Virtumonde :(
Bad_Infection
2009-06-21, 02:17
Virtumonde keeps coming back!!!
HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:16:25 PM, on 6/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\rpcnet.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ThreatFire\TFService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.live.com/login.srf?wa=wsignin1.0&rpsnv=10&ct=1244549680&rver=5.5.4177.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx&lc=1033&id=64855&mkt=en-US
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA1479] command.com /c del "C:\WINDOWS\system32\rpcnet.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8240] cmd.exe /c del "C:\WINDOWS\system32\rpcnet.dll_old"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB6674] command.com /c del "C:\WINDOWS\system32\rpcnet.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6850] cmd.exe /c del "C:\WINDOWS\system32\rpcnet.dll_old"
O4 - HKUS\S-1-5-18\..\Run: [SYSDLL] SYSDLL (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [SYSDLL] SYSDLL (User 'Default user')
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.hotmail.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177525140296
O16 - DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} (JInitiator 1.3.1.22) - http://testdevapp1:7777/forms/jinitiator/jinit.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: Pharos Systems ComTaskMaster - Pharos Systems International - C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 9611 bytes
http://forums.spybot.info/showthread.php?p=318201#post318201
Hi,
Download DDS and save it to your desktop from here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt
Save both reports to your desktop. Post them back to your topic.
Bad_Infection
2009-06-24, 05:04
DDS & ATTACH.txt - it told me to attach the second file (attach.txt), so I did, but I also included it below in case you did not want to DL it. THANKS FOR YOUR HELP BLADE!!!
DDS.txt:
DDS (Ver_09-05-14.01) - NTFSx86
Run by Administrator at 21:56:49.03 on Tue 06/23/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.424 [GMT -4:00]
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: PC Tools Firewall Plus *disabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\rpcnet.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\ThreatFire\TFService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\stsystra.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Administrator\Desktop\dds.com
============== Pseudo HJT Report ===============
uStart Page = hxxp://login.live.com/login.srf?wa=wsignin1.0&rpsnv=10&ct=1244549680&rver=5.5.4177.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx&lc=1033&id=64855&mkt=en-US
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
mRun: [00PCTFW] "c:\program files\pc tools firewall plus\FirewallGUI.exe" -s
dRun: [SYSDLL] SYSDLL
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: hotmail.com
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177525140296
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} - hxxp://testdevapp1:7777/forms/jinitiator/jinit.exe
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\ydf1jcta.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
============= SERVICES / DRIVERS ===============
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-6-12 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-6-12 46864]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2009-6-12 159600]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-19 169632]
R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [2009-6-12 73840]
R2 PCToolsFirewallPlus;PC Tools Firewall Plus;c:\program files\pc tools firewall plus\FWService.exe [2009-6-12 146800]
R2 ThreatFire;ThreatFire;c:\program files\threatfire\tfservice.exe service --> c:\program files\threatfire\TFService.exe service [?]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-3-24 24652]
R2 ZDCNDIS5;ZDCNDIS5 NDIS5.1 Protocol Driver;c:\windows\system32\ZDCndis5.sys [2008-12-15 20736]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-4-20 101936]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090417.007\naveng.sys [2009-4-17 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090417.007\navex15.sys [2009-4-17 876144]
R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [2009-6-12 95640]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-6-12 33552]
S1 6c693b55;6c693b55;c:\windows\system32\drivers\6c693b55.sys --> c:\windows\system32\drivers\6c693b55.sys [?]
S3 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-7-19 192160]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]
S3 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-9-27 1813232]
=============== Created Last 30 ================
2009-06-22 19:40 56,680 a------- c:\windows\system32\rpcnet.dll
2009-06-19 23:45 161,792 a------- c:\windows\SWREG.exe
2009-06-19 23:45 98,816 a------- c:\windows\sed.exe
2009-06-19 23:44 <DIR> --ds---- C:\ComboFix
2009-06-19 23:44 389,120 a------- c:\windows\system32\CF15048.exe
2009-06-19 23:35 <DIR> --d----- c:\docume~1\admini~1\applic~1\Windows Search
2009-06-12 17:11 <DIR> --d----- c:\program files\common files\Windows Live
2009-06-12 17:09 <DIR> --d----- c:\program files\Microsoft
2009-06-12 17:08 <DIR> --d----- c:\docume~1\admini~1\applic~1\Windows Desktop Search
2009-06-12 17:07 <DIR> --d----- c:\windows\system32\GroupPolicy
2009-06-12 17:07 <DIR> --d----- c:\program files\Windows Desktop Search
2009-06-12 17:06 192,000 -c------ c:\windows\system32\dllcache\offfilt.dll
2009-06-12 17:06 98,304 -c------ c:\windows\system32\dllcache\nlhtml.dll
2009-06-12 17:06 29,696 -c------ c:\windows\system32\dllcache\mimefilt.dll
2009-06-12 17:04 <DIR> --d----- c:\windows\system32\URTTEMP
2009-06-12 17:02 102,912 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-06-12 17:00 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-06-12 15:17 11,264 a------- c:\windows\system32\PSS0579E.DLL
2009-06-12 13:53 <DIR> --d----- C:\eeb96a915334b459b628e9bd97f4ea
2009-06-12 13:49 <DIR> --d----- C:\7104996b916ebe98e8c2
2009-06-12 13:49 <DIR> --d----- c:\windows\SxsCaPendDel
2009-06-12 13:03 <DIR> --d----- c:\docume~1\admini~1\applic~1\PCToolsFirewallPlus
2009-06-12 12:59 130,424 a------- c:\windows\system32\drivers\PCTCore.sys
2009-06-12 12:59 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-06-12 12:59 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-06-12 12:58 97,408 a------- c:\windows\system32\drivers\pctfw.sys
2009-06-12 12:58 <DIR> --d----- c:\program files\common files\PC Tools
2009-06-12 12:58 95,640 a------- c:\windows\system32\drivers\pctplfw.sys
2009-06-12 12:58 <DIR> --d----- c:\program files\PC Tools Firewall Plus
2009-06-12 12:57 51,984 a------- c:\windows\system32\drivers\TfFsMon.sys
2009-06-12 12:57 46,864 a------- c:\windows\system32\drivers\TfSysMon.sys
2009-06-12 12:57 33,552 a------- c:\windows\system32\drivers\TfNetMon.sys
2009-06-12 12:57 <DIR> --d----- c:\program files\ThreatFire
2009-06-12 12:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-06-09 23:35 <DIR> --d----- c:\windows\ie8updates
2009-06-09 15:28 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-06-09 15:28 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-06-07 20:40 <DIR> a-dshr-- C:\cmdcons
2009-06-07 20:37 155,136 a------- c:\windows\PEV.exe
2009-06-03 13:40 <DIR> --d----- c:\program files\Trend Micro
2009-05-27 19:20 <DIR> --dsh--- c:\documents and settings\administrator\IECompatCache
2009-05-27 19:18 <DIR> --dsh--- c:\documents and settings\administrator\PrivacIE
2009-05-27 19:10 <DIR> -cd-h--- c:\windows\ie8
2009-05-27 18:23 <DIR> --dsh--- c:\documents and settings\administrator\IETldCache
2009-05-27 17:54 182,656 ac------ c:\windows\system32\dllcache\ndis.sys
2009-05-27 17:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\99654206
2009-05-27 17:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\19644214
==================== Find3M ====================
2009-06-23 21:54 17,408 a------- c:\windows\system32\rpcnetp.exe
2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-07 20:56 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-06-07 19:35 17,408 ac------ c:\windows\system32\rpcnetp.dll
2009-05-31 12:14 56,680 a------- c:\windows\system32\rpcnet.exe
2009-05-25 00:24 350,208 a------- c:\windows\system32\mssph.dll
2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-12 15:12 26,144 a------- c:\windows\system32\spupdsvc.exe
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-06 13:21 0 a------- c:\documents and settings\administrator\settings.dat
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 16:24 823,296 a------- c:\windows\system32\divx_xx0c.dll
2009-04-15 16:24 823,296 a------- c:\windows\system32\divx_xx07.dll
2009-04-15 16:24 815,104 a------- c:\windows\system32\divx_xx0a.dll
2009-04-15 16:24 802,816 a------- c:\windows\system32\divx_xx11.dll
2009-04-15 16:24 684,032 a------- c:\windows\system32\DivX.dll
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-06 20:29 129,784 -------- c:\windows\system32\pxafs.dll
2009-04-06 20:28 90,112 a------- c:\windows\system32\dpl100.dll
============= FINISH: 21:58:34.54 ===============
ATTACH.TXT
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_09-05-14.01)
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 3/24/2008 12:30:25 PM
System Uptime: 6/23/2009 9:53:40 PM (0 hours ago)
Motherboard: Dell Inc. | | 0TD761
Processor: Genuine Intel(R) CPU T2400 @ 1.83GHz | Microprocessor | 1830/166mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 56 GiB total, 22.155 GiB free.
D: is CDROM ()
==== Disabled Device Manager Items =============
Class GUID:
Description: Ethernet Controller
Device ID: PCI\VEN_14E4&DEV_1600&SUBSYS_01C21028&REV_02\4&378EDFA4&0&00E2
Manufacturer:
Name: Ethernet Controller
PNP Device ID: PCI\VEN_14E4&DEV_1600&SUBSYS_01C21028&REV_02\4&378EDFA4&0&00E2
Service:
==== System Restore Points ===================
RP103: 6/12/2009 12:53:08 PM - System Checkpoint
RP104: 6/12/2009 12:55:54 PM - Clean Slate Day
RP105: 6/12/2009 1:43:19 PM - Software Distribution Service 3.0
RP106: 6/12/2009 2:26:37 PM - Printer Driver Microsoft XPS Document Writer Installed
RP107: 6/12/2009 3:05:45 PM - Software Distribution Service 3.0
RP108: 6/12/2009 3:44:22 PM - Software Distribution Service 3.0
RP109: 6/12/2009 5:03:58 PM - Software Distribution Service 3.0
RP110: 6/12/2009 7:28:12 PM - Software Distribution Service 3.0
RP111: 6/14/2009 8:52:01 AM - Software Distribution Service 3.0
RP112: 6/19/2009 11:46:19 PM - ComboFix created restore point
RP113: 6/22/2009 3:49:07 PM - System Checkpoint
==== Installed Programs ======================
AAC Decoder
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8
Adobe Shockwave Player
AIM 6
ALPS Touch Pad Driver
Apple Software Update
AutoUpdate
Conexant HDA D110 MDC V.92 Modem
Critical Update for Windows Media Player 11 (KB959772)
Dell Resource CD
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Version Checker
DivX Web Player
FLV Player 2.0 (build 25)
Google Earth
H.264 Decoder
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Intel(R) Graphics Media Accelerator Driver
Intel(R) PROSet/Wireless Software
iTunes
Java(TM) 6 Update 13
Java(TM) 6 Update 2
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
LiveUpdate 3.1 (Symantec Corporation)
Malwarebytes' Anti-Malware
mCore
mDriver
mDrWiFi
mHlpDell
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office FrontPage 2003
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Live Add-in 1.3
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office SharePoint Designer 2007
Microsoft Office SharePoint Designer 2007 Service Pack 2 (SP2)
Microsoft Office SharePoint Designer MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
mIWA
MKV Splitter
mLogView
mMHouse
Move Networks Media Player for Internet Explorer
Mozilla Firefox (3.0.11)
mPfMgr
mPfWiz
mProSafe
mSSO
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
mWlsSafe
mWMI
mXML
mZConfig
NVIDIA Drivers
Oracle JInitiator 1.3.1.22
PC Tools Firewall Plus 5.0
Pharos
PowerDVD 5.7
QuickTime
Real Alternative 1.52
Roxio DLA
Roxio Express Labeler
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
SigmaTel Audio
Sonic Update Manager
Spelling Dictionaries Support For Adobe Reader 8
Spybot - Search & Destroy
Symantec AntiVirus
ThreatFire
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 (KB969907)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Sharepoint Designer 2007 Help (KB963675)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (kb970012)
Update for Windows Internet Explorer 8 (KB971180)
Update for Windows XP (KB943729)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VC80CRTRedist - 8.0.50727.762
Viewpoint Media Player
Virtual Earth 3D (Beta)
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Player 11
Windows PowerShell(TM) 1.0
Windows Presentation Foundation
Windows Search 4.0
Windows XP Service Pack 3
WinRAR archiver
XML Paper Specification Shared Components Pack 1.0
==== Event Viewer Messages From Past Week ========
6/20/2009 9:33:08 AM, error: System Error [1003] - Error code 000000f4, parameter1 00000003, parameter2 86b4bda0, parameter3 86b4bf14, parameter4 805d297c.
6/20/2009 9:32:15 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Spooler service.
6/20/2009 12:02:07 AM, error: Srv [2019] - The server was unable to allocate from the system nonpaged pool because the pool was empty.
6/19/2009 11:47:13 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.
6/18/2009 8:59:01 AM, error: Service Control Manager [7000] - The Windows CardSpace service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
6/18/2009 8:59:00 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows CardSpace service to connect.
6/18/2009 8:55:11 AM, error: System Error [1003] - Error code 000000c2, parameter1 00000041, parameter2 85e1c000, parameter3 00005c1c, parameter4 0003f680.
6/18/2009 3:35:09 PM, error: Service Control Manager [7000] - The MCSTRM service failed to start due to the following error: The system cannot find the file specified.
6/17/2009 11:32:56 PM, error: Service Control Manager [7034] - The Symantec Settings Manager service terminated unexpectedly. It has done this 1 time(s).
==== End Of File ===========================
Bad_Infection
2009-06-24, 05:06
Oh also, as far as disabling scripts, I wasn't too sure what to do... but I disabled my firewall and ThreatFire program as well as Spybot resident prior to running the DDS scan.
If this was incorrect, please advise how to disable "scripts" or what exactly they are and I'll scan again :)
THANK YOU AGAIN.
Hi :)
Please run ComboFix (let it update itself) and post its log & a fresh dds.txt log.
Bad_Infection
2009-06-26, 15:45
FYI - ComboFix froze at the end and I had to reboot. I recovered fine and found the log on my hard drive. How do I uninstall ComboFix?
ComboFix 09-06-25.06 - Administrator 06/26/2009 7:58:55.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.420 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: PC Tools Firewall Plus *disabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\Mozilla Firefox\extensions\{A1DA2AFD-2256-4F08-8733-C8DE789BDF2E}
C:\Program Files\Mozilla Firefox\extensions\{A1DA2AFD-2256-4F08-8733-C8DE789BDF2E}\chrome.manifest
C:\Program Files\Mozilla Firefox\extensions\{A1DA2AFD-2256-4F08-8733-C8DE789BDF2E}\chrome\content\overlay.xul
C:\Program Files\Mozilla Firefox\extensions\{A1DA2AFD-2256-4F08-8733-C8DE789BDF2E}\install.rdf
.
---- Previous Run -------
.
C:\WINDOWS\dhcp
.
((((((((((((((((((((((((( Files Created from 2009-05-26 to 2009-06-26 )))))))))))))))))))))))))))))))
.
2009-06-22 23:40:49 . 2009-06-26 11:48:21 56680 ----a-w- C:\WINDOWS\system32\rpcnet.dll
2009-06-22 17:13:38 . 2009-06-22 17:13:38 0 d-----w- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
2009-06-20 03:35:44 . 2009-06-20 03:35:44 0 d-----w- C:\Documents and Settings\Administrator\Application Data\Windows Search
2009-06-12 23:31:24 . 2009-06-12 23:32:19 0 d-----w- C:\Documents and Settings\Administrator\Local Settings\Application Data\ApplicationHistory
2009-06-12 21:11:24 . 2009-06-12 21:11:24 0 d-----w- C:\Program Files\Common Files\Windows Live
2009-06-12 21:09:17 . 2009-06-12 21:09:17 0 d-----w- C:\Program Files\Microsoft Silverlight
2009-06-12 21:09:01 . 2009-06-12 21:09:01 0 d-----w- C:\Program Files\Microsoft
2009-06-12 21:08:34 . 2009-06-12 21:08:34 0 d-----w- C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities
2009-06-12 21:08:28 . 2009-06-12 21:08:28 0 d-----w- C:\Documents and Settings\Administrator\Application Data\Windows Desktop Search
2009-06-12 21:07:46 . 2009-06-13 00:17:20 0 d-----w- C:\Program Files\Windows Desktop Search
2009-06-12 21:07:46 . 2009-06-12 21:07:46 0 d-----w- C:\WINDOWS\system32\GroupPolicy
2009-06-12 21:06:07 . 2008-03-07 17:02:08 98304 -c----w- C:\WINDOWS\system32\dllcache\nlhtml.dll
2009-06-12 21:06:07 . 2008-03-07 17:02:08 29696 -c----w- C:\WINDOWS\system32\dllcache\mimefilt.dll
2009-06-12 21:06:07 . 2008-03-07 17:02:08 192000 -c----w- C:\WINDOWS\system32\dllcache\offfilt.dll
2009-06-12 21:04:39 . 2009-06-12 21:04:39 0 d-----w- C:\WINDOWS\system32\URTTEMP
2009-06-12 21:02:18 . 2009-05-12 05:11:53 102912 -c----w- C:\WINDOWS\system32\dllcache\iecompat.dll
2009-06-12 19:17:45 . 2009-06-12 19:17:45 11264 ----a-w- C:\WINDOWS\system32\PSS0579E.DLL
2009-06-12 19:07:39 . 2009-06-12 19:07:39 0 d-----w- C:\Documents and Settings\Administrator\Local Settings\Application Data\PCHealth
2009-06-12 17:53:55 . 2009-06-12 18:23:14 0 d-----w- C:\eeb96a915334b459b628e9bd97f4ea
2009-06-12 17:49:58 . 2009-06-12 17:50:25 0 d-----w- C:\7104996b916ebe98e8c2
2009-06-12 17:49:23 . 2009-06-12 18:25:35 0 d-----w- C:\WINDOWS\SxsCaPendDel
2009-06-12 17:03:53 . 2009-06-12 17:03:58 0 d-----w- C:\Documents and Settings\Administrator\Application Data\PCToolsFirewallPlus
2009-06-12 16:59:16 . 2009-03-06 20:45:06 130424 ----a-w- C:\WINDOWS\system32\drivers\PCTCore.sys
2009-06-12 16:59:16 . 2008-12-18 16:16:56 73840 ----a-w- C:\WINDOWS\system32\drivers\PCTAppEvent.sys
2009-06-12 16:59:14 . 2008-12-11 12:38:22 159600 ----a-w- C:\WINDOWS\system32\drivers\pctgntdi.sys
2009-06-12 16:58:17 . 2009-06-12 16:59:16 0 d-----w- C:\Program Files\Common Files\PC Tools
2009-06-12 16:58:17 . 2008-09-22 16:29:18 97408 ----a-w- C:\WINDOWS\system32\drivers\pctfw.sys
2009-06-12 16:58:14 . 2009-01-21 14:38:32 95640 ----a-w- C:\WINDOWS\system32\drivers\pctplfw.sys
2009-06-12 16:58:11 . 2009-06-26 11:48:07 0 d-----w- C:\Program Files\PC Tools Firewall Plus
2009-06-12 16:57:55 . 2009-06-26 11:49:17 0 d---a-w- C:\Documents and Settings\All Users\Application Data\TEMP
2009-06-12 16:57:49 . 2009-06-19 20:37:29 46864 ----a-w- C:\WINDOWS\system32\drivers\TfSysMon.sys
2009-06-12 16:57:49 . 2009-06-19 20:37:28 33552 ----a-w- C:\WINDOWS\system32\drivers\TfNetMon.sys
2009-06-12 16:57:49 . 2009-06-19 20:37:27 51984 ----a-w- C:\WINDOWS\system32\drivers\TfFsMon.sys
2009-06-12 16:57:47 . 2009-06-24 01:25:05 0 d-----w- C:\Program Files\ThreatFire
2009-06-12 16:57:47 . 2009-06-12 16:57:47 0 d-----w- C:\Documents and Settings\All Users\Application Data\PC Tools
2009-06-10 23:15:05 . 2009-06-10 23:15:05 0 d-sh--w- C:\Documents and Settings\Default User\IETldCache
2009-06-10 03:35:28 . 2009-06-12 21:16:59 0 d-----w- C:\WINDOWS\ie8updates
2009-06-09 19:28:36 . 2009-04-30 21:22:34 12800 -c----w- C:\WINDOWS\system32\dllcache\xpshims.dll
2009-06-09 19:28:36 . 2009-04-30 21:22:31 246272 -c----w- C:\WINDOWS\system32\dllcache\ieproxy.dll
2009-06-03 17:40:33 . 2009-06-03 17:40:33 0 d-----w- C:\Program Files\Trend Micro
2009-05-27 23:39:50 . 2009-05-27 23:39:50 0 d-sh--w- C:\Documents and Settings\NetworkService\IETldCache
2009-05-27 23:20:04 . 2009-05-27 23:20:04 0 d-sh--w- C:\Documents and Settings\Administrator\IECompatCache
2009-05-27 23:18:57 . 2009-05-27 23:18:58 0 d-sh--w- C:\Documents and Settings\Administrator\PrivacIE
2009-05-27 23:18:51 . 2009-05-27 23:18:51 0 d-sh--w- C:\Documents and Settings\LocalService\IETldCache
2009-05-27 23:10:53 . 2009-05-27 23:13:00 0 dc-h--w- C:\WINDOWS\ie8
2009-05-27 22:23:22 . 2009-05-27 22:23:22 0 d-sh--w- C:\WINDOWS\system32\config\systemprofile\PrivacIE
2009-05-27 22:23:02 . 2009-05-27 22:23:02 0 d-sh--w- C:\Documents and Settings\Administrator\IETldCache
2009-05-27 22:22:57 . 2009-05-27 22:22:57 0 d-sh--w- C:\WINDOWS\system32\config\systemprofile\IETldCache
2009-05-27 21:54:00 . 2009-06-08 00:53:15 182656 -c--a-w- C:\WINDOWS\system32\dllcache\ndis.sys
2009-05-27 21:53:36 . 2009-05-27 23:01:15 0 d-----w- C:\Documents and Settings\All Users\Application Data\99654206
2009-05-27 21:53:36 . 2009-05-27 23:01:15 0 d-----w- C:\Documents and Settings\All Users\Application Data\19644214
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-26 11:48:24 . 2007-04-24 14:53:17 17408 ----a-w- C:\WINDOWS\system32\rpcnetp.exe
2009-06-18 03:01:57 . 2009-05-06 13:19:08 0 d-----w- C:\Program Files\Malwarebytes' Anti-Malware
2009-06-18 03:01:31 . 2009-05-26 19:16:49 3561743 ----a-w- C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-17 15:27:56 . 2009-05-06 13:19:09 38160 ----a-w- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2009-06-17 15:27:44 . 2009-05-06 13:19:12 19096 ----a-w- C:\WINDOWS\system32\drivers\mbam.sys
2009-06-12 21:19:01 . 2007-04-25 12:48:12 0 d-----w- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2009-06-12 21:10:41 . 2007-08-14 17:55:27 69232 -c--a-w- C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-12 19:12:23 . 2007-04-25 12:52:13 0 d-----w- C:\Program Files\Microsoft Works
2009-06-08 00:56:44 . 2006-02-28 12:00:00 182656 ----a-w- C:\WINDOWS\system32\drivers\ndis.sys
2009-06-07 23:35:19 . 2007-04-24 19:22:30 17408 -c--a-w- C:\WINDOWS\system32\rpcnetp.dll
2009-05-31 16:14:08 . 2007-04-25 15:58:39 56680 ----a-w- C:\WINDOWS\system32\rpcnet.exe
2009-05-29 21:52:41 . 2007-04-27 15:13:29 0 d-----w- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-29 21:52:26 . 2007-04-27 15:13:22 0 d-----w- C:\Program Files\Spybot - Search & Destroy
2009-05-25 04:24:06 . 2008-05-27 02:18:26 350208 ----a-w- C:\WINDOWS\system32\mssph.dll
2009-05-13 22:08:02 . 2009-05-13 22:08:02 0 d-----w- C:\Program Files\FLV Player
2009-05-13 16:44:55 . 2009-05-12 21:31:36 0 d-----w- C:\Program Files\DivX
2009-05-13 16:44:33 . 2009-05-12 21:31:36 0 d-----w- C:\Program Files\Common Files\DivX Shared
2009-05-13 05:15:55 . 2006-02-28 12:00:00 915456 ----a-w- C:\WINDOWS\system32\wininet.dll
2009-05-12 19:12:14 . 2007-04-25 16:05:55 26144 ----a-w- C:\WINDOWS\system32\spupdsvc.exe
2009-05-07 15:32:35 . 2006-02-28 12:00:00 345600 ----a-w- C:\WINDOWS\system32\localspl.dll
2009-05-06 17:21:05 . 2009-05-06 17:21:05 0 ----a-w- C:\Documents and Settings\Administrator\settings.dat
2009-05-06 13:19:13 . 2009-05-06 13:19:13 0 d-----w- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2009-05-06 13:19:08 . 2009-05-06 13:19:08 0 d-----w- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-05-04 13:38:11 . 2009-05-04 13:37:53 0 d-----w- C:\Documents and Settings\All Users\Application Data\NortonInstaller
2009-05-01 13:49:33 . 2009-05-01 13:49:33 0 d-----w- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2009-05-01 13:49:33 . 2009-05-01 13:49:33 0 d-----w- C:\Program Files\SDHelper (Spybot - Search & Destroy)
2009-05-01 13:49:33 . 2009-05-01 13:49:33 0 d-----w- C:\Program Files\Misc. Support Library (Spybot - Search & Destroy)
2009-05-01 13:49:33 . 2009-05-01 13:49:32 0 d-----w- C:\Program Files\File Scanner Library (Spybot - Search & Destroy)
2009-04-18 01:54:38 . 2009-04-18 01:54:38 152576 ----a-w- C:\Documents and Settings\Administrator\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-17 12:26:40 . 2006-02-28 12:00:00 1847168 ----a-w- C:\WINDOWS\system32\win32k.sys
2009-04-15 20:24:38 . 2009-04-15 20:24:38 823296 ----a-w- C:\WINDOWS\system32\divx_xx0c.dll
2009-04-15 20:24:38 . 2009-04-15 20:24:38 823296 ----a-w- C:\WINDOWS\system32\divx_xx07.dll
2009-04-15 20:24:38 . 2009-04-15 20:24:38 815104 ----a-w- C:\WINDOWS\system32\divx_xx0a.dll
2009-04-15 20:24:38 . 2009-04-15 20:24:38 802816 ----a-w- C:\WINDOWS\system32\divx_xx11.dll
2009-04-15 20:24:38 . 2009-04-15 20:24:38 684032 ----a-w- C:\WINDOWS\system32\DivX.dll
2009-04-15 14:51:25 . 2006-02-28 12:00:00 585216 ----a-w- C:\WINDOWS\system32\rpcrt4.dll
2009-04-07 00:29:46 . 2009-05-12 21:32:00 129784 ------w- C:\WINDOWS\system32\pxafs.dll
2009-04-07 00:28:40 . 2009-04-07 00:28:40 90112 ----a-w- C:\WINDOWS\system32\dpl100.dll
2009-04-15 20:24:54 . 2009-04-15 20:24:54 1044480 ----a-w- C:\Program Files\mozilla firefox\plugins\libdivx.dll
2009-04-15 20:24:54 . 2009-04-15 20:24:54 200704 ----a-w- C:\Program Files\mozilla firefox\plugins\ssldivx.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-06-20_03.54.16 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-26 11:48:18 . 2009-06-26 11:48:18 16384 C:\WINDOWS\Temp\Perflib_Perfdata_118.dat
+ 2006-02-28 12:00:00 . 2009-06-24 01:29:28 79302 C:\WINDOWS\system32\perfc009.dat
- 2006-02-28 12:00:00 . 2009-06-20 03:39:17 79302 C:\WINDOWS\system32\perfc009.dat
+ 2006-02-28 12:00:00 . 2009-06-24 01:29:28 465200 C:\WINDOWS\system32\perfh009.dat
- 2006-02-28 12:00:00 . 2009-06-20 03:39:17 465200 C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 00:12:16 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 15:44:34 31072]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 21:41:08 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 21:45:00 118784]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 23:26:04 52896]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 15:56:16 602182]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 17:10:32 267048]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 18:13:38 176128]
"ThreatFire"="C:\Program Files\ThreatFire\TFTray.exe" [2009-06-19 20:37:21 259344]
"00PCTFW"="C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" [2009-02-23 14:49:16 2652056]
"SigmatelSysTrayApp"="stsystra.exe" - C:\WINDOWS\stsystra.exe [2006-03-24 21:30:44 282624]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"SYSDLL"="SYSDLL" [X]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 02:41:34 304128]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"igfxtray"=C:\WINDOWS\system32\igfxtray.exe
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
R0 TfFsMon;TfFsMon;C:\WINDOWS\system32\drivers\TfFsMon.sys [6/12/2009 12:57:49 PM 51984]
R0 TfSysMon;TfSysMon;C:\WINDOWS\system32\drivers\TfSysMon.sys [6/12/2009 12:57:49 PM 46864]
R1 pctgntdi;pctgntdi;C:\WINDOWS\system32\drivers\pctgntdi.sys [6/12/2009 12:59:14 PM 159600]
R2 PCTAppEvent;PCTAppEvent Driver;C:\WINDOWS\system32\drivers\PCTAppEvent.sys [6/12/2009 12:59:16 PM 73840]
R2 ThreatFire;ThreatFire;C:\Program Files\ThreatFire\TFService.exe service --> C:\Program Files\ThreatFire\TFService.exe service [?]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [3/24/2008 1:08:37 PM 24652]
R2 ZDCNDIS5;ZDCNDIS5 NDIS5.1 Protocol Driver;C:\WINDOWS\system32\ZDCndis5.sys [12/15/2008 8:17:49 PM 20736]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [4/20/2009 2:41:55 PM 101936]
R3 pctplfw;pctplfw;C:\WINDOWS\system32\drivers\pctplfw.sys [6/12/2009 12:58:14 PM 95640]
R3 TfNetMon;TfNetMon;C:\WINDOWS\system32\drivers\TfNetMon.sys [6/12/2009 12:57:49 PM 33552]
S1 6c693b55;6c693b55;C:\WINDOWS\system32\drivers\6c693b55.sys --> C:\WINDOWS\system32\drivers\6c693b55.sys [?]
S3 SavRoam;SAVRoam;C:\Program Files\Symantec AntiVirus\SavRoam.exe [9/27/2006 8:33:38 PM 116464]
--- Other Services/Drivers In Memory ---
*Deregistered* - mchInjDrv
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-06-22 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:57:52 . 2008-07-30 17:34:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://login.live.com/login.srf?wa=wsignin1.0&rpsnv=10&ct=1244549680&rver=5.5.4177.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx&lc=1033&id=64855&mkt=en-US
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
Trusted Zone: hotmail.com
DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} - hxxp://testdevapp1:7777/forms/jinitiator/jinit.exe
FF - ProfilePath - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ydf1jcta.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 4
FF - plugin: C:\Program Files\Microsoft\Office Live\npOLW.dll
FF - plugin: C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: C:\Program Files\Virtual Earth 3D\npVE3D.dll
.
[DDS logs in the following post]
Bad_Infection
2009-06-26, 16:23
DDS (Ver_09-06-26.01) - NTFSx86
Run by Administrator at 9:19:39.42 on Fri 06/26/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.315 [GMT -4:00]
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: PC Tools Firewall Plus *disabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\rpcnet.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\ThreatFire\TFService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Program Files\Apoint\HidFind.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\E1LUWSWP\dds[1].scr
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wscntfy.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://login.live.com/login.srf?wa=wsignin1.0&rpsnv=10&ct=1244549680&rver=5.5.4177.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx&lc=1033&id=64855&mkt=en-US
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
mRun: [00PCTFW] "c:\program files\pc tools firewall plus\FirewallGUI.exe" -s
dRun: [SYSDLL] SYSDLL
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: hotmail.com
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177525140296
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} - hxxp://testdevapp1:7777/forms/jinitiator/jinit.exe
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\ydf1jcta.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
============= SERVICES / DRIVERS ===============
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-6-12 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-6-12 46864]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2009-6-12 159600]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-19 169632]
R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [2009-6-12 73840]
R2 PCToolsFirewallPlus;PC Tools Firewall Plus;c:\program files\pc tools firewall plus\FWService.exe [2009-6-12 146800]
R2 ThreatFire;ThreatFire;c:\program files\threatfire\tfservice.exe service --> c:\program files\threatfire\TFService.exe service [?]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-3-24 24652]
R2 ZDCNDIS5;ZDCNDIS5 NDIS5.1 Protocol Driver;c:\windows\system32\ZDCndis5.sys [2008-12-15 20736]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-4-20 101936]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090417.007\naveng.sys [2009-4-17 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090417.007\navex15.sys [2009-4-17 876144]
R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [2009-6-12 95640]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-6-12 33552]
S1 6c693b55;6c693b55;c:\windows\system32\drivers\6c693b55.sys --> c:\windows\system32\drivers\6c693b55.sys [?]
S3 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-7-19 192160]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]
S3 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-9-27 1813232]
=============== Created Last 30 ================
2009-06-26 08:07 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-06-26 07:56 161,792 a------- c:\windows\SWREG.exe
2009-06-26 07:56 155,136 a------- c:\windows\PEV.exe
2009-06-26 07:56 98,816 a------- c:\windows\sed.exe
2009-06-26 07:56 <DIR> --ds---- C:\ComboFix
2009-06-26 07:56 389,120 a------- c:\windows\system32\CF2084.exe
2009-06-22 19:40 56,680 a------- c:\windows\system32\rpcnet.dll
2009-06-19 23:35 <DIR> --d----- c:\docume~1\admini~1\applic~1\Windows Search
2009-06-12 17:11 <DIR> --d----- c:\program files\common files\Windows Live
2009-06-12 17:09 <DIR> --d----- c:\program files\Microsoft
2009-06-12 17:08 <DIR> --d----- c:\docume~1\admini~1\applic~1\Windows Desktop Search
2009-06-12 17:07 <DIR> --d----- c:\windows\system32\GroupPolicy
2009-06-12 17:07 <DIR> --d----- c:\program files\Windows Desktop Search
2009-06-12 17:06 192,000 -c------ c:\windows\system32\dllcache\offfilt.dll
2009-06-12 17:06 98,304 -c------ c:\windows\system32\dllcache\nlhtml.dll
2009-06-12 17:06 29,696 -c------ c:\windows\system32\dllcache\mimefilt.dll
2009-06-12 17:04 <DIR> --d----- c:\windows\system32\URTTEMP
2009-06-12 17:02 102,912 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-06-12 17:00 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-06-12 15:17 11,264 a------- c:\windows\system32\PSS0579E.DLL
2009-06-12 13:53 <DIR> --d----- C:\eeb96a915334b459b628e9bd97f4ea
2009-06-12 13:49 <DIR> --d----- C:\7104996b916ebe98e8c2
2009-06-12 13:49 <DIR> --d----- c:\windows\SxsCaPendDel
2009-06-12 13:03 <DIR> --d----- c:\docume~1\admini~1\applic~1\PCToolsFirewallPlus
2009-06-12 12:59 130,424 a------- c:\windows\system32\drivers\PCTCore.sys
2009-06-12 12:59 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-06-12 12:59 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-06-12 12:58 97,408 a------- c:\windows\system32\drivers\pctfw.sys
2009-06-12 12:58 <DIR> --d----- c:\program files\common files\PC Tools
2009-06-12 12:58 95,640 a------- c:\windows\system32\drivers\pctplfw.sys
2009-06-12 12:58 <DIR> --d----- c:\program files\PC Tools Firewall Plus
2009-06-12 12:57 51,984 a------- c:\windows\system32\drivers\TfFsMon.sys
2009-06-12 12:57 46,864 a------- c:\windows\system32\drivers\TfSysMon.sys
2009-06-12 12:57 33,552 a------- c:\windows\system32\drivers\TfNetMon.sys
2009-06-12 12:57 <DIR> --d----- c:\program files\ThreatFire
2009-06-12 12:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-06-09 23:35 <DIR> --d----- c:\windows\ie8updates
2009-06-09 15:28 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-06-09 15:28 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-06-07 20:40 <DIR> a-dshr-- C:\cmdcons
2009-06-03 13:40 <DIR> --d----- c:\program files\Trend Micro
2009-05-27 19:20 <DIR> --dsh--- c:\documents and settings\administrator\IECompatCache
2009-05-27 19:18 <DIR> --dsh--- c:\documents and settings\administrator\PrivacIE
2009-05-27 19:10 <DIR> -cd-h--- c:\windows\ie8
2009-05-27 18:23 <DIR> --dsh--- c:\documents and settings\administrator\IETldCache
2009-05-27 17:54 182,656 ac------ c:\windows\system32\dllcache\ndis.sys
2009-05-27 17:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\99654206
2009-05-27 17:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\19644214
==================== Find3M ====================
2009-06-26 08:29 17,408 a------- c:\windows\system32\rpcnetp.exe
2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-07 20:56 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-06-07 19:35 17,408 ac------ c:\windows\system32\rpcnetp.dll
2009-05-31 12:14 56,680 a------- c:\windows\system32\rpcnet.exe
2009-05-25 00:24 350,208 a------- c:\windows\system32\mssph.dll
2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-12 15:12 26,144 a------- c:\windows\system32\spupdsvc.exe
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-06 13:21 0 a------- c:\documents and settings\administrator\settings.dat
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 16:24 823,296 a------- c:\windows\system32\divx_xx0c.dll
2009-04-15 16:24 823,296 a------- c:\windows\system32\divx_xx07.dll
2009-04-15 16:24 815,104 a------- c:\windows\system32\divx_xx0a.dll
2009-04-15 16:24 802,816 a------- c:\windows\system32\divx_xx11.dll
2009-04-15 16:24 684,032 a------- c:\windows\system32\DivX.dll
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-06 20:29 129,784 -------- c:\windows\system32\pxafs.dll
2009-04-06 20:28 90,112 a------- c:\windows\system32\dpl100.dll
============= FINISH: 9:21:26.09 ===============
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_09-06-26.01)
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 3/24/2008 12:30:25 PM
System Uptime: 6/26/2009 8:28:30 AM (1 hours ago)
Motherboard: Dell Inc. | | 0TD761
Processor: Genuine Intel(R) CPU T2400 @ 1.83GHz | Microprocessor | 1830/166mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 56 GiB total, 22.117 GiB free.
D: is CDROM ()
==== Disabled Device Manager Items =============
Class GUID:
Description: Ethernet Controller
Device ID: PCI\VEN_14E4&DEV_1600&SUBSYS_01C21028&REV_02\4&378EDFA4&0&00E2
Manufacturer:
Name: Ethernet Controller
PNP Device ID: PCI\VEN_14E4&DEV_1600&SUBSYS_01C21028&REV_02\4&378EDFA4&0&00E2
Service:
==== System Restore Points ===================
RP103: 6/12/2009 12:53:08 PM - System Checkpoint
RP104: 6/12/2009 12:55:54 PM - Clean Slate Day
RP105: 6/12/2009 1:43:19 PM - Software Distribution Service 3.0
RP106: 6/12/2009 2:26:37 PM - Printer Driver Microsoft XPS Document Writer Installed
RP107: 6/12/2009 3:05:45 PM - Software Distribution Service 3.0
RP108: 6/12/2009 3:44:22 PM - Software Distribution Service 3.0
RP109: 6/12/2009 5:03:58 PM - Software Distribution Service 3.0
RP110: 6/12/2009 7:28:12 PM - Software Distribution Service 3.0
RP111: 6/14/2009 8:52:01 AM - Software Distribution Service 3.0
RP112: 6/19/2009 11:46:19 PM - ComboFix created restore point
RP113: 6/22/2009 3:49:07 PM - System Checkpoint
RP114: 6/26/2009 7:57:36 AM - ComboFix created restore point
==== Installed Programs ======================
AAC Decoder
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8
Adobe Shockwave Player
AIM 6
ALPS Touch Pad Driver
Apple Software Update
AutoUpdate
Conexant HDA D110 MDC V.92 Modem
Critical Update for Windows Media Player 11 (KB959772)
Dell Resource CD
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Version Checker
DivX Web Player
FLV Player 2.0 (build 25)
Google Earth
H.264 Decoder
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Intel(R) Graphics Media Accelerator Driver
Intel(R) PROSet/Wireless Software
iTunes
Java(TM) 6 Update 13
Java(TM) 6 Update 2
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
LiveUpdate 3.1 (Symantec Corporation)
Malwarebytes' Anti-Malware
mCore
mDriver
mDrWiFi
mHlpDell
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office FrontPage 2003
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Live Add-in 1.3
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office SharePoint Designer 2007
Microsoft Office SharePoint Designer 2007 Service Pack 2 (SP2)
Microsoft Office SharePoint Designer MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
mIWA
MKV Splitter
mLogView
mMHouse
Move Networks Media Player for Internet Explorer
Mozilla Firefox (3.0.11)
mPfMgr
mPfWiz
mProSafe
mSSO
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
mWlsSafe
mWMI
mXML
mZConfig
NVIDIA Drivers
Oracle JInitiator 1.3.1.22
PC Tools Firewall Plus 5.0
Pharos
PowerDVD 5.7
QuickTime
Real Alternative 1.52
Roxio DLA
Roxio Express Labeler
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
SigmaTel Audio
Sonic Update Manager
Spelling Dictionaries Support For Adobe Reader 8
Spybot - Search & Destroy
Symantec AntiVirus
ThreatFire
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 (KB969907)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Sharepoint Designer 2007 Help (KB963675)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (kb970012)
Update for Windows Internet Explorer 8 (KB971180)
Update for Windows XP (KB943729)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VC80CRTRedist - 8.0.50727.762
Viewpoint Media Player
Virtual Earth 3D (Beta)
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Player 11
Windows PowerShell(TM) 1.0
Windows Presentation Foundation
Windows Search 4.0
Windows XP Service Pack 3
WinRAR archiver
XML Paper Specification Shared Components Pack 1.0
==== Event Viewer Messages From Past Week ========
6/20/2009 9:33:08 AM, error: System Error [1003] - Error code 000000f4, parameter1 00000003, parameter2 86b4bda0, parameter3 86b4bf14, parameter4 805d297c.
6/20/2009 9:32:15 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Spooler service.
6/20/2009 12:20:09 AM, error: Service Control Manager [7000] - The MCSTRM service failed to start due to the following error: The system cannot find the file specified.
6/20/2009 12:14:07 AM, error: Srv [2019] - The server was unable to allocate from the system nonpaged pool because the pool was empty.
6/19/2009 2:01:02 PM, error: Service Control Manager [7000] - The Windows CardSpace service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
6/19/2009 2:01:01 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows CardSpace service to connect.
6/19/2009 11:53:37 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.
==== End Of File ===========================
How do I uninstall Combofix????
That will be done later when time is right :)
Open Notepad and copy/paste the text in the quote box below into it:
Driver::
6c693b55
File::
C:\WINDOWS\system32\drivers\6c693b55.sys
DDS::
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
Firefox::
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ydf1jcta.default\
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 4
DirLook::
C:\Documents and Settings\All Users\Application Data\99654206
C:\Documents and Settings\All Users\Application Data\19644214
Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"SYSDLL"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-
Save this as
CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe.
Then post the resultant log.
ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
If that happens, we want to know, and also which process you had to end.
Uninstall these vulnerable Javas:
Java(TM) 6 Update 2
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
Uninstall old Adobe Reader versions and get the latest one (9.1 and the 9.1.2 update for it) here (http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm). Make sure you don't install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here (http://pdfreaders.org/).
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).
Post back its report, a fresh dds.txt log and the above-mentioned ComboFix resultant log.
Also run a full scan with Malwarebytes' Anti-Malware (let it update its definitions first). Post back its report too.
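The CFScript above strips an IE ProxyServer of http=localhost:7171 and the matching Firefox network.proxy.* prefs, which is how this infection was routing browser traffic through a local proxy. The following is an added example, not part of this thread and not code from ComboFix or DDS: a small offline checker that parses Firefox prefs.js lines and DDS-style "Internet Settings" lines and reports any proxy host that resolves to the local machine. The sample prefs.js and DDS lines at the bottom are constructed for the example, using the values quoted in the CFScript. To my knowledge network.proxy.type 1 means the manual hosts are in use while 4 (the value in this thread) is auto-detect, so the Firefox check labels each hit active or dormant rather than ignoring dormant ones, since they would come back into effect as soon as the type is flipped.

```python
"""Flag browser proxy settings that point back at the local machine.

Added example for this thread (not part of the original posts, nor of
ComboFix or DDS). Parses Firefox prefs.js and DDS-style Internet
Settings lines offline and reports loopback proxy hosts. All sample
input below is constructed for the example.
"""
import re
from ipaddress import ip_address

# user_pref("network.proxy.http", "localhost");  -> (key, raw value)
PREF_RE = re.compile(r'user_pref\("(network\.proxy\.[^"]+)",\s*(.+?)\);')
# DDS report lines: uInternet Settings,ProxyServer = http=localhost:7171
DDS_RE = re.compile(
    r'^[um]Internet Settings,(ProxyServer|ProxyOverride|ProxyEnable)\s*=\s*(.*)$')


def is_loopback(host: str) -> bool:
    """True for localhost, 127.0.0.0/8 and ::1 (with or without brackets)."""
    host = host.strip().strip("[]").lower()
    if host == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False


def parse_prefs_js(text: str) -> dict:
    """Return the network.proxy.* prefs from prefs.js content, typed."""
    prefs = {}
    for key, raw in PREF_RE.findall(text):
        raw = raw.strip()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[key] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[key] = raw == "true"
        else:
            prefs[key] = int(raw) if raw.lstrip("-").isdigit() else raw
    return prefs


def check_firefox_prefs(prefs: dict) -> list:
    """Report every Firefox proxy host that is loopback.

    network.proxy.type 1 = manual proxy in use (assumption: Firefox's
    documented value); any other value leaves the hosts dormant, but
    they are reported anyway because they are still worth removing.
    """
    findings = []
    ptype = prefs.get("network.proxy.type")
    for scheme in ("http", "ssl", "ftp", "socks"):
        host = prefs.get(f"network.proxy.{scheme}")
        port = prefs.get(f"network.proxy.{scheme}_port", "")
        if isinstance(host, str) and is_loopback(host):
            state = "active" if ptype == 1 else f"dormant (type={ptype})"
            findings.append(f"Firefox {scheme} proxy -> {host}:{port} [{state}]")
    return findings


def parse_ie_proxy_server(value: str) -> dict:
    """Parse an IE ProxyServer value: 'host:port' or 'http=host:port;ssl=...'."""
    entries = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.partition("=") if "=" in part else ("all", "", part)
        host, _, port = hostport.rpartition(":")
        if not host:          # no port given
            host, port = hostport, ""
        entries[scheme.strip().lower()] = (host.strip(), port.strip())
    return entries


def check_dds_lines(lines) -> list:
    """Report loopback proxies from DDS-style Internet Settings lines."""
    findings = []
    for line in lines:
        m = DDS_RE.match(line.strip())
        if not m or m.group(1) != "ProxyServer":
            continue
        for scheme, (host, port) in parse_ie_proxy_server(m.group(2)).items():
            if is_loopback(host):
                findings.append(f"IE {scheme} proxy -> {host}:{port}")
    return findings


# Constructed sample input, using the values quoted in the CFScript above.
SAMPLE_PREFS = '''
user_pref("network.proxy.http", "localhost");
user_pref("network.proxy.http_port", 7171);
user_pref("network.proxy.type", 4);
'''
SAMPLE_DDS = [
    "uInternet Settings,ProxyServer = http=localhost:7171",
    "uInternet Settings,ProxyOverride = *.local;<local>",
]

if __name__ == "__main__":
    for f in check_firefox_prefs(parse_prefs_js(SAMPLE_PREFS)) + check_dds_lines(SAMPLE_DDS):
        print(f)
```

On a live machine you would feed `parse_prefs_js` the contents of the profile's prefs.js (Firefox must be closed, since it rewrites the file on exit) and `check_dds_lines` the "Internet Settings" lines from a fresh dds.txt; a corporate proxy such as proxy.corp.example:8080 produces no finding, only loopback hosts do.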
Bad_Infection
2009-06-26, 22:32
ComboFix 09-06-26.02 - Administrator 06/26/2009 15:08.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.418 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: PC Tools Firewall Plus *disabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}
FILE ::
"c:\windows\system32\drivers\6c693b55.sys"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\program files\Mozilla Firefox\extensions\{A1DA2AFD-2256-4F08-8733-C8DE789BDF2E}
c:\program files\Mozilla Firefox\extensions\{A1DA2AFD-2256-4F08-8733-C8DE789BDF2E}\chrome.manifest
c:\program files\Mozilla Firefox\extensions\{A1DA2AFD-2256-4F08-8733-C8DE789BDF2E}\chrome\content\overlay.xul
c:\program files\Mozilla Firefox\extensions\{A1DA2AFD-2256-4F08-8733-C8DE789BDF2E}\install.rdf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_6c693b55
((((((((((((((((((((((((( Files Created from 2009-05-26 to 2009-06-26 )))))))))))))))))))))))))))))))
.
2009-06-26 12:07 . 2009-06-26 12:07 -------- dc----w- c:\windows\system32\dllcache\cache
2009-06-22 23:40 . 2009-06-26 19:17 56680 ----a-w- c:\windows\system32\rpcnet.dll
2009-06-22 17:13 . 2009-06-22 17:13 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-06-20 03:35 . 2009-06-20 03:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Search
2009-06-12 23:31 . 2009-06-12 23:32 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory
2009-06-12 21:11 . 2009-06-12 21:11 -------- d-----w- c:\program files\Common Files\Windows Live
2009-06-12 21:09 . 2009-06-12 21:09 -------- d-----w- c:\program files\Microsoft Silverlight
2009-06-12 21:09 . 2009-06-12 21:09 -------- d-----w- c:\program files\Microsoft
2009-06-12 21:08 . 2009-06-12 21:08 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2009-06-12 21:08 . 2009-06-12 21:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Desktop Search
2009-06-12 21:07 . 2009-06-13 00:17 -------- d-----w- c:\program files\Windows Desktop Search
2009-06-12 21:07 . 2009-06-12 21:07 -------- d-----w- c:\windows\system32\GroupPolicy
2009-06-12 21:06 . 2008-03-07 17:02 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2009-06-12 21:06 . 2008-03-07 17:02 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2009-06-12 21:06 . 2008-03-07 17:02 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2009-06-12 21:04 . 2009-06-12 21:04 -------- d-----w- c:\windows\system32\URTTEMP
2009-06-12 21:02 . 2009-05-12 05:11 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-06-12 19:17 . 2009-06-12 19:17 11264 ----a-w- c:\windows\system32\PSS0579E.DLL
2009-06-12 19:07 . 2009-06-12 19:07 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\PCHealth
2009-06-12 17:53 . 2009-06-12 18:23 -------- d-----w- C:\eeb96a915334b459b628e9bd97f4ea
2009-06-12 17:49 . 2009-06-12 17:50 -------- d-----w- C:\7104996b916ebe98e8c2
2009-06-12 17:49 . 2009-06-12 18:25 -------- d-----w- c:\windows\SxsCaPendDel
2009-06-12 17:03 . 2009-06-12 17:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\PCToolsFirewallPlus
2009-06-12 16:59 . 2009-03-06 20:45 130424 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-06-12 16:59 . 2008-12-18 16:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-06-12 16:59 . 2008-12-11 12:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-06-12 16:58 . 2009-06-12 16:59 -------- d-----w- c:\program files\Common Files\PC Tools
2009-06-12 16:58 . 2008-09-22 16:29 97408 ----a-w- c:\windows\system32\drivers\pctfw.sys
2009-06-12 16:58 . 2009-01-21 14:38 95640 ----a-w- c:\windows\system32\drivers\pctplfw.sys
2009-06-12 16:58 . 2009-06-26 11:48 -------- d-----w- c:\program files\PC Tools Firewall Plus
2009-06-12 16:57 . 2009-06-26 19:19 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-12 16:57 . 2009-06-19 20:37 46864 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
2009-06-12 16:57 . 2009-06-19 20:37 33552 ----a-w- c:\windows\system32\drivers\TfNetMon.sys
2009-06-12 16:57 . 2009-06-19 20:37 51984 ----a-w- c:\windows\system32\drivers\TfFsMon.sys
2009-06-12 16:57 . 2009-06-24 01:25 -------- d-----w- c:\program files\ThreatFire
2009-06-12 16:57 . 2009-06-12 16:57 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-06-10 23:15 . 2009-06-10 23:15 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2009-06-10 03:35 . 2009-06-12 21:16 -------- d-----w- c:\windows\ie8updates
2009-06-09 19:28 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-09 19:28 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-03 17:40 . 2009-06-03 17:40 -------- d-----w- c:\program files\Trend Micro
2009-05-27 23:39 . 2009-05-27 23:39 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-05-27 23:20 . 2009-05-27 23:20 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2009-05-27 23:18 . 2009-05-27 23:18 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-05-27 23:18 . 2009-05-27 23:18 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-05-27 23:10 . 2009-05-27 23:13 -------- dc-h--w- c:\windows\ie8
2009-05-27 22:23 . 2009-05-27 22:23 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-05-27 22:23 . 2009-05-27 22:23 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-05-27 22:22 . 2009-05-27 22:22 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-05-27 21:54 . 2009-06-08 00:53 182656 -c--a-w- c:\windows\system32\dllcache\ndis.sys
2009-05-27 21:53 . 2009-05-27 23:01 -------- d-----w- c:\documents and settings\All Users\Application Data\99654206
2009-05-27 21:53 . 2009-05-27 23:01 -------- d-----w- c:\documents and settings\All Users\Application Data\19644214
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-26 19:17 . 2007-04-24 14:53 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2009-06-18 03:01 . 2009-05-06 13:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-18 03:01 . 2009-05-26 19:16 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-17 15:27 . 2009-05-06 13:19 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 15:27 . 2009-05-06 13:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-12 21:19 . 2007-04-25 12:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-12 21:10 . 2007-08-14 17:55 69232 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-12 19:12 . 2007-04-25 12:52 -------- d-----w- c:\program files\Microsoft Works
2009-06-08 00:56 . 2006-02-28 12:00 182656 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-06-07 23:35 . 2007-04-24 19:22 17408 -c--a-w- c:\windows\system32\rpcnetp.dll
2009-05-31 16:14 . 2007-04-25 15:58 56680 ----a-w- c:\windows\system32\rpcnet.exe
2009-05-29 21:52 . 2007-04-27 15:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-29 21:52 . 2007-04-27 15:13 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-05-25 04:24 . 2008-05-27 02:18 350208 ----a-w- c:\windows\system32\mssph.dll
2009-05-13 22:08 . 2009-05-13 22:08 -------- d-----w- c:\program files\FLV Player
2009-05-13 16:44 . 2009-05-12 21:31 -------- d-----w- c:\program files\DivX
2009-05-13 16:44 . 2009-05-12 21:31 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-05-13 05:15 . 2006-02-28 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-12 19:12 . 2007-04-25 16:05 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2009-05-07 15:32 . 2006-02-28 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-06 17:21 . 2009-05-06 17:21 0 ----a-w- c:\documents and settings\Administrator\settings.dat
2009-05-06 13:19 . 2009-05-06 13:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-06 13:19 . 2009-05-06 13:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-04 13:38 . 2009-05-04 13:37 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-05-01 13:49 . 2009-05-01 13:49 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-05-01 13:49 . 2009-05-01 13:49 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-05-01 13:49 . 2009-05-01 13:49 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-05-01 13:49 . 2009-05-01 13:49 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-04-18 01:54 . 2009-04-18 01:54 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-17 12:26 . 2006-02-28 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 20:24 . 2009-04-15 20:24 823296 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-04-15 20:24 . 2009-04-15 20:24 823296 ----a-w- c:\windows\system32\divx_xx07.dll
2009-04-15 20:24 . 2009-04-15 20:24 815104 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-04-15 20:24 . 2009-04-15 20:24 802816 ----a-w- c:\windows\system32\divx_xx11.dll
2009-04-15 20:24 . 2009-04-15 20:24 684032 ----a-w- c:\windows\system32\DivX.dll
2009-04-15 14:51 . 2006-02-28 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-07 00:29 . 2009-05-12 21:32 129784 ------w- c:\windows\system32\pxafs.dll
2009-04-07 00:28 . 2009-04-07 00:28 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-04-15 20:24 . 2009-04-15 20:24 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-04-15 20:24 . 2009-04-15 20:24 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\All Users\Application Data\19644214 ----
2009-05-27 21:53 . 2009-05-27 21:53 64784 ----a-w- c:\documents and settings\All Users\Application Data\19644214\19644214.glu
---- Directory of c:\documents and settings\All Users\Application Data\99654206 ----
((((((((((((((((((((((((((((( SnapShot@2009-06-20_03.54.16 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-06-20 03:30 . 2009-06-20 03:30 16384 c:\windows\Temp\Perflib_Perfdata_108.dat
+ 2009-06-26 19:17 . 2009-06-26 19:17 16384 c:\windows\Temp\Perflib_Perfdata_108.dat
+ 2006-02-28 12:00 . 2009-06-24 01:29 79302 c:\windows\system32\perfc009.dat
- 2006-02-28 12:00 . 2009-06-20 03:39 79302 c:\windows\system32\perfc009.dat
+ 2009-06-26 12:07 . 2008-10-16 19:09 51224 c:\windows\system32\dllcache\cache\wuauclt.exe
+ 2009-06-26 12:07 . 2008-04-14 00:12 82432 c:\windows\system32\dllcache\cache\ws2_32.dll
+ 2009-06-26 12:07 . 2008-04-14 00:12 26112 c:\windows\system32\dllcache\cache\userinit.exe
+ 2009-06-26 12:07 . 2008-04-14 00:12 14336 c:\windows\system32\dllcache\cache\svchost.exe
+ 2009-06-26 12:07 . 2008-04-14 00:12 57856 c:\windows\system32\dllcache\cache\spoolsv.exe
+ 2009-06-26 12:07 . 2008-04-14 00:12 17408 c:\windows\system32\dllcache\cache\powrprof.dll
+ 2009-06-26 12:07 . 2008-04-14 00:12 13312 c:\windows\system32\dllcache\cache\lsass.exe
+ 2009-06-26 12:07 . 2008-04-13 18:39 24576 c:\windows\system32\dllcache\cache\kbdclass.sys
+ 2009-06-26 12:07 . 2008-04-13 18:53 36608 c:\windows\system32\dllcache\cache\ip6fw.sys
+ 2009-06-26 12:07 . 2008-04-14 00:12 15360 c:\windows\system32\dllcache\cache\ctfmon.exe
+ 2006-02-28 12:00 . 2009-06-24 01:29 465200 c:\windows\system32\perfh009.dat
- 2006-02-28 12:00 . 2009-06-20 03:39 465200 c:\windows\system32\perfh009.dat
+ 2009-06-26 12:07 . 2008-04-14 00:12 507904 c:\windows\system32\dllcache\cache\winlogon.exe
+ 2009-06-26 12:07 . 2009-05-13 05:15 915456 c:\windows\system32\dllcache\cache\wininet.dll
+ 2009-06-26 12:07 . 2008-04-14 00:12 578560 c:\windows\system32\dllcache\cache\user32.dll
+ 2009-06-26 12:07 . 2008-04-14 00:12 295424 c:\windows\system32\dllcache\cache\termsrv.dll
+ 2009-06-26 12:07 . 2008-06-20 11:51 361600 c:\windows\system32\dllcache\cache\tcpip.sys
+ 2009-06-26 12:07 . 2009-02-06 11:11 110592 c:\windows\system32\dllcache\cache\services.exe
+ 2009-06-26 12:07 . 2009-06-08 00:56 182656 c:\windows\system32\dllcache\cache\ndis.sys
+ 2009-06-26 12:07 . 2009-03-21 14:06 989696 c:\windows\system32\dllcache\cache\kernel32.dll
+ 2009-06-26 12:07 . 2008-04-14 00:11 110080 c:\windows\system32\dllcache\cache\imm32.dll
+ 2009-06-26 12:07 . 2008-04-14 00:11 167936 c:\windows\system32\dllcache\cache\appmgmts.dll
+ 2009-06-26 12:07 . 2008-04-14 00:12 1614848 c:\windows\system32\dllcache\cache\sfcfiles.dll
+ 2009-06-26 12:07 . 2009-02-06 11:06 2145280 c:\windows\system32\dllcache\cache\ntoskrnl.exe
+ 2009-06-26 12:07 . 2009-02-06 10:32 2023936 c:\windows\system32\dllcache\cache\ntkrnlpa.exe
+ 2009-06-26 12:07 . 2008-04-14 00:12 1033728 c:\windows\system32\dllcache\cache\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"ThreatFire"="c:\program files\ThreatFire\TFTray.exe" [2009-06-19 259344]
"00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2009-02-23 2652056]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"igfxtray"=c:\windows\system32\igfxtray.exe
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [6/12/2009 12:57 PM 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [6/12/2009 12:57 PM 46864]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [6/12/2009 12:59 PM 159600]
R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [6/12/2009 12:59 PM 73840]
R2 ThreatFire;ThreatFire;c:\program files\ThreatFire\TFService.exe service --> c:\program files\ThreatFire\TFService.exe service [?]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/24/2008 1:08 PM 24652]
R2 ZDCNDIS5;ZDCNDIS5 NDIS5.1 Protocol Driver;c:\windows\system32\ZDCndis5.sys [12/15/2008 8:17 PM 20736]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [4/20/2009 2:41 PM 101936]
R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [6/12/2009 12:58 PM 95640]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [6/12/2009 12:57 PM 33552]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 8:33 PM 116464]
--- Other Services/Drivers In Memory ---
*Deregistered* - mchInjDrv
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-06-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://login.live.com/login.srf?wa=wsignin1.0&rpsnv=10&ct=1244549680&rver=5.5.4177.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx&lc=1033&id=64855&mkt=en-US
Trusted Zone: hotmail.com
DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} - hxxp://testdevapp1:7777/forms/jinitiator/jinit.exe
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ydf1jcta.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-26 15:19
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\mchInjDrv]
"ImagePath"="\??\c:\windows\TEMP\mc21.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,8d,67,dd,ff,a2,1b,f2,4a,ac,9c,a4,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,8d,67,dd,ff,a2,1b,f2,4a,ac,9c,a4,\
[HKEY_USERS\S-1-5-21-1681107151-3008978803-624861639-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
@Allowed: (Read) (RestrictedCode)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,8f,98,b0,61,66,a2,1e,43,8e,a8,1f,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,8f,98,b0,61,66,a2,1e,43,8e,a8,1f,\
[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\0*& Æ]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(932)
c:\program files\ThreatFire\TFWAH.dll
c:\program files\ThreatFire\TFNI.dll
c:\program files\ThreatFire\TFMon.dll
c:\program files\ThreatFire\TFRK.dll
- - - - - - - > 'lsass.exe'(988)
c:\program files\ThreatFire\TFWAH.dll
- - - - - - - > 'explorer.exe'(2800)
c:\windows\system32\WININET.dll
c:\progra~1\PHAROS~1\Core\PRNTRACK.DLL
c:\program files\ThreatFire\TFWAH.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\program files\ThreatFire\TFNI.dll
c:\program files\ThreatFire\TFMon.dll
c:\program files\ThreatFire\TFRK.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\windows\system32\scardsvr.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\PC Tools Firewall Plus\FWService.exe
c:\progra~1\PHAROS~1\Core\CTskMstr.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\rpcnet.exe
c:\program files\ThreatFire\TFService.exe
c:\windows\system32\searchindexer.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Apoint\hidfind.exe
c:\program files\Apoint\ApntEx.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\ThreatFire\TFUN.exe
.
**************************************************************************
.
Completion time: 2009-06-26 15:27 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-26 19:27
Pre-Run: 23,758,897,152 bytes free
Post-Run: 23,738,310,656 bytes free
308 --- E O F --- 2009-06-14 12:53
More logs to follow...
Bad_Infection
2009-06-27, 00:51
I was doing the Kaspersky Scan and when I came back to my comp, it was off :/ I am out of time right now, but I will finish the scans (Kasp. and DDS) asap!! Also, I have uninstalled Adobe stuff and the Java updates you advised me to!! THANK YOU SOOOOOO MUCH!!!!!!!!!!!!!!!!!!
Ok. I'll wait for the results. Remember to run MBAM as well :)
Hi,
What's the status with this?
Due to inactivity, this thread will now be closed.
Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic; you would be starting fresh.
If it has been less than four days since your last response and you need the thread re-opened, please send me or a MOD a private message (PM). A valid, working link to the closed topic is required.