HTTP Tidserv Request2 & Trojan.Zefarch!gen



#1 DuckDog74

Posted 26 June 2010 - 12:17 PM

I am using Norton 360 on an HP running Windows XP, I think SP2. I started getting false infection alerts that I recognized immediately. A friend was able to remove some of the viruses but not all. At one point when I went to Google, I would be redirected to some other site when selecting one of the results. Currently I am getting a message from Norton about every few minutes stating that an intrusion was blocked with the following information:

An intrusion attempt by 91.212.226.59 was blocked. Application path \DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SVCHOST.EXE

I also get another alert from Norton: Trojan.Zefarch!gen detected by Auto-Protect

I have followed all of the instructions in the guide before using malware.


DDS (Ver_10-03-17.01) - NTFSx86
Run by HP_Owner at 22:04:35.14 on Fri 06/25/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.175 [GMT -5:00]

AV: Norton 360 *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cobian Backup 10\cbVSCService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PIXELA\Everio MediaBrowser HD Edition\MBCameraMonitor.exe
C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\HP_Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\3.8.0.41\IPSBHO.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Wmohet] rundll32.exe "c:\windows\ojuholurac.dll",Startup
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\camera~1.lnk - c:\program files\pixela\everio mediabrowser hd edition\MBCameraMonitor.exe
uPolicies-system: NoDispBackgroundPage =
uPolicies-system: NoDispSettingsPage =
uPolicies-system: NoDispAppearancePage =
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
Trusted Zone: microsoft.com\office
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo1.walgreens.com/WalgreensActivia.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\3.8.0.41\CoIEPlg.dll
Notify: GoToAssist Express Customer - c:\program files\citrix\gotoassist express customer\223\g2ax_winlogon.dll
Notify: igfxcui - igfxsrvc.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308000.029\SymEFA.sys [2010-2-2 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0308000.029\BHDrvx86.sys [2010-2-2 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0308000.029\cchpx86.sys [2010-2-2 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100624.001\IDSXpx86.sys [2010-6-25 331640]
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\cobian backup 10\cbVSCService.exe [2010-6-25 67584]
R2 N360;Norton 360;c:\program files\norton 360\engine\3.8.0.41\ccSvcHst.exe [2010-2-2 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-26 102448]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100625.021\NAVENG.SYS [2010-6-25 85552]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100625.021\NAVEX15.SYS [2010-6-25 1347504]
S3 GoToAssist Express Customer;GoToAssist Express Customer;c:\program files\citrix\gotoassist express customer\223\g2ax_service.exe [2010-6-21 161144]

=============== Created Last 30 ================

2010-06-26 03:00:00 0 ----a-w- c:\documents and settings\hp_owner\defogger_reenable
2010-06-25 18:05:27 0 d-----w- c:\windows\system32\N360_BACKUP
2010-06-25 16:15:25 0 d-----w- c:\program files\Cobian Backup 10
2010-06-22 00:13:36 0 d-----w- c:\program files\Citrix
2010-06-22 00:13:24 108920 ----a-w- c:\documents and settings\hp_owner\g2ax_customer_downloadhelper_win32_x86.exe
2010-06-21 23:46:26 2388 ----a-w- c:\windows\DCEBOOT.CFG
2010-06-21 23:46:26 11264 ----a-w- c:\windows\DCEBoot.exe
2010-06-21 20:32:44 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-06-21 15:12:05 2523 ----a-w- c:\windows\uyepukalege.dll
2010-06-21 14:56:56 120 ----a-w- c:\windows\Amejapimoxihuv.dat
2010-06-21 14:56:56 0 ----a-w- c:\windows\Lnakivegohekev.bin
2010-06-10 00:48:59 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

==================== Find3M ====================

2010-06-25 14:44:27 268 ----a-w- c:\docume~1\hp_owner\applic~1\wklnhst.dat
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 13:33:36 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-04-08 18:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 18:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
2008-09-24 15:26:58 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092420080925\index.dat

============= FINISH: 22:06:23.81 ===============



#2 Farbar

Posted 26 June 2010 - 07:19 PM

Hi DuckDog74,

Welcome to Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. In case of making changes I shall assume my assistance is not needed any more.

If the issue is not resolved please update me on the current condition of your computer.

#3 DuckDog74

Posted 28 June 2010 - 04:00 PM

Thanks for your help. I am using my laptop to communicate with you. My desktop, which is the PC that is infected, is currently shut down. The last time I started it I got this message: RUNDLL Error C:\WINDOWS\ojuholurac.dll The specified module could not be found. I have also got this message: Svchhost.exe Application Error The exception Integer division by zero (Oxc0000094) occurred in the application at location Oxool56c8. Please let me know where to go from here.



#4 Farbar

Posted 28 June 2010 - 04:13 PM

We will take care of the error and the rootkit infection in this round.
  1. Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box (without the word CODE) into a new file:


    CODE
    @ECHO OFF
    REM Remove the browser proxy the infection set (127.0.0.1:5555 in the DDS log) so IE connects directly again
    Reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /f
    Reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /f
    REM Remove the Run entry that tries to load c:\windows\ojuholurac.dll through rundll32 at every logon
    Reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Wmohet /f
    REM Clear the WinHTTP proxy setting as well
    proxycfg -d

    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: fix.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate fix.bat on the desktop. It should look like this:
    • Double-click to run it.
    • A window flashes, this is normal.

  2. We are going to run this special tool.
    • Please download TDSSKiller.exe and save it to your desktop.
    • Run TDSSKiller.exe.
    • When it has finished, press any key to continue.
    • Let it reboot if needed and tell me if it needed a reboot.
    • Also it makes a txt file in the C:\ directory (like TDSSKiller.2.3.2.0_Date_Time_log.txt). Please attach it to your reply.
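As an added example (not DuckDog74's or Farbar's code, and not part of the DDS tool), here is a small Python triage routine for the "Pseudo HJT Report" section of a DDS log. It flags the same three redirect mechanisms the fix.bat above acts on: an IE proxy pointing at the local machine, a Run entry that loads a DLL via rundll32 from outside the usual install directories, and Hosts-file overrides. The sample lines are copied from the DDS log posted earlier in this thread, plus two benign Run entries for contrast; the regexes and the EXPECTED_DLL_DIRS list are this example's own assumptions.

```python
"""Triage of the 'Pseudo HJT Report' section of a DDS log.

Added example, not DDS or BleepingComputer code. It reports the entries
that the fix.bat in this thread removes (local proxy, rundll32 Run entry
loading a DLL from an odd place) and any Hosts-file overrides, so that a
reviewer sees every traffic-redirect mechanism in one place."""
import re
from ipaddress import ip_address

# Constructed sample: lines copied from the DDS log posted in this
# thread, plus two benign Run entries for contrast.
SAMPLE_HJT = r"""
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Wmohet] rundll32.exe "c:\windows\ojuholurac.dll",Startup
Hosts: 127.0.0.1 www.spywareinfo.com
"""

# DDS prefixes: u = current-user hive, m = machine hive, d = .DEFAULT hive.
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(.+)$", re.I)
RUN_RE = re.compile(r"^[umd]Run:\s*\[(?P<name>[^\]]+)\]\s*(?P<cmd>.+)$", re.I)
HOSTS_RE = re.compile(r"^Hosts:\s*(\S+)\s+(\S+)", re.I)
DLL_RE = re.compile(r'([a-z]:\\[^",]+\.dll)', re.I)

# A rundll32 target registered by a normal installer lives under one of
# these; a DLL dropped straight into c:\windows with a random name does not.
# (Assumed list for this example; extend it for your own environment.)
EXPECTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")


def proxy_hosts(value):
    """Return the targets in an IE ProxyServer value that point at the
    local machine. Accepts 'host:port' or the per-protocol form
    'http=host:port;https=host:port'."""
    flagged = []
    for part in value.split(";"):
        target = part.split("=", 1)[-1].strip()
        host = target.rsplit(":", 1)[0]
        try:
            if ip_address(host).is_loopback:
                flagged.append(target)
        except ValueError:  # not an IP literal
            if host.lower() == "localhost":
                flagged.append(target)
    return flagged


def triage_hjt(text):
    """Return a list of (kind, detail) findings for the suspicious lines."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = PROXY_RE.match(line)
        if m:
            for target in proxy_hosts(m.group(1)):
                findings.append(("proxy", "browser proxied through " + target))
            continue
        m = RUN_RE.match(line)
        if m and "rundll32" in m.group("cmd").lower():
            dll = DLL_RE.search(m.group("cmd"))
            path = dll.group(1).lower() if dll else "<no dll path>"
            if not path.startswith(EXPECTED_DLL_DIRS):
                findings.append(("run", m.group("name") + " loads " + path))
            continue
        m = HOSTS_RE.match(line)
        if m:
            findings.append(("hosts", m.group(2) + " -> " + m.group(1)))
    return findings


if __name__ == "__main__":
    for kind, detail in triage_hjt(SAMPLE_HJT):
        print(f"[{kind}] {detail}")
```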


#5 DuckDog74

Posted 29 June 2010 - 05:44 AM

Sorry it took so long to get back with you. I am working nights 5pm to 5am. I will be off today so I will be available most of the day.

OK Instructions 1 & 2 were completed. Here is the log.

Edited by DuckDog74, 29 June 2010 - 05:47 AM.


#6 Farbar

Posted 29 June 2010 - 07:45 AM

No worries about the delay.

The rootkit infection is taken care of and the issue should have been resolved.
  1. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
    Download JavaRa from Javara for Java update or directly from here.
    Use the tool to remove old and redundant versions of the Java Runtime Environment. The latest version is Java 6 update 20. Please uninstall any remaining versions if the tool could not uninstall them (look for any entry on Add/Remove that contains Java, JRE or Java Run Time), they are:

    Java 2 Runtime Environment, SE v1.4.2_03
    Java™ 6 Update 13


  2. This small application you may want to keep and use to keep the computer clean.
    Download CCleaner from here http://www.ccleaner.com/
    • Run the installer to install the application.
    • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
    • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
    • Click Run Cleaner.
    • Close CCleaner.

  3. Please download Malwarebytes' Anti-Malware from one of these locations:
    malwarebytes.org
    majorgeeks.com
    • Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


  4. Tell me also how your computer is running.


#7 DuckDog74

Posted 29 June 2010 - 02:48 PM

The computer seems to be running OK but I haven't done anything except communicate in this forum and follow the instructions that you provided. I am still showing a Windows security alert. I don't think it's a real alert. It says my Norton 360 may be out of date. It pops up when I start up and stays as a small red shield in the bottom right hand corner. This is the log from Malware:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4258

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/29/2010 2:28:04 PM
mbam-log-2010-06-29 (14-28-04).txt

Scan type: Quick scan
Objects scanned: 144085
Time elapsed: 9 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{35a5b43b-cb8a-49ca-a9f4-d3b308d2e3cc} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{35a5b43b-cb8a-49ca-a9f4-d3b308d2e3cc} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servises (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\appsecdll (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\HP_Owner\Application Data\chrtmp (Malware.Trace) -> Quarantined and deleted successfully.


#8 Farbar

Posted 29 June 2010 - 02:56 PM

QUOTE
I am still showing a Windows security alert. I don't think it's a real alert. It says my Norton 360 may be out of date. It pops up when I start up and stays as a small red shield in the bottom right hand corner.

This is Windows Security Center notification. Please update Norton.

QUOTE
The computer seems to be running ok but I haven't done anything except ...

Use the computer and give me feedback about it before we round off.

#9 DuckDog74

Posted 29 June 2010 - 04:14 PM

I checked Norton and it is up to date. I also checked for Windows updates and there were none. When I click on the recommendations it says to update my existing antivirus or get new antivirus. There is a box that says I will monitor the antivirus myself and Windows will no longer monitor it.

One other thing. When I was updating Java, your instructions say to remove all older versions of Java. When I selected the remove older versions, as it would start to run it would lock up each time and never remove the older versions. I went to the control panel and looked at the versions that were installed. This is what is listed:

Java 2 Runtime Environment, SE v1.4.2_03
Java DB 10.5.3.0
Java ™ 6 Update 20
Java ™ SE Development Kit 6 Update 20



#10 Farbar

Posted 29 June 2010 - 04:35 PM

Java ™ 6 Update 20 is the latest version that you want to keep.
Java DB 10.5.3.0 and Java ™ SE Development Kit 6 Update 20 are specialized tools. If you don't use them they can be uninstalled.
Java 2 Runtime Environment, SE v1.4.2_03 should be uninstalled anyway.
  1. Download the trial version of Your Uninstaller! (Free Fix)
      Install it and run it.
      Under Modules select Uninstaller.
      Highlight the Java you want to remove and press Uninstall.
      It might give you an error; proceed anyway and it eventually removes the software.
      Let it remove all the files and folders and anything it finds.

  2. Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with the tool. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    • You will get a warning about the not trusted download sites for ComboFix, click Yes.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.



#11 DuckDog74

Posted 29 June 2010 - 07:36 PM

ComboFix 10-06-29.02 - HP_Owner 06/29/2010 19:17:12.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.319 [GMT -5:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\HP_Owner\g2ax_customer_downloadhelper_win32_x86.exe
c:\documents and settings\HP_Owner\Local Settings\Application Data\Windows Server
c:\documents and settings\HP_Owner\Local Settings\Application Data\Windows Server\flags.ini
c:\documents and settings\HP_Owner\Local Settings\Application Data\Windows Server\uses32.dat
c:\windows\uyepukalege.dll
c:\windows\xpsp1hfm.log
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-05-28 to 2010-06-30 )))))))))))))))))))))))))))))))
.

2010-06-29 21:55 . 2010-06-29 21:55 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\URSoft
2010-06-29 21:55 . 2010-06-29 21:55 -------- d-----w- c:\program files\Your Uninstaller 2010
2010-06-29 20:55 . 2010-06-29 20:55 61440 ----a-w- c:\documents and settings\HP_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-5894ce5c-n\decora-sse.dll
2010-06-29 20:55 . 2010-06-29 20:55 503808 ----a-w- c:\documents and settings\HP_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-117e5acd-n\msvcp71.dll
2010-06-29 20:55 . 2010-06-29 20:55 499712 ----a-w- c:\documents and settings\HP_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-117e5acd-n\jmc.dll
2010-06-29 20:55 . 2010-06-29 20:55 348160 ----a-w- c:\documents and settings\HP_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-117e5acd-n\msvcr71.dll
2010-06-29 20:55 . 2010-06-29 20:55 12800 ----a-w- c:\documents and settings\HP_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-5894ce5c-n\decora-d3d.dll
2010-06-29 19:01 . 2010-06-29 19:01 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Malwarebytes
2010-06-29 19:00 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-29 19:00 . 2010-06-29 19:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-29 19:00 . 2010-06-29 19:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-29 19:00 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-29 18:51 . 2010-06-29 18:51 -------- d-----w- c:\program files\CCleaner
2010-06-29 18:29 . 2010-06-29 18:28 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-29 17:56 . 2010-06-29 17:56 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Uniblue
2010-06-29 17:56 . 2010-06-29 17:56 -------- d-----w- c:\program files\Uniblue
2010-06-26 17:13 . 2010-06-26 17:14 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-06-25 18:05 . 2010-06-25 18:05 -------- d-----w- c:\windows\system32\N360_BACKUP
2010-06-25 16:16 . 2010-06-25 16:16 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\Safe mirror
2010-06-25 16:15 . 2010-06-25 16:16 -------- d-----w- c:\program files\Cobian Backup 10
2010-06-25 14:43 . 2010-06-25 14:43 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Template
2010-06-23 18:53 . 2010-06-23 18:53 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\{CA433BE9-81BF-45E2-A3AE-882A34A8475A}
2010-06-23 17:52 . 2010-06-23 17:52 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\{984A52B7-B8FA-411B-B166-D4F12574B631}
2010-06-22 23:41 . 2010-06-22 23:41 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\{653DB7A0-3A90-4DD6-88A7-212DDD96B7A6}
2010-06-22 22:48 . 2010-06-22 22:48 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\{3C0157FD-6D19-4DD6-9CAB-C3C036D8048A}
2010-06-22 00:13 . 2010-06-22 00:13 -------- d-----w- c:\program files\Citrix
2010-06-22 00:13 . 2010-06-22 00:13 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\Citrix
2010-06-21 23:46 . 2010-06-21 23:46 11264 ----a-w- c:\windows\DCEBoot.exe
2010-06-21 20:32 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-06-21 16:42 . 2010-06-21 16:42 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-06-21 16:42 . 2004-10-22 01:06 45056 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{457791C5-D702-4143-A7B2-2744BE9573F2}\NewShortcut1_5B69D3033CA54B39B5ECE7D051297E77.exe
2010-06-21 16:42 . 2004-10-22 02:30 128 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2010-06-21 15:08 . 2010-06-21 15:08 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\{4FC8B377-DD6C-4639-ADD7-6EFA09847802}
2010-06-21 14:56 . 2010-06-23 17:53 0 ----a-w- c:\windows\Lnakivegohekev.bin
2010-06-21 14:56 . 2010-06-23 17:53 120 ----a-w- c:\windows\Amejapimoxihuv.dat
2010-06-21 14:56 . 2010-06-21 14:56 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\{B3C63798-521C-4A48-8E7A-5BB37243BB4C}
2010-06-10 00:48 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-29 22:12 . 2009-11-10 07:23 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-06-29 22:00 . 2004-10-22 00:27 -------- d-----w- c:\program files\Java
2010-06-29 22:00 . 2004-10-22 00:27 -------- d-----w- c:\program files\Common Files\Java
2010-06-29 10:37 . 2004-11-03 19:19 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2010-06-25 14:44 . 2009-08-21 16:34 268 ----a-w- c:\documents and settings\HP_Owner\Application Data\wklnhst.dat
2010-06-20 03:23 . 2009-01-20 01:28 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\LimeWire
2010-05-26 20:29 . 2010-05-26 20:28 -------- d-----w- c:\program files\iTunes
2010-05-26 20:29 . 2010-05-26 20:28 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-26 20:28 . 2010-05-26 20:28 -------- d-----w- c:\program files\iPod
2010-05-26 20:28 . 2008-08-24 20:45 -------- d-----w- c:\program files\Common Files\Apple
2010-05-26 20:25 . 2010-05-26 20:24 -------- d-----w- c:\program files\QuickTime
2010-05-26 20:19 . 2008-12-25 16:16 -------- d-----w- c:\program files\Bonjour
2010-05-26 20:14 . 2010-05-26 20:14 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-05-26 20:11 . 2008-11-19 23:40 -------- d-----w- c:\program files\Safari
2010-05-26 20:08 . 2010-05-26 20:08 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-05-06 10:41 . 2004-11-03 18:52 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-11-03 18:52 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2004-11-03 19:19 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 13:33 . 2010-02-24 18:07 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-04-16 13:33 . 2008-11-20 00:00 41472 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-04-08 18:20 . 2010-04-08 18:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 18:20 . 2010-04-08 18:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-07-29 77824]
"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-10-22 180269]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-13 47392]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Camera Monitor HD.lnk - c:\program files\PIXELA\Everio MediaBrowser HD Edition\MBCameraMonitor.exe [2010-3-18 541976]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist Express Customer]
2010-06-22 00:13 147832 ----a-w- c:\program files\Citrix\GoToAssist Express Customer\223\g2ax_winlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^HP Organize.lnk]
path=c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\HP Organize.lnk
backup=c:\windows\pss\HP Organize.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2004-06-30 00:06 88363 ----a-w- c:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2004-07-21 00:22 57344 ----a-w- c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
2004-07-29 08:34 2551808 ----a-w- c:\windows\ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
2004-09-08 03:47 57344 ----a-w- c:\windows\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2004-08-21 05:51 118784 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2004-09-13 20:49 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06]
2004-06-08 01:42 659456 ----a-w- c:\windows\system32\hphmon06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]
2004-06-08 01:53 49152 ----a-w- c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
1998-05-07 23:04 52736 ----a-w- c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-04-28 20:06 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
2006-10-31 06:03 284184 ----a-w- c:\program files\Common Files\Logitech\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2006-11-16 02:58 746520 ----a-w- c:\program files\Logitech\QuickCam10\QuickCam10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
2004-10-15 04:54 253952 ----a-w- c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
2006-11-16 03:01 244512 ----a-w- c:\program files\Common Files\Logitech\LComMgr\LVComSX.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
2008-12-12 18:46 9555968 ----a-w- c:\program files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
2002-10-16 23:57 81920 ----a-w- c:\windows\system32\ps2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 02:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2004-04-15 03:43 233472 ----a-w- c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\regcmdcons]
1999-11-07 14:11 27136 ----a-w- c:\hp\bin\cloaker.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
2003-12-18 07:31 118784 ----a-w- c:\windows\CREATOR\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\secondintel]
1999-11-07 14:11 27136 ----a-w- c:\hp\bin\cloaker.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2004-10-22 01:39 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
2003-08-19 15:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2009-11-10 21:39 5244216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SymEFA.sys [2/2/2010 9:29 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0308000.029\BHDrvx86.sys [2/2/2010 9:29 PM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0308000.029\cchpx86.sys [2/2/2010 9:29 PM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100625.001\IDSXpx86.sys [6/26/2010 11:40 AM 331640]
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\Cobian Backup 10\cbVSCService.exe [6/25/2010 11:16 AM 67584]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe [2/2/2010 9:29 PM 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/26/2010 3:00 AM 102448]
S3 GoToAssist Express Customer;GoToAssist Express Customer;c:\program files\Citrix\GoToAssist Express Customer\223\g2ax_service.exe [6/21/2010 7:13 PM 161144]
.
Contents of the 'Scheduled Tasks' folder

2010-06-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 18:34]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
Trusted Zone: microsoft.com\office
.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)
Toolbar-Locked - (no file)
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
SafeBoot-klmdb.sys
MSConfigStartUp-AppleSyncNotifier - c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-dresdfgj - c:\documents and settings\HP_Owner\Local Settings\Application Data\rhqlvudah\vnumnrktssd.exe
MSConfigStartUp-SSC_UserPrompt - c:\program files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
MSConfigStartUp-Symantec NetDriver Monitor - c:\progra~1\SYMNET~1\SNDMon.exe
MSConfigStartUp-VTTimer - VTTimer.exe
MSConfigStartUp-Wmohet - c:\windows\ixibajogan.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-29 19:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(796)
c:\program files\Citrix\GoToAssist Express Customer\223\g2ax_winlogon.dll
.
Completion time: 2010-06-29 19:31:48
ComboFix-quarantined-files.txt 2010-06-30 00:31

Pre-Run: 155,523,653,632 bytes free
Post-Run: 155,635,326,976 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 5E4A78FC815DA78077875EAC5B3DF180


#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:30 AM

Posted 29 June 2010 - 07:51 PM

  1. Close any open browsers.

    Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

    CODE
    DirLook::
    c:\documents and settings\HP_Owner\Local Settings\Application Data\{4FC8B377-DD6C-4639-ADD7-6EFA09847802}
    c:\documents and settings\HP_Owner\Local Settings\Application Data\{B3C63798-521C-4A48-8E7A-5BB37243BB4C}
    File::
    c:\windows\Lnakivegohekev.bin
    c:\windows\Amejapimoxihuv.dat
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyEnable"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyServer"=-
    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:5555


    Save this as CFScript.txt, in the same location as ComboFix.exe




    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you ( "C:\ComboFix.txt"). Please copy and paste the log to your reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall


  2. Tell me also how is your computer running now.
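The CFScript above targets three things a reviewer of the earlier ComboFix log would pull out by hand: Security Center monitoring switched off, a browser proxy pointed at the local machine (the `http=127.0.0.1:5555` line), and autostart entries with random-looking names under the user's profile. The script below does that triage automatically over the log text. It is an added example for this thread, not code from the post, from ComboFix, or from any tool mentioned here; the sample lines are constructed from the log excerpts quoted above, and the heuristics (the `Local Settings\Application Data` rule, the bare-DLL rule and the consonant-run threshold) are my own assumptions, not ComboFix's logic.

```python
import os
import re

# Constructed sample in the style of the ComboFix log quoted in this thread:
# one Run key, the Security Center monitoring values, the proxy lines from the
# supplementary scan, and three entries from the orphan list.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555

MSConfigStartUp-dresdfgj - c:\documents and settings\HP_Owner\Local Settings\Application Data\rhqlvudah\vnumnrktssd.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
MSConfigStartUp-Wmohet - c:\windows\ixibajogan.dll
"""

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')
# ComboFix prefixes user/machine settings with "u"/"m" in the supplementary scan.
_PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(?P<spec>\S+)$", re.M)
# Orphan-list and Run-key lines: "<source>-<entry name> - <path>".
_AUTOSTART_RE = re.compile(r"^(?:MSConfigStartUp|HKLM-Run|HKCU-Run)-(?P<name>.+?)\s+-\s+(?P<path>.+)$")


def parse_registry_values(text):
    """Return (key, name, value) for every "name"=value line under a [key] header."""
    key, out = None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            out.append((key, m.group("name"), m.group("value")))
    return out


def disabled_security_center_monitoring(text):
    """Keys under Security Center\\Monitoring where DisableMonitoring is set to 1.

    With monitoring disabled, Windows no longer warns when AV or the firewall
    is off; the CFScript in this thread resets these values."""
    return [key for key, name, value in parse_registry_values(text)
            if "security center\\monitoring" in key.lower()
            and name == "DisableMonitoring" and value.lower().endswith("00000001")]


def local_proxy_settings(text):
    """ProxyServer specs whose host is the loopback address (browser traffic
    being routed through a process on the same machine)."""
    hits = []
    for m in _PROXY_RE.finditer(text):
        spec = m.group("spec")
        for entry in spec.split(";"):                # e.g. "http=127.0.0.1:5555"
            host = entry.split("=", 1)[-1].rsplit(":", 1)[0].lower()
            if host == "localhost" or host.startswith("127."):
                hits.append(spec)
                break
    return hits


def longest_consonant_run(stem):
    """Length of the longest run of consonants; long runs suggest a generated name."""
    run = best = 0
    for ch in stem.lower():
        if ch.isalpha() and ch not in "aeiouy":
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def suspicious_autostarts(text, min_consonant_run=5):
    """Autostart entries matching at least one heuristic; returns (name, path, reasons)."""
    flagged = []
    for raw in text.splitlines():
        m = _AUTOSTART_RE.match(raw.strip())
        if not m:
            continue
        name, path = m.group("name"), m.group("path").strip()
        low = path.lower()
        reasons = []
        if "\\local settings\\application data\\" in low:
            reasons.append("runs from a per-user Local Settings\\Application Data folder")
        if low.endswith(".dll"):
            reasons.append("bare DLL registered as an autostart entry")
        stem = os.path.splitext(os.path.basename(low.replace("\\", "/")))[0]
        if longest_consonant_run(stem) >= min_consonant_run:
            reasons.append("file name looks machine-generated")
        if reasons:
            flagged.append((name, path, reasons))
    return flagged


def triage(text):
    """Bundle the three checks into one report."""
    return {
        "security_center_monitoring_disabled": disabled_security_center_monitoring(text),
        "loopback_proxy": local_proxy_settings(text),
        "suspicious_autostarts": suspicious_autostarts(text),
    }


if __name__ == "__main__":
    for section, findings in triage(SAMPLE_LOG).items():
        print(section)
        for item in findings:
            print("  ", item)
```

On the sample, the two Security Center keys and the loopback proxy are reported, `dresdfgj` is flagged twice (profile path and name), `Wmohet` once (DLL), and the Java updater entry passes. Security products such as Norton do legitimately write `DisableMonitoring` for their own subkeys, so treat that finding as something to confirm against the installed AV rather than as proof of infection on its own.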


#13 DuckDog74

DuckDog74
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:30 PM

Posted 29 June 2010 - 08:42 PM

The PC seems to be running ok. Should I turn Norton back on? Here is the log:



ComboFix 10-06-29.02 - HP_Owner 06/29/2010 20:27:19.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.373 [GMT -5:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Owner\Desktop\CFScript.txt
AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

FILE ::
"c:\windows\Amejapimoxihuv.dat"
"c:\windows\Lnakivegohekev.bin"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Amejapimoxihuv.dat
c:\windows\Lnakivegohekev.bin

.
((((((((((((((((((((((((( Files Created from 2010-05-28 to 2010-06-30 )))))))))))))))))))))))))))))))
.

2010-06-29 21:55 . 2010-06-29 21:55 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\URSoft
2010-06-29 21:55 . 2010-06-29 21:55 -------- d-----w- c:\program files\Your Uninstaller 2010
2010-06-29 20:55 . 2010-06-29 20:55 61440 ----a-w- c:\documents and settings\HP_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-5894ce5c-n\decora-sse.dll
2010-06-29 20:55 . 2010-06-29 20:55 503808 ----a-w- c:\documents and settings\HP_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-117e5acd-n\msvcp71.dll
2010-06-29 20:55 . 2010-06-29 20:55 499712 ----a-w- c:\documents and settings\HP_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-117e5acd-n\jmc.dll
2010-06-29 20:55 . 2010-06-29 20:55 348160 ----a-w- c:\documents and settings\HP_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-117e5acd-n\msvcr71.dll
2010-06-29 20:55 . 2010-06-29 20:55 12800 ----a-w- c:\documents and settings\HP_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-5894ce5c-n\decora-d3d.dll
2010-06-29 19:01 . 2010-06-29 19:01 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Malwarebytes
2010-06-29 19:00 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-29 19:00 . 2010-06-29 19:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-29 19:00 . 2010-06-29 19:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-29 19:00 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-29 18:51 . 2010-06-29 18:51 -------- d-----w- c:\program files\CCleaner
2010-06-29 18:29 . 2010-06-29 18:28 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-29 17:56 . 2010-06-29 17:56 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Uniblue
2010-06-29 17:56 . 2010-06-29 17:56 -------- d-----w- c:\program files\Uniblue
2010-06-26 17:13 . 2010-06-26 17:14 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-06-25 18:05 . 2010-06-25 18:05 -------- d-----w- c:\windows\system32\N360_BACKUP
2010-06-25 16:16 . 2010-06-25 16:16 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\Safe mirror
2010-06-25 16:15 . 2010-06-25 16:16 -------- d-----w- c:\program files\Cobian Backup 10
2010-06-25 14:43 . 2010-06-25 14:43 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Template
2010-06-23 18:53 . 2010-06-23 18:53 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\{CA433BE9-81BF-45E2-A3AE-882A34A8475A}
2010-06-23 17:52 . 2010-06-23 17:52 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\{984A52B7-B8FA-411B-B166-D4F12574B631}
2010-06-22 23:41 . 2010-06-22 23:41 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\{653DB7A0-3A90-4DD6-88A7-212DDD96B7A6}
2010-06-22 22:48 . 2010-06-22 22:48 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\{3C0157FD-6D19-4DD6-9CAB-C3C036D8048A}
2010-06-22 00:13 . 2010-06-22 00:13 -------- d-----w- c:\program files\Citrix
2010-06-22 00:13 . 2010-06-22 00:13 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\Citrix
2010-06-21 23:46 . 2010-06-21 23:46 11264 ----a-w- c:\windows\DCEBoot.exe
2010-06-21 20:32 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-06-21 16:42 . 2010-06-21 16:42 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-06-21 16:42 . 2004-10-22 01:06 45056 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{457791C5-D702-4143-A7B2-2744BE9573F2}\NewShortcut1_5B69D3033CA54B39B5ECE7D051297E77.exe
2010-06-21 16:42 . 2004-10-22 02:30 128 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2010-06-21 15:08 . 2010-06-21 15:08 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\{4FC8B377-DD6C-4639-ADD7-6EFA09847802}
2010-06-21 14:56 . 2010-06-21 14:56 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\{B3C63798-521C-4A48-8E7A-5BB37243BB4C}
2010-06-10 00:48 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-29 22:12 . 2009-11-10 07:23 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-06-29 22:00 . 2004-10-22 00:27 -------- d-----w- c:\program files\Java
2010-06-29 22:00 . 2004-10-22 00:27 -------- d-----w- c:\program files\Common Files\Java
2010-06-29 10:37 . 2004-11-03 19:19 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2010-06-25 14:44 . 2009-08-21 16:34 268 ----a-w- c:\documents and settings\HP_Owner\Application Data\wklnhst.dat
2010-06-20 03:23 . 2009-01-20 01:28 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\LimeWire
2010-05-26 20:29 . 2010-05-26 20:28 -------- d-----w- c:\program files\iTunes
2010-05-26 20:29 . 2010-05-26 20:28 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-26 20:28 . 2010-05-26 20:28 -------- d-----w- c:\program files\iPod
2010-05-26 20:28 . 2008-08-24 20:45 -------- d-----w- c:\program files\Common Files\Apple
2010-05-26 20:25 . 2010-05-26 20:24 -------- d-----w- c:\program files\QuickTime
2010-05-26 20:19 . 2008-12-25 16:16 -------- d-----w- c:\program files\Bonjour
2010-05-26 20:14 . 2010-05-26 20:14 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-05-26 20:11 . 2008-11-19 23:40 -------- d-----w- c:\program files\Safari
2010-05-26 20:08 . 2010-05-26 20:08 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-05-06 10:41 . 2004-11-03 18:52 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-11-03 18:52 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2004-11-03 19:19 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 13:33 . 2010-02-24 18:07 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-04-16 13:33 . 2008-11-20 00:00 41472 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-04-08 18:20 . 2010-04-08 18:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 18:20 . 2010-04-08 18:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\HP_Owner\Local Settings\Application Data\{4FC8B377-DD6C-4639-ADD7-6EFA09847802} ----

2010-06-21 15:08 . 2010-06-21 15:08 2054 ----a-w- c:\documents and settings\HP_Owner\Local Settings\Application Data\{4FC8B377-DD6C-4639-ADD7-6EFA09847802}\chrome\content\_cfg.js
2010-06-21 15:08 . 2010-06-21 15:08 764 ----a-w- c:\documents and settings\HP_Owner\Local Settings\Application Data\{4FC8B377-DD6C-4639-ADD7-6EFA09847802}\install.rdf
2010-06-21 15:08 . 2010-06-21 15:08 122 ----a-w- c:\documents and settings\HP_Owner\Local Settings\Application Data\{4FC8B377-DD6C-4639-ADD7-6EFA09847802}\chrome.manifest

---- Directory of c:\documents and settings\HP_Owner\Local Settings\Application Data\{B3C63798-521C-4A48-8E7A-5BB37243BB4C} ----

2010-06-21 14:56 . 2010-06-21 14:56 2054 ----a-w- c:\documents and settings\HP_Owner\Local Settings\Application Data\{B3C63798-521C-4A48-8E7A-5BB37243BB4C}\chrome\content\_cfg.js
2010-06-21 14:56 . 2010-06-21 14:56 764 ----a-w- c:\documents and settings\HP_Owner\Local Settings\Application Data\{B3C63798-521C-4A48-8E7A-5BB37243BB4C}\install.rdf
2010-06-21 14:56 . 2010-06-21 14:56 122 ----a-w- c:\documents and settings\HP_Owner\Local Settings\Application Data\{B3C63798-521C-4A48-8E7A-5BB37243BB4C}\chrome.manifest


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-07-29 77824]
"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-10-22 180269]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-13 47392]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Camera Monitor HD.lnk - c:\program files\PIXELA\Everio MediaBrowser HD Edition\MBCameraMonitor.exe [2010-3-18 541976]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist Express Customer]
2010-06-22 00:13 147832 ----a-w- c:\program files\Citrix\GoToAssist Express Customer\223\g2ax_winlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^HP Organize.lnk]
path=c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\HP Organize.lnk
backup=c:\windows\pss\HP Organize.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2004-06-30 00:06 88363 ----a-w- c:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2004-07-21 00:22 57344 ----a-w- c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
2004-07-29 08:34 2551808 ----a-w- c:\windows\ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
2004-09-08 03:47 57344 ----a-w- c:\windows\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2004-08-21 05:51 118784 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2004-09-13 20:49 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06]
2004-06-08 01:42 659456 ----a-w- c:\windows\system32\hphmon06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]
2004-06-08 01:53 49152 ----a-w- c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
1998-05-07 23:04 52736 ----a-w- c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-04-28 20:06 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
2006-10-31 06:03 284184 ----a-w- c:\program files\Common Files\Logitech\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2006-11-16 02:58 746520 ----a-w- c:\program files\Logitech\QuickCam10\QuickCam10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
2004-10-15 04:54 253952 ----a-w- c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
2006-11-16 03:01 244512 ----a-w- c:\program files\Common Files\Logitech\LComMgr\LVComSX.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
2008-12-12 18:46 9555968 ----a-w- c:\program files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
2002-10-16 23:57 81920 ----a-w- c:\windows\system32\ps2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 02:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2004-04-15 03:43 233472 ----a-w- c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\regcmdcons]
1999-11-07 14:11 27136 ----a-w- c:\hp\bin\cloaker.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
2003-12-18 07:31 118784 ----a-w- c:\windows\CREATOR\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\secondintel]
1999-11-07 14:11 27136 ----a-w- c:\hp\bin\cloaker.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2004-10-22 01:39 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
2003-08-19 15:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2009-11-10 21:39 5244216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SymEFA.sys [2/2/2010 9:29 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0308000.029\BHDrvx86.sys [2/2/2010 9:29 PM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0308000.029\cchpx86.sys [2/2/2010 9:29 PM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100625.001\IDSXpx86.sys [6/26/2010 11:40 AM 331640]
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\Cobian Backup 10\cbVSCService.exe [6/25/2010 11:16 AM 67584]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe [2/2/2010 9:29 PM 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/26/2010 3:00 AM 102448]
S3 GoToAssist Express Customer;GoToAssist Express Customer;c:\program files\Citrix\GoToAssist Express Customer\223\g2ax_service.exe [6/21/2010 7:13 PM 161144]
.
Contents of the 'Scheduled Tasks' folder

2010-06-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 18:34]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
Trusted Zone: microsoft.com\office
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-29 20:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(796)
c:\program files\Citrix\GoToAssist Express Customer\223\g2ax_winlogon.dll
.
Completion time: 2010-06-29 20:36:59
ComboFix-quarantined-files.txt 2010-06-30 01:36
ComboFix2.txt 2010-06-30 00:31

Pre-Run: 155,648,716,800 bytes free
Post-Run: 155,638,059,008 bytes free

- - End Of File - - 2ADC29EEBF879EB2425E948713445EAD

Edited by DuckDog74, 29 June 2010 - 08:44 PM.


#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:30 AM

Posted 30 June 2010 - 03:39 AM

It looks good.

  1. To re-enable your Emulation drivers, double click DeFogger to run the tool.
    • The application window will appear
    • Click the Re-enable button to re-enable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK
    IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

    Your Emulation drivers are now re-enabled.

  2. It is important to uninstall ComboFix.

    Go to Start => Run => copy and paste next command in the field then hit enter:

    ComboFix /Uninstall

    This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

    It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through system restore.

  3. You may delete any tool or log we used from your computer.

  4. I recommend installing this small application for safe surfing: Javacool's SpywareBlaster
    SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings and that will protect you from running and downloading known malicious programs.
    • Download and install it.
    • Update it manually by clicking on Updates in the left pane and then Check for Updates.
    • Then enable all the protections by clicking on Protection Status on the left pane. Then click on Enable All Protection.
    • The free version doesn't have an automatic update. Update it once every two or three weeks and enable all protection again.

Happy Surfing.




#15 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:30 AM

Posted 04 July 2010 - 06:02 AM



This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.



