Infected with W32.unruy!gen2


This topic is locked. 18 replies to this topic.

#1 danzec (Members, 9 posts)

Posted 28 September 2010 - 10:37 PM

My parents' computer got a virus. I brought it home and tried to clean it up last week with my usual arsenal of Spybot, Malwarebytes and Symantec, but Symantec Auto-Protect is still catching W32.unruy!gen2 frequently. Additionally, clicking a Google search link using Firefox or IE results in being redirected to a page unrelated to the link. Occasionally an error comes up: "Generic Host Process for Win32 Services has encountered a problem and needs to close", Send error report, etc. Lastly, what appears to me to be a bogus "Windows Security Alert" pops up randomly.

I am in over my head here and would appreciate any help.

Below are the logs:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Joe at 19:52:01.50 on Tue 09/28/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.895.116 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\HDAShCut.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy2\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\QUICKENW\QWDLLS.EXE
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask .exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2 .exe
C:\Program Files\Common Files\Symantec Shared\ccApp .exe
C:\PROGRA~1\SYMANT~1\VPTray .exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray .exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr .exe
C:\Program Files\Common Files\Java\Java Update\jusched .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\Ahead\InCD\InCD .exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Eula.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Joe\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://cbs3.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uWinlogon: Shell=C:\Documents
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy2\TeaTimer.exe
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [MMTray] "c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe"
mRun: [mmtask] "c:\program files\musicmatch\musicmatch jukebox\mmtask.exe"
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
mRun: [OpwareSE2] "c:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"
mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask .exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRunServices: [MOSearch] c:\progra~1\common~1\system\mosearch\bin\mosearch.exe
StartupFolder: c:\docume~1\joe\startm~1\programs\startup\billmi~1.lnk - c:\quickenw\BILLMIND.EXE
StartupFolder: c:\docume~1\joe\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\documents and settings\joe\start menu\programs\startup\PowerReg Scheduler V3.exe
StartupFolder: c:\docume~1\joe\startm~1\programs\startup\quicke~1.lnk - c:\quickenw\QWDLLS.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{871df2be-41d2-4334-ac33-839af16fc8fe}\Icon3E5562ED7.ico
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy2\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133238776908
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\pkmcdo.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\joe\applic~1\mozilla\firefox\profiles\cnulpwrn.default\
FF - prefs.js: browser.startup.homepage - hxxp://philadelphia.cbslocal.com/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: XULRunner: {62AE86A7-C2CE-4FEF-A0FD-609682EF605F} - c:\documents and settings\joe\local settings\application data\{62AE86A7-C2CE-4FEF-A0FD-609682EF605F}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-2-4 324232]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-2-4 53896]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-4-8 185968]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-4-8 161392]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-4-17 1706176]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100927.002\naveng.sys [2010-9-27 85424]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100927.002\navex15.sys [2010-9-27 1362608]
S0 ytusr;ytusr;c:\windows\system32\drivers\ytusr.sys [2010-9-19 0]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-4-8 83568]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-4-17 124608]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2010-09-28 23:49:34 0 ----a-w- c:\documents and settings\joe\defogger_reenable
2010-09-22 22:19:16 0 d-----w- c:\docume~1\alluse~1\applic~1\McAfee Security Scan
2010-09-22 22:18:56 0 d-----w- c:\program files\McAfee Security Scan
2010-09-22 20:19:05 112 ----a-w- c:\docume~1\alluse~1\applic~1\Y1LDai.dat
2010-09-21 12:49:18 0 d--h--w- C:\$AVG
2010-09-21 03:20:27 0 d---a-w- C:\.Trash-999
2010-09-19 23:46:29 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-09-19 20:28:15 0 d-----w- c:\program files\Spybot - Search & Destroy2
2010-09-19 12:49:26 0 ----a-w- c:\windows\system32\drivers\ytusr.sys
2010-09-19 12:49:03 0 d-----w- c:\docume~1\alluse~1\applic~1\Update
2010-09-16 20:59:49 0 d-----w- c:\docume~1\joe\applic~1\Malwarebytes
2010-09-16 20:59:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-16 20:59:02 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-16 20:59:02 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-16 20:59:02 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-09-15 20:14:03 1324 ----a-w- c:\windows\system32\d3d9caps.dat

==================== Find3M ====================

2010-09-22 20:17:01 94724 ----a-w- c:\windows\system32\HDAShCut.exe
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-17 09:00:04 423656 ----a-w- c:\windows\system32\deployJava1.dll
2008-08-23 20:14:40 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082320080824\index.dat
2007-07-08 17:18:35 32768 --sha-w- c:\windows\temp\cookies\index.dat
2007-07-08 17:18:35 32768 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2007-07-08 17:18:35 49152 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 19:53:53.12 ===============




#2 Blade81 (Bleepin' Rocker, Malware Response Team, 6,465 posts, Location: Finland)

Posted 03 October 2010 - 06:58 AM

Hi,

Please visit this webpage for download links and instructions for running the ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.


Please continue as follows:
  1. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix (link). Remember to re-enable them afterwards.
  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New DDS log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

The malware removal instructions provided are meant to be used in the corresponding user's case only. If you have similar symptoms, please create your own topic instead of following instructions given to someone else.


#3 danzec (Topic Starter, Members, 9 posts)

Posted 03 October 2010 - 09:37 AM

Thank you, Blade81, for the reply. I cannot post from the infected computer; I get a "connection reset" in Firefox every time. I copied the requested logs to a USB stick and was able to post them below from another PC.

Observations after this procedure:

1. Seems Symantec and Spybot did not load after the last ComboFix reboot (I do not see them in the tray anyway).
2. Had a "Generic Host Process for Win32" "tell Microsoft about this problem" error.
3. HP Photosmart Essential 2.5: "There is a problem with this installer package..."
4. An advertisement tab opened in Firefox.
5. "Connection reset" when hitting the "Add Reply" button on BleepingComputer.

ComboFix Log:

ComboFix 10-10-02.02 - Joe 10/03/2010 9:42.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.895.519 [GMT -4:00]
Running from: c:\documents and settings\Joe\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
* Created a new restore point

.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\.wtav
c:\documents and settings\Joe\Local Settings\Application Data\{62AE86A7-C2CE-4FEF-A0FD-609682EF605F}
c:\documents and settings\Joe\Local Settings\Application Data\{62AE86A7-C2CE-4FEF-A0FD-609682EF605F}\chrome.manifest
c:\documents and settings\Joe\Local Settings\Application Data\{62AE86A7-C2CE-4FEF-A0FD-609682EF605F}\chrome\content\_cfg.js
c:\documents and settings\Joe\Local Settings\Application Data\{62AE86A7-C2CE-4FEF-A0FD-609682EF605F}\chrome\content\overlay.xul
c:\documents and settings\Joe\Local Settings\Application Data\{62AE86A7-C2CE-4FEF-A0FD-609682EF605F}\install.rdf
c:\documents and settings\Joe\Local Settings\Temporary Internet Files\pse_350_enu.exe
c:\documents and settings\Joe\Recent\GWBASIC.pif
c:\progra~1\SYMANT~1\VPTray.exe
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
c:\program files\Ahead\InCD\InCD.exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
c:\program files\Common Files\Java\Java Update\jusched.exe
c:\program files\Common Files\Symantec Shared\ccApp.exe
c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe
c:\program files\iTunes\iTunesHelper.exe
c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe
c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
c:\program files\Mozilla Firefox\searchplugins\google_search.xml
c:\program files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe

c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask.exe
c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
c:\windows\system32\devmgr32.dll
c:\windows\system32\driVERs\ytusr.sys

c:\windows\system32\drivers\ytusr.sys . . . is infected!! . . . Failed to find a valid replacement.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_USERINIT
-------\Legacy_ytusr
-------\Service_ytusr


((((((((((((((((((((((((( Files Created from 2010-09-03 to 2010-10-03 )))))))))))))))))))))))))))))))
.

2010-09-28 23:55 . 2010-09-28 23:55 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
2010-09-27 17:42 . 2010-09-27 17:42 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
2010-09-26 19:14 . 2010-09-26 19:14 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Identities
2010-09-22 22:22 . 2010-09-22 22:19 53632 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-09-22 22:21 . 2010-09-22 22:21 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-09-22 22:19 . 2010-09-22 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-09-22 22:19 . 2010-09-22 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2010-09-22 22:18 . 2010-09-22 22:18 -------- d-----w- c:\program files\McAfee Security Scan
2010-09-22 22:14 . 2010-09-22 22:14 0 ----a-w- c:\windows\nsreg.dat
2010-09-22 22:14 . 2010-09-22 22:14 -------- d-----w- c:\documents and settings\Joe\Local Settings\Application Data\Mozilla
2010-09-22 15:57 . 2010-09-22 15:57 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-09-21 12:49 . 2010-09-21 12:49 -------- d-----w- C:\$AVG
2010-09-21 03:20 . 2010-09-21 03:20 -------- d---a-w- C:\.Trash-999
2010-09-19 23:46 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-09-19 20:28 . 2010-09-21 19:15 -------- d-----w- c:\program files\Spybot - Search & Destroy2
2010-09-19 20:22 . 2010-09-19 20:22 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-09-19 12:49 . 2010-09-19 14:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-09-16 20:59 . 2010-09-16 20:59 -------- d-----w- c:\documents and settings\Joe\Application Data\Malwarebytes
2010-09-16 20:59 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-16 20:59 . 2010-09-16 20:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-16 20:59 . 2010-09-16 20:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-16 20:59 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-15 23:46 . 2010-09-15 23:46 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-09-15 23:45 . 2010-09-15 23:45 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-09-15 20:14 . 2010-10-03 13:14 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-15 20:12 . 2010-09-15 20:12 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-03 13:54 . 2005-11-29 05:53 -------- d-----w- c:\program files\Symantec AntiVirus
2010-10-03 13:51 . 2009-02-27 01:27 -------- d-----w- c:\program files\QuickTime
2010-10-03 13:50 . 2009-02-27 01:28 -------- d-----w- c:\program files\iTunes
2010-10-03 13:50 . 2005-11-29 05:53 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-10-03 13:10 . 2010-09-22 20:19 112 ----a-w- c:\documents and settings\All Users\Application Data\Y1LDai.dat
2010-09-22 22:26 . 2005-12-25 22:56 -------- d-----w- c:\program files\Common Files\Adobe
2010-09-22 20:17 . 2005-01-07 22:07 94724 ----a-w- c:\windows\system32\HDAShCut.exe
2010-09-19 20:29 . 2007-07-08 17:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-09-19 20:24 . 2005-12-25 23:26 -------- d-----w- c:\program files\Spybot - Search & Destroy 1.1
2010-09-19 20:23 . 2007-07-08 17:04 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-09-10 17:59 . 2005-12-25 22:56 -------- d-----w- c:\program files\Common Files\Java
2010-09-10 17:59 . 2006-03-17 20:29 -------- d-----w- c:\program files\Java
2010-08-17 13:17 . 2004-08-03 22:56 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-06 19:50 . 2010-08-06 19:50 503808 ----a-w- c:\documents and settings\Joe\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-743a81c7-n\msvcp71.dll
2010-08-06 19:50 . 2010-08-06 19:50 499712 ----a-w- c:\documents and settings\Joe\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-743a81c7-n\jmc.dll
2010-08-06 19:50 . 2010-08-06 19:50 61440 ----a-w- c:\documents and settings\Joe\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-3445b709-n\decora-sse.dll
2010-08-06 19:50 . 2010-08-06 19:50 348160 ----a-w- c:\documents and settings\Joe\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-743a81c7-n\msvcr71.dll
2010-08-06 19:50 . 2010-08-06 19:50 12800 ----a-w- c:\documents and settings\Joe\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-3445b709-n\decora-d3d.dll
2010-07-22 15:49 . 2004-08-03 22:56 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2009-04-17 13:28 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-17 09:00 . 2010-05-12 17:46 423656 ----a-w- c:\windows\system32\deployJava1.dll
.

c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe

c:\program files\Ahead\InCD\InCD .exe

c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe

c:\program files\Common Files\Java\Java Update\jusched .exe

c:\program files\Common Files\Symantec Shared\ccApp .exe

c:\program files\HP\Digital Imaging\bin\hpqSRMon .exe

c:\program files\iTunes\iTunesHelper .exe

c:\program files\Maxtor\OneTouch Status\maxmenumgr .exe

c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr .exe

c:\program files\MusicMatch\MusicMatch Jukebox\mmtask .exe

c:\program files\MusicMatch\MusicMatch Jukebox\mm_tray .exe

c:\program files\QuickTime\qttask                                                                                                       .exe

c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2 .exe

c:\program files\Symantec AntiVirus\VPTray .exe

c:\windows\system32\HDAShCut .exe




((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4



[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy2\TeaTimer.exe" [2009-03-05 2260480]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]

"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2010-09-22 94724]

"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 14854144]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [N/A]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [N/A]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"MMTray"="c:\program files\MusicMatch\MusicMatch Jukebox\mm_tray.exe" [N/A]

"mmtask"="c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [N/A]

"InCD"="c:\program files\Ahead\InCD\InCD.exe" [N/A]

"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [N/A]

"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [N/A]

"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [N/A]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [N/A]

"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [N/A]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [N/A]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [N/A]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [N/A]



c:\documents and settings\Joe\Start Menu\Programs\Startup\

Billminder.lnk - c:\quickenw\BILLMIND.EXE [2001-3-3 30208]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

PowerReg Scheduler V3.exe [2006-3-31 225280]

Quicken Startup.lnk - c:\quickenw\QWDLLS.EXE [2001-3-3 27136]



c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]

McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

VPN Client.lnk - c:\windows\Installer\{871DF2BE-41D2-4334-AC33-839AF16FC8FE}\Icon3E5562ED7.ico [2009-11-24 6144]



[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001



[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\Atari\\Deer Hunter 2004\\DH2004.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=

"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=

"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=



R3 EraserUtilDrv11010;EraserUtilDrv11010;c:\program files\Common Files\Symantec Shared\eengine\EraserUtilDrv11010.sys [10/3/2010 9:15 AM 102448]

S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 8:49 AM 227232]

S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [4/17/2005 1:30 PM 124608]



[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder



2010-09-09 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]



2010-10-03 c:\windows\Tasks\User_Feed_Synchronization-{DDEE7C09-8684-4E2B-9841-475BC8EC36B7}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uStart Page = hxxp://cbs3.com/

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

FF - ProfilePath - c:\documents and settings\Joe\Application Data\Mozilla\Firefox\Profiles\cnulpwrn.default\

FF - prefs.js: browser.startup.homepage - hxxp://philadelphia.cbslocal.com/

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll



---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

- - - - ORPHANS REMOVED - - - -



WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)







**************************************************************************



catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-10-03 09:58

Windows 5.1.2600 Service Pack 3 NTFS



scanning hidden processes ...



scanning hidden autostart entries ...



scanning hidden files ...



scan completed successfully

hidden files: 0



**************************************************************************



Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net



device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x854CEC76]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xf7602f28

\Driver\ACPI -> ACPI.sys @ 0xf7475cb8

\Driver\atapi -> atapi.sys @ 0xf7407852

IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579014

ParseProcedure -> ntkrnlpa.exe @ 0x80577c76

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579014

ParseProcedure -> ntkrnlpa.exe @ 0x80577c76

NDIS: Realtek RTL8139/810x Family Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf7314bd4

PacketIndicateHandler -> NDIS.sys @ 0xf7320a21

SendHandler -> NDIS.sys @ 0xf7314d44

user & kernel MBR OK



**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------



[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"



[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001



[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"



[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"



[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"



[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"



[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"



[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------



- - - - - - - > 'winlogon.exe'(860)

c:\windows\system32\WININET.dll

c:\windows\system32\Ati2evxx.dll



- - - - - - - > 'lsass.exe'(920)

c:\windows\system32\WININET.dll



- - - - - - - > 'explorer.exe'(748)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\program files\Ahead\InCD\InCDsrv.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\Common Files\Symantec Shared\ccSetMgr.exe

c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\windows\RTHDCPL.EXE

c:\windows\system32\HDAShCut.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Cisco Systems\VPN Client\cvpnd.exe

c:\program files\Symantec AntiVirus\DefWatch.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Maxtor\Sync\SyncServices.exe

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\program files\Symantec AntiVirus\Rtvscan.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\msiexec.exe

.

**************************************************************************

.

Completion time: 2010-10-03 10:03:09 - machine was rebooted

ComboFix-quarantined-files.txt 2010-10-03 14:03



Pre-Run: 145,871,745,024 bytes free

Post-Run: 145,790,001,152 bytes free



WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect



- - End Of File - - 1F69214D6184001209D105F78D28F492



DDS.txt:



DDS (Ver_10-03-17.01) - NTFSx86

Run by Joe at 10:06:33.82 on Sun 10/03/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.895.391 [GMT -4:00]



AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}



============== Running Processes ===============



C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Ahead\InCD\InCDsrv.exe

svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\HDAShCut.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe

C:\QUICKENW\QWDLLS.EXE

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINDOWS\system32\svchost.exe -k hpdevmgmt

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\system32\msiexec.exe

C:\WINDOWS\explorer.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe

C:\Documents and Settings\Joe\Desktop\dds.scr



============== Pseudo HJT Report ===============



uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uStart Page = hxxp://cbs3.com/

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll

TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll

TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll

EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll

uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy2\TeaTimer.exe

mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [vptray] c:\progra~1\symant~1\VPTray.exe

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [MMTray] "c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe"

mRun: [mmtask] "c:\program files\musicmatch\musicmatch jukebox\mmtask.exe"

mRun: [InCD] c:\program files\ahead\incd\InCD.exe

mRun: [OpwareSE2] "c:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"

mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"

mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask .exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume

mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

StartupFolder: c:\docume~1\joe\startm~1\programs\startup\billmi~1.lnk - c:\quickenw\BILLMIND.EXE

StartupFolder: c:\docume~1\joe\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

StartupFolder: c:\documents and settings\joe\start menu\programs\startup\PowerReg Scheduler V3.exe

StartupFolder: c:\docume~1\joe\startm~1\programs\startup\quicke~1.lnk - c:\quickenw\QWDLLS.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{871df2be-41d2-4334-ac33-839af16fc8fe}\Icon3E5562ED7.ico

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy2\SDHelper.dll

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133238776908

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\pkmcdo.dll

Notify: AtiExtEvent - Ati2evxx.dll

Notify: NavLogon - c:\windows\system32\NavLogon.dll



================= FIREFOX ===================



FF - ProfilePath - c:\docume~1\joe\applic~1\mozilla\firefox\profiles\cnulpwrn.default\

FF - prefs.js: browser.startup.homepage - hxxp://philadelphia.cbslocal.com/

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll



---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);



============= SERVICES / DRIVERS ===============



R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-2-4 324232]

R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-2-4 53896]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-4-8 185968]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-4-8 161392]

R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-4-17 1706176]

R3 EraserUtilDrv11010;EraserUtilDrv11010;c:\program files\common files\symantec shared\eengine\EraserUtilDrv11010.sys [2010-10-3 102448]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20101002.003\naveng.sys [2010-10-3 86064]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20101002.003\navex15.sys [2010-10-3 1371184]

S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-4-8 83568]

S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]

S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-4-17 124608]

S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]



=============== Created Last 30 ================



2010-10-03 13:22:17 0 d-sha-r- C:\cmdcons

2010-10-03 13:17:51 98816 ----a-w- c:\windows\sed.exe

2010-10-03 13:17:51 77312 ----a-w- c:\windows\MBR.exe

2010-10-03 13:17:51 256512 ----a-w- c:\windows\PEV.exe

2010-10-03 13:17:51 161792 ----a-w- c:\windows\SWREG.exe

2010-09-28 23:49:34 0 ----a-w- c:\documents and settings\joe\defogger_reenable

2010-09-22 22:19:16 0 d-----w- c:\docume~1\alluse~1\applic~1\McAfee Security Scan

2010-09-22 22:18:56 0 d-----w- c:\program files\McAfee Security Scan

2010-09-22 20:19:05 112 ----a-w- c:\docume~1\alluse~1\applic~1\Y1LDai.dat

2010-09-21 12:49:18 0 d-----w- C:\$AVG

2010-09-21 03:20:27 0 d---a-w- C:\.Trash-999

2010-09-19 23:46:29 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys

2010-09-19 20:28:15 0 d-----w- c:\program files\Spybot - Search & Destroy2

2010-09-19 12:49:03 0 d-----w- c:\docume~1\alluse~1\applic~1\Update

2010-09-16 20:59:49 0 d-----w- c:\docume~1\joe\applic~1\Malwarebytes

2010-09-16 20:59:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-09-16 20:59:02 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-09-16 20:59:02 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-09-16 20:59:02 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-09-15 20:14:03 1324 ----a-w- c:\windows\system32\d3d9caps.dat



==================== Find3M ====================



2010-09-22 20:17:01 94724 ----a-w- c:\windows\system32\HDAShCut.exe

2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe

2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll

2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2010-07-17 09:00:04 423656 ----a-w- c:\windows\system32\deployJava1.dll

2008-08-23 20:14:40 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082320080824\index.dat



============= FINISH: 10:07:47.18 ===============

Attached Files
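The ComboFix output above carries two signals that can be pulled out mechanically: a file list in which ordinary program names appear with blank space before `.exe` (`Reader_sl .exe`, `ccApp .exe`, the heavily padded `qttask` entry), and Run-key lines whose target ComboFix printed with `[X]` or `[N/A]` instead of a date and size. The script below is an added example written for this page; it is not code from the thread, from ComboFix or from DDS. It parses those two sections in the format ComboFix prints them, flags padded names, entries without file metadata and bare filenames, and joins the two lists so each padded file is paired with the Run entry that launches its un-padded name. The sample lines are constructed here from entries in the log; reading `[X]` as ComboFix's marker for a target it could not find is this example's interpretation; the checks are plain string rules and nothing is read from the registry or from disk.

```python
"""Triage helpers for ComboFix "Reg Loading Points" lines and its padded-name file list.

Added example for this thread, not ComboFix/DDS code. Sample input is constructed
below in ComboFix's own line format; nothing is read from the registry or disk.
"""
import re
from typing import Dict, List, Optional

# Constructed sample in the "Reg Loading Points" format, modelled on the log above.
SAMPLE_RUN_KEYS = r'''
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy2\TeaTimer.exe" [2009-03-05 2260480]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2010-09-22 94724]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [N/A]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
'''

# Constructed sample of the file list ComboFix printed in its code box.
SAMPLE_FILE_LIST = r'''
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\Common Files\Symantec Shared\ccApp .exe
c:\program files\QuickTime\qttask .exe
c:\windows\system32\HDAShCut .exe
c:\windows\system32\NeroCheck.exe
'''

RUN_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*\[(?P<status>[^\]]*)\]$')
PADDED_EXT = re.compile(r'\S\s+\.exe$', re.IGNORECASE)


def has_padded_extension(path: str) -> bool:
    """True for names like 'qttask .exe': one or more blanks between the stem and '.exe'."""
    return PADDED_EXT.search(path.strip()) is not None


def companion_of(path: str) -> str:
    """Collapse the padding: 'qttask .exe' -> 'qttask.exe' (the name a Run key would use)."""
    return re.sub(r'\s+(\.exe)$', r'\1', path.strip(), flags=re.IGNORECASE)


def exe_from_command(cmd: str) -> str:
    """Cut a Run-key command line down to the executable, dropping arguments like -atboottime."""
    m = re.match(r'(.*?\.exe)', cmd, re.IGNORECASE)
    return m.group(1).strip() if m else cmd.strip()


def parse_run_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one '"name"="command" [status]' line; status is a date+size, X or N/A."""
    m = RUN_LINE.match(line.strip())
    if m is None:
        return None
    return {"name": m.group("name"), "exe": exe_from_command(m.group("cmd")),
            "status": m.group("status").strip()}


def triage_run_keys(text: str) -> List[Dict[str, str]]:
    """Return the Run entries a reviewer should look at, with the reason for each."""
    findings = []
    for raw in text.splitlines():
        entry = parse_run_line(raw)
        if entry is None:
            continue
        exe, reasons = entry["exe"], []
        if has_padded_extension(exe):
            reasons.append("whitespace before .exe; compare with %r" % companion_of(exe))
        if entry["status"] == "X":
            reasons.append("target marked [X]: ComboFix could not find the file")
        elif entry["status"] == "N/A":
            reasons.append("no timestamp/size reported ([N/A])")
        if "\\" not in exe:
            reasons.append("bare filename; resolved through the search path at logon")
        if reasons:
            findings.append({"name": entry["name"], "exe": exe, "reasons": "; ".join(reasons)})
    return findings


def padded_files(text: str) -> List[Dict[str, str]]:
    """Every listed file with a padded extension, plus the un-padded name it sits beside."""
    return [{"padded": p.strip(), "unpadded": companion_of(p)}
            for p in text.splitlines() if has_padded_extension(p)]


def companion_pairs(run_text: str, file_text: str) -> List[Dict[str, object]]:
    """Join the two lists: which Run entry launches a name that has a padded twin on disk."""
    by_unpadded = {f["unpadded"].lower(): f["padded"] for f in padded_files(file_text)}
    pairs = []
    for raw in run_text.splitlines():
        entry = parse_run_line(raw)
        if entry is None:
            continue
        key = companion_of(entry["exe"]).lower()
        if key in by_unpadded:
            pairs.append({"name": entry["name"], "launched": entry["exe"],
                          "padded_twin": by_unpadded[key], "status": entry["status"],
                          "launches_padded_name": has_padded_extension(entry["exe"])})
    return pairs


if __name__ == "__main__":
    for f in triage_run_keys(SAMPLE_RUN_KEYS):
        print("RUN  %-45s %s" % (f["name"], f["reasons"]))
    for p in companion_pairs(SAMPLE_RUN_KEYS, SAMPLE_FILE_LIST):
        print("PAIR %-45s launches %r, twin on disk %r" % (p["name"], p["launched"], p["padded_twin"]))
```

Against a real log, pass the text of the Reg Loading Points block to `triage_run_keys` and the code-box file list to `padded_files` or `companion_pairs`; because the padding check uses `\s+`, the entry with many spaces before `.exe` is caught the same way as the single-space ones. A padded name is only a pointer to look at both files side by side; which of the pair is the original program and which is a dropped copy is a judgement for whoever handles the case, not something the script decides.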



#4 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:12:38 PM

Posted 03 October 2010 - 09:52 AM

Hi,
  • Please download Rootkit Unhooker and save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers, Stealth, Files, Code Hooks. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note: you may get this warning; it is OK, just ignore it.

Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?



Please download MBRCheck to your desktop.

1. Double-click MBRCheck.exe to run it (right-click and Run as Administrator on Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log in your reply.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#5 danzec

danzec
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:38 AM

Posted 03 October 2010 - 06:24 PM

Below are the requested logs, ty.

RkU Version: 3.8.388.590, Type LE (SR2)

==============================================

OS Name: Windows XP

Version 5.1.2600 (Service Pack 3)

Number of processors #1

==============================================

>Drivers

==============================================

0xEC9A8000 C:\WINDOWS\system32\drivers\RtkHDAud.sys 4083712 bytes (Realtek Semiconductor Corp., Realtek® High Definition Audio Function Driver)

0xBF0BF000 C:\WINDOWS\System32\ati3duag.dll 2412544 bytes (ATI Technologies Inc. , ati3duag.dll)

0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2066816 bytes (Microsoft Corporation, NT Kernel & System)

0x804D7000 PnpManager 2066816 bytes

0x804D7000 RAW 2066816 bytes

0x804D7000 WMIxWDM 2066816 bytes

0xBF800000 Win32k 1855488 bytes

0xBF800000 C:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver)

0xF5BDE000 C:\WINDOWS\system32\DRIVERS\ati2mtag.sys 1368064 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)

0xAF831000 C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20101002.003\navex15.sys 1368064 bytes (Symantec Corporation, AV Engine)

0xBF30C000 C:\WINDOWS\System32\ativvaxx.dll 602112 bytes (ATI Technologies Inc. , Radeon Video Acceleration Universal Driver)

0xB00EF000 C:\WINDOWS\system32\Drivers\CVPNDRVA.sys 589824 bytes (Cisco Systems, Inc., Cisco Systems VPN Client IPSec Driver)

0xF732B000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)

0xB3B26000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)

0xB3AC8000 C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys 385024 bytes (Symantec Corporation, Symantec Eraser Control Driver)

0xF5A61000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)

0xB3C71000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)

0xAFFD0000 C:\WINDOWS\system32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)

0xB3EA9000 C:\Program Files\Symantec AntiVirus\savrt.sys 348160 bytes (Symantec Corporation, AutoProtect)

0xAFBF7000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)

0xB3C31000 C:\WINDOWS\System32\Drivers\SYMTDI.SYS 262144 bytes (Symantec Corporation, Network Dispatch Driver)

0xBF012000 C:\WINDOWS\System32\ati2dvag.dll 258048 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)

0xBF051000 C:\WINDOWS\System32\ati2cqag.dll 233472 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)

0xBF08A000 C:\WINDOWS\System32\atikvmag.dll 217088 bytes (ATI Technologies Inc., Virtual Command And Memory Manager)

0xF5ABF000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)

0xF746F000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)

0xB01A7000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)

0xF72FE000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)

0xF5A35000 C:\WINDOWS\system32\drivers\windrvr6.sys 180224 bytes (Jungo, WinDriver Device Driver 6.22)

0xAF433000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)

0xB3B96000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)

0xF5B5B000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)

0xB3BE3000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)

0xF7419000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)

0xB3C0B000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)

0xAF45E000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)

0xEC984000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))

0xF5BA6000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)

0xF5B83000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)

0xB3BC1000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)

0x806D0000 ACPI_HAL 131840 bytes

0x806D0000 C:\WINDOWS\system32\hal.dll 131840 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)

0xF73E1000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)

0xF743F000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)

0xF5B17000 C:\WINDOWS\system32\DRIVERS\dne2000.sys 122880 bytes (Deterministic Networks, Inc., Deterministic Network Enhancer)

0xAFA1F000 C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11010.sys 118784 bytes (Symantec Corporation, Symantec Eraser Utility Driver)

0xB3E8C000 C:\Program Files\Symantec\SYMEVENT.SYS 118784 bytes (Symantec Corporation, Symantec Event Library)

0xF72E4000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)

0xB3CDD000 C:\WINDOWS\System32\Drivers\InCDfs.SYS 102400 bytes (Nero AG, InCD File System Driver)

0xF7401000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)

0xB3AB0000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes

0xF73B8000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)

0xF5B00000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))

0xB0529000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)

0xAF81D000 C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20101002.003\naveng.sys 81920 bytes (Symantec Corporation, AV Engine)

0xF5B47000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)

0xB3E78000 C:\Program Files\Symantec AntiVirus\Savrtpel.sys 81920 bytes (Symantec Corporation, SAVRTPEL)

0xF5BCA000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)

0xB3CCA000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)

0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)

0xF5B35000 C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys 73728 bytes (Realtek Semiconductor Corporation , Realtek 10/100/1000 NDIS 5.1 Driver )

0xF73CF000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)

0xF745E000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)

0xF5AEF000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)

0xF767E000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)

0xF76AE000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)

0xF762E000 C:\WINDOWS\system32\DRIVERS\nic1394.sys 65536 bytes (Microsoft Corporation, IEEE1394 Ndis Miniport and Call Manager)

0xF75AE000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)

0xF76CE000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)

0xB492E000 C:\WINDOWS\system32\DRIVERS\arp1394.sys 61440 bytes (Microsoft Corporation, IP/1394 Arp Client)

0xF780E000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)

0xF76BE000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)

0xECEB8000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)

0xF77FE000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)

0xF75BE000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)

0xF76EE000 C:\WINDOWS\system32\DRIVERS\AmdK8.sys 57344 bytes (Advanced Micro Devices, AMD Processor Driver)

0xF75FE000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)

0xF76DE000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)

0xF76FE000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)

0xF75DE000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)

0xF771E000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)

0xF6DD1000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)

0xF769E000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)

0xF75CE000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)

0xF770E000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)

0xF759E000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)

0xF77EE000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)

0xF773E000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)

0xF75EE000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)

0xF772E000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)

0xED307000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)

0xAF4AD000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)

0xECE88000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)

0xB4C1F000 C:\ComboFix\catchme.sys 32768 bytes

0xF798E000 C:\WINDOWS\System32\DRIVERS\InCDPass.sys 32768 bytes (Nero AG, Ahead RW Filter Driver)

0xF78C6000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)

0xF797E000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)

0xF799E000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)

0xF7996000 C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys 28672 bytes (GEAR Software Inc., CD/DVD Class Filter Driver)

0xF7986000 C:\WINDOWS\System32\Drivers\incdrm.SYS 28672 bytes (Nero AG, Ahead MRW Filter Driver)

0xF781E000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)

0xF79A6000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)

0xEB76B000 C:\DOCUME~1\Joe\LOCALS~1\Temp\mbr.sys 24576 bytes

0xF7866000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)

0xEB733000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)

0xB527F000 C:\WINDOWS\system32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)

0xF7896000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)

0xF7826000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)

0xF7876000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)

0xF782E000 PxHelp20.sys 20480 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)

0xF787E000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)

0xF786E000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)

0xF7976000 C:\WINDOWS\system32\DRIVERS\usbohci.sys 20480 bytes (Microsoft Corporation, OHCI USB Miniport Driver)

0xF5DDA000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)

0xF7A5A000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)

0xB06C2000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)

0xF7A3A000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)

0xF79B2000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)

0xF7A96000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)

0xB95C5000 C:\WINDOWS\System32\Drivers\InCDrec.SYS 12288 bytes (Nero AG, InCD File System Recognizer)

0xF7A3E000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)

0xB53DB000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)

0xF7B18000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)

0xF7AA0000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)

0xF7B1C000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes

0xF7B0A000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)

0xF7B28000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)

0xB2786000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)

0xB278A000 C:\WINDOWS\system32\Drivers\PROCEXP113.SYS 8192 bytes

0xF7B30000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)

0xF7AD6000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)

0xF7AE0000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)

0xF7A9E000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)

0x8549F000 C:\WINDOWS\system32\KDCOM.DLL 7040 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)

0xF7C6A000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)

0xF7C03000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)

0xF7C17000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)

0xF7B66000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)

!!!!!!!!!!!Hidden driver: 0x854CEABF ?_empty_? 1345 bytes

==============================================

>Stealth

==============================================

0xF7401000 WARNING: suspicious driver modification [atapi.sys::0x854CEABF]

==============================================

>Files

==============================================

!-->[Hidden] C:\Config.Msi\1529d17.rbs

==============================================

>Hooks

==============================================

ntkrnlpa.exe+0x0002AC38, Type: Inline - RelativeJump 0x80501C38-->80501C3B [ntkrnlpa.exe]

ntkrnlpa.exe+0x0006AA9A, Type: Inline - RelativeJump 0x80541A9A-->80541AA1 [ntkrnlpa.exe]

[3008]svchost.exe-->mswsock.dll+0x00004057, Type: Inline - RelativeJump 0x71A54057-->00000000 [unknown_code_page]

[3008]svchost.exe-->mswsock.dll+0x0000433A, Type: Inline - RelativeJump 0x71A5433A-->00000000 [unknown_code_page]

[3008]svchost.exe-->mswsock.dll+0x00005847, Type: Inline - RelativeJump 0x71A55847-->00000000 [unknown_code_page]

[3008]svchost.exe-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump 0x7C90E47C-->00000000 [unknown_code_page]

[3008]svchost.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00000000 [unknown_code_page]

[3008]svchost.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x7C90DFAE-->00000000 [unknown_code_page]

[3008]svchost.exe-->user32.dll-->GetCursorPos, Type: Inline - RelativeJump 0x7E42974E-->00000000 [unknown_code_page]

[748]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->00000000 [shimeng.dll]

[748]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->00000000 [shimeng.dll]

[748]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->00000000 [shimeng.dll]

[748]explorer.exe-->mswsock.dll+0x00004057, Type: Inline - RelativeJump 0x71A54057-->00000000 [unknown_code_page]

[748]explorer.exe-->mswsock.dll+0x0000433A, Type: Inline - RelativeJump 0x71A5433A-->00000000 [unknown_code_page]

[748]explorer.exe-->mswsock.dll+0x00005847, Type: Inline - RelativeJump 0x71A55847-->00000000 [unknown_code_page]

[748]explorer.exe-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump 0x7C90E47C-->00000000 [unknown_code_page]

[748]explorer.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00000000 [unknown_code_page]

[748]explorer.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x7C90DFAE-->00000000 [unknown_code_page]

[748]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->00000000 [shimeng.dll]

[748]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->00000000 [shimeng.dll]


-----

MBRCheck, version 1.2.3

© 2010, AD



Command-line:

Windows Version: Windows XP Professional

Windows Information: Service Pack 3 (build 2600)

Logical Drives Mask: 0x0000001d



Kernel Drivers (total 134):




Processes (total 44):

0 System Idle Process

4 System

752 C:\WINDOWS\system32\smss.exe

808 csrss.exe

860 C:\WINDOWS\system32\winlogon.exe

908 C:\WINDOWS\system32\services.exe

920 C:\WINDOWS\system32\lsass.exe

1096 C:\WINDOWS\system32\ati2evxx.exe

1116 C:\WINDOWS\system32\svchost.exe

1200 svchost.exe

1332 C:\Program Files\Ahead\InCD\InCDsrv.exe

1636 svchost.exe

1764 C:\WINDOWS\system32\ati2evxx.exe

1840 svchost.exe

2000 C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

132 C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

340 C:\WINDOWS\system32\spoolsv.exe

564 C:\WINDOWS\RTHDCPL.exe

592 C:\WINDOWS\system32\HDAShCut.exe

716 C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

784 C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe

1148 C:\QUICKENW\QWDLLS.EXE

2008 svchost.exe

976 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

1268 C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

1624 C:\Program Files\Symantec AntiVirus\DefWatch.exe

1988 C:\WINDOWS\system32\svchost.exe

2072 C:\Program Files\Java\jre6\bin\jqs.exe

2136 C:\Program Files\Maxtor\Sync\SyncServices.exe

2408 C:\WINDOWS\system32\svchost.exe

2544 C:\WINDOWS\system32\svchost.exe

2596 C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

2740 C:\WINDOWS\system32\svchost.exe

2796 C:\Program Files\Symantec AntiVirus\Rtvscan.exe

2840 wdfmgr.exe

3812 alg.exe

748 C:\WINDOWS\explorer.exe

4072 C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe

3892 C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe

3396 C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe

3700 C:\WINDOWS\system32\msiexec.exe

1324 C:\WINDOWS\system32\svchost.exe

1160 C:\Program Files\Adobe\Reader 9.0\Reader\Eula.exe

572 C:\Documents and Settings\Joe\Desktop\MBRCheck.exe



\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)



PhysicalDrive0 Model Number: WDCWD1600JB-00GVC0, Rev: 08.02D08



Size Device Name MBR Status

--------------------------------------------

149 GB \\.\PhysicalDrive0 Windows XP MBR code detected

SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A





Done!
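Added example, not the thread's or Rootkit Unhooker's own code: a small triage parser for the RkU report above, run over a constructed subset of its lines. It pulls out the hidden driver, the atapi.sys modification and the hooks, confirms that the modification's address is the hidden driver's address, and counts per process the inline hooks whose owner is unknown_code_page (code not backed by any loaded module); the verdict labels are this example's own heuristics, not RkU's.

```python
"""Triage helper for Rootkit Unhooker (RkU) LE reports (added example)."""
import re
from collections import Counter

# Constructed sample: a subset of the report lines quoted in the post above.
SAMPLE_REPORT = r"""
>Drivers
==============================================
0xF7401000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
!!!!!!!!!!!Hidden driver: 0x854CEABF ?_empty_? 1345 bytes
==============================================
>Stealth
==============================================
0xF7401000 WARNING: suspicious driver modification [atapi.sys::0x854CEABF]
==============================================
>Files
==============================================
!-->[Hidden] C:\Config.Msi\1529d17.rbs
==============================================
>Hooks
==============================================
ntkrnlpa.exe+0x0002AC38, Type: Inline - RelativeJump 0x80501C38-->80501C3B [ntkrnlpa.exe]
[3008]svchost.exe-->mswsock.dll+0x00004057, Type: Inline - RelativeJump 0x71A54057-->00000000 [unknown_code_page]
[3008]svchost.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x7C90DFAE-->00000000 [unknown_code_page]
[748]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->00000000 [shimeng.dll]
[748]explorer.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00000000 [unknown_code_page]
"""

HIDDEN_DRIVER_RE = re.compile(r"^!+Hidden driver: 0x([0-9A-Fa-f]+) (\S+) (\d+) bytes")
STEALTH_RE = re.compile(
    r"^0x([0-9A-Fa-f]+) WARNING: suspicious driver modification \[(.+?)::0x([0-9A-Fa-f]+)\]")
HIDDEN_FILE_RE = re.compile(r"^!-->\[Hidden\] (.+)$")
HOOK_RE = re.compile(
    r"^(?:\[(\d+)\](\S+?)-->)?"          # optional "[pid]process-->" (user-mode hooks)
    r"(.+?), Type: (.+?) "               # hooked target, hook type
    r"0x([0-9A-Fa-f]+)-->([0-9A-Fa-f]+)"  # hooked address --> destination
    r" \[(.+?)\]$"                       # module that owns the hooking code
)


def classify_hook(hook):
    """Example heuristic: who owns the code the hook jumps to?"""
    owner = hook["owner"]
    if owner == "unknown_code_page":
        # The jump lands in memory no loaded module accounts for: the
        # footprint of injected code, seen here in svchost.exe and explorer.exe.
        return "suspicious"
    if hook["target"].startswith(owner):
        return "self-patch"        # a module patched by code inside itself
    return "owned-by-module"       # owner is a loaded module; review it


def parse_report(text):
    findings = {"hidden_drivers": [], "modified_drivers": [], "hidden_files": [], "hooks": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):
            continue
        if line.startswith(">"):
            section = line[1:].lower()
            continue
        if section == "drivers" and (m := HIDDEN_DRIVER_RE.match(line)):
            findings["hidden_drivers"].append(
                {"address": int(m.group(1), 16), "name": m.group(2), "size": int(m.group(3))})
        elif section == "stealth" and (m := STEALTH_RE.match(line)):
            findings["modified_drivers"].append(
                {"base": int(m.group(1), 16), "driver": m.group(2), "patch_address": int(m.group(3), 16)})
        elif section == "files" and (m := HIDDEN_FILE_RE.match(line)):
            findings["hidden_files"].append(m.group(1))
        elif section == "hooks" and (m := HOOK_RE.match(line)):
            pid, proc, target, kind, addr, dest, owner = m.groups()
            hook = {"pid": int(pid) if pid else None, "process": proc or "kernel",
                    "target": target, "type": kind, "address": int(addr, 16),
                    "dest": int(dest, 16), "owner": owner}
            hook["verdict"] = classify_hook(hook)
            findings["hooks"].append(hook)
    # Correlate: a driver modification whose patch address equals a hidden
    # driver's address means the hidden code is what patched that driver.
    hidden = {d["address"] for d in findings["hidden_drivers"]}
    for mod in findings["modified_drivers"]:
        mod["patched_by_hidden_driver"] = mod["patch_address"] in hidden
    return findings


def suspicious_hooks_per_process(findings):
    counts = Counter()
    for h in findings["hooks"]:
        if h["verdict"] == "suspicious":
            counts[f'{h["process"]}[{h["pid"]}]' if h["pid"] else h["process"]] += 1
    return dict(counts)


if __name__ == "__main__":
    result = parse_report(SAMPLE_REPORT)
    for mod in result["modified_drivers"]:
        print(f'{mod["driver"]} patched from 0x{mod["patch_address"]:08X}, '
              f'hidden driver: {mod["patched_by_hidden_driver"]}')
    print("suspicious hooks per process:", suspicious_hooks_per_process(result))
```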

#6 Blade81
    Bleepin' Rocker
  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 03 October 2010 - 11:51 PM

Hi,

Open Notepad and then copy and paste the three lines below into it. Go to File > Save As, name the file fixes.bat, change the Save as type to All Files, and save it to your desktop.
@ECHO OFF
"C:\Documents and Settings\Joe\Desktop\MBRCheck.exe" -s 0 -d c:\MBR_dump.dat
DEL %0

Double-click on fixes.bat file to execute it. Ensure that c:\MBR_backup.dat file exists. Please archive it into a zip file. Then upload the zip file to this website. Kindly include a link to this topic in the message.

Do you have your XP Professional installation cd handy?

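An added example, not the thread's or MBRCheck's own code, of what a defender can check in a raw MBR dump such as the c:\MBR_dump.dat that fixes.bat writes: the 0x55AA boot signature, the partition table (the first partition's byte offset is what MBRCheck reports as "at offset 0x...7e00"), and a SHA1 over the 440-byte bootstrap area compared against a known-good list. Assumptions: the sample sector is constructed, and whether MBRCheck hashes exactly those 440 bytes is not stated in the thread, so the reported SHA1 is not reused here.

```python
"""Parse and sanity-check a raw 512-byte MBR dump (added example)."""
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 440        # bytes 0..439: bootstrap code
DISK_SIG_OFF = 440        # 4-byte disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446      # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xAA"
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr():
    """Constructed 512-byte MBR for testing; not a dump of any real disk."""
    code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]).ljust(BOOTCODE_LEN, b"\x00")
    disk_sig = struct.pack("<I", 0xDEADBEEF)            # constructed disk signature
    # One active NTFS (0x07) partition starting at LBA 63, as XP's default layout does.
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 312475648)
    table = entry + b"\x00" * (16 * 3)
    mbr = code + disk_sig + b"\x00\x00" + table + BOOT_SIGNATURE
    assert len(mbr) == SECTOR
    return mbr


def parse_mbr(data):
    if len(data) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    sector = data[:SECTOR]
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype == 0 and count == 0:
            continue                                   # empty slot
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count,
                      "byte_offset": lba * SECTOR})    # 63 * 512 == 0x7E00
    return {
        "boot_signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "disk_signature": struct.unpack("<I", sector[DISK_SIG_OFF:DISK_SIG_OFF + 4])[0],
        "bootcode_sha1": hashlib.sha1(sector[:BOOTCODE_LEN]).hexdigest().upper(),
        "partitions": parts,
    }


def check_mbr(data, known_bootcode_sha1s=frozenset()):
    """Return (parsed info, list of findings). Empty findings == nothing odd."""
    info = parse_mbr(data)
    findings = []
    if not info["boot_signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["bootcode_sha1"] not in known_bootcode_sha1s:
        # Unknown bootstrap code is exactly what an MBR infection looks like.
        findings.append("bootstrap code hash not in known-good list: " + info["bootcode_sha1"])
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition flagged bootable")
    # Overlapping entries are a classic sign of a tampered partition table.
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in info["partitions"])
    for (_s1, e1), (s2, _e2) in zip(spans, spans[1:]):
        if s2 < e1:
            findings.append(f"partition overlap at LBA {s2}")
    return info, findings


if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_mbr()
    info, findings = check_mbr(raw)
    print(f"bootcode SHA1: {info['bootcode_sha1']}")
    for p in info["partitions"]:
        print(f"partition {p['index']}: type 0x{p['type']:02X} at offset 0x{p['byte_offset']:X}")
    print("findings:", findings or "none")
```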


#7 danzec
  • Topic Starter
  • Members
  • 9 posts

Posted 04 October 2010 - 07:57 AM

Uploaded MBR_dump.dat to website. MBR_backup.dat did not exist.


Yes, I have the Win XP installation CD.

thank you



#8 Blade81
    Bleepin' Rocker
  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 04 October 2010 - 08:50 AM

Sorry, misspelt the file name there. It was MBR_dump.dat that was expected to be created, not MBR_backup.dat. So that went fine.


Insert the XP Pro CD and restart the computer. If prompted, select any options required to boot from the CD.
When the text-based part of Setup begins, follow the prompts; choose the repair or recover option by pressing R. When prompted, type the Administrator password (press Enter if none is set). That should take you to the system prompt.

Type the following command and press Enter (answer yes to the confirmation):
fixmbr

Then type:
exit (press Enter to exit the Recovery Console)


After getting back to Windows, run Rootkit UnHooker again.



#9 danzec
  • Topic Starter
  • Members
  • 9 posts

Posted 04 October 2010 - 11:40 AM

Ran fixmbr; below is the new Rootkit Unhooker log:

RkU Version: 3.8.388.590, Type LE (SR2)

==============================================

OS Name: Windows XP

Version 5.1.2600 (Service Pack 3)

Number of processors #1

==============================================

>Drivers

==============================================

0xEE5D5000 C:\WINDOWS\system32\drivers\RtkHDAud.sys 4083712 bytes (Realtek Semiconductor Corp., Realtek® High Definition Audio Function Driver)

0xBF0BF000 C:\WINDOWS\System32\ati3duag.dll 2412544 bytes (ATI Technologies Inc. , ati3duag.dll)

0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2066816 bytes (Microsoft Corporation, NT Kernel & System)

0x804D7000 PnpManager 2066816 bytes

0x804D7000 RAW 2066816 bytes

0x804D7000 WMIxWDM 2066816 bytes

0xBF800000 Win32k 1855488 bytes

0xBF800000 C:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver)

0xF6C14000 C:\WINDOWS\system32\DRIVERS\ati2mtag.sys 1368064 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)

0xB73D4000 C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20101003.002\navex15.sys 1368064 bytes (Symantec Corporation, AV Engine)

0xBF30C000 C:\WINDOWS\System32\ativvaxx.dll 602112 bytes (ATI Technologies Inc. , Radeon Video Acceleration Universal Driver)

0xB7CB4000 C:\WINDOWS\system32\Drivers\CVPNDRVA.sys 589824 bytes (Cisco Systems, Inc., Cisco Systems VPN Client IPSec Driver)

0xF7329000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)

0xED911000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)

0xED8B3000 C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys 385024 bytes (Symantec Corporation, Symantec Eraser Control Driver)

0xF6A6F000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)

0xEDA84000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)

0xB7B95000 C:\WINDOWS\system32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)

0xEE55C000 C:\Program Files\Symantec AntiVirus\savrt.sys 348160 bytes (Symantec Corporation, AutoProtect)

0xB77E4000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)

0xEDA44000 C:\WINDOWS\System32\Drivers\SYMTDI.SYS 262144 bytes (Symantec Corporation, Network Dispatch Driver)

0xBF012000 C:\WINDOWS\System32\ati2dvag.dll 258048 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)

0xBF051000 C:\WINDOWS\System32\ati2cqag.dll 233472 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)

0xBF08A000 C:\WINDOWS\System32\atikvmag.dll 217088 bytes (ATI Technologies Inc., Virtual Command And Memory Manager)

0xF6ACD000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)

0xF746D000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)

0xB7D6C000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)

0xF72FC000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)

0xF6A43000 C:\WINDOWS\system32\drivers\windrvr6.sys 180224 bytes (Jungo, WinDriver Device Driver 6.22)

0xB7651000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)

0xED981000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)

0xF6B91000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)

0xED9CE000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)

0xF7417000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)

0xEDA1E000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)

0xB80EC000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)

0xEE5B1000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))

0xF6BDC000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)

0xF6BB9000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)

0xED9AC000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)

0x806D0000 ACPI_HAL 131840 bytes

0x806D0000 C:\WINDOWS\system32\hal.dll 131840 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)

0xF73DF000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)

0xF743D000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)

0xF6B4D000 C:\WINDOWS\system32\DRIVERS\dne2000.sys 122880 bytes (Deterministic Networks, Inc., Deterministic Network Enhancer)

0xB7522000 C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11010.sys 118784 bytes (Symantec Corporation, Symantec Eraser Utility Driver)

0xEE53F000 C:\Program Files\Symantec\SYMEVENT.SYS 118784 bytes (Symantec Corporation, Symantec Event Library)

0xF72E2000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)

0xEDAF0000 C:\WINDOWS\System32\Drivers\InCDfs.SYS 102400 bytes (Nero AG, InCD File System Driver)

0xF73FF000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)

0xED89B000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes

0xF73B6000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)

0xF6B36000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))

0xB80D7000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)

0xB73C0000 C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20101003.002\naveng.sys 81920 bytes (Symantec Corporation, AV Engine)

0xF6B7D000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)

0xEE52B000 C:\Program Files\Symantec AntiVirus\Savrtpel.sys 81920 bytes (Symantec Corporation, SAVRTPEL)

0xF6C00000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)

0xEDADD000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)

0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)

0xF6B6B000 C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys 73728 bytes (Realtek Semiconductor Corporation , Realtek 10/100/1000 NDIS 5.1 Driver )

0xF73CD000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)

0xF745C000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)

0xF6B25000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)

0xF77FC000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)

0xF6DA2000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)

0xF762C000 C:\WINDOWS\system32\DRIVERS\nic1394.sys 65536 bytes (Microsoft Corporation, IEEE1394 Ndis Miniport and Call Manager)

0xF75AC000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)

0xF6D82000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)

0xF77AC000 C:\WINDOWS\system32\DRIVERS\arp1394.sys 61440 bytes (Microsoft Corporation, IP/1394 Arp Client)

0xF76CC000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)

0xF6D92000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)

0xB82D8000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)

0xF76BC000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)

0xF75BC000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)

0xF6D62000 C:\WINDOWS\system32\DRIVERS\AmdK8.sys 57344 bytes (Advanced Micro Devices, AMD Processor Driver)

0xF75FC000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)

0xF6D72000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)

0xF763C000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)

0xF75DC000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)

0xF765C000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)

0xF77DC000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)

0xF6DB2000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)

0xF75CC000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)

0xF764C000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)

0xF759C000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)

0xF76AC000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)

0xF767C000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)

0xF75EC000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)

0xF766C000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)

0xF77BC000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)

0xB796D000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)

0xF779C000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)

0xF7984000 C:\WINDOWS\System32\DRIVERS\InCDPass.sys 32768 bytes (Nero AG, Ahead RW Filter Driver)

0xF7924000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)

0xF7974000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)

0xF7994000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)

0xF798C000 C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys 28672 bytes (GEAR Software Inc., CD/DVD Class Filter Driver)

0xF797C000 C:\WINDOWS\System32\Drivers\incdrm.SYS 28672 bytes (Nero AG, Ahead MRW Filter Driver)

0xF781C000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)

0xF799C000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)

0xF79A4000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)

0xF790C000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)

0xF787C000 C:\WINDOWS\system32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)

0xF791C000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)

0xF7824000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)

0xF786C000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)

0xF782C000 PxHelp20.sys 20480 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)

0xF7874000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)

0xF7864000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)

0xF796C000 C:\WINDOWS\system32\DRIVERS\usbohci.sys 20480 bytes (Microsoft Corporation, OHCI USB Miniport Driver)

0xF794C000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)

0xF72AE000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)

0xB84D8000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)

0xF7A8C000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)

0xF79AC000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)

0xF7A74000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)

0xF6B11000 C:\WINDOWS\System32\Drivers\InCDrec.SYS 12288 bytes (Nero AG, InCD File System Recognizer)

0xF7A90000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)

0xF6B01000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)

0xF7AF8000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)

0xF7AA0000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)

0xF7B48000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes

0xF7AE4000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)

0xF7A9C000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)

0xF7B06000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)

0xF7B08000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)

0xF7B0A000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)

0xF7AC6000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)

0xF7AC8000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)

0xF7A9E000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)

0xF7C6D000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)

0xF7B8E000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)

0xF7B89000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)

0xF7B64000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)

==============================================

>Stealth

==============================================

==============================================

>Files

==============================================

!-->[Hidden] C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\AYQ5XHJI\3A%252F%252Fnhost.667733.information-seeking[1].com%252Fjump2%252F%253Faffiliate%253Dnhost%2526subid%253D667733%2526terms%253Dtoyota%252520prius%252520hybridm

==============================================

>Hooks

==============================================

ntkrnlpa.exe+0x0006AA9A, Type: Inline - RelativeJump 0x80541A9A-->80541AA1 [ntkrnlpa.exe]

[1896]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->00000000 [shimeng.dll]

[1896]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->00000000 [shimeng.dll]

[1896]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->00000000 [shimeng.dll]

[1896]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->00000000 [shimeng.dll]

[1896]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->00000000 [shimeng.dll]

[1896]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x3D9314B0-->00000000 [shimeng.dll]

[1896]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C-->00000000 [shimeng.dll]


#10 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:12:38 PM

Posted 04 October 2010 - 12:33 PM

Good. Now please run ComboFix again and post back its log.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#11 danzec

danzec
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:05:38 AM

Posted 04 October 2010 - 01:56 PM

Somewhere along the line Symantec AntiVirus broke... it is running but not showing in the tray. I keep getting a prompt to insert the Symantec CD; however, I do not have it here. It is probably at my parents'. I managed to get the auto-protect off by canceling the Symantec insert CD boxes.

Computer seems to be working better.....

New combofix log:

ComboFix 10-10-02.02 - Joe 10/04/2010 14:32:20.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.895.345 [GMT -4:00]
Running from: c:\documents and settings\Joe\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((( Files Created from 2010-09-04 to 2010-10-04 )))))))))))))))))))))))))))))))
.

2010-10-04 13:59 . 2010-10-04 13:59 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2010-10-04 12:51 . 2010-10-04 12:51 508 ----a-w- C:\MBR_dump.zip
2010-10-04 12:48 . 2010-10-04 12:48 512 ----a-w- C:\MBR_dump.dat
2010-09-28 23:55 . 2010-09-28 23:55 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
2010-09-27 17:42 . 2010-09-27 17:42 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
2010-09-26 19:14 . 2010-09-26 19:14 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Identities
2010-09-22 22:22 . 2010-09-22 22:19 53632 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-09-22 22:21 . 2010-09-22 22:21 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-09-22 22:19 . 2010-09-22 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-09-22 22:19 . 2010-09-22 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2010-09-22 22:18 . 2010-10-04 13:59 -------- d-----w- c:\program files\McAfee Security Scan
2010-09-22 22:14 . 2010-09-22 22:14 0 ----a-w- c:\windows\nsreg.dat
2010-09-22 22:14 . 2010-09-22 22:14 -------- d-----w- c:\documents and settings\Joe\Local Settings\Application Data\Mozilla
2010-09-22 15:57 . 2010-09-22 15:57 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-09-21 12:49 . 2010-09-21 12:49 -------- d-----w- C:\$AVG
2010-09-21 03:20 . 2010-09-21 03:20 -------- d---a-w- C:\.Trash-999
2010-09-19 23:46 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-09-19 20:28 . 2010-09-21 19:15 -------- d-----w- c:\program files\Spybot - Search & Destroy2
2010-09-19 20:22 . 2010-09-19 20:22 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-09-19 12:49 . 2010-09-19 14:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-09-16 20:59 . 2010-09-16 20:59 -------- d-----w- c:\documents and settings\Joe\Application Data\Malwarebytes
2010-09-16 20:59 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-16 20:59 . 2010-09-16 20:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-16 20:59 . 2010-09-16 20:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-16 20:59 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-15 23:46 . 2010-09-15 23:46 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-09-15 23:45 . 2010-09-15 23:45 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-09-15 20:14 . 2010-10-04 13:52 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-15 20:12 . 2010-09-15 20:12 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-04 18:29 . 2005-11-29 05:53 -------- d-----w- c:\program files\Symantec AntiVirus
2010-10-04 12:21 . 2010-09-22 20:19 112 ----a-w- c:\documents and settings\All Users\Application Data\Y1LDai.dat
2010-10-03 13:51 . 2009-02-27 01:27 -------- d-----w- c:\program files\QuickTime
2010-10-03 13:50 . 2009-02-27 01:28 -------- d-----w- c:\program files\iTunes
2010-10-03 13:50 . 2005-11-29 05:53 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-09-22 22:26 . 2005-12-25 22:56 -------- d-----w- c:\program files\Common Files\Adobe
2010-09-22 20:17 . 2005-01-07 22:07 94724 ----a-w- c:\windows\system32\HDAShCut.exe
2010-09-19 20:29 . 2007-07-08 17:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-09-19 20:24 . 2005-12-25 23:26 -------- d-----w- c:\program files\Spybot - Search & Destroy 1.1
2010-09-19 20:23 . 2007-07-08 17:04 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-09-10 17:59 . 2005-12-25 22:56 -------- d-----w- c:\program files\Common Files\Java
2010-09-10 17:59 . 2006-03-17 20:29 -------- d-----w- c:\program files\Java
2010-08-17 13:17 . 2004-08-03 22:56 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-06 19:50 . 2010-08-06 19:50 503808 ----a-w- c:\documents and settings\Joe\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-743a81c7-n\msvcp71.dll
2010-08-06 19:50 . 2010-08-06 19:50 499712 ----a-w- c:\documents and settings\Joe\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-743a81c7-n\jmc.dll
2010-08-06 19:50 . 2010-08-06 19:50 61440 ----a-w- c:\documents and settings\Joe\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-3445b709-n\decora-sse.dll
2010-08-06 19:50 . 2010-08-06 19:50 348160 ----a-w- c:\documents and settings\Joe\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-743a81c7-n\msvcr71.dll
2010-08-06 19:50 . 2010-08-06 19:50 12800 ----a-w- c:\documents and settings\Joe\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-3445b709-n\decora-d3d.dll
2010-07-22 15:49 . 2004-08-03 22:56 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2009-04-17 13:28 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-17 09:00 . 2010-05-12 17:46 423656 ----a-w- c:\windows\system32\deployJava1.dll
.
CODE
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\Ahead\InCD\InCD .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Common Files\Symantec Shared\ccApp .exe
c:\program files\HP\Digital Imaging\bin\hpqSRMon .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\Maxtor\OneTouch Status\maxmenumgr .exe
c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr .exe
c:\program files\MusicMatch\MusicMatch Jukebox\mmtask .exe
c:\program files\MusicMatch\MusicMatch Jukebox\mm_tray .exe
c:\program files\QuickTime\qttask                                                                                                       .exe
c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2 .exe
c:\program files\Symantec AntiVirus\VPTray .exe
c:\windows\system32\HDAShCut .exe


((((((((((((((((((((((((((((( SnapShot@2010-10-03_13.57.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-10-04 14:08 . 2010-10-04 14:08 16384 c:\windows\Temp\Perflib_Perfdata_1a8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy2\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2010-09-22 94724]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 14854144]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [N/A]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [N/A]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"MMTray"="c:\program files\MusicMatch\MusicMatch Jukebox\mm_tray.exe" [N/A]
"mmtask"="c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [N/A]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [N/A]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [N/A]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [N/A]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [N/A]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [N/A]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [N/A]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [N/A]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [N/A]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [N/A]

c:\documents and settings\Joe\Start Menu\Programs\Startup\
Billminder.lnk - c:\quickenw\BILLMIND.EXE [2001-3-3 30208]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
PowerReg Scheduler V3.exe [2006-3-31 225280]
Quicken Startup.lnk - c:\quickenw\QWDLLS.EXE [2001-3-3 27136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
VPN Client.lnk - c:\windows\Installer\{871DF2BE-41D2-4334-AC33-839AF16FC8FE}\Icon3E5562ED7.ico [2009-11-24 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Atari\\Deer Hunter 2004\\DH2004.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=

S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 8:49 AM 227232]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [4/17/2005 1:30 PM 124608]

--- Other Services/Drivers In Memory ---

*Deregistered* - EraserUtilDrv11010
*Deregistered* - EraserUtilRebootDrv
*Deregistered* - Normandy

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-09-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

2010-10-04 c:\windows\Tasks\User_Feed_Synchronization-{DDEE7C09-8684-4E2B-9841-475BC8EC36B7}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://cbs3.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\documents and settings\Joe\Application Data\Mozilla\Firefox\Profiles\cnulpwrn.default\
FF - prefs.js: browser.startup.homepage - hxxp://philadelphia.cbslocal.com/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-04 14:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(848)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1996)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-10-04 14:41:34
ComboFix-quarantined-files.txt 2010-10-04 18:41
ComboFix2.txt 2010-10-03 14:03

Pre-Run: 145,723,768,832 bytes free
Post-Run: 145,779,748,864 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 9A57526C3D8136849E04F7585295CF83


#12 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:12:38 PM

Posted 05 October 2010 - 12:06 AM

Hi again,

Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:
  • Run Spybot-S&D in Advanced Mode
  • If it is not already set to do this, go to the Mode menu and select Advanced Mode
  • On the left hand side, click on Tools
  • Then click on the Resident icon in the list
  • Uncheck Resident TeaTimer and OK any prompts.
  • Restart your computer


Open notepad and copy/paste the text in the quotebox below into it:

CODE
RenV::
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\Ahead\InCD\InCD .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Common Files\Symantec Shared\ccApp .exe
c:\program files\HP\Digital Imaging\bin\hpqSRMon .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\Maxtor\OneTouch Status\maxmenumgr .exe
c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr .exe
c:\program files\MusicMatch\MusicMatch Jukebox\mmtask .exe
c:\program files\MusicMatch\MusicMatch Jukebox\mm_tray .exe
c:\program files\QuickTime\qttask                                                                                                       .exe
c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2 .exe
c:\program files\Symantec AntiVirus\VPTray .exe
c:\windows\system32\HDAShCut .exe
DDS::
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File



Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.



Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Uninstall these old Javas:
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 6
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
Java™ SE Runtime Environment 6 Update 1



Download ATF (Atribune Temp File) Cleaner by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.


Post back its report, a fresh dds.txt log and the above-mentioned ComboFix resultant log.


Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.
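The RenV:: list in the post above targets executables whose names carry whitespace before the `.exe` extension (for example `qttask .exe`), and the post asks for a Kaspersky Online Scanner report that lists hits as `<path> Infected: <threat> <count>`. The script below is an added example for triaging such a report, not part of this thread's instructions and not code from ComboFix or Kaspersky. It parses report lines, sorts each hit by where it sits (AV quarantine, ComboFix's Qoobox quarantine, a System Restore point, the Java deployment cache, or a live location), and flags the padded-extension naming pattern. The sample lines are constructed for the example, modelled on the paths in this thread; the restore-point GUID is a placeholder.

```python
import re
from collections import Counter

# Constructed sample in the Kaspersky Online Scanner 7 report line format
# ("<path> Infected: <threat> <count>"). Paths are modelled on the ones
# posted in this thread; the restore-point GUID is a placeholder.
SAMPLE_REPORT = r"""
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07780000\4FF90F81.VBN Infected: Packed.Win32.Klone.k 1
C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\15\25b8b8f-53aad2be Infected: Exploit.Java.Agent.f 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask   .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{PLACEHOLDER-GUID}\RP6\A0001503.exe Infected: Trojan.Win32.Powp.gen 1
C:\Program Files\Example\helper .exe Infected: Trojan.Win32.Powp.gen 1
"""

# One report line: the path may itself contain spaces, so match it lazily
# up to the literal " Infected: " separator.
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")

# Whitespace sandwiched between the base name and the extension ("qttask .exe").
PADDED_EXT_RE = re.compile(r"\S\s+\.[A-Za-z0-9]+$")


def parse_report(text):
    """Return one dict per 'File name / Threat' line; other lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append({"path": m["path"], "threat": m["threat"], "count": int(m["count"])})
    return hits


def classify(path):
    """Where a hit sits decides its urgency: quarantine copies and restore-point
    snapshots are inert until restored; the Java cache and anything else are live."""
    low = path.lower()
    if low.startswith(r"c:\qoobox\quarantine"):
        return "combofix-quarantine"
    if r"\symantec antivirus corporate edition\7.5\quarantine" in low:
        return "av-quarantine"
    if r"\system volume information\_restore" in low:
        return "restore-point"
    if r"\sun\java\deployment\cache" in low:
        return "java-cache"
    return "live"


def original_name(path):
    """Base name with ComboFix's '.vir' quarantine suffix removed."""
    name = path.rsplit("\\", 1)[-1]
    return name[:-4] if name.lower().endswith(".vir") else name


def has_padded_extension(path):
    """True for names like 'qttask .exe', the pattern the RenV:: directive renames."""
    return PADDED_EXT_RE.search(original_name(path)) is not None


def triage(text):
    """Summarise a report: counts by location and threat, padded names, live hits."""
    hits = parse_report(text)
    by_location = Counter(classify(h["path"]) for h in hits)
    by_threat = Counter(h["threat"] for h in hits)
    padded = sorted({original_name(h["path"]) for h in hits if has_padded_extension(h["path"])})
    needs_action = [h["path"] for h in hits if classify(h["path"]) in ("live", "java-cache")]
    return {
        "by_location": dict(by_location),
        "by_threat": dict(by_threat),
        "padded_names": padded,
        "needs_action": needs_action,
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run against a real report, the location counts show at a glance how much of a long hit list is already neutralised (AV and ComboFix quarantine, restore points) versus what still needs attention, and the padded-name list gives the entries a RenV:: block would have to cover.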


#13 danzec

  • Topic Starter

Posted 05 October 2010 - 01:13 PM

Kaspersky, DDS and Combofix logs:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, October 5, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, October 05, 2010 11:10:02
Records in database: 4281827
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Objects scanned: 67264
Threats found: 15
Infected objects found: 284
Suspicious objects found: 0
Scan duration: 01:48:34


File name / Threat / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07780000\4FF90F81.VBN Infected: Packed.Win32.Klone.k 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C80000\4FDE07EE.VBN Infected: Trojan-Downloader.Win32.Suurch.bwd 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C80001\4FDE0833.VBN Infected: Trojan-Downloader.Win32.Suurch.bwd 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C80002\4FDE0871.VBN Infected: Trojan-Downloader.Win32.Suurch.bwd 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C80003\4FDE08B3.VBN Infected: Trojan-Downloader.Win32.Suurch.bwd 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C80004\4FDE0A0D.VBN Infected: Trojan-Downloader.Win32.Suurch.bwd 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C80005\4FDE0A76.VBN Infected: Trojan-Downloader.Win32.Suurch.bwd 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C80006\4FDE0AE3.VBN Infected: Trojan-Downloader.Win32.Suurch.bwd 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C80007\4FDE0B4E.VBN Infected: Trojan-Downloader.Win32.Suurch.bwd 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C80008\4FDE0C61.VBN Infected: Trojan-Downloader.Win32.Suurch.bwd 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C80009.VBN Infected: Trojan-Downloader.Win32.Suurch.bwd 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C8000A.VBN Infected: Trojan-Downloader.Win32.Suurch.bwd 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07C8000B.VBN Infected: Trojan-Downloader.Win32.Suurch.bwd 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B4C0000\4FDE1D97.VBN Infected: Trojan-Downloader.Win32.Suurch.bwd 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B4C0001\4FDE1FD5.VBN Infected: Trojan-Downloader.Win32.Suurch.bwd 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B4C0002\4FDE224A.VBN Infected: Trojan-Downloader.Win32.Suurch.bwd 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B4C0003\4FDE3C3D.VBN Infected: Trojan-Downloader.Win32.Suurch.bwd 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B4C0004\4FDE3C82.VBN Infected: Trojan-Downloader.Win32.Suurch.bwd 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B4C0005\4FDE3CD8.VBN Infected: Trojan-Downloader.Win32.Suurch.bwd 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B4C0006\4FDE3D0D.VBN Infected: Trojan-Downloader.Win32.Suurch.bwd 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B4C0007\4FDE3E83.VBN Infected: Trojan-Downloader.Win32.Suurch.bwd 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B4C0008\4FDE40E1.VBN Infected: Trojan-Downloader.Win32.Suurch.bwd 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B4C0009\4FDE4363.VBN Infected: Trojan-Downloader.Win32.Suurch.bwd 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B4C000A\4FDE676E.VBN Infected: Trojan-Downloader.Win32.Suurch.bwd 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B4C000B\4FDE6821.VBN Infected: Trojan-Downloader.Win32.Suurch.bwd 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B4C000C\4FDE68C6.VBN Infected: Trojan-Downloader.Win32.Suurch.bwd 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B4C000D\4FDE692A.VBN Infected: Trojan-Downloader.Win32.Suurch.bwd 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B4C000E\4FDE6987.VBN Infected: Trojan-Downloader.Win32.Suurch.bwd 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B4C000F\4FDE6A06.VBN Infected: Trojan-Downloader.Win32.Suurch.bwd 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B4C0010\4FDE6A73.VBN Infected: Trojan-Downloader.Win32.Suurch.bwd 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B4C0011\4FDE6AE3.VBN Infected: Trojan-Downloader.Win32.Suurch.bwd 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B4C0012\4FDE6B53.VBN Infected: Trojan-Downloader.Win32.Suurch.bwd 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B4C0013\4FDE6DCB.VBN Infected: Trojan-Downloader.Win32.Suurch.bwd 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B4C0014\4FDE7050.VBN Infected: Trojan-Downloader.Win32.Suurch.bwd 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C280000\4CBA5948.VBN Infected: Packed.Win32.Klone.k 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D000000\4D915AB6.VBN Infected: Exploit.JS.Pdfka.cop 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DB40002.VBN Infected: Trojan-Downloader.Java.Agent.ft 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DB40002.VBN Infected: Trojan-Downloader.Java.Agent.fu 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DB40002.VBN Infected: Trojan-Downloader.Java.Agent.fv 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DB40003.VBN Infected: Trojan-Downloader.Java.Agent.ft 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DB40003.VBN Infected: Trojan-Downloader.Java.Agent.fu 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DB40003.VBN Infected: Trojan-Downloader.Java.Agent.fv 1
C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\15\25b8b8f-53aad2be Infected: Trojan-Downloader.Java.Agent.fx 1
C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\15\25b8b8f-53aad2be Infected: Exploit.Java.Agent.f 1
C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\15\25b8b8f-53aad2be Infected: Trojan-Downloader.Java.Agent.fy 1
C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\60\686c0d7c-2cca7b72 Infected: Trojan.Java.Agent.ab 1
C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\60\686c0d7c-2cca7b72 Infected: Trojan.Java.Agent.aa 1
C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\60\686c0d7c-2cca7b72 Infected: Trojan.Java.Agent.ac 1
C:\Qoobox\Quarantine\C\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\Ahead\InCD\InCD.exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\Common Files\Java\Java Update\jusched.exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\Common Files\Symantec Shared\ccApp.exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\iTunes\iTunesHelper.exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\Mozilla Firefox\searchplugins\google_search.xml.vir Infected: Trojan.Win32.Clicker.hd 1
C:\Qoobox\Quarantine\C\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\QuickTime\qttask.exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\Qoobox\Quarantine\C\PROGRA~1\SYMANT~1\VPTray.exe.vir Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001503.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001504.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001505.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001506.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001507.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001508.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001509.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001510.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001511.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001512.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001513.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001514.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001515.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001516.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001517.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001518.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001519.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001520.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001521.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001522.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001523.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001524.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001525.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001526.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001527.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001528.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001529.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001530.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001531.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001532.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001533.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001534.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001535.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001536.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001537.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001538.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001539.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001540.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001541.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001542.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001543.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001544.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001545.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001546.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001547.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001548.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001549.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001550.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001551.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001552.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001553.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001554.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001555.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001556.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001557.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001558.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001559.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001560.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001561.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001562.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001563.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001564.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001565.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001566.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001567.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001568.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001569.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001570.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001571.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001572.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001573.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001574.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001575.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001576.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001577.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001578.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001579.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001580.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001581.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001582.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001583.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001584.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001585.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001586.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001587.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001588.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001589.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001590.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001591.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001592.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001593.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001594.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001595.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001596.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001597.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001598.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001599.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001600.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001601.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001602.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001603.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001604.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001605.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001606.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001607.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001608.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001609.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001610.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001611.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001612.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001613.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001614.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001615.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001616.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001617.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP6\A0001618.exe Infected: Trojan.Win32.Powp.gen 1
C:\System Volume Information\_restore{8AA10F86-67BE-4600-B4F7-B29F4DCD2176}\RP8\A0002396.exe Infected: Trojan.Win32.Powp.gen 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YPAD8N07\default[1] Infected: Trojan.HTML.Fraud.bp 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YPAD8N07\default[2] Infected: Trojan.HTML.Fraud.bp 1

Selected area has been scanned.



DDS (Ver_10-03-17.01) - NTFSx86
Run by Joe at 14:09:16.34 on Tue 10/05/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.895.452 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\QUICKENW\QWDLLS.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\Joe\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://cbs3.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [MMTray] "c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe"
mRun: [mmtask] "c:\program files\musicmatch\musicmatch jukebox\mmtask.exe"
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
mRun: [OpwareSE2] "c:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"
mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask .exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\joe\startm~1\programs\startup\billmi~1.lnk - c:\quickenw\BILLMIND.EXE
StartupFolder: c:\docume~1\joe\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\documents and settings\joe\start menu\programs\startup\PowerReg Scheduler V3.exe
StartupFolder: c:\docume~1\joe\startm~1\programs\startup\quicke~1.lnk - c:\quickenw\QWDLLS.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{871df2be-41d2-4334-ac33-839af16fc8fe}\Icon3E5562ED7.ico
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\npjpi160_21.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy2\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133238776908
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\pkmcdo.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\joe\applic~1\mozilla\firefox\profiles\cnulpwrn.default\
FF - prefs.js: browser.startup.homepage - hxxp://philadelphia.cbslocal.com/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-2-4 324232]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-2-4 53896]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-4-8 185968]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-4-8 161392]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-4-17 1706176]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20101004.003\naveng.sys [2010-10-4 86064]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20101004.003\navex15.sys [2010-10-4 1371184]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-4-8 83568]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-4-17 124608]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2010-10-05 13:31:45 0 d-----w- c:\windows\system32\appmgmt
2010-10-05 12:45:35 0 d-sha-r- C:\cmdcons
2010-10-04 12:51:41 508 ----a-w- C:\MBR_dump.zip
2010-10-04 12:48:56 512 ----a-w- C:\MBR_dump.dat
2010-10-03 13:17:51 98816 ----a-w- c:\windows\sed.exe
2010-10-03 13:17:51 77312 ----a-w- c:\windows\MBR.exe
2010-10-03 13:17:51 256512 ----a-w- c:\windows\PEV.exe
2010-10-03 13:17:51 161792 ----a-w- c:\windows\SWREG.exe
2010-09-28 23:49:34 0 ----a-w- c:\documents and settings\joe\defogger_reenable
2010-09-22 22:19:16 0 d-----w- c:\docume~1\alluse~1\applic~1\McAfee Security Scan
2010-09-22 22:18:56 0 d-----w- c:\program files\McAfee Security Scan
2010-09-22 20:19:05 112 ----a-w- c:\docume~1\alluse~1\applic~1\Y1LDai.dat
2010-09-21 12:49:18 0 d-----w- C:\$AVG
2010-09-21 03:20:27 0 d---a-w- C:\.Trash-999
2010-09-19 23:46:29 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-09-19 20:28:15 0 d-----w- c:\program files\Spybot - Search & Destroy2
2010-09-19 12:49:03 0 d-----w- c:\docume~1\alluse~1\applic~1\Update
2010-09-16 20:59:49 0 d-----w- c:\docume~1\joe\applic~1\Malwarebytes
2010-09-16 20:59:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-16 20:59:02 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-16 20:59:02 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-16 20:59:02 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-09-15 20:14:03 1324 ----a-w- c:\windows\system32\d3d9caps.dat

==================== Find3M ====================

2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-17 09:00:04 423656 ----a-w- c:\windows\system32\deployJava1.dll
2008-08-23 20:14:40 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082320080824\index.dat

============= FINISH: 14:10:04.09 ===============


ComboFix 10-10-04.02 - Joe 10/05/2010 8:46.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.895.351 [GMT -4:00]
Running from: c:\documents and settings\Joe\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Joe\Desktop\CFScript
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((( Files Created from 2010-09-05 to 2010-10-05 )))))))))))))))))))))))))))))))
.

2010-10-04 13:59 . 2010-10-04 13:59 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2010-10-04 12:51 . 2010-10-04 12:51 508 ----a-w- C:\MBR_dump.zip
2010-10-04 12:48 . 2010-10-04 12:48 512 ----a-w- C:\MBR_dump.dat
2010-09-28 23:55 . 2010-09-28 23:55 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
2010-09-27 17:42 . 2010-09-27 17:42 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
2010-09-26 19:14 . 2010-09-26 19:14 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Identities
2010-09-22 22:22 . 2010-09-22 22:19 53632 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-09-22 22:21 . 2010-09-22 22:21 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-09-22 22:19 . 2010-09-22 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-09-22 22:19 . 2010-09-22 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2010-09-22 22:18 . 2010-10-04 13:59 -------- d-----w- c:\program files\McAfee Security Scan
2010-09-22 22:14 . 2010-09-22 22:14 0 ----a-w- c:\windows\nsreg.dat
2010-09-22 22:14 . 2010-09-22 22:14 -------- d-----w- c:\documents and settings\Joe\Local Settings\Application Data\Mozilla
2010-09-22 15:57 . 2010-09-22 15:57 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-09-21 12:49 . 2010-09-21 12:49 -------- d-----w- C:\$AVG
2010-09-21 03:20 . 2010-09-21 03:20 -------- d---a-w- C:\.Trash-999
2010-09-19 23:46 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-09-19 20:28 . 2010-09-21 19:15 -------- d-----w- c:\program files\Spybot - Search & Destroy2
2010-09-19 20:22 . 2010-09-19 20:22 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-09-19 12:49 . 2010-09-19 14:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-09-16 20:59 . 2010-09-16 20:59 -------- d-----w- c:\documents and settings\Joe\Application Data\Malwarebytes
2010-09-16 20:59 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-16 20:59 . 2010-09-16 20:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-16 20:59 . 2010-09-16 20:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-16 20:59 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-15 23:46 . 2010-09-15 23:46 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-09-15 23:45 . 2010-09-15 23:45 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-09-15 20:14 . 2010-10-04 13:52 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-15 20:12 . 2010-09-15 20:12 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-05 12:46 . 2005-11-29 05:53 -------- d-----w- c:\program files\Symantec AntiVirus
2010-10-05 12:46 . 2009-02-27 01:28 -------- d-----w- c:\program files\iTunes
2010-10-05 12:46 . 2009-02-27 01:27 -------- d-----w- c:\program files\QuickTime
2010-10-05 12:46 . 2005-11-29 05:53 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-10-05 12:31 . 2010-09-22 20:19 112 ----a-w- c:\documents and settings\All Users\Application Data\Y1LDai.dat
2010-09-22 22:26 . 2005-12-25 22:56 -------- d-----w- c:\program files\Common Files\Adobe
2010-09-19 20:29 . 2007-07-08 17:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-09-19 20:24 . 2005-12-25 23:26 -------- d-----w- c:\program files\Spybot - Search & Destroy 1.1
2010-09-19 20:23 . 2007-07-08 17:04 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-09-10 17:59 . 2005-12-25 22:56 -------- d-----w- c:\program files\Common Files\Java
2010-09-10 17:59 . 2006-03-17 20:29 -------- d-----w- c:\program files\Java
2010-08-17 13:17 . 2004-08-03 22:56 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-06 19:50 . 2010-08-06 19:50 503808 ----a-w- c:\documents and settings\Joe\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-743a81c7-n\msvcp71.dll
2010-08-06 19:50 . 2010-08-06 19:50 499712 ----a-w- c:\documents and settings\Joe\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-743a81c7-n\jmc.dll
2010-08-06 19:50 . 2010-08-06 19:50 61440 ----a-w- c:\documents and settings\Joe\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-3445b709-n\decora-sse.dll
2010-08-06 19:50 . 2010-08-06 19:50 348160 ----a-w- c:\documents and settings\Joe\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-743a81c7-n\msvcr71.dll
2010-08-06 19:50 . 2010-08-06 19:50 12800 ----a-w- c:\documents and settings\Joe\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-3445b709-n\decora-d3d.dll
2010-07-22 15:49 . 2004-08-03 22:56 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2009-04-17 13:28 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-17 09:00 . 2010-05-12 17:46 423656 ----a-w- c:\windows\system32\deployJava1.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-10-03_13.57.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-10-05 12:27 . 2010-10-05 12:27 16384 c:\windows\Temp\Perflib_Perfdata_55c.dat
+ 2007-01-29 08:58 . 2010-06-21 14:46 46080 c:\windows\system32\tzchange.exe
- 2007-01-29 08:58 . 2010-04-21 13:28 46080 c:\windows\system32\tzchange.exe
+ 2005-01-07 22:07 . 2005-01-07 22:07 61952 c:\windows\system32\HDAShCut.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 61952]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 14854144]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"MMTray"="c:\program files\MusicMatch\MusicMatch Jukebox\mm_tray.exe" [2005-03-15 135168]
"mmtask"="c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2005-03-15 53248]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2005-07-25 1397760]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-09-06 169264]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-09-26 267064]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

c:\documents and settings\Joe\Start Menu\Programs\Startup\
Billminder.lnk - c:\quickenw\BILLMIND.EXE [2001-3-3 30208]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
PowerReg Scheduler V3.exe [2006-3-31 225280]
Quicken Startup.lnk - c:\quickenw\QWDLLS.EXE [2001-3-3 27136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
VPN Client.lnk - c:\windows\Installer\{871DF2BE-41D2-4334-AC33-839AF16FC8FE}\Icon3E5562ED7.ico [2009-11-24 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Atari\\Deer Hunter 2004\\DH2004.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=

S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 8:49 AM 227232]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [4/17/2005 1:30 PM 124608]

--- Other Services/Drivers In Memory ---

*Deregistered* - EraserUtilDrv11010

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-09-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

2010-10-05 c:\windows\Tasks\User_Feed_Synchronization-{DDEE7C09-8684-4E2B-9841-475BC8EC36B7}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://cbs3.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\documents and settings\Joe\Application Data\Mozilla\Firefox\Profiles\cnulpwrn.default\
FF - prefs.js: browser.startup.homepage - hxxp://philadelphia.cbslocal.com/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(864)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3952)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-10-05 08:55:07
ComboFix-quarantined-files.txt 2010-10-05 12:55
ComboFix2.txt 2010-10-04 18:41
ComboFix3.txt 2010-10-03 14:03

Pre-Run: 145,697,325,056 bytes free
Post-Run: 145,667,678,208 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 783275BA8750B7FAC9528676AC5B092B



#14 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:12:38 PM

Posted 05 October 2010 - 01:47 PM

Hi again,

Most Kaspersky findings were already quarantined items (those in system restore & qoobox folder will be removed when ComboFix is uninstalled and system restore reset). Uninstall QuickTime Player and then reinstall latest version here (if needed).


Open notepad and copy/paste the text in the quotebox below into it:

CODE
File::
C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\15\25b8b8f-53aad2be
C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\60\686c0d7c-2cca7b72
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YPAD8N07\default[1]
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YPAD8N07\default[2]



Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.



Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log. Any issues left?

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#15 danzec

danzec
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:05:38 AM

Posted 05 October 2010 - 03:04 PM

Blade81,

Thank you for your help! I rebooted and surfed a few pages, no pop-ups, re-directs or errors. Symantec anti-virus is working again just fine as well. A few questions.

1. My parents have a Maxtor OneTouch USB backup drive. Should I take any special steps when I re-connect that drive for their backup?

2. Should I re-enable spybot realtime protection?

Below is the last ComboFix log:

ComboFix 10-10-05.01 - Joe 10/05/2010 15:31:35.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.895.379 [GMT -4:00]
Running from: c:\documents and settings\Joe\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Joe\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FILE ::
"c:\documents and settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\15\25b8b8f-53aad2be"
"c:\documents and settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\60\686c0d7c-2cca7b72"
"c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YPAD8N07\default[1]"
"c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YPAD8N07\default[2]"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\15\25b8b8f-53aad2be
c:\documents and settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\60\686c0d7c-2cca7b72
c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YPAD8N07\default[1]
c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YPAD8N07\default[2]

.
((((((((((((((((((((((((( Files Created from 2010-09-05 to 2010-10-05 )))))))))))))))))))))))))))))))
.

2010-10-05 19:23 . 2010-10-05 19:24 -------- d-----w- c:\program files\QuickTime
2010-10-04 13:59 . 2010-10-04 13:59 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2010-10-04 12:51 . 2010-10-04 12:51 508 ----a-w- C:\MBR_dump.zip
2010-10-04 12:48 . 2010-10-04 12:48 512 ----a-w- C:\MBR_dump.dat
2010-09-28 23:55 . 2010-09-28 23:55 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
2010-09-27 17:42 . 2010-09-27 17:42 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
2010-09-26 19:14 . 2010-09-26 19:14 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Identities
2010-09-22 22:22 . 2010-09-22 22:19 53632 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-09-22 22:21 . 2010-09-22 22:21 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-09-22 22:19 . 2010-09-22 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-09-22 22:19 . 2010-09-22 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2010-09-22 22:18 . 2010-10-04 13:59 -------- d-----w- c:\program files\McAfee Security Scan
2010-09-22 22:14 . 2010-09-22 22:14 0 ----a-w- c:\windows\nsreg.dat
2010-09-22 22:14 . 2010-09-22 22:14 -------- d-----w- c:\documents and settings\Joe\Local Settings\Application Data\Mozilla
2010-09-22 15:57 . 2010-09-22 15:57 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-09-21 12:49 . 2010-09-21 12:49 -------- d-----w- C:\$AVG
2010-09-21 03:20 . 2010-09-21 03:20 -------- d---a-w- C:\.Trash-999
2010-09-19 23:46 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-09-19 20:28 . 2010-09-21 19:15 -------- d-----w- c:\program files\Spybot - Search & Destroy2
2010-09-19 20:22 . 2010-09-19 20:22 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-09-19 12:49 . 2010-09-19 14:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-09-16 20:59 . 2010-09-16 20:59 -------- d-----w- c:\documents and settings\Joe\Application Data\Malwarebytes
2010-09-16 20:59 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-16 20:59 . 2010-09-16 20:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-16 20:59 . 2010-09-16 20:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-16 20:59 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-15 23:46 . 2010-09-15 23:46 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-09-15 23:45 . 2010-09-15 23:45 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-09-15 20:14 . 2010-10-04 13:52 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-15 20:12 . 2010-09-15 20:12 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-05 19:27 . 2005-11-29 05:53 -------- d-----w- c:\program files\Symantec AntiVirus
2010-10-05 19:23 . 2009-02-27 01:27 -------- d-----w- c:\program files\Common Files\Apple
2010-10-05 13:35 . 2006-03-17 20:29 -------- d-----w- c:\program files\Java
2010-10-05 12:46 . 2009-02-27 01:28 -------- d-----w- c:\program files\iTunes
2010-10-05 12:46 . 2005-11-29 05:53 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-10-05 12:31 . 2010-09-22 20:19 112 ----a-w- c:\documents and settings\All Users\Application Data\Y1LDai.dat
2010-09-22 22:26 . 2005-12-25 22:56 -------- d-----w- c:\program files\Common Files\Adobe
2010-09-19 20:29 . 2007-07-08 17:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-09-19 20:24 . 2005-12-25 23:26 -------- d-----w- c:\program files\Spybot - Search & Destroy 1.1
2010-09-19 20:23 . 2007-07-08 17:04 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-09-10 17:59 . 2005-12-25 22:56 -------- d-----w- c:\program files\Common Files\Java
2010-08-17 13:17 . 2004-08-03 22:56 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-06 19:50 . 2010-08-06 19:50 503808 ----a-w- c:\documents and settings\Joe\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-743a81c7-n\msvcp71.dll
2010-08-06 19:50 . 2010-08-06 19:50 499712 ----a-w- c:\documents and settings\Joe\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-743a81c7-n\jmc.dll
2010-08-06 19:50 . 2010-08-06 19:50 61440 ----a-w- c:\documents and settings\Joe\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-3445b709-n\decora-sse.dll
2010-08-06 19:50 . 2010-08-06 19:50 348160 ----a-w- c:\documents and settings\Joe\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-743a81c7-n\msvcr71.dll
2010-08-06 19:50 . 2010-08-06 19:50 12800 ----a-w- c:\documents and settings\Joe\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-3445b709-n\decora-d3d.dll
2010-07-22 15:49 . 2004-08-03 22:56 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2009-04-17 13:28 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-17 09:00 . 2010-05-12 17:46 423656 ----a-w- c:\windows\system32\deployJava1.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-10-03_13.57.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-10-05 12:27 . 2010-10-05 12:27 16384 c:\windows\Temp\Perflib_Perfdata_55c.dat
+ 2007-01-29 08:58 . 2010-06-21 14:46 46080 c:\windows\system32\tzchange.exe
- 2007-01-29 08:58 . 2010-04-21 13:28 46080 c:\windows\system32\tzchange.exe
+ 2005-01-07 22:07 . 2005-01-07 22:07 61952 c:\windows\system32\HDAShCut.exe
+ 2009-07-12 05:12 . 2009-07-12 05:12 632656 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcr80.dll
+ 2009-07-12 05:09 . 2009-07-12 05:09 554832 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcp80.dll
+ 2009-07-12 05:08 . 2009-07-12 05:08 479232 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcm80.dll
+ 2010-10-05 19:23 . 2010-10-05 19:23 807936 c:\windows\Installer\16ace87.msi
+ 2010-10-05 19:24 . 2010-10-05 19:24 9472000 c:\windows\Installer\16ace8b.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 61952]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 14854144]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"MMTray"="c:\program files\MusicMatch\MusicMatch Jukebox\mm_tray.exe" [2005-03-15 135168]
"mmtask"="c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2005-03-15 53248]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2005-07-25 1397760]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-09-06 169264]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-09-26 267064]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]

c:\documents and settings\Joe\Start Menu\Programs\Startup\
Billminder.lnk - c:\quickenw\BILLMIND.EXE [2001-3-3 30208]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
PowerReg Scheduler V3.exe [2006-3-31 225280]
Quicken Startup.lnk - c:\quickenw\QWDLLS.EXE [2001-3-3 27136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
VPN Client.lnk - c:\windows\Installer\{871DF2BE-41D2-4334-AC33-839AF16FC8FE}\Icon3E5562ED7.ico [2009-11-24 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Atari\\Deer Hunter 2004\\DH2004.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=

S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 8:49 AM 227232]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [4/17/2005 1:30 PM 124608]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - APPMGMT
*Deregistered* - EraserUtilDrv11010

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-09-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

2010-10-05 c:\windows\Tasks\User_Feed_Synchronization-{DDEE7C09-8684-4E2B-9841-475BC8EC36B7}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://cbs3.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\documents and settings\Joe\Application Data\Mozilla\Firefox\Profiles\cnulpwrn.default\
FF - prefs.js: browser.startup.homepage - hxxp://philadelphia.cbslocal.com/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(864)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-10-05 15:39:00
ComboFix-quarantined-files.txt 2010-10-05 19:38
ComboFix2.txt 2010-10-05 12:55
ComboFix3.txt 2010-10-04 18:41
ComboFix4.txt 2010-10-03 14:03

Pre-Run: 145,560,592,384 bytes free
Post-Run: 145,647,661,056 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 191767E5CB339BB26CE8C746AB43B915





