-15 )))))))))))))))))))))))))))))))
.

2010-05-15 17:55 . 2010-05-15 17:56 -------- d-----w- c:\users\amilis\AppData\Local\temp
2010-05-15 17:55 . 2010-05-15 17:55 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-05-15 17:55 . 2010-05-15 17:55 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-15 12:36 . 2010-05-15 12:36 680 ----a-w- c:\users\amilis\AppData\Local\d3d9caps.dat
2010-05-13 18:44 . 2010-05-13 18:44 19944 ----a-w- c:\windows\system32\drivers\iwepdnja.sys
2010-05-13 18:42 . 2010-05-13 18:44 -------- d-----w- c:\windows\system32\MpEngineStore
2010-05-11 20:53 . 2010-01-29 15:40 738816 ----a-w- c:\windows\system32\inetcomm.dll
2010-04-24 09:56 . 2010-04-24 09:56 -------- d-----w- c:\program files\Common Files\SWF Studio
2010-04-24 09:40 . 2010-04-24 09:40 -------- d-----w- c:\program files\3ivx
2010-04-24 09:40 . 2010-04-24 09:40 -------- d-----w- c:\programdata\Flip Video
2010-04-24 09:40 . 2010-04-24 09:40 -------- d-----w- c:\program files\Flip Video
2010-04-20 18:23 . 2010-04-20 18:23 -------- d-----w- c:\program files\Trend Micro
2010-04-19 19:52 . 2010-04-19 19:52 -------- d-----w- c:\program files\Sophos
2010-04-19 19:49 . 2010-04-19 19:49 -------- d-----r- c:\program files\Norton Support
2010-04-19 19:46 . 2010-04-19 19:46 -------- d-----w- c:\users\amilis\AppData\Local\Symantec
2010-04-19 19:44 . 2010-04-19 19:44 -------- d-----w- c:\windows\system32\N360_BACKUP
2010-04-19 19:23 . 2010-01-20 22:02 310320 ----a-w- c:\windows\system32\drivers\SymEFA.sys
2010-04-19 19:23 . 2010-01-20 22:02 217136 ----a-w- c:\windows\system32\drivers\symtdi.sys
2010-04-19 19:23 . 2010-01-20 22:02 43696 ----a-w- c:\windows\system32\drivers\srtspx.sys
2010-04-19 19:23 . 2010-01-20 22:02 482432 ----a-w- c:\windows\system32\drivers\cchpx86.sys
2010-04-19 19:23 . 2010-01-20 22:02 259632 ----a-w- c:\windows\system32\drivers\BHDrvx86.sys
2010-04-18 20:03 . 2009-01-15 11:19 23848 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-04-18 20:03 . 2008-04-17 11:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-04-18 20:03 . 2010-04-19 19:24 -------- d-----w- c:\programdata\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2010-04-18 20:02 . 2010-04-18 20:02 -------- d-----w- c:\users\amilis\AppData\Local\Downloaded Installations
2010-04-18 20:02 . 2010-01-20 22:02 25648 ----a-r- c:\windows\system32\drivers\SymIMV.sys
2010-04-18 20:02 . 2010-04-19 19:24 -------- d-----w- c:\program files\Symantec
2010-04-18 20:02 . 2010-04-19 19:23 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-04-18 20:02 . 2010-04-19 22:54 -------- d-----w- c:\windows\system32\drivers\N360
2010-04-18 20:02 . 2010-04-18 20:02 -------- d-----w- c:\program files\Norton 360
2010-04-18 18:40 . 2010-04-18 18:40 -------- d-----w- c:\users\amilis\AppData\Roaming\CamfrogWEB
2010-04-18 11:59 . 2010-04-18 11:59 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-04-18 11:55 . 2010-04-18 19:33 -------- d-----w- c:\programdata\Lavasoft
2010-04-18 11:35 . 2010-04-18 11:35 -------- d-----w- c:\users\amilis\AppData\Roaming\BSD
2010-04-18 11:35 . 2010-04-18 19:51 -------- d-----w- c:\program files\Common Files\BSD
2010-04-18 11:34 . 2010-04-18 19:51 -------- d-----w- c:\programdata\BSD
2010-04-18 11:34 . 2010-04-03 22:16 1571328 ----a-w- c:\windows\bsdsetup.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-15 17:44 . 2010-02-13 16:41 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-05-12 22:42 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-12 20:08 . 2009-04-02 21:01 -------- d-----w- c:\programdata\Microsoft Help
2010-04-24 09:56 . 2009-04-02 20:26 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-19 19:23 . 2010-04-18 20:02 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-04-19 19:23 . 2010-04-18 20:02 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-04-19 19:23 . 2009-10-12 18:21 -------- d-----w- c:\programdata\Symantec
2010-04-18 20:16 . 2009-10-18 17:05 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-18 20:09 . 2009-10-12 18:21 -------- d-----w- c:\programdata\Norton
2010-04-18 20:01 . 2009-10-12 18:21 -------- d-----w- c:\programdata\NortonInstaller
2010-04-18 19:58 . 2009-10-12 18:21 -------- d-----w- c:\program files\NortonInstaller
2010-04-10 17:40 . 2010-04-10 17:40 -------- d-----w- c:\program files\Belkin
2010-04-10 17:40 . 2010-04-10 17:40 -------- d-----w- c:\users\amilis\AppData\Roaming\InstallShield
2010-03-21 21:47 . 2009-05-26 22:14 73296 ----a-w- c:\users\amilis\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-05 14:01 . 2010-04-14 20:27 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-23 11:10 . 2010-04-14 20:27 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-02-23 11:10 . 2010-04-14 20:27 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-02-23 11:10 . 2010-04-14 20:27 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-23 06:39 . 2010-04-10 17:35 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-04-10 17:35 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 06:33 . 2010-04-10 17:35 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 04:55 . 2010-04-10 17:35 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-22 23:33 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-02-20 23:06 . 2010-03-22 21:16 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05 . 2010-03-22 21:16 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53 . 2010-03-22 21:16 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-18 14:07 . 2010-04-14 20:27 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-02-18 14:07 . 2010-04-14 20:27 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-18 14:07 . 2010-04-14 20:27 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-18 11:28 . 2010-04-14 20:27 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2009-04-03 04:47 . 2009-04-03 04:43 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-12 39408]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-11-13 247144]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1151601.exe" [2009-07-31 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2008-07-18 6246400]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-17 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-17 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-17 145944]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-03-25 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-03-13 81920]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-10-12 122880]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 620152]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 2027792]

c:\users\amilis\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
OneNote Table Of Contents.onetoc2 [2009-12-23 3656]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe [2009-12-10 295606]
Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-04-02 20:34 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):aa,95,98,ea,22,b0,ca,01

R2 0208831271620784mcinstcleanup;McAfee Application Installer Cleanup (0208831271620784);c:\users\amilis\AppData\Local\Temp\020883~1.EXE [x]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-13 135664]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\F2A8.tmp [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SYMEFA.SYS [2010-01-20 310320]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\Drivers\N360\0308000.029\BHDrvx86.sys [2010-01-20 259632]
S1 ccHP;Symantec Hash Provider;c:\windows\System32\Drivers\N360\0308000.029\ccHPx86.sys [2010-01-20 482432]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20100505.001\IDSvix86.sys [2010-03-05 343088]
S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2008-07-18 73728]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-09-23 155648]
S2 N360;Norton 360;c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe [2010-01-20 117640]
S2 RtNdPt60;Realtek NDIS Protocol Driver;c:\windows\system32\DRIVERS\RtNdPt60.sys [2008-07-21 27648]
S2 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\O2\bin\sprtsvc.exe [2007-06-07 202280]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [2009-11-13 92008]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-04-18 102448]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-07-17 112128]
S3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\Drivers\N360\0308000.029\SYMNDISV.SYS [2010-01-20 48688]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-05-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-13 16:07]

2010-05-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-13 16:07]

2010-05-09 c:\windows\Tasks\Norton Security Scan for amilis.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.7.0.52\Nss.exe [2010-02-14 11:54]

2010-05-15 c:\windows\Tasks\RtlNICDiagVistaStart.job
- c:\program files\Realtek\RTNICDiag\RTNICDiag.exe [2009-04-02 11:18]

2010-04-25 c:\windows\Tasks\WebReg HP Photosmart C4400 series.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2008-03-25 19:42]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} - hxxp://activex.camfrogweb.com/advanced/2.0.2.3/cfweb_activex.camfrogweb.com-advanced-2.0.2.3_instmodule.exe
DPF: {705EC6D4-B138-4079-A307-EF13E4889A82} - hxxps://bb-bristol-asa.bevanbrittan.com/CACHE/sdesktop/install/binaries/instweb.cab
FF - ProfilePath - c:\users\amilis\AppData\Roaming\Mozilla\Firefox\Profiles\2yesru1q.default\
FF - prefs.js: browser.startup.homepage - hxxp://g.uk.msn.com/USCON/2
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-15 18:55
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll atapi.sys >>UNKNOWN [0x8739D8C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x82be0d24
\Driver\ACPI -> acpi.sys @ 0x8069ed68
\Driver\atapi -> atapi.sys @ 0x807aa9b0
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\F2A8.tmp"
.
Completion time: 2010-05-15 18:58:06
ComboFix-quarantined-files.txt 2010-05-15 17:58
ComboFix2.txt 2010-05-08 16:21

Pre-Run: 392,071,708,672 bytes free
Post-Run: 392,593,563,648 bytes free

- - End Of File - - 90372E31996735F5932A5106FAD3D52D

Edited by Blade Zephon, 16 May 2010 - 12:08 AM.
Posted log in reply to facilitate analysis. Please do not attach logs unless the board software will not let you post them directly. Thanks!
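
The ComboFix log above is read by helpers for a few recurring shapes: services whose image ComboFix could not find or read (the `[x]` marker in place of a date and size), images that are .tmp files or sit under Temp or AppData, orphaned autostart entries marked `(no file)`, and the `>>UNKNOWN<<` module in GMER's disk-stack listing, which has to be weighed against the final `user & kernel MBR OK` verdict line. The Python below is an added example that automates that first pass; it is not ComboFix, GMER or BleepingComputer code, and SAMPLE_LOG is a constructed excerpt with the shape of the posted log, not the full log. A hit is a prompt to look closer, not a verdict: the MEMSWEEP2 service pointing at a .tmp file in system32 is what a Sophos Anti-Rootkit run, which the poster did, typically leaves behind.

```python
"""Triage a ComboFix-style log for entries that deserve a second look.

Added example for this thread; not ComboFix, GMER or BleepingComputer code.
It matches only the line shapes visible in the posted logs. A finding is a
prompt to investigate, not a verdict.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed excerpt in the shape of the posted ComboFix log (not the full log).
SAMPLE_LOG = r"""
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

R2 0208831271620784mcinstcleanup;McAfee Application Installer Cleanup (0208831271620784);c:\users\amilis\AppData\Local\Temp\020883~1.EXE [x]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-13 135664]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\F2A8.tmp [x]
S2 N360;Norton 360;c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe [2010-01-20 117640]

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll atapi.sys >>UNKNOWN [0x8739D8C8]<<
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x82be0d24
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK
"""

# Service line: "<start type> <name>;<display name>;<image path> [<date size> | x]"
SERVICE_RE = re.compile(
    r"^(?P<start>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s+\[(?P<info>[^\]]*)\]\s*$"
)
# Orphaned autostart entry whose target file no longer exists.
ORPHAN_RE = re.compile(r"^(?P<key>\S+)-\{(?P<clsid>[0-9A-Fa-f-]+)\} - \(no file\)\s*$")
# GMER MBR checker: unknown module in the disk stack, and its final verdict line.
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(?P<addr>0x[0-9A-Fa-f]+)\]<<")
VERDICT_RE = re.compile(r"->(?P<verdict>user & kernel MBR \S+)\s*$")


@dataclass(frozen=True)
class Service:
    start: str
    name: str
    display: str
    path: str
    info: str  # "x" when ComboFix could not find/read the image, else "YYYY-MM-DD size"


@dataclass(frozen=True)
class Finding:
    subject: str
    reason: str


def parse_services(text: str) -> list[Service]:
    """Return every R*/S* service line as a Service record."""
    out = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            out.append(Service(**m.groupdict()))
    return out


def triage(text: str) -> list[Finding]:
    """Flag services, orphans and disk-stack oddities worth a closer look."""
    findings = []
    for svc in parse_services(text):
        low = svc.path.lower()
        if svc.info == "x":
            findings.append(Finding(svc.name, "image file missing or unreadable ([x])"))
        if low.endswith(".tmp"):
            findings.append(Finding(svc.name, "image is a .tmp file"))
        if "\\temp\\" in low or "\\appdata\\" in low:
            findings.append(Finding(svc.name, "image lives under Temp/AppData, not Program Files or System32"))
    for line in text.splitlines():
        m = ORPHAN_RE.match(line.strip())
        if m:
            findings.append(Finding(f"{m['key']}-{{{m['clsid']}}}", "orphaned autostart entry (no file)"))
    m = UNKNOWN_RE.search(text)
    if m:
        findings.append(Finding("disk stack", f"unknown module at {m['addr']}; weigh against the MBR verdict line"))
    return findings


def mbr_verdict(text: str) -> str | None:
    """Return GMER's final MBR verdict (e.g. 'user & kernel MBR OK'), if present."""
    for line in text.splitlines():
        m = VERDICT_RE.search(line)
        if m:
            return m["verdict"]
    return None


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.subject}: {f.reason}")
    print("MBR verdict:", mbr_verdict(SAMPLE_LOG))
```

Run against the sample, the two `[x]` services and the orphaned WebBrowser entry are flagged while gupdate and N360 pass, and the `>>UNKNOWN<<` note is printed next to the "user & kernel MBR OK" verdict so the two are read together rather than the former alone.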


#9 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  • Gender:Male
  • Location:US
  • Local time:01:42 AM

Posted 17 May 2010 - 08:21 PM

Hello icemeister
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.

~Blade


In your next reply, please include the following:
TDSSKiller log



#10 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  • Gender:Male
  • Location:US
  • Local time:01:42 AM

Posted 21 May 2010 - 10:48 AM

Are you still there?



#11 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  • Gender:Male
  • Location:US
  • Local time:01:42 AM

Posted 01 June 2010 - 06:30 PM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

~Blade



#12 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  • Gender:Male
  • Location:US
  • Local time:01:42 AM

Posted 12 June 2010 - 09:56 PM

Topic reopened



#13 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  • Gender:Male
  • Location:US
  • Local time:01:42 AM

Posted 18 June 2010 - 05:05 AM

Due to lack of feedback, this topic is now Closed

~Blade



#14 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  • Gender:Male
  • Location:US
  • Local time:01:42 AM

Posted 19 July 2010 - 10:29 PM

Topic Reopened, please post the log requested above.

~Blade



#15 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  • Gender:Male
  • Location:US
  • Local time:01:42 AM

Posted 26 July 2010 - 09:23 PM

Due to lack of feedback, this topic is now Closed.

~Blade





