Rootrepeal Log, can't find the (CLB Driver) bad .sys file.
Malwarebytes Forum > Computer Help > Malware Removal - HijackThis Logs
JediLord
Here is my rootrepeal log. Any idea which one of these is the bad CLB Driver I should wipe?

Jedi-

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Time: 2009/06/06 13:31
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: Achernar.sys
Image Path: Achernar.sys
Address: 0xBAB38000 Size: 16768 File Visible: - Signed: -
Status: -

Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xBA779000 Size: 187776 File Visible: - Signed: -
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2142208 File Visible: - Signed: -
Status: -

Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xA81C1000 Size: 138368 File Visible: - Signed: -
Status: -

Name: Aldebaran.sys
Image Path: C:\WINDOWS\System32\Drivers\Aldebaran.sys
Address: 0xBA540000 Size: 11520 File Visible: - Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xBA70B000 Size: 95360 File Visible: - Signed: -
Status: -

Name: ATMFD.DLL
Image Path: C:\WINDOWS\System32\ATMFD.DLL
Address: 0xBFFA0000 Size: 286720 File Visible: - Signed: -
Status: -

Name: audstub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\audstub.sys
Address: 0xBAFC8000 Size: 3072 File Visible: - Signed: -
Status: -

Name: b57xp32.sys
Image Path: C:\WINDOWS\system32\DRIVERS\b57xp32.sys
Address: 0xB970B000 Size: 132352 File Visible: - Signed: -
Status: -

Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xBADB2000 Size: 4224 File Visible: - Signed: -
Status: -

Name: BHDrvx86.sys
Image Path: C:\WINDOWS\system32\drivers\NAV\1005000.086\BHDrvx86.sys
Address: 0xA7FEF000 Size: 270336 File Visible: - Signed: -
Status: -

Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xBACB8000 Size: 12288 File Visible: - Signed: -
Status: -

Name: ccHPx86.sys
Image Path: C:\WINDOWS\system32\drivers\NAV\1005000.086\ccHPx86.sys
Address: 0xA8031000 Size: 503808 File Visible: - Signed: -
Status: -

Name: Cdfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xB98D3000 Size: 63744 File Visible: - Signed: -
Status: -

Name: cdrom.sys
Image Path: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Address: 0xB9923000 Size: 49536 File Visible: - Signed: -
Status: -

Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Address: 0xBA8E8000 Size: 53248 File Visible: - Signed: -
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xBA8D8000 Size: 36352 File Visible: - Signed: -
Status: -

Name: dmio.sys
Image Path: dmio.sys
Address: 0xBA723000 Size: 153344 File Visible: - Signed: -
Status: -

Name: dmload.sys
Image Path: dmload.sys
Address: 0xBADAC000 Size: 5888 File Visible: - Signed: -
Status: -

Name: drmk.sys
Image Path: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xBAA88000 Size: 61440 File Visible: - Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA7FAF000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBADC6000 Size: 8192 File Visible: No Signed: -
Status: -

Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xA8661000 Size: 12288 File Visible: - Signed: -
Status: -

Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF9C3000 Size: 73728 File Visible: - Signed: -
Status: -

Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xBAF5B000 Size: 4096 File Visible: - Signed: -
Status: -

Name: eeCtrl.sys
Image Path: C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
Address: 0xA80C9000 Size: 385024 File Visible: - Signed: -
Status: -

Name: EraserUtilRebootDrv.sys
Image Path: C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
Address: 0xA80AC000 Size: 118784 File Visible: - Signed: -
Status: -

Name: fdc.sys
Image Path: C:\WINDOWS\system32\DRIVERS\fdc.sys
Address: 0xBAB78000 Size: 27392 File Visible: - Signed: -
Status: -

Name: Fips.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xBA998000 Size: 34944 File Visible: - Signed: -
Status: -

Name: fltMgr.sys
Image Path: fltMgr.sys
Address: 0xBA6EB000 Size: 128896 File Visible: - Signed: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xBADB0000 Size: 7936 File Visible: - Signed: -
Status: -

Name: fssfltr_tdi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys
Address: 0xB98F3000 Size: 48128 File Visible: - Signed: -
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xBA749000 Size: 125056 File Visible: - Signed: -
Status: -

Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806E2000 Size: 134400 File Visible: - Signed: -
Status: -

Name: HDAudBus.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
Address: 0xB972C000 Size: 151552 File Visible: - Signed: -
Status: -

Name: HdAudio.sys
Image Path: C:\WINDOWS\system32\drivers\HdAudio.sys
Address: 0xA9489000 Size: 167936 File Visible: - Signed: -
Status: -

Name: HIDCLASS.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Address: 0xBAAF8000 Size: 36864 File Visible: - Signed: -
Status: -

Name: HIDPARSE.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Address: 0xBABD8000 Size: 28672 File Visible: - Signed: -
Status: -

Name: hidusb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\hidusb.sys
Address: 0xBAD7C000 Size: 9600 File Visible: - Signed: -
Status: -

Name: HTTP.sys
Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys
Address: 0xA77DE000 Size: 262784 File Visible: - Signed: -
Status: -

Name: i8042prt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Address: 0xBA9C8000 Size: 52736 File Visible: - Signed: -
Status: -

Name: ialmdd5.DLL
Image Path: C:\WINDOWS\System32\ialmdd5.DLL
Address: 0xBFA3A000 Size: 925696 File Visible: - Signed: -
Status: -

Name: ialmdev5.DLL
Image Path: C:\WINDOWS\System32\ialmdev5.DLL
Address: 0xBFA05000 Size: 217088 File Visible: - Signed: -
Status: -

Name: ialmdnt5.dll
Image Path: C:\WINDOWS\System32\ialmdnt5.dll
Address: 0xBF9E3000 Size: 139264 File Visible: - Signed: -
Status: -

Name: ialmnt5.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
Address: 0xB9765000 Size: 1302208 File Visible: - Signed: -
Status: -

Name: ialmrnt5.dll
Image Path: C:\WINDOWS\System32\ialmrnt5.dll
Address: 0xBF9D5000 Size: 57344 File Visible: - Signed: -
Status: -

Name: IDSxpx86.sys
Image Path: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20090528.001\IDSxpx86.sys
Address: 0xA820B000 Size: 294912 File Visible: - Signed: -
Status: -

Name: imapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\imapi.sys
Address: 0xB9933000 Size: 41856 File Visible: - Signed: -
Status: -

Name: intelppm.sys
Image Path: C:\WINDOWS\system32\DRIVERS\intelppm.sys
Address: 0xB9903000 Size: 36096 File Visible: - Signed: -
Status: -

Name: ipsec.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Address: 0xA8319000 Size: 74752 File Visible: - Signed: -
Status: -

Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xBA8A8000 Size: 35840 File Visible: - Signed: -
Status: -

Name: kbdclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Address: 0xBAB70000 Size: 24576 File Visible: - Signed: -
Status: -

Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xBADA8000 Size: 8192 File Visible: - Signed: -
Status: -

Name: kmixer.sys
Image Path: C:\WINDOWS\system32\drivers\kmixer.sys
Address: 0xA5F10000 Size: 172416 File Visible: - Signed: -
Status: -

Name: ks.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ks.sys
Address: 0xB96B1000 Size: 143360 File Visible: - Signed: -
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xBA650000 Size: 92032 File Visible: - Signed: -
Status: -

Name: LV302AV.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\LV302AV.SYS
Address: 0xA8521000 Size: 221184 File Visible: - Signed: -
Status: -

Name: LVUSBSta.sys
Image Path: C:\WINDOWS\system32\DRIVERS\LVUSBSta.sys
Address: 0xBAB08000 Size: 45056 File Visible: - Signed: -
Status: -

Name: mbamswissarmy.sys
Image Path: C:\WINDOWS\system32\drivers\mbamswissarmy.sys
Address: 0xBABA8000 Size: 32768 File Visible: - Signed: -
Status: -

Name: mchInjDrv.sys
Image Path: C:\WINDOWS\system32\Drivers\mchInjDrv.sys
Address: 0xBAF3B000 Size: 2560 File Visible: No Signed: -
Status: -

Name: mnmdd.SYS
Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xBADB4000 Size: 4224 File Visible: - Signed: -
Status: -

Name: mouclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Address: 0xBAB48000 Size: 23040 File Visible: - Signed: -
Status: -

Name: mouhid.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouhid.sys
Address: 0xBAD80000 Size: 12160 File Visible: - Signed: -
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xBA8B8000 Size: 42240 File Visible: - Signed: -
Status: -

Name: mrxdav.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Address: 0xA7C42000 Size: 179584 File Visible: - Signed: -
Status: -

Name: mrxsmb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Address: 0xA8127000 Size: 453632 File Visible: - Signed: -
Status: -

Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xBAC18000 Size: 19072 File Visible: - Signed: -
Status: -

Name: msgpc.sys
Image Path: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Address: 0xBAA18000 Size: 35072 File Visible: - Signed: -
Status: -

Name: mssmbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Address: 0xB9F3F000 Size: 15488 File Visible: - Signed: -
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xBA574000 Size: 107904 File Visible: - Signed: -
Status: -

Name: NAVENG.SYS
Image Path: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090605.040\NAVENG.SYS
Address: 0xA834C000 Size: 82400 File Visible: - Signed: -
Status: -

Name: NAVEX15.SYS
Image Path: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090605.040\NAVEX15.SYS
Address: 0xA8361000 Size: 869440 File Visible: - Signed: -
Status: -

Name: NDIS.sys
Image Path: NDIS.sys
Address: 0x8A691000 Size: 182912 File Visible: - Signed: -
Status: -

Name: ndistapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Address: 0xBA530000 Size: 9600 File Visible: - Signed: -
Status: -

Name: ndisuio.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Address: 0xA7E7B000 Size: 12928 File Visible: - Signed: -
Status: -

Name: ndiswan.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Address: 0xB969A000 Size: 91776 File Visible: - Signed: -
Status: -

Name: NDProxy.SYS
Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xBAA48000 Size: 38016 File Visible: - Signed: -
Status: -

Name: netbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbios.sys
Address: 0xBA988000 Size: 34560 File Visible: - Signed: -
Status: -

Name: netbt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbt.sys
Address: 0xA81E3000 Size: 162816 File Visible: - Signed: -
Status: -

Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xBAC20000 Size: 30848 File Visible: - Signed: -
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xBA5C3000 Size: 574464 File Visible: - Signed: -
Status: -

Name: ntkrnlpa.exe
Image Path: C:\WINDOWS\system32\ntkrnlpa.exe
Address: 0x804D7000 Size: 2142208 File Visible: - Signed: -
Status: -

Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xBAF4C000 Size: 2944 File Visible: - Signed: -
Status: -

Name: nwlnkipx.sys
Image Path: C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys
Address: 0xA7DD0000 Size: 88448 File Visible: - Signed: -
Status: -

Name: nwlnknb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\nwlnknb.sys
Address: 0xB98E3000 Size: 63232 File Visible: - Signed: -
Status: -

Name: nwlnkspx.sys
Image Path: C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys
Address: 0xA8476000 Size: 55936 File Visible: - Signed: -
Status: -

Name: nwrdr.sys
Image Path: C:\WINDOWS\system32\DRIVERS\nwrdr.sys
Address: 0xA7C6E000 Size: 163584 File Visible: - Signed: -
Status: -

Name: parport.sys
Image Path: C:\WINDOWS\system32\DRIVERS\parport.sys
Address: 0xB96D4000 Size: 80128 File Visible: - Signed: -
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xBAB30000 Size: 18688 File Visible: - Signed: -
Status: -

Name: ParVdm.SYS
Image Path: C:\WINDOWS\System32\Drivers\ParVdm.SYS
Address: 0xBAE38000 Size: 6784 File Visible: - Signed: -
Status: -

Name: pci.sys
Image Path: pci.sys
Address: 0xBA768000 Size: 68224 File Visible: - Signed: -
Status: -

Name: pciide.sys
Image Path: pciide.sys
Address: 0xBAE70000 Size: 3328 File Visible: - Signed: -
Status: -

Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Address: 0xBAB28000 Size: 28672 File Visible: - Signed: -
Status: -

Name: PCTCore.sys
Image Path: PCTCore.sys
Address: 0xBA6B6000 Size: 143360 File Visible: - Signed: -
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2142208 File Visible: - Signed: -
Status: -

Name: portcls.sys
Image Path: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xA9465000 Size: 147456 File Visible: - Signed: -
Status: -

Name: psched.sys
Image Path: C:\WINDOWS\system32\DRIVERS\psched.sys
Address: 0xB9689000 Size: 69120 File Visible: - Signed: -
Status: -

Name: ptilink.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Address: 0xBAB80000 Size: 17792 File Visible: - Signed: -
Status: -

Name: PxHelp20.sys
Image Path: PxHelp20.sys
Address: 0xBA8F8000 Size: 35712 File Visible: - Signed: -
Status: -

Name: rasacd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Address: 0xBADA0000 Size: 8832 File Visible: - Signed: -
Status: -

Name: rasl2tp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Address: 0xBA9E8000 Size: 51328 File Visible: - Signed: -
Status: -

Name: raspppoe.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Address: 0xBA9F8000 Size: 41472 File Visible: - Signed: -
Status: -

Name: raspptp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Address: 0xBAA08000 Size: 48384 File Visible: - Signed: -
Status: -

Name: raspti.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspti.sys
Address: 0xBAB88000 Size: 16512 File Visible: - Signed: -
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2142208 File Visible: - Signed: -
Status: -

Name: rdbss.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Address: 0xA8196000 Size: 174592 File Visible: - Signed: -
Status: -

Name: RDPCDD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xBADB6000 Size: 4224 File Visible: - Signed: -
Status: -

Name: rdpdr.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdpdr.sys
Address: 0xB9658000 Size: 196864 File Visible: - Signed: -
Status: -

Name: redbook.sys
Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys
Address: 0xB9913000 Size: 57472 File Visible: - Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA673E000 Size: 49152 File Visible: No Signed: -
Status: -

Name: secdrv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\secdrv.sys
Address: 0xA72F9000 Size: 40960 File Visible: - Signed: -
Status: -

Name: serenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\serenum.sys
Address: 0xBA544000 Size: 15488 File Visible: - Signed: -
Status: -

Name: serial.sys
Image Path: C:\WINDOWS\system32\DRIVERS\serial.sys
Address: 0xBA9D8000 Size: 64896 File Visible: - Signed: -
Status: -

Name: sfc.SYS
Image Path: C:\WINDOWS\System32\Drivers\sfc.SYS
Address: 0xA6FED000 Size: 11808 File Visible: No Signed: -
Status: -

Name: sr.sys
Image Path: sr.sys
Address: 0xBA6D9000 Size: 73472 File Visible: - Signed: -
Status: -

Name: SRTSP.SYS
Image Path: C:\WINDOWS\system32\drivers\NAV\1005000.086\SRTSP.SYS
Address: 0xA8557000 Size: 335872 File Visible: - Signed: -
Status: -

Name: SRTSPX.SYS
Image Path: C:\WINDOWS\system32\drivers\NAV\1005000.086\SRTSPX.SYS
Address: 0xBA968000 Size: 36992 File Visible: - Signed: -
Status: -

Name: srv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\srv.sys
Address: 0xA769C000 Size: 333184 File Visible: - Signed: -
Status: -

Name: STREAM.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\STREAM.SYS
Address: 0xBAB18000 Size: 49152 File Visible: - Signed: -
Status: -

Name: swenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys
Address: 0xBAE0A000 Size: 4352 File Visible: - Signed: -
Status: -

Name: SYMEFA.SYS
Image Path: SYMEFA.SYS
Address: 0xBA667000 Size: 323584 File Visible: No Signed: -
Status: -

Name: SYMEVENT.SYS
Image Path: C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
Address: 0xA8268000 Size: 151552 File Visible: - Signed: -
Status: -

Name: SYMFW.SYS
Image Path: C:\WINDOWS\system32\drivers\NAV\1005000.086\SYMFW.SYS
Address: 0xA8253000 Size: 83072 File Visible: - Signed: -
Status: -

Name: SYMIDS.SYS
Image Path: C:\WINDOWS\system32\drivers\NAV\1005000.086\SYMIDS.SYS
Address: 0xBAC38000 Size: 28032 File Visible: - Signed: -
Status: -

Name: SymIM.sys
Image Path: C:\WINDOWS\system32\DRIVERS\SymIM.sys
Address: 0xBAB90000 Size: 29696 File Visible: - Signed: -
Status: -

Name: symlcbrd.sys
Image Path: C:\WINDOWS\system32\drivers\symlcbrd.sys
Address: 0xBABA0000 Size: 24576 File Visible: - Signed: -
Status: -

Name: SYMNDIS.SYS
Image Path: C:\WINDOWS\system32\drivers\NAV\1005000.086\SYMNDIS.SYS
Address: 0xBAC30000 Size: 30592 File Visible: - Signed: -
Status: -

Name: SYMTDI.SYS
Image Path: C:\WINDOWS\system32\drivers\NAV\1005000.086\SYMTDI.SYS
Address: 0xA828D000 Size: 210688 File Visible: - Signed: -
Status: -

Name: sysaudio.sys
Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xA7BDA000 Size: 60800 File Visible: - Signed: -
Status: -

Name: tcpip.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xA82C1000 Size: 360320 File Visible: - Signed: -
Status: -

Name: TDI.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Address: 0xBAB98000 Size: 20480 File Visible: - Signed: -
Status: -

Name: termdd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys
Address: 0xBAA28000 Size: 40704 File Visible: - Signed: -
Status: -

Name: tmcomm.sys
Image Path: C:\WINDOWS\system32\drivers\tmcomm.sys
Address: 0xA78A7000 Size: 176128 File Visible: - Signed: -
Status: -

Name: update.sys
Image Path: C:\WINDOWS\system32\DRIVERS\update.sys
Address: 0xB95FF000 Size: 364160 File Visible: - Signed: -
Status: -

Name: USBD.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Address: 0xBAE28000 Size: 8192 File Visible: - Signed: -
Status: -

Name: usbehci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Address: 0xBACB0000 Size: 26624 File Visible: - Signed: -
Status: -

Name: usbhub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Address: 0xBAAE8000 Size: 57600 File Visible: - Signed: -
Status: -

Name: USBPORT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Address: 0xB96E8000 Size: 143360 File Visible: - Signed: -
Status: -

Name: usbuhci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Address: 0xBACA8000 Size: 20480 File Visible: - Signed: -
Status: -

Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xBAC10000 Size: 20992 File Visible: - Signed: -
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Address: 0xB9751000 Size: 81920 File Visible: - Signed: -
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xBA8C8000 Size: 52352 File Visible: - Signed: -
Status: -

Name: wanarp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Address: 0xBA978000 Size: 34560 File Visible: - Signed: -
Status: -

Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xBABB0000 Size: 20480 File Visible: - Signed: -
Status: -

Name: wdmaud.sys
Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xA7842000 Size: 82944 File Visible: - Signed: -
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: wmiacpi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
Address: 0xBA534000 Size: 8832 File Visible: - Signed: -
Status: -

Name: WMILIB.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS
Address: 0xBADAA000 Size: 8192 File Visible: - Signed: -
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2142208 File Visible: - Signed: -
Status: -

miekiemoes
Hi,

Can you run Malwarebytes?
If so, please post the log together with a HijackThislog.

In case you can't run Malwarebytes, Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  2. During the download, rename Combofix to Combo-Fix as follows:
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------
  7. Double click on combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."

JediLord
Here are the new logs after running Combo-Fix as instructed and HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:54:14 AM, on 6/7/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\IPSBHO.DLL
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_9 -reboot 1
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_11.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_11.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1244330446593
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{95B1AEF2-DECC-4B25-85F1-AA17CEC38BB8}: NameServer = 192.168.254.254
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: avast!avscontrolservice - Unknown owner - C:\WINDOWS\System32\avast!AVSControlService.exe (file missing)
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbtcoms.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
O23 - Service: PC Tools Auxiliary Service (sdauxservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdcoreservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 8458 bytes
ComboFix 09-06-06.03 - Scotarnjo 06/07/2009 6:37.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2039.1410 [GMT -5:00]
Running from: c:\documents and settings\Scotarnjo\Desktop\rootbuster\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\SCOTAR~1\APPLIC~1\wiaserva.log
c:\docume~1\SCOTAR~1\APPLIC~1\wiaservg.log
c:\docume~1\SCOTAR~1\LOCALS~1\Temp\IadHide4.dll
c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\c.cgm
c:\documents and settings\Scotarnjo\Local Settings\Temp\IadHide4.dll
c:\program files\Microsoft Common
c:\windows\aceeeg.ini
c:\windows\system32\__c008D1C4.dat
c:\windows\system32\sysloc
c:\windows\system32\sysloc\sysloc.dll
c:\windows\system32\TDSSitpe.dat

Infected copy of c:\windows\system32\sfcfiles.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\sfcfiles.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SFC
-------\Legacy_TDSSSERV.SYS
-------\Service_sfc
-------\Service_TDSSserv.sys
-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-05-07 to 2009-06-07 )))))))))))))))))))))))))))))))
.

2009-06-07 11:39 . 2009-06-07 11:33 182912 -c--a-w- c:\windows\system32\dllcache\ndis.sys
2009-06-07 01:48 . 2009-05-09 18:20 89104 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090606.039\NAVENG.SYS
2009-06-07 01:48 . 2009-05-09 18:20 876144 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090606.039\NAVEX15.SYS
2009-06-07 01:48 . 2009-05-09 18:20 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090606.039\NAVENG32.DLL
2009-06-07 01:48 . 2009-05-09 18:20 1181040 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090606.039\NAVEX32A.DLL
2009-06-07 01:48 . 2009-05-09 18:20 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090606.039\EECTRL.SYS
2009-06-07 01:48 . 2009-05-09 18:20 101936 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090606.039\ERASER.SYS
2009-06-07 01:48 . 2009-05-09 18:20 259368 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090606.039\ECMSVR32.DLL
2009-06-07 01:48 . 2009-05-09 18:19 2414128 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090606.039\CCERASER.DLL
2009-06-06 22:14 . 2009-06-06 22:14 -------- d-----w- c:\program files\Trend Micro
2009-06-06 17:24 . 2009-06-06 17:25 -------- dc-h--w- c:\windows\ie8
2009-06-06 16:56 . 2009-06-06 17:16 -------- d-----w- C:\bfaa24cf73bbcf680408f6b3440804e6
2009-06-06 15:38 . 2009-06-06 16:55 -------- d-----w- C:\515a62d7ee311f5dcddd
2009-06-06 14:08 . 2009-05-26 18:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-06 14:08 . 2009-05-26 18:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-06 13:49 . 2008-12-11 13:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-06-06 13:49 . 2009-04-03 16:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-06-06 13:49 . 2008-12-18 17:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-06-06 13:48 . 2009-06-06 22:53 -------- d-----w- c:\program files\Common Files\PC Tools
2009-06-06 13:48 . 2008-12-10 16:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-06-06 13:48 . 2009-06-06 15:41 -------- d-----w- c:\program files\Spyware Doctor
2009-06-06 13:48 . 2009-06-06 13:48 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-06-06 13:48 . 2009-06-06 13:48 -------- d-----w- c:\docume~1\SCOTAR~1\APPLIC~1\PC Tools
2009-06-05 12:16 . 2009-06-05 12:16 -------- d-----w- c:\program files\RegCleaner
2009-06-05 02:09 . 2009-06-05 02:09 153104 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-06-05 00:28 . 2009-05-09 18:20 165240 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
2009-06-04 23:45 . 2009-06-04 23:45 -------- d-----r- c:\program files\Norton Support
2009-06-04 22:23 . 2009-06-04 22:23 -------- d-----w- c:\program files\FileASSASSIN
2009-06-04 11:37 . 2009-06-04 11:37 9728 ----a-w- C:\xnljcwib.exe
2009-06-04 11:37 . 2009-06-04 11:37 38400 ----a-w- C:\buvppwg.exe
2009-06-04 11:36 . 2009-06-04 11:36 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-06-04 11:34 . 2009-06-04 11:34 -------- d-sh--w- c:\windows\system32\config\systemprofile\IECompatCache
2009-06-04 11:34 . 2009-06-04 11:34 38400 ----a-w- C:\lquq.exe
2009-06-02 16:05 . 2009-06-02 16:05 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-05-31 03:19 . 2009-05-31 03:19 18184984 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\msgup900_2162_us.exe
2009-05-29 19:50 . 2009-03-16 20:03 533880 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090528.001\Scxpx86.dll
2009-05-29 19:50 . 2009-05-09 18:20 396848 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090528.001\IDSviA64.sys
2009-05-29 19:50 . 2009-05-09 18:20 292912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090528.001\IDSvix86.sys
2009-05-29 19:50 . 2009-05-09 18:20 276344 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090528.001\IDSXpx86.sys
2009-05-29 19:50 . 2009-05-09 18:20 447864 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090528.001\IDSxpx86.dll
2009-05-19 19:25 . 2009-05-09 18:20 396848 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090513.001\IDSviA64.sys
2009-05-19 19:25 . 2009-05-09 18:20 292912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090513.001\IDSvix86.sys
2009-05-19 19:25 . 2009-05-09 18:20 276344 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090513.001\IDSXpx86.sys
2009-05-19 19:25 . 2009-05-09 18:20 447864 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090513.001\IDSxpx86.dll
2009-05-19 19:25 . 2009-03-16 20:03 533880 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090513.001\Scxpx86.dll
2009-05-10 22:53 . 2009-05-10 22:53 -------- d-----w- c:\documents and settings\Scotarnjo\Local Settings\Application Data\Symantec
2009-05-09 20:35 . 2009-05-09 21:35 -------- d-----w- c:\docume~1\SCOTAR~1\APPLIC~1\GetRightToGo
2009-05-09 18:20 . 2009-05-09 18:20 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys
2009-05-09 18:20 . 2009-05-09 18:20 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-05-09 18:20 . 2009-05-09 18:20 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-05-09 18:20 . 2009-05-09 18:20 -------- d-----w- c:\program files\Symantec
2009-05-09 18:20 . 2009-05-09 18:20 396848 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSvia64.sys
2009-05-09 18:20 . 2009-05-09 18:20 292912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSvix86.sys
2009-05-09 18:20 . 2009-05-09 18:20 276344 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSxpx86.sys
2009-05-09 18:20 . 2009-05-09 18:20 1290592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\SyKnAppS.dll
2009-05-09 18:20 . 2009-05-09 18:20 136840 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\patch25.dll
2009-05-09 18:20 . 2009-05-09 18:20 447864 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\idsxpx86.dll
2009-05-09 18:19 . 2009-05-09 18:19 796016 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\CLT\cltLMSx.dll
2009-05-09 18:18 . 2009-05-09 18:18 -------- d-----w- c:\windows\system32\drivers\NAV
2009-05-09 18:18 . 2009-05-09 18:19 -------- d-----w- c:\program files\Norton AntiVirus
2009-05-09 18:13 . 2009-05-09 18:13 -------- d-----w- c:\documents and settings\All Users\Application Data\PCSettings
2009-05-09 18:13 . 2009-05-09 18:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-05-09 18:12 . 2009-05-09 18:18 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-05-09 18:12 . 2009-05-09 18:12 -------- d-----w- c:\program files\NortonInstaller

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-07 04:44 . 2005-11-12 19:39 67944 ----a-w- c:\documents and settings\Scotarnjo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-07 03:54 . 2006-02-20 22:20 -------- d-----w- c:\program files\Java
2009-06-07 03:28 . 2005-11-10 23:11 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-07 01:30 . 2008-12-23 22:08 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-06 14:08 . 2008-12-23 20:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-06 13:48 . 2006-03-02 18:47 -------- d-----w- c:\program files\Google
2009-06-06 13:23 . 2004-08-03 22:58 7552 ----a-w- c:\windows\system32\drivers\mskssrv.sys
2009-06-05 18:57 . 2006-10-28 12:53 -------- d-----w- c:\program files\World of Warcraft
2009-06-05 18:41 . 2006-04-20 09:15 -------- d-----w- c:\program files\Viewpoint
2009-06-05 18:41 . 2006-04-20 09:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-06-05 18:40 . 2007-01-19 04:44 -------- d-----w- c:\docume~1\SCOTAR~1\APPLIC~1\Viewpoint
2009-06-05 13:24 . 2006-03-25 04:14 -------- d-----w- c:\program files\LimeWire
2009-06-04 11:36 . 2006-02-28 12:00 212480 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-05-09 18:22 . 2005-11-10 02:57 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-05-09 18:20 . 2009-05-09 18:20 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-05-09 18:20 . 2009-05-09 18:20 7386 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-05-09 18:18 . 2005-11-10 02:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-05-06 19:08 . 2009-04-28 20:52 18189072 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\msgup900_2152_us.exe
2009-05-05 00:14 . 2005-11-11 00:00 -------- d-----w- c:\program files\Lx_cats
2009-05-04 05:16 . 2009-05-04 05:16 -------- d-----w- c:\program files\CCleaner
2009-05-03 02:45 . 2009-05-03 02:45 -------- d-----w- c:\docume~1\SCOTAR~1\APPLIC~1\Uniblue
2009-05-02 19:52 . 2009-05-02 19:52 -------- d-----w- c:\program files\AIM6
2009-05-02 19:52 . 2009-05-02 19:52 -------- d-----w- c:\documents and settings\All Users\Application Data\acccore
2009-05-02 19:16 . 2009-04-02 18:05 -------- d-----w- c:\program files\Common Files\FotoWire
2009-04-28 20:54 . 2006-12-16 11:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-04-21 14:46 . 2009-04-21 14:46 -------- d-----w- c:\program files\Microsoft Office Outlook Connector
2009-04-02 17:55 . 2009-04-02 17:55 81920 ------r- c:\windows\bwUnin-6.1.4.68-8876480L.exe
2009-03-16 20:03 . 2009-03-16 20:03 533880 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\Scxpx86.dll
.

------- Sigcheck -------

[7] 2009-06-07 11:33 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\system32\dllcache\ndis.sys
[-] 2009-06-04 11:36 212480 1DDCD4F10C093B87A59A0FBA97E8462D c:\windows\system32\drivers\ndis.sys
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2005-09-24 05:30 . 2006-01-13 02:52 483328 c:\program files\Adobe\Acrobat 7.0\Distillr\bak\Acrotray.exe

2006-05-10 00:24 . 2006-05-10 00:24 50760 c:\program files\Common Files\AOL\1145524522\ee\bak\AOLSoftware.exe

2006-02-17 16:59 . 2006-02-17 16:59 124520 c:\program files\Common Files\AOL\IPHSend\bak\IPHSend.exe

2003-09-14 02:36 . 2003-09-14 02:36 50688 c:\program files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe

2006-09-28 11:58 . 2006-07-14 20:03 107008 c:\program files\j2 Messenger 4.2\bak\J2GDllCmd.exe

2006-10-18 11:22 . 2004-02-24 17:10 57344 c:\program files\Lexmark 5200 series\bak\lxbtbmgr.exe

2006-08-19 12:06 . 2006-08-19 12:06 282624 c:\program files\QuickTime\bak\qttask.exe

2007-03-10 19:36 . 2006-02-28 12:00 208952 c:\windows\ime\imjp8_1\bak\IMJPMIG.EXE
2007-03-10 19:36 . 2006-02-28 12:00 208952 c:\windows\ime\imjp8_1\imjpmig.exe

2007-03-10 19:36 . 2006-02-28 12:00 44032 c:\windows\ime\imkr6_1\bak\IMEKRMIG.EXE
2007-03-10 19:36 . 2006-02-28 12:00 44032 c:\windows\ime\imkr6_1\imekrmig.exe

2006-02-28 12:00 . 2006-02-28 12:00 15360 c:\windows\system32\bak\ctfmon.exe
2006-02-28 12:00 . 2006-02-28 12:00 15360 c:\windows\system32\ctfmon.exe

2005-09-20 16:32 . 2005-09-20 16:32 77824 c:\windows\system32\bak\hkcmd.exe

2005-09-20 16:36 . 2005-09-20 16:36 114688 c:\windows\system32\bak\igfxpers.exe

2005-09-20 16:35 . 2005-09-20 16:35 94208 c:\windows\system32\bak\igfxtray.exe

2006-04-07 13:05 . 2001-07-09 16:50 155648 c:\windows\system32\bak\NeroCheck.exe

2007-03-10 19:37 . 2006-02-28 12:00 59392 c:\windows\system32\IME\PINTLGNT\bak\ImScInst.exe
2007-03-10 19:37 . 2006-02-28 12:00 59392 c:\windows\system32\IME\PINTLGNT\imscinst.exe

2007-03-10 19:37 . 2006-02-28 12:00 455168 c:\windows\system32\IME\TINTLGNT\bak\TINTSETP.EXE
2007-03-10 19:37 . 2006-02-28 12:00 455168 c:\windows\system32\IME\TINTLGNT\tintsetp.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-02-28 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [N/A]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2004-06-01 196608]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2009-04-02 20480]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-04-27 49968]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-06 39408]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2009-4-2 450560]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"DisallowRun"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKLM\~\startupfolder\c:^documents and settings^scotarnjo^start menu^programs^startup^powerreg scheduler.exe]
path=c:\documents and settings\Scotarnjo\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=c:\windows\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.4.3-to-3.0.2-enUS-Win-Final-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Windows Live\\Mail\\wlmail.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\Norton AntiVirus\\Engine\\16.5.0.134\\ccSvcHst.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:blizzard downloader
"6112:TCP"= 6112:TCP:blizzard downloader

R0 Achernar;Achernar - SCSI Command Filters;c:\windows\system32\drivers\Achernar.sys [2/21/2009 11:13 PM 16855]
R0 pctcore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [6/6/2009 8:49 AM 130936]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1005000.086\SymEFA.sys [5/9/2009 1:20 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1005000.086\BHDrvx86.sys [5/9/2009 1:20 PM 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1005000.086\cchpx86.sys [5/9/2009 1:20 PM 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090528.001\IDSXpx86.sys [5/29/2009 2:50 PM 276344]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [3/26/2009 2:54 PM 55152]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe [5/9/2009 1:20 PM 115560]
R2 sdauxservice;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [6/6/2009 8:48 AM 348752]
R3 Aldebaran;Aldebaran - SCSI Command Filters;c:\windows\system32\drivers\Aldebaran.sys [2/21/2009 11:13 PM 21808]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/6/2009 1:51 PM 101936]
S1 7911a769;7911a769;c:\windows\system32\drivers\7911a769.sys --> c:\windows\system32\drivers\7911a769.sys [?]
S2 avast!avscontrolservice;avast!avscontrolservice;c:\windows\System32\avast!AVSControlService.exe -k netsvcs --> c:\windows\System32\avast!AVSControlService.exe -k netsvcs [?]
S2 Ca536av;FashionCam Video Camera Device;c:\windows\system32\drivers\Ca536av.sys [3/4/2006 2:48 PM 514859]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 6:08 PM 533360]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [6/6/2009 9:08 AM 40160]
S3 USBCamera;FashionCam Digital Still Camera Device;c:\windows\system32\drivers\Bulk536.sys [3/4/2006 2:48 PM 11048]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60b49e34-c7cc-11d0-8953-00a0c90347ff}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder

2009-06-07 c:\windows\Tasks\User_Feed_Synchronization-{9C40644F-AE8D-44C9-BE50-A84056159EBE}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
.
- - - - ORPHANS REMOVED - - - -

Notify-__c007D907 - c:\windows\system32\__c007D907.dat
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = <local>;localhost
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
IE: &Search
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
TCP: {95B1AEF2-DECC-4B25-85F1-AA17CEC38BB8} = 192.168.254.254
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
FF - ProfilePath - c:\docume~1\SCOTAR~1\APPLIC~1\Mozilla\Firefox\Profiles\l4vdvhb3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-07 06:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.5.0.134\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1020)
c:\windows\system32\NavLogon.dll

- - - - - - - > 'explorer.exe'(2080)
c:\windows\system32\ieframe.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\control.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2009-06-07 6:50 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-07 11:50

Pre-Run: 19,840,434,176 bytes free
Post-Run: 21,485,600,768 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

314 --- E O F --- 2009-05-09 11:16
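Added note, not part of the original thread: three things in the ComboFix log above are worth pulling out mechanically. First, the Sigcheck pair: the [7] copy of ndis.sys in dllcache and the [-] copy in drivers\ have different sizes and MD5s, and the drivers\ copy is the one that was modified on 2009-06-04 11:36. Second, the timestamp cluster: C:\lquq.exe (11:34), the LocalService IETldCache folder (11:36), the ndis.sys modification (11:36) and C:\xnljcwib.exe / C:\buvppwg.exe (11:37) all land within four minutes of each other. Third, the S1 service 7911a769, a bare hex name whose image ComboFix could not stat, printed with a trailing [?], just like the avast entry that HijackThis lists as "(file missing)". The Python below is an example triage script written for this page, not a ComboFix or forum tool, and it runs over a constructed sample made of lines copied from the log. The reading of [7]/[-] as verified/unverified, of [?] as "image file not found", and of the first timestamp column as "when the entry appeared or changed on this disk" are assumptions taken from the log layout, not documented ComboFix semantics.

```python
"""Triage helpers for a ComboFix log (example code written for this page)."""
import re
from datetime import datetime, timedelta

# Constructed sample: lines copied from the ComboFix log above, embedded so the
# script runs offline. Raw string, so the backslashes are literal.
SAMPLE_LOG = r"""
2009-06-07 11:39 . 2009-06-07 11:33 182912 -c--a-w- c:\windows\system32\dllcache\ndis.sys
2009-06-04 11:37 . 2009-06-04 11:37 9728 ----a-w- C:\xnljcwib.exe
2009-06-04 11:37 . 2009-06-04 11:37 38400 ----a-w- C:\buvppwg.exe
2009-06-04 11:36 . 2009-06-04 11:36 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-06-04 11:34 . 2009-06-04 11:34 38400 ----a-w- C:\lquq.exe
2009-06-04 11:36 . 2006-02-28 12:00 212480 ----a-w- c:\windows\system32\drivers\ndis.sys
[7] 2009-06-07 11:33 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\system32\dllcache\ndis.sys
[-] 2009-06-04 11:36 212480 1DDCD4F10C093B87A59A0FBA97E8462D c:\windows\system32\drivers\ndis.sys
R0 Achernar;Achernar - SCSI Command Filters;c:\windows\system32\drivers\Achernar.sys [2/21/2009 11:13 PM 16855]
S1 7911a769;7911a769;c:\windows\system32\drivers\7911a769.sys --> c:\windows\system32\drivers\7911a769.sys [?]
S2 avast!avscontrolservice;avast!avscontrolservice;c:\windows\System32\avast!AVSControlService.exe -k netsvcs --> c:\windows\System32\avast!AVSControlService.exe -k netsvcs [?]
"""

TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}"
FILE_RE = re.compile(rf"^({TS}) \. ({TS}) (\S+) (\S+) (.+)$")      # ts . ts size attrs path
SIG_RE = re.compile(r"^\[(.)\] (" + TS + r") (\d+) ([0-9A-Fa-f]{32}) (.+)$")  # [flag] ts size md5 path
SVC_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+)$")           # R0 name;display;image [...]


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_file_lines(text):
    """(timestamp, size_or_None, path) per Files Created / Find3M line. The first
    timestamp is read as "when this entry appeared or changed on this disk"
    (assumption: creation time in Files Created, modification time in Find3M)."""
    out = []
    for m in filter(None, map(FILE_RE.match, text.splitlines())):
        size = int(m.group(3)) if m.group(3).isdigit() else None
        out.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M"), size, m.group(5)))
    return out


def cluster_around(entries, anchor_suffix, window_minutes=5):
    """Basenames of entries within +/- window of the entry whose path ends with
    anchor_suffix, oldest first: files dropped in the same minutes as a system
    file modification are the first candidates for dropper and payload."""
    anchors = [e for e in entries if e[2].lower().endswith(anchor_suffix.lower())]
    if not anchors:
        return []
    t0, window = anchors[0][0], timedelta(minutes=window_minutes)
    hits = sorted((e for e in entries if abs(e[0] - t0) <= window), key=lambda e: e[0])
    return [basename(e[2]) for e in hits]


def sigcheck_mismatches(text):
    """Pair each '[-]' (unverified) Sigcheck entry with a '[7]' (verified) copy of
    the same basename whose MD5 differs. Each pair is (source, target) for an
    FCOPY:: line. The [7]/[-] reading is an assumption from this log, where the
    [7] dllcache copy was the one restored over the [-] drivers copy."""
    by_name = {}
    for m in filter(None, map(SIG_RE.match, text.splitlines())):
        entry = {"flag": m.group(1), "md5": m.group(4).upper(), "path": m.group(5)}
        by_name.setdefault(basename(entry["path"]).lower(), []).append(entry)
    pairs = []
    for group in by_name.values():
        good = [e for e in group if e["flag"] == "7"]
        for bad in (e for e in group if e["flag"] == "-"):
            pairs.extend((g["path"], bad["path"]) for g in good if g["md5"] != bad["md5"])
    return pairs


def suspicious_services(text):
    """Flag service lines whose name is a bare 8-hex-digit string (random-looking,
    like 7911a769) or whose image ComboFix could not stat, shown by a trailing
    '[?]' (the entries HijackThis lists as '(file missing)')."""
    flagged = []
    for m in filter(None, map(SVC_RE.match, text.splitlines())):
        name, rest = m.group(2), m.group(4)
        reasons = []
        if re.fullmatch(r"[0-9a-f]{8}", name):
            reasons.append("hex-only name")
        if rest.rstrip().endswith("[?]"):
            reasons.append("image file not found")
        if reasons:
            flagged.append((name, reasons))
    return flagged


def triage(text, anchor_suffix=r"\drivers\ndis.sys"):
    return {
        "fcopy": sigcheck_mismatches(text),
        "cluster": cluster_around(parse_file_lines(text), anchor_suffix),
        "services": suspicious_services(text),
    }


if __name__ == "__main__":
    for section, findings in triage(SAMPLE_LOG).items():
        print(section, findings)
```

Run against the sample, the three findings are exactly the three items the helper's CFScript goes after: the FCOPY source/target pair for ndis.sys, the three root-level executables in the cluster around the ndis.sys modification, and the 7911a769 driver. The avast entry is flagged only because its image is missing, which on this machine is a leftover of an uninstalled product rather than malware, so the "image file not found" reason needs a human look before it goes into a fix script.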
miekiemoes
Hi,

What a mess....

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

QUOTE
File::
C:\xnljcwib.exe
C:\buvppwg.exe
C:\lquq.exe
FCOPY::
c:\windows\system32\dllcache\ndis.sys | c:\windows\system32\drivers\ndis.sys
Folder::
c:\windows\ime\imjp8_1\bak
c:\windows\system32\IME\PINTLGNT\bak
c:\windows\system32\bak
c:\windows\ime\imkr6_1\bak
AWF::
c:\windows\system32\bak\NeroCheck.exe
c:\program files\Adobe\Acrobat 7.0\Distillr\bak\Acrotray.exe
c:\program files\Common Files\AOL\1145524522\ee\bak\AOLSoftware.exe
c:\program files\Common Files\AOL\IPHSend\bak\IPHSend.exe
c:\program files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe
c:\program files\j2 Messenger 4.2\bak\J2GDllCmd.exe
c:\program files\Lexmark 5200 series\bak\lxbtbmgr.exe
c:\program files\QuickTime\bak\qttask.exe
c:\windows\system32\bak\hkcmd.exe
c:\windows\system32\bak\igfxpers.exe
c:\windows\system32\bak\igfxtray.exe
Driver::
7911a769
Registry::
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"DisallowRun"=-
[-HKLM\~\startupfolder\c:^documents and settings^scotarnjo^start menu^programs^startup^powerreg scheduler.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.
JediLord
OK, thank you.
miekiemoes
Hi,

Don't forget to post the logs afterwards.
JediLord
ComboFix 09-06-08.02 - Scotarnjo 06/08/2009 18:04.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2039.1482 [GMT -5:00]
Running from: c:\documents and settings\Scotarnjo\Desktop\rootbuster\Combo-Fix.exe
Command switches used :: c:\documents and settings\Scotarnjo\Desktop\rootbuster\CFScript.txt
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

FILE ::
"C:\buvppwg.exe"
"C:\lquq.exe"
"C:\xnljcwib.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\SCOTAR~1\LOCALS~1\Temp\IadHide4.dll
c:\documents and settings\Scotarnjo\Local Settings\temp\IadHide4.dll
c:\windows\ime\imjp8_1\bak
c:\windows\ime\imjp8_1\bak\IMJPMIG.EXE
c:\windows\ime\imkr6_1\bak
c:\windows\ime\imkr6_1\bak\IMEKRMIG.EXE
c:\windows\system32\bak
c:\windows\system32\bak\ctfmon.exe
c:\windows\system32\IME\PINTLGNT\bak
c:\windows\system32\IME\PINTLGNT\bak\ImScInst.exe

.
--------------- FCopy ---------------

c:\windows\system32\dllcache\ndis.sys --> c:\windows\system32\drivers\ndis.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_7911a769


((((((((((((((((((((((((( Files Created from 2009-05-08 to 2009-06-08 )))))))))))))))))))))))))))))))
.

2009-06-08 23:11 . 2009-05-09 18:20 165240 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
2009-06-08 23:00 . 2009-05-09 18:20 276344 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090604.001\IDSXpx86.sys
2009-06-08 23:00 . 2009-05-09 18:20 447864 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090604.001\IDSxpx86.dll
2009-06-08 23:00 . 2009-03-16 20:03 533880 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090604.001\Scxpx86.dll
2009-06-08 23:00 . 2009-05-09 18:20 396848 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090604.001\IDSviA64.sys
2009-06-08 23:00 . 2009-05-09 18:20 292912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090604.001\IDSvix86.sys
2009-06-08 15:41 . 2009-05-09 18:20 89104 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090608.007\NAVENG.SYS
2009-06-08 15:41 . 2009-05-09 18:20 876144 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090608.007\NAVEX15.SYS
2009-06-08 15:41 . 2009-05-09 18:20 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090608.007\NAVENG32.DLL
2009-06-08 15:41 . 2009-05-09 18:20 1181040 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090608.007\NAVEX32A.DLL
2009-06-08 15:41 . 2009-05-09 18:20 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090608.007\EECTRL.SYS
2009-06-08 15:41 . 2009-05-09 18:20 101936 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090608.007\ERASER.SYS
2009-06-08 15:41 . 2009-05-09 18:20 259368 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090608.007\ECMSVR32.DLL
2009-06-08 15:41 . 2009-05-09 18:19 2414128 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090608.007\CCERASER.DLL
2009-06-07 04:11 . 2009-06-07 04:11 152576 ----a-w- c:\documents and settings\Scotarnjo\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-06-06 22:14 . 2009-06-06 22:14 -------- d-----w- c:\program files\Trend Micro
2009-06-06 17:24 . 2009-06-06 17:25 -------- dc-h--w- c:\windows\ie8
2009-06-06 16:56 . 2009-06-06 17:16 -------- d-----w- C:\bfaa24cf73bbcf680408f6b3440804e6
2009-06-06 15:38 . 2009-06-06 16:55 -------- d-----w- C:\515a62d7ee311f5dcddd
2009-06-06 14:08 . 2009-05-26 18:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-06 14:08 . 2009-05-26 18:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-06 13:49 . 2008-12-11 13:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-06-06 13:49 . 2009-04-03 16:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-06-06 13:49 . 2008-12-18 17:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-06-06 13:48 . 2009-06-06 22:53 -------- d-----w- c:\program files\Common Files\PC Tools
2009-06-06 13:48 . 2008-12-10 16:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-06-06 13:48 . 2009-06-06 15:41 -------- d-----w- c:\program files\Spyware Doctor
2009-06-06 13:48 . 2009-06-06 13:48 -------- d-----w- c:\documents and settings\Scotarnjo\Application Data\PC Tools
2009-06-06 13:48 . 2009-06-06 13:48 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-06-05 12:16 . 2009-06-05 12:16 -------- d-----w- c:\program files\RegCleaner
2009-06-05 02:09 . 2009-06-05 02:09 153104 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-06-04 23:45 . 2009-06-04 23:45 -------- d-----r- c:\program files\Norton Support
2009-06-04 22:23 . 2009-06-04 22:23 -------- d-----w- c:\program files\FileASSASSIN
2009-06-04 11:36 . 2009-06-04 11:36 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-06-04 11:34 . 2009-06-04 11:34 -------- d-sh--w- c:\windows\system32\config\systemprofile\IECompatCache
2009-06-02 16:05 . 2009-06-02 16:05 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-05-31 03:19 . 2009-05-31 03:19 18184984 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\msgup900_2162_us.exe
2009-05-29 19:50 . 2009-03-16 20:03 533880 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090528.001\Scxpx86.dll
2009-05-29 19:50 . 2009-05-09 18:20 396848 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090528.001\IDSviA64.sys
2009-05-29 19:50 . 2009-05-09 18:20 292912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090528.001\IDSvix86.sys
2009-05-29 19:50 . 2009-05-09 18:20 276344 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090528.001\IDSXpx86.sys
2009-05-29 19:50 . 2009-05-09 18:20 447864 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090528.001\IDSxpx86.dll
2009-05-10 22:53 . 2009-05-10 22:53 -------- d-----w- c:\documents and settings\Scotarnjo\Local Settings\Application Data\Symantec

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-08 23:12 . 2006-08-19 12:06 -------- d-----w- c:\program files\QuickTime
2009-06-08 23:04 . 2006-09-28 11:58 -------- d-----w- c:\program files\j2 Messenger 4.2
2009-06-08 23:04 . 2005-11-10 23:58 -------- d-----w- c:\program files\Lexmark 5200 series
2009-06-07 11:33 . 2006-02-28 12:00 182912 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-06-07 04:44 . 2005-11-12 19:39 67944 ----a-w- c:\documents and settings\Scotarnjo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-07 03:54 . 2006-02-20 22:20 -------- d-----w- c:\program files\Java
2009-06-07 03:28 . 2005-11-10 23:11 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-07 01:30 . 2008-12-23 22:08 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-06 14:08 . 2008-12-23 20:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-06 13:48 . 2006-03-02 18:47 -------- d-----w- c:\program files\Google
2009-06-06 13:23 . 2004-08-03 22:58 7552 ----a-w- c:\windows\system32\drivers\mskssrv.sys
2009-06-05 18:57 . 2006-10-28 12:53 -------- d-----w- c:\program files\World of Warcraft
2009-06-05 18:41 . 2006-04-20 09:15 -------- d-----w- c:\program files\Viewpoint
2009-06-05 18:41 . 2006-04-20 09:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-06-05 18:40 . 2007-01-19 04:44 -------- d-----w- c:\documents and settings\Scotarnjo\Application Data\Viewpoint
2009-06-05 13:24 . 2006-03-25 04:14 -------- d-----w- c:\program files\LimeWire
2009-05-09 21:35 . 2009-05-09 20:35 -------- d-----w- c:\documents and settings\Scotarnjo\Application Data\GetRightToGo
2009-05-09 18:22 . 2005-11-10 02:57 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-05-09 18:21 . 2009-05-09 18:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-05-09 18:20 . 2009-05-09 18:20 -------- d-----w- c:\program files\Symantec
2009-05-09 18:20 . 2009-05-09 18:20 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-05-09 18:20 . 2009-05-09 18:20 7386 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-05-09 18:20 . 2009-05-09 18:20 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-05-09 18:20 . 2009-05-09 18:20 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-05-09 18:20 . 2009-05-09 18:20 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys
2009-05-09 18:20 . 2009-05-09 18:20 396848 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSvia64.sys
2009-05-09 18:20 . 2009-05-09 18:20 292912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSvix86.sys
2009-05-09 18:20 . 2009-05-09 18:20 276344 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSxpx86.sys
2009-05-09 18:20 . 2009-05-09 18:20 1290592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\SyKnAppS.dll
2009-05-09 18:20 . 2009-05-09 18:20 136840 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\patch25.dll
2009-05-09 18:20 . 2009-05-09 18:20 447864 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\idsxpx86.dll
2009-05-09 18:19 . 2009-05-09 18:19 796016 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\CLT\cltLMSx.dll
2009-05-09 18:19 . 2009-05-09 18:18 -------- d-----w- c:\program files\Norton AntiVirus
2009-05-09 18:18 . 2005-11-10 02:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-05-09 18:18 . 2009-05-09 18:12 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-05-09 18:13 . 2009-05-09 18:13 -------- d-----w- c:\documents and settings\All Users\Application Data\PCSettings
2009-05-09 18:12 . 2009-05-09 18:12 -------- d-----w- c:\program files\NortonInstaller
2009-05-06 19:08 . 2009-04-28 20:52 18189072 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\msgup900_2152_us.exe
2009-05-05 00:14 . 2005-11-11 00:00 -------- d-----w- c:\program files\Lx_cats
2009-05-04 05:16 . 2009-05-04 05:16 -------- d-----w- c:\program files\CCleaner
2009-05-03 02:45 . 2009-05-03 02:45 -------- d-----w- c:\documents and settings\Scotarnjo\Application Data\Uniblue
2009-05-02 19:52 . 2009-05-02 19:52 -------- d-----w- c:\program files\AIM6
2009-05-02 19:52 . 2009-05-02 19:52 -------- d-----w- c:\documents and settings\All Users\Application Data\acccore
2009-05-02 19:16 . 2009-04-02 18:05 -------- d-----w- c:\program files\Common Files\FotoWire
2009-04-28 20:54 . 2006-12-16 11:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-04-21 14:46 . 2009-04-21 14:46 -------- d-----w- c:\program files\Microsoft Office Outlook Connector
2009-04-02 17:55 . 2009-04-02 17:55 81920 ------r- c:\windows\bwUnin-6.1.4.68-8876480L.exe
2009-03-16 20:03 . 2009-03-16 20:03 533880 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\Scxpx86.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-06-07_11.43.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-08 22:50 . 2009-06-08 22:50 16384 c:\windows\Temp\Perflib_Perfdata_b40.dat
+ 2009-06-08 23:12 . 2009-06-08 23:12 16384 c:\windows\Temp\Perflib_Perfdata_924.dat
+ 2009-06-08 23:12 . 2009-06-08 23:12 16384 c:\windows\Temp\Perflib_Perfdata_12c.dat
+ 2009-06-08 23:11 . 2009-06-08 23:11 16384 c:\windows\Temp\Perflib_Perfdata_108.dat
+ 2009-06-07 19:51 . 2009-06-07 19:51 89102 c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2005-09-20 16:35 . 2005-09-20 16:35 94208 c:\windows\system32\igfxtray.exe
+ 2005-09-20 16:32 . 2005-09-20 16:32 77824 c:\windows\system32\hkcmd.exe
+ 2007-03-16 00:17 . 2009-03-11 03:18 934792 c:\windows\system32\WgaTray.exe
+ 2007-03-16 00:16 . 2009-03-11 03:18 239496 c:\windows\system32\WgaLogon.dll
+ 2006-04-07 13:05 . 2001-07-09 16:50 155648 c:\windows\system32\NeroCheck.exe
+ 2009-02-03 02:07 . 2009-02-03 02:07 240544 c:\windows\system32\Macromed\Flash\FlashUtil10b.exe
+ 2005-09-20 16:36 . 2005-09-20 16:36 114688 c:\windows\system32\igfxpers.exe
+ 2007-03-16 00:17 . 2009-03-11 03:18 934792 c:\windows\system32\dllcache\WgaTray.exe
+ 2007-03-16 00:16 . 2009-03-11 03:18 239496 c:\windows\system32\dllcache\wgaLogon.dll
+ 2006-02-28 12:00 . 2009-06-07 11:33 182912 c:\windows\system32\dllcache\ndis.sys
- 2009-06-07 11:39 . 2009-06-07 11:33 182912 c:\windows\system32\dllcache\ndis.sys
+ 2006-05-17 17:23 . 2009-03-11 03:18 1482112 c:\windows\system32\LegitCheckControl.dll
+ 2009-02-02 23:07 . 2009-02-02 23:07 1914440 c:\windows\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe
+ 2005-12-17 14:18 . 2009-05-07 07:16 24699336 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-02-28 15360]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2004-06-01 196608]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2009-04-02 20480]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-04-27 49968]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-06 39408]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2009-4-2 450560]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.4.3-to-3.0.2-enUS-Win-Final-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Windows Live\\Mail\\wlmail.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\Norton AntiVirus\\Engine\\16.5.0.134\\ccSvcHst.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:blizzard downloader
"6112:TCP"= 6112:TCP:blizzard downloader

R0 Achernar;Achernar - SCSI Command Filters;c:\windows\system32\drivers\Achernar.sys [2/21/2009 11:13 PM 16855]
R0 pctcore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [6/6/2009 8:49 AM 130936]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1005000.086\SymEFA.sys [5/9/2009 1:20 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1005000.086\BHDrvx86.sys [5/9/2009 1:20 PM 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1005000.086\cchpx86.sys [5/9/2009 1:20 PM 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090604.001\IDSXpx86.sys [6/8/2009 6:00 PM 276344]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [3/26/2009 2:54 PM 55152]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe [5/9/2009 1:20 PM 115560]
R2 sdauxservice;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [6/6/2009 8:48 AM 348752]
R3 Aldebaran;Aldebaran - SCSI Command Filters;c:\windows\system32\drivers\Aldebaran.sys [2/21/2009 11:13 PM 21808]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/6/2009 1:51 PM 101936]
S2 avast!avscontrolservice;avast!avscontrolservice;c:\windows\System32\avast!AVSControlService.exe -k netsvcs --> c:\windows\System32\avast!AVSControlService.exe -k netsvcs [?]
S2 Ca536av;FashionCam Video Camera Device;c:\windows\system32\drivers\Ca536av.sys [3/4/2006 2:48 PM 514859]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 6:08 PM 533360]
S3 USBCamera;FashionCam Digital Still Camera Device;c:\windows\system32\drivers\Bulk536.sys [3/4/2006 2:48 PM 11048]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60b49e34-c7cc-11d0-8953-00a0c90347ff}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder

2009-06-08 c:\windows\Tasks\User_Feed_Synchronization-{9C40644F-AE8D-44C9-BE50-A84056159EBE}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = <local>;localhost
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
IE: &Search
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
TCP: {95B1AEF2-DECC-4B25-85F1-AA17CEC38BB8} = 192.168.254.254
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
FF - ProfilePath - c:\documents and settings\Scotarnjo\Application Data\Mozilla\Firefox\Profiles\l4vdvhb3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-08 18:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.5.0.134\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1012)
c:\windows\system32\NavLogon.dll

- - - - - - - > 'explorer.exe'(3484)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
.
**************************************************************************
.
Completion time: 2009-06-08 18:17 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-08 23:17
ComboFix2.txt 2009-06-07 11:50

Pre-Run: 21,267,030,016 bytes free
Post-Run: 21,255,057,408 bytes free

281 --- E O F --- 2009-06-08 08:06
miekiemoes
Hi,

This looks OK again.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.
JediLord
Thanks for all your help, things are a lot better now. But I still get this notice of infection of PACKED.GENERIC.200. Norton AV 2009 won't remove it. Any further suggestions?

And one thing I did note when I ran MalwareBytes again is the 11 infections that were contained in the Norton folders. Sick to think I pay for a service that gets infected and can't clean itself.

What is the best AV out there?

JL-


PS. Will be donating through PayPal.
miekiemoes
QUOTE
But I still get this notice of infection of PACKED.GENERIC.200. Norton AV 2009 won't remove it. Any further suggestions?
This looks like a generic detection, so this means it isn't always malware. Anyway, the only way I can help you with that is if you would tell me what exact file is being flagged by Norton like that. So what file + where it is located. Without that info, I can't do anything.

QUOTE
What is the best AV out there?
There is no best Antivirus. I mean, this is different for everyone. This all depends on what you expect from an Antivirus. For example, some AVs are great in detection but may also have a lot of false positives and cause a huge system slowdown. Some others are also good, but difficult to configure. Others are still good in detection, not great, but run really fast and are easy to configure, etc.
So basically, it's a matter of trying an Antivirus (trial period) and deciding.
I use Avira Premium Security Suite. They also have a free version: Avira personal (that's without the firewall and extra additions).

Keep in mind, if you want to test another Antivirus, you have to uninstall your current Antivirus first, because more than 1 Antivirus installed, even though you would disable one, causes a lot of problems.
JediLord
Thanks for the help and advice Mike.

I guess I will stick with Norton since it's paid for.

As far as finding the file path, I can't. Norton says it is the following: globalroot/windows/system32

No clue where it is found at.
miekiemoes
Hi,

And what is the name of the file?
JediLord
Mike, this is what I have. Any idea on where this GLOBALROOT directory is?


Unresolved Threats:
Packed.Generic.200
Type: Anomaly
Risk: High (High Stealth, High Removal, High Performance, High Privacy)
Categories: Heuristic Virus
Status: Remove Failed
-----------
3 Files
globalroot\systemroot\system32\uacxdqmnohbhlovylb.dll - Failed
globalroot\systemroot\system32\uacxdqmnohbhlovylb.dll - No action taken
globalroot\systemroot\system32\uacxdqmnohbhlovylb.dll - No action taken
1 Browser Cache
miekiemoes
Hi,

Can you redownload and run Combofix again? Because it looks like it reinstalled itself again.
JediLord
Hi,

No, it didn't reinstall itself. It's like just a bogus notice from Norton each time. I'm just trying to figure out how it keeps showing up. Everything else is good.

But I'll do combofix if you think I should, your call.

JL-

QUOTE (miekiemoes @ Jun 16 2009, 07:39 AM)
Hi,

Can you redownload and run Combofix again? Because it looks like it reinstalled itself again.
miekiemoes
Yes, please run Combofix.

Also, is this computer a part of a network?
miekiemoes
Due to the lack of feedback, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.