Thought I cleared virtumonde and vundo
Stephenwolf
2008-12-17, 00:28
Over the weekend, my browser slowed to a crawl, started popping up random websites and Norton Antivirus would display literally 100 messages stating I was trying to send email I did not actually send. I could immediately recognize these unsent emails as spam. It was like my computer was turned into a spambot. My Spybot told me I had virtumonde and Smitfraud (sp?), and Norton Antivirus was occasionally (not every scan, sometimes popping up a message) telling me it had detected Trojan.Vundo. I have run Combofix and now Spybot says I'm clean. My computer runs fine, but the second I connect to the internet, my traffic skyrockets, all web browsers are incredibly slow and unusable, and I get the Norton messages about blocked emails I never sent. Thank you for any help you can provide, this is my HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:42:57 PM, on 12/15/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Vtune\TBPanel.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\WINDOWS\ALCFDRTM.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\coIEPlg.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [TBPanel] C:\Program Files\Vtune\TBPanel.exe /A
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1224726238432
O16 - DPF: {d27cdb6e-ae6d-11cf-96b8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
O20 - AppInit_DLLs: ygvcxw.dll fbhswm.dll
O20 - Winlogon Notify: ssqnhfdt - C:\WINDOWS\
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus (norton antivirus) - Unknown owner - C:\Program Files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe (file missing)
O23 - Service: Norton Internet Security (norton internet security) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
--
End of file - 4761 bytes
Hi Stephenwolf
Rename HijackThis.exe to Stephenwolf.exe and post back a fresh HijackThis log, please :)
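The log above already carries the two entries a helper would look at first: an O20 AppInit_DLLs line with two unfamiliar DLL names and an O20 Winlogon Notify entry whose "path" is only a directory. The script below is an added example (not part of this thread, and not HijackThis code) that parses such lines and rates them; the excerpted log lines are copied from the post above, and the "generated-looking name" heuristic and severity labels are my own assumptions, not rules the tool applies.

```python
import re

# Subset of the HijackThis log posted above, copied verbatim so the triage runs offline.
HJT_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [TBPanel] C:\Program Files\Vtune\TBPanel.exe /A
O20 - AppInit_DLLs: ygvcxw.dll fbhswm.dll
O20 - Winlogon Notify: ssqnhfdt - C:\WINDOWS\
O23 - Service: Norton AntiVirus (norton antivirus) - Unknown owner - C:\Program Files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify:\s*(\S+)\s+-\s+(.*)$")
SERVICE_RE = re.compile(r"^O23 - Service:\s*(.*?)\s+-\s+(.*?)\s+-\s+(.*)$")
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run:\s*\[([^\]]+)\]\s*(.*)$")

VOWELS = set("aeiouy")


def looks_random(name):
    """Heuristic (assumption): a purely alphabetic stem of 6+ letters with under 20% vowels
    reads like a generated name. A prompt for a lookup, not a verdict: real vendor names
    such as RTHDCPL would trip it too."""
    stem = name.lower().rsplit(".", 1)[0]
    if not stem.isalpha() or len(stem) < 6:
        return False
    return sum(c in VOWELS for c in stem) / len(stem) < 0.2


def finding(line, item, severity, reason):
    return {"line": line, "item": item, "severity": severity, "reason": reason}


def triage_hjt(text):
    """Return the O4/O20/O23 entries that deserve a second look, with a reason for each."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if m := APPINIT_RE.match(line):
            # AppInit_DLLs is loaded into every process that links user32.dll; legitimate use is rare.
            for dll in m.group(1).split():
                reason = "AppInit_DLLs injects this DLL into every user32-linked process"
                if looks_random(dll):
                    reason += "; name looks generated"
                findings.append(finding(line, dll, "high", reason))
        elif m := NOTIFY_RE.match(line):
            name, path = m.groups()
            if not path.lower().endswith(".dll"):
                findings.append(finding(line, name, "high",
                                        "Winlogon Notify package registered without a DLL file in its path"))
            elif looks_random(name):
                findings.append(finding(line, name, "medium", "Winlogon Notify package with generated-looking name"))
        elif m := SERVICE_RE.match(line):
            display, owner, path = m.groups()
            if path.endswith("(file missing)"):
                findings.append(finding(line, display, "medium",
                                        "service points at a binary that no longer exists (stale or removed)"))
        elif m := RUN_RE.match(line):
            hive, name, cmd = m.groups()
            if looks_random(name):
                findings.append(finding(line, name, "medium", f"{hive} Run entry with generated-looking name"))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(HJT_LOG):
        print(f"[{f['severity']}] {f['item']}: {f['reason']}")
```

Run against the excerpt it reports the two AppInit DLLs and the `ssqnhfdt` notify package as high, the missing Norton AntiVirus service binary as medium, and leaves the NVIDIA and TBPanel entries alone. The Norton entry is not malicious here; it is the leftover of the reinstall visible in the ComboFix log, which is exactly why the stale-binary rule rates it medium rather than high.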
Stephenwolf
2008-12-20, 00:26
Let's try this one.
I ran the scan while connected to the internet when I experience all my problems. In the future, does it make a difference if I'm on or offline when I run these scans?
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:20:10 PM, on 12/19/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Vtune\TBPanel.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\WINDOWS\ALCFDRTM.EXE
C:\Program Files\Trend Micro\HijackThis\Stephenwolf.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\coIEPlg.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [TBPanel] C:\Program Files\Vtune\TBPanel.exe /A
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1224726238432
O16 - DPF: {d27cdb6e-ae6d-11cf-96b8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
O20 - AppInit_DLLs: ygvcxw.dll fbhswm.dll
O20 - Winlogon Notify: ssqnhfdt - C:\WINDOWS\
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus (norton antivirus) - Unknown owner - C:\Program Files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe (file missing)
O23 - Service: Norton Internet Security (norton internet security) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
--
End of file - 4795 bytes
No, it doesn't matter :)
Download gmer.zip (http://gmer.net/gmer.zip) and save to your desktop.
alternate download site 1 (http://hype.free.googlepages.com/gmer.zip)
alternate download site 2 (http://www.castlecops.com/downloads-file-546.html)
Unzip/extract the file to its own folder. (Click here (http://www.bleepingcomputer.com/tutorials/tutorial105.html) for information on how to do this if not sure. Win 2000 users click here (http://www.bleepingcomputer.com/tutorials/tutorial106.html).)
When you have done this, disconnect from the Internet and close all running programs.
There is a small chance this application may crash your computer so save any work you have open.
Double-click on Gmer.exe to start the program.
Allow the gmer.sys driver to load if asked.
If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
Click on "Settings", then check the first five settings:
*System Protection and Tracing
*Processes
*Save created processes to the log
*Drivers
*Save loaded drivers to the log
You will be prompted to restart your computer. Please do so.
Run Gmer again and click on the Rootkit tab.
Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
Click on "Scan" and wait for the scan to finish.
Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
Note: If you have any problems, try running GMER in SAFE MODE (http://www.bleepingcomputer.com/forums/tutorial61.html)
Important! Please do not select the "Show all" checkbox during the scan.
Stephenwolf
2008-12-20, 15:23
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-12-20 07:12:55
Windows 5.1.2600 Service Pack 3
---- System - GMER 1.0.14 ----
SSDT 89BD1118 ZwAlertResumeThread
SSDT 899F01B0 ZwAlertThread
SSDT 89CBE918 ZwAllocateVirtualMemory
SSDT 89CED148 ZwAssignProcessToJobObject
SSDT 89CF1590 ZwConnectPort
SSDT \SystemRoot\System32\drivers\af3f0e1d.sys ZwCreateEvent [0xBAB10095]
SSDT \SystemRoot\System32\drivers\af3f0e1d.sys ZwCreateKey [0xBAB0E185]
SSDT 89BB6F80 ZwCreateMutant
SSDT 89AC10D8 ZwCreateSymbolicLinkObject
SSDT 899220C0 ZwCreateThread
SSDT 899D4E10 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xB6E272A0] <-- ROOTKIT !!!
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB6E27800] <-- ROOTKIT !!!
SSDT 89ABBD68 ZwDuplicateObject
SSDT 89B34F00 ZwFreeVirtualMemory
SSDT 899AB1A8 ZwImpersonateAnonymousToken
SSDT 89AEFF70 ZwImpersonateThread
SSDT 89CF44C8 ZwLoadDriver
SSDT 89B34D60 ZwMapViewOfSection
SSDT 89B2BE30 ZwOpenEvent
SSDT \SystemRoot\System32\drivers\af3f0e1d.sys ZwOpenKey [0xBAB0E239]
SSDT 89ADAC38 ZwOpenProcess
SSDT 89AFDA88 ZwOpenProcessToken
SSDT 89C20CA0 ZwOpenSection
SSDT 89ABBEF8 ZwOpenThread
SSDT 89AD74D8 ZwProtectVirtualMemory
SSDT 89AD4990 ZwResumeThread
SSDT 89AF2920 ZwSetContextThread
SSDT 89AEE4C0 ZwSetInformationProcess
SSDT 89971F28 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB6E27A50] <-- ROOTKIT !!!
SSDT 89B0A990 ZwSuspendProcess
SSDT 899C81B0 ZwSuspendThread
SSDT 899D1F70 ZwTerminateProcess
SSDT 899A4CA0 ZwTerminateThread
SSDT 89AD8D80 ZwUnmapViewOfSection
SSDT 89ADCF40 ZwWriteVirtualMemory
---- Kernel code sections - GMER 1.0.14 ----
.text ntkrnlpa.exe!ZwCallbackReturn + 2EFE 8050479A 2 Bytes [ AD, 89 ]
? SYMEFA.SYS The system cannot find the file specified. !
? C:\WINDOWS\System32\drivers\af3f0e1d.sys The system cannot find the file specified.
---- Devices - GMER 1.0.14 ----
Device \FileSystem\Ntfs \Ntfs af3f0e1d.sys
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip af3f0e1d.sys
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp af3f0e1d.sys
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp af3f0e1d.sys
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp af3f0e1d.sys
Device \Driver\symtdi \Device\SymTDI af3f0e1d.sys
---- Services - GMER 1.0.14 ----
Service C:\WINDOWS\System32\drivers\af3f0e1d.sys (*** hidden *** ) [SYSTEM] af3f0e1d <-- ROOTKIT !!!
---- Registry - GMER 1.0.14 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\af3f0e1d@ImagePath \SystemRoot\System32\drivers\af3f0e1d.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\af3f0e1d@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\af3f0e1d@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\af3f0e1d@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet003\Services\af3f0e1d@ImagePath \SystemRoot\System32\drivers\af3f0e1d.sys
Reg HKLM\SYSTEM\ControlSet003\Services\af3f0e1d@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\af3f0e1d@Start 1
Reg HKLM\SYSTEM\ControlSet003\Services\af3f0e1d@ErrorControl 1
---- EOF - GMER 1.0.14 ----
Yes we have a rootkit there.
Run gmer.exe
Click the tab called Processes and click the Safe... button. The computer will reboot and the Gmer screen will open.
Click Files... and browse to the following file:
C:\WINDOWS\System32\drivers\af3f0e1d.sys
Now click Delete
Now click the Services tab. Click the entries in red one by one with your right mouse button and click Delete... Answer Yes to all the warning windows.
When you've removed all the Service entries in red, reboot your computer.
Re-run gmer.
Post a fresh gmer log, please.
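Why the helper can say "we have a rootkit there" from the GMER output above: GMER stamps "<-- ROOTKIT !!!" on every SSDT hook that resolves to a driver, and the SYMEVENT.SYS lines show that a security product earns the same tag. The actual signal is the combination on af3f0e1d.sys: a service GMER reports as hidden, SSDT hooks and TCP/IP filter attachments from a file the OS says it cannot find. The script below is an added example (not from this thread and not GMER's code) that groups GMER lines by module and applies that reasoning; the embedded lines are a verbatim subset of the log posted above, and the severity rules are my own assumptions.

```python
import re
from collections import defaultdict

# Verbatim subset of the GMER log posted earlier in this thread.
GMER_LOG = r"""
SSDT 89BD1118 ZwAlertResumeThread
SSDT \SystemRoot\System32\drivers\af3f0e1d.sys ZwCreateEvent [0xBAB10095]
SSDT \SystemRoot\System32\drivers\af3f0e1d.sys ZwCreateKey [0xBAB0E185]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xB6E272A0] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\drivers\af3f0e1d.sys ZwOpenKey [0xBAB0E239]
? SYMEFA.SYS The system cannot find the file specified. !
? C:\WINDOWS\System32\drivers\af3f0e1d.sys The system cannot find the file specified.
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp af3f0e1d.sys
Service C:\WINDOWS\System32\drivers\af3f0e1d.sys (*** hidden *** ) [SYSTEM] af3f0e1d <-- ROOTKIT !!!
Reg HKLM\SYSTEM\CurrentControlSet\Services\af3f0e1d@ImagePath \SystemRoot\System32\drivers\af3f0e1d.sys
"""

SSDT_RE = re.compile(r"^SSDT\s+(\S+)(?:\s+\(([^)]*)\))?\s+(Zw\w+)")
MISSING_RE = re.compile(r"^\?\s+(\S+)\s+The system cannot find the file specified")
ATTACHED_RE = re.compile(r"^AttachedDevice\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+\(([^)]*)\))?")
HIDDEN_SVC_RE = re.compile(r"^Service\s+(\S+)\s+\(\*\*\* hidden \*\*\* \)")
HEX_ADDR_RE = re.compile(r"^[0-9A-Fa-f]{8}$")


def module_name(path):
    """Reduce \SystemRoot\...\X.sys or \??\C:\...\X.SYS to the lower-cased file name."""
    return path.rsplit("\\", 1)[-1].lower()


def new_record():
    return {"hooks": [], "vendor": None, "file_missing": False,
            "hidden_service": False, "attached": []}


def parse_gmer(text):
    """Group GMER findings per kernel module; also collect SSDT hooks GMER could only
    resolve to a raw address (no module), which deserve a separate look."""
    modules = defaultdict(new_record)
    unresolved = []
    for line in text.splitlines():
        line = line.strip()
        if m := SSDT_RE.match(line):
            target, vendor, func = m.groups()
            if HEX_ADDR_RE.match(target):
                unresolved.append(func)
                continue
            rec = modules[module_name(target)]
            rec["hooks"].append(func)
            if vendor:
                rec["vendor"] = vendor
        elif m := MISSING_RE.match(line):
            modules[module_name(m.group(1))]["file_missing"] = True
        elif m := ATTACHED_RE.match(line):
            driver, device, mod, vendor = m.groups()
            rec = modules[module_name(mod)]
            rec["attached"].append(device)
            if vendor:
                rec["vendor"] = vendor
        elif m := HIDDEN_SVC_RE.match(line):
            modules[module_name(m.group(1))]["hidden_service"] = True
    return modules, unresolved


def assess(rec):
    """Severity rules (assumptions): hidden service or 'active but file not found' is high;
    a vendor-described driver hooking the SSDT is expected security-product behaviour."""
    reasons = []
    if rec["hidden_service"]:
        reasons.append("service entry hidden from the service database")
    if rec["file_missing"] and (rec["hooks"] or rec["attached"]):
        reasons.append("hooks or device filters active, yet the file cannot be found on disk")
    if reasons:
        return "high", reasons
    if rec["vendor"]:
        return "info", ["hooks/filters from a vendor-described driver"]
    if rec["hooks"] or rec["attached"]:
        return "medium", ["kernel hooks or network filter from a driver with no vendor description"]
    return "low", ["file not found, but no hooks or filters observed"]


def triage(text):
    modules, unresolved = parse_gmer(text)
    report = {}
    for name, rec in modules.items():
        severity, reasons = assess(rec)
        report[name] = {"severity": severity, "reasons": reasons, **rec}
    return report, unresolved


if __name__ == "__main__":
    report, unresolved = triage(GMER_LOG)
    for name, rec in sorted(report.items(), key=lambda kv: kv[1]["severity"]):
        print(f"[{rec['severity']}] {name}: {'; '.join(rec['reasons'])}")
    print("SSDT hooks resolved only to an address:", unresolved)
```

On the excerpt, af3f0e1d.sys comes out high on both rules, SYMEVENT.SYS and SYMTDI.SYS are info despite GMER's "ROOTKIT" tag, and SYMEFA.SYS (file not found, nothing hooked) is low. The address-only SSDT entries are listed separately: GMER could not attribute them to any module, so they are worth comparing against the security product's known behaviour before deciding they belong to the same rootkit.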
Stephenwolf
2008-12-20, 16:30
When I click the Safe... button and my computer restarts, I get a text box saying the computer is now running in GMER SafeMode, followed by another box stating:
LoadLibrary "gmer.dll": The specified module could not be found.
The computer then resumes start up as usual without GMER opening.
Then please re-run combofix.
If it asks to update itself, allow it.
Post back a fresh HijackThis log and a fresh combofix log, please.
Stephenwolf
2008-12-20, 16:48
ComboFix 08-12-14.03 - Stephen 2008-12-20 8:41:00.11 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1673 [GMT -6:00]
Running from: c:\documents and settings\Stephen\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2008-11-20 to 2008-12-20 )))))))))))))))))))))))))))))))
.
2008-12-20 07:03 . 2008-12-20 08:19 345 --a------ c:\windows\gmer.ini
2008-12-15 20:50 . 2008-12-15 20:50 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-12-15 17:25 . 2008-12-15 17:25 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-15 17:25 . 2008-12-15 17:25 <DIR> d-------- c:\documents and settings\Stephen\Application Data\Malwarebytes
2008-12-15 17:25 . 2008-12-15 17:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-15 17:25 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-15 17:25 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-15 17:12 . 2008-12-15 21:22 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-14 21:19 . 2008-12-14 21:19 <DIR> d-------- c:\program files\Trend Micro
2008-12-14 15:24 . 2008-12-14 15:24 <DIR> d-------- c:\documents and settings\Administrator
2008-12-14 12:40 . 2008-12-14 12:40 <DIR> dr------- c:\program files\Norton Support
2008-12-14 12:31 . 2008-12-14 12:30 35,888 -ra------ c:\windows\system32\drivers\SymIM.sys
2008-12-14 12:30 . 2008-12-14 12:30 <DIR> d-------- c:\windows\system32\drivers\NIS
2008-12-14 12:30 . 2008-12-14 12:30 <DIR> d-------- c:\program files\Windows Sidebar
2008-12-14 12:30 . 2008-12-14 12:30 <DIR> d-------- c:\program files\Symantec
2008-12-14 12:30 . 2008-12-14 12:30 <DIR> d-------- c:\program files\Norton Internet Security
2008-12-14 12:30 . 2008-12-14 12:49 <DIR> d-------- c:\program files\Common Files\Symantec Shared
2008-12-14 12:30 . 2008-12-14 12:30 124,464 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2008-12-14 12:30 . 2008-12-14 12:30 60,808 --a------ c:\windows\system32\S32EVNT1.DLL
2008-12-14 12:30 . 2008-12-14 12:30 10,635 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2008-12-14 12:30 . 2008-12-14 12:30 806 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2008-12-14 12:27 . 2008-12-14 12:27 <DIR> d-------- c:\program files\NortonInstaller
2008-12-14 12:08 . 2008-12-14 12:08 <DIR> d-------- c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP
2008-12-14 10:53 . 2008-12-14 10:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\PCSettings
2008-12-13 14:09 . 2008-12-13 14:09 <DIR> d-------- c:\windows\system32\drivers\NAV
2008-12-13 14:09 . 2008-12-14 12:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2008-12-13 14:09 . 2008-12-14 12:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Norton
2008-12-13 13:57 . 2008-12-14 13:55 1,056 --a------ c:\windows\wininit.ini
2008-12-13 13:46 . 2008-12-15 17:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-13 13:20 . 2008-12-20 08:42 93,420 --a------ c:\windows\system32\drivers\af3f0e1d.sys
2008-12-13 13:16 . 2008-12-13 13:16 110,592 --a------ c:\windows\system32\knzg.dll
2008-12-13 13:16 . 2008-12-13 13:16 21,446 --a------ c:\windows\system32\sf.ico
2008-12-13 13:16 . 2008-12-13 13:16 13,942 --a------ c:\windows\system32\m3.ico
2008-12-13 13:16 . 2008-12-13 13:16 3,108 --a------ c:\windows\ios.dat
2008-12-13 07:18 . 2008-12-13 08:08 <DIR> d-------- c:\documents and settings\Stephen\Application Data\AVS Video Converter
2008-12-13 07:14 . 2003-05-22 12:26 638,976 --a------ c:\windows\system32\divx.dll
2008-12-13 07:14 . 2004-07-03 20:59 524,288 --a------ c:\windows\system32\xvidcore.dll
2008-12-13 07:14 . 2003-05-21 23:50 261,632 --a------ c:\windows\system32\mcdvd_32.dll
2008-12-13 07:14 . 2003-05-22 12:26 221,215 --a------ c:\windows\system32\divxdec.ax
2008-12-13 07:14 . 2003-05-21 23:50 156,910 --a------ c:\windows\WMSysPr8.prx
2008-12-13 07:14 . 2004-07-03 21:08 139,264 --a------ c:\windows\system32\xvidvfw.dll
2008-12-13 07:14 . 2003-05-21 23:50 82,944 --a------ c:\windows\system32\vct3216.acm
2008-12-13 07:14 . 2004-02-04 21:11 81,920 --a------ c:\windows\system32\AC3ACM.acm
2008-12-13 07:14 . 2004-09-06 16:06 53,248 --a------ c:\windows\system32\xvid.ax
2008-12-13 07:14 . 2003-05-21 23:50 38,912 --a------ c:\windows\system32\alf2cd.acm
2008-12-13 07:14 . 2000-03-14 20:55 13,239 --a------ c:\windows\system32\Scg726.acm
2008-12-12 23:08 . 2008-12-13 18:58 <DIR> d-------- c:\program files\Common Files\AVSMedia
2008-12-12 23:08 . 2008-12-12 23:08 <DIR> d-------- c:\documents and settings\Stephen\Application Data\AVS4YOU
2008-12-12 23:08 . 2008-12-12 23:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\AVS4YOU
2008-12-12 23:07 . 2008-12-13 18:58 <DIR> d-------- c:\program files\AVS4YOU
2008-12-12 23:07 . 2007-02-27 18:36 1,700,352 --a------ c:\windows\system32\GdiPlus.dll
2008-12-12 23:07 . 2007-02-27 18:36 974,848 --a------ c:\windows\system32\mfc70.dll
2008-12-12 23:07 . 2007-02-27 18:36 487,424 --a------ c:\windows\system32\msvcp70.dll
2008-12-12 23:07 . 2007-02-27 18:36 344,064 --a------ c:\windows\system32\msvcr70.dll
2008-12-12 23:07 . 2007-02-27 18:36 24,576 --a------ c:\windows\system32\msxml3a.dll
2008-12-12 22:06 . 2008-12-12 22:07 <DIR> d-------- C:\Output
2008-12-12 22:05 . 2008-12-12 23:00 <DIR> d-------- c:\program files\Aglare Video Converter Platinum
2008-12-12 22:05 . 2008-12-12 22:05 34 --ah----- c:\windows\system32\VideoConverter_sysquict.dat
2008-12-08 16:48 . 2008-12-08 16:48 <DIR> d-------- c:\program files\Folding@home
2008-12-08 16:31 . 2008-12-08 16:43 <DIR> d-------- c:\documents and settings\Stephen\Application Data\Folding@home-gpu
2008-12-05 18:20 . 2008-12-08 16:11 <DIR> d-------- c:\documents and settings\Stephen\Application Data\Folding@home-x86
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-19 04:00 --------- d-----w c:\documents and settings\Stephen\Application Data\uTorrent
2008-12-15 04:33 --------- d-----w c:\program files\Diablo II
2008-12-14 23:27 --------- d-----w c:\program files\Microsoft Broadband Networking
2008-11-10 22:19 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-10 22:07 --------- d-----w c:\program files\id Software
2008-11-08 19:23 --------- d-----w c:\program files\ZDoomGL
2008-11-04 23:21 --------- d-----w c:\program files\Doom 3
2008-10-31 21:16 --------- d-----w c:\program files\Winamp
2008-10-31 21:16 --------- d-----w c:\documents and settings\Stephen\Application Data\Winamp
2008-10-26 16:32 --------- d-----w c:\program files\Maxis
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 01:22 --------- d-----w c:\documents and settings\Stephen\Application Data\Sony Corporation
2008-10-24 01:19 --------- d-----w c:\program files\Sony Corporation
2008-10-24 01:19 --------- d-----w c:\program files\Sony
2008-10-24 01:19 --------- d-----w c:\program files\Common Files\Sony Shared
2008-10-24 01:18 --------- d-----w c:\documents and settings\All Users\Application Data\Sony Corporation
2008-10-24 00:17 21,840 ----a-w c:\windows\system32\SIntfNT.dll
2008-10-24 00:17 17,212 ----a-w c:\windows\system32\SIntf32.dll
2008-10-24 00:17 12,067 ----a-w c:\windows\system32\SIntf16.dll
2008-10-24 00:07 94,208 ----a-w c:\windows\DIIUnin.exe
2008-10-24 00:07 2,829 ----a-w c:\windows\DIIUnin.pif
2008-10-23 22:50 --------- d-----w c:\program files\NOS
2008-10-23 22:50 --------- d-----w c:\documents and settings\All Users\Application Data\NOS
2008-10-23 21:58 --------- d-----w c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2008-10-23 21:36 --------- d-----w c:\program files\Google
2008-10-23 21:15 --------- d-----w c:\program files\Combined Community Codec Pack
2008-10-23 21:13 --------- d-----w c:\documents and settings\Stephen\Application Data\Media Player Classic
2008-10-23 21:12 --------- d-----w c:\program files\Common Files\Adobe AIR
2008-10-23 21:12 --------- d-----w c:\program files\Common Files\Adobe
2008-10-23 21:05 --------- d-----w c:\program files\uTorrent
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 03:51 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2008-10-23 03:49 --------- d-----w c:\program files\Bonjour
2008-10-23 03:44 --------- d-----w c:\program files\Common Files\Macrovision Shared
2008-10-23 02:31 73,728 ----a-w c:\windows\ALCFDRTM.EXE
2008-10-23 02:31 --------- d-----w c:\program files\Vtune
2008-10-23 02:29 --------- d-----w c:\program files\Common Files\InstallShield
2008-10-23 02:25 315,392 ----a-w c:\windows\HideWin.exe
2008-10-23 02:25 --------- d-----w c:\program files\Realtek
2008-10-23 02:20 --------- d-----w c:\program files\Driver
2008-10-23 01:26 --------- d-----w c:\program files\Lan Driver
2008-10-23 01:19 --------- d-----w c:\program files\Marvell
2008-10-23 00:39 --------- d-----w c:\documents and settings\Stephen\Application Data\InstallShield
2008-10-23 00:01 --------- d-----w c:\program files\microsoft frontpage
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
.
((((((((((((((((((((((((((((( snapshot@2008-12-14_16.25.44.64 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-20 13:03:21 884,736 ----a-w c:\windows\gmer.dll
+ 2008-04-18 03:13:02 811,008 ----a-w c:\windows\gmer.exe
- 2008-10-23 22:58:30 25,214 ----a-r c:\windows\Installer\{8CC15633-2327-43F4-BA85-B83FDB4B59BE}\_18be6784.exe
+ 2008-12-14 23:27:11 25,214 ----a-r c:\windows\Installer\{8CC15633-2327-43F4-BA85-B83FDB4B59BE}\_18be6784.exe
- 2008-10-23 22:58:30 25,214 ----a-r c:\windows\Installer\{8CC15633-2327-43F4-BA85-B83FDB4B59BE}\_294823.exe
+ 2008-12-14 23:27:10 25,214 ----a-r c:\windows\Installer\{8CC15633-2327-43F4-BA85-B83FDB4B59BE}\_294823.exe
- 2008-10-23 22:58:30 25,214 ----a-r c:\windows\Installer\{8CC15633-2327-43F4-BA85-B83FDB4B59BE}\_4ae13d6c.exe
+ 2008-12-14 23:27:11 25,214 ----a-r c:\windows\Installer\{8CC15633-2327-43F4-BA85-B83FDB4B59BE}\_4ae13d6c.exe
+ 2008-12-20 13:03:21 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
- 2004-06-21 05:02:10 684,672 ----a-w c:\windows\system32\drivers\MN510-51.sys
+ 2004-06-21 06:02:10 684,672 ----a-w c:\windows\system32\drivers\MN510-51.sys
- 2008-12-14 22:23:04 62,548 ----a-w c:\windows\system32\perfc009.dat
+ 2008-12-20 14:29:01 62,548 ----a-w c:\windows\system32\perfc009.dat
- 2008-12-14 22:23:04 401,394 ----a-w c:\windows\system32\perfh009.dat
+ 2008-12-20 14:29:01 401,394 ----a-w c:\windows\system32\perfh009.dat
+ 2004-06-21 05:02:10 684,672 ----a-w c:\windows\system32\ReinstallBackups\0006\DriverFiles\Drivers\MN510-51.sys
+ 2008-12-20 14:25:06 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_4fc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TBPanel"="c:\program files\Vtune\TBPanel.exe" [2008-07-03 2150400]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2006-05-08 81920]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"RTHDCPL"="RTHDCPL.EXE" [2007-06-13 c:\windows\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2008-05-16 c:\windows\system32\nwiz.exe]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Broadband Networking.lnk - c:\windows\Installer\{8CC15633-2327-43F4-BA85-B83FDB4B59BE}\_18be6784.exe [2008-10-23 25214]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqnhfdt]
[BU]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=ygvcxw.dll fbhswm.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"20027041717067047730358347851037"=c:\program files\A360\av360.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Broadband Networking\\MSBNUtil.exe"=
"c:\\Program Files\\Microsoft Broadband Networking\\MSBNTray.exe"=
"c:\\Program Files\\Microsoft Broadband Networking\\MSBNCfg.exe"=
"c:\\Program Files\\Microsoft Broadband Networking\\MSBNUpdate.exe"=
R0 symefa;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1000000.07D\SYMEFA.SYS [2008-12-14 309296]
R1 BIOS;BIOS;\??\c:\windows\system32\drivers\BIOS.sys [2008-10-22 13696]
R1 cchp;Symantec Hash Provider;\??\c:\windows\system32\drivers\NIS\1000000.07D\ccHPx86.sys [2008-12-14 362544]
R2 norton internet security;Norton Internet Security;"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe" /s "Norton Internet Security" /m "c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll" /prefetch:1 []
S1 bhdrvx86;Symantec Heuristics Driver;\??\c:\windows\system32\drivers\NIS\1000000.07D\BHDrvx86.sys [2008-12-14 254512]
S1 idsxpx86;IDSxpx86;\??\c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20081212.001\IDSxpx86.sys [2008-12-15 274808]
S2 norton antivirus;Norton AntiVirus;"c:\program files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe" /s "Norton AntiVirus" /m "c:\program files\Norton AntiVirus\Engine\16.1.0.33\diMaster.dll" /prefetch:1 []
S3 ISLNDIS5;ISLNDIS5 Protocol Driver;\??\c:\progra~1\MICROS~2\ISLNDIS5.SYS [2004-07-19 14887]
*Newly Created Service* - islndis5
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-20 08:42:40
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\norton antivirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.1.0.33\diMaster.dll\" /prefetch:1"
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\norton internet security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\af3f0e1d]
"ImagePath"="\SystemRoot\System32\drivers\af3f0e1d.sys"
.
Completion time: 2008-12-20 8:43:10
ComboFix-quarantined-files.txt 2008-12-20 14:43:07
ComboFix2.txt 2008-12-18 22:20:43
Pre-Run: 127,016,378,368 bytes free
Post-Run: 127,004,323,840 bytes free
220 --- E O F --- 2008-12-14 23:44:24
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:44:53 AM, on 12/20/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Vtune\TBPanel.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\WINDOWS\ALCFDRTM.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\Stephenwolf.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\coIEPlg.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [TBPanel] C:\Program Files\Vtune\TBPanel.exe /A
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1224726238432
O16 - DPF: {d27cdb6e-ae6d-11cf-96b8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
O20 - AppInit_DLLs: ygvcxw.dll fbhswm.dll
O20 - Winlogon Notify: ssqnhfdt - C:\WINDOWS\
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus (norton antivirus) - Unknown owner - C:\Program Files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe (file missing)
O23 - Service: Norton Internet Security (norton internet security) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
--
End of file - 4725 bytes
Open notepad and copy/paste the text in the codebox below into it:
File::
c:\windows\system32\drivers\af3f0e1d.sys
c:\windows\system32\knzg.dll
c:\windows\system32\sf.ico
c:\windows\system32\m3.ico
c:\windows\ios.dat
Folder::
c:\program files\uTorrent
Driver::
af3f0e1d
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqnhfdt]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-
Save this as "CFScript"
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), select the Processes tab and end any findstr, find, sed or swreg processes; ComboFix should then continue.
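As an added example (not a tool from this thread, and not ComboFix or HijackThis code), the Python below parses HijackThis O20/O23 lines like the ones in the log above, flags the loading points the CFScript targeted, and renders the matching Registry:: block. It assumes the HJT "Oxx - body" line format and the standard XP key paths the CFScript already names; the sample lines are copied from the 12/20/2008 08:44 log.

```python
"""Triage a HijackThis 2.0 log for the loading points this thread removed.

Assumptions: the HJT line format "Oxx - <body>" as in the logs above, and the
XP registry paths that the helper's CFScript already names. Sample lines are
copied from the 12/20/2008 08:44 log in the thread.
"""
import re
from dataclasses import dataclass

HJT_LINE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")

# Registry paths behind HJT's O20 entries (standard Windows XP locations).
WINLOGON_NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"
WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows"

# Constructed sample: a few lines taken from the first 12/20 HijackThis log above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O20 - AppInit_DLLs: ygvcxw.dll fbhswm.dll
O20 - Winlogon Notify: ssqnhfdt - C:\WINDOWS\
O23 - Service: Norton AntiVirus (norton antivirus) - Unknown owner - C:\Program Files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


@dataclass
class Finding:
    kind: str    # persistence mechanism behind the HJT section
    detail: str  # DLL name, Notify handler name or service name
    action: str  # "remove": script it; "review": look first, do not script


def parse_hjt(text):
    """Return (section, body) pairs for every HJT entry line; header/footer lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def triage(entries):
    """Flag the entry types the helper acted on in this thread."""
    findings = []
    for sec, body in entries:
        if sec == "O20" and body.startswith("AppInit_DLLs:"):
            # AppInit_DLLs is loaded into every process that maps user32; on a
            # home XP box nothing legitimate needs it, so each listed DLL is flagged.
            for dll in body.split(":", 1)[1].split():
                findings.append(Finding("AppInit_DLLs", dll, "remove"))
        elif sec == "O20" and body.startswith("Winlogon Notify:"):
            name, _, path = body[len("Winlogon Notify:"):].partition(" - ")
            name, path = name.strip(), path.strip()
            # The shape seen in this thread: a Notify handler whose path is only a
            # directory, i.e. the DLL is already gone or hidden but the hook remains.
            if not path.lower().endswith(".dll"):
                findings.append(Finding("Winlogon Notify", name, "remove"))
        elif sec == "O23" and body.endswith("(file missing)"):
            # A service whose binary is gone may be a malware remnant or, as with the
            # Norton entry here, a half-uninstalled product: list it, do not script it.
            service = body[len("Service: "):].split(" - ", 1)[0]
            findings.append(Finding("Service", service, "review"))
    return findings


def cfscript_registry(findings):
    """Render the Registry:: block of a ComboFix CFScript for the 'remove' findings.

    Syntax as used in the thread: [-KEY] deletes a key, "Value"=- deletes a value.
    """
    lines = ["Registry::"]
    for f in findings:
        if f.action == "remove" and f.kind == "Winlogon Notify":
            lines.append(f"[-{WINLOGON_NOTIFY_KEY}\\{f.detail}]")
    if any(f.action == "remove" and f.kind == "AppInit_DLLs" for f in findings):
        lines.append(f"[{WINDOWS_KEY}]")
        lines.append('"AppInit_DLLs"=-')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = triage(parse_hjt(SAMPLE_LOG))
    for f in found:
        print(f"{f.action:7}{f.kind}: {f.detail}")
    print(cfscript_registry(found))
```

The File::, Folder:: and Driver:: sections still need a human decision per path, which is why the script only emits the registry part.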
Stephenwolf
2008-12-20, 17:12
ComboFix 08-12-14.03 - Stephen 2008-12-20 9:05:37.12 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1641 [GMT -6:00]
Running from: c:\documents and settings\Stephen\Desktop\ComboFix.exe
Command switches used :: F:\CFScript.txt
* Created a new restore point
FILE ::
c:\windows\ios.dat
c:\windows\system32\drivers\af3f0e1d.sys
c:\windows\system32\knzg.dll
c:\windows\system32\m3.ico
c:\windows\system32\sf.ico
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\uTorrent
c:\program files\uTorrent\uTorrent.exe
c:\windows\ios.dat
c:\windows\system32\drivers\af3f0e1d.sys
c:\windows\system32\knzg.dll
c:\windows\system32\m3.ico
c:\windows\system32\sf.ico
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_af3f0e1d
((((((((((((((((((((((((( Files Created from 2008-11-20 to 2008-12-20 )))))))))))))))))))))))))))))))
.
2008-12-20 07:03 . 2008-12-20 08:19 345 --a------ c:\windows\gmer.ini
2008-12-15 20:50 . 2008-12-15 20:50 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-12-15 17:25 . 2008-12-15 17:25 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-15 17:25 . 2008-12-15 17:25 <DIR> d-------- c:\documents and settings\Stephen\Application Data\Malwarebytes
2008-12-15 17:25 . 2008-12-15 17:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-15 17:25 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-15 17:25 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-15 17:12 . 2008-12-15 21:22 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-14 21:19 . 2008-12-14 21:19 <DIR> d-------- c:\program files\Trend Micro
2008-12-14 15:24 . 2008-12-14 15:24 <DIR> d-------- c:\documents and settings\Administrator
2008-12-14 12:40 . 2008-12-14 12:40 <DIR> dr------- c:\program files\Norton Support
2008-12-14 12:31 . 2008-12-14 12:30 35,888 -ra------ c:\windows\system32\drivers\SymIM.sys
2008-12-14 12:30 . 2008-12-14 12:30 <DIR> d-------- c:\windows\system32\drivers\NIS
2008-12-14 12:30 . 2008-12-14 12:30 <DIR> d-------- c:\program files\Windows Sidebar
2008-12-14 12:30 . 2008-12-14 12:30 <DIR> d-------- c:\program files\Symantec
2008-12-14 12:30 . 2008-12-14 12:30 <DIR> d-------- c:\program files\Norton Internet Security
2008-12-14 12:30 . 2008-12-14 12:49 <DIR> d-------- c:\program files\Common Files\Symantec Shared
2008-12-14 12:30 . 2008-12-14 12:30 124,464 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2008-12-14 12:30 . 2008-12-14 12:30 60,808 --a------ c:\windows\system32\S32EVNT1.DLL
2008-12-14 12:30 . 2008-12-14 12:30 10,635 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2008-12-14 12:30 . 2008-12-14 12:30 806 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2008-12-14 12:27 . 2008-12-14 12:27 <DIR> d-------- c:\program files\NortonInstaller
2008-12-14 12:08 . 2008-12-14 12:08 <DIR> d-------- c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP
2008-12-14 10:53 . 2008-12-14 10:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\PCSettings
2008-12-13 14:09 . 2008-12-13 14:09 <DIR> d-------- c:\windows\system32\drivers\NAV
2008-12-13 14:09 . 2008-12-14 12:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2008-12-13 14:09 . 2008-12-14 12:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Norton
2008-12-13 13:57 . 2008-12-14 13:55 1,056 --a------ c:\windows\wininit.ini
2008-12-13 13:46 . 2008-12-15 17:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-13 07:18 . 2008-12-13 08:08 <DIR> d-------- c:\documents and settings\Stephen\Application Data\AVS Video Converter
2008-12-13 07:14 . 2003-05-22 12:26 638,976 --a------ c:\windows\system32\divx.dll
2008-12-13 07:14 . 2004-07-03 20:59 524,288 --a------ c:\windows\system32\xvidcore.dll
2008-12-13 07:14 . 2003-05-21 23:50 261,632 --a------ c:\windows\system32\mcdvd_32.dll
2008-12-13 07:14 . 2003-05-22 12:26 221,215 --a------ c:\windows\system32\divxdec.ax
2008-12-13 07:14 . 2003-05-21 23:50 156,910 --a------ c:\windows\WMSysPr8.prx
2008-12-13 07:14 . 2004-07-03 21:08 139,264 --a------ c:\windows\system32\xvidvfw.dll
2008-12-13 07:14 . 2003-05-21 23:50 82,944 --a------ c:\windows\system32\vct3216.acm
2008-12-13 07:14 . 2004-02-04 21:11 81,920 --a------ c:\windows\system32\AC3ACM.acm
2008-12-13 07:14 . 2004-09-06 16:06 53,248 --a------ c:\windows\system32\xvid.ax
2008-12-13 07:14 . 2003-05-21 23:50 38,912 --a------ c:\windows\system32\alf2cd.acm
2008-12-13 07:14 . 2000-03-14 20:55 13,239 --a------ c:\windows\system32\Scg726.acm
2008-12-12 23:08 . 2008-12-13 18:58 <DIR> d-------- c:\program files\Common Files\AVSMedia
2008-12-12 23:08 . 2008-12-12 23:08 <DIR> d-------- c:\documents and settings\Stephen\Application Data\AVS4YOU
2008-12-12 23:08 . 2008-12-12 23:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\AVS4YOU
2008-12-12 23:07 . 2008-12-13 18:58 <DIR> d-------- c:\program files\AVS4YOU
2008-12-12 23:07 . 2007-02-27 18:36 1,700,352 --a------ c:\windows\system32\GdiPlus.dll
2008-12-12 23:07 . 2007-02-27 18:36 974,848 --a------ c:\windows\system32\mfc70.dll
2008-12-12 23:07 . 2007-02-27 18:36 487,424 --a------ c:\windows\system32\msvcp70.dll
2008-12-12 23:07 . 2007-02-27 18:36 344,064 --a------ c:\windows\system32\msvcr70.dll
2008-12-12 23:07 . 2007-02-27 18:36 24,576 --a------ c:\windows\system32\msxml3a.dll
2008-12-12 22:06 . 2008-12-12 22:07 <DIR> d-------- C:\Output
2008-12-12 22:05 . 2008-12-12 23:00 <DIR> d-------- c:\program files\Aglare Video Converter Platinum
2008-12-12 22:05 . 2008-12-12 22:05 34 --ah----- c:\windows\system32\VideoConverter_sysquict.dat
2008-12-08 16:48 . 2008-12-08 16:48 <DIR> d-------- c:\program files\Folding@home
2008-12-08 16:31 . 2008-12-08 16:43 <DIR> d-------- c:\documents and settings\Stephen\Application Data\Folding@home-gpu
2008-12-05 18:20 . 2008-12-08 16:11 <DIR> d-------- c:\documents and settings\Stephen\Application Data\Folding@home-x86
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-19 04:00 --------- d-----w c:\documents and settings\Stephen\Application Data\uTorrent
2008-12-15 04:33 --------- d-----w c:\program files\Diablo II
2008-12-14 23:27 --------- d-----w c:\program files\Microsoft Broadband Networking
2008-11-10 22:19 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-10 22:07 --------- d-----w c:\program files\id Software
2008-11-08 19:23 --------- d-----w c:\program files\ZDoomGL
2008-11-04 23:21 --------- d-----w c:\program files\Doom 3
2008-10-31 21:16 --------- d-----w c:\program files\Winamp
2008-10-31 21:16 --------- d-----w c:\documents and settings\Stephen\Application Data\Winamp
2008-10-26 16:32 --------- d-----w c:\program files\Maxis
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 01:22 --------- d-----w c:\documents and settings\Stephen\Application Data\Sony Corporation
2008-10-24 01:19 --------- d-----w c:\program files\Sony Corporation
2008-10-24 01:19 --------- d-----w c:\program files\Sony
2008-10-24 01:19 --------- d-----w c:\program files\Common Files\Sony Shared
2008-10-24 01:18 --------- d-----w c:\documents and settings\All Users\Application Data\Sony Corporation
2008-10-24 00:07 94,208 ----a-w c:\windows\DIIUnin.exe
2008-10-24 00:07 2,829 ----a-w c:\windows\DIIUnin.pif
2008-10-23 22:50 --------- d-----w c:\program files\NOS
2008-10-23 22:50 --------- d-----w c:\documents and settings\All Users\Application Data\NOS
2008-10-23 21:58 --------- d-----w c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2008-10-23 21:36 --------- d-----w c:\program files\Google
2008-10-23 21:15 --------- d-----w c:\program files\Combined Community Codec Pack
2008-10-23 21:13 --------- d-----w c:\documents and settings\Stephen\Application Data\Media Player Classic
2008-10-23 21:12 --------- d-----w c:\program files\Common Files\Adobe AIR
2008-10-23 21:12 --------- d-----w c:\program files\Common Files\Adobe
2008-10-23 03:51 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2008-10-23 03:49 --------- d-----w c:\program files\Bonjour
2008-10-23 03:44 --------- d-----w c:\program files\Common Files\Macrovision Shared
2008-10-23 02:31 73,728 ----a-w c:\windows\ALCFDRTM.EXE
2008-10-23 02:31 --------- d-----w c:\program files\Vtune
2008-10-23 02:29 --------- d-----w c:\program files\Common Files\InstallShield
2008-10-23 02:25 315,392 ----a-w c:\windows\HideWin.exe
2008-10-23 02:25 --------- d-----w c:\program files\Realtek
2008-10-23 02:20 --------- d-----w c:\program files\Driver
2008-10-23 01:26 --------- d-----w c:\program files\Lan Driver
2008-10-23 01:19 --------- d-----w c:\program files\Marvell
2008-10-23 00:39 --------- d-----w c:\documents and settings\Stephen\Application Data\InstallShield
2008-10-23 00:01 --------- d-----w c:\program files\microsoft frontpage
.
((((((((((((((((((((((((((((( snapshot@2008-12-14_16.25.44.64 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-20 13:03:21 884,736 ----a-w c:\windows\gmer.dll
+ 2008-04-18 03:13:02 811,008 ----a-w c:\windows\gmer.exe
- 2008-10-23 22:58:30 25,214 ----a-r c:\windows\Installer\{8CC15633-2327-43F4-BA85-B83FDB4B59BE}\_18be6784.exe
+ 2008-12-14 23:27:11 25,214 ----a-r c:\windows\Installer\{8CC15633-2327-43F4-BA85-B83FDB4B59BE}\_18be6784.exe
- 2008-10-23 22:58:30 25,214 ----a-r c:\windows\Installer\{8CC15633-2327-43F4-BA85-B83FDB4B59BE}\_294823.exe
+ 2008-12-14 23:27:10 25,214 ----a-r c:\windows\Installer\{8CC15633-2327-43F4-BA85-B83FDB4B59BE}\_294823.exe
- 2008-10-23 22:58:30 25,214 ----a-r c:\windows\Installer\{8CC15633-2327-43F4-BA85-B83FDB4B59BE}\_4ae13d6c.exe
+ 2008-12-14 23:27:11 25,214 ----a-r c:\windows\Installer\{8CC15633-2327-43F4-BA85-B83FDB4B59BE}\_4ae13d6c.exe
+ 2008-12-20 13:03:21 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
- 2004-06-21 05:02:10 684,672 ----a-w c:\windows\system32\drivers\MN510-51.sys
+ 2004-06-21 06:02:10 684,672 ----a-w c:\windows\system32\drivers\MN510-51.sys
- 2008-12-14 22:23:04 62,548 ----a-w c:\windows\system32\perfc009.dat
+ 2008-12-20 14:29:01 62,548 ----a-w c:\windows\system32\perfc009.dat
- 2008-12-14 22:23:04 401,394 ----a-w c:\windows\system32\perfh009.dat
+ 2008-12-20 14:29:01 401,394 ----a-w c:\windows\system32\perfh009.dat
+ 2004-06-21 05:02:10 684,672 ----a-w c:\windows\system32\ReinstallBackups\0006\DriverFiles\Drivers\MN510-51.sys
+ 2008-12-20 15:08:02 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_574.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TBPanel"="c:\program files\Vtune\TBPanel.exe" [2008-07-03 2150400]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2006-05-08 81920]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"RTHDCPL"="RTHDCPL.EXE" [2007-06-13 c:\windows\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2008-05-16 c:\windows\system32\nwiz.exe]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Broadband Networking.lnk - c:\windows\Installer\{8CC15633-2327-43F4-BA85-B83FDB4B59BE}\_18be6784.exe [2008-10-23 25214]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"20027041717067047730358347851037"=c:\program files\A360\av360.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Broadband Networking\\MSBNUtil.exe"=
"c:\\Program Files\\Microsoft Broadband Networking\\MSBNTray.exe"=
"c:\\Program Files\\Microsoft Broadband Networking\\MSBNCfg.exe"=
"c:\\Program Files\\Microsoft Broadband Networking\\MSBNUpdate.exe"=
R0 symefa;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1000000.07D\SYMEFA.SYS [2008-12-14 309296]
R1 bhdrvx86;Symantec Heuristics Driver;\??\c:\windows\system32\drivers\NIS\1000000.07D\BHDrvx86.sys [2008-12-14 254512]
R1 BIOS;BIOS;\??\c:\windows\system32\drivers\BIOS.sys [2008-10-22 13696]
R1 cchp;Symantec Hash Provider;\??\c:\windows\system32\drivers\NIS\1000000.07D\ccHPx86.sys [2008-12-14 362544]
R1 idsxpx86;IDSxpx86;\??\c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20081212.001\IDSxpx86.sys [2008-12-15 274808]
R2 norton internet security;Norton Internet Security;"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe" /s "Norton Internet Security" /m "c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll" /prefetch:1 []
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-12-15 99376]
S2 norton antivirus;Norton AntiVirus;"c:\program files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe" /s "Norton AntiVirus" /m "c:\program files\Norton AntiVirus\Engine\16.1.0.33\diMaster.dll" /prefetch:1 []
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-20 09:08:02
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\norton antivirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.1.0.33\diMaster.dll\" /prefetch:1"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\norton internet security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe
c:\windows\system32\rundll32.exe
c:\program files\Microsoft Broadband Networking\MSBNTray.exe
c:\windows\ALCFDRTM.EXE
.
**************************************************************************
.
Completion time: 2008-12-20 9:09:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-20 15:09:35
ComboFix2.txt 2008-12-20 14:43:11
ComboFix3.txt 2008-12-18 22:20:43
Pre-Run: 126,989,193,216 bytes free
Post-Run: 126,974,152,704 bytes free
227 --- E O F --- 2008-12-14 23:44:24
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:10:08 AM, on 12/20/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Vtune\TBPanel.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\WINDOWS\ALCFDRTM.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\Stephenwolf.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\coIEPlg.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [TBPanel] C:\Program Files\Vtune\TBPanel.exe /A
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1224726238432
O16 - DPF: {d27cdb6e-ae6d-11cf-96b8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus (norton antivirus) - Unknown owner - C:\Program Files\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe (file missing)
O23 - Service: Norton Internet Security (norton internet security) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
--
End of file - 4761 bytes
That looks better :)
Please re-run gmer and post back its log.
Stephenwolf
2008-12-20, 17:35
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-12-20 09:32:33
Windows 5.1.2600 Service Pack 3
---- System - GMER 1.0.14 ----
SSDT 89A77070 ZwAlertResumeThread
SSDT 89A85C20 ZwAlertThread
SSDT 88F21E38 ZwAllocateVirtualMemory
SSDT 89A59430 ZwAssignProcessToJobObject
SSDT 89AAC130 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xB75D1020]
SSDT 88F17EC0 ZwCreateMutant
SSDT 88F12270 ZwCreateSymbolicLinkObject
SSDT 89A9FEB0 ZwCreateThread
SSDT 89A98620 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xB75D12A0]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB75D1800]
SSDT 88F22148 ZwDuplicateObject
SSDT 88F21698 ZwFreeVirtualMemory
SSDT 89A922C8 ZwImpersonateAnonymousToken
SSDT 897F99C0 ZwImpersonateThread
SSDT 89AA0710 ZwLoadDriver
SSDT 88F214F8 ZwMapViewOfSection
SSDT 897F9868 ZwOpenEvent
SSDT 88F22468 ZwOpenProcess
SSDT 89AAA248 ZwOpenProcessToken
SSDT 89AA4948 ZwOpenSection
SSDT 88F222D8 ZwOpenThread
SSDT 88F12C00 ZwProtectVirtualMemory
SSDT 89AFF568 ZwResumeThread
SSDT 89BE94C0 ZwSetContextThread
SSDT 88F211E0 ZwSetInformationProcess
SSDT 89A995B0 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB75D1A50]
SSDT 89A99A40 ZwSuspendProcess
SSDT 89B085F8 ZwSuspendThread
SSDT 89BF7890 ZwTerminateProcess
SSDT 89BFA278 ZwTerminateThread
SSDT 89B025F8 ZwUnmapViewOfSection
SSDT 88F21A68 ZwWriteVirtualMemory
---- Kernel code sections - GMER 1.0.14 ----
? SYMEFA.SYS The system cannot find the file specified. !
? Combo-Fix.sys The system cannot find the file specified. !
? C:\ComboFix\catchme.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !
---- Devices - GMER 1.0.14 ----
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- EOF - GMER 1.0.14 ----
Yes, now it looks normal :)
Does Norton still warn about emails?
Stephenwolf
2008-12-20, 17:53
I am now posting from the formerly infected computer. Browser works fine and no warnings about unknown emails. Thank you so much. Definitely giving you guys a donation for that!
Glad to hear that, but let's run one scanner to see if there is something else lurking:
Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.
Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select "Run as administrator" to perform this scan.
Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.
If you need a tutorial, see here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif)
Due to the lack of feedback this Topic is closed.
If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than four days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.
Everyone else please begin a New Topic.