
Thread: Multiple Infections on XP Pro SP1 box

  1. #11
    Emeritus- Malware Team
    Join Date
    Apr 2010
    Posts
    29

    Blade81,

    I’m currently running ComboFix on the infected box. I read your instructions but forgot to disable NAV before starting ComboFix. Do you want the log file that it produces on this run or should I wait for it to finish, then disable NAV and then run it again?

    Sorry for the botched execution.

    George

  2. #12
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Hi,

    If ComboFix is able to finish, then the log from this current run is OK.

    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #13
    Emeritus- Malware Team
    Join Date
    Apr 2010
    Posts
    29

    Blade81,

    I’ve included below the ComboFix report, DDS reports and the GMER report.

    I have started the Kaspersky online scan. It took around 5 hours to run the other day. I’ll post its log when it finishes.

    I uninstalled the software that you requested. I’ll defer installation of Adobe Reader until the end of our cleaning process.

    The following messages were generated during the uninstallation of Adobe Acrobat 4.0:

    ---------------------------
    Unable to delete folder 'C:\Program Files\Common Files\Adobe\TypeSpt'.
    Unable to delete folder 'C:\Program Files\Common Files\Adobe\Web'.
    Unable to delete folder 'C:\Program Files\Common Files\Adobe'.
    Unable to delete folder 'C:\Program Files\Adobe'.
    Unable to delete all subkeys under 'HKEY_CLASSES_ROOT\.pdf'.
    Unable to delete all subkeys under 'HKEY_CLASSES_ROOT\AcroExch.Document'.
    Unable to delete all subkeys under 'HKEY_CLASSES_ROOT\AcroExch.Document\shell\open\command'.
    Unable to delete all subkeys under 'HKEY_CLASSES_ROOT\AcroExch.Document\CLSID'.
    Unable to delete all subkeys under 'HKEY_CLASSES_ROOT\.rmf'.
    Unable to delete all subkeys under 'HKEY_CLASSES_ROOT\.pdf'.
    Unable to delete registry value 'HKEY_CLASSES_ROOT\.pdf\Content Type'.
    ---------------------------

    I did not take any action based on these messages. Please let me know if there’s anything that you’d like me to do related to these messages.

    The following messages were generated during the uninstallation of Java 2 Runtime Environment Standard Edition v1.3.1_01:

    ---------------------------
    Unable to delete folder 'C:\Program Files\JavaSoft\JRE\1.3.1_01\lib\applet'.
    Unable to delete folder 'C:\Program Files\JavaSoft\JRE\1.3.1_01\lib'.
    Unable to delete folder 'C:\Program Files\JavaSoft\JRE\1.3.1_01'.
    Unable to delete folder 'C:\Program Files\JavaSoft\JRE'.
    Unable to delete folder 'C:\Program Files\JavaSoft'.
    Unable to delete all subkeys under 'HKEY_CLASSES_ROOT\.jar'.
    Unable to delete all subkeys under 'HKEY_CLASSES_ROOT\jarfile'.
    Unable to delete all subkeys under 'HKEY_CLASSES_ROOT\JavaPlugin'.
    Unable to delete all subkeys under 'HKEY_CLASSES_ROOT\JavaPlugin\CLSID'.
    ---------------------------

    I did not take any action based on these messages. Please let me know if there’s anything that you’d like me to do related to these messages.

    Once again, thank you for all of your help.

    George

    ComboFix log:

    ComboFix 10-04-21.01 - gm 04/25/2010 12:28:07.2.1 - x86
    Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.1023.637 [GMT -5:00]
    Running from: c:\documents and settings\gm\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\gm\Desktop\CFScript.txt

    FILE ::
    "c:\windows\system32\-1"
    "c:\windows\system32\jvieSCbad.dll"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\-1
    c:\windows\system32\jvieSCbad.dll

    Infected copy of c:\windows\system32\drivers\DMLOAD.SYS was found and disinfected
    Restored copy from - Kitty had a snack :p
    c:\windows\system32\d3d9.dll . . . is missing!!

    .
    ((((((((((((((((((((((((( Files Created from 2010-03-25 to 2010-04-25 )))))))))))))))))))))))))))))))
    .

    2010-04-25 13:33 . 2010-04-25 13:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
    2010-04-24 15:10 . 2010-04-24 15:10 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
    2010-04-22 18:48 . 2010-04-22 18:48 388096 ----a-r- c:\documents and settings\gm\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-04-22 18:48 . 2010-04-22 18:48 -------- d-----w- c:\program files\Trend Micro
    2010-04-22 18:38 . 2010-04-22 18:39 -------- d-----w- c:\program files\ERUNT
    2010-04-20 23:27 . 2010-04-20 23:27 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
    2010-04-19 19:49 . 2010-04-19 19:49 -------- d-----w- c:\program files\SysinternalsSuite
    2010-04-19 16:09 . 2010-04-19 16:10 -------- d-----w- c:\program files\Wireshark
    2010-04-18 22:01 . 2010-04-18 22:01 -------- d-----w- c:\program files\WhoIs
    2010-04-18 21:46 . 2010-04-18 21:46 -------- d-----w- c:\program files\RootkitRevealer
    2010-04-18 21:11 . 2010-04-18 21:11 -------- d-----w- c:\program files\Autoruns
    2010-04-18 14:32 . 2010-04-18 14:32 -------- d-----w- c:\documents and settings\gm\Local Settings\Application Data\Temp
    2010-04-18 14:27 . 2010-04-18 14:27 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
    2010-04-17 10:45 . 2010-04-17 10:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
    2010-04-04 17:29 . 2010-04-04 17:29 2994016 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Downloads\HRBlockMO.exe
    2010-03-28 17:26 . 2010-03-28 17:26 21195208 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Update\US30026901xupd.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-04-25 17:21 . 2001-08-18 12:00 5888 ----a-w- c:\windows\system32\drivers\DMLOAD.SYS
    2010-04-25 17:21 . 2002-06-20 04:27 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2010-04-24 00:49 . 2002-12-15 21:44 -------- d-----w- c:\program files\NewsRover
    2010-04-20 14:16 . 2007-02-19 19:34 -------- d-----w- c:\program files\ProcessExplorer
    2010-04-19 16:10 . 2009-04-29 22:40 -------- d-----w- c:\program files\WinPcap
    2010-04-18 16:20 . 2004-11-14 13:31 -------- d-----w- c:\program files\Yahoo!
    2010-04-18 15:31 . 2007-05-03 12:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
    2010-04-18 15:31 . 2009-04-17 01:46 -------- d-----w- c:\documents and settings\gm\Application Data\Yahoo!
    2010-04-18 14:31 . 2005-02-23 22:25 -------- d-----w- c:\documents and settings\gm\Application Data\WeatherBug
    2010-04-18 14:26 . 2005-07-26 07:34 -------- d-----w- c:\program files\Googlebad
    2010-04-17 09:57 . 2004-07-15 17:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-04-17 01:56 . 2004-07-15 17:25 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-04-16 13:29 . 2006-06-24 15:32 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-04-16 13:29 . 2007-05-14 19:41 -------- d-----w- c:\program files\TD AMERITRADE
    2010-03-30 05:45 . 2002-12-22 18:54 -------- d-----w- c:\program files\Pwrchute
    2010-03-28 17:25 . 2008-02-10 22:28 -------- d-----w- c:\documents and settings\gm\Application Data\TaxCut
    2010-03-25 13:07 . 2002-06-20 04:22 -------- d-----w- c:\program files\PhoneTools
    2010-02-08 17:21 . 2005-07-12 18:06 82232 ----a-w- c:\documents and settings\gm\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-04-25_15.31.01 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-04-20 14:17 . 2010-04-25 17:25 49152 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    - 2010-04-20 14:17 . 2010-04-25 15:11 49152 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2002-06-20 04:11 . 2010-04-25 17:25 49152 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
    - 2002-06-20 04:11 . 2010-04-25 15:11 49152 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
    + 2002-06-20 04:11 . 2010-04-25 17:25 49152 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
    - 2002-06-20 04:11 . 2010-04-25 15:11 49152 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
    + 2002-11-15 18:31 . 2010-04-25 17:26 213080 c:\windows\SYSTEM32\INETSRV\MetaBase.bin
    - 2002-11-15 18:31 . 2010-04-25 15:12 213080 c:\windows\SYSTEM32\INETSRV\MetaBase.bin
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessengerLATER.exex -quiet" [X]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LTWinModem1"="ltmsgLATER.exe 9" [X]
    "NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-07-28 4841472]
    "DellTouch"="c:\windows\MMKeybd.exe" [2001-09-05 163840]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2003-02-06 77824]
    "nwiz"="nwiz.exe" [2003-07-28 323584]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-09-03 84640]
    "osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2006-09-06 26248]
    "Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-29 583048]
    "DaProcExp"="c:\program files\ProcessExplorer\procexp.exe" [2010-04-15 3879288]
    "DaWireShark"="c:\program files\Wireshark\wireshark.exe" [2010-03-31 2217984]
    "TraySantaCruz"="c:\windows\System32\tbctray.exe" [2002-04-03 290816]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2002-11-20 51200]

    c:\documents and settings\gm\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

    c:\documents and settings\gm\Start Menu\Programs\Startup\Later
    Pandora.lnk - c:\program files\Pandora\Pandora.exe [2009-9-3 95744]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\Later
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-2-16 113664]
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-14 241664]
    HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-5-14 53248]
    Shortcut to procexp.exe.lnk - c:\program files\ProcessExplorer\procexp.exe [2007-2-19 3879288]
    Wireshark.lnk - c:\program files\Wireshark\wireshark.exe [2010-3-31 2217984]

    R2 agentcd;DriverAgent Class Driver;c:\windows\SYSTEM32\AgentCD.sys [6/19/2002 11:24 PM 196096]
    R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [4/6/2009 4:05 PM 712048]
    R2 Mojave;Dazzle Mojave Device;c:\windows\SYSTEM32\DRIVERS\Mojave.sys [6/19/2002 11:23 PM 119276]
    R2 NPF;NetGroup Packet Filter Driver;c:\windows\SYSTEM32\DRIVERS\npf.sys [10/20/2009 1:19 PM 50704]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/5/2008 12:43 PM 99376]
    R3 tbcspud;Santa Cruz Driver;c:\windows\SYSTEM32\DRIVERS\tbcspud.sys [7/2/2009 3:21 PM 144768]
    R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\SYSTEM32\DRIVERS\tbcwdm.sys [7/2/2009 3:21 PM 545088]
    S2 APCPBEServer;APC PBE Server;c:\program files\APC\PowerChute Business Edition\server\pbeserver.exe --> c:\program files\APC\PowerChute Business Edition\server\pbeserver.exe [?]
    S2 gupdate;Google Update Service (gupdate);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
    S2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [4/6/2009 4:05 PM 712048]
    S3 vtdg46xx;vtdg46xx;c:\progra~1\TURTLE~1\SANTAC~1\CONTRO~1\vtdg46xx.sys [7/2/2009 3:21 PM 19232]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - COMHOST
    .
    Contents of the 'Scheduled Tasks' folder

    2010-04-24 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - gm.job
    - c:\progra~1\NORTON~2\NORTON~1\Navw32.exe [2006-09-07 05:38]
    .
    .
    ------- Supplementary Scan -------
    .
    mStart Page = hxxp://www.yahoo.com/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    uInternet Connection Wizard,ShellNext = iexplore
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.8.1/GarminAxControl.CAB
    DPF: Microsoft WFC Forms Designer - file://d:\vj98\wfcforms.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    DPF: Visual Studio 6 Extensibility Libraries - file://d:\vj98\vstudio6.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-04-25 12:41
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x872EFAC8]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0xf7583aac
    \Driver\ACPI -> ACPI.sys @ 0xf74e8740
    \Driver\atapi -> atapi.sys @ 0xf748f03c
    IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x8058e444
    ParseProcedure -> ntoskrnl.exe @ 0x8055a85b
    \Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x8058e444
    ParseProcedure -> ntoskrnl.exe @ 0x8055a85b
    NDIS: GVC-REALTEK Ethernet 10/100 PCI Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf73c5630
    PacketIndicateHandler -> NDIS.sys @ 0xf73d0480
    SendHandler -> NDIS.sys @ 0xf73c5779
    user & kernel MBR OK

    **************************************************************************
    "PBEBackupImagePath"="%SystemRoot%\System32\ups.exe"
    "OldImagePath"=" "
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-4212676017-2704639424-2437969446-1006\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(872)
    c:\windows\system32\ODBC32.dll

    - - - - - - - > 'lsass.exe'(928)
    c:\windows\System32\dssenh.dll
    .
    Completion time: 2010-04-25 12:47:37
    ComboFix-quarantined-files.txt 2010-04-25 17:47
    ComboFix2.txt 2010-04-25 15:40

    Pre-Run: 38,121,037,824 bytes free
    Post-Run: 38,101,159,936 bytes free

    - - End Of File - - CCE0902185665556DBF9F50F5CC5D2C2


    DDS.txt:


    DDS (Ver_10-03-17.01) - NTFSx86
    Run by gm at 13:34:33.17 on Sun 04/25/2010
    Internet Explorer: 6.0.2800.1106
    Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.1023.610 [GMT -5:00]


    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k rpcss
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    SVCHOST.EXE
    SVCHOST.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\MMKeybd.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Netropa\Traymon.exe
    C:\Program Files\Netropa\OSD.exe
    C:\Program Files\ProcessExplorer\procexp.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\Program Files\iolo\common\lib\ioloServiceManager.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\System32\tbctray.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\WINDOWS\System32\ctfmon.exe
    c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Documents and Settings\gm\Desktop\dds.com

    ============== Pseudo HJT Report ===============

    uStart Page = about:blank
    mStart Page = hxxp://www.yahoo.com/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    uInternet Connection Wizard,ShellNext = iexplore
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.0\NppBho.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32NOMORE.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swgNOMORE.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.0\UIBHO.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
    EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmes0521.dll
    uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\WCESCOMM.EXE"
    uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessengerLATER.exex" -quiet
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [LTWinModem1] ltmsgLATER.exe 9
    mRun: [DellTouch] c:\windows\MMKeybd.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [nwiz] nwiz.exe /install
    mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
    mRun: [osCheck] "c:\program files\norton internet security\osCheck.exe"
    mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
    mRun: [DaProcExp] "c:\program files\processexplorer\procexp.exe"
    mRun: [DaWireShark] "c:\program files\wireshark\wireshark.exe" -k
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [TraySantaCruz] c:\windows\system32\tbctray.exe
    dRunOnce: [RunNarrator] Narrator.exe
    StartupFolder: c:\docume~1\gm\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    StartupFolder: c:\docume~1\gm\startm~1\programs\startup\later\pandora.lnk - c:\program files\pandora\Pandora.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\later\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\later\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\later\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\later\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\later\shortc~1.lnk - c:\program files\processexplorer\procexp.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\later\wiresh~1.lnk - c:\program files\wireshark\wireshark.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
    IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim95\aim.exe
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\MSMSGS.EXE
    IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
    IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
    IE: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - {4C171D40-8277-11D5-AD55-00010333D0AD} - c:\program files\yahoo!\messenger\yhexbmes0521.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.8.1/GarminAxControl.CAB
    DPF: Microsoft WFC Forms Designer - file://d:\vj98\wfcforms.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: Visual Studio 6 Extensibility Libraries - file://d:\vj98\vstudio6.cab
    DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB
    DPF: {00000161-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/msaudio.cab
    DPF: {0348CD18-6EFE-415B-AF32-58F08FA29B33}
    DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    DPF: {33363249-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/i263_32.cab
    DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
    DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
    DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6}
    DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1271962936562
    DPF: {88D969C0-F192-11D4-A65F-0040963251E5} - hxxp://ipgweb.cce.hp.com/rdqna/downloads/msxml4.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://floridakeysmedia.tv/axiscam/Codebase/AxisCamControl.ocx
    DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37862.531087963
    DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B}
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6}
    Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
    Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
    Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - c:\program files\microsoft activesync\AATP.DLL
    WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
    WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
    WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
    WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
    WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
    WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
    Hosts: 127.0.0.1 www.spywareinfo.com

    ============= SERVICES / DRIVERS ===============

    R2 agentcd;DriverAgent Class Driver;c:\windows\system32\AgentCD.sys [2002-6-19 196096]
    R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2006-9-3 105632]
    R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2006-9-3 105632]
    R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2009-4-6 712048]
    R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2009-4-6 712048]
    R2 Mojave;Dazzle Mojave Device;c:\windows\system32\drivers\Mojave.sys [2002-6-19 119276]
    R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
    R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2008-3-15 1251720]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-5 99376]
    R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20080924.003\NAVENG.SYS [2008-9-24 89104]
    R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20080924.003\NAVEX15.SYS [2008-9-24 873552]
    R3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [2009-7-2 144768]
    R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [2009-7-2 545088]
    S2 APCPBEServer;APC PBE Server;c:\program files\apc\powerchute business edition\server\pbeserver.exe --> c:\program files\apc\powerchute business edition\server\pbeserver.exe [?]
    S2 gupdate;Google Update Service (gupdate);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
    S3 vtdg46xx;vtdg46xx;c:\progra~1\turtle~1\santac~1\contro~1\vtdg46xx.sys [2009-7-2 19232]

    =============== Created Last 30 ================

    2010-04-25 18:24:21 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-04-25 18:24:21 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2010-04-25 15:00:40 0 d-sha-r- C:\cmdcons
    2010-04-25 14:59:08 98816 ----a-w- c:\windows\sed.exe
    2010-04-25 14:59:08 77312 ----a-w- c:\windows\MBR.exe
    2010-04-25 14:59:08 261632 ----a-w- c:\windows\PEV.exe
    2010-04-25 14:59:08 161792 ----a-w- c:\windows\SWREG.exe
    2010-04-22 18:48:41 0 d-----w- c:\program files\Trend Micro
    2010-04-22 17:03:39 0 d-----w- c:\windows\pss
    2010-04-20 21:25:05 54156 ---ha-w- c:\windows\QTFont.qfn
    2010-04-20 21:25:05 1409 ----a-w- c:\windows\QTFont.for
    2010-04-19 19:49:05 0 d-----w- c:\program files\SysinternalsSuite
    2010-04-19 16:09:31 0 d-----w- c:\program files\Wireshark
    2010-04-18 22:01:30 0 d-----w- c:\program files\WhoIs
    2010-04-18 21:46:24 0 d-----w- c:\program files\RootkitRevealer
    2010-04-18 21:11:08 0 d-----w- c:\program files\Autoruns
    2010-04-17 10:45:49 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files

    ==================== Find3M ====================

    2010-04-25 17:21:58 5888 ----a-w- c:\windows\system32\drivers\DMLOAD.SYS
    2010-02-04 23:25:19 82232 ----a-w- c:\docume~1\gm\applic~1\GDIPFONTCACHEV1.DAT

    ============= FINISH: 13:35:45.87 ===============



    Attach.txt:


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 6/24/2002 3:54:21 PM
    System Uptime: 4/25/2010 1:27:01 PM (0 hours ago)

    Motherboard: Dell Computer Corporation | | Dimension 8200
    Processor: Intel(R) Pentium(R) 4 CPU 2.53GHz | Microprocessor | 2519/133mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 112 GiB total, 35.285 GiB free.
    D: is CDROM (CDFS)
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP2466: 1/25/2010 9:23:53 PM - System Checkpoint
    RP2467: 1/26/2010 9:24:11 PM - System Checkpoint
    RP2468: 1/27/2010 10:24:12 PM - System Checkpoint
    RP2469: 1/28/2010 11:47:50 PM - System Checkpoint
    RP2470: 1/30/2010 12:24:21 AM - System Checkpoint
    RP2471: 1/31/2010 1:24:34 AM - System Checkpoint
    RP2472: 2/1/2010 9:28:12 PM - System Checkpoint
    RP2473: 2/8/2010 1:56:30 PM - System Checkpoint
    RP2474: 2/9/2010 5:40:54 PM - System Checkpoint
    RP2475: 2/11/2010 9:33:16 PM - System Checkpoint
    RP2476: 2/13/2010 12:53:31 AM - System Checkpoint
    RP2477: 2/14/2010 1:43:31 AM - System Checkpoint
    RP2478: 2/15/2010 2:08:36 AM - System Checkpoint
    RP2479: 2/16/2010 2:46:22 AM - System Checkpoint
    RP2480: 2/17/2010 3:03:20 AM - System Checkpoint
    RP2481: 2/18/2010 4:03:22 AM - System Checkpoint
    RP2482: 2/18/2010 3:26:52 PM - Installed H&R Block Deluxe + Efile + State 2009.
    RP2483: 2/18/2010 3:29:53 PM - Installed DeductionPro 2009
    RP2484: 2/21/2010 7:55:48 AM - System Checkpoint
    RP2485: 2/22/2010 10:01:27 AM - System Checkpoint
    RP2486: 2/23/2010 3:36:11 PM - System Checkpoint
    RP2487: 2/24/2010 4:03:28 PM - System Checkpoint
    RP2488: 2/25/2010 5:22:55 PM - System Checkpoint
    RP2489: 2/26/2010 5:37:35 PM - System Checkpoint
    RP2490: 2/27/2010 7:21:38 PM - System Checkpoint
    RP2491: 2/28/2010 7:57:07 PM - System Checkpoint
    RP2492: 3/1/2010 8:19:04 PM - System Checkpoint
    RP2493: 3/2/2010 9:09:26 PM - System Checkpoint
    RP2494: 3/3/2010 9:47:19 PM - System Checkpoint
    RP2495: 3/4/2010 10:47:21 PM - System Checkpoint
    RP2496: 3/5/2010 11:47:21 PM - System Checkpoint
    RP2497: 3/7/2010 12:47:21 AM - System Checkpoint
    RP2498: 3/8/2010 1:47:21 AM - System Checkpoint
    RP2499: 3/9/2010 2:46:15 AM - System Checkpoint
    RP2500: 3/10/2010 2:47:22 AM - System Checkpoint
    RP2501: 3/11/2010 2:58:12 AM - System Checkpoint
    RP2502: 3/12/2010 1:54:44 PM - System Checkpoint
    RP2503: 3/13/2010 1:58:58 PM - System Checkpoint
    RP2504: 3/14/2010 3:01:02 PM - System Checkpoint
    RP2505: 3/15/2010 4:04:15 PM - System Checkpoint
    RP2506: 3/16/2010 4:10:14 PM - System Checkpoint
    RP2507: 3/17/2010 8:36:58 PM - System Checkpoint
    RP2508: 3/19/2010 10:16:20 AM - System Checkpoint
    RP2509: 3/21/2010 3:54:32 PM - System Checkpoint
    RP2510: 3/22/2010 5:00:37 PM - System Checkpoint
    RP2511: 3/24/2010 5:24:08 PM - System Checkpoint
    RP2512: 3/25/2010 6:05:07 PM - System Checkpoint
    RP2513: 3/26/2010 8:01:32 PM - System Checkpoint
    RP2514: 3/28/2010 7:07:49 PM - System Checkpoint
    RP2515: 3/29/2010 7:48:47 PM - System Checkpoint
    RP2516: 3/30/2010 8:19:10 PM - System Checkpoint
    RP2517: 3/31/2010 9:15:17 PM - System Checkpoint
    RP2518: 4/1/2010 9:48:44 PM - System Checkpoint
    RP2519: 4/2/2010 10:03:19 PM - System Checkpoint
    RP2520: 4/3/2010 11:20:19 PM - System Checkpoint
    RP2521: 4/4/2010 12:30:01 PM - Installed H&R Block Missouri 2009.
    RP2522: 4/5/2010 7:14:54 PM - System Checkpoint
    RP2523: 4/6/2010 11:39:52 PM - System Checkpoint
    RP2524: 4/8/2010 11:47:04 AM - System Checkpoint
    RP2525: 4/9/2010 11:53:14 AM - System Checkpoint
    RP2526: 4/10/2010 12:13:16 PM - System Checkpoint
    RP2527: 4/11/2010 1:01:18 PM - System Checkpoint
    RP2528: 4/12/2010 1:50:47 PM - System Checkpoint
    RP2529: 4/13/2010 4:57:31 PM - System Checkpoint
    RP2530: 4/14/2010 5:27:20 PM - System Checkpoint
    RP2531: 4/15/2010 6:30:30 PM - System Checkpoint
    RP2532: 4/17/2010 10:04:17 AM - System Checkpoint
    RP2533: 4/18/2010 12:28:44 PM - System Checkpoint
    RP2534: 4/19/2010 5:40:02 PM - System Checkpoint
    RP2535: 4/20/2010 10:09:01 PM - System Checkpoint
    RP2536: 4/22/2010 1:48:40 PM - Installed HiJackThis
    RP2537: 4/24/2010 2:00:25 AM - System Checkpoint
    RP2538: 4/25/2010 2:34:19 AM - System Checkpoint
    RP2539: 4/25/2010 1:06:24 PM - Removed J2SE Runtime Environment 5.0 Update 7
    RP2540: 4/25/2010 1:09:51 PM - Removed Java(TM) SE Runtime Environment 6 Update 1
    RP2541: 4/25/2010 1:16:48 PM - Removed Adobe Reader 7.0.8
    RP2542: 4/25/2010 1:18:45 PM - Removed Shockwave Player
    RP2543: 4/25/2010 1:23:47 PM - Installed Java(TM) 6 Update 20

    ==== Installed Programs ======================

    ABBYY FineReader 5.0 Sprint
    Adobe AIR
    Adobe Download Manager 1.2 (Remove Only)
    Adobe Photoshop Album 2.0 Starter Edition
    Adobe Photoshop Elements 2.0
    AOL Instant Messenger
    APC PowerChute Business Edition Agent
    APC PowerChute Business Edition Console
    APC PowerChute Business Edition Server
    AppCore
    Atomic Clock Sync
    AV
    Borland C++ 5.02
    ccCommon
    CDMaster32
    CreativeProjects
    CreativeProjectsTemplates
    CueTour
    DeductionPro 2003
    DeductionPro 2004-05
    DeductionPro 2005-06
    DeductionPro 2006
    DeductionPro 2007
    DeductionPro 2008
    DeductionPro 2009
    Dell | Support
    Dell Picture Studio - Image Expert 2000
    Dell Solution Center
    DellTouch
    Destinations
    Director
    DivX Codec
    Easy CD Creator 5 Basic
    EPSON Copy Utility
    EPSON Photo Print
    EPSON Scan
    EPSON Smart Panel
    ERUNT 1.1j
    Family Lawyer 2000
    Forté Agent
    GanttProject 2.0.9
    Garmin City Navigator North America NT 2010.10 Update
    Garmin POI Loader
    Google Earth
    Google Toolbar for Internet Explorer
    Google Update Helper
    GoToMeeting 4.0.0.320
    H&R Block Deluxe + Efile + State 2009
    H&R Block Missouri 2009
    Help and Support Customization
    HiJackThis
    HP Deskjet 6800
    HP Diagnostic Assistant
    HP Photo & Imaging 4.1
    HP Update
    HPSystemDiagnostics
    IE2K
    InstantShare
    Intel Processor Frequency ID Utility
    InterActual Player
    iolo technologies' Search and Recover
    Island Hopper Scenario A
    Java Auto Updater
    Java(TM) 6 Update 20
    Legal Search
    LiveUpdate 3.1 (Symantec Corporation)
    LiveUpdate Notice (Symantec Corporation)
    Lucent Win Modem
    MapSource
    MapSource - City Select North America v7
    MGI VideoWave 4
    Microsoft .NET Framework 1.1
    Microsoft ActiveSync 3.7
    Microsoft Assembler Version 6.15
    Microsoft Data Access Components KB870669
    Microsoft FrontPage 2002
    Microsoft Interactive Training
    Microsoft Money 2005
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Office XP Media Content
    Microsoft Office XP Professional
    Microsoft Publisher 2002
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual J++ 6.0
    Microsoft Visual Studio 6.0 Professional Edition
    MindSpring PipeLine+ 2.60-32
    Miro
    Modem Helper
    Movie Studio 2 Hardware
    MSDN Library - Visual Studio 6.0a
    MSN Add-in for Windows Messenger
    MSN Music Assistant
    MSRedist
    MUSICMATCH Jukebox
    MyDVD
    News Rover
    Norton AntiVirus
    Norton Confidential Browser Component
    Norton Confidential Web Protection Component
    Norton Internet Security
    Norton Internet Security (Symantec Corporation)
    Norton Protection Center
    NVIDIA Windows 2000/XP Display Drivers
    Overland
    Pandora
    Pdf995 (installed by TaxCut)
    PdfEdit995 (installed by TaxCut)
    PhoneTools
    PowerChute plus 5.2
    PowerDVD
    Presto! BizCard 4.1 Eng
    PrintScreen
    QFolder
    QuickProjects
    QuickTime
    RealPlayer
    Realtek RTL8139 Diagnostics Program
    Santa Cruz
    ScanToWeb
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899589)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905495)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB914798)
    Security Update for Windows XP (KB917159)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB917537)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921398)
    Security Update for Windows XP (KB921883)
    Security Update for Windows XP (KB922616)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB924191)
    Security Update for Windows XP (KB924496)
    SkinsHP1
    SmartDraw 7 Trial Edition
    SPBBC 32bit
    Spybot - Search & Destroy
    SpywareBlaster v3.2
    Street Atlas USA 4.0
    Symantec KB-DocID:2003093015493306
    Symantec Real Time Storage Protection Component
    Symantec Technical Support Web Controls
    SymNet
    TaxCut 2003
    TaxCut 2004
    TaxCut Deluxe 2005
    TaxCut Missouri 2007
    TaxCut Missouri 2008
    TaxCut Premium + State + Efile 2008
    TaxCut Premium + State 2007
    TaxCut Premium 2006
    TD AMERITRADE StrategyDesk 1.2
    TD AMERITRADE StrategyDesk 1.3
    TD AMERITRADE StrategyDesk 2.0
    TD AMERITRADE StrategyDesk 2.1
    TD AMERITRADE StrategyDesk 2.2
    TD AMERITRADE StrategyDesk 2.3
    TD AMERITRADE StrategyDesk 3.3_2 (C:\Program Files\TD AMERITRADE\StrategyDesk)
    TD AMERITRADE StrategyDesk 3.4_3 (C:\Program Files\TD AMERITRADE\StrategyDesk)
    The Plain-Language Law Dictionary
    TrayApp
    Update for Windows XP (KB835409)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB908531)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB911280)
    VBA & Macros for Excel Project Files
    VideoLAN VLC media player 0.7.2
    Viewpoint Manager (Remove Only)
    Viewpoint Media Player (Remove Only)
    vr3d
    WeatherBug
    WebEx
    WebFldrs XP
    WebReg
    Windows Installer 3.1 (KB893803)
    Windows Installer Clean Up
    Windows Media Format Runtime
    Windows Media Player 10
    Windows Media Player Hotfix [See wm828026 for more information]
    Windows XP Hotfix - KB810217
    Windows XP Hotfix - KB823182
    Windows XP Hotfix - KB824105
    Windows XP Hotfix - KB824141
    Windows XP Hotfix - KB824146
    Windows XP Hotfix - KB824151
    Windows XP Hotfix - KB825119
    Windows XP Hotfix - KB826939
    Windows XP Hotfix - KB828028
    Windows XP Hotfix - KB828035
    Windows XP Hotfix - KB828741
    Windows XP Hotfix - KB835732
    Windows XP Hotfix - KB837001
    Windows XP Hotfix - KB839643
    Windows XP Hotfix - KB839645
    Windows XP Hotfix - KB840315
    Windows XP Hotfix - KB840374
    Windows XP Hotfix - KB841873
    Windows XP Hotfix - KB842773
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB891781
    Windows XP Hotfix - KB892944
    Windows XP Hotfix - KB911567
    Windows XP Hotfix - KB918439
    Windows XP Hotfix - KB918899
    Windows XP Hotfix - KB925486
    Windows XP Hotfix (SP2) Q811114
    Windows XP Hotfix (SP2) Q819696
    Windows XP Service Pack 1a
    WinMX
    WinPcap 4.1.1
    WinZip
    Wireshark 1.2.7
    XviD MPEG-4 Video Codec
    Yahoo! Install Manager
    Yahoo! Internet Mail
    Yahoo! Messenger
    Yahoo! Messenger Explorer Bar

    ==== Event Viewer Messages From Past Week ========

    4/25/2010 7:26:43 AM, error: Service Control Manager [7000] - The iolo FileInfoList Service service failed to start due to the following error: The executable program that this service is configured to run in does not implement the service.
    4/25/2010 5:55:20 AM, error: Service Control Manager [7001] - The Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) service depends on the Remote Access Connection Manager service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    4/25/2010 5:12:19 AM, error: Service Control Manager [7000] - The wscsvc service failed to start due to the following error: The executable program that this service is configured to run in does not implement the service.
    4/25/2010 2:57:26 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    4/25/2010 2:56:28 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    4/25/2010 2:50:54 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: eeCtrl FileDisk Fips Processor SPBBCDrv SRTSPL SRTSPX SYMTDI
    4/25/2010 2:50:54 AM, error: Service Control Manager [7001] - The World Wide Web Publishing service depends on the IIS Admin service which failed to start because of the following error: The dependency service or group failed to start.
    4/25/2010 2:50:54 AM, error: Service Control Manager [7001] - The Simple Mail Transfer Protocol (SMTP) service depends on the IIS Admin service which failed to start because of the following error: The dependency service or group failed to start.
    4/25/2010 2:50:54 AM, error: Service Control Manager [7001] - The FTP Publishing service depends on the IIS Admin service which failed to start because of the following error: The dependency service or group failed to start.
    4/25/2010 2:49:13 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    4/22/2010 6:08:15 AM, error: Service Control Manager [7001] - The World Wide Web Publishing service depends on the IIS Admin service which failed to start because of the following error: The executable program that this service is configured to run in does not implement the service.
    4/22/2010 6:08:15 AM, error: Service Control Manager [7001] - The Simple Mail Transfer Protocol (SMTP) service depends on the IIS Admin service which failed to start because of the following error: The executable program that this service is configured to run in does not implement the service.
    4/22/2010 6:08:15 AM, error: Service Control Manager [7001] - The FTP Publishing service depends on the IIS Admin service which failed to start because of the following error: The executable program that this service is configured to run in does not implement the service.
    4/22/2010 6:08:15 AM, error: Service Control Manager [7000] - The IIS Admin service failed to start due to the following error: The executable program that this service is configured to run in does not implement the service.
    4/20/2010 8:40:35 AM, error: BROWSER [8007] - The browser was unable to update the service status bits. The data is the error.
    4/20/2010 4:50:56 PM, information: Windows File Protection [64017] - Windows File Protection file scan completed successfully.
    4/20/2010 4:39:28 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\oembios.sig has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 0.0.0.1.
    4/20/2010 4:39:28 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\oembios.dat has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 0.0.0.1.
    4/20/2010 4:39:28 PM, information: Windows File Protection [64004] - The protected system file c:\windows\system32\oembios.sig could not be restored to its original, valid version. The file version of the bad file is 0.0.0.1 The specific error code is 0x800b0100 [No signature was present in the subject. ].
    4/20/2010 4:39:28 PM, information: Windows File Protection [64004] - The protected system file c:\windows\system32\oembios.dat could not be restored to its original, valid version. The file version of the bad file is 0.0.0.1 The specific error code is 0x800b0100 [No signature was present in the subject. ].
    4/20/2010 4:39:27 PM, information: Windows File Protection [64004] - The protected system file c:\windows\system32\oembios.bin could not be restored to its original, valid version. The file version of the bad file is 0.0.0.1 The specific error code is 0x800b0100 [No signature was present in the subject. ].
    4/20/2010 4:39:26 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\oembios.bin has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 0.0.0.1.
    4/20/2010 4:38:52 PM, information: Windows File Protection [64016] - Windows File Protection file scan was started.
    4/20/2010 4:37:55 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Automatic LiveUpdate Scheduler service to connect.
    4/20/2010 4:37:55 AM, error: Service Control Manager [7003] - The SRTSP service depends on the following nonexistent service: FltMgr
    4/20/2010 4:37:55 AM, error: Service Control Manager [7000] - The Google Update Service (gupdate) service failed to start due to the following error: The system cannot find the path specified.
    4/20/2010 4:37:55 AM, error: Service Control Manager [7000] - The Automatic LiveUpdate Scheduler service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    4/20/2010 4:37:55 AM, error: Service Control Manager [7000] - The APC PBE Server service failed to start due to the following error: The system cannot find the file specified.
    4/20/2010 4:36:55 AM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
    4/20/2010 4:36:55 AM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
    4/20/2010 4:15:13 AM, error: Dhcp [1002] - The IP address lease 192.168.1.102 for the Network Card with network address 929526FAAD7B has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
    4/20/2010 3:03:40 PM, error: DCOM [10009] - DCOM was unable to communicate with the computer D using any of the configured protocols.
    4/19/2010 9:36:22 AM, error: Dhcp [1002] - The IP address lease 192.168.1.100 for the Network Card with network address 929526FAAD7B has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
    4/19/2010 8:04:15 AM, error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.1.100 with the system having network hardware address 00:18:DE:86:97:A9. Network operations on this system may be disrupted as a result.
    4/19/2010 6:13:36 AM, error: Dhcp [1002] - The IP address lease 192.168.1.104 for the Network Card with network address 929526FAAD7B has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
    4/19/2010 2:26:11 PM, error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.1.102 with the system having network hardware address 00:25:A0:70:AA:E9. Network operations on this system may be disrupted as a result.
    4/19/2010 10:45:07 AM, error: DCOM [10002] - Access denied attempting to launch a DCOM Server. The server is: {0C0A3666-30C9-11D0-8F20-00805F2CD064} The user is IWAM_DMAIN/DMAIN, SID=S-1-5-21-4212676017-2704639424-2437969446-1008.
    4/19/2010 10:22:34 AM, error: Service Control Manager [7023] - The Machine Debug Manager service terminated with the following error: The class is configured to run as a security id different from the caller
    4/18/2010 5:00:49 PM, error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.1.100 with the system having network hardware address 00:90:4B:F5:A0:69. Network operations on this system may be disrupted as a result.
    4/18/2010 4:30:50 AM, error: Service Control Manager [7023] - The Google Update Service (gupdate) service terminated with the following error: The class is configured to run as a security id different from the caller
    4/18/2010 3:36:29 AM, error: Dhcp [1002] - The IP address lease 192.168.1.105 for the Network Card with network address 929526FAAD7B has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
    4/18/2010 2:16:56 PM, error: Service Control Manager [7005] - The RpcImpersonateClient call failed with the following error: No security context is available to allow impersonation.

    ==== End Of File ===========================



    GMER report:

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-04-25 13:44:34
    Windows 5.1.2600 Service Pack 1
    Running: 35wodyyo.exe; Driver: C:\DOCUME~1\gm\LOCALS~1\Temp\axtdapod.sys


    ---- System - GMER 1.0.15 ----

    SSDT 86E74A50 ZwAlertResumeThread
    SSDT 870918B8 ZwAlertThread
    SSDT 87044DA0 ZwAllocateVirtualMemory
    SSDT 87068FB0 ZwConnectPort
    SSDT \??\C:\WINDOWS\System32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xADC83EB0]
    SSDT 86E507C0 ZwCreateMutant
    SSDT 871463D0 ZwCreateThread
    SSDT \??\C:\WINDOWS\System32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xADC84130]
    SSDT \??\C:\WINDOWS\System32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xADC84690]
    SSDT 87056CC8 ZwFreeVirtualMemory
    SSDT 86F57448 ZwImpersonateAnonymousToken
    SSDT 86E76E78 ZwImpersonateThread
    SSDT 871F0BA8 ZwMapViewOfSection
    SSDT 86E6ABE8 ZwOpenEvent
    SSDT 86E76A50 ZwOpenProcessToken
    SSDT 86DCEA58 ZwOpenThreadToken
    SSDT 86DE9C48 ZwResumeThread
    SSDT 8718FAF0 ZwSetContextThread
    SSDT 86DBBA18 ZwSetInformationProcess
    SSDT 87129AB8 ZwSetInformationThread
    SSDT \??\C:\WINDOWS\System32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xADC848E0]
    SSDT 86E68A50 ZwSuspendProcess
    SSDT 86F1BE78 ZwSuspendThread
    SSDT 86F04E78 ZwTerminateProcess
    SSDT 870B47C0 ZwTerminateThread
    SSDT 8700A818 ZwUnmapViewOfSection
    SSDT 87054AE8 ZwWriteVirtualMemory

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntoskrnl.exe!_abnormal_termination + 20E 804DE7C0 4 Bytes CALL EFD4CE70
    .text ntoskrnl.exe!_abnormal_termination + 24A 804DE7FC 4 Bytes JMP 5B8586DC
    .text ntoskrnl.exe!_abnormal_termination + 49A 804DEA4C 4 Bytes CALL 34D4EF9B
    .rsrc C:\WINDOWS\system32\drivers\dmload.sys entry point in ".rsrc" section [0xF7A36114]
    .text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xF259E340, 0xFFF3F, 0xF8000020]
    .text C:\WINDOWS\System32\nv4_disp.dll section is writeable [0xBF9B8300, 0x234A20, 0xF8000020]
    ? C:\WINDOWS\System32\Drivers\PROCEXP141.SYS The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\System32\svchost.exe[1240] ntdll.dll!NtProtectVirtualMemory 77F5BCC8 5 Bytes JMP 006C000A
    .text C:\WINDOWS\System32\svchost.exe[1240] ntdll.dll!NtWriteVirtualMemory 77F5C588 5 Bytes JMP 006D000A
    .text C:\WINDOWS\System32\svchost.exe[1240] ntdll.dll!KiUserExceptionDispatcher 77F75DAC 5 Bytes JMP 0066000C
    .text C:\WINDOWS\System32\svchost.exe[1240] ole32.dll!CoCreateInstance 4FEDF9E6 5 Bytes JMP 00FE000B
    .text C:\WINDOWS\System32\svchost.exe[1240] USER32.dll!GetCursorPos 77D48DF4 5 Bytes JMP 00FF000B
    .text C:\WINDOWS\Explorer.EXE[1960] ntdll.dll!NtProtectVirtualMemory 77F5BCC8 5 Bytes JMP 0097000A
    .text C:\WINDOWS\Explorer.EXE[1960] ntdll.dll!NtWriteVirtualMemory 77F5C588 5 Bytes JMP 0098000A
    .text C:\WINDOWS\Explorer.EXE[1960] ntdll.dll!KiUserExceptionDispatcher 77F75DAC 5 Bytes JMP 0096000C
    .text C:\Program Files\internet explorer\iexplore.exe[2900] ntdll.dll!NtProtectVirtualMemory 77F5BCC8 5 Bytes JMP 00A5000A
    .text C:\Program Files\internet explorer\iexplore.exe[2900] ntdll.dll!NtWriteVirtualMemory 77F5C588 5 Bytes JMP 00A6000A
    .text C:\Program Files\internet explorer\iexplore.exe[2900] ntdll.dll!KiUserExceptionDispatcher 77F75DAC 5 Bytes JMP 00A4000C

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

    Device -> \Driver\atapi \Device\Harddisk0\DR0 872EFAC8

    ---- Files - GMER 1.0.15 ----

    File C:\WINDOWS\system32\drivers\dmload.sys suspicious modification
    File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

    ---- EOF - GMER 1.0.15 ----

  4. #14
    Emeritus- Malware Team
    Join Date
    Apr 2010
    Posts
    29


    Blade81,

    Below is the Kaspersky report. My previous post contains the other reports that you requested.

    I hope you got a good night's rest. You seem to work long hours here!

    Thanks again,

    George


    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Sunday, April 25, 2010
    Operating system: Microsoft Windows XP Professional Service Pack 1 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Sunday, April 25, 2010 17:10:26
    Records in database: 3980805
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    A:\
    C:\
    D:\
    E:\

    Scan statistics:
    Objects scanned: 161075
    Threats found: 8
    Infected objects found: 18
    Suspicious objects found: 4
    Scan duration: 04:28:12


    File name / Threat / Threats count
    C:\Documents and Settings\gm\Local Settings\Application Data\avebad.exe.xxx Infected: Packed.Win32.Katusha.j 1
    C:\Documents and Settings\gm\Local Settings\Application Data\Microsoft\Outlook\OldOutlook.pst Infected: Trojan-Spy.HTML.Citifraud.ai 5
    C:\Documents and Settings\gm\Local Settings\Application Data\Microsoft\Outlook\OldOutlook.pst Infected: Trojan-Spy.HTML.Citifraud.ae 1
    C:\Documents and Settings\gm\Local Settings\Application Data\Microsoft\Outlook\OldOutlook.pst Infected: Trojan-Spy.HTML.Bankfraud.u 1
    C:\Documents and Settings\gm\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Infected: Trojan-Spy.HTML.Citifraud.ai 5
    C:\Documents and Settings\gm\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Infected: Trojan-Spy.HTML.Citifraud.ae 1
    C:\Documents and Settings\gm\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Infected: Trojan-Spy.HTML.Bankfraud.u 1
    C:\Eudora\mambaman\In.mbx Suspicious: Exploit.HTML.Iframe.FileDownload 1
    C:\Eudora\Trash.mbx Suspicious: Exploit.HTML.Iframe.FileDownload 3
    C:\Program Files\AWS\WeatherBug\WeatherBugInstall.exe Infected: not-a-virus:AdWare.Win32.MyWay.j 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\DMLOAD.SYS.vir Infected: Rootkit.Win32.TDSS.ap 1
    C:\WINDOWS\SYSTEM32\Macromed\AUTHORWA\NP32ASW\AW65\cCopyFile.u32 Infected: Trojan.Win32.Genome.dkpu 1

    Selected area has been scanned.

  5. #15
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Hi,

    Click Start -> Run, type cmd.exe and press Enter. Copy and paste the following code box content into the command prompt window (the window will close itself when finished):
    Code:
    copy %systemroot%\system32\drivers\dmload.sys %systemroot%
    echo copy dmload.sys system32\drivers>%systemroot%\fix.bat
    echo del dmload.sys>>%systemroot%\fix.bat
    exit
    cls
    The next steps should be printed out, since you won't be able to access them from the Recovery Console.

    1. Restart your computer
    2. Before Windows loads, you will be prompted to choose which Operating System to start
    3. Use the up and down arrow keys to select Microsoft Windows Recovery Console
    4. You must enter which Windows installation to log onto. Type 2 and press enter.
    5. At the C:\Windows prompt, type the following bolded text, and press Enter:

    batch fix.bat

    6. At the next prompt, type the following bolded text, and press Enter:

    exit

    Windows will now begin loading. Run GMER again and post back its report.
    Last edited by Blade81; 2010-04-26 at 15:08.

  6. #16
    Emeritus- Malware Team
    Join Date
    Apr 2010
    Posts
    29


    Blade81,

    When prompted to enter the installation number I entered 2 and pressed the Enter key. The Recovery Console then responded with "Invalid selection. Please select a valid installation number." and once again prompted for an installation number to be entered. I entered 2 again and got the same response.

    I'm still at that point on the infected box. Next step?

    George

  7. #17
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Does it let you enter 1?

  8. #18
    Emeritus- Malware Team
    Join Date
    Apr 2010
    Posts
    29


    Blade81,

    1 worked. The GMER report follows.

    George

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-04-26 08:41:03
    Windows 5.1.2600 Service Pack 1
    Running: 35wodyyo.exe; Driver: C:\DOCUME~1\gm\LOCALS~1\Temp\axtdapod.sys


    ---- System - GMER 1.0.15 ----

    SSDT 870CE058 ZwAlertResumeThread
    SSDT 87091058 ZwAlertThread
    SSDT 872DA688 ZwAllocateVirtualMemory
    SSDT 8717A810 ZwConnectPort
    SSDT \??\C:\WINDOWS\System32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xEC58AEB0]
    SSDT 871B2070 ZwCreateMutant
    SSDT 871AB9C0 ZwCreateThread
    SSDT \??\C:\WINDOWS\System32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xEC58B130]
    SSDT \??\C:\WINDOWS\System32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xEC58B690]
    SSDT 860DDF78 ZwFreeVirtualMemory
    SSDT 870D0058 ZwImpersonateAnonymousToken
    SSDT 870B9058 ZwImpersonateThread
    SSDT 872836D8 ZwMapViewOfSection
    SSDT 87361058 ZwOpenEvent
    SSDT 871A5DE8 ZwOpenProcessToken
    SSDT 873A0788 ZwOpenThreadToken
    SSDT 8726C1D0 ZwResumeThread
    SSDT 8726B058 ZwSetContextThread
    SSDT 871B27D0 ZwSetInformationProcess
    SSDT 87181218 ZwSetInformationThread
    SSDT \??\C:\WINDOWS\System32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xEC58B8E0]
    SSDT 870AA058 ZwSuspendProcess
    SSDT 870CB1E8 ZwSuspendThread
    SSDT 8715F118 ZwTerminateProcess
    SSDT 8715F3C8 ZwTerminateThread
    SSDT 870A6E78 ZwUnmapViewOfSection
    SSDT 87177298 ZwWriteVirtualMemory

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntoskrnl.exe!_abnormal_termination + 142 804DE6F4 2 Bytes [30, B1]
    .text ntoskrnl.exe!_abnormal_termination + 145 804DE6F7 1 Byte [EC]
    .text ntoskrnl.exe!_abnormal_termination + 232 804DE7E4 4 Bytes CALL 31D50246
    .text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xF6B3F340, 0xFFF3F, 0xF8000020]
    .text C:\WINDOWS\System32\nv4_disp.dll section is writeable [0xBF9B8300, 0x234A20, 0xF8000020]
    ? C:\WINDOWS\System32\Drivers\PROCEXP141.SYS The system cannot find the file specified. !

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    Device \FileSystem\Fastfat \Fat B7F85143

    AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

    ---- EOF - GMER 1.0.15 ----
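
A first-pass triage of a GMER log like the one George posted, as an added example (not GMER's own code and not a tool anyone in the thread posted): it separates SSDT entries GMER attributed to a named driver image from those it printed only as an address, lists inline patches in kernel code, and flags a driver whose file GMER could not open on disk, so the helper knows what still has to be accounted for by software known to be installed. SAMPLE_LOG is a constructed excerpt in the same line format as the log above; the vendor allow-list default is an assumption for the example.

```python
"""Triage helper for a GMER 1.0.15 rootkit-scan log.

Added example: not GMER's code and not posted in the thread. SAMPLE_LOG is a
constructed excerpt in the line format of the scan above.
"""
import re
from collections import Counter

# Constructed excerpt (same format as the posted log; not the full scan).
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT 870CE058 ZwAlertResumeThread
SSDT \??\C:\WINDOWS\System32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xEC58AEB0]
SSDT 871B2070 ZwCreateMutant
SSDT \??\C:\WINDOWS\System32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xEC58B8E0]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 142 804DE6F4 2 Bytes [30, B1]
.text ntoskrnl.exe!_abnormal_termination + 232 804DE7E4 4 Bytes CALL 31D50246
.text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xF6B3F340, 0xFFF3F, 0xF8000020]
? C:\WINDOWS\System32\Drivers\PROCEXP141.SYS The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
"""

# Line shapes seen in the log: hook printed as a bare address, hook attributed to
# a driver image, inline code patch, writeable code section, missing file, filter.
SSDT_BARE = re.compile(r"^SSDT\s+([0-9A-F]{8})\s+(Zw\w+)$")
SSDT_MOD = re.compile(r"^SSDT\s+(\S+)\s+\((.+?)\)\s+(Zw\w+)\s+\[0x([0-9A-F]+)\]$")
PATCH = re.compile(r"^\.text\s+(\S+)\s+\+\s+([0-9A-F]+)\s+([0-9A-F]{8})\s+(\d+)\s+Bytes?\s+(.*)$")
WRITEABLE = re.compile(r"^\.text\s+(\S+)\s+section is writeable")
MISSING = re.compile(r"^\?\s+(\S+)\s+The system cannot find the file specified")
ATTACHED = re.compile(r"^AttachedDevice\s+(\S+)\s+(\S+)\s+(\S+)\s+\((.+)\)$")


def parse_gmer(text):
    """Parse the log into lists of SSDT hooks, inline patches, writeable sections,
    missing driver files and attached filter devices."""
    report = {"ssdt": [], "patches": [], "writeable": [], "missing": [], "attached": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue
        m = SSDT_BARE.match(line)
        if m:  # GMER printed only the hook address, no owning module
            report["ssdt"].append({"service": m.group(2), "target": int(m.group(1), 16),
                                   "module": None, "vendor": None})
            continue
        m = SSDT_MOD.match(line)
        if m:  # hook attributed to a driver image; "(description/vendor)" follows the path
            _, _, vendor = m.group(2).rpartition("/")
            report["ssdt"].append({"service": m.group(3), "target": int(m.group(4), 16),
                                   "module": m.group(1).rsplit("\\", 1)[-1], "vendor": vendor})
            continue
        m = PATCH.match(line)
        if m:
            report["patches"].append({"symbol": m.group(1), "offset": int(m.group(2), 16),
                                      "address": int(m.group(3), 16), "size": int(m.group(4)),
                                      "detail": m.group(5)})
            continue
        m = WRITEABLE.match(line)
        if m:
            report["writeable"].append(m.group(1))
            continue
        m = MISSING.match(line)
        if m:
            report["missing"].append(m.group(1))
            continue
        m = ATTACHED.match(line)
        if m:
            _, _, vendor = m.group(4).rpartition("/")
            report["attached"].append({"device": m.group(2), "driver": m.group(3), "vendor": vendor})
    return report


def hooks_by_module(report):
    """Count SSDT hooks per owning driver; key None means 'address only, no module'."""
    return Counter(h["module"] for h in report["ssdt"])


def triage(report, known_vendors=("Symantec Corporation",)):
    """Return the items a helper would still have to account for. known_vendors is
    an assumed allow-list for the security suite the machine is known to run."""
    findings = []
    bare = [h["service"] for h in report["ssdt"] if h["module"] is None]
    if bare:
        findings.append("SSDT entries not attributed to a driver image: " + ", ".join(bare))
    for h in report["ssdt"]:
        if h["module"] and h["vendor"] not in known_vendors:
            findings.append(f"SSDT {h['service']} hooked by {h['module']} ({h['vendor']})")
    for p in report["patches"]:
        findings.append(f"inline patch in {p['symbol']}+0x{p['offset']:X} "
                        f"at 0x{p['address']:08X}: {p['detail']}")
    for path in report["missing"]:
        findings.append(f"driver object refers to a file absent on disk: {path}")
    return findings


if __name__ == "__main__":
    rep = parse_gmer(SAMPLE_LOG)
    print(hooks_by_module(rep))
    for f in triage(rep):
        print("-", f)
```

Hooks that GMER ties to SYMEVENT.SYS are expected on a machine running Norton; the address-only entries, the two-byte and four-byte modifications inside ntoskrnl.exe, and the driver file GMER could not find are the lines to reconcile against what is known to be installed before deciding anything is left over.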

  9. #19
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Good. Let's get back to those earlier results now.


    Show hidden files
    -----------------
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Click Yes to confirm.
    * Click OK.

    Delete this file if found:
    C:\Documents and Settings\gm\Local Settings\Application Data\avebad.exe.xxx

    Then you should check email messages in these two post files and delete suspicious looking messages if found:
    C:\Documents and Settings\gm\Local Settings\Application Data\Microsoft\Outlook\OldOutlook.pst
    C:\Documents and Settings\gm\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst
    C:\Eudora\mambaman\In.mbx
    C:\Eudora\Trash.mbx (probably better to empty this whole trash mailbox)

    What is the issue status now?

  10. #20
    Emeritus- Malware Team
    Join Date
    Apr 2010
    Posts
    29

    Blade81,

    The first thing I noticed was that it’s a lot faster now!

    Going back to my original post:

    Most of the problems have been resolved.

    I can now access the Microsoft Update web page. I assume that updating to SP3 will be a high priority once this thread is closed since that will be a prerequisite to upgrading my AV software.

    I haven’t seen any pop-ups that I had been getting when Googling topics like Spybot or Norton Antivirus.

    I’m no longer seeing any Internet connections to the sites in India and Russia.

    One major annoying problem that I never mentioned has also been resolved; closing IE now results in the termination of the process whereas before the window disappeared but the process remained.

    The problem whereby something tries to change the value of registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer from a DWORD value of x00000091 to a Binary 91 00 00 00 is still present. When I tell TeaTimer to deny the change and remember the decision, the attempt is repeated at 1 second intervals. The log entry is:

    4/26/2010 9:35:05 AM Denied (based on user blacklist) value "NoDriveTypeAutoRun" (new data: "hex:91,00,00,") changed in System Startup user entry!

    Using Process Explorer, it would appear that the Explorer.exe process is the entity that is trying to change the registry entry. I see regular activity in the Explorer.exe process when I let TeaTimer block the change which is attempted at 1 second intervals. That activity basically disappears when I remove the TeaTimer rule and let it prompt me for Allow/Deny. Within the Explorer.exe process, it would appear that the activity is taking place within the thread with start address SHLWAPI.dll!Ordinal541+0xfe.

    The effect of this appears to be that of disabling the autostart function when I load a CD. Compared with the issues that you’ve resolved, this is fairly minor. On the other hand, it would appear to be something that shouldn’t be happening and maybe there are other things happening as well that we’re not seeing.

    Do you have any suggestions?

    George
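
A way to read the TeaTimer line George quoted, as an added example (not Spybot's or TeaTimer's code): it pulls the REG_BINARY payload out of the log line, interprets it as a little-endian DWORD, and decodes which drive types the NoDriveTypeAutoRun bits disable, so the change can be compared bit for bit with the DWORD value of 0x91 the post mentions. The bit meanings are Microsoft's documented ones for NoDriveTypeAutoRun (bit n corresponds to GetDriveType's drive type n; 0x80 covers drives of unknown type); the log line and the 0x91 value are taken from the post.

```python
"""Decode a TeaTimer "NoDriveTypeAutoRun" block entry and compare it with the
current REG_DWORD policy value.

Added example; not TeaTimer's or Spybot's code. The log line and the current
value 0x91 are those quoted in the post above.
"""
import re
import struct

# Bit meanings of NoDriveTypeAutoRun: a set bit disables AutoRun for that drive
# type (GetDriveType numbering); 0x80 covers drives of unknown type.
DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x02: "DRIVE_NO_ROOT_DIR",
    0x04: "DRIVE_REMOVABLE",
    0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE (network)",
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "unknown/reserved drive types",
}

# The REG_DWORD value the post reports as the current one (also XP's stock default).
CURRENT_DWORD = 0x91

# The TeaTimer log line quoted in the post.
TEATIMER_LINE = ('4/26/2010 9:35:05 AM Denied (based on user blacklist) value '
                 '"NoDriveTypeAutoRun" (new data: "hex:91,00,00,") changed in '
                 'System Startup user entry!')

HEX_DATA = re.compile(r'\(new data: "hex:([0-9A-Fa-f,]+)"\)')


def parse_new_data(line):
    """Return the REG_BINARY bytes TeaTimer quoted (it prints a trailing comma)."""
    m = HEX_DATA.search(line)
    if not m:
        raise ValueError("no 'new data: hex:' payload in line")
    return bytes(int(p, 16) for p in m.group(1).split(",") if p)


def binary_as_dword(data):
    """Interpret the bytes as a little-endian DWORD; short payloads are zero-padded."""
    return struct.unpack("<I", data.ljust(4, b"\x00")[:4])[0]


def decode(mask):
    """List the drive types whose AutoRun the mask disables, lowest bit first."""
    return [name for bit, name in sorted(DRIVE_TYPE_BITS.items()) if mask & bit]


def compare(line, current_dword=CURRENT_DWORD):
    """Compare the attempted write with the current DWORD value bit for bit."""
    data = parse_new_data(line)
    new = binary_as_dword(data)
    return {
        "bytes": data.hex(),
        "new_value": new,
        "same_policy": new == current_dword,
        "disabled_now": decode(current_dword),
        "disabled_after": decode(new),
        "cdrom_autorun_disabled": bool(new & 0x20),
    }


if __name__ == "__main__":
    for key, value in compare(TEATIMER_LINE).items():
        print(f"{key}: {value}")
```

Run on the quoted line, the payload 91 00 00 decodes to the same number as the existing DWORD, so the repeated write changes the value's type (REG_DWORD to REG_BINARY) rather than its policy bits, and neither form sets the CD-ROM bit (0x20). That is useful to know when weighing a block rule: TeaTimer will keep reporting the write every time it is retried, but the bit decode tells you what the write would actually alter.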
