Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Help w/ zero access


  • This topic is locked This topic is locked
33 replies to this topic

#1 tentstake

tentstake

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:25 PM

Posted 12 October 2011 - 08:29 AM

Performed a boot scan w/ Kasperky AV and it found and deleted the zero access rootkit and repaired the MBR. I stopped there and did not run any more malware scans. Now a lot of MS services will not start. Here's my OTL scan log.

OTL logfile created on: 10/11/2011 3:06:06 PM - Run 1
OTL by OldTimer - Version 3.2.29.1 Folder = C:\Documents and Settings\Becky\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.55 Gb Available Physical Memory | 77.71% Memory free
3.85 Gb Paging File | 3.62 Gb Available in Paging File | 93.98% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 228.13 Gb Total Space | 154.74 Gb Free Space | 67.83% Space Free | Partition Type: NTFS
Drive F: | 3.72 Gb Total Space | 1.40 Gb Free Space | 37.52% Space Free | Partition Type: FAT32

Computer Name: COCEY2002 | User Name: Becky | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/10/11 14:51:56 | 000,582,656 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Becky\Desktop\OTL.exe
PRC - [2011/01/07 14:54:08 | 000,247,760 | ---- | M] (Threat Expert Ltd.) -- C:\Program Files\PC Tools Security\BDT\BDTUpdateService.exe
PRC - [2010/12/15 14:31:20 | 000,460,144 | ---- | M] () -- C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
PRC - [2010/11/19 14:38:08 | 000,193,880 | ---- | M] (LeapFrog Enterprises, Inc.) -- C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/04/13 20:12:14 | 000,389,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\cmd.exe
PRC - [2007/09/05 22:24:20 | 000,405,504 | ---- | M] (IDT, Inc.) -- C:\WINDOWS\sttray.exe
PRC - [2006/10/30 16:59:34 | 000,024,576 | ---- | M] () -- C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
PRC - [2006/09/20 08:35:26 | 000,020,480 | ---- | M] () -- C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
PRC - [2006/07/27 15:19:00 | 000,282,624 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe
PRC - [2005/11/07 06:20:00 | 000,122,940 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\DLA\DLACTRLW.EXE


========== Modules (No Company Name) ==========

MOD - [2010/12/15 14:31:20 | 000,460,144 | ---- | M] () -- C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
MOD - [2010/12/15 14:31:04 | 004,300,800 | ---- | M] () -- C:\Program Files\Flip Video\FlipShare\Core.dll
MOD - [2010/12/15 14:26:48 | 000,737,280 | ---- | M] () -- C:\Program Files\Flip Video\FlipShare\qca2.dll
MOD - [2010/10/26 08:34:12 | 011,853,824 | ---- | M] () -- C:\Program Files\Flip Video\FlipShare\QtWebKit4.dll
MOD - [2010/10/26 00:37:32 | 000,258,048 | ---- | M] () -- C:\Program Files\Flip Video\FlipShare\phonon4.dll
MOD - [2010/10/26 00:23:48 | 000,204,800 | ---- | M] () -- C:\Program Files\Flip Video\FlipShare\QtSql4.dll
MOD - [2010/10/26 00:23:34 | 008,351,744 | ---- | M] () -- C:\Program Files\Flip Video\FlipShare\QtGui4.dll
MOD - [2010/10/26 00:08:04 | 000,983,040 | ---- | M] () -- C:\Program Files\Flip Video\FlipShare\QtNetwork4.dll
MOD - [2010/10/26 00:06:28 | 000,364,544 | ---- | M] () -- C:\Program Files\Flip Video\FlipShare\QtXml4.dll
MOD - [2010/10/26 00:06:18 | 002,248,704 | ---- | M] () -- C:\Program Files\Flip Video\FlipShare\QtCore4.dll
MOD - [2010/05/20 13:49:18 | 000,258,048 | ---- | M] () -- C:\Program Files\Flip Video\FlipShare\boost_serialization-vc80-mt-1_43.dll
MOD - [2010/05/17 09:47:20 | 000,642,048 | ---- | M] () -- C:\Program Files\Flip Video\FlipShare\PocoNet.dll
MOD - [2010/05/17 09:47:20 | 000,511,488 | ---- | M] () -- C:\Program Files\Flip Video\FlipShare\PocoXML.dll
MOD - [2010/05/17 09:47:18 | 001,199,104 | ---- | M] () -- C:\Program Files\Flip Video\FlipShare\PocoFoundation.dll
MOD - [2010/02/05 14:27:45 | 001,291,776 | ---- | M] () -- C:\WINDOWS\system32\quartz.dll
MOD - [2010/01/31 23:52:12 | 008,347,648 | ---- | M] () -- C:\Program Files\LeapFrog\LeapFrog Connect\QtGui4.dll
MOD - [2010/01/31 23:52:12 | 002,244,608 | ---- | M] () -- C:\Program Files\LeapFrog\LeapFrog Connect\QtCore4.dll
MOD - [2008/04/13 20:11:59 | 000,014,336 | ---- | M] () -- C:\WINDOWS\system32\msdmo.dll
MOD - [2008/04/13 20:11:51 | 000,059,904 | ---- | M] () -- C:\WINDOWS\system32\devenum.dll
MOD - [2006/10/30 16:59:34 | 000,024,576 | ---- | M] () -- C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
MOD - [2006/09/20 08:35:26 | 000,020,480 | ---- | M] () -- C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
MOD - [2004/08/10 07:00:00 | 000,268,288 | ---- | M] () -- C:\WINDOWS\system32\sbe.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/01/28 01:15:33 | 000,066,048 | ---- | M] (PostgreSQL Global Development Group) [Disabled | Stopped] -- C:\Program Files\PostgreSQL\8.4\bin\pg_ctl.exe -- (postgresql-8.4)
SRV - [2011/01/07 14:54:08 | 000,247,760 | ---- | M] (Threat Expert Ltd.) [Auto | Running] -- C:\Program Files\PC Tools Security\BDT\BDTUpdateService.exe -- (Browser Defender Update Service)
SRV - [2010/12/15 14:31:20 | 000,460,144 | ---- | M] () [Auto | Running] -- C:\Program Files\Flip Video\FlipShare\FlipShareService.exe -- (FlipShare Service)
SRV - [2010/12/15 14:22:42 | 001,085,440 | ---- | M] () [Auto | Stopped] -- C:\Program Files\Flip Video\FlipShareServer\FlipShareServer.exe -- (FlipShareServer)
SRV - [2010/11/19 14:29:00 | 004,916,568 | ---- | M] (LeapFrog Enterprises, Inc.) [Disabled | Stopped] -- C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe -- (LeapFrog Connect Device Service)
SRV - [2010/02/25 20:21:50 | 000,126,392 | R--- | M] () [Unknown | Stopped] -- C:\Program Files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe -- (N360)


========== Driver Services (SafeList) ==========

DRV - [2011/09/29 17:35:11 | 000,816,760 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20110929.001\BHDrvx86.sys -- (BHDrvx86)
DRV - [2011/08/23 00:17:32 | 000,356,280 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20111001.030\IDSXpx86.sys -- (IDSxpx86)
DRV - [2011/08/03 21:29:37 | 001,576,312 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20111004.004\NAVEX15.SYS -- (NAVEX15)
DRV - [2011/08/03 21:29:37 | 000,086,136 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20111004.004\NAVENG.SYS -- (NAVENG)
DRV - [2011/07/27 19:03:37 | 000,374,392 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2010/05/22 18:20:36 | 000,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2010/05/06 00:01:59 | 000,361,904 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\N360\0403000.005\SYMTDI.SYS -- (SYMTDI)
DRV - [2010/04/29 01:03:51 | 000,116,784 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\N360\0403000.005\Ironx86.SYS -- (SymIRON)
DRV - [2010/04/21 23:02:20 | 000,173,104 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\N360\0403000.005\SYMEFA.SYS -- (SymEFA)
DRV - [2010/04/21 22:29:50 | 000,325,680 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\N360\0403000.005\SRTSP.SYS -- (SRTSP)
DRV - [2010/04/21 22:29:50 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\N360\0403000.005\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV - [2010/02/25 20:22:57 | 000,501,888 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\N360\0403000.005\ccHPx86.sys -- (ccHP)
DRV - [2009/10/14 23:50:05 | 000,328,752 | R--- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\N360\0403000.005\SYMDS.SYS -- (SymDS)
DRV - [2008/04/13 14:56:06 | 000,088,320 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkipx.sys -- (NwlnkIpx)
DRV - [2006/10/08 15:03:36 | 000,021,056 | ---- | M] (Webroot Software Inc (www.webroot.com)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sskbfd.sys -- (SSKBFD)
DRV - [2006/07/27 15:24:28 | 001,171,464 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2006/05/17 15:03:24 | 000,044,544 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2005/11/18 13:02:50 | 000,005,660 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2005/11/18 13:02:10 | 000,022,684 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS -- (DLARTL_N)
DRV - [2005/11/07 06:20:00 | 000,094,332 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2005/11/07 06:20:00 | 000,087,036 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2005/11/07 06:20:00 | 000,086,652 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2005/11/07 06:20:00 | 000,025,628 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2005/11/07 06:20:00 | 000,014,684 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2005/11/07 06:20:00 | 000,006,364 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2005/11/07 06:20:00 | 000,002,496 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResN.SYS -- (DLADResN)
DRV - [2004/08/10 07:00:00 | 000,063,232 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnknb.sys -- (NwlnkNb)
DRV - [2004/08/10 07:00:00 | 000,055,936 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkspx.sys -- (NwlnkSpx)
DRV - [2003/11/17 16:59:20 | 000,212,224 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2003/11/17 16:58:02 | 000,680,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2003/11/17 16:56:26 | 001,042,432 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\..\URLSearchHook: {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL LLC.)

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/?cid=081510
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\..\URLSearchHook: {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL LLC.)
IE - HKCU\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - C:\Program Files\PC Tools Security\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {BBDA0591-3099-440a-AA10-41764D9DB4DB}:2.0
FF - prefs.js..extensions.enabledItems: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62}:4.6
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:7

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@movenetworks.com/Quantum Media Player: C:\Documents and Settings\Becky\Application Data\Move Networks\plugins\npqmp071706000001.dll (Move Networks)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=8: C:\Program Files\Google\Update\1.2.183.23\npGoogleOneClick8.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@movenetworks.com/Quantum Media Player: C:\Documents and Settings\Becky\Application Data\Move Networks\plugins\npqmp071706000001.dll (Move Networks)
FF - HKCU\Software\MozillaPlugins\@yahoo.com/BrowserPlus,version=2.6.0: C:\Documents and Settings\Becky\Local Settings\Application Data\Yahoo!\BrowserPlus\2.6.0\Plugins\npybrowserplus_2.6.0.dll (Yahoo! Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users.WINDOWS\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn\ [2011/07/21 15:45:37 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\Documents and Settings\All Users.WINDOWS\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\coFFPlgn_2010_9_0_6 [2011/09/16 03:23:25 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{cb84136f-9c44-433a-9048-c5cd9df1dc16}: C:\Program Files\PC Tools Security\BDT\Firefox\ [2011/10/05 19:39:26 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\moveplayer@movenetworks.com: C:\Documents and Settings\Becky\Application Data\Move Networks [2010/08/15 08:29:56 | 000,000,000 | ---D | M]

[2010/05/19 15:47:54 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Becky\Application Data\Mozilla\Extensions
[2009/08/22 11:54:02 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Becky\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2011/08/11 06:51:13 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Becky\Application Data\Mozilla\Firefox\Profiles\6au99158.default\extensions
[2011/08/11 06:51:13 | 000,000,000 | ---D | M] (ShopAtHome.com Intelligent Shopping Toolbar) -- C:\Documents and Settings\Becky\Application Data\Mozilla\Firefox\Profiles\6au99158.default\extensions\toolbar@shopathome.com
[2011/03/18 14:32:12 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npCouponPrinter.dll
[2011/03/18 14:32:14 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npMozCouponPrinter.dll

O1 HOSTS File: ([2011/10/09 19:58:24 | 000,437,101 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 127.0.0.1 123fporn.info
O1 - Hosts: 15060 more lines...
O2 - BHO: (PC Tools Browser Guard BHO) - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\PC Tools Security\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Security Suite\Engine\4.3.0.5\coIEplg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Security Suite\Engine\4.3.0.5\ipsbho.dll (Symantec Corporation)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O2 - BHO: (AIM Toolbar Loader) - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL LLC.)
O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.)
O2 - BHO: (ShopAtHomeIEHelper Class) - {E8DAAA30-6CAA-4b58-9603-8E54238219E2} - C:\Program Files\SelectRebates\Toolbar\ShopAtHomeToolbar.dll (ShopAtHome.com)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (PC Tools Browser Guard) - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\PC Tools Security\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O3 - HKLM\..\Toolbar: (AIM Toolbar) - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL LLC.)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\4.3.0.5\coIEplg.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (ShopAtHome.com Toolbar) - {98279C38-DE4B-4bcf-93C9-8EC26069D6F4} - C:\Program Files\SelectRebates\Toolbar\ShopAtHomeToolbar.dll (ShopAtHome.com)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (AIM Toolbar) - {61539ECD-CC67-4437-A03C-9AACCBD14326} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL LLC.)
O3 - HKCU\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\4.3.0.5\coIEplg.dll (Symantec Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (ShopAtHome.com Toolbar) - {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - C:\Program Files\SelectRebates\Toolbar\ShopAtHomeToolbar.dll (ShopAtHome.com)
O4 - HKLM..\Run: [DLA] C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)
O4 - HKLM..\Run: [IDTSysTrayApp] C:\WINDOWS\sttray.exe (IDT, Inc.)
O4 - HKLM..\Run: [Monitor] C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe (LeapFrog Enterprises, Inc.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O15 - HKCU\..Trusted Domains: fcps.org ([mail] https in Trusted sites)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com/qtactivex/qtplugin.cab (QuickTime Object)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} http://downloads.ewido.net/ewidoOnlineScan.cab (ewidoOnlineScan Control)
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab (System Requirements Lab Class)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.8.cab (DLM Control)
O16 - DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} http://quickscan.bitdefender.com/qsax/qsax.cab (BitDefender QuickScan Control)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1276734322375 (MUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: Garmin Communicator Plug-In https://my.garmin.com/static/m/cab/2.6.3/GarminAxControl.CAB (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 208.67.222.222 4.2.2.2
O18 - Protocol\Filter\x-sdch {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\WRNotifier: DllName - (WRLogonNTF.dll) - File not found
O24 - Desktop WallPaper: C:\Documents and Settings\Becky\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Becky\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O30 - LSA: Authentication Packages - (nwprovau) -C:\WINDOWS\System32\nwprovau.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (C:\WINDOWS\system32\hgGwTNfg) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/08/16 04:43:04 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/10/11 15:05:58 | 000,607,260 | ---- | C] (Swearware) -- C:\Documents and Settings\Becky\Desktop\dds.scr
[2011/10/11 15:05:58 | 000,582,656 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Becky\Desktop\OTL.exe
[2011/10/11 11:26:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Hitman Pro
[2011/10/11 11:01:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Becky\Desktop\soho tools
[2011/10/11 07:41:02 | 000,000,000 | ---D | C] -- C:\Kaspersky Rescue Disk 10.0
[2011/10/09 20:00:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Becky\Application Data\Egozk
[2011/10/09 20:00:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Becky\Application Data\Ebsyco
[2011/10/09 20:00:21 | 000,000,000 | ---D | C] -- C:\Adobe
[2011/10/09 19:57:06 | 000,000,000 | ---D | C] -- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
[2011/10/09 19:57:06 | 000,000,000 | ---D | C] -- C:\Program Files\File Scanner Library (Spybot - Search & Destroy)
[2011/10/09 19:52:58 | 000,041,272 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/10/05 19:39:24 | 002,000,848 | ---- | C] (Threat Expert Ltd.) -- C:\WINDOWS\PCTBDCore.dll
[2011/10/05 19:39:24 | 001,533,904 | ---- | C] (Threat Expert Ltd.) -- C:\WINDOWS\PCTBDRes.dll
[2011/10/05 19:39:24 | 000,149,456 | ---- | C] (PC Tools) -- C:\WINDOWS\SGDetectionTool.dll
[2011/10/05 19:38:44 | 000,000,000 | ---D | C] -- C:\Program Files\PC Tools Security
[2011/10/05 19:37:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Becky\Application Data\QuickScan
[2011/10/05 19:28:02 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/10/05 16:16:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Becky\Local Settings\Application Data\NPE
[2011/10/05 16:13:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Malwarebytes' Anti-Malware
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[42 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[39 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\*.tmp files -> C:\*.tmp -> ]
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/10/11 15:03:50 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\Becky\Desktop\bzh6gbx1.exe
[2011/10/11 15:02:56 | 000,607,260 | ---- | M] (Swearware) -- C:\Documents and Settings\Becky\Desktop\dds.scr
[2011/10/11 14:51:56 | 000,582,656 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Becky\Desktop\OTL.exe
[2011/10/11 14:44:14 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/10/11 14:27:05 | 000,013,746 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/10/11 14:27:05 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/10/11 14:27:05 | 000,000,280 | ---- | M] () -- C:\WINDOWS\tasks\SmartDefrag_Startup.job
[2011/10/11 14:26:48 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/10/11 14:07:07 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\NSSstub.job
[2011/10/11 11:17:21 | 000,000,000 | ---- | M] () -- C:\WINDOWS\1749556221
[2011/10/11 11:15:57 | 000,000,248 | RHS- | M] () -- C:\boot.ini
[2011/10/09 20:00:09 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/10/09 19:55:03 | 000,041,272 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/10/09 16:42:48 | 000,000,134 | ---- | M] () -- C:\Documents and Settings\Becky\Desktop\Internet Explorer Troubleshooting.url
[2011/10/07 14:54:37 | 000,002,497 | ---- | M] () -- C:\Documents and Settings\Becky\Desktop\Microsoft Office Word 2003.lnk
[2011/10/05 19:39:33 | 000,653,226 | ---- | M] () -- C:\WINDOWS\System32\drivers\Cat.DB
[2011/10/05 16:13:13 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/10/01 13:59:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/09/29 03:00:20 | 047,369,160 | ---- | M] () -- C:\WINDOWS\System32\MRT.exe
[2011/09/26 18:17:00 | 000,001,940 | ---- | M] () -- C:\Documents and Settings\Becky\Local Settings\Application Data\{96C87F53-AC72-4604-A9CC-186A49F17F3C}.ini
[2011/09/16 18:33:13 | 000,000,245 | ---- | M] () -- C:\Documents and Settings\Becky\Desktop\Netflix.url
[2011/09/16 03:02:04 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[42 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[39 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\*.tmp files -> C:\*.tmp -> ]
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/10/11 15:05:58 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\Becky\Desktop\bzh6gbx1.exe
[2011/10/09 16:42:48 | 000,000,134 | ---- | C] () -- C:\Documents and Settings\Becky\Desktop\Internet Explorer Troubleshooting.url
[2011/10/05 19:39:52 | 000,000,884 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/10/05 19:39:52 | 000,000,880 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/10/05 19:39:25 | 000,767,952 | ---- | C] () -- C:\WINDOWS\BDTSupport.dll
[2011/10/05 19:39:24 | 000,002,125 | ---- | C] () -- C:\WINDOWS\UDB.zip
[2011/10/05 19:39:24 | 000,000,882 | ---- | C] () -- C:\WINDOWS\RegSDImport.xml
[2011/10/05 19:39:24 | 000,000,879 | ---- | C] () -- C:\WINDOWS\RegISSImport.xml
[2011/10/05 19:39:24 | 000,000,131 | ---- | C] () -- C:\WINDOWS\IDB.zip
[2011/10/05 19:39:16 | 000,653,226 | ---- | C] () -- C:\WINDOWS\System32\drivers\Cat.DB
[2011/10/04 15:58:13 | 000,000,000 | ---- | C] () -- C:\WINDOWS\1749556221
[2011/05/12 14:38:46 | 000,001,940 | ---- | C] () -- C:\Documents and Settings\Becky\Local Settings\Application Data\{96C87F53-AC72-4604-A9CC-186A49F17F3C}.ini
[2010/12/31 00:09:21 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/12/31 00:04:43 | 000,000,045 | ---- | C] () -- C:\Documents and Settings\Becky\Local Settings\Application Data\machpro.dat
[2010/07/08 07:59:30 | 000,217,180 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb0.bin
[2010/07/08 07:59:27 | 000,217,180 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb1.bin
[2010/07/08 07:59:27 | 000,000,001 | ---- | C] () -- C:\WINDOWS\System32\nvdrssel.bin
[2010/07/08 07:58:36 | 002,186,342 | ---- | C] () -- C:\WINDOWS\System32\nvdata.bin
[2009/12/30 10:44:53 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2009/08/28 15:08:22 | 008,892,928 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\atscie.msi
[2009/07/22 22:20:13 | 000,065,956 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2008/07/22 16:22:21 | 000,011,776 | ---- | C] () -- C:\WINDOWS\System32\pmsbfn32.dll
[2008/05/17 23:01:26 | 000,000,264 | ---- | C] () -- C:\WINDOWS\System32\winsusrm.dll
[2008/05/17 23:01:26 | 000,000,120 | ---- | C] () -- C:\WINDOWS\System32\winsusrx.dll
[2008/02/12 19:00:21 | 000,044,032 | ---- | C] () -- C:\Documents and Settings\Becky\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/01/19 16:27:14 | 000,002,657 | ---- | C] () -- C:\WINDOWS\DevMgr.ini
[2008/01/19 16:26:07 | 000,000,020 | ---- | C] () -- C:\WINDOWS\Hposcv07.INI
[2008/01/19 13:58:19 | 047,369,160 | ---- | C] () -- C:\WINDOWS\System32\MRT.exe
[2008/01/19 13:52:12 | 000,001,318 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/01/19 13:48:10 | 000,001,682 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2008/01/19 03:47:13 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/01/19 03:00:45 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2008/01/19 01:49:28 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\Becky\Local Settings\Application Data\fusioncache.dat
[2008/01/19 01:43:58 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2008/01/19 01:37:59 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2008/01/18 17:31:00 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2008/01/18 17:30:02 | 000,368,256 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2005/12/30 20:03:00 | 001,732,608 | R--- | C] () -- C:\WINDOWS\System32\ltmm_n.dll
[2005/12/08 21:07:00 | 000,045,056 | R--- | C] () -- C:\WINDOWS\System32\lfpcd14N.dll
[2005/03/22 18:38:24 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2005/03/22 18:38:24 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2005/02/11 22:08:00 | 000,843,776 | R--- | C] () -- C:\WINDOWS\System32\lteay14n.dll
[2005/02/11 22:08:00 | 000,688,128 | R--- | C] () -- C:\WINDOWS\System32\ltcry14n.dll
[2005/02/11 22:08:00 | 000,144,384 | R--- | C] () -- C:\WINDOWS\System32\lttls14n.dll
[2004/08/10 07:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/10 07:00:00 | 000,447,570 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/10 07:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/10 07:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/10 07:00:00 | 000,073,068 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/10 07:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/10 07:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/10 07:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/10 07:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/10 07:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2003/01/07 19:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== Alternate Data Streams ==========

@Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:430C6D84
@Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:C1DF762D
@Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:D1B5B4F1

< End of report >

Here is my GMER scan log.

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-10-12 08:56:06
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3250824AS rev.3.ADH
Running: bzh6gbx1.exe; Driver: C:\DOCUME~1\Becky\LOCALS~1\Temp\fflyrpow.sys


---- System - GMER 1.0.15 ----

SSDT 89B624D0 ZwAlertResumeThread
SSDT 89B64050 ZwAlertThread
SSDT 89CAE258 ZwAllocateVirtualMemory
SSDT 89B59058 ZwAssignProcessToJobObject
SSDT 8A4C8008 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xB3DCA210]
SSDT 89B5D9C0 ZwCreateMutant
SSDT 89B56A38 ZwCreateSymbolicLinkObject
SSDT 8A3ED220 ZwCreateThread
SSDT 89B591D0 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xB3DCA490]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB3DCA9F0]
SSDT 89CB0258 ZwDuplicateObject
SSDT 8A6038A8 ZwFreeVirtualMemory
SSDT 89B5F388 ZwImpersonateAnonymousToken
SSDT 89B61050 ZwImpersonateThread
SSDT 8A4103B8 ZwLoadDriver
SSDT 8A61BB98 ZwMapViewOfSection
SSDT 89B5C948 ZwOpenEvent
SSDT 89CB4298 ZwOpenProcess
SSDT 89B85108 ZwOpenProcessToken
SSDT 89B5AD88 ZwOpenSection
SSDT 89CB1298 ZwOpenThread
SSDT 89B57130 ZwProtectVirtualMemory
SSDT 89B6B108 ZwResumeThread
SSDT 89B73218 ZwSetContextThread
SSDT 89D25210 ZwSetInformationProcess
SSDT 89B5AB48 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB3DCAC40]
SSDT 89B5BB10 ZwSuspendProcess
SSDT 89B6B140 ZwSuspendThread
SSDT 89B931A8 ZwTerminateProcess
SSDT 89B6E248 ZwTerminateThread
SSDT 89B791A8 ZwUnmapViewOfSection
SSDT 89CBE250 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

? SYMDS.SYS The system cannot find the file specified. !
? SYMEFA.SYS The system cannot find the file specified. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB69933A0, 0x592C35, 0xE8000020]

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB19084$\2843551131 0 bytes
File C:\WINDOWS\$NtUninstallKB19084$\4246423656 0 bytes
File C:\WINDOWS\$NtUninstallKB19084$\4246423656\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB19084$\4246423656\bckfg.tmp 817 bytes
File C:\WINDOWS\$NtUninstallKB19084$\4246423656\cfg.ini 303 bytes
File C:\WINDOWS\$NtUninstallKB19084$\4246423656\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB19084$\4246423656\keywords 213 bytes
File C:\WINDOWS\$NtUninstallKB19084$\4246423656\kwrd.dll 208896 bytes
File C:\WINDOWS\$NtUninstallKB19084$\4246423656\L 0 bytes
File C:\WINDOWS\$NtUninstallKB19084$\4246423656\L\yexqtvdm 138496 bytes
File C:\WINDOWS\$NtUninstallKB19084$\4246423656\lsflt7.ver 5176 bytes
File C:\WINDOWS\$NtUninstallKB19084$\4246423656\U 0 bytes
File C:\WINDOWS\$NtUninstallKB19084$\4246423656\U\00000001.@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB19084$\4246423656\U\00000002.@ 209920 bytes
File C:\WINDOWS\$NtUninstallKB19084$\4246423656\U\80000000.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB19084$\4246423656\U\80000032.@ 71168 bytes

---- EOF - GMER 1.0.15 ----

BC AdBot (Login to Remove)

 


#2 tentstake

tentstake
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:25 PM

Posted 12 October 2011 - 08:33 AM

OTL Extras logfile created on: 10/11/2011 3:06:06 PM - Run 1
OTL by OldTimer - Version 3.2.29.1 Folder = C:\Documents and Settings\Becky\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.55 Gb Available Physical Memory | 77.71% Memory free
3.85 Gb Paging File | 3.62 Gb Available in Paging File | 93.98% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 228.13 Gb Total Space | 154.74 Gb Free Space | 67.83% Space Free | Partition Type: NTFS
Drive F: | 3.72 Gb Total Space | 1.40 Gb Free Space | 37.52% Space Free | Partition Type: FAT32

Computer Name: COCEY2002 | User Name: Becky | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE ()

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome ()
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 ()
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome ()
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome ()
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 ()
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" ()

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1723:TCP" = 1723:TCP:*:Enabled:@xpsp2res.dll,-22015
"1701:UDP" = 1701:UDP:*:Enabled:@xpsp2res.dll,-22016
"500:UDP" = 500:UDP:*:Enabled:@xpsp2res.dll,-22017

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1723:TCP" = 1723:TCP:*:Enabled:@xpsp2res.dll,-22015
"1701:UDP" = 1701:UDP:*:Enabled:@xpsp2res.dll,-22016
"500:UDP" = 500:UDP:*:Enabled:@xpsp2res.dll,-22017
"24726:TCP" = 24726:TCP:*:Enabled:FlipShareServer
"24727:TCP" = 24727:TCP:*:Enabled:FlipShareServer
"10058:UDP" = 10058:UDP:*:Enabled:UDP 10058
"11249:TCP" = 11249:TCP:*:Enabled:TCP 11249

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\LeapFrog\LeapFrog Connect\LeapFrogConnect.exe" = C:\Program Files\LeapFrog\LeapFrog Connect\LeapFrogConnect.exe:*:Enabled:LeapFrog Connect -- (LeapFrog Enterprises, Inc.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire
"C:\Program Files\AIM\aim.exe" = C:\Program Files\AIM\aim.exe:*:Enabled:AIM
"C:\Program Files\LeapFrog\LeapFrog Connect\LeapFrogConnect.exe" = C:\Program Files\LeapFrog\LeapFrog Connect\LeapFrogConnect.exe:*:Enabled:LeapFrog Connect -- (LeapFrog Enterprises, Inc.)
"C:\Program Files\Skype\Plugin Manager\skypePM.exe" = C:\Program Files\Skype\Plugin Manager\skypePM.exe:*:Enabled:Skype Extras Manager


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX850_series" = Canon MX850 series
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Roxio DLA
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1A15507A-8551-4626-915D-3D5FA095CC1B}" = Corel Paint Shop Pro X
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 11
"{301CC8D1-FE75-41ED-9B11-41F006110950}" = Garmin City Navigator North America NT 2010.10 Update
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{420DFB63-8AE7-F7D6-E4B4-AB6D140221F4}" = FlipShare
"{54BB0384-1C33-488F-A95B-877E480D3EDC}" = MSXML 4.0
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{598C4070-36FF-47A4-BF4E-F001F94451B8}" = ProntoEdit NG Setup Support
"{612C34C7-5E90-47D8-9B5C-0F717DD82726}" = swMSM
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6BDE68AC-E1A3-4591-8E37-C95BF278EDF5}" = VetPacsLite 2006
"{6C1E7AA1-44E9-446D-AAB2-0DE6D9EFEAB1}" = Safari
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{779DECD7-E072-4B56-9B6B-BEB5973EEEB5}" = MobileMe Control Panel
"{7E6066E6-8B5B-4100-B0FA-1D9E9B663CBA}" = iTunes
"{7FCC4EDC-6EE2-4309-ABD7-85F2667A7B90}" = WebEx Support Manager for Internet Explorer
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{91CA0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Small Business Edition 2003
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9C9D0F85-5658-4A5E-95A9-65F7DB2916EE}" = Broadcom 440x 10/100 Integrated Controller
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.1)
"{AE62373F-7C9D-47F7-AFDA-C1D976D7AB3E}" = Communicate In Print 2
"{B252ADE8-8F39-4CBD-89CB-5919008754FE}" = VC User CRT71 RTL X86 ---
"{B3575D00-27EF-49C2-B9E0-14B3D954E992}" = Apple Application Support
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C23CD6DA-1958-43A5-ADD0-59396572E02E}" = Apple Mobile Device Support
"{C2E4B5BD-32DB-4817-A060-341AB17C3F90}" = Bonjour
"{C4124E95-5061-4776-8D5D-E3D931C778E1}" = Microsoft VC9 runtime libraries
"{C6359569-E03E-4CDC-98E8-CDD080C6EEB5}" = LeapFrog Connect
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D2D6B9EB-C6DC-4DAA-B4DE-BB7D9735E7DA}" = Presto! PageManager 7.15.20
"{ECA1A3B6-898F-4DCE-9F04-714CF3BA126B}" = Adobe Flash Player 10 Plugin
"{F2E6EB42-B04D-4F63-853F-8016BF71B25A}" = VC User MFC71 RTL X86 ---
"{FB64BF25-3593-4E4E-AA85-84AEF1D1475F}" = Broadcom Management Programs
"{FCD9CD52-7222-4672-94A0-A722BA702FD0}" = Dell Resource CD
"{FDB3B167-F4FA-461D-976F-286304A57B2A}" = Adobe AIR
"12133444-BF36-4d4e-B7FB-A3424C645DE4" = GemMaster Mystic
"2008 Addendum Libraries" = 2008 Addendum Libraries
"8F14F2ECEDE68D26EA515B48DC25B39103C4FE8D" = Windows Driver Package - Leapfrog (Leapfrog-USBLAN) Net (09/10/2009 02.03.05.012)
"ActiveTouchMeetingClient" = WebEx
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player 11.6
"AIM Toolbar" = AIM Toolbar
"Amazon MP3 Downloader" = Amazon MP3 Downloader 1.0.9
"B3EE3001-DC24-4cd1-8743-5692C716659F" = Otto
"Boardmaker with SD Pro" = Boardmaker with SD Pro
"Browser Defender_is1" = Browser Defender 3.0
"Canon MX850 series User Registration" = Canon MX850 series User Registration
"Canon_IJ_Network_Scan_UTILITY" = Canon IJ Network Scan Utility
"Canon_IJ_Network_UTILITY" = Canon IJ Network Tool
"CanonMyPrinter" = Canon My Printer
"CanonSolutionMenu" = Canon Utilities Solution Menu
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1" = Conexant D850 56K V.9x DFVc Modem
"Coupon Printer for Windows5.0.0.1" = Coupon Printer for Windows
"Easy-PhotoPrint EX" = Canon Utilities Easy-PhotoPrint EX
"ESET Online Scanner" = ESET Online Scanner v3
"Flashback" = Flashback
"FMS" = FMS
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.2.1300
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MP Navigator EX 1.1" = Canon MP Navigator EX 1.1
"MSNINST" = MSN
"MSTTS" = Microsoft Text-to-Speech Engine 4.0 (English)
"N360" = Norton Security Suite
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"PostgreSQL 8.4" = PostgreSQL 8.4
"ProntoEdit NG" = ProntoEdit NG
"SelectRebatesUninstall" = ShopAtHome.com Toolbar
"SoftwareUpdUtility" = Download Updater (AOL LLC)
"SystemRequirementsLab" = System Requirements Lab
"UPCShell" = LeapFrog Connect
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows XP Service Pack" = Windows XP Service Pack 3
"Writing with Symbols 2000 (v2)" = Writing with Symbols 2000 (v2)

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Move Media Player" = Move Media Player
"Yahoo! BrowserPlus" = Yahoo! BrowserPlus 2.6.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 10/11/2011 11:06:53 AM | Computer Name = COCEY2002 | Source = Google Update | ID = 20
Description =

Error - 10/11/2011 11:07:27 AM | Computer Name = COCEY2002 | Source = Media Center Scheduler | ID = 0
Description =

Error - 10/11/2011 11:14:11 AM | Computer Name = COCEY2002 | Source = Google Update | ID = 20
Description =

Error - 10/11/2011 11:18:28 AM | Computer Name = COCEY2002 | Source = Google Update | ID = 20
Description =

Error - 10/11/2011 2:05:36 PM | Computer Name = COCEY2002 | Source = Google Update | ID = 20
Description =

Error - 10/11/2011 2:13:14 PM | Computer Name = COCEY2002 | Source = Google Update | ID = 20
Description =

Error - 10/11/2011 2:21:14 PM | Computer Name = COCEY2002 | Source = Google Update | ID = 20
Description =

Error - 10/11/2011 2:27:20 PM | Computer Name = COCEY2002 | Source = Google Update | ID = 20
Description =

Error - 10/11/2011 2:38:03 PM | Computer Name = COCEY2002 | Source = Google Update | ID = 20
Description =

Error - 10/11/2011 2:44:14 PM | Computer Name = COCEY2002 | Source = Google Update | ID = 20
Description =

[ System Events ]
Error - 10/11/2011 2:44:10 PM | Computer Name = COCEY2002 | Source = Service Control Manager | ID = 7003
Description = The TCP/IP NetBIOS Helper service depends on the following nonexistent
service: Afd

Error - 10/11/2011 2:44:47 PM | Computer Name = COCEY2002 | Source = Service Control Manager | ID = 7003
Description = The Network Location Awareness (NLA) service depends on the following
nonexistent service: Afd

Error - 10/11/2011 2:44:56 PM | Computer Name = COCEY2002 | Source = Service Control Manager | ID = 7003
Description = The TCP/IP NetBIOS Helper service depends on the following nonexistent
service: Afd

Error - 10/11/2011 2:45:14 PM | Computer Name = COCEY2002 | Source = Service Control Manager | ID = 7024
Description = The Background Intelligent Transfer Service service terminated with
service-specific error 2147952450 (0x80072742).

Error - 10/11/2011 2:45:24 PM | Computer Name = COCEY2002 | Source = Service Control Manager | ID = 7003
Description = The DHCP Client service depends on the following nonexistent service:
Afd

Error - 10/11/2011 2:45:38 PM | Computer Name = COCEY2002 | Source = Service Control Manager | ID = 7023
Description = The Automatic Updates service terminated with the following error:
%%2147952450

Error - 10/11/2011 2:47:10 PM | Computer Name = COCEY2002 | Source = Service Control Manager | ID = 7003
Description = The Network Location Awareness (NLA) service depends on the following
nonexistent service: Afd

Error - 10/11/2011 2:48:16 PM | Computer Name = COCEY2002 | Source = Service Control Manager | ID = 7003
Description = The Network Location Awareness (NLA) service depends on the following
nonexistent service: Afd

Error - 10/11/2011 2:50:09 PM | Computer Name = COCEY2002 | Source = Service Control Manager | ID = 7003
Description = The Network Location Awareness (NLA) service depends on the following
nonexistent service: Afd

Error - 10/11/2011 2:51:28 PM | Computer Name = COCEY2002 | Source = Service Control Manager | ID = 7003
Description = The Network Location Awareness (NLA) service depends on the following
nonexistent service: Afd


< End of report >

Edited by Budapest, 12 October 2011 - 08:31 PM.
Moved from AII ~Budapest


#3 tentstake

tentstake
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:25 PM

Posted 13 October 2011 - 04:37 PM

Now I have a second computer infected with the same thing. I tossed the gambit at it. A-squared, Hitman Pro, SAS, MBAM, Spyware Terminator, UnHack Me, Bootable Kaspersky, Bootable Bit Defender, and TDSSKiller. Only thing i have used was combo fix because the lack of a usuable internet connection with the computer.

All the same services destroyed on the first computer are also destroyed on this one also. Any ideas on how to restore them? Googling has not been helpful today.

Me really starting to hate those that code these viruses :ranting:

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:04:25 AM

Posted 16 October 2011 - 06:30 AM

Hello ,
And :welcome: to the Bleeping Computer Malware Removal Forum
. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

-------------------------------------------------------------
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new DDS log (don't forget attach.txt)

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 tentstake

tentstake
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:25 PM

Posted 18 October 2011 - 07:05 AM

Here are the results from DDS scan.


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Becky at 7:53:54 on 2011-10-18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1604 [GMT -4:00]
.
AV: Norton Security Suite *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\System32\svchost.exe -k eapsvcs
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\WINDOWS\sttray.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\Program Files\PC Tools Security\BDT\BDTUpdateService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.comcast.net/?cid=081510
uSearch Page = hxxp://www.google.com
uSearch Bar =
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
uURLSearchHooks: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\pc tools security\bdt\PCTBrowserDefender.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\pc tools security\bdt\PCTBrowserDefender.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\4.3.0.5\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\4.3.0.5\IPSBHO.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: ShopAtHomeIEHelper Class: {e8daaa30-6caa-4b58-9603-8e54238219e2} - c:\program files\selectrebates\toolbar\ShopAtHomeToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\4.3.0.5\coIEPlg.dll
TB: ShopAtHome.com Toolbar: {98279c38-de4b-4bcf-93c9-8ec26069d6f4} - c:\program files\selectrebates\toolbar\ShopAtHomeToolbar.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\pc tools security\bdt\PCTBrowserDefender.dll
TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -startup
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [WrtMon.exe] c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
mRun: [IDTSysTrayApp] sttray.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: mswsock.dll
Trusted Zone: fcps.org\mail
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.6.3/GarminAxControl.CAB
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.8.cab
DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} - hxxp://quickscan.bitdefender.com/qsax/qsax.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1276734322375
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 208.67.222.222 4.2.2.2
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: WRNotifier - WRLogonNTF.dll
LSA: Authentication Packages = msv1_0 nwprovau c:\windows\system32\hgGwTNfg
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0403000.005\symds.sys [2010-10-28 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0403000.005\symefa.sys [2010-10-28 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users.windows\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\bashdefs\20110929.001\BHDrvx86.sys [2011-9-29 816760]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0403000.005\cchpx86.sys [2010-10-28 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0403000.005\ironx86.sys [2010-10-28 116784]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\pc tools security\bdt\BDTUpdateService.exe [2011-10-5 247760]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users.windows\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\ipsdefs\20111001.030\IDSXpx86.sys [2011-10-3 356280]
S2 FlipShareServer;FlipShare Server;c:\program files\flip video\flipshareserver\FlipShareServer.exe [2010-12-15 1085440]
S2 N360;Norton Security Suite;c:\program files\norton security suite\engine\4.3.0.5\ccsvchst.exe [2010-10-28 126392]
S3 NAVENG;NAVENG;c:\documents and settings\all users.windows\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20111004.004\NAVENG.SYS [2011-10-4 86136]
S3 NAVEX15;NAVEX15;c:\documents and settings\all users.windows\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20111004.004\NAVEX15.SYS [2011-10-4 1576312]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-10-5 136176]
S4 postgresql-8.4;postgresql-8.4 - PostgreSQL Server 8.4;C:/Program Files/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N "postgresql-8.4" -D "C:/Program Files/PostgreSQL/8.4/data" -w --> C:/Program Files/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N postgresql-8.4 [?]
.
=============== Created Last 30 ================
.
2011-10-11 15:26:21 -------- d-----w- c:\documents and settings\all users.windows\application data\Hitman Pro
2011-10-11 11:41:02 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2011-10-10 00:00:25 -------- d-----w- c:\documents and settings\becky\application data\Egozk
2011-10-10 00:00:25 -------- d-----w- c:\documents and settings\becky\application data\Ebsyco
2011-10-10 00:00:21 -------- d-----w- C:\Adobe
2011-10-09 23:57:06 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2011-10-09 23:57:06 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2011-10-09 23:52:58 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-10-05 23:39:25 767952 ----a-w- c:\windows\BDTSupport.dll
2011-10-05 23:39:24 2000848 ----a-w- c:\windows\PCTBDCore.dll
2011-10-05 23:39:24 1533904 ----a-w- c:\windows\PCTBDRes.dll
2011-10-05 23:39:24 149456 ----a-w- c:\windows\SGDetectionTool.dll
2011-10-05 23:38:44 -------- d-----w- c:\program files\PC Tools Security
2011-10-05 23:37:21 -------- d-----w- c:\documents and settings\becky\application data\QuickScan
2011-10-05 23:28:02 -------- d-----w- c:\program files\ESET
2011-10-05 20:16:50 -------- d-----w- c:\documents and settings\becky\local settings\application data\NPE
.
==================== Find3M ====================
.
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-31 21:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-17 16:23:42 1682 --sha-w- c:\windows\system32\KGyGaAvL.sys
2011-07-26 00:48:46 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 7:55:07.57 ===============

Attached Files



#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:04:25 AM

Posted 18 October 2011 - 07:16 AM

Hello, unfortunately you have a nasty rootkit infection. Please read the following first.

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


COMBOFIX
---------------
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#7 tentstake

tentstake
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:25 PM

Posted 18 October 2011 - 08:27 AM

ComboFix scan results as requested

ComboFix 11-10-18.01 - Becky 10/18/2011 8:49.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1629 [GMT -4:00]
Running from: c:\documents and settings\Becky\Desktop\ComboFix.exe
AV: Norton Security Suite *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
* Created a new restore point
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
ADS - WINDOWS: deleted 0 bytes in 1 streams.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Becky\Application Data\.#
c:\documents and settings\Becky\Application Data\.#\MBX@134C@AC4030.###
c:\documents and settings\Becky\Application Data\.#\MBX@134C@AC4060.###
c:\documents and settings\Becky\Application Data\Adobe\plugs
c:\documents and settings\Becky\Application Data\Adobe\shed
c:\program files\Internet Explorer\SET41A.tmp
c:\program files\Internet Explorer\SET41B.tmp
c:\program files\Internet Explorer\SET41C.tmp
c:\program files\Internet Explorer\SET41D.tmp
c:\program files\Internet Explorer\SET41E.tmp
c:\program files\SelectRebates
c:\program files\SelectRebates\FFToolbar\chrome.manifest
c:\program files\SelectRebates\FFToolbar\chrome\sahtoolbar.jar
c:\program files\SelectRebates\FFToolbar\defaults\preferences\sahtoolbar.js
c:\program files\SelectRebates\FFToolbar\install.rdf
c:\program files\SelectRebates\SahImages\alert.png
c:\program files\SelectRebates\SahImages\check.png
c:\program files\SelectRebates\SahImages\close.png
c:\program files\SelectRebates\SelectAlerts.dat
c:\program files\SelectRebates\SelectRebates.exe
c:\program files\SelectRebates\SelectRebates.ini
c:\program files\SelectRebates\SelectRebatesA.dat
c:\program files\SelectRebates\SelectRebatesApi.exe
c:\program files\SelectRebates\SelectRebatesB.dat
c:\program files\SelectRebates\SelectRebatesBT.dat
c:\program files\SelectRebates\SelectRebatesDownload.exe
c:\program files\SelectRebates\SelectRebatesH.dat
c:\program files\SelectRebates\SelectRebatesUninstall.exe
c:\program files\SelectRebates\SRebates.dll
c:\program files\SelectRebates\SRFF3.dll
c:\program files\SelectRebates\Toolbar\AddtoList.bmp
c:\program files\SelectRebates\Toolbar\basis.xml
c:\program files\SelectRebates\Toolbar\Basis.xml.dym
c:\program files\SelectRebates\Toolbar\Blank.bmp
c:\program files\SelectRebates\Toolbar\CashBack.bmp
c:\program files\SelectRebates\Toolbar\Coupons.bmp
c:\program files\SelectRebates\Toolbar\GroceryCoupon.bmp
c:\program files\SelectRebates\Toolbar\i_magnifying.bmp
c:\program files\SelectRebates\Toolbar\icons.bmp
c:\program files\SelectRebates\Toolbar\logo.bmp
c:\program files\SelectRebates\Toolbar\logo_24.bmp
c:\program files\SelectRebates\Toolbar\logo_HotSpots.bmp
c:\program files\SelectRebates\Toolbar\ReviewSite.bmp
c:\program files\SelectRebates\Toolbar\RightControls.dym
c:\program files\SelectRebates\Toolbar\sahtb-alert.bmp
c:\program files\SelectRebates\Toolbar\sahtb-go.bmp
c:\program files\SelectRebates\Toolbar\sahtb-grocerycoupons.bmp
c:\program files\SelectRebates\Toolbar\sahtb-icons.bmp
c:\program files\SelectRebates\Toolbar\sahtb-restaurant.bmp
c:\program files\SelectRebates\Toolbar\sahtb-wishlist.bmp
c:\program files\SelectRebates\Toolbar\Scissors.bmp
c:\program files\SelectRebates\Toolbar\ShopAtHomeToolbar.dll
C:\Recycle.Bin
c:\recycle.bin\5C2AFF657748D34
c:\recycle.bin\B6232F3AB3A.exe
c:\windows\$NtUninstallKB19084$
c:\windows\$NtUninstallKB19084$\2843551131
c:\windows\$NtUninstallKB19084$\4246423656\@
c:\windows\$NtUninstallKB19084$\4246423656\bckfg.tmp
c:\windows\$NtUninstallKB19084$\4246423656\cfg.ini
c:\windows\$NtUninstallKB19084$\4246423656\Desktop.ini
c:\windows\$NtUninstallKB19084$\4246423656\keywords
c:\windows\$NtUninstallKB19084$\4246423656\kwrd.dll
c:\windows\$NtUninstallKB19084$\4246423656\L\yexqtvdm
c:\windows\$NtUninstallKB19084$\4246423656\lsflt7.ver
c:\windows\$NtUninstallKB19084$\4246423656\U\00000001.@
c:\windows\$NtUninstallKB19084$\4246423656\U\00000002.@
c:\windows\$NtUninstallKB19084$\4246423656\U\80000000.@
c:\windows\$NtUninstallKB19084$\4246423656\U\80000032.@
c:\windows\system32\d3d9caps.dat
c:\windows\system32\winsusrm.dll
c:\windows\system32\winsusrx.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_CLBDRIVER
.
.
((((((((((((((((((((((((( Files Created from 2011-09-18 to 2011-10-18 )))))))))))))))))))))))))))))))
.
.
2011-10-11 15:26 . 2011-10-11 15:26 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Hitman Pro
2011-10-11 11:41 . 2011-10-11 14:03 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2011-10-10 00:00 . 2011-10-11 14:00 -------- d-----w- c:\documents and settings\Becky\Application Data\Egozk
2011-10-10 00:00 . 2011-10-10 00:00 -------- d-----w- c:\documents and settings\Becky\Application Data\Ebsyco
2011-10-10 00:00 . 2011-10-10 00:00 -------- d-----w- C:\Adobe
2011-10-09 23:57 . 2011-10-09 23:57 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2011-10-09 23:57 . 2011-10-09 23:57 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2011-10-09 23:52 . 2011-10-09 23:55 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-10-05 23:54 . 2011-10-05 23:54 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Google
2011-10-05 23:39 . 2011-10-05 23:39 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Google
2011-10-05 23:39 . 2011-01-07 18:54 767952 ----a-w- c:\windows\BDTSupport.dll
2011-10-05 23:39 . 2011-01-07 18:54 149456 ----a-w- c:\windows\SGDetectionTool.dll
2011-10-05 23:39 . 2011-01-07 18:54 1533904 ----a-w- c:\windows\PCTBDRes.dll
2011-10-05 23:39 . 2011-01-07 18:54 2000848 ----a-w- c:\windows\PCTBDCore.dll
2011-10-05 23:38 . 2011-10-07 11:17 -------- d-----w- c:\program files\PC Tools Security
2011-10-05 23:37 . 2011-10-05 23:37 -------- d-----w- c:\documents and settings\Becky\Application Data\QuickScan
2011-10-05 23:28 . 2011-10-05 23:28 -------- d-----w- c:\program files\ESET
2011-10-05 20:16 . 2011-10-05 20:16 -------- d-----w- c:\documents and settings\Becky\Local Settings\Application Data\NPE
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-09 09:12 . 2004-08-10 11:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-31 21:00 . 2010-05-19 19:59 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-26 00:48 . 2011-06-29 10:05 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2009-03-08 . B60DDDD2D63CE41CB8C487FCFBB6419E . 638816 . . [8.00.6001.18702] . . c:\windows\system32\dllcache\iexplore.exe
[7] 2008-04-14 . 55794B97A7FAABD2910873C85274F409 . 93184 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\iexplore.exe
[-] 2007-10-10 . E854D02E4231F704D9BE782A424E6D8B . 625152 . . [7.00.6000.16574] . . c:\windows\SoftwareDistribution\Download\e3709fbfd9557a7d083f543d51d38612\SP2GDR\iexplore.exe
[-] 2007-10-10 . 632BDE0179847234433CA50945442ACB . 625664 . . [7.00.6000.20696] . . c:\windows\SoftwareDistribution\Download\e3709fbfd9557a7d083f543d51d38612\SP2QFE\iexplore.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-06-10 249856]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-11-07 122940]
"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2010-11-19 193880]
"IDTSysTrayApp"="sttray.exe" [2007-09-06 405504]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-27 282624]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HPAiODevice(hp psc 900 series) - 1.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\HPAiODevice(hp psc 900 series) - 1.lnk
backup=c:\windows\pss\HPAiODevice(hp psc 900 series) - 1.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 16:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2011-04-20 16:48 58656 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
2005-11-07 10:20 122940 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2004-08-10 12:04 59392 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-06-10 14:44 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-06-10 14:44 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-06-07 21:51 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2010-06-07 21:34 13902440 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2010-06-07 21:34 110696 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTools FGuard]
2011-01-07 18:54 108496 ----a-w- c:\program files\PC Tools Security\BDT\FGuard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-08-22 15:52 136600 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-08-29 12:27 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"postgresql-8.4"=2 (0x2)
"NVSvc"=2 (0x2)
"LeapFrog Connect Device Service"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"gusvc"=3 (0x3)
"gupdate"=2 (0x2)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"AROReminder"=c:\program files\Advanced Registry Optimizer\aro.exe -rem
"SUPERAntiSpyware"=c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"CanonMyPrinter"=c:\program files\Canon\MyPrinter\BJMyPrt.exe /logon
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LeapFrog\\LeapFrog Connect\\LeapFrogConnect.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017
"24726:TCP"= 24726:TCP:FlipShareServer
"24727:TCP"= 24727:TCP:FlipShareServer
"10058:UDP"= 10058:UDP:UDP 10058
"11249:TCP"= 11249:TCP:TCP 11249
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0403000.005\symds.sys [10/28/2010 5:14 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0403000.005\symefa.sys [10/28/2010 5:14 PM 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users.WINDOWS\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20110929.001\BHDrvx86.sys [9/29/2011 5:35 PM 816760]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0403000.005\cchpx86.sys [10/28/2010 5:14 PM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0403000.005\ironx86.sys [10/28/2010 5:14 PM 116784]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\PC Tools Security\BDT\BDTUpdateService.exe [10/5/2011 7:39 PM 247760]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users.WINDOWS\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20111001.030\IDSXpx86.sys [10/3/2011 6:39 PM 356280]
S2 FlipShareServer;FlipShare Server;c:\program files\Flip Video\FlipShareServer\FlipShareServer.exe [12/15/2010 2:22 PM 1085440]
S2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\4.3.0.5\ccsvchst.exe [10/28/2010 5:14 PM 126392]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/5/2011 7:39 PM 136176]
S4 postgresql-8.4;postgresql-8.4 - PostgreSQL Server 8.4;C:/Program Files/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N "postgresql-8.4" -D "C:/Program Files/PostgreSQL/8.4/data" -w --> C:/Program Files/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N postgresql-8.4 [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
2011-10-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-10-05 23:39]
.
2011-10-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-10-05 23:39]
.
2011-10-12 c:\windows\Tasks\NSSstub.job
- c:\windows\system32\Adobe\Shockwave 11\nssstub.exe [2009-12-25 00:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/?cid=081510
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: fcps.org\mail
TCP: DhcpNameServer = 208.67.222.222 4.2.2.2
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.6.3/GarminAxControl.CAB
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-32382779.sys
SafeBoot-mcmscsvc
SafeBoot-MCODS
MSConfigStartUp-4Y3Y0C3A9F7W1I5DPTLRI - c:\recycle.bin\B6232F3AB3A.exe
MSConfigStartUp-SelectRebates - c:\program files\SelectRebates\SelectRebates.exe
MSConfigStartUp-{AF34EAB6-CD9F-AD7B-9C27-14708D933762} - c:\documents and settings\Becky\Application Data\Egozk\qouc.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-18 09:12
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\4.3.0.5\diMaster.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\postgresql-8.4]
"ImagePath"="C:/Program Files/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N \"postgresql-8.4\" -D \"C:/Program Files/PostgreSQL/8.4/data\" -w"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\postgresql-8.4]
"ImagePath"="C:/Program Files/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N \"postgresql-8.4\" -D \"C:/Program Files/PostgreSQL/8.4/data\" -w"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(684)
c:\windows\System32\dimsntfy.dll
.
- - - - - - - > 'explorer.exe'(2568)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Flip Video\FlipShare\FlipShareService.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\sttray.exe
c:\windows\system32\spool\drivers\w32x86\3\WrtProc.exe
c:\windows\stsystra.exe
.
**************************************************************************
.
Completion time: 2011-10-18 09:18:36 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-18 13:18
.
Pre-Run: 166,106,140,672 bytes free
Post-Run: 166,753,767,424 bytes free
.
- - End Of File - - B25B7C3C21C586FFA7E58A5F176D594B

#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:04:25 AM

Posted 18 October 2011 - 09:20 AM

How are things running at this point? Can you please verify if Internet Explorer runs fine?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#9 tentstake

tentstake
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:25 PM

Posted 18 October 2011 - 09:29 AM

not good. TCP/IP stack still destroyed. i.e. no internet

#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:04:25 AM

Posted 18 October 2011 - 10:22 AM

Please click Start > Run, type cmd and press enter.

Type netsh winsock reset and press enter.

Restart your computer and let me know how things are.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#11 tentstake

tentstake
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:25 PM

Posted 18 October 2011 - 10:27 AM

while i was waiting for your reply, I started a SFC scan. it asked for the disk to fix some DLLs. as soon as it's done scanning, I perform your command. looks to be about 3/4 of the way done w/ SFC.

#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:04:25 AM

Posted 18 October 2011 - 10:31 AM

Okay, I'll wait for the results.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#13 tentstake

tentstake
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:25 PM

Posted 18 October 2011 - 11:26 AM

Just sitting there trying to aquire an address. SFC didn't help. Even w/ the disks that can w/ the computer, it still was asking for another disk.

#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:04:25 AM

Posted 18 October 2011 - 11:46 AM

Hi again,

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    afd.sys
    ipsec.sys
    netbt.sys
    
    :reg
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\afd /s
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt /s
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\ipsec /s
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#15 tentstake

tentstake
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:25 PM

Posted 18 October 2011 - 12:01 PM

SystemLook scan log:


SystemLook 30.07.11 by jpshortstuff
Log created at 12:56 on 18/10/2011 by Becky
Administrator - Elevation successful

========== filefind ==========

Searching for "afd.sys"
C:\i386\afd.sys --a---- 138496 bytes [19:12 31/12/2006] [09:00 10/08/2004] 5AC495F4CB807B2B98AD2AD591E6D92E
C:\WINDOWS\$hf_mig$\KB2503665\SP3QFE\afd.sys --a---- 138496 bytes [19:46 15/06/2011] [13:25 16/02/2011] 8D499B1276012EB907E7A9E0F4D8FDA4
C:\WINDOWS\$hf_mig$\KB2509553\SP3QFE\afd.sys --a---- 138496 bytes [15:07 16/10/2008] [15:07 16/10/2008] 38D7B715504DA4741DF35E3594FE2099
C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\afd.sys --a---- 138368 bytes [10:44 20/06/2008] [10:44 20/06/2008] D99DDFFB33DEACDCF20717CB520379F6
C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\afd.sys --a---- 138496 bytes [11:40 20/06/2008] [11:40 20/06/2008] E3049B90FE06F3F740B7CFDA44995E2C
C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\afd.sys --a---- 138496 bytes [11:48 20/06/2008] [11:48 20/06/2008] D6EE6014241D034E63C49A50CB2B442A
C:\WINDOWS\$hf_mig$\KB956803\SP2QFE\afd.sys --a---- 138368 bytes [21:10 14/10/2008] [09:48 14/08/2008] 6A0397376853E604DE8E1E7A87FC08AC
C:\WINDOWS\$hf_mig$\KB956803\SP3GDR\afd.sys --a---- 138496 bytes [21:10 14/10/2008] [10:04 14/08/2008] 7E775010EF291DA96AD17CA4B17137D7
C:\WINDOWS\$hf_mig$\KB956803\SP3QFE\afd.sys --a---- 138496 bytes [21:10 14/10/2008] [10:34 14/08/2008] 4D43E74F2A1239D53929B82600F1971C
C:\WINDOWS\$NtServicePackUninstall$\afd.sys -----c- 138368 bytes [23:22 03/10/2009] [09:51 14/08/2008] 55E6E1C51B6D30E54335750955453702
C:\WINDOWS\$NtUninstallKB2503665$\afd.sys -----c- 138496 bytes [07:05 16/06/2011] [14:43 16/10/2008] 7618D5218F2A614672EC61A80D854A37
C:\WINDOWS\$NtUninstallKB2509553$\afd.sys -----c- 138496 bytes [07:01 14/04/2011] [10:04 14/08/2008] 7E775010EF291DA96AD17CA4B17137D7
C:\WINDOWS\$NtUninstallKB951748$\afd.sys -----c- 138112 bytes [23:35 03/10/2009] [19:19 13/04/2008] 322D0E36693D6E24A2398BEE62A268CD
C:\WINDOWS\$NtUninstallKB951748_0$\afd.sys -----c- 138496 bytes [07:00 09/07/2008] [11:00 10/08/2004] 5AC495F4CB807B2B98AD2AD591E6D92E
C:\WINDOWS\$NtUninstallKB956803$\afd.sys -----c- 138496 bytes [23:36 03/10/2009] [11:40 20/06/2008] E3049B90FE06F3F740B7CFDA44995E2C
C:\WINDOWS\$NtUninstallKB956803_0$\afd.sys -----c- 138368 bytes [07:02 15/10/2008] [10:44 20/06/2008] 944CA435BFCFC82CC1ED9E3A7D731AA9
C:\WINDOWS\LastGood\system32\dllcache\afd.sys --a---- 138112 bytes [16:32 18/10/2011] [19:19 13/04/2008] 322D0E36693D6E24A2398BEE62A268CD
C:\WINDOWS\ServicePackFiles\i386\afd.sys ------- 138112 bytes [00:06 30/08/2008] [19:19 13/04/2008] 322D0E36693D6E24A2398BEE62A268CD
C:\WINDOWS\system32\dllcache\afd.sys --a--c- 138112 bytes [11:40 20/06/2008] [19:19 13/04/2008] 322D0E36693D6E24A2398BEE62A268CD

Searching for "ipsec.sys"
C:\i386\ipsec.sys --a---- 74752 bytes [19:14 31/12/2006] [09:00 10/08/2004] 64537AA5C003A6AFEEE1DF819062D0D1
C:\WINDOWS\$NtServicePackUninstall$\ipsec.sys -----c- 74752 bytes [23:22 03/10/2009] [11:00 10/08/2004] 64537AA5C003A6AFEEE1DF819062D0D1
C:\WINDOWS\ServicePackFiles\i386\ipsec.sys ------- 75264 bytes [00:06 30/08/2008] [19:19 13/04/2008] 23C74D75E36E7158768DD63D92789A91
C:\WINDOWS\system32\dllcache\ipsec.sys --a--c- 75264 bytes [11:00 10/08/2004] [19:19 13/04/2008] 23C74D75E36E7158768DD63D92789A91
C:\WINDOWS\system32\drivers\ipsec.sys --a---- 75264 bytes [11:00 10/08/2004] [19:19 13/04/2008] 23C74D75E36E7158768DD63D92789A91

Searching for "netbt.sys"
C:\i386\netbt.sys --a---- 162816 bytes [19:14 31/12/2006] [09:00 10/08/2004] 0C80E410CD2F47134407EE7DD19CC86B
C:\WINDOWS\$NtServicePackUninstall$\netbt.sys -----c- 162816 bytes [23:22 03/10/2009] [11:00 10/08/2004] 0C80E410CD2F47134407EE7DD19CC86B
C:\WINDOWS\ServicePackFiles\i386\netbt.sys ------- 162816 bytes [00:06 30/08/2008] [19:21 13/04/2008] 74B2B2F5BEA5E9A3DC021D685551BD3D
C:\WINDOWS\system32\dllcache\netbt.sys --a--c- 162816 bytes [11:00 10/08/2004] [19:21 13/04/2008] 74B2B2F5BEA5E9A3DC021D685551BD3D
C:\WINDOWS\system32\drivers\netbt.sys --a---- 162816 bytes [11:00 10/08/2004] [19:21 13/04/2008] 74B2B2F5BEA5E9A3DC021D685551BD3D

========== reg ==========

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\afd]
(No values found)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\afd\Parameters]
(No values found)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\afd\Enum]
"0"="Root\LEGACY_AFD\0000"
"Count"= 0x0000000001 (1)
"NextInstance"= 0x0000000001 (1)
"INITSTARTFAILED"= 0x0000000001 (1)


[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt]
"Type"= 0x0000000001 (1)
"Start"= 0x0000000001 (1)
"ErrorControl"= 0x0000000001 (1)
"Tag"= 0x0000000006 (6)
"ImagePath"="system32\DRIVERS\netbt.sys"
"DisplayName"="NetBios over Tcpip"
"Group"="PNP_TDI"
"DependOnService"="Tcpip"
"DependOnGroup"=" "
"Description"="NetBios over Tcpip"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt\Linkage]
"OtherDependencies"="Tcpip"
"Bind"="\Device\Tcpip_{CA48CE5A-E98E-412B-8359-8AB7C1860E51} \Device\Tcpip_{9BF202C9-E975-4B15-AB74-A0504A26A90F} \Device\Tcpip_{5AAD5C06-B2CB-41BC-8FDF-E75DADF57FA8} \Device\Tcpip_{E8FB6446-EF92-4FAD-9FFA-0FD07109E8A6} \Device\Tcpip_{B23835FD-7D38-4AA6-A7FE-86FF3E415219}"
"Route"=""Tcpip" "{CA48CE5A-E98E-412B-8359-8AB7C1860E51}" "Tcpip" "{9BF202C9-E975-4B15-AB74-A0504A26A90F}" "Tcpip" "{5AAD5C06-B2CB-41BC-8FDF-E75DADF57FA8}" "Tcpip" "NdisWanIp""
"Export"="\Device\NetBT_Tcpip_{CA48CE5A-E98E-412B-8359-8AB7C1860E51} \Device\NetBT_Tcpip_{9BF202C9-E975-4B15-AB74-A0504A26A90F} \Device\NetBT_Tcpip_{5AAD5C06-B2CB-41BC-8FDF-E75DADF57FA8} \Device\NetBT_Tcpip_{E8FB6446-EF92-4FAD-9FFA-0FD07109E8A6} \Device\NetBT_Tcpip_{B23835FD-7D38-4AA6-A7FE-86FF3E415219}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt\Parameters]
"NbProvider"="_tcp"
"NameServerPort"= 0x0000000089 (137)
"CacheTimeout"= 0x00000927c0 (600000)
"BcastNameQueryCount"= 0x0000000003 (3)
"BcastQueryTimeout"= 0x00000002ee (750)
"NameSrvQueryCount"= 0x0000000003 (3)
"NameSrvQueryTimeout"= 0x00000005dc (1500)
"Size/Small/Medium/Large"= 0x0000000001 (1)
"SessionKeepAlive"= 0x000036ee80 (3600000)
"TransportBindName"="\Device\"
"EnableLMHOSTS"= 0x0000000001 (1)
"EnableProxy"= 0x0000000002 (2)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt\Parameters\Interfaces]
(No values found)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt\Parameters\Interfaces\Tcpip_{5AAD5C06-B2CB-41BC-8FDF-E75DADF57FA8}]
"NameServerList"=" "
"NetbiosOptions"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt\Parameters\Interfaces\Tcpip_{9BF202C9-E975-4B15-AB74-A0504A26A90F}]
"NameServerList"=" "
"NetbiosOptions"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt\Parameters\Interfaces\Tcpip_{B23835FD-7D38-4AA6-A7FE-86FF3E415219}]
"NameServerList"=" "

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt\Parameters\Interfaces\Tcpip_{CA48CE5A-E98E-412B-8359-8AB7C1860E51}]
"NameServerList"=" "
"NetbiosOptions"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt\Parameters\Interfaces\Tcpip_{E8FB6446-EF92-4FAD-9FFA-0FD07109E8A6}]
"NameServerList"=""
"RASFlags"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt\Security]
"Security"=01 00 14 80 e8 00 00 00 f4 00 00 00 14 00 00 00 30 00 00 00 02 00 1c 00 01 00 00 00 02 80 14 00 ff 01 0f 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 b8 00 08 00 00 00 00 00 14 00 8d 01 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 18 00 9d 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 00 00 18 00 ff 01 0f 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 18 00 ff 01 0f 00 01 02 00 00 00 00 00 05 20 00 00 00 25 02 00 00 00 00 14 00 fd 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 14 00 40 00 00 00 01 01 00 00 00 00 00 05 13 00 00 00 00 00 14 00 40 00 00 00 01 01 00 00 00 00 00 05 14 00 00 00 00 00 18 00 9d 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 2c 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 (REG_BINARY)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt\Enum]
"0"="Root\LEGACY_NETBT\0000"
"Count"= 0x0000000001 (1)
"NextInstance"= 0x0000000001 (1)


[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\ipsec]
"Type"= 0x0000000001 (1)
"Start"= 0x0000000001 (1)
"ErrorControl"= 0x0000000001 (1)
"Tag"= 0x0000000005 (5)
"ImagePath"="system32\DRIVERS\ipsec.sys"
"DisplayName"="IPSEC driver"
"Group"="PNP_TDI"
"Description"="IPSEC driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\ipsec\Security]
"Security"=01 00 14 80 90 00 00 00 9c 00 00 00 14 00 00 00 30 00 00 00 02 00 1c 00 01 00 00 00 02 80 14 00 ff 01 0f 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 fd 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 ff 01 0f 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8d 01 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 18 00 fd 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 (REG_BINARY)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\ipsec\Enum]
"0"="Root\LEGACY_IPSEC\0000"
"Count"= 0x0000000001 (1)
"NextInstance"= 0x0000000001 (1)


-= EOF =-




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users