Battling uacinit.dll and its minions... need help

8 replies to this topic

#1 k1ng_m0b (New Member, 9 posts, Location: Los Angeles, CA, US PST)

Hi,

I've been fighting what seems to be a rootkit infection. I read and followed the instructions posted in the sticky topic "I'm infected - What do I do now?", and so now I'm including my HJT log.

The general symptoms are: MBAM finds stuff like:

Memory Modules Infected:
\\?\globalroot\systemroot\system32\UACtolplkttbtsajpe.dll (Trojan.TDSS) -> Delete on reboot.

Files Infected:
\\?\globalroot\systemroot\system32\UACtolplkttbtsajpe.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

But the stuff to be deleted on reboot always resurrects itself. I'm hoping the ninjas here can help me eradicate this.

Thanks,

KM

===BEGIN HJT LOG===

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:38:12 PM, on 6/18/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\apps\sound\Winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\GearHead\Wheel Mouse\5.3\MOUSE32A.EXE
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\apps\sound\iTunes_{USER}\iTunesHelper.exe
C:\apps\graphics\2d\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\apps\graphics\2d\Alias\Alias SketchBook Pro 2.0\AliasSketchSnap.exe
C:\Program Files\PIXELA\ImageMixer 3 SE\CameraMonitor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\apps\web\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1080102
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.malwareby...?showtopic=9573
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1080102
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Tunebite_WebRipPlugin Class - {AA102584-3B97-47e7-B9BC-75D54C110A7D} - C:\apps\Utils\RapidSolution\Tunebite\plugins\IE\TB_WebRipIePlugin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\apps\graphics\2d\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [WinampAgent] C:\apps\sound\Winamp\winampa.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\GearHead\Wheel Mouse\5.3\MOUSE32A.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\apps\sound\iTunes_{USER}\iTunesHelper.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\apps\graphics\2d\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\GODFUCKINGDAMMIT.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Alias SketchBook Snapshot.lnk = C:\apps\graphics\2d\Alias\Alias SketchBook Pro 2.0\AliasSketchSnap.exe
O4 - Global Startup: ImageMixer 3 SE Camera Monitor.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\apps\graphics\2d\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\apps\graphics\2d\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\apps\graphics\2d\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\apps\graphics\2d\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\apps\graphics\2d\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\apps\graphics\2d\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\apps\graphics\2d\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\apps\graphics\2d\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.1.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = usc.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = usc.edu
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: !SASWinLogon - C:\apps\web\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe

--
End of file - 13746 bytes
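A small log triage helper, added here as an example; it is not part of the original post and not a Malwarebytes, HijackThis or ComboFix tool. The indicator patterns are assumptions derived only from the file names quoted in this thread (the `\\?\globalroot` device path, `UAC` plus random letters under system32 or drivers, `uacinit.dll`, the numbered `_00NNNN_.tmp.dll` files, `Service_UACd.sys`), and the sample lines are constructed from those posts, so a reader can see which log lines a responder would pull out first.

```python
"""Flag lines in MBAM / HijackThis / ComboFix-style logs that carry the
naming pattern seen in this thread. Example code, not a vendor signature:
the regexes below are assumptions derived from the file names in the posts."""
import re

# A Windows path: either a \\?\ device path or a drive-letter path, ending in a
# file extension that appears in these logs. Non-greedy so the match stops at
# the first real extension (e.g. it does not stop at "jre1.6.0_07").
PATH_RE = re.compile(
    r'(?:\\\\\?\\|[A-Za-z]:\\)[^"\r\n]*?\.(?:exe|dll|sys|dat|log|ini|cpl)(?![A-Za-z0-9])',
    re.I,
)
# ComboFix "Drivers/Services" removals look like "-------\Service_UACd.sys".
COMBOFIX_SERVICE_RE = re.compile(r"^-------\\(.+)$")

# (pattern, reason) pairs. Assumed from the thread's own file names.
INDICATORS = [
    (re.compile(r"^\\\\\?\\globalroot\\", re.I),
     "\\\\?\\globalroot device path (object-namespace path, hidden from normal Win32 listing)"),
    (re.compile(r"\\system32\\(?:drivers\\)?UAC[a-z]{6,}\.(?:dll|sys|dat|log)$", re.I),
     "UAC + random letters under system32/drivers (TDSS naming seen in this thread)"),
    (re.compile(r"\\system32\\uacinit\.dll$", re.I),
     "uacinit.dll (flagged by MBAM as Trojan.Agent in the first post)"),
    (re.compile(r"\\system32\\_\d{6}_\.tmp\.dll$", re.I),
     "numbered _NNNNNN_.tmp.dll dropping in system32"),
    (re.compile(r"(?:^|\\)Service_UACd\.sys$", re.I),
     "UACd.sys service removed by ComboFix"),
]


def extract_paths(line):
    """Return every file path found on one log line, whatever the log format."""
    paths = [m.group(0) for m in PATH_RE.finditer(line)]
    m = COMBOFIX_SERVICE_RE.match(line.strip())
    if m:
        paths.append(m.group(1))
    return paths


def classify(path):
    """Return the list of indicator reasons that apply to one path (empty if clean)."""
    return [reason for pattern, reason in INDICATORS if pattern.search(path)]


def triage(log_text):
    """Scan a whole log; return (line_number, path, [reasons]) for each flagged path."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for path in extract_paths(line):
            reasons = classify(path)
            if reasons:
                hits.append((lineno, path, reasons))
    return hits


# Constructed sample: a mix of MBAM, HijackThis and ComboFix lines modelled on
# the ones posted in this thread (two clean lines included as controls).
SAMPLE = r"""Memory Modules Infected:
\\?\globalroot\systemroot\system32\UACtolplkttbtsajpe.dll (Trojan.TDSS) -> Delete on reboot.
Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
c:\windows\system32\drivers\UACnqvhtxingxjpxqg.sys
c:\windows\system32\_003329_.tmp.dll
-------\Service_UACd.sys
C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
"""

if __name__ == "__main__":
    for lineno, path, reasons in triage(SAMPLE):
        print(f"line {lineno}: {path}")
        for reason in reasons:
            print(f"    - {reason}")
```

A `globalroot` hit together with a "Delete on reboot" action that keeps reappearing, as in the first post, is the combination that points at an active rootkit rather than a leftover file.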

#2 miekiemoes (Forum Deity, Administrators, 7,127 posts, Gender: Female, Location: Belgium)

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.
Mieke Verburgh
Assistant Director of Research

#3 k1ng_m0b (New Member, 9 posts, Location: Los Angeles, CA, US PST)

Thank you for your reply! Here is the ComboFix log:

ComboFix 09-06-18.02 - Mitch 06/19/2009 10:42.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1511 [GMT -7:00]
Running from: c:\documents and settings\Mitch\Desktop\foobar.exe
Command switches used :: c:\documents and settings\Mitch\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\driver
c:\windows\system32\drivers\UACnqvhtxingxjpxqg.sys
c:\windows\system32\UACifjfwcdpfnunxbc.dat
c:\windows\system32\UACkbcihutcyidpywo.log
c:\windows\system32\UACnlbjhwhehsbehei.dll
c:\windows\system32\UACsjnjqown.dat
c:\windows\system32\UACsrrwndmlgfivruv.log
c:\windows\system32\UACtolplkttbtsajpe.dll
c:\windows\system32\UACuipbqjnlhhikbit.log
c:\windows\system32\UACxnjsyidsnwylixx.dll
c:\windows\system32\UACxnlafitmxhmbwmh.dll
c:\windows\system32\UACyhdaokopeaxpvmv.dll
c:\windows\system32\_003329_.tmp.dll
c:\windows\system32\_003330_.tmp.dll
c:\windows\system32\_003331_.tmp.dll
c:\windows\system32\_003332_.tmp.dll
c:\windows\system32\_003336_.tmp.dll
c:\windows\system32\_003337_.tmp.dll
c:\windows\system32\_003338_.tmp.dll
c:\windows\system32\_003339_.tmp.dll
c:\windows\system32\_003340_.tmp.dll
c:\windows\system32\_003341_.tmp.dll
c:\windows\system32\_003342_.tmp.dll
c:\windows\system32\_003343_.tmp.dll
c:\windows\system32\_003344_.tmp.dll
c:\windows\system32\_003345_.tmp.dll
c:\windows\system32\_003348_.tmp.dll
c:\windows\system32\_003349_.tmp.dll
c:\windows\system32\_003351_.tmp.dll
c:\windows\system32\_003352_.tmp.dll
c:\windows\system32\_003353_.tmp.dll
c:\windows\system32\_003355_.tmp.dll
c:\windows\system32\_003356_.tmp.dll
c:\windows\system32\_003358_.tmp.dll
c:\windows\system32\_003359_.tmp.dll
c:\windows\system32\_003361_.tmp.dll
c:\windows\system32\_003362_.tmp.dll
c:\windows\system32\_003363_.tmp.dll
c:\windows\system32\_003364_.tmp.dll
c:\windows\system32\_003365_.tmp.dll
c:\windows\system32\_003366_.tmp.dll
c:\windows\system32\_003368_.tmp.dll
c:\windows\system32\_003369_.tmp.dll
c:\windows\system32\_003370_.tmp.dll
c:\windows\system32\_003371_.tmp.dll
c:\windows\system32\_003372_.tmp.dll
c:\windows\system32\_003373_.tmp.dll
c:\windows\system32\_003374_.tmp.dll
c:\windows\system32\_003375_.tmp.dll
c:\windows\system32\_003378_.tmp.dll
c:\windows\system32\_003379_.tmp.dll
c:\windows\system32\_003380_.tmp.dll
c:\windows\system32\_003381_.tmp.dll
c:\windows\system32\_003382_.tmp.dll
c:\windows\system32\_003383_.tmp.dll
c:\windows\system32\_003384_.tmp.dll
c:\windows\system32\_003386_.tmp.dll
c:\windows\system32\_003387_.tmp.dll
c:\windows\system32\_003388_.tmp.dll
c:\windows\system32\_003389_.tmp.dll
c:\windows\system32\_003390_.tmp.dll
c:\windows\system32\_003391_.tmp.dll
c:\windows\system32\_003393_.tmp.dll
c:\windows\system32\_003396_.tmp.dll
c:\windows\system32\_003397_.tmp.dll
c:\windows\system32\_003401_.tmp.dll
c:\windows\system32\_003402_.tmp.dll
c:\windows\system32\_003404_.tmp.dll
c:\windows\system32\_003407_.tmp.dll
c:\windows\system32\_003409_.tmp.dll
c:\windows\system32\_003410_.tmp.dll
c:\windows\system32\_003411_.tmp.dll
c:\windows\system32\_003412_.tmp.dll
c:\windows\system32\_003415_.tmp.dll
c:\windows\system32\_003416_.tmp.dll
c:\windows\system32\_003417_.tmp.dll
c:\windows\system32\_003418_.tmp.dll
c:\windows\system32\_003419_.tmp.dll
c:\windows\system32\_003424_.tmp.dll
c:\windows\system32\_003426_.tmp.dll
c:\windows\system32\cookie1.dat
c:\windows\system32\drivers\UACnqvhtxingxjpxqg.sys
c:\windows\system32\tb.dr
c:\windows\system32\UACifjfwcdpfnunxbc.dat
c:\windows\system32\uacinit.dll
c:\windows\system32\UACkbcihutcyidpywo.log
c:\windows\system32\UACnlbjhwhehsbehei.dll
c:\windows\system32\UACsrrwndmlgfivruv.log
c:\windows\system32\UACtolplkttbtsajpe.dll
c:\windows\system32\UACuipbqjnlhhikbit.log
c:\windows\system32\UACxnjsyidsnwylixx.dll
c:\windows\system32\UACxnlafitmxhmbwmh.dll
c:\windows\system32\UACyhdaokopeaxpvmv.dll
c:\windows\system32\ypmqpcqe.ini
c:\windows\wiaserviv.log
c:\windows\wiaservv.log

----- BITS: Possible infected sites -----

hxxp://downloadsoftwareserver.com
c:\windows\system32\proquota.exe was missing
Restored copy from - c:\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_DRIVER
-------\Legacy_DRIVERDRV
-------\Service_driver
-------\Service_driverdrv


((((((((((((((((((((((((( Files Created from 2009-05-19 to 2009-06-19 )))))))))))))))))))))))))))))))
.

2009-06-19 17:50 . 2004-08-04 11:00 50176 ----a-w- c:\windows\system32\proquota.exe
2009-06-19 17:50 . 2004-08-04 11:00 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-06-18 22:25 . 2009-03-05 05:28 89088 -c--a-w- c:\documents and settings\All Users\Application Data\Symantec\Cached Installs\{3BAB4914-9CC1-4CC2-A3DA-56EF62DFD373}\System32\atl71.dll
2009-06-18 09:29 . 2009-06-18 17:07 117760 ----a-w- c:\documents and settings\Mitch\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-18 09:29 . 2009-06-18 09:29 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-18 09:26 . 2009-06-18 09:26 -------- d-----w- c:\documents and settings\Mitch\Application Data\SUPERAntiSpyware.com
2009-06-18 09:26 . 2009-06-18 09:26 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-18 05:19 . 2009-06-18 05:19 -------- d-----w- c:\documents and settings\Nankyung\Local Settings\Application Data\RapidSolution
2009-06-18 05:18 . 2009-06-18 05:18 -------- d-----w- c:\documents and settings\Nankyung\Application Data\WTablet
2009-06-18 02:11 . 2009-06-18 02:11 1 ---h--w- c:\windows\jmmark2.dat
2009-06-17 20:33 . 2009-03-24 23:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-06-17 10:19 . 2009-05-26 20:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 10:19 . 2009-06-17 10:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-17 10:19 . 2009-05-26 20:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-15 07:58 . 2009-06-15 07:58 -------- d-----w- c:\windows\system32\Adobe
2009-06-09 22:03 . 2009-06-09 22:04 -------- d-----w- c:\documents and settings\Mitch\Application Data\ZoomBrowser EX
2009-06-09 07:06 . 2009-06-09 07:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Ableton
2009-06-09 07:06 . 2009-06-09 07:06 -------- d-----w- c:\documents and settings\Mitch\Application Data\Ableton
2009-05-30 09:13 . 2009-05-30 09:13 -------- d-----w- c:\documents and settings\Mitch\.thumbnails
2009-05-30 05:17 . 2009-05-30 05:17 390664 ----a-w- c:\documents and settings\Mitch\Application Data\Real\RealPlayer\Update\RealPlayer11.exe
2009-05-27 04:38 . 2009-06-19 17:53 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-19 17:58 . 2009-03-27 05:01 -------- d-----w- c:\documents and settings\Mitch\Application Data\WTablet
2009-06-18 22:27 . 2008-01-06 09:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-06-18 22:26 . 2008-01-06 09:20 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-18 22:26 . 2009-06-18 22:26 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-06-18 22:26 . 2009-06-18 22:26 60800 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-06-18 22:26 . 2009-06-18 22:26 123952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-06-18 22:26 . 2009-06-18 22:26 10563 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-06-18 22:26 . 2008-01-06 09:20 -------- d-----w- c:\program files\Symantec
2009-06-18 05:35 . 2008-01-06 09:20 -------- d-----w- c:\program files\Symantec AntiVirus
2009-06-18 05:19 . 2008-01-05 06:13 41824 ----a-w- c:\documents and settings\Nankyung\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-09 22:04 . 2008-12-20 05:31 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2009-05-28 04:14 . 2008-01-02 15:19 -------- d-----w- c:\program files\Google
2009-05-20 02:46 . 2008-01-20 05:22 368640 ----a-w- c:\windows\system32\ReWire.dll
2009-05-20 02:46 . 2008-01-20 05:22 233472 ----a-w- c:\windows\system32\REX Shared Library.dll
2009-04-15 05:36 . 2009-04-15 05:36 495616 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\EncodingBackend\lame_enc.dll
2009-04-15 05:10 . 2009-04-15 05:10 466944 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite\WebRipDLLs\MusicLoad.dll
2009-04-15 05:10 . 2009-04-15 05:10 197912 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite\WebRipDLLs\PlgSoundclick.dll
2009-04-15 05:10 . 2009-04-15 05:10 177432 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite\WebRipDLLs\PlgIJigg.dll
2009-04-15 05:10 . 2009-04-15 05:10 169240 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite\WebRipDLLs\PlgPandora.dll
2009-04-15 05:10 . 2009-04-15 05:10 136472 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite\WebRipDLLs\PlgLastfm.dll
2009-04-15 05:10 . 2009-04-15 05:09 1258776 ----a-w- c:\documents and settings\All Users\Application Data\RapidSolution\Tunebite\WebRipDLLs\RadioRip.dll
2009-04-11 08:27 . 2008-09-04 07:02 1915520 ----a-w- c:\documents and settings\Mitch\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-02 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-15 8523776]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-27 178712]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-09-12 1015808]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-24 17920]
"WinampAgent"="c:\apps\sound\Winamp\winampa.exe" [2007-12-20 37376]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-26 185896]
"LWBMOUSE"="c:\program files\GearHead\Wheel Mouse\5.3\MOUSE32A.EXE" [2002-05-24 357376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-01-15 81920]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-08-07 200704]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-04 111936]
"iTunesHelper"="c:\apps\sound\iTunes_Mitch\iTunesHelper.exe" [2008-09-11 289576]
"Acrobat Assistant 7.0"="c:\apps\graphics\2d\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-11 67488]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-03-05 115560]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2004-08-04 110592]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-01-15 1626112]

c:\documents and settings\Mitch\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-1-19 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-12-16 25214]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-1-19 113664]
Alias SketchBook Snapshot.lnk - c:\apps\graphics\2d\Alias\Alias SketchBook Pro 2.0\AliasSketchSnap.exe [2005-6-3 233472]
ImageMixer 3 SE Camera Monitor.lnk - c:\program files\PIXELA\ImageMixer 3 SE\CameraMonitor.exe [2008-12-19 253952]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-12 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\apps\web\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w- c:\apps\web\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\apps\\web\\BitComet\\BitComet.exe"=
"c:\\apps\\graphics\\3d\\Autodesk\\Maya2008\\bin\\maya.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\apps\\sound\\iTunes_Mitch\\iTunes.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Quake2\\quake2.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"14074:TCP"= 14074:TCP:BitComet 14074 TCP
"14074:UDP"= 14074:UDP:BitComet 14074 UDP
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"8085:TCP"= 8085:TCP:driver

R1 SASDIFSV;SASDIFSV;c:\apps\web\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\apps\web\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [9/11/2007 1:45 AM 124832]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [6/20/2007 1:30 PM 79168]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [3/26/2009 10:00 PM 1373480]
S2 SqtechUsb;SCAN05C/D USB Driver;c:\windows\system32\drivers\Fusb100.sys [3/15/2008 12:05 AM 64769]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [3/14/2009 11:23 PM 101936]
S3 SASENUM;SASENUM;c:\apps\web\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]
S4 BrlAPI;BrlAPI;c:\cygwin\bin\cygrunsrv.exe --> c:\cygwin\bin\cygrunsrv.exe [?]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\apps\programming\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 8:01 AM 2799808]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}]
c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2009-06-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
- - - - ORPHANS REMOVED - - - -

Notify-dimsntfy - (no file)
Notify-NavLogon - (no file)
SafeBoot-Symantec Antvirus


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.malwarebytes.org/forums/index.php?showtopic=9573
uInternet Settings,ProxyOverride = *.local
IE: &D&ownload &with BitComet - c:\apps\web\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\apps\web\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\apps\web\BitComet\BitComet.exe/AddAllLink.htm
IE: Convert link target to Adobe PDF - c:\apps\graphics\2d\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\apps\graphics\2d\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\apps\graphics\2d\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\apps\graphics\2d\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\apps\graphics\2d\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\apps\graphics\2d\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\apps\graphics\2d\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\apps\graphics\2d\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
Trusted Zone: turbotax.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-19 10:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(584)
c:\apps\web\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(3464)
c:\program files\GearHead\Wheel Mouse\5.3\MOUDL32A.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PSIService.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\windows\system32\WTablet\Wacom_TabletUser.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\apps\graphics\2d\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-06-19 11:02 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-19 18:02

Pre-Run: 20,351,991,808 bytes free
Post-Run: 20,307,562,496 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

337 --- E O F --- 2008-10-14 06:32

#4
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
Hi,

This looks Ok again.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.
Mieke Verburgh
Assistant Director of Research


#5
k1ng_m0b

    New Member

  • Members
  • 9 posts
  • Location:Los Angeles, CA, US PST
Thanks very much for your help! Things seem to be back to normal. I am including the log result of a full system scan from Malwarebytes below. I am able to keep Symantec Endpoint Protection running now, so I will run a full system scan using that as well and see if anything turns up. Should I run HJT again as well?

Thanks,

KM

===Begin MBAM log===

Malwarebytes' Anti-Malware 1.38
Database version: 2309
Windows 5.1.2600 Service Pack 2

6/20/2009 2:44:37 AM
mbam-log-2009-06-20 (02-44-37).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 391057
Time elapsed: 2 hour(s), 26 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
Hi,

No need to run HJT since the Combofix log actually shows more than HijackThis does and that one looked clean again. :)

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
Mieke Verburgh
Assistant Director of Research


#7
k1ng_m0b

    New Member

  • Members
  • 9 posts
  • Location:Los Angeles, CA, US PST
Thank you very much for your help!


miekiemoes, on Jun 20 2009, 04:12 AM, said:

Hi,

No need to run HJT since the Combofix log actually shows more than HijackThis does and that one looked clean again. :P

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!


#8
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
You're most welcome :P
Mieke Verburgh
Assistant Director of Research


#9
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Mieke Verburgh
Assistant Director of Research
