Infected with Rootkit and Google Redirects & Spontaneous Page Loads in Firefox.


This topic is locked. 35 replies to this topic.

#1 Kuribos Shoe (Members)

Posted 07 November 2011 - 07:13 PM

Hello,

I'm on a 32-bit Windows XP machine with 768 MB of RAM.

I'm not sure what virus/rootkit I have contracted. I got it from stupidly clicking an unknown.exe file. I keep getting Google Redirects to random sites and sometimes the Browser starts and loads a tab to such sites spontaneously. (I'm using Firefox 7)

I had Symantec Endpoint Protection on the system at the time of infection, but the virus/rootkit has disabled it somehow. Since I rebooted the computer I can't get it to function correctly: it loads the shell management program but says no products are installed.

I tried running both 'Spybot S&D' and 'MalwareBytes Anti-Malware' with no real results before I gave up and registered here.

Reading some other forum posts, I decided to uninstall the older versions of Java I had on my system, and I think I got all of it. I haven't installed the new JRE7 yet though. Not sure if this was caused by a Java flaw, but I figured I'd mention it.

Also, if there are any other programs I should remove, update, or install, please let me know.

I followed the "Preparation Guide" and the appropriate DDS & GMER logs are attached.

Thanks in advance for any help that anyone can provide.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.2180
Run by Rich at 15:33:07 on 2011-11-07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.768.42 [GMT -6:00]
.
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {00000000-0000-0000-0000-000000000000}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {804E5358-FFA4-00EC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {804E5358-FFA4-00C9-0D24-347CA8A3377C}
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PeerBlock\peerblock.exe
svchost.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Secunia\PSI\sua.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
"C:\WINDOWS\system32\svchost.exe"
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\symantec\symantec endpoint protection\12.1.671.4971.105\bin\ips\IPSBHO.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [PeerBlock] c:\program files\peerblock\peerblock.exe
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe" -s
uRun: [NCsoft]
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [nwiz] nwiz.exe /install
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [RAMfreer] c:\documents and settings\administrator\RAMfreer.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_09\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
uPolicies-explorer: NoSMHelp = 01000000
uPolicies-explorer: NoRecentDocsNetHood = 01000000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: mswsock.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{5B0B786C-2476-4096-8CC4-2B4F3CCFF856} : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{5B0B786C-2476-4096-8CC4-2B4F3CCFF856} : DhcpNameServer = 192.168.2.1
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
Notify: SEP - c:\program files\symantec\symantec endpoint protection\12.1.671.4971.105\bin\WinLogoutNotifier.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\93vh3sa3.default\
FF - prefs.js: browser.startup.homepage - www.google.com/
FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\93vh3sa3.default\extensions\piclens@cooliris.com\components\cooliris.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\sep\0c01029f\136b.105\x86\SymDS.sys [2011-5-2 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\sep\0c01029f\136b.105\x86\SymEFA.sys [2011-5-17 756856]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\symantec\symantec endpoint protection\12.1.671.4971.105\data\definitions\bashdefs\20111027.011\BHDrvx86.sys [2011-11-1 818808]
R1 c2scsi;c2scsi;c:\windows\system32\drivers\c2scsi.sys [2008-3-30 241664]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\sep\0c01029f\136b.105\x86\Ironx86.sys [2011-5-10 136312]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2011-4-19 399416]
R2 SepMasterService;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\12.1.671.4971.105\bin\ccSvcHst.exe [2011-6-14 137224]
R2 SocketLock;Raw Socket Lock Driver;c:\windows\system32\socketlock.sys [2006-8-24 3712]
R3 BLKWGD;Belkin Wireless G Desktop Card Service;c:\windows\system32\drivers\BLKWGD.sys [2007-8-25 463872]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-7-30 105592]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\symantec\symantec endpoint protection\12.1.671.4971.105\data\definitions\ipsdefs\20111104.030\IDSXpx86.sys [2011-11-4 356280]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\symantec\symantec endpoint protection\12.1.671.4971.105\data\definitions\virusdefs\20111105.009\NAVENG.SYS [2011-11-5 86136]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\symantec\symantec endpoint protection\12.1.671.4971.105\data\definitions\virusdefs\20111105.009\NAVEX15.SYS [2011-11-5 1576312]
R3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2010-5-1 19056]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\windows\system32\drivers\nsdriver.sys --> c:\windows\system32\drivers\NSDriver.sys [?]
S3 appliandMP;appliandMP;c:\windows\system32\drivers\appliand.sys --> c:\windows\system32\drivers\appliand.sys [?]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
S3 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-4-19 993848]
S3 SyDvCtrl;SyDvCtrl;c:\program files\symantec\symantec endpoint protection\12.1.671.4971.105\bin\SyDvCtrl32.sys [2011-6-17 23984]
S3 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2011-4-22 92592]
.
=============== Created Last 30 ================
.
2011-11-07 19:00:18 53472 ----a-w- c:\windows\system32\OLD2.tmp
2011-11-07 08:18:58 -------- d-----w- c:\program files\ESET
2011-11-07 04:36:48 0 ----a-w- c:\windows\system32\REN3D.tmp
2011-11-07 04:36:48 0 ----a-w- c:\windows\system32\REN3C.tmp
2011-11-07 04:36:48 0 ----a-w- c:\windows\system32\REN3B.tmp
2011-11-07 04:36:36 0 ----a-w- c:\windows\system32\REN35.tmp
2011-11-07 04:36:36 0 ----a-w- c:\windows\system32\REN34.tmp
2011-11-07 04:36:36 0 ----a-w- c:\windows\system32\REN33.tmp
2011-11-07 04:36:24 0 ----a-w- c:\windows\system32\REN2B.tmp
2011-11-07 04:36:24 0 ----a-w- c:\windows\system32\REN2A.tmp
2011-11-07 04:36:24 0 ----a-w- c:\windows\system32\REN29.tmp
2011-11-07 04:36:04 0 ----a-w- c:\windows\system32\REN1C.tmp
2011-11-07 04:36:04 0 ----a-w- c:\windows\system32\REN1B.tmp
2011-11-07 04:36:04 0 ----a-w- c:\windows\system32\REN1A.tmp
2011-11-06 21:00:38 -------- d-sh--w- c:\documents and settings\administrator\local settings\application data\f1ed48c9
2011-11-06 17:17:02 -------- d-----w- c:\program files\Games
2011-11-06 16:35:43 -------- d-----w- c:\documents and settings\administrator\application data\PopCapv1005eni
2011-10-16 16:06:14 -------- d-----w- c:\documents and settings\administrator\local settings\application data\NCSoft
2011-10-16 14:40:33 -------- d-----w- c:\documents and settings\administrator\local settings\application data\assembly
.
==================== Find3M ====================
.
2011-11-06 21:16:09 36864 ----a-w- c:\windows\system32\acs.exe
2011-11-06 21:10:21 413696 ----a-w- c:\windows\system32\ati2evxx.exe
2011-10-12 22:57:50 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-03 10:06:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-26 16:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-09-01 21:58:31 31232 ----a-w- c:\windows\system32\cmdow.exe
2011-08-31 22:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-12 18:51:26 26488 ----a-w- c:\windows\system32\spupdsvc.exe
2005-06-22 05:37:42 45568 --sha-r- c:\windows\system32\cygz.dll
2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll
.
============= FINISH: 15:35:09.56 ===============




Attachments: attach.txt, ark.log


#2 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 10 November 2011 - 01:00 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together:

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having, as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic button, select Immediate Notification and click on Proceed. This will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

Information and logs

In your next post I need the following:
  • Log from Combofix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I close my topics if you have not replied in 5 days. If you will be longer, please let me know.

If I have not replied to one of my topics in 48 hrs, please bump the topic.



My help is free; however, if you wish to make a small donation to show your appreciation or to help me continue the fight against malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 Kuribos Shoe (Topic Starter)

Posted 10 November 2011 - 04:14 AM

Hi, and thanks for getting back to me.

I tried to do what you asked for but might've had a few snags.

I attempted to disable the Symantec Endpoint Protection but again the program would not load until I tried starting some services the dialog prompt said needed to be enabled. After that, it only loaded the shell and said that no protection technologies were installed.

So I ran Combofix and I got a dialog warning saying that it saw 4 real-time AVs active: 3 relating to AntiVir (which I uninstalled 6 months ago) and SEP, which as far as I could tell wouldn't let me disable it.

Upon seeing the warning, I clicked the X in the top right corner to stop running Combofix, but the program started anyway. I decided to let it run instead of trying to stop it.

Combofix stated right away that I was infected with the ZeroAccess rootkit and that it had infected the TCP/IP stack.

The scanning process went fairly smoothly, except that I kept getting "Automatic Updates" dialog error boxes which popped up throughout the scan saying "Auto Updates has encountered a problem and needs to close", giving me two choices (Close or Debug). I clicked Close the first time, yet it kept popping up repeatedly, except once when the dialog box said PEV.exe had encountered a problem and needed to close.

I clicked the "For more info about the error" tab a few times and it always relates to wuauclt.exe:
AppName: wuauclt.exe
AppVer: 5.4.3790.5512
ModName: wuauclt.exe
ModVer: 5.4.3790.5512
Offset: 00014154

Anyway, I just kept clicking Close throughout the Combofix scan and let the program finish. It rebooted the computer twice in all before writing the log, which I've included below, but now I'm getting the "Automatic Updates" dialog error pop-ups every few seconds, where I hadn't seen that behavior before running Combofix.

I can still get online in Firefox, and after checking Google I'm not getting any redirects; however, these dialog prompt errors every 10 seconds are a problem.

So the system is better in that it's not redirecting, but worse in that I've got system popups I can't get rid of.

I also noticed that calc.exe was infected, but I never saw if it was cleaned or replaced.


Any help you can provide would be excellent. Sorry if I am rambling, I was trying to be thorough.

And if you could help me clean these AntiVir remnants off and possibly restore, or recommend, a better free anti-virus/real-time protection option, I'd be grateful.


Here's the Combofix log generated:

ComboFix 11-11-10.01 - Rich 11/10/2011 2:22.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.768.401 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {00000000-0000-0000-0000-000000000000}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {804E5358-FFA4-00C9-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {804E5358-FFA4-00EC-0D24-347CA8A3377C}
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Application Data\inst.exe
c:\documents and settings\Administrator\Application Data\vso_ts_preview.xml
c:\documents and settings\All Users\Application Data\DragToDiscUserNameD.txt
c:\documents and settings\All Users\Application Data\TEMP
c:\windows\$NtUninstallKB18139$\3801309542
c:\windows\$NtUninstallKB18139$\4058859721\@
c:\windows\$NtUninstallKB18139$\4058859721\L\adwjkeee
c:\windows\$NtUninstallKB18139$\4058859721\loader.tlb
c:\windows\$NtUninstallKB18139$\4058859721\U\@00000001
c:\windows\$NtUninstallKB18139$\4058859721\U\@000000c0
c:\windows\$NtUninstallKB18139$\4058859721\U\@000000cb
c:\windows\$NtUninstallKB18139$\4058859721\U\@000000cf
c:\windows\$NtUninstallKB18139$\4058859721\U\@80000000
c:\windows\$NtUninstallKB18139$\4058859721\U\@800000c0
c:\windows\$NtUninstallKB18139$\4058859721\U\@800000cb
c:\windows\$NtUninstallKB18139$\4058859721\U\@800000cf
c:\windows\assembly\GAC_MSIL\desktop.ini
c:\windows\iun6002.exe
c:\windows\kb913800.exe
c:\windows\system32\
c:\windows\$NtUninstallKB18139$ . . . . Failed to delete
.
c:\windows\system32\calc.exe . . . is infected!!
.
Infected copy of c:\windows\system32\mshta.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\mshta.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-10-10 to 2011-11-10 )))))))))))))))))))))))))))))))
.
.
2011-11-07 08:18 . 2011-11-07 08:18 -------- d-----w- c:\program files\ESET
2011-11-07 04:36 . 2011-11-07 04:36 0 ----a-w- c:\windows\system32\REN3D.tmp
2011-11-07 04:36 . 2011-11-07 04:36 0 ----a-w- c:\windows\system32\REN3C.tmp
2011-11-07 04:36 . 2011-11-07 04:36 0 ----a-w- c:\windows\system32\REN3B.tmp
2011-11-07 04:36 . 2011-11-07 04:36 0 ----a-w- c:\windows\system32\REN35.tmp
2011-11-07 04:36 . 2011-11-07 04:36 0 ----a-w- c:\windows\system32\REN34.tmp
2011-11-07 04:36 . 2011-11-07 04:36 0 ----a-w- c:\windows\system32\REN33.tmp
2011-11-07 04:36 . 2011-11-07 04:36 0 ----a-w- c:\windows\system32\REN2B.tmp
2011-11-07 04:36 . 2011-11-07 04:36 0 ----a-w- c:\windows\system32\REN2A.tmp
2011-11-07 04:36 . 2011-11-07 04:36 0 ----a-w- c:\windows\system32\REN29.tmp
2011-11-07 04:36 . 2011-11-07 04:36 0 ----a-w- c:\windows\system32\REN1C.tmp
2011-11-07 04:36 . 2011-11-07 04:36 0 ----a-w- c:\windows\system32\REN1B.tmp
2011-11-07 04:36 . 2011-11-07 04:36 0 ----a-w- c:\windows\system32\REN1A.tmp
2011-11-06 21:00 . 2011-11-06 21:01 -------- d-sh--w- c:\documents and settings\Administrator\Local Settings\Application Data\f1ed48c9
2011-11-06 17:17 . 2011-11-06 18:10 -------- d-----w- c:\program files\Games
2011-11-06 16:35 . 2011-11-06 16:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\PopCapv1005eni
2011-10-16 16:06 . 2011-10-16 16:06 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\NCSoft
2011-10-16 14:40 . 2011-10-16 14:40 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\assembly
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-06 21:16 . 2005-05-05 05:53 36864 ----a-w- c:\windows\system32\acs.exe
2011-11-06 21:10 . 2006-05-03 16:43 413696 ----a-w- c:\windows\system32\ati2evxx.exe
2011-10-12 22:57 . 2011-05-18 19:49 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-03 10:06 . 2010-11-14 11:43 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-26 16:41 . 2008-07-30 00:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41 . 2002-12-31 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41 . 2002-12-31 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12 . 2002-12-31 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20 . 2002-12-31 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-09-01 21:58 . 2011-09-01 21:58 31232 ----a-w- c:\windows\system32\cmdow.exe
2011-08-31 22:00 . 2010-01-17 05:51 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-17 13:49 . 2002-12-31 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-12 18:51 . 2006-06-14 22:38 26488 ----a-w- c:\windows\system32\spupdsvc.exe
2011-10-01 15:18 . 2011-05-08 19:25 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2005-06-22 05:37 45568 --sha-r- c:\windows\system32\cygz.dll
2006-05-03 09:06 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30 216064 --sh--r- c:\windows\system32\nbDX.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2010-11-07 1867888]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2011-04-22 247728]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2008-05-16 1630208]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2010-07-04 17408]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-4-19 291896]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 01000000
"NoRecentDocsNetHood"= 01000000
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2007-11-15 16:10 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS\0sdnclean.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Belkin Wireless Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Belkin Wireless Utility.lnk
backup=c:\windows\pss\Belkin Wireless Utility.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 17:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CoolSwitch]
2002-03-19 22:30 45632 ----a-w- c:\windows\system32\TaskSwitch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
2007-01-23 20:44 101136 ----a-w- c:\windows\KHALMNPR.Exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{0228e555-4f9c-4e35-a3ec-b109a192b4c2}]
2005-07-15 21:48 479232 ----a-w- c:\program files\Google\Gmail Notifier\gnotify.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RoxWatch9"=2 (0x2)
"RoxMediaDB9"=3 (0x3)
"RoxLiveShare9"=2 (0x2)
"Roxio Upnp Server 9"=2 (0x2)
"Roxio UPnP Renderer 9"=3 (0x3)
"O&O Defrag"=2 (0x2)
"NVSvc"=2 (0x2)
"gusvc"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"AntiVirService"=2 (0x2)
"AntiVirSchedulerService"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\12.1.671.4971.105\\Bin\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\12.1.671.4971.105\\Bin\\snac.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Games\\JewelQuest\\JewelQuest.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"c:\\Program Files\\Games\\RoboKill 2 Leviathan Five v01\\Robokill 2.exe"=
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\SEP\0C01029F\136B.105\x86\SymDS.sys [5/2/2011 7:18 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\SEP\0C01029F\136B.105\x86\SymEFA.sys [5/17/2011 8:32 PM 756856]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\BASHDefs\20111027.011\BHDrvx86.sys [11/1/2011 3:42 PM 818808]
R1 c2scsi;c2scsi;c:\windows\system32\drivers\c2scsi.sys [3/30/2008 4:42 PM 241664]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\SEP\0C01029F\136B.105\x86\Ironx86.sys [5/10/2011 8:54 PM 136312]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 12:19 PM 50704]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [4/19/2011 12:44 AM 399416]
R2 SepMasterService;Symantec Endpoint Protection;c:\program files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe [6/14/2011 4:31 PM 137224]
R2 SocketLock;Raw Socket Lock Driver;c:\windows\system32\socketlock.sys [8/24/2006 11:38 AM 3712]
R3 BLKWGD;Belkin Wireless G Desktop Card Service;c:\windows\system32\drivers\BLKWGD.sys [8/25/2007 6:30 PM 463872]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/30/2011 1:21 PM 105592]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\IPSDefs\20111104.030\IDSXpx86.sys [11/4/2011 7:56 PM 356280]
R3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [5/1/2010 1:54 PM 19056]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [5/20/2009 8:37 PM 47360]
S3 appliandMP;appliandMP;c:\windows\system32\DRIVERS\appliand.sys --> c:\windows\system32\DRIVERS\appliand.sys [?]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 2:30 AM 15544]
S3 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [4/19/2011 12:44 AM 993848]
S3 SyDvCtrl;SyDvCtrl;c:\program files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\SyDvCtrl32.sys [6/17/2011 5:06 PM 23984]
S3 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [4/22/2011 6:21 AM 92592]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - PBFILTER
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{5B0B786C-2476-4096-8CC4-2B4F3CCFF856}: NameServer = 8.8.8.8,8.8.4.4
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\93vh3sa3.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - www.google.com/
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-NCsoft - (no file)
HKLM-Run-RAMfreer - c:\documents and settings\Administrator\RAMfreer.exe
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre1.5.0_09\bin\jusched.exe
Notify-SEP - c:\program files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\WinLogoutNotifier.dll
SafeBoot-08510668.sys
SafeBoot-16295843.sys
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
MSConfigStartUp-avgnt - c:\program files\Avira\AntiVir Desktop\avgnt.exe
MSConfigStartUp-Google Update - c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
MSConfigStartUp-RAMfreer - c:\documents and settings\Administrator\RAMfreer.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Common Files\Java\Java Update\jusched.exe
MSConfigStartUp-TrojanScanner - c:\program files\Trojan Remover\Trjscan.exe
AddRemove-Heroes of Might and Magic III Complete - c:\program files\Heroes 3 Complete\Heroes of Might and Magic III Complete.isu
AddRemove-{991B1E79-12B6-40C3-A081-1FC47C6F2F37} - c:\docume~1\ALLUSE~1\APPLIC~1\TARMAI~1\{991B1~1\Setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-10 02:36
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SepMasterService]
"ImagePath"="\"c:\program files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe\" /s \"Symantec Endpoint Protection\" /m \"c:\program files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\sms.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SmcService]
"ImagePath"="\"c:\program files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
.
[HKEY_LOCAL_MACHINE\software\Symantec\Symantec Endpoint Protection\CurrentVersion]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,4f,00,46,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(972)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
.
- - - - - - - > 'explorer.exe'(3832)
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\acs.exe
c:\program files\FolderSize\FolderSizeSvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\msiexec.exe
c:\windows\system32\dwwin.exe
.
**************************************************************************
.
Completion time: 2011-11-10 02:43:48 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-10 08:43
.
Pre-Run: 2,164,674,560 bytes free
Post-Run: 2,295,934,976 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - BD7D3CAD5F55C5901076578474A2B87D

#4 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 10 November 2011 - 05:11 AM

Hello


at this time which antivirus is installed?

SystemLook:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
:filefind
calc.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 Kuribos Shoe (Topic Starter)

Posted 10 November 2011 - 04:03 PM

The last anti-virus I installed was SEP. As far as I know I deleted Anti-Vir months ago. I didn't even see evidence of it until the combofix warning.
SEP seems to not be functional however. There's no icon in the lower right corner of windows taskbar as there usually was and every time I try to start the program manually it says some services need to be running.


Here's the Log for calc.exe

SystemLook 30.07.11 by jpshortstuff
Log created at 14:59 on 10/11/2011 by Rich
Administrator - Elevation successful

========== filefind ==========

Searching for "calc.exe "
C:\WINDOWS\system32\calc.exe --a---- 946448 bytes [19:53 05/06/2006] [12:00 31/12/2002] 006728285A531498449FCB9B4AC8814E

-= EOF =-

#6 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 10 November 2011 - 04:59 PM

run this to finish removing avira - http://www.avira.com/en/support-download-avira-registrycleaner


and this for norton - https://www-secure.symantec.com/norton-support/jsp/help-solutions.jsp?docid=20080828154508EN&lg=english&ct=united+states&product=home&version=1&pvid=f-home&entsrc=redirect_pubweb

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::
KillAll::
Extra::


AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {00000000-0000-0000-0000-000000000000}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {804E5358-FFA4-00C9-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {804E5358-FFA4-00EC-0D24-347CA8A3377C}
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo


#7 Kuribos Shoe (Topic Starter)

Posted 10 November 2011 - 08:17 PM

Another slight hiccup.

I used the Avira Reg Cleaner Tool without a problem.

I used the Norton Tool and it said I had to uninstall the Symantec Product from the "Add/Remove Programs" section.
I tried this and was given an error message that said:

Error 2318
File Does Not Exist C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\.

I knew the folder was there though, so I typed in the file path and saw the folder in question and all the files, but they've got blue text for most of the file names (which I think means they've been compressed somehow). I don't know why they're like this, but if the rootkit did it that's probably why SEP stopped working.

I'd like to get the files uncompressed somehow (and make sure nothing else has been affected likewise).


I HAVE NOT run the CFScript.txt yet because I couldn't get SEP to uninstall.

So what should I do next? OR should I just run the Script without fixing/deleting SEP first?

Thanks for your continued assistance, it's very appreciated.

#8 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 10 November 2011 - 09:00 PM

Greetings


AppRemover


Please download AppRemover and save it to your DeskTop

  • Double click on AppRemover.exe to Start the program
  • Click on the NEXT button
  • select cleanup Failed uninstall and click on NEXT
  • after the scan has completed (may take a few min) click on NEXT again
  • select all things that you know have been uninstalled before click on NEXT
  • after it has completed click on NEXT
  • click on Reboot Now to finish the removal


#9 Kuribos Shoe (Topic Starter)

Posted 11 November 2011 - 05:33 PM

Okay, I started the AppRemover scan last night about 15 min after your post and it took more than 12 hours to reach 100% completed, yet it wouldn't let me click on the next button.

I'm not sure why the scan took so long, but at this point it's not doing anything and won't let me proceed. (buttons are greyed out)

Should I run the AppRemover scan again?

#10 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 11 November 2011 - 09:33 PM

Remove Norton

Note : You should first attempt to remove your Norton product using Add/Remove Programs in the Windows Control Panel (Programs and Features, in Windows Vista). This is the best method. After uninstalling using Windows Add/Remove Programs, run the Norton Removal Tool to ensure successful removal of all Norton references.

Please go to this -page- and select the product you have

1. Download the Norton Removal Tool. Save the file to the Windows desktop.
2. On the Windows desktop, double-click the Norton Removal Tool icon.
3. Follow the on-screen instructions. Your computer may be restarted more than once, and you may be asked to repeat some steps after the computer restarts.


#11 Kuribos Shoe (Topic Starter)

Posted 12 November 2011 - 03:49 AM

The removal tool for SEP 12.1 isn't on that page.

Apparently there's a tool called CleanWipe from Symantec, but you have to get it from them or something.

Wish I'd never installed this thing.

So what should I try now?

#12 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 12 November 2011 - 12:44 PM

go ahead and run the combofix script and let me have the report


gringo

#13 Kuribos Shoe (Topic Starter)

Posted 12 November 2011 - 11:37 PM

Okay. Not sure if calc.exe got repaired. Should I just delete it and install a new copy?

I was able to get SEP12.1 off the system though. Looks like both Avira & Symantec are off.

Any suggestions on what should I be using for AV instead?

Note: I ran the Combofix log BEFORE I found the correct removal tool for Norton SEP 12.1

Here's the CFScript.txt Combofix Log

ComboFix 11-11-12.04 - Rich 11/12/2011 22:17:41.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.768.430 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {00000000-0000-0000-0000-000000000000}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {804E5358-FFA4-00C9-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {804E5358-FFA4-00EC-0D24-347CA8A3377C}
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\PowerToyReadme.htm
.
c:\windows\system32\calc.exe . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2011-10-13 to 2011-11-13 )))))))))))))))))))))))))))))))
.
.
2011-11-13 03:01 . 2011-11-13 03:01 -------- d-----w- C:\cleanwipe extraction
2011-11-07 08:18 . 2011-11-07 08:18 -------- d-----w- c:\program files\ESET
2011-11-07 04:36 . 2011-11-07 04:36 0 ----a-w- c:\windows\system32\REN3D.tmp
2011-11-07 04:36 . 2011-11-07 04:36 0 ----a-w- c:\windows\system32\REN3C.tmp
2011-11-07 04:36 . 2011-11-07 04:36 0 ----a-w- c:\windows\system32\REN3B.tmp
2011-11-07 04:36 . 2011-11-07 04:36 0 ----a-w- c:\windows\system32\REN35.tmp
2011-11-07 04:36 . 2011-11-07 04:36 0 ----a-w- c:\windows\system32\REN34.tmp
2011-11-07 04:36 . 2011-11-07 04:36 0 ----a-w- c:\windows\system32\REN33.tmp
2011-11-07 04:36 . 2011-11-07 04:36 0 ----a-w- c:\windows\system32\REN2B.tmp
2011-11-07 04:36 . 2011-11-07 04:36 0 ----a-w- c:\windows\system32\REN2A.tmp
2011-11-07 04:36 . 2011-11-07 04:36 0 ----a-w- c:\windows\system32\REN29.tmp
2011-11-07 04:36 . 2011-11-07 04:36 0 ----a-w- c:\windows\system32\REN1C.tmp
2011-11-07 04:36 . 2011-11-07 04:36 0 ----a-w- c:\windows\system32\REN1B.tmp
2011-11-07 04:36 . 2011-11-07 04:36 0 ----a-w- c:\windows\system32\REN1A.tmp
2011-11-06 21:00 . 2011-11-06 21:01 -------- d-sh--w- c:\documents and settings\Administrator\Local Settings\Application Data\f1ed48c9
2011-11-06 17:17 . 2011-11-06 18:10 -------- d-----w- c:\program files\Games
2011-11-06 16:35 . 2011-11-06 16:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\PopCapv1005eni
2011-10-16 16:06 . 2011-10-16 16:06 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\NCSoft
2011-10-16 14:40 . 2011-10-16 14:40 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\assembly
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-06 21:16 . 2005-05-05 05:53 36864 ----a-w- c:\windows\system32\acs.exe
2011-11-06 21:10 . 2006-05-03 16:43 413696 ----a-w- c:\windows\system32\ati2evxx.exe
2011-10-12 22:57 . 2011-05-18 19:49 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22 . 2006-06-05 19:55 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-03 10:06 . 2010-11-14 11:43 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-28 07:06 . 2002-12-31 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 16:41 . 2008-07-30 00:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41 . 2002-12-31 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41 . 2002-12-31 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-06 13:20 . 2002-12-31 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-09-01 21:58 . 2011-09-01 21:58 31232 ----a-w- c:\windows\system32\cmdow.exe
2011-08-31 22:00 . 2010-01-17 05:51 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-17 13:49 . 2002-12-31 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-11-13 02:54 . 2011-05-08 19:25 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2005-06-22 05:37 45568 --sha-r- c:\windows\system32\cygz.dll
2006-05-03 09:06 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30 216064 --sh--r- c:\windows\system32\nbDX.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2007-08-14 . DE49B348A18369B4626FBA1D49B07FB4 . 622080 . . [7.00.5730.13] . . c:\windows\system32\dllcache\iexplore.exe
.
((((((((((((((((((((((((((((( SnapShot@2011-11-10_08.36.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-06-05 19:55 . 2009-08-07 01:24 53472 c:\windows\system32\wuauclt.exe
- 2009-01-01 11:05 . 2011-08-12 18:51 17272 c:\windows\system32\spmsg.dll
+ 2009-01-01 11:05 . 2010-07-05 13:15 17272 c:\windows\system32\spmsg.dll
- 2002-12-31 12:00 . 2011-11-06 18:57 72698 c:\windows\system32\perfc009.dat
+ 2002-12-31 12:00 . 2011-11-13 03:16 72698 c:\windows\system32\perfc009.dat
+ 2002-12-31 12:00 . 2011-11-13 03:16 444236 c:\windows\system32\perfh009.dat
- 2002-12-31 12:00 . 2011-11-06 18:57 444236 c:\windows\system32\perfh009.dat
- 2010-05-12 17:19 . 2011-05-02 15:31 692736 c:\windows\system32\dllcache\inetcomm.dll
+ 2010-05-12 17:19 . 2011-10-10 14:22 692736 c:\windows\system32\dllcache\inetcomm.dll
- 2011-09-21 13:05 . 2011-09-09 09:12 599040 c:\windows\system32\dllcache\crypt32.dll
+ 2011-09-21 13:05 . 2011-09-28 07:06 599040 c:\windows\system32\dllcache\crypt32.dll
+ 2002-12-31 12:00 . 2011-11-13 03:40 50295240 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2010-11-07 1867888]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2008-05-16 1630208]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2010-07-04 17408]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 01000000
"NoRecentDocsNetHood"= 01000000
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2007-11-15 16:10 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS\0sdnclean.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Belkin Wireless Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Belkin Wireless Utility.lnk
backup=c:\windows\pss\Belkin Wireless Utility.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Secunia PSI Tray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Secunia PSI Tray.lnk
backup=c:\windows\pss\Secunia PSI Tray.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 17:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CoolSwitch]
2002-03-19 22:30 45632 ----a-w- c:\windows\system32\TaskSwitch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
2007-01-23 20:44 101136 ----a-w- c:\windows\KHALMNPR.Exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2011-04-22 12:21 247728 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{0228e555-4f9c-4e35-a3ec-b109a192b4c2}]
2005-07-15 21:48 479232 ----a-w- c:\program files\Google\Gmail Notifier\gnotify.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RoxWatch9"=2 (0x2)
"RoxMediaDB9"=3 (0x3)
"RoxLiveShare9"=2 (0x2)
"Roxio Upnp Server 9"=2 (0x2)
"Roxio UPnP Renderer 9"=3 (0x3)
"O&O Defrag"=2 (0x2)
"NVSvc"=2 (0x2)
"gusvc"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"AntiVirService"=2 (0x2)
"AntiVirSchedulerService"=2 (0x2)
"SNAC"=2 (0x2)
"SmcService"=3 (0x3)
"SepMasterService"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\12.1.671.4971.105\\Bin\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\12.1.671.4971.105\\Bin\\snac.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Games\\JewelQuest\\JewelQuest.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"c:\\Program Files\\Games\\RoboKill 2 Leviathan Five v01\\Robokill 2.exe"=
.
R1 c2scsi;c2scsi;c:\windows\system32\drivers\c2scsi.sys [3/30/2008 4:42 PM 241664]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 12:19 PM 50704]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [4/19/2011 12:44 AM 399416]
R2 SocketLock;Raw Socket Lock Driver;c:\windows\system32\socketlock.sys [8/24/2006 11:38 AM 3712]
R3 BLKWGD;Belkin Wireless G Desktop Card Service;c:\windows\system32\drivers\BLKWGD.sys [8/25/2007 6:30 PM 463872]
R3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [5/1/2010 1:54 PM 19056]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [5/20/2009 8:37 PM 47360]
S2 SepMasterService;Symantec Endpoint Protection;c:\program files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe [6/14/2011 4:31 PM 137224]
S3 appliandMP;appliandMP;c:\windows\system32\DRIVERS\appliand.sys --> c:\windows\system32\DRIVERS\appliand.sys [?]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 2:30 AM 15544]
S3 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [4/19/2011 12:44 AM 993848]
S3 SyDvCtrl;SyDvCtrl;c:\program files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\SyDvCtrl32.sys [6/17/2011 5:06 PM 23984]
S3 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [4/22/2011 6:21 AM 92592]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TCP: DhcpNameServer = 192.168.2.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\93vh3sa3.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - www.google.com/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-12 22:25
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SepMasterService]
"ImagePath"="\"c:\program files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe\" /s \"Symantec Endpoint Protection\" /m \"c:\program files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\sms.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SmcService]
"ImagePath"="\"c:\program files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG10.00.00.01WORKSTATION"="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"
.
[HKEY_LOCAL_MACHINE\software\Symantec\Symantec Endpoint Protection\CurrentVersion]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,4f,00,46,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1024)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
.
- - - - - - - > 'explorer.exe'(380)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\acs.exe
c:\program files\FolderSize\FolderSizeSvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2011-11-12 22:30:48 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-13 04:30
ComboFix2.txt 2011-11-10 08:43
.
Pre-Run: 2,569,453,568 bytes free
Post-Run: 2,591,756,288 bytes free
.
- - End Of File - - 927DB1D1A1D32838E0DE3F8669244CB2

Edited by Kuribos Shoe, 13 November 2011 - 02:22 AM.


#14 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 14 November 2011 - 08:27 PM

Do you have access to another XP computer, and what problems are we having with the computer now?


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic




#15 Kuribos Shoe

  • Topic Starter
  • Members
  • 19 posts

Posted 14 November 2011 - 10:12 PM

I do not have access to another XP machine at present. Why do you ask specifically?

As far as problems go, the only thing that stands out at present is ComboFix telling me that calc.exe is infected, but I have not been able to confirm this or what it's infected with.

I'm thinking of installing the new Anti-Vir 2012 Free Edition, but wanted to wait until you gave the go ahead.

Other than calc.exe, I don't see any other noticeable symptoms and no Google redirects.

Just need to find out if I'm clean from the rootkit, no other malicious programs were installed, and that no other viruses are present.

Also, I want to make sure that all old Java products are completely off my system so that I can install the new JRE 7.
And I wouldn't mind getting rid of any other older programs which make XP systems more susceptible to compromise/infection.

Thanks.



