Explorer.exe Sending Mass Email


9 replies to this topic

#1 camp1t

camp1t

  • Members
  • 5 posts
  • OFFLINE
  • Local time:04:48 PM

Posted 17 February 2007 - 04:37 PM

Hi - After installing Norton AV 7 I found that a worm was sending bulk emails from my computer. I realised this because the Norton email scanning boxes appeared and eventually filled my screen so that working while connected to the internet was impossible. My current workaround is to install McAfee as well which blocks emails from non-specified programs. The log file that is generated by McAfee reports explorer.exe attempting to send emails every hour.

So far I've done:

A full system scan with Norton AV
A full system scan with McAfee
Run Spyhunter
Run Spybot (interestingly Spybot reported SpyHunter as malicious, so I removed Spyhunter.)

I have removed taskdir.exe from my system32 folder and other suspicious looking dll's. I thought that this would be it but the mass emails are still being attempted.

The workaround is ok, but having two anti-virus programs is taking up a fair bit of CPU. I'm thinking that there is something attached to explorer.exe that is scheduled to make attempts on the hour. Any help appreciated as I've spent about 2 days looking at this problem. Thanks!


#2 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  • Location:Ontario
  • Local time:11:48 PM

Posted 20 February 2007 - 04:12 AM

Hi and welcome

Download ComboScan to your Desktop:

http://www.techsupportforum.com/sectools/D...d/comboscan.exe

Close all applications and windows.
Double-click on comboscan.exe to run it, and follow the prompts.
When the scan is complete, a text file will open - ComboScan.txt
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of ComboScan.txt here.
A folder, C:\ComboScan, will also open. In it will be another text file, Supplementary.txt.

Please copy/paste the contents of Supplementary.txt here.

Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

What ComboScan will do:
create a new System Restore point in Windows XP and Vista.
clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
check some important areas of your system and produce a report for your analyst to review.
ComboScan automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

Thanks :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware

#3 camp1t

camp1t
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:04:48 PM

Posted 20 February 2007 - 07:44 PM

Hey thanks! The ComboScan.txt and supplementary.txt files follow:

ComboScan v20070212.14 run by Cameron on 2007-02-21 at 13:34:32
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Restore was disabled; re-enabling.
Failed to create restore point: System Restore is disabled (service is not running).
Performed disk cleanup.


-- HijackThis log (run as Cameron.com) ------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 1:35:19 p.m., on 21/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Documents and Settings\Cameron\Desktop\comboscan.exe
C:\DOCUME~1\Cameron\LOCALS~1\Temp\~dpavsle.tmp\Cameron.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: SQL Server FullText Search (MSSQLSERVER) (msftesql) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe" -s:MSSQL.1 -f:MSSQLSERVER (file missing)
O23 - Service: SQL Server (MSSQLSERVER) (MSSQLSERVER) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER (file missing)
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: SQL Server Agent (MSSQLSERVER) (SQLSERVERAGENT) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE" -i MSSQLSERVER (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


-- HijackThis Fixed Entries (C:\Program Files\HijackThis\backups\) --------------

backup-20070215-121741-210 O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
backup-20070215-121741-293 R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
backup-20070215-121741-990 O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
backup-20070215-121810-246 O20 - Winlogon Notify: instcat - C:\WINDOWS\SYSTEM32\instcat.dll
backup-20070215-121810-333 O20 - Winlogon Notify: ksapgh - C:\WINDOWS\SYSTEM32\ksapgh.dll
backup-20070215-121810-407 O20 - Winlogon Notify: winmxw32 - C:\WINDOWS\SYSTEM32\winmxw32.dll
backup-20070215-121819-807 R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
backup-20070215-125027-288 O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
backup-20070215-125027-508 O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
backup-20070215-125027-903 R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
backup-20070215-163001-951 R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
backup-20070216-070538-724 O20 - Winlogon Notify: instcat - instcat.dll (file missing)


-- File Associations ------------------------------------------------------------

.bat - batfile - "%1" %*
.chm - chm.file - "C:\WINDOWS\hh.exe" %1
.com - comfile - "%1" %*
.exe - exefile - "%1" %*
.hlp - hlpfile - %SystemRoot%\System32\winhlp32.exe %1
.inf - inffile - %SystemRoot%\System32\NOTEPAD.EXE %1
.ini - inifile - %SystemRoot%\System32\NOTEPAD.EXE %1
.js - JSFile - %SystemRoot%\System32\WScript.exe "%1" %*
.lnk - lnkfile - {00021401-0000-0000-C000-000000000046}
.pif - piffile - "%1" %*
.reg - regfile - regedit.exe "%1"
.scr - scrfile - "%1" /S
.txt - txtfile - %SystemRoot%\system32\NOTEPAD.EXE %1
.vbs - VBSFile - %SystemRoot%\System32\WScript.exe "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ----------------------

3 ALCXWDM (Service for Realtek AC97 Audio (WDM)) - system32\drivers\ALCXWDM.SYS
1 AmdK8 (AMD Processor Driver) - system32\DRIVERS\AmdK8.sys
3 DNE (Deterministic Network Enhancer Miniport) - system32\DRIVERS\dne2000.sys
1 eeCtrl (Symantec Eraser Control driver) - \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
3 EntDrv51 - \??\C:\WINDOWS\system32\drivers\EntDrv51.sys
3 EraserUtilRebootDrv - \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
3 GEARAspiWDM - System32\Drivers\GEARAspiWDM.sys
3 HidUsb (Microsoft HID Class Driver) - system32\DRIVERS\hidusb.sys
1 kbdhid (Keyboard HID Driver) - system32\DRIVERS\kbdhid.sys
3 mouhid (Mouse HID Driver) - System32\DRIVERS\mouhid.sys
3 ms_mpu401 (Microsoft MPU-401 MIDI UART Driver) - system32\drivers\msmpu401.sys
3 MTsensor (ATK0110 ACPI UTILITY) - System32\DRIVERS\ASACPI.sys
3 NaiAvFilter1 - system32\drivers\naiavf5x.sys
1 NaiAvTdi1 - system32\drivers\mvstdi5x.sys
3 NAVENG - \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20070220.019\NAVENG.SYS
3 NAVEX15 - \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20070220.019\NAVEX15.SYS
3 nv - system32\DRIVERS\nv4_mini.sys
0 nvata - System32\DRIVERS\nvata.sys
3 NVENETFD (NVIDIA nForce Networking Controller Driver) - System32\DRIVERS\NVENETFD.sys
3 nvnetbus (NVIDIA Network Bus Enumerator) - System32\DRIVERS\nvnetbus.sys
1 p81eskse (FWSHIFT service) - \??\C:\WINDOWS\system32\p81eskse.sys
0 PCIIde - System32\DRIVERS\pciide.sys
3 pfc (Padus ASPI Shell) - system32\drivers\pfc.sys
0 PxHelp20 - System32\Drivers\PxHelp20.sys
1 RCFOX (SonicWALL IPsec Driver) - \??\C:\WINDOWS\system32\Drivers\RCFOX.sys
3 rcvpn (SonicWALL VPN Adapter) - system32\DRIVERS\rcvpn.sys
3 SPBBCDrv - \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
1 SRTSP - System32\Drivers\SRTSP.SYS
3 SRTSPL - System32\Drivers\SRTSPL.SYS
1 SRTSPX - System32\Drivers\SRTSPX.SYS
3 SYMDNS - \SystemRoot\System32\Drivers\SYMDNS.SYS
3 SymEvent - \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
3 SYMFW - \SystemRoot\System32\Drivers\SYMFW.SYS
3 SYMIDS - \SystemRoot\System32\Drivers\SYMIDS.SYS
3 SYMIDSCO - \??\C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\idsdefs\20070214.003\SymIDSCo.sys
3 SYMNDIS - \SystemRoot\System32\Drivers\SYMNDIS.SYS
3 SYMREDRV - \SystemRoot\System32\Drivers\SYMREDRV.SYS
1 SYMTDI - \SystemRoot\System32\Drivers\SYMTDI.SYS
3 usbehci (Microsoft USB 2.0 Enhanced Host Controller Miniport Driver) - System32\DRIVERS\usbehci.sys
3 usbohci (Microsoft USB Open Host Controller Miniport Driver) - System32\DRIVERS\usbohci.sys
3 usbscan (USB Scanner Driver) - system32\DRIVERS\usbscan.sys
3 USBSTOR (USB Mass Storage Driver) - system32\DRIVERS\USBSTOR.SYS
3 WmBEnum (Logitech Virtual Bus Enumerator Driver) - system32\drivers\WmBEnum.sys
3 WmFilter (Logitech WingMan HID Filter Driver) - system32\drivers\WmFilter.sys
3 WmVirHid (Logitech Virtual Hid Device Driver) - system32\drivers\WmVirHid.sys
3 WmXlCore (Logitech WingMan Translation Layer Driver) - system32\drivers\WmXlCore.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

3 aspnet_state (ASP.NET State Service) - %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
2 Automatic LiveUpdate Scheduler - "C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe"
2 ccEvtMgr (Symantec Event Manager) - "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon
2 ccSetMgr (Symantec Settings Manager) - "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon
3 clr_optimization_v2.0.50727_32 (.NET Runtime Optimization Service v2.0.50727_X86) - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
2 CLTNetCnService (Symantec Lic NetConnect service) - "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon
3 comHost (COM Host) - "C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe"
3 IDriverT (InstallDriver Table Manager) - "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"
2 IISADMIN (IIS Admin) - C:\WINDOWS\system32\inetsrv\inetinfo.exe
3 iPod Service - "C:\Program Files\iPod\bin\iPodService.exe"
3 ISPwdSvc (Symantec IS Password Validation) - "C:\Program Files\Norton Internet Security\isPwdSvc.exe"
2 LightScribeService (LightScribeService Direct Disc Labeling Service) - "C:\Program Files\Common Files\LightScribe\LSSrvc.exe"
3 LiveUpdate - "C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE"
3 Macromedia Licensing Service - "C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe"
2 McAfeeFramework (McAfee Framework Service) - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe /ServiceStart
2 McShield (Network Associates McShield) - "C:\Program Files\Network Associates\VirusScan\Mcshield.exe"
2 McTaskManager (Network Associates Task Manager) - "C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe"
2 msftesql (SQL Server FullText Search (MSSQLSERVER)) - "C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe" -s:MSSQL.1 -f:MSSQLSERVER
2 MSSQLSERVER (SQL Server (MSSQLSERVER)) - "C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER
4 MSSQLServerADHelper (SQL Server Active Directory Helper) - "C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe"
4 msvsmon80 (Visual Studio 2005 Remote Debugger) - "C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80
2 MySQL - "C:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt" --defaults-file="C:\Program Files\MySQL\MySQL Server 4.1\my.ini" MySQL
2 NVSvc (NVIDIA Display Driver Service) - %SystemRoot%\system32\nvsvc32.exe
3 ose (Office Source Engine) - "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
3 RampartSvc (SonicWall VPN Client Service) - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
3 ReportServer (SQL Server Reporting Services (MSSQLSERVER)) - "C:\Program Files\Microsoft SQL Server\MSSQL.2\Reporting Services\ReportServer\bin\ReportingServicesService.exe"
4 SQLBrowser (SQL Server Browser) - "C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe"
3 SQLSERVERAGENT (SQL Server Agent (MSSQLSERVER)) - "C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE" -i MSSQLSERVER
3 SQLWriter (SQL Server VSS Writer) - "C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
3 Symantec Core LC - "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe"
2 SymAppCore (Symantec AppCore Service) - "C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe"
2 UleadBurningHelper (Ulead Burning Helper) - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
2 W3SVC (World Wide Web Publishing) - %SystemRoot%\system32\inetsrv\inetinfo.exe


-- Scheduled Tasks --------------------------------------------------------------

2007-02-20 09:41:00 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job<APPLES~1.JOB>
2007-02-17 12:30:41 366 --a------ C:\WINDOWS\Tasks\XoftSpySE.job<XOFTSP~1.JOB>
2007-02-15 13:10:37 568 --a------ C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Cameron.job<NORTON~1.JOB>


-- Files created between 2007-01-21 and 2007-02-21 ------------------------------

2007-02-17 14:23:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy<SPYBOT~1>
2007-02-17 13:12:25 0 d-------- C:\SDFix
2007-02-17 12:29:45 0 d-------- C:\Program Files\XoftSpySE<XOFTSP~1>
2007-02-17 11:52:48 0 d-------- C:\quarantine<QUARAN~1>
2007-02-17 11:50:24 1004032 --a------ C:\explorer.exe<Unsigned: Microsoft Corporation>
2007-02-17 11:30:13 171192 --a------ C:\FixAbwiz.exe<Signed: n/a>
2007-02-17 11:17:17 0 d-------- C:\Program Files\Common Files\Cisco Systems<CISCOS~1>
2007-02-17 11:17:00 108256 --a------ C:\WINDOWS\system32\drivers\naiavf5x.sys<Unsigned: Network Associates, Inc.>
2007-02-17 11:17:00 58048 --a------ C:\WINDOWS\system32\drivers\mvstdi5x.sys<Unsigned: Network Associates, Inc.>
2007-02-17 11:16:57 0 d-------- C:\Documents and Settings\All Users\Application Data\Network Associates<NETWOR~1>
2007-02-17 11:16:51 0 d-------- C:\Program Files\Network Associates<NETWOR~1>
2007-02-17 11:16:51 0 d-------- C:\Program Files\Common Files\Network Associates<NETWOR~1>
2007-02-17 10:28:26 0 d-------- C:\WINDOWS\GroundZero Advanced Netstat<GROUND~1>
2007-02-17 10:28:26 0 d-------- C:\Program Files\GroundZero Advanced Netstat<GROUND~1>
2007-02-16 08:17:28 0 d-------- C:\WINDOWS\ie7updates<IE7UPD~1>
2007-02-15 22:17:20 0 d-------- C:\WINDOWS\WBEM
2007-02-15 22:17:18 0 d-------- C:\WINDOWS\system32\en-US
2007-02-15 22:16:59 0 d--h---c- C:\WINDOWS\ie7
2007-02-15 22:16:10 262144 --a------ C:\Documents and Settings\All Users\ntuser.dat
2007-02-15 22:15:49 0 d-------- C:\WINDOWS\network diagnostic<NETWOR~1>
2007-02-15 18:57:09 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage<WINDOW~1>
2007-02-15 17:01:51 0 d-------- C:\Program Files\Common Files\{E0BFB295-08A3-5129-0320-060724060040}<{E0BFB~1>
2007-02-15 16:12:20 0 d-------- C:\!KillBox
2007-02-15 12:52:58 0 d-------- C:\Program Files\Norton Internet Security<NORTON~1>
2007-02-15 12:51:51 48776 --a------ C:\WINDOWS\system32\S32EVNT1.DLL<Signed: Symantec Corporation>
2007-02-15 12:51:51 115000 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS<Signed: Symantec Corporation>
2007-02-15 12:14:48 0 d-------- C:\Program Files\HijackThis<HIJACK~1>
2007-02-15 11:25:53 0 d--h----- C:\WINDOWS\PIF
2007-02-15 11:07:37 0 d-------- C:\Program Files\Symantec
2007-02-15 11:07:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-02-15 11:04:01 0 d-------- C:\Program Files\Common Files\Symantec Shared<SYMANT~1>
2007-02-14 22:46:04 1532177 --a------ C:\Documents and Settings\LocalService\Application Data\Install.dat
2007-02-14 22:46:02 1532177 --a------ C:\Documents and Settings\NetworkService\Application Data\Install.dat
2007-01-30 21:11:16 5600 --a------ C:\WINDOWS\system32\drivers\WmVirHid.sys<Signed: Logitech Inc.>
2007-01-30 21:11:16 21280 --a------ C:\WINDOWS\system32\drivers\WmFilter.sys<Signed: Logitech Inc.>
2007-01-30 21:11:16 10144 --a------ C:\WINDOWS\system32\drivers\WmBEnum.sys<Signed: Logitech Inc.>
2007-01-30 21:11:15 44064 --a------ C:\WINDOWS\system32\drivers\WmXlCore.sys<Signed: Logitech Inc.>
2007-01-30 21:11:14 0 d-------- C:\Program Files\Common Files\Logitech
2007-01-30 21:11:04 0 d-------- C:\Program Files\Logitech
2007-01-30 14:42:54 0 d-------- C:\Program Files\Your Company Name<YOURCO~1>
2007-01-30 14:42:54 0 d-------- C:\Program Files\SendBlaster<SENDBL~1>
2007-01-30 12:23:14 0 d-------- C:\Program Files\MSXML 4.0<MSXML4~1.0>
2007-01-30 11:55:44 0 d-------- C:\Program Files\Microsoft Games<MI9A48~1>
2007-01-26 12:30:32 9856 -----n--- C:\WINDOWS\system32\drivers\pfc.sys<Unsigned: Padus, Inc.>
2007-01-26 12:30:04 0 d-------- C:\Program Files\CyberLink<CYBERL~1>
2007-01-26 12:29:21 0 d-------- C:\pdwork
2007-01-26 12:24:52 0 d-------- C:\Program Files\Common Files\SONY Digital Images<SONYDI~1>
2007-01-26 12:23:03 0 d-------- C:\Program Files\Common Files\Ulead Systems<ULEADS~1>
2007-01-26 12:23:03 0 d-------- C:\Documents and Settings\All Users\Application Data\Ulead Systems<ULEADS~1>
2007-01-26 12:23:02 0 d-------- C:\Program Files\Ulead Systems<ULEADS~1>
2007-01-25 14:53:02 0 --a------ C:\WINDOWS\nsreg.dat
2007-01-25 14:52:48 2301 --a------ C:\WINDOWS\mozver.dat
2007-01-25 14:52:47 0 d-------- C:\Program Files\Mozilla Firefox<MOZILL~1>
2007-01-25 14:52:38 20640 -----n--- C:\WINDOWS\system32\drivers\PxHelp20.sys<Unsigned: Sonic Solutions>
2007-01-25 14:52:37 109568 -----n--- C:\WINDOWS\system32\pxinsi64.exe<Unsigned: Sonic Solutions>
2007-01-25 14:52:37 108544 -----n--- C:\WINDOWS\system32\pxcpyi64.exe<Unsigned: Sonic Solutions>
2007-01-25 14:51:49 0 d-------- C:\Documents and Settings\Cameron\Application Data\DivX
2007-01-25 14:51:14 0 d-------- C:\Program Files\DivX


-- Find3M Report ----------------------------------------------------------------

2007-02-18 21:04:05 0 d-------- C:\Program Files\Java
2007-02-15 07:43:30 271620 --a------ C:\WINDOWS\system32\drivers\ndis.sys<Unsigned: n/a>
2007-01-30 21:11:02 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-01-30 15:12:54 0 d---s---- C:\Documents and Settings\Cameron\Application Data\Microsoft<MICROS~1>
2007-01-30 11:45:25 0 d-------- C:\Program Files\QuickTime<QUICKT~1>
2007-01-30 11:45:04 0 d-------- C:\Program Files\Apple Software Update<APPLES~1>
2007-01-25 14:52:59 0 d-------- C:\Documents and Settings\Cameron\Application Data\Mozilla
2007-01-25 14:52:54 0 d-------- C:\Program Files\Google
2007-01-20 22:19:14 0 d-------- C:\Documents and Settings\Cameron\Application Data\Google
2007-01-19 12:23:15 0 d-------- C:\Program Files\salesforce.com<SALESF~1.COM>
2007-01-19 12:15:39 0 d-------- C:\Program Files\Essential<ESSENT~1>
2007-01-17 20:35:13 0 d-------- C:\Documents and Settings\Cameron\Application Data\Apple Computer<APPLEC~1>
2007-01-17 20:35:10 0 d-------- C:\Program Files\iTunes
2007-01-17 20:35:06 0 d-------- C:\Program Files\iPod
2007-01-17 14:40:20 0 d-------- C:\Program Files\Canon
2007-01-17 14:11:23 0 d-------- C:\Program Files\MSDN
2007-01-17 14:08:31 0 d-------- C:\Program Files\Microsoft Device Emulator<MI9C2B~1>
2007-01-17 14:08:25 0 d-------- C:\Program Files\Microsoft SQL Server 2005 Mobile Edition<MI40D9~1>
2007-01-17 14:04:30 0 d-------- C:\Program Files\Microsoft Visual Studio 8<MID05A~1>
2007-01-17 14:03:28 0 d-------- C:\Program Files\MSBuild
2007-01-17 14:03:20 0 d-------- C:\Program Files\HTML Help Workshop<HTMLHE~1>
2007-01-17 14:03:01 0 d-------- C:\Program Files\Common Files\Merge Modules<MERGEM~1>
2007-01-17 13:57:57 0 d-------- C:\Program Files\CE Remote Tools<CEREMO~1>
2007-01-17 13:46:41 0 d-------- C:\Program Files\Microsoft SQL Server<MICROS~4>
2007-01-17 13:45:09 0 d-------- C:\Program Files\SQLXML 4.0<SQLXML~1.0>
2007-01-17 13:40:20 0 d-------- C:\Program Files\Microsoft Analysis Services<MIA538~1>
2007-01-17 13:40:06 0 d-------- C:\Program Files\Microsoft.NET<MICROS~1.NET>
2007-01-17 12:48:40 0 d-------- C:\Documents and Settings\Cameron\Application Data\MySQL
2007-01-17 12:19:10 0 d-------- C:\Program Files\MySQL
2007-01-17 10:45:57 0 d-------- C:\Program Files\Macromedia<MACROM~1>
2007-01-17 10:35:22 0 d-------- C:\Program Files\Common Files\Macromedia Shared<MACROM~2>
2007-01-16 21:37:08 0 d-------- C:\Documents and Settings\Cameron\Application Data\Sun
2007-01-16 21:36:03 0 d-------- C:\Program Files\Common Files\Java
2007-01-16 12:35:40 0 d-------- C:\Documents and Settings\Cameron\Application Data\SonicWALL<SONICW~1>
2007-01-16 12:34:09 0 d-------- C:\Program Files\Common Files\Deterministic Networks<DETERM~1>
2007-01-16 12:34:06 0 d-------- C:\Program Files\SonicWALL<SONICW~1>
2007-01-15 20:27:01 0 d-------- C:\Documents and Settings\Cameron\Application Data\Adobe
2007-01-15 19:34:34 0 d-------- C:\Program Files\Messenger<MESSEN~1>
2007-01-15 15:53:41 0 d-------- C:\Program Files\Common Files\Macromedia<MACROM~1>
2007-01-15 15:50:53 0 d-------- C:\Documents and Settings\Cameron\Application Data\Macromedia<MACROM~1>
2007-01-15 15:42:19 0 d-------- C:\Program Files\Common Files\InstallShield<INSTAL~1>
2007-01-15 14:56:17 8 --a------ C:\WINDOWS\system32\nvModes.dat
2007-01-15 11:56:43 0 d-------- C:\Documents and Settings\Cameron\Application Data\CyberLink<CYBERL~1>
2007-01-15 11:54:50 60416 --a------ C:\WINDOWS\ALCFDRTM.EXE<Unsigned: Realtek Semiconductor Corp.>
2007-01-15 11:50:29 0 d-------- C:\Program Files\Microsoft ActiveSync<MICROS~3>
2007-01-13 14:08:31 520192 --a------ C:\WINDOWS\system32\DivXsm.exe<Unsigned: n/a>
2007-01-13 14:08:29 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll<Unsigned: n/a>
2007-01-13 14:08:20 200704 --a------ C:\WINDOWS\system32\ssldivx.dll<Unsigned: The OpenSSL Project, http://www.openssl.org/>
2007-01-13 14:08:20 1044480 --a------ C:\WINDOWS\system32\libdivx.dll<Unsigned: The OpenSSL Project, http://www.openssl.org/>
2007-01-13 14:03:31 196608 --a------ C:\WINDOWS\system32\dtu100.dll<Unsigned: DivX, Inc.>
2007-01-13 14:03:31 73728 --a------ C:\WINDOWS\system32\dpl100.dll<Unsigned: DivX, Inc.>
2007-01-13 14:03:30 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll<Unsigned: DivXNetworks>
2007-01-13 14:03:29 57344 --a------ C:\WINDOWS\system32\dpv11.dll<Unsigned: DivXNetworks>
2007-01-13 14:03:29 344064 --a------ C:\WINDOWS\system32\dpus11.dll<Unsigned: DivXNetworks>
2007-01-13 14:03:29 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll<Unsigned: DivXNetworks>
2007-01-13 14:03:29 294912 --a------ C:\WINDOWS\system32\dpu11.dll<Unsigned: DivXNetworks>
2007-01-13 14:03:29 294912 --a------ C:\WINDOWS\system32\dpu10.dll<Unsigned: DivXNetworks>
2007-01-13 14:03:26 790528 --a------ C:\WINDOWS\system32\divx_xx11.dll<DIVX_X~3.DLL><Unsigned: DivX, Inc.>
2007-01-13 14:03:26 806912 --a------ C:\WINDOWS\system32\divx_xx0c.dll<DIVX_X~1.DLL><Unsigned: DivX, Inc.>
2007-01-13 14:03:26 806912 --a------ C:\WINDOWS\system32\divx_xx07.dll<DIVX_X~2.DLL><Unsigned: DivX, Inc.>
2007-01-13 14:03:26 635486 --a------ C:\WINDOWS\system32\DivX.dll<Unsigned: DivX, Inc.>
2007-01-12 18:01:42 25400 --a------ C:\WINDOWS\system32\drivers\srtspx.sys<Signed: Symantec Corporation>
2007-01-12 18:01:42 276792 --a------ C:\WINDOWS\system32\drivers\srtspl.sys<Signed: Symantec Corporation>
2007-01-12 18:01:42 247608 --a------ C:\WINDOWS\system32\drivers\srtsp.sys<Signed: Symantec Corporation>
2007-01-12 14:19:45 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll<DIVXWM~1.DLL><Unsigned: n/a>
2007-01-12 14:19:44 118784 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe<DIVXCO~1.EXE><Unsigned: DivX, Inc.>
2007-01-12 10:28:45 0 d-------- C:\Program Files\AMD
2007-01-12 10:09:12 0 d-------- C:\Program Files\Common Files\Adobe
2007-01-12 10:06:51 0 d-------- C:\Program Files\ASUSTeK
2007-01-12 10:02:14 0 d-------- C:\Program Files\Ahead
2007-01-12 10:01:55 0 d-------- C:\Program Files\Common Files\LightScribe<LIGHTS~1>
2007-01-12 10:00:11 0 d-------- C:\Program Files\Common Files\Nero
2007-01-12 09:59:24 0 d-------- C:\Program Files\Common Files\Ahead
2007-01-12 09:19:52 0 d-------- C:\Program Files\Movie Maker<MOVIEM~1>
2007-01-12 09:18:50 0 d-------- C:\Program Files\Windows NT<WINDOW~1>
2007-01-12 09:11:26 0 d-------- C:\Program Files\Realtek Sound Manager<REALTE~1>
2007-01-12 09:11:26 0 d-------- C:\Program Files\AvRack
2007-01-12 05:34:45 0 d-------- C:\Program Files\Common Files\ODBC
2007-01-12 05:34:42 0 d-------- C:\Program Files\Common Files\SpeechEngines<SPEECH~1>
2007-01-12 05:34:23 62 --ahs---- C:\Documents and Settings\Cameron\Application Data\desktop.ini
2007-01-11 16:47:37 0 d-------- C:\Documents and Settings\Cameron\Application Data\Identities<IDENTI~1>
2007-01-11 16:43:22 0 d-------- C:\Program Files\microsoft frontpage<MICROS~1>
2007-01-11 16:43:13 0 -rahs---- C:\MSDOS.SYS<Unsigned: n/a>
2007-01-11 16:43:13 0 -rahs---- C:\IO.SYS<Unsigned: n/a>
2007-01-11 16:43:13 0 --a------ C:\CONFIG.SYS<Unsigned: n/a>
2007-01-11 16:43:13 0 --a------ C:\AUTOEXEC.BAT
2007-01-11 16:41:27 0 d-------- C:\Program Files\Common Files\MSSoap
2007-01-11 16:40:57 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat<EMPTYR~1.DAT>
2007-01-11 16:40:52 0 d--h----- C:\Program Files\WindowsUpdate<WINDOW~3>
2007-01-11 16:40:52 0 d-------- C:\Program Files\Online Services<ONLINE~1>
2007-01-11 16:40:43 0 d-------- C:\Program Files\MSN Gaming Zone<MSNGAM~1>


-- Registry Dump ----------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMan"="SOUNDMAN.EXE"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"RemoteControl"="\"C:\\Program Files\\ASUSTeK\\ASUSDVD\\PDVDServ.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"osCheck"="\"C:\\Program Files\\Norton Internet Security\\osCheck.exe\""
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"McAfeeUpdaterUI"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\" /StartedFromRunKey"
"Network Associates Error Reporting Service"="\"C:\\Program Files\\Common Files\\Network Associates\\TalkBack\\TBMon.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"System Registry Hook"="{309C96FA-8C40-4bce-879C-989DC33DCD25}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{064ecc56-be01-11db-92f8-0015f240dfe2}]
Shell\AutoRun\command .\_autorun\autorun_win.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1cb7b6e2-be0b-11db-92fa-0015f240dfe2}]
Shell\AutoRun\command .\_autorun\autorun_win.exe
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_COMHOST


-- End of ComboScan: finished at 2007-02-21 at 13:36:45 -------------------------


ComboScan v20070212.14 run by Cameron on 2007-02-21 at 13:34:32
Supplementary logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information -----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ 64 Processor 3500+
Percentage of Memory in Use: 39%
Physical Memory (total/avail): 2047.48 MiB / 1242.79 MiB
Pagefile Memory (total/avail): 3940.5 MiB / 3237.72 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1992.7 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 149.04 GiB total, 111.19 GiB free.
D: is CDROM (No Media)
E: is Fixed (NTFS) - 149.05 GiB total, 117.66 GiB free.


-- Security Center --------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FW: Norton Internet Security v2007 (Symantec Corporation)
AV: Norton Internet Security v2007 (Symantec Corporation)


-- Environment Variables --------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Cameron\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_10\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=ESSENTIA-E44FJN
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Cameron
lib=C:\Program Files\SQLXML 4.0\bin\
LOGONSERVER=\\ESSENTIA-E44FJN
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\;C:\Program Files\Microsoft SQL Server\90\Tools\binn\;C:\Program Files\Microsoft SQL Server\90\DTS\Binn\;C:\Program Files\Microsoft SQL Server\90\Tools\Binn\VSShell\Common7\IDE\;C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Common Files\Ulead Systems\MPEG
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 47 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=2f02
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_10\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Cameron\LOCALS~1\Temp
TMP=C:\DOCUME~1\Cameron\LOCALS~1\Temp
USERDOMAIN=ESSENTIA-E44FJN
USERNAME=Cameron
USERPROFILE=C:\Documents and Settings\Cameron
VS80COMNTOOLS=C:\Program Files\Microsoft Visual Studio 8\Common7\Tools\
windir=C:\WINDOWS


-- User Profiles ----------------------------------------------------------------

Cameron (admin)
ASPNET (new local)


-- Add/Remove Programs ----------------------------------------------------------

--> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNNMP.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A80000000002}
AppCore --> MsiExec.exe /I{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}
Apple Software Update --> MsiExec.exe /I{A50C25D7-62E9-4511-AD70-8E2DA5E79B7D}
ASUSDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
Athlon 64 Processor Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C151CE54-E7EA-4804-854B-F515368B0798}\setup.exe" -l0x9
AV --> MsiExec.exe /I{F4DB525F-A986-4249-B98B-42A8066251CA}
Canon Camera Support Core Library --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{91F1A0D6-23AD-49FE-8D4E-379485652214} /l1033
Canon Camera Window DS for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{91203BD3-6C3E-472F-ADBD-F60FDC7C4010}
Canon Camera Window DVC for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{4C96958A-6562-4143-B820-FF4890D3B734}
Canon Camera Window for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{C7281207-4AA4-425E-B57A-0E9EF8445635}
Canon MovieEdit Task for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{8AF1E098-1A5C-4336-BBE2-D047ABB401ED}
Canon PhotoRecord --> MsiExec.exe /X{0878E100-C0BB-41E8-B4C6-C486B61FDA7B}
Canon RAW Image Task for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{45EF4EE3-F591-4B74-A477-0CAE12934CE7}
Canon RemoteCapture Task for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{28291BD5-92D2-4685-82DC-CCA925C53CCA}
Canon Utilities PhotoStitch 3.1 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{218BBBE3-FE63-4BB2-81A8-7435575A84FA}
Canon ZoomBrowser EX --> MsiExec.exe /X{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}
ccCommon --> MsiExec.exe /I{3CCAD2EF-CFF2-4637-82AA-AABF370282D3}
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
Google Toolbar for Firefox --> MsiExec.exe /X{2CCBABCB-6427-4A55-B091-49864623C43F}
GroundZero Advanced Netstat --> "C:\WINDOWS\GroundZero Advanced Netstat\uninstall.exe" "/U:C:\Program Files\GroundZero Advanced Netstat\Uninstall\uninstall.xml"
HijackThis 1.99.1 --> C:\DOCUME~1\Cameron\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe /uninstall
iTunes --> MsiExec.exe /I{446DBFFA-4088-48E3-8932-74316BA4CAE4}
J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
LiveUpdate 3.1 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Logitech Gaming Software --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B9242864-2841-4ADE-86E0-8F90F91B04DD}\setup.exe" -l0x9
Macromedia Contribute 3.11 --> MsiExec.exe /I{4B9535BF-CC90-4158-AF32-CAF57A8820CA}
Macromedia Dreamweaver 8 --> MsiExec.exe /I{0837A661-FEC3-48B3-876C-91E7D32048A9}
Macromedia Extension Manager --> MsiExec.exe /I{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}
Macromedia Fireworks 8 --> MsiExec.exe /I{4C24A8C1-7CFA-4650-AF15-732F5BD7B46D}
Macromedia Flash 8 --> MsiExec.exe /I{2BD5C305-1B27-4D41-B690-7A61172D2FEB}
Macromedia Flash 8 Video Encoder --> MsiExec.exe /X{8BF2C401-02CE-424D-BC26-6C4F9FB446B6}
Macromedia FlashPaper 2 --> MsiExec.exe /X{F977FD4B-C9A6-4BAA-B4BB-DE3023288253}
Mailman --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Essential\Mailman\Uninst.isu"
McAfee VirusScan Enterprise --> MsiExec.exe /I{5DF3D1BB-894E-4DCD-8275-159AC9829B43}
Microsoft Device Emulator version 1.0 - ENU --> MsiExec.exe /X{78B75C6D-E53C-424C-BF83-4B63BD4A6682}
Microsoft Document Explorer 2005 --> C:\Program Files\Common Files\Microsoft Shared\Help 8\Microsoft Document Explorer 2005\install.exe
Microsoft Document Explorer 2005 --> MsiExec.exe /X{44D4AF75-6870-41F5-9181-662EA05507E1}
Microsoft Flight Simulator X --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{9527A496-5DF9-412A-ADC7-168BA5379CA6}
Microsoft Office 2003 Web Components --> MsiExec.exe /I{90A40409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Small Business Edition 2003 --> MsiExec.exe /I{91CA0409-6000-11D3-8CFE-0150048383C9}
Microsoft SQL Server 2005 --> "C:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\ARPWrapper.exe" /Remove
Microsoft SQL Server 2005 --> MsiExec.exe /I{130A3BE1-85CC-4135-8EA7-5A724EE6CE2C}
Microsoft SQL Server 2005 Backward compatibility --> MsiExec.exe /I{96327C3C-96BE-4C7A-A6F7-A71635E5949A}
Microsoft SQL Server 2005 Books Online (English) --> MsiExec.exe /I{0B43A744-B1B8-4089-9BD1-9D41C7EC0AA3}
Microsoft SQL Server 2005 Mobile [ENU] Developer Tools --> MsiExec.exe /X{1389C6A4-4965-4AEC-9175-08B54A10FA48}
Microsoft SQL Server 2005 Reporting Services --> MsiExec.exe /I{E930E839-998E-42F9-97E2-71FC960DB1B7}
Microsoft SQL Server 2005 Tools --> MsiExec.exe /I{1DD463C0-A50A-4394-B7E4-5895C02F9E0D}
Microsoft SQL Server Native Client --> MsiExec.exe /I{BF251EAF-8697-4E89-BF09-C998F97BBC40}
Microsoft SQL Server Setup Support Files (English) --> MsiExec.exe /X{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}
Microsoft SQL Server VSS Writer --> MsiExec.exe /I{1CBE3804-20DF-48DA-B048-895C206E80A5}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Visual J# 2.0 Redistributable Package --> C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft Visual J# 2.0 Redistributable Package\install.exe
Microsoft Visual Studio 2005 Premier Partner Edition - ENU --> MsiExec.exe /I{C25EF637-BE7A-4761-9B45-9069989C319F}
Microsoft Visual Studio 2005 Standard Edition - ENU --> C:\Program Files\Microsoft Visual Studio 8\Microsoft Visual Studio 2005 Standard Edition - ENU\setup.exe
Microsoft Visual Studio 2005 Standard Edition - ENU --> MsiExec.exe /X{D407F7C0-579E-4CCB-91FD-855CE5084E86}
Mozilla Firefox (1.5.0.9) --> C:\Program Files\Mozilla Firefox\uninstall\uninstall.exe /ua "1.5.0.9 (en-US)"
MSDN Library for Visual Studio 2005 --> msiexec /i {23959E96-A80F-4172-A655-210E9BB7BFBE}
MSDN Library for Visual Studio 2005 --> MsiExec.exe /X{23959E96-A80F-4172-A655-210E9BB7BFBE}
MSRedist --> MsiExec.exe /I{B7C61755-DB48-4003-948F-3D34DB8EAF69}
MSXML 6.0 Parser (KB927977) --> MsiExec.exe /I{5A710547-B58E-488B-828D-CA9A25A0533C}
MySQL Server 4.1 --> MsiExec.exe /I{063DFF87-7F52-4A39-89C0-BFF7E9B7BA8E}
MySQL Tools for 5.0 --> MsiExec.exe /I{64D7BC08-5A84-467A-82B5-DB262DE9B1DA}
Nero Suite --> C:\Program Files\Common Files\Nero\Uninstall\Setupx.exe /uninstall ExtraUninstallID=""
Norton AntiVirus --> MsiExec.exe /X{830D8CBD-C668-49e2-A969-C2C2106332E0}
Norton Confidential Browser Component --> MsiExec.exe /I{4843B611-8FCB-4428-8C23-31D0A5EAE164}
Norton Confidential Web Protection Component --> MsiExec.exe /I{D353CC51-430D-4C6F-9B7E-52003DA1E05A}
Norton Internet Security --> MsiExec.exe /I{48185814-A224-447a-81DA-71BD20580E1B}
Norton Internet Security --> MsiExec.exe /I{5AA2CD16-706F-41f3-87C5-2B5A031F2B3B}
Norton Internet Security --> MsiExec.exe /I{E3EFA461-EB83-4C3B-9C47-2C1D58A01555}
Norton Internet Security --> MsiExec.exe /I{E5EE9939-259F-4DE2-8023-5C49E16A4F43}
Norton Internet Security (Symantec Corporation) --> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{5AA2CD16-706F-41f3-87C5-2B5A031F2B3B}_10_0_1_86\{5AA2CD16-706F-41f3-87C5-2B5A031F2B3B}.exe" /X
Norton Protection Center --> MsiExec.exe /I{9A129ABC-A53A-4209-A21E-D5DEDFB7CCA8}
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
PHP 4.4.4 --> C:\WINDOWS\system32\UNWISE.EXE C:\WINDOWS\system32\INSTALL.LOG
PowerDirector --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}\Setup.exe" -uninstall
QuickTime --> MsiExec.exe /I{50D8FFDD-90CD-4859-841F-AA1961C7767A}
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
SendBlaster --> MsiExec.exe /X{42DA3228-A220-11DA-B2CF-000D9D8AD03F}
SForce Office Toolkit --> MsiExec.exe /X{E5CB596C-44A2-498E-8F90-E054A17FD9E4}
SonicWALL Global VPN Client --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{53648F92-1CC5-22D2-A6DF-00A0C9A23BCD}\setup.exe" -l0x9 -FromCPL
SPBBC 32bit --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SQLXML4 --> MsiExec.exe /I{8C62A94B-4AB6-485F-A111-93056684D340}
SymNet --> MsiExec.exe /I{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}
Ulead DVD MovieFactory 4.0 SE --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{448AB2CB-C94A-47DE-80B8-9D7824DEFA57}\setup.exe" -l0x9
XoftSpySE --> C:\Program Files\XoftSpySE\uninstall.exe


-- End of ComboScan: finished at 2007-02-21 at 13:36:45 -------------------------

#4 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  •  
  • Location:Ontario
  • Local time:11:48 PM

Posted 22 February 2007 - 12:38 AM

Hi

Thanks for the log.

Looks like you have some Haxdoor onboard.

1 p81eskse (FWSHIFT service) - \??\C:\WINDOWS\system32\p81eskse.sys

I'd like to double check what is left of it.



Download haxfix.exe ( http://users.telenet.be/marcvn/tools/haxfix.exe ).
Save it to your desktop.
Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
Checkmark "Create a desktop icon".
Click "Next".
When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed.
Click "Finish".
A red "dos window" (dos box) will open.
Select option 1. Make logfile by typing 1 and then pressing Enter.
Haxfix will start scanning the computer. When it is finished a logfile will open.
Copy the contents of that logfile and paste it into this thread.

Can you "see" this file:

C:\explorer.exe

And this one:

C:\WINDOWS\system32\drivers\ndis.sys

Upload both those here please:

http://www.bleepingcomputer.com/submit-mal....php?channel=20

Please include link to this thread so I can ID who's files they are.

Then:

Download catchme.exe from here:

http://www.gmer.net/catchme.exe

Save file to your desktop.
Double click it and let it run.
A "dos" window will pop up while the program scans system for hidden files/processes.
It will tell you when done and lets you know if anything is found.
You can close the "dos" window.
A log file called catchme.txt will be placed on the desktop.

Please post the contents of that file.
It should be small enough to copy/paste here.

Don't be tempted to try to find/delete all files that this log shows. Sometimes malware hides legit files as well.

Since I am pretty sure haxdoor is or was on here it is advised you use a clean computer to change your passwords to any sensitive sites you use such as banking, paypal, ebay, etc.
Please don't use this computer for these services till we can determine it is clean.
Some variants of haxdoor can/do log keystrokes.

If you did use computer for any of the above services you should also contact your credit card/banking companies to alert them.
They can put a watch on your accounts for suspicious activity.


Thanks

Blender

ps. I see also you are running 2 security suites, Norton & McAfee.
One should be removed, as having 2 AV or firewall programs will conflict.

Question:

Did you disable your system restore? If so please turn it back on so we have something to fall back on if something should go wrong while we work.
I'll take an infected restore point over nothing.
Once all is cleaned up & running OK...we'll purge the restore points & make a fresh one to remove infected files backed up there.

Do let me know please if you have troubles turning on system restore.

Thanks
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware

#5 camp1t

camp1t
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:04:48 PM

Posted 22 February 2007 - 08:37 PM

Hi. Thanks for the response. Haxlog.txt and catchme.log follow:

HAXFIX logfile - by Marckie

version 4.37
Fri 23/02/2007 7:53:44.28

--- Checking for Haxdoor ---

checking for a3d files
a3d files not found

checking for matching notify keys
no matching notify keys found

checking for matching services
no matching services found

checking for matching safeboot services
no matching safeboot services found

checking for other Haxdoor-files
no other Haxdoor-files found


--- Checking for Goldun ---


checking for SSODL keys
no ssodl keys found

checking for notify keys
no notify keys found

checking for services
p81eskse

checking for other Goldun-files
no other Goldun-files found

checking iexplore.exe
iexplore.exe is not infected


Finished!

catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

#6 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  •  
  • Location:Ontario
  • Local time:11:48 PM

Posted 23 February 2007 - 03:16 AM

Hi

Open this folder program files > haxfix and double click on fix.bat (or double click on fix.bat desktop icon)
Close all other open windows since this step requires a reboot
Select option 2. Run auto fix by typing 2 and then pressing Enter

If an infection is found, you'll get a message to close all other open windows.

Close all open windows except the red dos window from haxfix and then press Enter
The computer will reboot
After reboot a logfile will open > (c:\haxfix.txt)
Post the contents of that logfile along with a new HijackThis log.

Let me know how the machine is running. Outgoing email activity seems to have stopped?

What is in this folder please:

C:\Program Files\Common Files\{E0BFB295-08A3-5129-0320-060724060040}

You can delete:

C:\explorer.exe <--Only from here!! The scan I ran on the file you sent showed no infections but explorer.exe does not belong in the root of the drive.
It belongs in your windows folder.

Let's do an online scan too please:

Using Internet Explorer please do an online scan with Kaspersky Online Scanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (If available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save report button.
  • Call it Kaspersky.txt
  • Expand the arrow beside "file types" and save as .txt file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
*Note
It is recommended to disable your onboard antivirus program and antispyware programs while performing scans so there are no conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.

Thanks :thumbsup:

#7 camp1t

camp1t
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:04:48 PM

Posted 23 February 2007 - 04:17 AM

OK, here is the log. I've deleted c:\explorer.exe. McAfee is still blocking emails - I notice that c:\windows\explorer.exe is a different file size to the one in c: (1,008KB). I've just submitted the file to Kaspersky and it seems clean.

Kaspersky online scan just stops with a Welcome window when I click install ActiveX control.

Thanks. Maybe this will go away when I reboot tomorrow. Will let you know either way.

HAXFIX logfile - by Marckie

version 4.37
Fri 23/02/2007 21:53:41.82

--- Auto Haxdoorfix ---


searching for files:

no infections found


--- Goldunfix ---


searching for files:


checking iexplore.exe
iexplore.exe is not infected

searching for SSODLkeys:
no SSODLkeys found

searching for notifykeys:
no notifykeys found

searching for services:
p81eskse


deleting service p81eskse
[SWSC] DeleteService SUCCESS


.....rebooting the computer.....


searching for ssodlkeys

not needed


searching for notifykeys

not needed


searching for services

service p81eskse not found


searching for safeboot services

not needed


searching for files

p81eskse.sys exists
deleting p81eskse.sys
p81eskse.sys has been deleted


checking for other files

No other files found


checking for a3d files

no a3d files found


Finished

#8 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  •  
  • Location:Ontario
  • Local time:11:48 PM

Posted 23 February 2007 - 06:55 PM

Hi

No, it probably won't go away tomorrow.
Sounds like there is still something on that machine.
Got rid of Goldun at least.

Does McAfee tell you what file is doing all the mailing? I've never used McAfee firewall so I don't know how detailed its logs are when it blocks stuff.

Kaspersky window...
In the welcome window you may have to use the "zoom" at bottom right & increase it to 125% to get the scroll bars.
Then you can "accept" and proceed with scan as laid out above.

Can you upload me your c:\windows\explorer.exe please? I'd like to compare the 2.

http://www.bleepingcomputer.com/submit-mal....php?channel=20

What is in this folder please:

C:\Program Files\Common Files\{E0BFB295-08A3-5129-0320-060724060040}

Thanks :thumbsup:

#9 camp1t

camp1t
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:04:48 PM

Posted 23 February 2007 - 07:56 PM

Hi, McAfee reports explorer.exe attempting to send mail. With McAfee you can limit applications that are allowed to send.

C:\Program Files\Common Files\{E0BFB295-08A3-5129-0320-060724060040}

was empty, so I deleted it. McAfee log follows, will try online scan again. Thanks.

24/02/2007 12:50:58 p.m. Blocked by port blocking rule explorer.exe Prevent mass mailing worms from sending mail 194.67.23.20
24/02/2007 12:50:58 p.m. Blocked by port blocking rule explorer.exe Prevent mass mailing worms from sending mail 216.39.53.1
24/02/2007 12:50:58 p.m. Blocked by port blocking rule explorer.exe Prevent mass mailing worms from sending mail 66.249.93.27
24/02/2007 1:50:58 p.m. Blocked by port blocking rule explorer.exe Prevent mass mailing worms from sending mail 194.67.23.20
24/02/2007 1:50:58 p.m. Blocked by port blocking rule explorer.exe Prevent mass mailing worms from sending mail 216.39.53.1
24/02/2007 1:50:58 p.m. Blocked by port blocking rule explorer.exe Prevent mass mailing worms from sending mail 209.85.135.27
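The McAfee lines above carry the whole diagnosis: a process that is not a mail client retrying several mail servers exactly one hour apart. As an added example (not from the thread or from McAfee), here is detection logic that parses those lines and flags that pattern; the field layout is assumed from the posted lines, and the sample input is the six lines quoted above.

```python
"""Detection logic for the McAfee VirusScan port-blocking log posted in this
thread: find processes that keep retrying outbound mail on a fixed schedule."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: the six lines quoted in the thread, unchanged.
SAMPLE_LOG = """\
24/02/2007 12:50:58 p.m. Blocked by port blocking rule explorer.exe Prevent mass mailing worms from sending mail 194.67.23.20
24/02/2007 12:50:58 p.m. Blocked by port blocking rule explorer.exe Prevent mass mailing worms from sending mail 216.39.53.1
24/02/2007 12:50:58 p.m. Blocked by port blocking rule explorer.exe Prevent mass mailing worms from sending mail 66.249.93.27
24/02/2007 1:50:58 p.m. Blocked by port blocking rule explorer.exe Prevent mass mailing worms from sending mail 194.67.23.20
24/02/2007 1:50:58 p.m. Blocked by port blocking rule explorer.exe Prevent mass mailing worms from sending mail 216.39.53.1
24/02/2007 1:50:58 p.m. Blocked by port blocking rule explorer.exe Prevent mass mailing worms from sending mail 209.85.135.27
"""

# Field layout assumed from the posted lines (the exact McAfee format is not
# documented on the page): date, 12-hour time with "a.m."/"p.m.", the literal
# "Blocked by port blocking rule", process name, rule name, destination IP.
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2}) (?P<ampm>[ap])\.m\. "
    r"Blocked by port blocking rule (?P<process>\S+) "
    r"(?P<rule>.+?) (?P<dest>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_events(text):
    """Turn log text into a list of events; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(
            f"{m['date']} {m['time']} {m['ampm'].upper()}M",
            "%d/%m/%Y %I:%M:%S %p",
        )
        events.append({"time": when, "process": m["process"],
                       "rule": m["rule"], "dest": m["dest"]})
    return events


def retry_interval(times, tolerance=timedelta(minutes=2)):
    """Common gap between consecutive distinct timestamps (one burst = all
    attempts sharing a timestamp), or None if the gaps are irregular or there
    are fewer than two bursts."""
    bursts = sorted(set(times))
    if len(bursts) < 2:
        return None
    gaps = [b - a for a, b in zip(bursts, bursts[1:])]
    if all(abs(g - gaps[0]) <= tolerance for g in gaps):
        return gaps[0]
    return None


def suspicious_mailers(text, min_attempts=3, min_destinations=2):
    """Per process: attempts, distinct mail servers contacted and the retry
    period. A process that should not send mail, hits several servers and
    comes back on a fixed schedule (hourly here) is the mass-mailer pattern
    the thread is chasing. The name is the host process McAfee saw; the
    thread's own hypothesis is that something loaded into explorer.exe is
    doing the sending, so the verdict is about the process, not the binary."""
    by_proc = defaultdict(lambda: {"attempts": 0, "dests": set(), "times": []})
    for ev in parse_events(text):
        rec = by_proc[ev["process"]]
        rec["attempts"] += 1
        rec["dests"].add(ev["dest"])
        rec["times"].append(ev["time"])

    findings = {}
    for proc, rec in by_proc.items():
        if rec["attempts"] < min_attempts or len(rec["dests"]) < min_destinations:
            continue
        period = retry_interval(rec["times"])
        findings[proc] = {
            "attempts": rec["attempts"],
            "distinct_destinations": len(rec["dests"]),
            "retry_interval_minutes": None if period is None else period.total_seconds() / 60,
            "periodic": period is not None,
        }
    return findings


if __name__ == "__main__":
    for proc, info in suspicious_mailers(SAMPLE_LOG).items():
        print(proc, info)
```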

#10 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  •  
  • Location:Ontario
  • Local time:11:48 PM

Posted 25 February 2007 - 04:14 AM

Hi

Sorry for delay. I got caught up in service calls.

Check properties of explorer.exe in windows folder & let me know modification date.
Also check in add/remove programs (do check "show updates")
Let me know if the install date of any of the listed Windows updates matches the date of your explorer.exe (SP2, for example).

C:\Windows\system32\dllcache\explorer.exe <--check properties. What are the creation and modification dates please?
Dllcache folder is hidden.

To show hidden files:

Reveal Hidden Files
  • Click Start.
  • Open My Computer.
  • Select the Tools menu.
  • Click Folder Options.
  • Select the View Tab.
  • Select Show hidden files and folders in the Hidden files and folders section.
  • Uncheck Hide protected operating system files (recommended) option.
  • Uncheck the Hide file extensions for known file types option.
  • Click Yes.
  • Click OK.


----------------------------------

Download Gmer from here:

http://www.gmer.net/gmer.zip

Unzip it.
Disconnect from internet & shut down Antivirus to prevent conflicts.
Shut down also any other unneeded apps including any open browser windows.
The less stuff we have running, the less chance of false positives in the log.
Double click gmer.exe to run it.
Allow driver to install if asked (gmer.sys)
You may get a warning at program start that there is possible rootkit activity and do you want to run a scan.

Say OK to run scan.
If no warning...just hit "scan"
Let the scan finish.
Once done press "copy"
Open notepad> press "ctrl+v" to paste log.
Save log.

Re-enable your antivirus, re-connect to internet & post that log here

If log is huge you can upload it here please:

http://www.bleepingcomputer.com/submit-mal....php?channel=19

Do include link please to this thread so I know who the log belongs to.

Thanks :thumbsup:
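The comparison Blender asks for by hand above (sizes, creation and modification dates, and whether a copy sits where explorer.exe belongs) can be scripted. This is an added example, not from the thread; it builds a constructed scenario in a temporary directory (a reference copy standing in for dllcache, an identical live copy, and a larger, newer stray copy in the root) so it runs anywhere, and on the real machine you would pass the three Windows paths to compare_copies instead.

```python
"""Compare copies of a system binary (explorer.exe in this thread) against a
reference copy by hash, size, modification time and location."""
import hashlib
import os
import tempfile
from datetime import datetime

# Directories where a legitimate explorer.exe lives on Windows XP; a copy
# anywhere else (such as C:\explorer.exe) is out of place.
EXPECTED_DIRS = {os.path.normcase(p) for p in
                 (r"C:\WINDOWS", r"C:\WINDOWS\system32\dllcache")}


def fingerprint(path):
    """Size, modification time and SHA-256 of one file."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return {"size": st.st_size,
            "modified": datetime.fromtimestamp(st.st_mtime),
            "sha256": h.hexdigest()}


def compare_copies(reference, candidates, expected_dirs=EXPECTED_DIRS):
    """For each candidate path: is it present, does its directory belong to the
    expected set, does it hash-match the reference, and how do its size and
    modification time differ from the reference."""
    ref = fingerprint(reference)
    report = {}
    for path in candidates:
        entry = {
            "present": os.path.isfile(path),
            "expected_location": os.path.normcase(os.path.dirname(path)) in expected_dirs,
        }
        if entry["present"]:
            fp = fingerprint(path)
            entry.update(
                matches_reference=fp["sha256"] == ref["sha256"],
                size_delta=fp["size"] - ref["size"],
                newer_than_reference=fp["modified"] > ref["modified"],
            )
        report[path] = entry
    return report


def demo():
    """Constructed scenario mirroring the thread: reference and live copies are
    identical and old, the stray copy in the root is larger and newer.
    Returns the report entries keyed by role."""
    root = tempfile.mkdtemp()
    windows = os.path.join(root, "windows")
    dllcache = os.path.join(windows, "system32", "dllcache")
    os.makedirs(dllcache)
    reference = os.path.join(dllcache, "explorer.exe")
    live = os.path.join(windows, "explorer.exe")
    stray = os.path.join(root, "explorer.exe")
    missing = os.path.join(root, "missing.exe")
    body = b"MZ" + b"\x00" * 1000  # constructed stand-in, not a real executable
    for path, data in ((reference, body), (live, body), (stray, body + b"!" * 64)):
        with open(path, "wb") as fh:
            fh.write(data)
    old, new = 1_000_000_000, 1_100_000_000  # arbitrary epoch seconds
    os.utime(reference, (old, old))
    os.utime(live, (old, old))
    os.utime(stray, (new, new))
    expected = {os.path.normcase(windows), os.path.normcase(dllcache)}
    report = compare_copies(reference, [live, stray, missing], expected)
    return {"live": report[live], "stray": report[stray], "missing": report[missing]}


if __name__ == "__main__":
    for role, entry in demo().items():
        print(role, entry)
```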



