Hi. I started another topic; I'm not sure people understood my last one.
I get redirected when I do a Google search to random sites like Info Sheet etc.
I used to use Spybot, but that and Norton went wrong at the same time and I have had nothing but trouble ever since. Here is my HijackThis log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:42:20, on 28/04/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\HP\KBD\KBD.EXE
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\b106d09e-674d-48f0-b96f-11c2af0132d0.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\b106d09e-674d-48f0-b96f-11c2af0132d0.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Encarta Search Bar - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {17D667BA-5675-4AAB-9221-08B9379384D4} (Image Uploader Control) - http://cdnimg.piczo.com/images/uploader/pi...st_uploader.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1191177426593
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1191488840656
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} (Image Uploader Control) - http://cdnimg.piczo.com/images/uploader/pi...st_uploader.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF5413F5-E0D5-421B-96BB-806F247AE1B6}: NameServer = 194.168.4.100
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
--
End of file - 11914 bytes
Please I hope someone can help. Otherwise it is a complete reinstall.
#1
Posted 28 April 2009 - 09:52 PM
#2
Posted 29 April 2009 - 03:10 AM
Hi and Welcome,
Please download ATF Cleaner by Atribune
- Close Internet Explorer and any other open browsers
- Double-click ATF-Cleaner.exe to run the program.
- Under Main choose: Select All
- Click the Empty Selected button.
- Click Firefox at the top and choose: Select All
- Click the Empty Selected button.
- NOTE: If you would like to keep your saved passwords, please click No at the prompt.
- Click Opera at the top and choose: Select All
- Click the Empty Selected button.
- NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
Download RootRepeal:
http://rootrepeal.go.../RootRepeal.zip
- Extract the archive to a folder you create such as C:\RootRepeal
- It is very important that you disable your Norton Antivirus now - before running a scan
- Double-click RootRepeal.exe to launch the program
- Click the "File" tab (located at the bottom of the RootRepeal screen)
- Click the "Scan" button
- In the popup dialog, check the drives to be scanned - making sure to check your primary operating system drive - normally C:
- Click OK and the file scan will begin
- When the scan is done, there will be files listed, and most if not all of them will be legitimate
- Click the "Save Report" Button
- Save the log file to your Documents folder
- Post the content of the RootRepeal file scan log in your next reply.
- Re-enable your Norton Antivirus
Remove MBAM from your system.
Then redownload the MBAM installer and rename it as you download it from mbam-setup.exe to bambisetup.exe
Note: You must rename the installer as you download it, not after it is on your computer.
You may have to modify your browser settings so you can rename as you download it. To do that:
For Firefox
- Click Tools -> Options -> Main
- Under the downloads section check the button that says "Always ask me where to save files".
- Click OK
For Internet Explorer:
- Choose to save, not open the file
- When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.
Now, double-click bambisetup.exe to install MBAM but do not update or run a scan.
Close it immediately once MBAM is installed.
Then rename "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" -> "C:\Program Files\Malwarebytes' Anti-Malware\newyork.exe"
- Now, launch MBAM by double-clicking newyork.exe in the MBAM folder.
- Select the Update tab -> Check for Updates
- After MBAM updates, select the Scanner tab.
- Select Perform quick scan, then click Scan.
- When the scan is complete, click OK -> Show Results to view the scan results.
- Check all items found, and then choose the 'Remove Selected' option to move the selected items to the quarantine.
- When the scan is done, a log will open in Notepad with the scan results. Please post the results in your next reply.
NOTE: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Download DDS and save it to your desktop from here

Disable any script blocking programs you may have installed (such as Norton script blocking), and then double-click dss.scr to run the tool.
- When done, DDS will open two (2) logs:
- DDS.txt
- Attach.txt
- Save both reports to your desktop
- Please copy and paste both logs into your next reply - do NOT attach them.
===============================================================
Please post the MBAM log, the RootRepeal log, the DDS scan reports (do NOT attach), and a new HJT log.
#3
Posted 29 April 2009 - 08:06 AM
negster22, on Apr 29 2009, 04:10 AM, said:
Please post the MBAM log, the RootRepeal log, the DDS scan reports (do NOT attach), and a new HJT log.
Thank you for getting back to me.
Here as requested.
RootRepeal log
ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/04/29 07:28
Program Version: Version 1.2.3.0
Windows Version: Windows XP Media Center Edition SP3
==================================================
Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!
Path: C:\WINDOWS\SchedLgU.Txt
Status: Allocation size mismatch (API: 32768, Raw: 4096)
Path: C:\WINDOWS\system32\gxvxccounter
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\gxvxcsvpijngwryhoblfrrrjgegftquoaypxm.dll
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\drivers\gxvxcewwcmpeojtkqtpmomsysamekxespkexl.sys
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl
Status: Allocation size mismatch (API: 8192, Raw: 4096)
Path: C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\volatile.DAT
Status: Allocation size mismatch (API: 4096, Raw: 288)
Now the MBAM log
Malwarebytes' Anti-Malware 1.36
Database version: 2057
Windows 5.1.2600 Service Pack 3
29/04/2009 07:42:05
mbam-log-2009-04-29 (07-42-05).txt
Scan type: Quick Scan
Objects scanned: 96268
Time elapsed: 2 minute(s), 54 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 11
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 6
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AntiVirus360Remover (Rogue.AntiVirus360Remover) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Documents and Settings\HP_Administrator\Application Data\AntiVirus360Remover (Rogue.AntiVirus360Remover) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AntiVirus360Remover\Log (Rogue.AntiVirus360Remover) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AntiVirus360Remover\Settings (Rogue.AntiVirus360Remover) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AntiVirus360Remover\rs.dat (Rogue.AntiVirus360Remover) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AntiVirus360Remover\Log\2009 Apr 22 - 09_49_51 PM_613.log (Rogue.AntiVirus360Remover) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\AntiVirus360Remover\Log\2009 Apr 22 - 09_50_06 PM_440.log (Rogue.AntiVirus360Remover) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\AntiVirus360Remover Scheduled Scan.job (Rogue.AntiVirus360Remover) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gxvxccounter (Trojan.DNSchanger) -> Quarantined and deleted successfully.
Then the DDS scan log
DDS (Ver_09-03-16.01) - NTFSx86
Run by HP_Administrator at 7:50:07.87 on 29/04/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2047.1313 [GMT 1:00]
AV: Norton Internet Security *On-access scanning enabled* (Updated)
FW: Norton Internet Security *enabled*
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
svchost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\b106d09e-674d-48f0-b96f-11c2af0132d0.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\msfeedssync.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr
============== Pseudo HJT Report ===============
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.5\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.5\CoIEPlg.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\b106d09e-674d-48f0-b96f-11c2af0132d0.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [PCDrProfiler]
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton internet security\osCheck.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [DMAScheduler] "c:\program files\hp digitalmedia archive\DMAScheduler.exe"
mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe
IE: Append to existing PDF
IE: Convert link target to Adobe PDF
IE: Convert link target to existing PDF
IE: Convert selected links to Adobe PDF
IE: Convert selected links to existing PDF
IE: Convert selection to Adobe PDF
IE: Convert selection to existing PDF
IE: Convert to Adobe PDF
IE: E&xport to Microsoft Excel
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {17D667BA-5675-4AAB-9221-08B9379384D4} - hxxp://cdnimg.piczo.com/images/uploader/piczo_fast_uploader.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191177426593
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1191488840656
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} - hxxp://cdnimg.piczo.com/images/uploader/piczo_fast_uploader.cab
DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
TCP: {DF5413F5-E0D5-421B-96BB-806F247AE1B6} = 194.168.4.100
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
============= SERVICES / DRIVERS ===============
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-1-26 149352]
R2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\ccProxy.exe [2008-2-18 214888]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-1-26 149352]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-1-26 149352]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-4-13 101936]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090428.039\NAVENG.SYS [2009-4-29 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090428.039\NAVEX15.SYS [2009-4-29 876144]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-13 23888]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2008-8-30 13352]
S3 PRODIGY;PRODIGY;c:\windows\system32\drivers\prodigy.sys [2008-6-29 32377]
S3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\drivers\OVCE.sys [2008-10-2 31872]
S3 s3117bus;Sony Ericsson Device 3117 driver (WDM);c:\windows\system32\drivers\s3117bus.sys [2008-8-23 90408]
S3 s3117mdfl;Sony Ericsson Device 3117 USB WMC Modem Filter;c:\windows\system32\drivers\s3117mdfl.sys [2008-8-23 15016]
S3 s3117mdm;Sony Ericsson Device 3117 USB WMC Modem Driver;c:\windows\system32\drivers\s3117mdm.sys [2008-8-23 122024]
S3 s3117mgmt;Sony Ericsson Device 3117 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s3117mgmt.sys [2008-8-23 115368]
S3 s3117nd5;Sony Ericsson Device 3117 USB Ethernet Emulation SEMC3117 (NDIS);c:\windows\system32\drivers\s3117nd5.sys [2008-8-23 25768]
S3 s3117obex;Sony Ericsson Device 3117 USB WMC OBEX Interface;c:\windows\system32\drivers\s3117obex.sys [2008-8-23 111784]
S3 s3117unic;Sony Ericsson Device 3117 USB Ethernet Emulation SEMC3117 (WDM);c:\windows\system32\drivers\s3117unic.sys [2008-8-23 117544]
S3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2009-4-13 1245064]
=============== Created Last 30 ================
2009-04-29 07:33 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\Malwarebytes
2009-04-29 07:31 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-29 07:31 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-29 07:31 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-29 07:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-29 07:09 0 a------- c:\documents and settings\hp_administrator\settings.dat
2009-04-26 19:30 <DIR> --d----- c:\program files\Trend Micro
2009-04-24 20:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-04-24 20:09 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-04-24 20:09 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\SUPERAntiSpyware.com
2009-04-24 20:09 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-04-24 02:16 <DIR> --d----- c:\program files\CCleaner
2009-04-23 13:27 2,660 a------- c:\windows\system32\tmp.reg
2009-04-22 19:35 <DIR> --d----- c:\program files\SystemRequirementsLab
2009-04-16 21:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PopCap
2009-04-15 18:19 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-15 18:19 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-04-15 18:18 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-04-15 18:18 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-04-15 18:18 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-04-15 18:18 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 18:18 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-04-15 18:18 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
2009-04-15 18:18 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
2009-04-15 18:18 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 18:18 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-04-13 08:35 <DIR> --d----- c:\documents and settings\all users\Symantec Temporary Files
2009-04-13 08:08 <DIR> --d----- c:\program files\Norton Internet Security
2009-04-13 08:07 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-04-13 08:07 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-04-13 08:07 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-04-13 08:07 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-04-13 08:07 <DIR> --d----- c:\program files\Symantec
2009-04-13 07:49 156 a------- c:\windows\Twunk001.MTX
2009-04-13 07:49 2 a------- c:\windows\Twain001.Mtx
2009-04-13 07:49 0 a------- c:\windows\Twunk002.MTX
2009-04-13 05:54 <DIR> --d----- c:\windows\LMI1.tmp
2009-04-13 03:20 <DIR> --d----- c:\windows\LMI36.tmp
2009-04-13 01:24 <DIR> --d----- c:\windows\LMI12.tmp
2009-04-13 01:20 <DIR> --d----- c:\windows\LMI11.tmp
2009-04-13 00:06 <DIR> --d----- c:\windows\LMI4C.tmp
2009-04-12 22:30 <DIR> --d----- c:\windows\LMI3D.tmp
2009-04-12 19:23 <DIR> --d----- c:\windows\LMI34.tmp
2009-04-12 19:10 <DIR> --d----- c:\windows\LMI33.tmp
==================== Find3M ====================
2009-04-29 07:45 12,409 a------- c:\windows\system32\tablet.dat
2009-03-21 15:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-06 15:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-03 01:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-03 01:18 826,368 a------- c:\windows\system32\dllcache\wininet.dll
2009-03-01 05:38 117,092 a------- c:\windows\hpoins11.dat
2009-02-28 05:54 636,072 a------- c:\windows\system32\dllcache\iexplore.exe
2009-02-20 11:20 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 11:20 13,824 a------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 06:14 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2009-02-19 14:03 579,464 a------- c:\windows\system32\SymNeti.dll
2009-02-19 14:03 207,240 a------- c:\windows\system32\SymRedir.dll
2009-02-09 13:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 13:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 13:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 13:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 12:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 12:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-07 19:02 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 12:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 12:08 2,189,056 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 12:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 12:06 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 11:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 11:39 35,328 a------- c:\windows\system32\dllcache\sc.exe
2009-02-06 11:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:32 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-03 20:59 56,832 a------- c:\windows\system32\secur32.dll
2009-02-03 20:59 56,832 -------- c:\windows\system32\dllcache\secur32.dll
2008-07-14 10:55 308,600 a------- c:\docume~1\alluse~1\applic~1\NortonProtectionMemo.exe
2004-08-10 05:00 94,784 a--sh--- c:\windows\twain.dll
2008-04-14 01:12 50,688 a--sh--- c:\windows\twain_32.dll
2007-01-07 12:19 22 a--sh--- c:\windows\sminst\HPCD.SYS
2008-04-14 01:11 1,028,096 a--sh--- c:\windows\system32\mfc42.dll
2008-04-14 01:12 57,344 a--sh--- c:\windows\system32\msvcirt.dll
2008-04-14 01:12 413,696 a--sh--- c:\windows\system32\msvcp60.dll
2008-04-14 01:12 343,040 a--sh--- c:\windows\system32\msvcrt.dll
2008-04-14 01:12 551,936 a--sh--- c:\windows\system32\oleaut32.dll
2008-04-14 01:12 84,992 a--sh--- c:\windows\system32\olepro32.dll
2008-04-14 01:12 11,776 a--sh--- c:\windows\system32\regsvr32.exe
2008-05-13 23:41 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051320080514\index.dat
============= FINISH: 7:50:55.73 ===============
Then the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:53:02, on 29/04/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\b106d09e-674d-48f0-b96f-11c2af0132d0.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\b106d09e-674d-48f0-b96f-11c2af0132d0.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Encarta Search Bar - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {17D667BA-5675-4AAB-9221-08B9379384D4} (Image Uploader Control) - http://cdnimg.piczo.com/images/uploader/pi...st_uploader.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1191177426593
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1191488840656
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} (Image Uploader Control) - http://cdnimg.piczo.com/images/uploader/pi...st_uploader.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF5413F5-E0D5-421B-96BB-806F247AE1B6}: NameServer = 194.168.4.100
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
--
End of file - 11712 bytes
And the attached file is zipped and attached as stated.
Thank you again.
And please can you tell me what these nasty little monsters did.
Dee
#4
Posted 29 April 2009 - 04:27 PM
Thanks for following directions so well. 
You have a rootkit DNS hijacker.
Relaunch RootRepeal
* Double-click RootRepeal.exe to launch the program (Vista users should right-click and select "Run as Administrator").
* Click the "Driver" tab (located at the bottom of the RootRepeal screen)
* Click the "Scan" button
* Click OK and the Driver scan will begin
* When the scan is done, there will be drivers listed, but most if not all of them will be legitimate
* Hidden drivers will bear a "File Visible: No" label and this is what we are looking for (note: some hidden drivers may be legit)
* If the following hidden driver is listed, or a similar gxxx.SYS file that begins with a "g" and has a ridiculously long name, select it - then right-click the driver and choose "Wipe file"
C:\WINDOWS\system32\drivers\gxvxcewwcmpeojtkqtpmomsysamekxespkexl.sys
* Click the "Save Report" button
* Save the log file to your Documents folder as RRDrivers4-20-09.txt
* Post the content of the RootRepeal driver scan log in your next reply.
If you were unable to locate the malicious driver using a driver scan with RootRepeal, try doing the longer file system scan like you did before:
- Double-click RootRepeal.exe to launch the program (Vista users should right-click and select "Run as Administrator").
- Click the "File" tab (located at the bottom of the RootRepeal screen)
- Click the "Scan" button
- In the popup dialog, check the drives to be scanned - making sure to check your primary operating system drive - normally C:
- Click OK and the file scan will begin
- When the scan is done, there will be files listed, but most if not all of them will be legitimate
- Click the "Save Report" Button
- Save the log file to your Documents folder
- Post the content of the RootRepeal file scan log in your next reply.
Reboot immediately if you did the wipe file operation. If not, just move on to the next step.
Perform an updated MBAM scan, only if you were able to locate and wipe the malicious driver (SYS file).
Post the RootRepeal log and the MBAM scan report as soon as you get them.
Please download Combofix from one of these locations:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
I want you to rename Combofix.exe as you download it to a name of your choice, such as springishere.exe
Notes:
* It is very important that you save the newly renamed EXE file to your desktop.
* You must rename Combofix.exe as you download it and not after it is on your computer.
You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
o Open Firefox
o Click Tools -> Options -> Main
o Under the downloads section check the button that says "Always ask me where to save files".
o Click OK
* For Internet Explorer:
o Choose to save, not open the file
o When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.
Here is a tutorial that describes how to download, install and run Combofix more thoroughly. Please review it and follow the prompts to install Recovery Console if you have not done that already:
http://www.bleepingc...to-use-combofix
Very Important! Temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:
http://www.bleepingc...opic114351.html
Note: The above tutorial does not tell you to rename Combofix as I have instructed you to do in the following instructions, so make sure you complete the renaming step before launching Combofix.
Running Combofix
In the event you already have Combofix, please delete it as this is a new version.
* Close any open browsers.
* Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
1. Double-click on the renamed combofix.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply with a new hijackthis log.
Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to stall/hang. Do not proceed with the rest of the fix if you fail to run ComboFix.
Please post a new MBAM log, C:\ComboFix.txt and the RootRepeal log in your next reply.
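The two things the helper above is checking by hand are the DNS resolver written into the Tcpip service key (the DDS "TCP:" line and the HijackThis O17 line) and a hidden driver whose file name is a long run of random letters. The following script is an added example for this thread, not code from RootRepeal, ComboFix, HijackThis or anyone in the discussion: it pulls every NameServer value out of log text so it can be compared with the resolvers you expect on that network (the allowlist is an assumption you fill in from your router or ISP; the example does not judge the address in the logs itself), and it flags .sys/.dll names that look machine-generated, using the shape of the g*.sys driver named above as the pattern. The sample log lines inside it are constructed, copied in shape from the logs posted in this thread.

```python
"""Triage helper for HijackThis / DDS / ComboFix style text logs.

Added example for this thread (not part of any of the tools it mentions).
It reports two things for a human to review:
  1. every DNS NameServer value the logs mention, and which of them are not
     in the caller's allowlist of expected resolvers;
  2. .sys/.dll names that look generated rather than chosen by a developer
     (long, separator-free runs of lowercase letters), which is the shape
     of the hidden g*.sys driver discussed above.
"""
import re

# Constructed sample lines, in the shape of the logs posted in the thread.
SAMPLE_LOG = r"""
TCP: {DF5413F5-E0D5-421B-96BB-806F247AE1B6} = 194.168.4.100
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF5413F5-E0D5-421B-96BB-806F247AE1B6}: NameServer = 194.168.4.100
2009-04-29 07:31 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
c:\windows\system32\drivers\gxvxcewwcmpeojtkqtpmomsysamekxespkexl.sys
c:\windows\system32\gxvxcsvpijngwryhoblfrrrjgegftquoaypxm.dll
-------\Service_GXVXCSERV.SYS
"""

# HijackThis O17 lines carry "NameServer = a.b.c.d[,e.f.g.h]"; DDS writes
# the same registry value as "TCP: {interface GUID} = a.b.c.d".
O17_RE = re.compile(r"NameServer\s*=\s*(.+)$")
DDS_TCP_RE = re.compile(r"^TCP:\s*\{[0-9A-Fa-f-]+\}\s*=\s*(.+)$")

# A module reference: file stem followed by .sys or .dll (any case).
MODULE_RE = re.compile(r"([A-Za-z0-9_-]+)\.(sys|dll)\b", re.IGNORECASE)


def nameservers(lines):
    """Return the set of resolver addresses the log says are configured."""
    found = set()
    for line in lines:
        match = O17_RE.search(line) or DDS_TCP_RE.match(line)
        if match:
            for addr in re.split(r"[,\s]+", match.group(1).strip()):
                if addr:
                    found.add(addr)
    return found


def looks_generated(stem):
    """Heuristic for machine-generated module names.

    Real driver names are short or carry structure (digits, underscores,
    vendor prefixes); the hidden driver in this thread is 37 unbroken
    lowercase letters.  Thresholds (length >= 20, >= 12 distinct letters)
    are an assumption chosen for this example.
    """
    stem = stem.lower()
    return len(stem) >= 20 and stem.isalpha() and len(set(stem)) >= 12


def suspicious_modules(lines):
    """Return sorted unique .sys/.dll names that look generated."""
    hits = set()
    for line in lines:
        for stem, ext in MODULE_RE.findall(line):
            if looks_generated(stem):
                hits.add(f"{stem}.{ext}")
    return sorted(hits)


def triage(log_text, expected_resolvers):
    """Summarise one log: resolvers seen, resolvers not on the allowlist,
    and module names worth a second look."""
    lines = [line for line in log_text.splitlines() if line.strip()]
    found = nameservers(lines)
    return {
        "nameservers": sorted(found),
        "unexpected_nameservers": sorted(found - set(expected_resolvers)),
        "generated_looking_modules": suspicious_modules(lines),
    }


if __name__ == "__main__":
    # Assumption for the demo: the only resolver this network should hand
    # out is the router at 192.168.1.1.  Replace with what your ISP/router
    # actually uses before reading anything into "unexpected".
    report = triage(SAMPLE_LOG, expected_resolvers={"192.168.1.1"})
    for key, values in report.items():
        print(f"{key}:")
        for value in values:
            print("   ", value)
```

Feed it the saved text of a DDS, HijackThis or ComboFix log instead of SAMPLE_LOG; an unexpected NameServer is only a lead, since the address must be checked against what the router and ISP legitimately hand out, while a generated-looking module name under system32 is the thing to carry into the RootRepeal driver scan described above.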
#5
Posted 29 April 2009 - 07:11 PM
negster22, on Apr 29 2009, 05:27 PM, said:
Hi,
Read some other posts and, while I was waiting, I ran malware in safe mode, full scan, and it found some more, a trojan.DNSchanger, and it got rid of that.
I then uninstalled my Nortons, ran CCleaner twice and the Nortons removal tool, all while off the internet.
Then I ran ComboFix; here is the log.
ComboFix 09-04-25.01 - HP_Administrator 29/04/2009 14:54.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2047.1616 [GMT 1:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\HP_Administrator\Application Data\Microsoft\SystemCertificates\Request
c:\windows\system32\drivers\gxvxcewwcmpeojtkqtpmomsysamekxespkexl.sys
c:\windows\system32\gxvxcsvpijngwryhoblfrrrjgegftquoaypxm.dll
c:\windows\system32\mdm.exe
c:\windows\system32\tmp.reg
D:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_GXVXCSERV.SYS
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-29 )))))))))))))))))))))))))))))))
.
2009-04-29 12:58 . 2009-04-29 12:58 256 ----a-w c:\documents and settings\All Users\Application Data\Symantec.zip
2009-04-29 10:08 . 2009-04-29 10:08 -------- d-----w c:\documents and settings\All Users\Application Data\PCSettings
2009-04-29 06:33 . 2009-04-29 06:33 -------- d-----w c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2009-04-29 06:31 . 2009-04-06 14:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-29 06:31 . 2009-04-06 14:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-29 06:31 . 2009-04-29 06:33 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-29 06:31 . 2009-04-29 06:31 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-29 06:09 . 2009-04-29 06:09 0 ----a-w c:\documents and settings\HP_Administrator\settings.dat
2009-04-26 20:43 . 2009-04-26 20:45 -------- d-----w c:\documents and settings\Deanna & Kira\dont touch
2009-04-26 18:30 . 2009-04-26 18:30 -------- d-----w c:\program files\Trend Micro
2009-04-24 19:15 . 2009-04-24 19:15 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-24 19:09 . 2009-04-26 21:35 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-24 19:09 . 2009-04-24 19:09 -------- d-----w c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
2009-04-24 19:09 . 2009-04-24 19:09 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-24 01:16 . 2009-04-24 01:16 -------- d-----w c:\program files\CCleaner
2009-04-22 18:35 . 2009-04-22 18:35 -------- d-----w c:\program files\SystemRequirementsLab
2009-04-16 20:15 . 2009-04-16 20:15 -------- d-----w c:\documents and settings\All Users\Application Data\PopCap
2009-04-15 17:19 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 17:19 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-15 17:18 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-15 17:18 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 17:18 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-15 17:18 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 17:18 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 17:18 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 17:18 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 17:18 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 17:18 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-13 06:49 . 2009-04-13 06:49 2 ----a-w c:\windows\Twain001.Mtx
2009-04-13 06:49 . 2009-04-13 06:49 156 ----a-w c:\windows\Twunk001.MTX
2009-04-13 06:49 . 2009-04-13 06:49 0 ----a-w c:\windows\Twunk002.MTX
2009-04-13 04:54 . 2009-04-13 08:25 -------- d-----w c:\windows\LMI1.tmp
2009-04-13 02:20 . 2009-04-13 03:40 -------- d-----w c:\windows\LMI36.tmp
2009-04-13 00:24 . 2009-04-13 02:35 -------- d-----w c:\windows\LMI12.tmp
2009-04-13 00:20 . 2009-04-13 02:35 -------- d-----w c:\windows\LMI11.tmp
2009-04-12 23:06 . 2009-04-13 02:35 -------- d-----w c:\windows\LMI4C.tmp
2009-04-12 21:30 . 2009-04-13 02:35 -------- d-----w c:\windows\LMI3D.tmp
2009-04-12 20:12 . 2009-04-12 20:12 -------- d-----w c:\documents and settings\HP_Administrator\Local Settings\Application Data\Symantec
2009-04-12 18:23 . 2009-04-12 18:23 -------- d-----w c:\windows\LMI34.tmp
2009-04-12 18:10 . 2009-04-12 18:10 -------- d-----w c:\windows\LMI33.tmp
2009-04-11 10:39 . 2009-04-11 10:39 -------- d-----w c:\documents and settings\Administrator\Application Data\Share-to-Web Upload Folder
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-29 13:53 . 2007-11-11 14:27 12409 ----a-w c:\windows\system32\tablet.dat
2009-04-29 12:32 . 2006-08-31 13:37 -------- d-----w c:\documents and settings\All Users\Application Data\Symante.old
2009-04-29 12:08 . 2006-08-31 13:37 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-24 19:15 . 2008-03-26 02:20 34010 ----a-w C:\mombi.log
2009-04-24 18:47 . 2006-08-31 13:33 -------- d-----w c:\program files\Google
2009-04-23 12:32 . 2009-04-23 12:27 1767 ----a-w C:\rapport.txt
2009-04-13 07:21 . 2009-04-13 06:43 13631488 ----a-w c:\documents and settings\HP_Administrator\NTUSER.LMIRescue.TMP
2009-04-13 05:04 . 2009-04-13 00:51 261367 ----a-w C:\vrq.log
2009-04-12 22:37 . 2007-09-30 21:28 -------- d-----w c:\program files\Lavasoft
2009-04-12 17:06 . 2008-01-22 17:13 -------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-04-09 21:05 . 2008-08-23 18:42 -------- d-----w c:\program files\Avanquest update
2009-03-21 14:06 . 2009-03-21 14:06 989696 ------w c:\windows\system32\dllcache\kernel32.dll
2009-03-06 14:22 . 2004-08-10 04:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-10 04:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-03-03 00:18 . 2004-08-10 04:00 826368 ----a-w c:\windows\system32\dllcache\wininet.dll
2009-03-01 04:50 . 2008-03-25 15:33 -------- d-----w c:\documents and settings\HP_Administrator\Application Data\HP
2009-03-01 04:38 . 2009-03-01 04:01 117092 ----a-w c:\windows\hpoins11.dat
2009-03-01 04:36 . 2007-11-27 22:40 391256 ----a-w c:\documents and settings\HP_Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-01 04:25 . 2009-03-01 04:23 -------- d-----w c:\program files\Common Files\HP
2009-03-01 03:30 . 2006-08-31 13:00 -------- d-----w c:\program files\Common Files\Sonic Shared
2009-03-01 03:26 . 2006-08-31 13:18 -------- d-----w c:\program files\Hewlett-Packard
2009-03-01 00:33 . 2006-08-31 12:38 -------- d-----w c:\program files\Java
2009-02-28 04:54 . 2004-08-10 04:00 636072 ----a-w c:\windows\system32\dllcache\iexplore.exe
2009-02-20 10:20 . 2007-06-27 08:27 13824 ----a-w c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 10:20 . 2004-08-10 04:00 70656 ----a-w c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 05:14 . 2004-08-10 04:00 161792 ----a-w c:\windows\system32\dllcache\ieakui.dll
2009-02-09 12:10 . 2004-08-10 04:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-10 11:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-10 04:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-10 04:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2008-10-15 07:32 1846784 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-09 11:13 . 2004-08-10 04:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-07 18:02 . 2008-10-15 08:11 2066048 ------w c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 11:11 . 2004-08-10 04:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2008-10-15 08:11 2189056 ------w c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 11:06 . 2008-10-15 08:11 2145280 ------w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 11:06 . 2004-08-10 04:00 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-10 04:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:39 . 2004-08-10 04:00 35328 ----a-w c:\windows\system32\dllcache\sc.exe
2009-02-06 10:32 . 2008-10-15 08:11 2023936 ------w c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-06 10:32 . 2004-08-10 11:00 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2009-02-03 19:59 56832 ------w c:\windows\system32\dllcache\secur32.dll
2009-02-03 19:59 . 2004-08-10 04:00 56832 ----a-w c:\windows\system32\secur32.dll
2008-10-18 12:12 . 2008-01-20 16:38 391256 ----a-w c:\documents and settings\Kira & Deanna\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-07-14 09:55 . 2008-07-15 19:21 308600 ----a-w c:\documents and settings\All Users\Application Data\NortonProtectionMemo.exe
2007-11-16 21:50 . 2007-09-30 16:33 139 ----a-w c:\documents and settings\HP_Administrator\Local Settings\Application Data\fusioncache.dat
2006-08-31 12:33 . 2007-10-02 18:43 136 ----a-w c:\documents and settings\Kira & Deanna\Local Settings\Application Data\fusioncache.dat
2006-08-31 12:33 . 2006-08-31 12:33 136 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2004-08-10 04:00 . 2004-08-10 04:00 94784 --sha-w c:\windows\twain.dll
2008-04-14 00:12 . 2004-08-10 04:00 50688 --sha-w c:\windows\twain_32.dll
2007-01-07 11:19 . 2007-10-01 00:10 22 --sha-w c:\windows\SMINST\HPCD.SYS
2008-04-14 00:11 . 2004-08-10 04:00 1028096 --sha-w c:\windows\system32\mfc42.dll
2008-04-14 00:12 . 2004-08-10 04:00 57344 --sha-w c:\windows\system32\msvcirt.dll
2008-04-14 00:12 . 2004-08-10 04:00 413696 --sha-w c:\windows\system32\msvcp60.dll
2008-04-14 00:12 . 2004-08-10 04:00 343040 --sha-w c:\windows\system32\msvcrt.dll
2008-04-14 00:12 . 2004-08-10 04:00 551936 --sha-w c:\windows\system32\oleaut32.dll
2008-04-14 00:12 . 2004-08-10 04:00 84992 --sha-w c:\windows\system32\olepro32.dll
2008-04-14 00:12 . 2004-08-10 04:00 11776 --sha-w c:\windows\system32\regsvr32.exe
2008-05-13 22:41 . 2008-05-13 22:43 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008051320080514\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\b106d09e-674d-48f0-b96f-11c2af0132d0.exe" [2009-03-23 1830128]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-15 136600]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-08-31 180269]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-03-20 90112]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2007-10-25 16855552]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-10-07 1630208]
"ftutil2"="ftutil2.dll" - c:\windows\system32\ftutil2.dll [2004-06-07 106496]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" - c:\windows\arpwrmsg.exe [2005-08-02 77312]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"aawservice"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
R3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\DRIVERS\ggflt.sys [2008-08-30 13352]
R3 PRODIGY;PRODIGY;c:\windows\system32\Drivers\PRODIGY.SYS [2006-08-29 32377]
R3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\DRIVERS\OVCE.sys [2001-08-17 31872]
R3 s3117bus;Sony Ericsson Device 3117 driver (WDM);c:\windows\system32\DRIVERS\s3117bus.sys [2008-05-12 90408]
R3 s3117mdfl;Sony Ericsson Device 3117 USB WMC Modem Filter;c:\windows\system32\DRIVERS\s3117mdfl.sys [2008-05-12 15016]
R3 s3117mdm;Sony Ericsson Device 3117 USB WMC Modem Driver;c:\windows\system32\DRIVERS\s3117mdm.sys [2008-05-12 122024]
R3 s3117mgmt;Sony Ericsson Device 3117 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\s3117mgmt.sys [2008-05-12 115368]
R3 s3117nd5;Sony Ericsson Device 3117 USB Ethernet Emulation SEMC3117 (NDIS);c:\windows\system32\DRIVERS\s3117nd5.sys [2008-05-12 25768]
R3 s3117obex;Sony Ericsson Device 3117 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\s3117obex.sys [2008-05-12 111784]
R3 s3117unic;Sony Ericsson Device 3117 USB Ethernet Emulation SEMC3117 (WDM);c:\windows\system32\DRIVERS\s3117unic.sys [2008-05-12 117544]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e9c09570-9871-11dc-841b-0016ecc4b98e}]
\Shell\AutoRun\command - k:\.pspware\PSPWareLauncher.exe
.
Contents of the 'Scheduled Tasks' folder
2009-04-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2009-04-29 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
2009-04-29 c:\windows\Tasks\User_Feed_Synchronization-{E92EE590-C798-45FD-80D7-0A3611D0DC12}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 10:58]
.
- - - - ORPHANS REMOVED - - - -
ShellIconOverlayIdentifiers-{E4000AC4-5E5F-4956-807A-C5854405D64F} - %SystemRoot%\system32\VirtualExpander\VEShellExt.dll
HKLM-Run-PCDrProfiler - (no file)
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF
IE: Convert link target to Adobe PDF
IE: Convert link target to existing PDF
IE: Convert selected links to Adobe PDF
IE: Convert selected links to existing PDF
IE: Convert selection to Adobe PDF
IE: Convert selection to existing PDF
IE: Convert to Adobe PDF
IE: E&xport to Microsoft Excel
TCP: {DF5413F5-E0D5-421B-96BB-806F247AE1B6} = 194.168.4.100
DPF: {17D667BA-5675-4AAB-9221-08B9379384D4} - hxxp://cdnimg.piczo.com/images/uploader/piczo_fast_uploader.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-29 14:58
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(516)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-04-29 15:01
ComboFix-quarantined-files.txt 2009-04-29 14:01
Pre-Run: 29,947,797,504 bytes free
Post-Run: 30,849,449,984 bytes free
263 --- E O F --- 2009-04-27 17:08
It found the file you mentioned.
Ran Malwarebytes again. Great programme, by the way.
Malwarebytes' Anti-Malware 1.36
Database version: 2058
Windows 5.1.2600 Service Pack 3
29/04/2009 14:21:43
mbam-log-2009-04-29 (14-21-43).txt
Scan type: Quick Scan
Objects scanned: 93810
Time elapsed: 16 minute(s), 14 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\gxvxccounter (Trojan.DNSchanger) -> Quarantined and deleted successfully.
New scan:
Malwarebytes' Anti-Malware 1.36
Database version: 2058
Windows 5.1.2600 Service Pack 3
29/04/2009 16:42:53
mbam-log-2009-04-29 (16-42-53).txt
Scan type: Quick Scan
Objects scanned: 94130
Time elapsed: 2 minute(s), 58 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Reinstalled Norton; it now works and updates.
Did a scan with that and it found 2 trojans in the restore points. Cleaned them out.
Will post another RootRepeal log next...
#6
Posted 29 April 2009 - 07:53 PM
Quoting denisedee (Apr 29 2009, 08:11 PM, post 77176), who quoted negster22 (Apr 29 2009, 05:27 PM, post 77119):
Hi here are the rest of the logs. Thank you.
ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/04/29 20:39
Program Version: Version 1.2.3.0
Windows Version: Windows XP Media Center Edition SP3
==================================================
Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!
Path: C:\Documents and Settings\HP_Administrator\Local Settings\temp\Perflib_Perfdata_e40.dat
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl
Status: Allocation size mismatch (API: 8192, Raw: 4096)
Path: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090429.003\EraserUtilRebootDrv.sys
Status: Locked to the Windows API!
ComboFix 09-04-25.01 - HP_Administrator 29/04/2009 20:40.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2047.1471 [GMT 1:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated)
FW: Norton Internet Security *enabled*
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-29 )))))))))))))))))))))))))))))))
.
2009-04-29 19:18 . 2009-04-29 19:18 -------- d-sh--w c:\documents and settings\HP_Administrator\IETldCache
2009-04-29 18:28 . 2009-04-29 18:28 -------- d-----w c:\windows\ie8updates
2009-04-29 18:27 . 2009-02-28 04:55 105984 ------w c:\windows\system32\dllcache\iecompat.dll
2009-04-29 18:27 . 2009-04-29 18:27 1374 ----a-w c:\windows\imsins.BAK
2009-04-29 18:24 . 2009-04-29 18:27 -------- dc-h--w c:\windows\ie8
2009-04-29 16:03 . 2009-04-29 16:03 -------- d-----r c:\program files\Norton Support
2009-04-29 15:54 . 2009-04-29 15:54 -------- d-----w c:\documents and settings\All Users\Symantec Temporary Files
2009-04-29 15:51 . 2009-04-29 15:51 36400 ----a-r c:\windows\system32\drivers\SymIM.sys
2009-04-29 15:51 . 2009-04-29 15:51 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-04-29 15:51 . 2009-04-29 15:51 7386 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-04-29 15:51 . 2009-04-29 15:51 60808 ----a-w c:\windows\system32\S32EVNT1.DLL
2009-04-29 15:51 . 2009-04-29 15:51 124464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-04-29 15:51 . 2009-04-29 15:51 -------- d-----w c:\program files\Symantec
2009-04-29 15:50 . 2009-04-29 15:50 -------- d-----w c:\windows\system32\drivers\NIS
2009-04-29 15:50 . 2009-04-29 15:55 -------- d-----w c:\program files\Norton Internet Security
2009-04-29 15:50 . 2009-04-29 15:50 -------- d-----w c:\program files\Windows Sidebar
2009-04-29 15:50 . 2009-04-29 15:50 -------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-04-29 15:50 . 2009-04-29 15:51 -------- d-----w c:\documents and settings\All Users\Application Data\Norton
2009-04-29 15:50 . 2009-04-29 15:55 -------- d-----w c:\documents and settings\All Users\Application Data\NortonInstaller
2009-04-29 15:50 . 2009-04-29 15:50 -------- d-----w c:\program files\NortonInstaller
2009-04-29 15:44 . 2009-04-29 15:46 131674 ----a-w C:\MGlogs.zip
2009-04-29 15:43 . 2009-04-29 15:46 -------- d-----w C:\MGtools
2009-04-29 12:58 . 2009-04-29 12:58 256 ----a-w c:\documents and settings\All Users\Application Data\Symantec.zip
2009-04-29 10:08 . 2009-04-29 10:08 -------- d-----w c:\documents and settings\All Users\Application Data\PCSettings
2009-04-29 06:33 . 2009-04-29 06:33 -------- d-----w c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2009-04-29 06:31 . 2009-04-06 14:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-29 06:31 . 2009-04-06 14:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-29 06:31 . 2009-04-29 06:33 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-29 06:31 . 2009-04-29 06:31 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-29 06:09 . 2009-04-29 06:09 0 ----a-w c:\documents and settings\HP_Administrator\settings.dat
2009-04-26 20:43 . 2009-04-26 20:45 -------- d-----w c:\documents and settings\Deanna & Kira\dont touch
2009-04-26 18:30 . 2009-04-26 18:30 -------- d-----w c:\program files\Trend Micro
2009-04-24 19:15 . 2009-04-24 19:15 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-24 19:09 . 2009-04-26 21:35 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-24 19:09 . 2009-04-24 19:09 -------- d-----w c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
2009-04-24 19:09 . 2009-04-24 19:09 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-24 01:16 . 2009-04-24 01:16 -------- d-----w c:\program files\CCleaner
2009-04-22 18:35 . 2009-04-22 18:35 -------- d-----w c:\program files\SystemRequirementsLab
2009-04-16 20:15 . 2009-04-16 20:15 -------- d-----w c:\documents and settings\All Users\Application Data\PopCap
2009-04-15 17:19 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 17:19 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-15 17:18 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-15 17:18 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 17:18 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-15 17:18 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 17:18 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 17:18 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 17:18 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 17:18 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 17:18 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-13 06:49 . 2009-04-13 06:49 2 ----a-w c:\windows\Twain001.Mtx
2009-04-13 06:49 . 2009-04-13 06:49 156 ----a-w c:\windows\Twunk001.MTX
2009-04-13 06:49 . 2009-04-13 06:49 0 ----a-w c:\windows\Twunk002.MTX
2009-04-13 04:54 . 2009-04-13 08:25 -------- d-----w c:\windows\LMI1.tmp
2009-04-13 02:20 . 2009-04-13 03:40 -------- d-----w c:\windows\LMI36.tmp
2009-04-13 00:24 . 2009-04-13 02:35 -------- d-----w c:\windows\LMI12.tmp
2009-04-13 00:20 . 2009-04-13 02:35 -------- d-----w c:\windows\LMI11.tmp
2009-04-12 23:06 . 2009-04-13 02:35 -------- d-----w c:\windows\LMI4C.tmp
2009-04-12 21:30 . 2009-04-13 02:35 -------- d-----w c:\windows\LMI3D.tmp
2009-04-12 20:12 . 2009-04-12 20:12 -------- d-----w c:\documents and settings\HP_Administrator\Local Settings\Application Data\Symantec
2009-04-12 18:23 . 2009-04-12 18:23 -------- d-----w c:\windows\LMI34.tmp
2009-04-12 18:10 . 2009-04-12 18:10 -------- d-----w c:\windows\LMI33.tmp
2009-04-11 10:39 . 2009-04-11 10:39 -------- d-----w c:\documents and settings\Administrator\Application Data\Share-to-Web Upload Folder
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-29 19:18 . 2007-11-11 14:27 12409 ----a-w c:\windows\system32\tablet.dat
2009-04-29 16:01 . 2006-08-31 13:37 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-29 12:32 . 2006-08-31 13:37 -------- d-----w c:\documents and settings\All Users\Application Data\Symante.old
2009-04-24 19:15 . 2008-03-26 02:20 34010 ----a-w C:\mombi.log
2009-04-24 18:47 . 2006-08-31 13:33 -------- d-----w c:\program files\Google
2009-04-23 12:32 . 2009-04-23 12:27 1767 ----a-w C:\rapport.txt
2009-04-13 07:21 . 2009-04-13 06:43 13631488 ----a-w c:\documents and settings\HP_Administrator\NTUSER.LMIRescue.TMP
2009-04-13 05:04 . 2009-04-13 00:51 261367 ----a-w C:\vrq.log
2009-04-12 22:37 . 2007-09-30 21:28 -------- d-----w c:\program files\Lavasoft
2009-04-12 17:06 . 2008-01-22 17:13 -------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-04-09 21:05 . 2008-08-23 18:42 -------- d-----w c:\program files\Avanquest update
2009-03-21 14:06 . 2009-03-21 14:06 989696 ------w c:\windows\system32\dllcache\kernel32.dll
2009-03-08 13:09 . 2004-08-10 04:00 638816 ----a-w c:\windows\system32\dllcache\iexplore.exe
2009-03-08 13:09 . 2004-08-10 04:00 391536 ----a-w c:\windows\system32\dllcache\iedkcs32.dll
2009-03-08 03:41 . 2004-08-10 04:00 5937152 ----a-w c:\windows\system32\dllcache\mshtml.dll
2009-03-08 03:39 . 2007-06-27 14:34 11063808 ----a-w c:\windows\system32\dllcache\ieframe.dll
2009-03-08 03:34 . 2004-08-10 04:00 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 03:34 . 2004-08-10 04:00 914944 ----a-w c:\windows\system32\dllcache\wininet.dll
2009-03-08 03:34 . 2004-08-10 04:00 1206784 ----a-w c:\windows\system32\dllcache\urlmon.dll
2009-03-08 03:34 . 2004-08-10 04:00 236544 ----a-w c:\windows\system32\dllcache\webcheck.dll
2009-03-08 03:34 . 2004-08-10 04:00 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 03:34 . 2004-08-10 04:00 43008 ----a-w c:\windows\system32\dllcache\licmgr10.dll
2009-03-08 03:34 . 2004-08-10 04:00 105984 ----a-w c:\windows\system32\dllcache\url.dll
2009-03-08 03:34 . 2004-08-10 04:00 193536 ----a-w c:\windows\system32\dllcache\msrating.dll
2009-03-08 03:34 . 2004-08-10 04:00 109568 ----a-w c:\windows\system32\dllcache\occache.dll
2009-03-08 03:33 . 2004-08-10 04:00 759296 ----a-w c:\windows\system32\dllcache\VGX.dll
2009-03-08 03:33 . 2009-03-08 03:33 18944 ------w c:\windows\system32\dllcache\corpol.dll
2009-03-08 03:33 . 2004-08-10 04:00 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 03:33 . 2004-08-10 04:00 25600 ----a-w c:\windows\system32\dllcache\jsproxy.dll
2009-03-08 03:33 . 2008-05-09 10:53 726528 ----a-w c:\windows\system32\dllcache\jscript.dll
2009-03-08 03:33 . 2004-08-10 04:00 229376 ----a-w c:\windows\system32\dllcache\ieaksie.dll
2009-03-08 03:33 . 2008-05-09 10:53 420352 ----a-w c:\windows\system32\dllcache\vbscript.dll
2009-03-08 03:33 . 2004-08-10 04:00 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 03:33 . 2004-08-10 04:00 125952 ----a-w c:\windows\system32\dllcache\ieakeng.dll
2009-03-08 03:32 . 2004-08-10 04:00 72704 ----a-w c:\windows\system32\dllcache\admparse.dll
2009-03-08 03:32 . 2004-08-10 04:00 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 03:32 . 2004-08-10 04:00 173056 ----a-w c:\windows\system32\dllcache\ie4uinit.exe
2009-03-08 03:32 . 2004-08-10 04:00 163840 ----a-w c:\windows\system32\dllcache\ieakui.dll
2009-03-08 03:32 . 2004-08-10 04:00 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 03:32 . 2004-08-10 04:00 71680 ----a-w c:\windows\system32\dllcache\iesetup.dll
2009-03-08 03:32 . 2004-08-10 04:00 55808 ----a-w c:\windows\system32\dllcache\iernonce.dll
2009-03-08 03:32 . 2004-08-10 04:00 128512 ----a-w c:\windows\system32\dllcache\advpack.dll
2009-03-08 03:32 . 2004-08-10 04:00 94720 ----a-w c:\windows\system32\dllcache\inseng.dll
2009-03-08 03:32 . 2007-06-27 14:34 594432 ----a-w c:\windows\system32\dllcache\msfeeds.dll
2009-03-08 03:32 . 2007-06-27 14:34 1985024 ----a-w c:\windows\system32\dllcache\iertutil.dll
2009-03-08 03:32 . 2004-08-10 04:00 611840 ----a-w c:\windows\system32\dllcache\mstime.dll
2009-03-08 03:24 . 2004-08-10 04:00 68608 ----a-w c:\windows\system32\dllcache\hmmapi.dll
2009-03-08 03:22 . 2004-08-10 04:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-08 03:22 . 2004-08-10 04:00 156160 ----a-w c:\windows\system32\dllcache\msls31.dll
2009-03-08 03:11 . 2007-06-27 14:34 445952 ----a-w c:\windows\system32\dllcache\ieapfltr.dll
2009-03-06 14:22 . 2004-08-10 04:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-01 04:50 . 2008-03-25 15:33 -------- d-----w c:\documents and settings\HP_Administrator\Application Data\HP
2009-03-01 04:38 . 2009-03-01 04:01 117092 ----a-w c:\windows\hpoins11.dat
2009-03-01 04:36 . 2007-11-27 22:40 391256 ----a-w c:\documents and settings\HP_Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-01 04:25 . 2009-03-01 04:23 -------- d-----w c:\program files\Common Files\HP
2009-03-01 03:30 . 2006-08-31 13:00 -------- d-----w c:\program files\Common Files\Sonic Shared
2009-03-01 03:26 . 2006-08-31 13:18 -------- d-----w c:\program files\Hewlett-Packard
2009-03-01 00:33 . 2006-08-31 12:38 -------- d-----w c:\program files\Java
2009-02-20 18:09 . 2004-08-10 04:00 133120 ----a-w c:\windows\system32\dllcache\extmgr.dll
2009-02-20 10:20 . 2007-06-27 08:27 13824 ----a-w c:\windows\system32\dllcache\ieudinit.exe
2009-02-09 12:10 . 2004-08-10 04:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-10 11:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-10 04:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-10 04:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2008-10-15 07:32 1846784 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-09 11:13 . 2004-08-10 04:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-07 18:02 . 2008-10-15 08:11 2066048 ------w c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 20:07 . 2007-04-17 09:32 3698584 ----a-w c:\windows\system32\dllcache\ieapfltr.dat
2009-02-06 11:11 . 2004-08-10 04:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2008-10-15 08:11 2189056 ------w c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 11:06 . 2008-10-15 08:11 2145280 ------w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 11:06 . 2004-08-10 04:00 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-10 04:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:39 . 2004-08-10 04:00 35328 ----a-w c:\windows\system32\dllcache\sc.exe
2009-02-06 10:32 . 2008-10-15 08:11 2023936 ------w c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-06 10:32 . 2004-08-10 11:00 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2009-02-03 19:59 56832 ------w c:\windows\system32\dllcache\secur32.dll
2009-02-03 19:59 . 2004-08-10 04:00 56832 ----a-w c:\windows\system32\secur32.dll
2008-10-18 12:12 . 2008-01-20 16:38 391256 ----a-w c:\documents and settings\Kira & Deanna\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-07-14 09:55 . 2008-07-15 19:21 308600 ----a-w c:\documents and settings\All Users\Application Data\NortonProtectionMemo.exe
2007-11-16 21:50 . 2007-09-30 16:33 139 ----a-w c:\documents and settings\HP_Administrator\Local Settings\Application Data\fusioncache.dat
2006-08-31 12:33 . 2007-10-02 18:43 136 ----a-w c:\documents and settings\Kira & Deanna\Local Settings\Application Data\fusioncache.dat
2006-08-31 12:33 . 2006-08-31 12:33 136 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2004-08-10 04:00 . 2004-08-10 04:00 94784 --sha-w c:\windows\twain.dll
2008-04-14 00:12 . 2004-08-10 04:00 50688 --sha-w c:\windows\twain_32.dll
2007-01-07 11:19 . 2007-10-01 00:10 22 --sha-w c:\windows\SMINST\HPCD.SYS
2008-04-14 00:11 . 2004-08-10 04:00 1028096 --sha-w c:\windows\system32\mfc42.dll
2008-04-14 00:12 . 2004-08-10 04:00 57344 --sha-w c:\windows\system32\msvcirt.dll
2008-04-14 00:12 . 2004-08-10 04:00 413696 --sha-w c:\windows\system32\msvcp60.dll
2008-04-14 00:12 . 2004-08-10 04:00 343040 --sha-w c:\windows\system32\msvcrt.dll
2008-04-14 00:12 . 2004-08-10 04:00 551936 --sha-w c:\windows\system32\oleaut32.dll
2008-04-14 00:12 . 2004-08-10 04:00 84992 --sha-w c:\windows\system32\olepro32.dll
2008-04-14 00:12 . 2004-08-10 04:00 11776 --sha-w c:\windows\system32\regsvr32.exe
2008-05-13 22:41 . 2008-05-13 22:43 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008051320080514\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\b106d09e-674d-48f0-b96f-11c2af0132d0.exe" [2009-03-23 1830128]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-15 136600]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-03-20 90112]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-08-31 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2007-10-25 16855552]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-10-07 1630208]
"ftutil2"="ftutil2.dll" - c:\windows\system32\ftutil2.dll [2004-06-07 106496]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" - c:\windows\arpwrmsg.exe [2005-08-02 77312]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"aawservice"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
R3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\DRIVERS\ggflt.sys [2008-08-30 13352]
R3 PRODIGY;PRODIGY;c:\windows\system32\Drivers\PRODIGY.SYS [2006-08-29 32377]
R3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\DRIVERS\OVCE.sys [2001-08-17 31872]
R3 s3117bus;Sony Ericsson Device 3117 driver (WDM);c:\windows\system32\DRIVERS\s3117bus.sys [2008-05-12 90408]
R3 s3117mdfl;Sony Ericsson Device 3117 USB WMC Modem Filter;c:\windows\system32\DRIVERS\s3117mdfl.sys [2008-05-12 15016]
R3 s3117mdm;Sony Ericsson Device 3117 USB WMC Modem Driver;c:\windows\system32\DRIVERS\s3117mdm.sys [2008-05-12 122024]
R3 s3117mgmt;Sony Ericsson Device 3117 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\s3117mgmt.sys [2008-05-12 115368]
R3 s3117nd5;Sony Ericsson Device 3117 USB Ethernet Emulation SEMC3117 (NDIS);c:\windows\system32\DRIVERS\s3117nd5.sys [2008-05-12 25768]
R3 s3117obex;Sony Ericsson Device 3117 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\s3117obex.sys [2008-05-12 111784]
R3 s3117unic;Sony Ericsson Device 3117 USB Ethernet Emulation SEMC3117 (WDM);c:\windows\system32\DRIVERS\s3117unic.sys [2008-05-12 117544]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1005000.087\SYMEFA.SYS [2009-04-29 310320]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NIS\1005000.087\BHDrvx86.sys [2009-04-29 258608]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1005000.087\ccHPx86.sys [2009-04-29 482352]
S1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20090420.001\IDSxpx86.sys [2009-04-29 276344]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
S2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe [2009-04-29 115560]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-04-29 101936]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - ERASERUTILREBOOTDRV
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e9c09570-9871-11dc-841b-0016ecc4b98e}]
\Shell\AutoRun\command - k:\.pspware\PSPWareLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-04-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2009-04-29 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
2009-04-29 c:\windows\Tasks\User_Feed_Synchronization-{E92EE590-C798-45FD-80D7-0A3611D0DC12}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF
IE: Convert link target to Adobe PDF
IE: Convert link target to existing PDF
IE: Convert selected links to Adobe PDF
IE: Convert selected links to existing PDF
IE: Convert selection to Adobe PDF
IE: Convert selection to existing PDF
IE: Convert to Adobe PDF
IE: E&xport to Microsoft Excel
TCP: {DF5413F5-E0D5-421B-96BB-806F247AE1B6} = 194.168.4.100
DPF: {17D667BA-5675-4AAB-9221-08B9379384D4} - hxxp://cdnimg.piczo.com/images/uploader/piczo_fast_uploader.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-29 20:42
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.5.0.135\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(640)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
- - - - - - - > 'explorer.exe'(3868)
c:\windows\system32\nview.dll
c:\windows\system32\NVWRSENG.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-04-29 20:45
ComboFix-quarantined-files.txt 2009-04-29 19:45
ComboFix2.txt 2009-04-29 14:01
Pre-Run: 30,383,853,568 bytes free
Post-Run: 30,367,494,144 bytes free
334 --- E O F --- 2009-04-27 17:08
Can you let me know what I was infected with, please, and what it did? Thank you.
[quote name='negster22' post='77119' date='Apr 29 2009, 05:27 PM']
Hi, here are the rest of the logs. Thank you.
ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/04/29 20:39
Program Version: Version 1.2.3.0
Windows Version: Windows XP Media Center Edition SP3
==================================================
Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!
Path: C:\Documents and Settings\HP_Administrator\Local Settings\temp\Perflib_Perfdata_e40.dat
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl
Status: Allocation size mismatch (API: 8192, Raw: 4096)
Path: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090429.003\EraserUtilRebootDrv.sys
Status: Locked to the Windows API!
ComboFix 09-04-25.01 - HP_Administrator 29/04/2009 20:40.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2047.1471 [GMT 1:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated)
FW: Norton Internet Security *enabled*
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-29 )))))))))))))))))))))))))))))))
.
2009-04-29 19:18 . 2009-04-29 19:18 -------- d-sh--w c:\documents and settings\HP_Administrator\IETldCache
2009-04-29 18:28 . 2009-04-29 18:28 -------- d-----w c:\windows\ie8updates
2009-04-29 18:27 . 2009-02-28 04:55 105984 ------w c:\windows\system32\dllcache\iecompat.dll
2009-04-29 18:27 . 2009-04-29 18:27 1374 ----a-w c:\windows\imsins.BAK
2009-04-29 18:24 . 2009-04-29 18:27 -------- dc-h--w c:\windows\ie8
2009-04-29 16:03 . 2009-04-29 16:03 -------- d-----r c:\program files\Norton Support
2009-04-29 15:54 . 2009-04-29 15:54 -------- d-----w c:\documents and settings\All Users\Symantec Temporary Files
2009-04-29 15:51 . 2009-04-29 15:51 36400 ----a-r c:\windows\system32\drivers\SymIM.sys
2009-04-29 15:51 . 2009-04-29 15:51 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-04-29 15:51 . 2009-04-29 15:51 7386 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-04-29 15:51 . 2009-04-29 15:51 60808 ----a-w c:\windows\system32\S32EVNT1.DLL
2009-04-29 15:51 . 2009-04-29 15:51 124464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-04-29 15:51 . 2009-04-29 15:51 -------- d-----w c:\program files\Symantec
2009-04-29 15:50 . 2009-04-29 15:50 -------- d-----w c:\windows\system32\drivers\NIS
2009-04-29 15:50 . 2009-04-29 15:55 -------- d-----w c:\program files\Norton Internet Security
2009-04-29 15:50 . 2009-04-29 15:50 -------- d-----w c:\program files\Windows Sidebar
2009-04-29 15:50 . 2009-04-29 15:50 -------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-04-29 15:50 . 2009-04-29 15:51 -------- d-----w c:\documents and settings\All Users\Application Data\Norton
2009-04-29 15:50 . 2009-04-29 15:55 -------- d-----w c:\documents and settings\All Users\Application Data\NortonInstaller
2009-04-29 15:50 . 2009-04-29 15:50 -------- d-----w c:\program files\NortonInstaller
2009-04-29 15:44 . 2009-04-29 15:46 131674 ----a-w C:\MGlogs.zip
2009-04-29 15:43 . 2009-04-29 15:46 -------- d-----w C:\MGtools
2009-04-29 12:58 . 2009-04-29 12:58 256 ----a-w c:\documents and settings\All Users\Application Data\Symantec.zip
2009-04-29 10:08 . 2009-04-29 10:08 -------- d-----w c:\documents and settings\All Users\Application Data\PCSettings
2009-04-29 06:33 . 2009-04-29 06:33 -------- d-----w c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2009-04-29 06:31 . 2009-04-06 14:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-29 06:31 . 2009-04-06 14:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-29 06:31 . 2009-04-29 06:33 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-29 06:31 . 2009-04-29 06:31 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-29 06:09 . 2009-04-29 06:09 0 ----a-w c:\documents and settings\HP_Administrator\settings.dat
2009-04-26 20:43 . 2009-04-26 20:45 -------- d-----w c:\documents and settings\Deanna & Kira\dont touch
2009-04-26 18:30 . 2009-04-26 18:30 -------- d-----w c:\program files\Trend Micro
2009-04-24 19:15 . 2009-04-24 19:15 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-24 19:09 . 2009-04-26 21:35 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-24 19:09 . 2009-04-24 19:09 -------- d-----w c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
2009-04-24 19:09 . 2009-04-24 19:09 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-24 01:16 . 2009-04-24 01:16 -------- d-----w c:\program files\CCleaner
2009-04-22 18:35 . 2009-04-22 18:35 -------- d-----w c:\program files\SystemRequirementsLab
2009-04-16 20:15 . 2009-04-16 20:15 -------- d-----w c:\documents and settings\All Users\Application Data\PopCap
2009-04-15 17:19 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 17:19 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-15 17:18 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-15 17:18 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 17:18 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-15 17:18 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 17:18 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 17:18 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 17:18 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 17:18 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 17:18 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-13 06:49 . 2009-04-13 06:49 2 ----a-w c:\windows\Twain001.Mtx
2009-04-13 06:49 . 2009-04-13 06:49 156 ----a-w c:\windows\Twunk001.MTX
2009-04-13 06:49 . 2009-04-13 06:49 0 ----a-w c:\windows\Twunk002.MTX
2009-04-13 04:54 . 2009-04-13 08:25 -------- d-----w c:\windows\LMI1.tmp
2009-04-13 02:20 . 2009-04-13 03:40 -------- d-----w c:\windows\LMI36.tmp
2009-04-13 00:24 . 2009-04-13 02:35 -------- d-----w c:\windows\LMI12.tmp
2009-04-13 00:20 . 2009-04-13 02:35 -------- d-----w c:\windows\LMI11.tmp
2009-04-12 23:06 . 2009-04-13 02:35 -------- d-----w c:\windows\LMI4C.tmp
2009-04-12 21:30 . 2009-04-13 02:35 -------- d-----w c:\windows\LMI3D.tmp
2009-04-12 20:12 . 2009-04-12 20:12 -------- d-----w c:\documents and settings\HP_Administrator\Local Settings\Application Data\Symantec
2009-04-12 18:23 . 2009-04-12 18:23 -------- d-----w c:\windows\LMI34.tmp
2009-04-12 18:10 . 2009-04-12 18:10 -------- d-----w c:\windows\LMI33.tmp
2009-04-11 10:39 . 2009-04-11 10:39 -------- d-----w c:\documents and settings\Administrator\Application Data\Share-to-Web Upload Folder
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-29 19:18 . 2007-11-11 14:27 12409 ----a-w c:\windows\system32\tablet.dat
2009-04-29 16:01 . 2006-08-31 13:37 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-29 12:32 . 2006-08-31 13:37 -------- d-----w c:\documents and settings\All Users\Application Data\Symante.old
2009-04-24 19:15 . 2008-03-26 02:20 34010 ----a-w C:\mombi.log
2009-04-24 18:47 . 2006-08-31 13:33 -------- d-----w c:\program files\Google
2009-04-23 12:32 . 2009-04-23 12:27 1767 ----a-w C:\rapport.txt
2009-04-13 07:21 . 2009-04-13 06:43 13631488 ----a-w c:\documents and settings\HP_Administrator\NTUSER.LMIRescue.TMP
2009-04-13 05:04 . 2009-04-13 00:51 261367 ----a-w C:\vrq.log
2009-04-12 22:37 . 2007-09-30 21:28 -------- d-----w c:\program files\Lavasoft
2009-04-12 17:06 . 2008-01-22 17:13 -------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-04-09 21:05 . 2008-08-23 18:42 -------- d-----w c:\program files\Avanquest update
2009-03-21 14:06 . 2009-03-21 14:06 989696 ------w c:\windows\system32\dllcache\kernel32.dll
2009-03-08 13:09 . 2004-08-10 04:00 638816 ----a-w c:\windows\system32\dllcache\iexplore.exe
2009-03-08 13:09 . 2004-08-10 04:00 391536 ----a-w c:\windows\system32\dllcache\iedkcs32.dll
2009-03-08 03:41 . 2004-08-10 04:00 5937152 ----a-w c:\windows\system32\dllcache\mshtml.dll
2009-03-08 03:39 . 2007-06-27 14:34 11063808 ----a-w c:\windows\system32\dllcache\ieframe.dll
2009-03-08 03:34 . 2004-08-10 04:00 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 03:34 . 2004-08-10 04:00 914944 ----a-w c:\windows\system32\dllcache\wininet.dll
2009-03-08 03:34 . 2004-08-10 04:00 1206784 ----a-w c:\windows\system32\dllcache\urlmon.dll
2009-03-08 03:34 . 2004-08-10 04:00 236544 ----a-w c:\windows\system32\dllcache\webcheck.dll
2009-03-08 03:34 . 2004-08-10 04:00 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 03:34 . 2004-08-10 04:00 43008 ----a-w c:\windows\system32\dllcache\licmgr10.dll
2009-03-08 03:34 . 2004-08-10 04:00 105984 ----a-w c:\windows\system32\dllcache\url.dll
2009-03-08 03:34 . 2004-08-10 04:00 193536 ----a-w c:\windows\system32\dllcache\msrating.dll
2009-03-08 03:34 . 2004-08-10 04:00 109568 ----a-w c:\windows\system32\dllcache\occache.dll
2009-03-08 03:33 . 2004-08-10 04:00 759296 ----a-w c:\windows\system32\dllcache\VGX.dll
2009-03-08 03:33 . 2009-03-08 03:33 18944 ------w c:\windows\system32\dllcache\corpol.dll
2009-03-08 03:33 . 2004-08-10 04:00 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 03:33 . 2004-08-10 04:00 25600 ----a-w c:\windows\system32\dllcache\jsproxy.dll
2009-03-08 03:33 . 2008-05-09 10:53 726528 ----a-w c:\windows\system32\dllcache\jscript.dll
2009-03-08 03:33 . 2004-08-10 04:00 229376 ----a-w c:\windows\system32\dllcache\ieaksie.dll
2009-03-08 03:33 . 2008-05-09 10:53 420352 ----a-w c:\windows\system32\dllcache\vbscript.dll
2009-03-08 03:33 . 2004-08-10 04:00 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 03:33 . 2004-08-10 04:00 125952 ----a-w c:\windows\system32\dllcache\ieakeng.dll
2009-03-08 03:32 . 2004-08-10 04:00 72704 ----a-w c:\windows\system32\dllcache\admparse.dll
2009-03-08 03:32 . 2004-08-10 04:00 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 03:32 . 2004-08-10 04:00 173056 ----a-w c:\windows\system32\dllcache\ie4uinit.exe
2009-03-08 03:32 . 2004-08-10 04:00 163840 ----a-w c:\windows\system32\dllcache\ieakui.dll
2009-03-08 03:32 . 2004-08-10 04:00 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 03:32 . 2004-08-10 04:00 71680 ----a-w c:\windows\system32\dllcache\iesetup.dll
2009-03-08 03:32 . 2004-08-10 04:00 55808 ----a-w c:\windows\system32\dllcache\iernonce.dll
2009-03-08 03:32 . 2004-08-10 04:00 128512 ----a-w c:\windows\system32\dllcache\advpack.dll
2009-03-08 03:32 . 2004-08-10 04:00 94720 ----a-w c:\windows\system32\dllcache\inseng.dll
2009-03-08 03:32 . 2007-06-27 14:34 594432 ----a-w c:\windows\system32\dllcache\msfeeds.dll
2009-03-08 03:32 . 2007-06-27 14:34 1985024 ----a-w c:\windows\system32\dllcache\iertutil.dll
2009-03-08 03:32 . 2004-08-10 04:00 611840 ----a-w c:\windows\system32\dllcache\mstime.dll
2009-03-08 03:24 . 2004-08-10 04:00 68608 ----a-w c:\windows\system32\dllcache\hmmapi.dll
2009-03-08 03:22 . 2004-08-10 04:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-08 03:22 . 2004-08-10 04:00 156160 ----a-w c:\windows\system32\dllcache\msls31.dll
2009-03-08 03:11 . 2007-06-27 14:34 445952 ----a-w c:\windows\system32\dllcache\ieapfltr.dll
2009-03-06 14:22 . 2004-08-10 04:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-01 04:50 . 2008-03-25 15:33 -------- d-----w c:\documents and settings\HP_Administrator\Application Data\HP
2009-03-01 04:38 . 2009-03-01 04:01 117092 ----a-w c:\windows\hpoins11.dat
2009-03-01 04:36 . 2007-11-27 22:40 391256 ----a-w c:\documents and settings\HP_Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-01 04:25 . 2009-03-01 04:23 -------- d-----w c:\program files\Common Files\HP
2009-03-01 03:30 . 2006-08-31 13:00 -------- d-----w c:\program files\Common Files\Sonic Shared
2009-03-01 03:26 . 2006-08-31 13:18 -------- d-----w c:\program files\Hewlett-Packard
2009-03-01 00:33 . 2006-08-31 12:38 -------- d-----w c:\program files\Java
2009-02-20 18:09 . 2004-08-10 04:00 133120 ----a-w c:\windows\system32\dllcache\extmgr.dll
2009-02-20 10:20 . 2007-06-27 08:27 13824 ----a-w c:\windows\system32\dllcache\ieudinit.exe
2009-02-09 12:10 . 2004-08-10 04:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-10 11:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-10 04:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-10 04:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2008-10-15 07:32 1846784 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-09 11:13 . 2004-08-10 04:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-07 18:02 . 2008-10-15 08:11 2066048 ------w c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 20:07 . 2007-04-17 09:32 3698584 ----a-w c:\windows\system32\dllcache\ieapfltr.dat
2009-02-06 11:11 . 2004-08-10 04:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2008-10-15 08:11 2189056 ------w c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 11:06 . 2008-10-15 08:11 2145280 ------w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 11:06 . 2004-08-10 04:00 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-10 04:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:39 . 2004-08-10 04:00 35328 ----a-w c:\windows\system32\dllcache\sc.exe
2009-02-06 10:32 . 2008-10-15 08:11 2023936 ------w c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-06 10:32 . 2004-08-10 11:00 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2009-02-03 19:59 56832 ------w c:\windows\system32\dllcache\secur32.dll
2009-02-03 19:59 . 2004-08-10 04:00 56832 ----a-w c:\windows\system32\secur32.dll
2008-10-18 12:12 . 2008-01-20 16:38 391256 ----a-w c:\documents and settings\Kira & Deanna\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-07-14 09:55 . 2008-07-15 19:21 308600 ----a-w c:\documents and settings\All Users\Application Data\NortonProtectionMemo.exe
2007-11-16 21:50 . 2007-09-30 16:33 139 ----a-w c:\documents and settings\HP_Administrator\Local Settings\Application Data\fusioncache.dat
2006-08-31 12:33 . 2007-10-02 18:43 136 ----a-w c:\documents and settings\Kira & Deanna\Local Settings\Application Data\fusioncache.dat
2006-08-31 12:33 . 2006-08-31 12:33 136 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2004-08-10 04:00 . 2004-08-10 04:00 94784 --sha-w c:\windows\twain.dll
2008-04-14 00:12 . 2004-08-10 04:00 50688 --sha-w c:\windows\twain_32.dll
2007-01-07 11:19 . 2007-10-01 00:10 22 --sha-w c:\windows\SMINST\HPCD.SYS
2008-04-14 00:11 . 2004-08-10 04:00 1028096 --sha-w c:\windows\system32\mfc42.dll
2008-04-14 00:12 . 2004-08-10 04:00 57344 --sha-w c:\windows\system32\msvcirt.dll
2008-04-14 00:12 . 2004-08-10 04:00 413696 --sha-w c:\windows\system32\msvcp60.dll
2008-04-14 00:12 . 2004-08-10 04:00 343040 --sha-w c:\windows\system32\msvcrt.dll
2008-04-14 00:12 . 2004-08-10 04:00 551936 --sha-w c:\windows\system32\oleaut32.dll
2008-04-14 00:12 . 2004-08-10 04:00 84992 --sha-w c:\windows\system32\olepro32.dll
2008-04-14 00:12 . 2004-08-10 04:00 11776 --sha-w c:\windows\system32\regsvr32.exe
2008-05-13 22:41 . 2008-05-13 22:43 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008051320080514\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\b106d09e-674d-48f0-b96f-11c2af0132d0.exe" [2009-03-23 1830128]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-15 136600]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-03-20 90112]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-08-31 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2007-10-25 16855552]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-10-07 1630208]
"ftutil2"="ftutil2.dll" - c:\windows\system32\ftutil2.dll [2004-06-07 106496]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" - c:\windows\arpwrmsg.exe [2005-08-02 77312]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"aawservice"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
R3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\DRIVERS\ggflt.sys [2008-08-30 13352]
R3 PRODIGY;PRODIGY;c:\windows\system32\Drivers\PRODIGY.SYS [2006-08-29 32377]
R3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\DRIVERS\OVCE.sys [2001-08-17 31872]
R3 s3117bus;Sony Ericsson Device 3117 driver (WDM);c:\windows\system32\DRIVERS\s3117bus.sys [2008-05-12 90408]
R3 s3117mdfl;Sony Ericsson Device 3117 USB WMC Modem Filter;c:\windows\system32\DRIVERS\s3117mdfl.sys [2008-05-12 15016]
R3 s3117mdm;Sony Ericsson Device 3117 USB WMC Modem Driver;c:\windows\system32\DRIVERS\s3117mdm.sys [2008-05-12 122024]
R3 s3117mgmt;Sony Ericsson Device 3117 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\s3117mgmt.sys [2008-05-12 115368]
R3 s3117nd5;Sony Ericsson Device 3117 USB Ethernet Emulation SEMC3117 (NDIS);c:\windows\system32\DRIVERS\s3117nd5.sys [2008-05-12 25768]
R3 s3117obex;Sony Ericsson Device 3117 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\s3117obex.sys [2008-05-12 111784]
R3 s3117unic;Sony Ericsson Device 3117 USB Ethernet Emulation SEMC3117 (WDM);c:\windows\system32\DRIVERS\s3117unic.sys [2008-05-12 117544]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1005000.087\SYMEFA.SYS [2009-04-29 310320]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NIS\1005000.087\BHDrvx86.sys [2009-04-29 258608]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1005000.087\ccHPx86.sys [2009-04-29 482352]
S1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20090420.001\IDSxpx86.sys [2009-04-29 276344]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
S2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe [2009-04-29 115560]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-04-29 101936]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - ERASERUTILREBOOTDRV
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e9c09570-9871-11dc-841b-0016ecc4b98e}]
\Shell\AutoRun\command - k:\.pspware\PSPWareLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-04-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2009-04-29 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
2009-04-29 c:\windows\Tasks\User_Feed_Synchronization-{E92EE590-C798-45FD-80D7-0A3611D0DC12}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF
IE: Convert link target to Adobe PDF
IE: Convert link target to existing PDF
IE: Convert selected links to Adobe PDF
IE: Convert selected links to existing PDF
IE: Convert selection to Adobe PDF
IE: Convert selection to existing PDF
IE: Convert to Adobe PDF
IE: E&xport to Microsoft Excel
TCP: {DF5413F5-E0D5-421B-96BB-806F247AE1B6} = 194.168.4.100
DPF: {17D667BA-5675-4AAB-9221-08B9379384D4} - hxxp://cdnimg.piczo.com/images/uploader/piczo_fast_uploader.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-29 20:42
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.5.0.135\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(640)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
- - - - - - - > 'explorer.exe'(3868)
c:\windows\system32\nview.dll
c:\windows\system32\NVWRSENG.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-04-29 20:45
ComboFix-quarantined-files.txt 2009-04-29 19:45
ComboFix2.txt 2009-04-29 14:01
Pre-Run: 30,383,853,568 bytes free
Post-Run: 30,367,494,144 bytes free
334 --- E O F --- 2009-04-27 17:08
Can you let me know what I was infected with, please, and what it did? Thank you.
#7
Posted 29 April 2009 - 11:03 PM
You were infected with a CLB rootkit. There are many variants: TDSS, Seneka, UAC, and GAOPDX. You were infected with the last type listed here:
http://vil.nai.com/v...nt/v_154186.htm
Now, I have to wade through your logs, so please be patient for a while. I noticed you said you ran "malware" in safe mode.
Did you mean Malwarebytes (MBAM)? MBAM is not meant to be run in safe mode because it detects active malware, and in safe mode some but not all threats may not be running.
#8
Posted 29 April 2009 - 11:43 PM
By comparing your "before and after" logs it appears you are clean now! 
Good job!
I would like to know two things please!
In reference to my previous instructions where I said this in reference to running RootRepeal:
"negster22" said:
If the following hidden driver is listed, or a similar gxxx.SYS file that begins with a "g" and has a ridiculously long name, select it - then right-click the driver and choose "Wipe file"
C:\WINDOWS\system32\drivers\gxvxcewwcmpeojtkqtpmomsysamekxespkexl.sys
When you said in return about RootRepeal that
Quote:
It found the file you mentioned.
1. Did it find the SYS file by using the driver scan OR with the longer file scan?
2. Did you perform the "wipe file" operation on the G**.SYS file you found, as instructed?
BTW, the threat you had was a DNS hijacker that was hidden by a rootkit (cloaking program) to prevent its removal.
I just want to do one more antivirus scan to get a second opinion in order to verify that your system is clean.
Please perform a scan with the ESET online virus scanner:
http://www.eset.com/...escan/index.php
- ESET recommends disabling your resident antivirus's auto-protection feature before beginning the scan to avoid conflicts and system hangs. Please disable your antivirus's Guard and any antispyware or HIPS programs you are running.
- Use Internet Explorer to navigate to the scanner website because you must approve installation of an ActiveX add-on to complete the scan.
- Check the "Yes, I accept the terms of use" box.
- Click "Start"
- Check the following two boxes:
- enable "Remove found threats"
- Scan unwanted applications
- Click the Scan button to begin scanning.
- When the scan is done the log is automatically saved. To retrieve it
- Close the ESET scan Window.
- Now open a run line by clicking Start >> Run...
- Copy/paste "C:\Program Files\EsetOnlineScanner\log.txt" into the Open box.
- The scan results will now display in Notepad.
- Please copy and paste the ESET scan report, found at C:\Program Files\EsetOnlineScanner\log.txt, into your next reply.
Note to Vista users and anyone with restrictive IE security settings: Depending on your security settings, you may have to allow cookies and put the ESET website, www.eset.com, into the trusted zone of Internet Explorer if the scan has problems starting (in Vista this is a necessity as IE runs in Protected mode).
To do that, on the Internet Explorer menu click Tools => Internet Options => Security => Trusted Sites => Sites. Then uncheck the "Require server verification for all sites in this zone" checkbox at the bottom of the dialog. Add the above www.eset.com URL to the list of trusted sites by inserting it in the blank box and clicking the Add button, then click Close. For cookies, choose the IE7 Privacy tab and add the above eset.com URL to the exceptions list for cookie blocking.
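The helper's triage above rests on things a defender can check mechanically in a ComboFix log: a driver whose file name begins with "g" and is a long random string, the per-adapter DNS servers in the TCP: lines (the point of a DNS hijacker), and the Security Center and firewall settings the log also records. The following Python is an added example, not a tool from this thread or from ComboFix, that applies those checks to constructed ComboFix-style lines; the gxvxc*.sys file name is the one quoted in the thread, while the service name gxvxcserv, the second adapter GUID, the 203.0.113.x resolvers and the set of expected resolvers are assumptions made for the example.

```python
"""Triage of ComboFix-style log lines (added example; not a tool from this thread)."""
import re

# Constructed sample in ComboFix layout. The gxvxc*.sys file name is the one quoted
# in the thread; the service name "gxvxcserv", the second adapter GUID and the
# 203.0.113.x resolvers are invented for the example.
SAMPLE_LOG = r"""
R3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\DRIVERS\ggflt.sys [2008-08-30 13352]
R0 gxvxcserv;gxvxcserv;c:\windows\system32\drivers\gxvxcewwcmpeojtkqtpmomsysamekxespkexl.sys [2009-04-20 41472]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-04-29 101936]
TCP: {DF5413F5-E0D5-421B-96BB-806F247AE1B6} = 194.168.4.100
TCP: {00000000-1111-2222-3333-444444444444} = 203.0.113.7,203.0.113.8
"DisableMonitoring"=dword:00000001
"EnableFirewall"= 0 (0x0)
"""

# Service lines: "<state> <service>;<description>;<path>.sys [<date> <size>]"
DRIVER_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?\.sys)\s+\[", re.I | re.M)
# Per-adapter DNS servers: "TCP: {<adapter GUID>} = <ip>[,<ip>]"
DNS_RE = re.compile(r"^TCP:\s+(\{[0-9A-F-]+\})\s*=\s*([\d.,]+)", re.I | re.M)

def looks_random(stem, min_len=16, max_vowel_ratio=0.3):
    """Heuristic for generated driver names: long, letters only, few vowels."""
    # Thresholds are the example's own choice: EraserUtilRebootDrv passes, gxvxc... is flagged.
    s = stem.lower()
    if len(s) < min_len or not s.isalpha():
        return False
    return sum(c in "aeiou" for c in s) / len(s) < max_vowel_ratio

def suspicious_drivers(log):
    """Return (service, path) for every driver whose file name looks random."""
    hits = []
    for _state, service, _desc, path in DRIVER_RE.findall(log):
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if looks_random(stem):
            hits.append((service, path))
    return hits

def unexpected_resolvers(log, expected):
    """Return (adapter GUID, ip) for each DNS server not in the expected set."""
    return [(guid, ip) for guid, ips in DNS_RE.findall(log)
            for ip in ips.split(",") if ip not in expected]

def weakened_defenses(log):
    """Settings worth reviewing: Security Center monitoring off, XP firewall off."""
    # Both can be legitimate (a third-party suite often sets them), so they are review items.
    findings = []
    if re.search(r'"DisableMonitoring"=dword:0*1\b', log):
        findings.append("security center monitoring disabled")
    if re.search(r'"EnableFirewall"=\s*0\b', log):
        findings.append("windows firewall disabled")
    return findings

def triage(log, expected_dns):
    """Run all three checks and collect the findings in one dict."""
    return {"drivers": suspicious_drivers(log),
            "resolvers": unexpected_resolvers(log, expected_dns),
            "defenses": weakened_defenses(log)}

if __name__ == "__main__":
    # 194.168.4.100 is the resolver shown in the thread's own log; treat it as expected.
    for key, value in triage(SAMPLE_LOG, {"194.168.4.100"}).items():
        print(key, value)
```

The expected-resolver set should be the ISP's or the router's real DNS addresses for the machine being examined; anything else in a TCP: line is what a DNS hijacker changes.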
#9
Posted 30 April 2009 - 07:30 PM
I ran ComboFix before RootRepeal, and it found and said it deleted the big long g one.
Doing an ESET scan now; will post the log when I am done.
Dee
#10
Posted 30 April 2009 - 10:10 PM
#11
Posted 30 April 2009 - 10:16 PM
denisedee, on Apr 30 2009, 08:30 PM, said:
I ran ComboFix before RootRepeal, and it found and said it deleted the big long g one.
Doing an ESET scan now; will post the log when I am done.
Dee
The log as requested
# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=4046 (20090430)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=f4ab63ac1d7c384995aad9836c2c8e29
# end=finished
# remove_checked=true
# unwanted_checked=false
# utc_time=2009-04-30 09:46:59
# local_time=2009-04-30 10:46:59 (+0000, GMT Daylight Time)
# country="United Kingdom"
# osver=5.1.2600 NT Service Pack 3
# scanned=994595
# found=4
# scan_time=12377
C:\Documents and Settings\HP_Administrator\Desktop\Aub mem temp\Hiren's.BootCD.9.7.iso probably unknown NewHeur_PE virus (deleted) 00000000000000000000000000000000
C:\Documents and Settings\HP_Administrator\Desktop\Aub mem temp\Hiren's.BootCD.9.7.iso »ISO »VDefs.exe probably unknown NewHeur_PE virus (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\HP_Administrator\My Documents\Aubs Stuff\extract\Nero-7.8.5.0_eng.exe Win32/Toolbar.AskSBar application (deleted) 00000000000000000000000000000000
C:\Documents and Settings\HP_Administrator\My Documents\Aubs Stuff\extract\Nero-7.8.5.0_eng.exe »RAR »Toolbar.exe Win32/Toolbar.AskSBar application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
Thank you.
Dee
#12
Posted 30 April 2009 - 10:33 PM
OK- that looks good.
This is why your boot CD was flagged:
Quote:
Due to the inclusion of illegally copied copyrighted works, Hiren's Boot CD is legally considered "warez" and pirated intellectual property
We have a few steps to finish up now.
Let's remove Combofix and all its associated files including those in quarantine:
Click start -> run, then copy and paste the following line into the Open box and click OK.
"%userprofile%\desktop\combofix.exe" /u
This will do the following:
- Uninstall Combofix and all its associated files and folders.
- It will flush your system restore points and create a new restore point.
- It will rehide your system files and folders
- Reset your system clock
You can remove RootRepeal by deleting the contents of the folder it resides in and then the folder itself.
Here are some additional measures you should take to keep your system in good working order and ensure your continued security.
1. Scan your system for outdated versions of commonly used software applications that may also leave your PC vulnerable, using the Secunia Online Software Inspector (OSI).
Just click the "Start Scanner" button to get a listing of all outdated and possibly insecure resident programs.
Note: If your firewall prompts you about access, allow it.
2. Keep MBAM as an on-demand scanner because I highly recommend it, and the quick scan will find almost all active malware in minutes.
3. You can reduce your startups by downloading Malwarebytes' StartUp Lite and saving it to a convenient location. Just double-click StartUpLite.exe. Then check the options you would like based on the descriptions provided, and select Continue. This will free up system resources because nonessential background programs will no longer be running when you start up your computer.
Finally, please follow the suggestions offered by Tony Klein in "How did I get infected in the first place?" so you can maintain a safe and secure computing environment.
Happy Surfing!
#13
Posted 01 May 2009 - 11:01 AM
Thank you very much. Updating the programmes Real and Adobe, so they should be better.
We think we got hit by our youngest clicking on a pop-up. Should have told us afterwards; I did checks but found nothing. Like you say, once you open the door they all come rushing in.
Your time and effort are really appreciated, and again I cannot say enough thank-yous.
Dee
#14
Posted 01 May 2009 - 03:01 PM
Glad you're better. Your kind words are enough thanks!