JAG

Members
  • Posts

    5
  • Joined

  • Last visited

Reputation

0 Neutral
  1. Maniac, the rootkit appears to be dead:

     Combo-Fix.txt:

     ComboFix 10-05-10.01 - Admin 05/11/2010 7:45.3.1 - x86
     Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.150 [GMT -7:00]
     Running from: C:\Combo-Fix.exe
     Command switches used :: C:\CFScript.txt
     AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     c:\documents and settings\Admin\Local Settings\Application Data\avG
     c:\documents and settings\All Users\Application Data\avG
     c:\program files\LimeWire
     c:\program files\LimeWire\clink.jar
     c:\program files\LimeWire\commons-httpclient.jar
     c:\program files\LimeWire\commons-logging.jar
     c:\program files\LimeWire\commons-net.jar
     c:\program files\LimeWire\daap.jar
     c:\program files\LimeWire\GenericWindowsUtils.dll
     c:\program files\LimeWire\i18n.jar
     c:\program files\LimeWire\icu4j.jar
     c:\program files\LimeWire\id3v2.jar
     c:\program files\LimeWire\jcraft.jar
     c:\program files\LimeWire\jl011.jar
     c:\program files\LimeWire\jmdns.jar
     c:\program files\LimeWire\LimeWire.jar
     c:\program files\LimeWire\LimeWire20.dll
     c:\program files\LimeWire\log4j.jar
     c:\program files\LimeWire\looks.jar
     c:\program files\LimeWire\MessagesBundles.jar
     c:\program files\LimeWire\mp3sp14.jar
     c:\program files\LimeWire\ProgressTabs.jar
     c:\program files\LimeWire\themes.jar
     c:\program files\LimeWire\tritonus.jar
     c:\program files\LimeWire\vorbis.jar
     c:\program files\LimeWire\WindowsFirewall.dll
     c:\program files\LimeWire\WindowsV5PlusUtils.dll
     c:\program files\LimeWire\xerces.jar
     c:\program files\LimeWire\xml-apis.jar
     c:\program files\Sophos
     c:\program files\Sophos\Sophos Anti-Rootkit\helper.exe
     c:\program files\Sophos\Sophos Anti-Rootkit\MEMSWEEP.sys
     c:\program files\Sophos\Sophos Anti-Rootkit\sar1.dll
     c:\program files\Sophos\Sophos Anti-Rootkit\sar2.dll
     c:\program files\Sophos\Sophos Anti-Rootkit\sar3.dll
     c:\program files\Sophos\Sophos Anti-Rootkit\sar4.dll
     c:\program files\Sophos\Sophos Anti-Rootkit\sar5.dll
     c:\program files\Sophos\Sophos Anti-Rootkit\sar6.dll
     c:\program files\Sophos\Sophos Anti-Rootkit\sarcli.exe
     c:\program files\Sophos\Sophos Anti-Rootkit\sargui.chm
     c:\program files\Sophos\Sophos Anti-Rootkit\sargui.exe
     c:\program files\Sophos\Sophos Anti-Rootkit\sarman.pdf
     c:\program files\Sophos\Sophos Anti-Rootkit\savrkboottasks.sys
     c:\windows\system32\drivers\bcoijj.sys

     Infected copy of c:\windows\system32\Drivers\atapi.sys was found and disinfected
     Restored copy from - c:\windows\ERDNT\cache\atapi.sys
     .
     ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     -------\Legacy_BCOIJJ
     -------\Service_bcoijj

     ((((((((((((((((((((((((( Files Created from 2010-04-11 to 2010-05-11 )))))))))))))))))))))))))))))))
     .
     2010-05-10 19:37 . 2010-05-10 19:25 3686515 ----a-r- C:\Combo-Fix.exe
     2010-05-10 16:36 . 2008-06-12 10:09 33088 ----a-w- c:\documents and settings\Admin\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
     2010-05-09 00:10 . 2010-05-09 00:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
     2010-05-07 02:36 . 2010-05-07 02:36 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes
     2010-05-06 05:45 . 2010-05-06 05:45 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
     2010-05-06 05:45 . 2010-05-06 05:46 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
     2010-05-06 02:22 . 2010-05-06 05:44 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft
     2010-05-06 02:22 . 2010-05-07 02:17 -------- d-----w- c:\documents and settings\Administrator
     2010-04-29 12:20 . 2004-08-04 05:59 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
     2010-04-29 12:20 . 2004-08-04 05:59 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
     2010-04-29 12:20 . 2004-08-04 06:00 8192 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
     2010-04-29 12:20 . 2004-08-04 06:00 8192 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
     2010-04-29 12:20 . 2004-08-04 06:00 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
     2010-04-29 12:20 . 2004-08-04 06:00 8192 ----a-w- c:\windows\system32\drivers\changer.sys
     2010-04-19 01:13 . 2010-04-19 01:13 -------- d-----w- c:\program files\MSECache
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2010-05-11 14:57 . 2006-12-26 22:12 -------- d-----w- c:\program files\Symantec AntiVirus
     2010-05-10 16:38 . 2006-12-27 01:29 -------- d-----w- c:\program files\Common Files\Adobe
     2010-05-06 05:23 . 2010-05-06 05:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
     2010-05-06 05:23 . 2010-05-06 05:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
     2010-05-06 05:23 . 2010-05-06 05:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
     2010-04-29 22:39 . 2010-05-06 05:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2010-04-29 22:39 . 2010-05-06 05:23 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
     2010-04-29 12:22 . 2006-12-26 21:47 81536 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
     2010-03-10 08:02 . 2004-08-04 01:07 417792 ----a-w- c:\windows\system32\vbscript.dll
     2010-03-02 00:17 . 2010-03-02 00:17 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
     2010-03-02 00:03 . 2010-03-02 00:03 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
     2010-02-26 06:05 . 2004-08-04 01:07 668672 ----a-w- c:\windows\system32\wininet.dll
     2010-02-26 06:05 . 2004-08-04 01:07 81920 ----a-w- c:\windows\system32\ieencode.dll
     2010-02-24 12:31 . 2004-08-04 01:07 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
     2010-02-16 13:19 . 2004-08-04 01:07 2181376 ----a-w- c:\windows\system32\ntoskrnl.exe
     2010-02-16 12:39 . 2004-08-03 22:59 2058368 ----a-w- c:\windows\system32\ntkrnlpa.exe
     2010-02-12 04:47 . 2004-08-04 01:07 100864 ----a-w- c:\windows\system32\6to4svc.dll
     2010-02-11 12:01 . 2004-08-04 01:07 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-14 68856]
     "Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 443968]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "Tweak UI"="TWEAKUI.CPL" [2000-06-18 106544]
     "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 48752]
     "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-06-24 85696]
     "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-12-09 32768]
     "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-13 155648]
     "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
     "nwiz"="nwiz.exe" [2006-10-22 1622016]
     "NvMediaCenter"="NvMCTray.dll" [2006-10-22 86016]
     "Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
     "StatusClient"="c:\program files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-17 36864]
     "TomcatStartup"="c:\program files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2003-04-01 155648]
     "Omnipage"="c:\program files\ScanSoft\OmniPageSE\opware32.exe" [2002-06-03 49152]
     "SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_12\bin\jusched.exe" [2007-05-02 75520]
     "MBBalloon"="c:\program files\HOTALBUMMyBOX\MBBalloon.exe" [2007-11-30 789144]
     "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
     "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-16 141608]
     "Malwarebytes Anti-Malware (rootkit-scan)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     ImageMixer for HDD Camcorder.lnk - c:\program files\PIXELA\ImageMixer for HDD Camcorder\IMx3Launcher.exe [2007-1-1 1871872]
     MediaChecker.lnk - c:\program files\HOTALBUMMyBOX\MediaChecker.exe [2007-11-30 915096]
     NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2007-1-1 118784]

     [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
     BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

     [HKEY_LOCAL_MACHINE\software\microsoft\security center]
     "AntiVirusOverride"=dword:00000001
     "FirewallOverride"=dword:00000001

     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
     "DisableMonitoring"=dword:00000001

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
     "EnableFirewall"= 0 (0x0)
     "DisableNotifications"= 1 (0x1)

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=
     "c:\\Program Files\\iTunes\\iTunes.exe"=
     "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
     "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

     R0 PzWDM;PzWDM;c:\windows\system32\drivers\PzWDM.sys [1/18/2009 5:27 PM 15172]
     S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/31/2010 9:36 PM 135664]
     S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\92.tmp --> c:\windows\system32\92.tmp [?]
     S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/23/2005 8:27 PM 124608]

     --- Other Services/Drivers In Memory ---

     *Deregistered* - EraserUtilDrvI9
     .
     Contents of the 'Scheduled Tasks' folder

     2010-03-22 c:\windows\Tasks\AppleSoftwareUpdate.job
     - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

     2010-05-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
     - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 04:36]

     2010-05-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
     - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 04:36]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://ca.yahoo.com/
     uSearch Page = hxxp://www.google.com
     uDefault_Search_URL = hxxp://www.google.com/ie
     uSearch Bar = hxxp://www.google.com/ie
     mDefault_Search_URL = hxxp://www.google.com/ie
     uInternet Settings,ProxyOverride = ;*.local;<local>
     uSearchAssistant = hxxp://www.google.com/ie
     uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
     mSearchAssistant = hxxp://www.google.com/ie
     IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
     IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
     IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
     IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
     IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
     IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
     IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
     IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
     IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
     IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
     IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
     .
     - - - - ORPHANS REMOVED - - - -

     AddRemove-Sophos-AntiRootkit - c:\program files\Sophos\Sophos Anti-Rootkit\helper.exe

     **************************************************************************

     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2010-05-11 07:57
     Windows 5.1.2600 Service Pack 2 NTFS

     scanning hidden processes ...

     scanning hidden autostart entries ...

     scanning hidden files ...

     scan completed successfully
     hidden files: 0

     **************************************************************************

     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
     "ImagePath"="\??\c:\windows\system32\92.tmp"
     .
     --------------------- LOCKED REGISTRY KEYS ---------------------

     [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
     "OODEFRAG10.00.00.01WORKSTATION"="[long hex value omitted]"
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------

     - - - - - - - > 'explorer.exe'(2912)
     c:\program files\ScanSoft\OmniPageSE\ophook32.dll
     .
     ------------------------ Other Running Processes ------------------------
     .
     c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
     c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
     c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
     c:\program files\Bonjour\mDNSResponder.exe
     c:\program files\Symantec AntiVirus\DefWatch.exe
     c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
     c:\windows\system32\nvsvc32.exe
     c:\program files\Symantec AntiVirus\Rtvscan.exe
     c:\windows\system32\wdfmgr.exe
     c:\program files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
     c:\program files\iPod\bin\iPodService.exe
     .
     **************************************************************************
     .
     Completion time: 2010-05-11 08:03:41 - machine was rebooted
     ComboFix-quarantined-files.txt 2010-05-11 15:03
     ComboFix2.txt 2010-05-10 19:56
     ComboFix3.txt 2010-05-09 08:02

     Pre-Run: 39,489,945,600 bytes free
     Post-Run: 39,454,900,224 bytes free

     - - End Of File - - BA5967F55135369A96B30C1BCEE52DE2

     MBAM:

     Malwarebytes' Anti-Malware 1.46
     www.malwarebytes.org

     Database version: 4090

     Windows 5.1.2600 Service Pack 2
     Internet Explorer 6.0.2900.2180

     5/11/2010 8:19:22 AM
     mbam-log-2010-05-11 (08-19-22).txt

     Scan type: Quick scan
     Objects scanned: 124628
     Time elapsed: 12 minute(s), 20 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     (No malicious items detected)

     I am now running a full scan and will post the result later, but I think it is done. Thank You!!
  2. ComboFix 10-05-10.01 - Admin 05/10/2010 12:41:21.2.1 - x86
     Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.126 [GMT -7:00]
     Running from: C:\Combo-Fix.exe
     AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     c:\program files\Mozilla Firefox\components\nsAdproFFx.xpt
     .
     ((((((((((((((((((((((((( Files Created from 2010-04-10 to 2010-05-10 )))))))))))))))))))))))))))))))
     .
     2010-05-10 19:37 . 2010-05-10 19:25 3686515 ----a-r- C:\Combo-Fix.exe
     2010-05-10 16:36 . 2008-06-12 10:09 33088 ----a-w- c:\documents and settings\Admin\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
     2010-05-10 01:57 . 2010-05-10 01:57 -------- d-----w- c:\program files\Sophos
     2010-05-09 00:10 . 2010-05-09 00:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
     2010-05-07 02:36 . 2010-05-07 02:36 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes
     2010-05-06 05:45 . 2010-05-06 05:45 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
     2010-05-06 05:45 . 2010-05-06 05:46 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
     2010-05-06 02:22 . 2010-05-06 05:44 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft
     2010-05-06 02:22 . 2010-05-07 02:17 -------- d-----w- c:\documents and settings\Administrator
     2010-04-29 12:21 . 2010-05-10 19:52 823808 ----a-w- c:\windows\system32\drivers\bcoijj.sys
     2010-04-29 12:20 . 2004-08-04 05:59 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
     2010-04-29 12:20 . 2004-08-04 05:59 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
     2010-04-29 12:20 . 2010-04-29 12:20 -------- d-----w- c:\documents and settings\All Users\Application Data\avG
     2010-04-29 12:20 . 2010-04-29 12:20 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\avG
     2010-04-29 12:20 . 2004-08-04 06:00 8192 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
     2010-04-29 12:20 . 2004-08-04 06:00 8192 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
     2010-04-29 12:20 . 2004-08-04 06:00 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
     2010-04-29 12:20 . 2004-08-04 06:00 8192 ----a-w- c:\windows\system32\drivers\changer.sys
     2010-04-19 01:13 . 2010-04-19 01:13 -------- d-----w- c:\program files\MSECache
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2010-05-10 19:39 . 2006-12-26 22:12 -------- d-----w- c:\program files\Symantec AntiVirus
     2010-05-10 16:39 . 2006-12-26 23:01 -------- d-----w- c:\program files\LimeWire
     2010-05-10 16:38 . 2006-12-27 01:29 -------- d-----w- c:\program files\Common Files\Adobe
     2010-05-06 05:23 . 2010-05-06 05:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
     2010-05-06 05:23 . 2010-05-06 05:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
     2010-05-06 05:23 . 2010-05-06 05:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
     2010-04-29 22:39 . 2010-05-06 05:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2010-04-29 22:39 . 2010-05-06 05:23 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
     2010-04-29 12:22 . 2006-12-26 21:47 81536 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
     2010-03-10 08:02 . 2004-08-04 01:07 417792 ----a-w- c:\windows\system32\vbscript.dll
     2010-03-02 00:17 . 2010-03-02 00:17 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
     2010-03-02 00:03 . 2010-03-02 00:03 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
     2010-02-26 06:05 . 2004-08-04 01:07 668672 ----a-w- c:\windows\system32\wininet.dll
     2010-02-26 06:05 . 2004-08-04 01:07 81920 ----a-w- c:\windows\system32\ieencode.dll
     2010-02-24 12:31 . 2004-08-04 01:07 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
     2010-02-16 13:19 . 2004-08-04 01:07 2181376 ----a-w- c:\windows\system32\ntoskrnl.exe
     2010-02-16 12:39 . 2004-08-03 22:59 2058368 ----a-w- c:\windows\system32\ntkrnlpa.exe
     2010-02-12 04:47 . 2004-08-04 01:07 100864 ----a-w- c:\windows\system32\6to4svc.dll
     2010-02-11 12:01 . 2004-08-04 01:07 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-14 68856]
     "Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 443968]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "Tweak UI"="TWEAKUI.CPL" [2000-06-18 106544]
     "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 48752]
     "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-06-24 85696]
     "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-12-09 32768]
     "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-13 155648]
     "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
     "nwiz"="nwiz.exe" [2006-10-22 1622016]
     "NvMediaCenter"="NvMCTray.dll" [2006-10-22 86016]
     "Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
     "StatusClient"="c:\program files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-17 36864]
     "TomcatStartup"="c:\program files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2003-04-01 155648]
     "Omnipage"="c:\program files\ScanSoft\OmniPageSE\opware32.exe" [2002-06-03 49152]
     "SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_12\bin\jusched.exe" [2007-05-02 75520]
     "MBBalloon"="c:\program files\HOTALBUMMyBOX\MBBalloon.exe" [2007-11-30 789144]
     "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
     "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-16 141608]
     "Malwarebytes Anti-Malware (rootkit-scan)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     ImageMixer for HDD Camcorder.lnk - c:\program files\PIXELA\ImageMixer for HDD Camcorder\IMx3Launcher.exe [2007-1-1 1871872]
     MediaChecker.lnk - c:\program files\HOTALBUMMyBOX\MediaChecker.exe [2007-11-30 915096]
     NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2007-1-1 118784]

     [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
     BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

     [HKEY_LOCAL_MACHINE\software\microsoft\security center]
     "AntiVirusOverride"=dword:00000001
     "FirewallOverride"=dword:00000001

     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
     "DisableMonitoring"=dword:00000001

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
     "EnableFirewall"= 0 (0x0)
     "DisableNotifications"= 1 (0x1)

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=
     "c:\\Program Files\\iTunes\\iTunes.exe"=
     "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
     "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

     R0 PzWDM;PzWDM;c:\windows\system32\drivers\PzWDM.sys [1/18/2009 5:27 PM 15172]
     S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/31/2010 9:36 PM 135664]
     S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\92.tmp --> c:\windows\system32\92.tmp [?]
     S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/23/2005 8:27 PM 124608]

     --- Other Services/Drivers In Memory ---

     *Deregistered* - bcoijj
     *Deregistered* - EraserUtilDrvI9
     *Deregistered* - EraserUtilRebootDrv
     .
     Contents of the 'Scheduled Tasks' folder

     2010-03-22 c:\windows\Tasks\AppleSoftwareUpdate.job
     - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

     2010-05-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
     - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 04:36]

     2010-05-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
     - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 04:36]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://ca.yahoo.com/
     uSearch Page = hxxp://www.google.com
     uDefault_Search_URL = hxxp://www.google.com/ie
     uSearch Bar = hxxp://www.google.com/ie
     uInternet Settings,ProxyOverride = ;*.local;<local>
     uSearchAssistant = hxxp://www.google.com/ie
     uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
     IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
     IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
     IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
     IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
     IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
     IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
     IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
     IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
     IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
     IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
     IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
     .
     **************************************************************************

     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2010-05-10 12:52
     Windows 5.1.2600 Service Pack 2 NTFS

     scanning hidden processes ...

     scanning hidden autostart entries ...

     scanning hidden files ...

     scan completed successfully
     hidden files: 0

     **************************************************************************

     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
     "ImagePath"="\??\c:\windows\system32\92.tmp"

     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bcoijj]
     .
     --------------------- LOCKED REGISTRY KEYS ---------------------

     [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
     "OODEFRAG10.00.00.01WORKSTATION"="[long hex value omitted]"
     .
     Completion time: 2010-05-10 12:56:17
     ComboFix-quarantined-files.txt 2010-05-10 19:56
     ComboFix2.txt 2010-05-09 08:02

     Pre-Run: 39,490,117,632 bytes free
     Post-Run: 39,483,899,904 bytes free

     - - End Of File - - FB704BA2A21587842A26D914BD383C15
  3. Borislav, Thanks for your assistance!

MBAM log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4086
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180
5/10/2010 10:00:17 AM
mbam-log-2010-05-10 (10-00-17).txt
Scan type: Quick scan
Objects scanned: 124563
Time elapsed: 13 minute(s), 25 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected: (No malicious items detected)
Memory Modules Infected: (No malicious items detected)
Registry Keys Infected: (No malicious items detected)
Registry Values Infected: (No malicious items detected)
Registry Data Items Infected: (No malicious items detected)
Folders Infected: (No malicious items detected)
Files Infected:
C:\WINDOWS\system32\drivers\bcoijj.sys (Rootkit.Agent) -> Delete on reboot.

DDS.TXT:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Admin at 10:08:55.10 on Mon 05/10/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.5.0_12
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.120 [GMT -7:00]
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\PIXELA\ImageMixer for HDD Camcorder\IMx3Launcher.exe
C:\Program Files\HOTALBUMMyBOX\MediaChecker.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Admin\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://ca.yahoo.com/
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = ;*.local;<local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_12\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
mRun: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [statusClient] c:\program files\hewlett-packard\toolbox2.0\apache tomcat 4.0\webapps\toolbox\statusclient\StatusClient.exe /auto
mRun: [TomcatStartup] c:\program files\hewlett-packard\toolbox2.0\hpbpsttp.exe
mRun: [Omnipage] c:\program files\scansoft\omnipagese\opware32.exe
mRun: [sunJavaUpdateSched] "c:\program files\java\jre1.5.0_12\bin\jusched.exe"
mRun: [MBBalloon] c:\program files\hotalbummybox\MBBalloon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (rootkit-scan)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\imagem~1.lnk - c:\program files\pixela\imagemixer for hdd camcorder\IMx3Launcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mediac~1.lnk - c:\program files\hotalbummybox\MediaChecker.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkbmon~1.lnk - c:\program files\nikon\pictureproject\NkbMonitor.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_12\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Notify: NavLogon - c:\windows\system32\NavLogon.dll
============= SERVICES / DRIVERS ===============
R0 PzWDM;PzWDM;c:\windows\system32\drivers\PzWDM.sys [2009-1-18 15172]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-2-4 324232]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-2-4 53896]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-6-2 185968]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-6-2 161392]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-6-23 1715904]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100509.002\naveng.sys [2010-5-9 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100509.002\navex15.sys [2010-5-9 1324720]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-31 135664]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-6-2 83568]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\92.tmp --> c:\windows\system32\92.tmp [?]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-6-23 124608]
=============== Created Last 30 ================
2010-05-10 01:57:22 0 d-----w- c:\program files\Sophos
2010-05-09 23:16:07 0 ----a-w- c:\documents and settings\admin\defogger_reenable
2010-05-09 00:34:16 0 d-sha-r- C:\cmdcons
2010-05-09 00:24:29 98816 ----a-w- c:\windows\sed.exe
2010-05-09 00:24:29 77312 ----a-w- c:\windows\MBR.exe
2010-05-09 00:24:29 256512 ----a-w- c:\windows\PEV.exe
2010-05-09 00:24:29 161792 ----a-w- c:\windows\SWREG.exe
2010-05-07 02:36:21 0 d-----w- c:\docume~1\admin\applic~1\Malwarebytes
2010-05-06 05:23:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-06 05:23:03 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-06 05:23:03 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-06 05:23:03 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-29 12:28:45 442 ----a-w- C:\config.ini
2010-04-29 12:21:15 823808 ----a-w- c:\windows\system32\drivers\bcoijj.sys
2010-04-29 12:20:43 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-04-29 12:20:43 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-04-29 12:20:39 0 d-----w- c:\docume~1\alluse~1\applic~1\avG
2010-04-29 12:20:24 8192 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-04-29 12:20:24 8192 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-04-29 12:20:15 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-04-29 12:20:15 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-04-19 01:13:55 0 d-----w- c:\program files\MSECache
==================== Find3M ====================
2010-03-10 08:02:04 417792 ----a-w- c:\windows\system32\vbscript.dll
2010-02-26 06:05:09 668672 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 06:05:05 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-16 13:19:55 2181376 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 12:39:04 2058368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:47:05 100864 ----a-w- c:\windows\system32\6to4svc.dll
============= FINISH: 10:09:33.35 ===============
  4. I have completed the scans as instructed: Any help is appreciated. I am a reseller interested in possibly purchasing site licenses.

DDS.TXT:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Admin at 16:54:24.60 on Sun 05/09/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.5.0_12
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.50 [GMT -7:00]
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\PIXELA\ImageMixer for HDD Camcorder\IMx3Launcher.exe
C:\Program Files\HOTALBUMMyBOX\MediaChecker.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
"C:\WINDOWS\System32\svchost.exe"
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Admin\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://ca.yahoo.com/
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = ;*.local;<local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_12\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
mRun: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [statusClient] c:\program files\hewlett-packard\toolbox2.0\apache tomcat 4.0\webapps\toolbox\statusclient\StatusClient.exe /auto
mRun: [TomcatStartup] c:\program files\hewlett-packard\toolbox2.0\hpbpsttp.exe
mRun: [Omnipage] c:\program files\scansoft\omnipagese\opware32.exe
mRun: [sunJavaUpdateSched] "c:\program files\java\jre1.5.0_12\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [MBBalloon] c:\program files\hotalbummybox\MBBalloon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (rootkit-scan)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\imagem~1.lnk - c:\program files\pixela\imagemixer for hdd camcorder\IMx3Launcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mediac~1.lnk - c:\program files\hotalbummybox\MediaChecker.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkbmon~1.lnk - c:\program files\nikon\pictureproject\NkbMonitor.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_12\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Notify: NavLogon - c:\windows\system32\NavLogon.dll
============= SERVICES / DRIVERS ===============
R0 PzWDM;PzWDM;c:\windows\system32\drivers\PzWDM.sys [2009-1-18 15172]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-2-4 324232]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-2-4 53896]
R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2007-10-29 587096]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-6-2 185968]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-6-2 161392]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-6-23 1715904]
R3 EraserUtilDrvI9;EraserUtilDrvI9;c:\program files\common files\symantec shared\eengine\EraserUtilDrvI9.sys [2010-5-9 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100509.002\naveng.sys [2010-5-9 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100509.002\navex15.sys [2010-5-9 1324720]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-31 135664]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-6-2 83568]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-6-23 124608]
=============== Created Last 30 ================
2010-05-09 23:16:07 0 ----a-w- c:\documents and settings\admin\defogger_reenable
2010-05-09 00:34:16 0 d-sha-r- C:\cmdcons
2010-05-09 00:24:29 98816 ----a-w- c:\windows\sed.exe
2010-05-09 00:24:29 77312 ----a-w- c:\windows\MBR.exe
2010-05-09 00:24:29 256512 ----a-w- c:\windows\PEV.exe
2010-05-09 00:24:29 161792 ----a-w- c:\windows\SWREG.exe
2010-05-07 02:36:21 0 d-----w- c:\docume~1\admin\applic~1\Malwarebytes
2010-05-06 05:23:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-06 05:23:03 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-06 05:23:03 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-06 05:23:03 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-29 12:28:45 442 ----a-w- C:\config.ini
2010-04-29 12:21:15 823808 ----a-w- c:\windows\system32\drivers\bcoijj.sys
2010-04-29 12:20:43 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-04-29 12:20:43 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-04-29 12:20:39 0 d-----w- c:\docume~1\alluse~1\applic~1\avG
2010-04-29 12:20:24 8192 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-04-29 12:20:24 8192 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-04-29 12:20:15 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-04-29 12:20:15 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-04-19 01:13:55 0 d-----w- c:\program files\MSECache
==================== Find3M ====================
2010-03-10 08:02:04 417792 ----a-w- c:\windows\system32\vbscript.dll
2010-02-26 06:05:09 668672 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 06:05:05 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-16 13:19:55 2181376 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 12:39:04 2058368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:47:05 100864 ----a-w- c:\windows\system32\6to4svc.dll
============= FINISH: 16:55:03.43 ===============

Attachments: mbam_log_2010_05_09__15_48_24_.txt, ark.zip, Attach.zip
  5. I have run many passes of malwarebytes, then combofix, then attached run. I am running malwarebytes again as I post this. Time to wipe and reload?

Attachment: mbam_log_2010_05_09__13_30_33_.txt