View Full Version : Help - Nasty Rootkit
Win XP SP2
HJT & gmer logs
Logfile of HijackThis v1.99.1
Scan saved at 8:06:43 PM, on 8/19/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\UnHackMe\hackmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\UnHackMe\gwebupdate.exe
C:\Documents and Settings\Ray.NOTEBOOK\My Documents\Download\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = actsvr.comcastonline.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [Cobian Backup 8] "C:\Program Files\Cobian Backup 8\Cobian.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [eyeBeam SIP Client] "C:\Program Files\Star2Star\eyeBeam.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [UnHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/deleon/1.1.58-deleon/GoogleNav.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.dell.com/us/en/systemprofiler/SysProfLcd.CAB
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
GMER 1.0.15.15077 [xpiku1s6.exe] - http://www.gmer.net
Rootkit scan 2009-08-19 21:21:49
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.15 ----
SSDT 834DA0B8 ZwConnectPort
SSDT sptd.sys ZwCreateKey [0xF877F0B0]
SSDT sptd.sys ZwEnumerateKey [0xF878484C]
SSDT sptd.sys ZwEnumerateValueKey [0xF8784BEC]
SSDT sptd.sys ZwOpenKey [0xF877F090]
SSDT sptd.sys ZwQueryKey [0xF8784CC4]
SSDT sptd.sys ZwQueryValueKey [0xF8784B44]
SSDT sptd.sys ZwSetValueKey [0xF8784D56]
---- Kernel code sections - GMER 1.0.15 ----
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload F803E62C 5 Bytes JMP 8364E780
? System32\Drivers\sfc.SYS The system cannot find the path specified. !
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!IoConnectInterrupt] [F8793580] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F879352C] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F87ADAB8] sptd.sys
IAT atapi.sys[ntoskrnl.exe!IoConnectInterrupt] [F8793580] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F877FABA] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F877FC00] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F877FB82] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F878072E] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F8780604] sptd.sys
IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F8792B9A] sptd.sys
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Program Files\Common Files\Symantec Shared\ccApp.exe[1516] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 003F3EB4
IAT C:\Program Files\LogMeIn\x86\LogMeInSystray.exe[2764] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 009A3EB4
IAT C:\Program Files\UnHackMe\gwebupdate.exe[3440] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00C925F8
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 837D11D8
AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
Device \FileSystem\Fastfat \FatCdrom 831F6378
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 mouclass.sys (Mouse Class Driver/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys
Device \Driver\usbuhci \Device\USBPDO-0 8360C1D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 837601D8
Device \Driver\dmio \Device\DmControl\DmConfig 837601D8
Device \Driver\dmio \Device\DmControl\DmPnP 837601D8
Device \Driver\dmio \Device\DmControl\DmInfo 837601D8
Device \Driver\usbuhci \Device\USBPDO-1 8360C1D8
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\Ftdisk \Device\HarddiskVolume1 837D31D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 837D31D8
Device \Driver\Cdrom \Device\CdRom0 83502598
Device \Driver\atapi \Device\Ide\IdePort0 837D21D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 837D21D8
Device \Driver\atapi \Device\Ide\IdePort1 837D21D8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e 837D21D8
Device \Driver\NetBT \Device\NetBt_Wins_Export 8326B3B8
Device \Driver\NetBT \Device\NetbiosSmb 8326B3B8
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\usbuhci \Device\USBFDO-0 8360C1D8
Device \Driver\usbuhci \Device\USBFDO-1 8360C1D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8343A538
Device 8343A538
Device \Driver\NetBT \Device\NetBT_Tcpip_{B225EB0A-4540-4632-B300-329A8513F24E} 8326B3B8
Device \Driver\Ftdisk \Device\FtControl 837D31D8
Device 831F6378
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)
AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
Device \FileSystem\Cdfs \Cdfs 833F74C0
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@imagepath \systemroot\system32\drivers\UAClrndondgiyutuha.sys
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACd
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACc
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacsr
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uaclog
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacmask
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACdfgvkasmrmxdlhx.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacbbr
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACproc
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacurls
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacerrors
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 -1418291345
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 -1961341128
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@NoChange 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3F504ABE-6F11-70AA-47FD-03F802DCA507}
---- EOF - GMER 1.0.15 ----
Hi sjersey
We will begin with ComboFix. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
New HijackThis log.
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix 09-08-22.06 - Ray 08/22/2009 20:54.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.128 [GMT -4:00]
Running from: c:\documents and settings\Ray.NOTEBOOK\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\recycler\S-1-5-21-3184799980-4516201209-907372435-1384
c:\recycler\S-1-5-21-4019740176-6412523428-745977463-8562
c:\recycler\S-1-5-21-4019740176-6412523428-745977463-8562\msimfo32.exe
c:\windows\Fonts\pxdocexp.TTF
c:\windows\Fonts\Wphv07nb.ttf
c:\windows\Fonts\ZWAdobeF.TTF
c:\windows\Install.txt
c:\windows\Installer\20e6c03.msp
c:\windows\Installer\219761.msi
c:\windows\Installer\3dea5d3.msi
c:\windows\Installer\3ea2e.msi
c:\windows\Installer\452148.msp
c:\windows\Installer\4f719.msi
c:\windows\Installer\4f71f.msi
c:\windows\Installer\4f725.msi
c:\windows\Installer\554d21e.msp
c:\windows\Installer\e9b5d6.msp
c:\windows\system32\1.tmp
c:\windows\system32\2.tmp
c:\windows\system32\AVR09.exe
c:\windows\system32\drivers\KBIWKMRRFWORVX.SYS.del
c:\windows\system32\drivers\Sonyhcp.dll
c:\windows\system32\Ijl11.dll
c:\windows\system32\Install.txt
c:\windows\system32\kbiwkmbqnkfppj.dll
c:\windows\system32\kbiwkmehrrovnh.dll
c:\windows\system32\kbiwkmoodmltai.dat
c:\windows\system32\nqWFOqssORG.ini
c:\windows\system32\tmp.reg
Infected copy of c:\windows\system32\sfcfiles.dll was found and disinfected
Restored copy from - c:\windows\system32\mssfc.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_6TO4
-------\Legacy_AFINDING
-------\Legacy_CLBDRIVER
-------\Legacy_IAS
-------\Legacy_IPRIP
-------\Legacy_MACIDWE
-------\Legacy_NETSVCS_0X0
-------\Legacy_NOBICYT
-------\Legacy_NWCWORKSTATION
-------\Legacy_PERFS
-------\Legacy_ROUTING
-------\Legacy_SEICTRL
-------\Legacy_SFC
-------\Legacy_SOBICYT
-------\Legacy_TDXDOWKC
-------\Legacy_WSERVING
-------\Service_sfc
((((((((((((((((((((((((( Files Created from 2009-07-23 to 2009-08-23 )))))))))))))))))))))))))))))))
.
2009-08-19 20:12 . 2009-08-19 20:12 153104 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-08-19 18:04 . 2009-08-19 18:04 24416 ----a-w- c:\windows\system32\drivers\regguard.sys
2009-08-19 17:02 . 2009-06-18 16:55 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2009-08-19 16:07 . 2009-08-19 16:08 -------- d-----w- C:\RootkitNO
2009-08-19 10:43 . 2009-08-19 10:43 -------- d-----w- c:\windows\Recent
2009-08-19 01:12 . 2009-08-19 18:41 32290 ----a-w- c:\windows\system32\drivers\Partizan.sys
2009-08-19 01:12 . 2009-08-19 20:16 25600 ----a-w- c:\windows\system32\Partizan.exe
2009-08-19 01:12 . 2005-04-03 19:02 8944 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
2009-07-28 23:04 . 2009-07-28 23:05 -------- d-----w- c:\program files\FCTR
2009-07-28 22:14 . 2009-07-28 22:14 -------- d-----w- c:\program files\Print Server
2009-07-25 10:52 . 2009-07-25 10:52 -------- d-----w- c:\docume~1\RAY~1.NOT\APPLIC~1\Apple Computer
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-23 01:23 . 2005-10-10 20:03 -------- d-----w- c:\program files\Symantec AntiVirus
2009-08-23 00:34 . 2008-07-07 20:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-08-23 00:34 . 2006-09-08 12:25 -------- d-----w- c:\program files\LogMeIn
2009-08-19 19:39 . 2008-08-10 19:03 -------- d-----w- c:\program files\UnHackMe
2009-08-19 01:13 . 2008-08-10 19:05 2 --shatr- c:\windows\winstart.bat
2009-08-18 19:39 . 2008-07-10 11:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-18 19:19 . 2007-01-12 01:33 -------- d-----w- c:\docume~1\RAY~1.NOT\APPLIC~1\U3
2009-08-17 18:17 . 2008-09-26 17:29 -------- d-----w- c:\docume~1\RAY~1.NOT\APPLIC~1\FileZilla
2009-08-14 19:30 . 2008-09-26 17:27 -------- d-----w- c:\program files\FileZilla FTP Client
2009-08-07 03:01 . 2009-06-15 02:30 -------- d-----w- c:\program files\PeerGuardian2
2009-08-07 00:29 . 2007-05-25 20:10 -------- d-----w- c:\docume~1\RAY~1.NOT\APPLIC~1\uTorrent
2009-08-03 17:36 . 2008-08-07 17:12 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 17:36 . 2008-07-10 11:51 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-24 20:37 . 2005-07-25 12:56 -------- d-----w- c:\docume~1\RAY~1.NOT\APPLIC~1\AdobeUM
2009-07-24 19:56 . 2008-03-26 19:03 256 ----a-w- c:\documents and settings\Ray.NOTEBOOK\pool.bin
2009-07-16 01:47 . 2003-07-23 01:36 -------- d-----w- c:\docume~1\RAY~1.NOT\APPLIC~1\Roxio
2009-07-10 20:30 . 2002-06-03 10:27 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-10 20:28 . 2002-06-03 10:22 -------- d-----w- c:\program files\Dell
2009-06-29 16:12 . 2005-06-18 04:49 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2005-11-11 18:49 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2001-08-17 23:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-26 15:17 . 2003-11-28 01:43 -------- d-----w- c:\program files\Google
2009-06-25 02:17 . 2008-07-10 01:21 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-25 00:27 . 2002-06-08 02:55 -------- d-----w- c:\program files\MediaFACE
2009-06-23 14:28 . 2008-03-26 18:55 256 ----a-w- c:\windows\system32\pool.bin
2009-06-16 14:55 . 2001-08-17 23:00 82432 ------w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2001-08-17 23:00 119808 ------w- c:\windows\system32\t2embed.dll
2009-06-03 19:27 . 2005-08-30 04:02 1290752 ----a-w- c:\windows\system32\quartz.dll
2009-06-02 14:23 . 2009-06-02 14:23 262144 ----a-w- C:\ntuser.dat
.
------- Sigcheck -------
[7] 2001-08-17 23:00 4224 DA1F27D85E0D1525F6621372E7B685E9 c:\windows\SYSTEM32\beep.sys
[7] 2001-08-17 23:00 4224 DA1F27D85E0D1525F6621372E7B685E9 c:\windows\SYSTEM32\DLLCACHE\beep.sys
c:\windows\system32\drivers\beep.sys ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="c:\program files\AIM95\aim.exe" [2003-08-01 61440]
"eyeBeam SIP Client"="c:\program files\Star2Star\eyeBeam.exe" [2008-03-31 21110784]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-13 68856]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"UnHackMe Monitor"="c:\program files\UnHackMe\hackmon.exe" [2009-07-27 236744]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-06-24 4800512]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2001-10-26 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2001-10-26 401408]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-12-12 196608]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2002-12-03 40960]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_05\bin\jusched.exe" [2005-08-26 36975]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-05-08 180269]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-04-17 63048]
"Cobian Backup 8"="c:\program files\Cobian Backup 8\Cobian.exe" [2007-03-21 499712]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2003-06-24 323584]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="c:\program files\Symantec\LiveUpdate\ALUNotify.exe" [2005-10-05 67216]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\SYSTEM32\narrator.exe [2006-10-04 53760]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 217194]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-12 83360]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= "c:\program files\Symantec\WinFax\WfxSeh32.Dll" [1998-07-27 38400]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-17 00:35 87352 ----a-w- c:\windows\SYSTEM32\LMIinit.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2002-02-15 14:51 24638 ------w- c:\windows\SYSTEM32\PCANotify.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan\0
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 7.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 7.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 7.0 Tray Icon.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=c:\windows\pss\Billminder.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DataViz Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DataViz Messenger.lnk
backup=c:\windows\pss\DataViz Messenger.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks 2001 Delivery Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks 2001 Delivery Agent.lnk
backup=c:\windows\pss\QuickBooks 2001 Delivery Agent.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Ray.NOTEBOOK^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\Ray.NOTEBOOK\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\winaw32.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
"c:\\Program Files\\AIM95\\aim.exe"=
"c:\\Program Files\\Corel\\WordPerfect Office 2000\\programs\\pdxwin32.exe"=
"c:\\WINDOWS\\SYSTEM32\\ftp.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"c:\\Program Files\\Corel\\Paradox 9 Runtime\\Programs\\PDXRWN32.exe"=
"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\SAGENT4.EXE"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Documents and Settings\\Ray.NOTEBOOK\\My Documents\\Download\\utorrent\\utorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\SYSTEM32\\java.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Star2Star\\eyeBeam.exe"=
"c:\\Program Files\\Softland\\Backup4all 3\\Backup4all.exe"=
"c:\\WINDOWS\\SYSTEM32\\dpvsetup.exe"=
"c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
"c:\\Documents and Settings\\Ray.NOTEBOOK\\My Documents\\Download\\mute\\MUTE\\fileSharingMUTE.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8600:TCP"= 8600:TCP:null
R1 GhPciScan;GhostPciScanner;c:\program files\Symantec\Norton Ghost 2003\GhPciScan.sys [12/17/2003 4:41 PM 5632]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/14/2009 2:22 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/14/2009 2:22 PM 72944]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\SYSTEM32\SAVRKBootTasks.sys [8/19/2009 1:02 PM 18816]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [7/2/2007 6:16 PM 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\SYSTEM32\DRIVERS\LMIRfsDriver.sys [7/2/2007 6:16 PM 47640]
R2 MapMemP;MapMemP;c:\windows\SYSTEM32\DRIVERS\MapMemP.Sys [4/10/2003 2:55 PM 63080]
R3 EraserUtilDrv10910;EraserUtilDrv10910;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10910.sys [8/15/2009 7:41 AM 101936]
R3 Ich;Ich;c:\windows\SYSTEM32\DRIVERS\Ich.sys [12/31/1979 12:00 PM 65916]
S0 Partizan;Partizan;c:\windows\SYSTEM32\DRIVERS\Partizan.sys [8/18/2009 9:12 PM 32290]
S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\SYSTEM32\DRIVERS\hphius09.sys [10/5/2006 7:26 PM 18864]
S3 FCUSB;Freecom Cable II USB Driver;c:\windows\SYSTEM32\DRIVERS\FCUSB.sys [11/29/2001 1:05 PM 13104]
S3 LSWL;Instant Wireless Network PC Card V2.5 Driver;c:\windows\SYSTEM32\DRIVERS\LSWLNDS.sys [9/8/2008 6:26 PM 50688]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3.tmp --> c:\windows\system32\3.tmp [?]
S3 qic157;qic157;c:\windows\SYSTEM32\DRIVERS\qic157.sys [6/9/2002 7:06 AM 6016]
S3 RegGuard;RegGuard;c:\windows\SYSTEM32\DRIVERS\regguard.sys [8/19/2009 2:04 PM 24416]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/14/2009 2:22 PM 7408]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [4/17/2005 12:30 PM 124608]
S3 USB-100;Linksys EtherFast 10/100 Compact USB Network Adapter;c:\windows\SYSTEM32\DRIVERS\USB100M.SYS [3/30/2004 4:11 PM 27519]
S3 VisorUsb;Handspring USB;c:\windows\SYSTEM32\DRIVERS\VisorUsb.sys [6/8/2002 6:00 AM 19968]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 Nlaidevrnsa;Nlaidevrnsa; [x]
--- Other Services/Drivers In Memory ---
*Deregistered* - UnHackMeDrv
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
netsvcs_0x3
netsvcs_0x4
netsvcs_0x6
.
Contents of the 'Scheduled Tasks' folder
2009-08-23 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-04-25 23:52]
2009-08-23 c:\windows\Tasks\User_Feed_Synchronization-{363F83FD-D289-4B33-B2C8-94C1FF4776C5}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 23:36]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Search Protection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe
HKCU-Run-Microsoft Works Update Detection - c:\program files\Microsoft Works\WkDetect.exe
ShellExecuteHooks-{EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - c:\program files\Qualcomm\Eudora\EuShlExt.dll
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = actsvr.comcastonline.com
uInternet Settings,ProxyServer = actsvr.comcastonline.com:8100
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-22 21:24
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\windows\TEMP\TMP4.tmp 554760 bytes executable
scan completed successfully
hidden files: 1
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\3.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1779672970-1582333133-359561344-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3F504ABE-6F11-70AA-47FD-03F802DCA507}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(604)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
- - - - - - - > 'explorer.exe'(3236)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
c:\windows\system32\mshtml.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
c:\program files\AIM95\idlemon.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\windows\system32\browselc.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Executive Software\Diskeeper\DkService.exe
c:\program files\Symantec\Norton Ghost 2003\GhostStartService.exe
c:\program files\LogMeIn\x86\ramaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\SYSTEM32\nvsvc32.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\SYSTEM32\WFXSVC.EXE
c:\program files\Symantec\WinFax\WFXMOD32.EXE
c:\windows\SYSTEM32\MsPMSPSv.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Cobian Backup 8\cbInterface.exe
c:\program files\UnHackMe\GWebUpdate.exe
.
**************************************************************************
.
Completion time: 2009-08-23 21:46 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-23 01:45
Pre-Run: 4,871,987,200 bytes free
Post-Run: 4,718,972,928 bytes free
337 --- E O F --- 2009-08-07 03:06
Logfile of HijackThis v1.99.1
Scan saved at 9:40:12 PM, on 8/22/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CF14432.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Cobian Backup 8\Cobian.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Cobian Backup 8\cbInterface.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\UnHackMe\hackmon.exe
C:\Program Files\UnHackMe\gwebupdate.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\ComboFix\pev.cfxxe
C:\Documents and Settings\Ray.NOTEBOOK\My Documents\Download\hijackthis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = actsvr.comcastonline.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [Cobian Backup 8] "C:\Program Files\Cobian Backup 8\Cobian.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [eyeBeam SIP Client] "C:\Program Files\Star2Star\eyeBeam.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [UnHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/deleon/1.1.58-deleon/GoogleNav.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.dell.com/us/en/systemprofiler/SysProfLcd.CAB
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
Please install recovery console manually as instructed in link I gave you.
After that, please re-run combofix and post back a fresh combofix log.
ComboFix 09-08-22.06 - Ray 08/23/2009 8:23.2.1 - NTFSx86
Running from: c:\documents and settings\Ray.NOTEBOOK\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2009-07-23 to 2009-08-23 )))))))))))))))))))))))))))))))
.
2009-08-19 20:12 . 2009-08-19 20:12 153104 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-08-19 17:02 . 2009-06-18 16:55 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2009-08-19 16:07 . 2009-08-19 16:08 -------- d-----w- C:\RootkitNO
2009-08-19 10:43 . 2009-08-19 10:43 -------- d-----w- c:\windows\Recent
2009-07-28 23:04 . 2009-07-28 23:05 -------- d-----w- c:\program files\FCTR
2009-07-28 22:14 . 2009-07-28 22:14 -------- d-----w- c:\program files\Print Server
2009-07-25 10:52 . 2009-07-25 10:52 -------- d-----w- c:\docume~1\RAY~1.NOT\APPLIC~1\Apple Computer
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-23 12:48 . 2005-10-10 20:03 -------- d-----w- c:\program files\Symantec AntiVirus
2009-08-23 12:02 . 2008-08-10 19:03 -------- d-----w- c:\program files\UnHackMe
2009-08-23 11:51 . 2006-09-08 12:25 -------- d-----w- c:\program files\LogMeIn
2009-08-23 00:34 . 2008-07-07 20:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-08-19 01:13 . 2008-08-10 19:05 2 --shatr- c:\windows\winstart.bat
2009-08-18 19:39 . 2008-07-10 11:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-18 19:38 . 2009-01-12 03:39 3942047 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-08-18 19:19 . 2007-01-12 01:33 -------- d-----w- c:\docume~1\RAY~1.NOT\APPLIC~1\U3
2009-08-17 18:17 . 2008-09-26 17:29 -------- d-----w- c:\docume~1\RAY~1.NOT\APPLIC~1\FileZilla
2009-08-14 19:30 . 2008-09-26 17:27 -------- d-----w- c:\program files\FileZilla FTP Client
2009-08-07 03:01 . 2009-06-15 02:30 -------- d-----w- c:\program files\PeerGuardian2
2009-08-07 00:29 . 2007-05-25 20:10 -------- d-----w- c:\docume~1\RAY~1.NOT\APPLIC~1\uTorrent
2009-08-03 17:36 . 2008-08-07 17:12 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 17:36 . 2008-07-10 11:51 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-24 20:37 . 2005-07-25 12:56 -------- d-----w- c:\docume~1\RAY~1.NOT\APPLIC~1\AdobeUM
2009-07-24 19:56 . 2008-03-26 19:03 256 ----a-w- c:\documents and settings\Ray.NOTEBOOK\pool.bin
2009-07-16 01:47 . 2003-07-23 01:36 -------- d-----w- c:\docume~1\RAY~1.NOT\APPLIC~1\Roxio
2009-07-10 20:30 . 2002-06-03 10:27 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-10 20:28 . 2002-06-03 10:22 -------- d-----w- c:\program files\Dell
2009-06-29 16:12 . 2005-06-18 04:49 827392 ------w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2005-11-11 18:49 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2001-08-17 23:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-26 15:17 . 2003-11-28 01:43 -------- d-----w- c:\program files\Google
2009-06-25 02:17 . 2008-07-10 01:21 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-25 00:27 . 2002-06-08 02:55 -------- d-----w- c:\program files\MediaFACE
2009-06-23 14:28 . 2008-03-26 18:55 256 ----a-w- c:\windows\system32\pool.bin
2009-06-16 14:55 . 2001-08-17 23:00 82432 ------w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2001-08-17 23:00 119808 ------w- c:\windows\system32\t2embed.dll
2009-06-03 19:27 . 2005-08-30 04:02 1290752 ----a-w- c:\windows\system32\quartz.dll
2009-06-02 14:23 . 2009-06-02 14:23 262144 ----a-w- C:\ntuser.dat
2009-05-26 23:50 . 2009-06-02 14:21 607472 ----a-w- c:\documents and settings\All Users\Application Data\yahoo!\YUpdater\yupdater.exe
.
------- Sigcheck -------
[7] 2001-08-17 23:00 4224 DA1F27D85E0D1525F6621372E7B685E9 c:\windows\SYSTEM32\beep.sys
[7] 2001-08-17 23:00 4224 DA1F27D85E0D1525F6621372E7B685E9 c:\windows\SYSTEM32\DLLCACHE\beep.sys
c:\windows\system32\drivers\beep.sys ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="c:\program files\AIM95\aim.exe" [2003-08-01 61440]
"eyeBeam SIP Client"="c:\program files\Star2Star\eyeBeam.exe" [2008-03-31 21110784]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-13 68856]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-06-24 4800512]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2001-10-26 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2001-10-26 401408]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-12-12 196608]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2002-12-03 40960]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_05\bin\jusched.exe" [2005-08-26 36975]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-05-08 180269]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-04-17 63048]
"Cobian Backup 8"="c:\program files\Cobian Backup 8\Cobian.exe" [2007-03-21 499712]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2003-06-24 323584]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="c:\program files\Symantec\LiveUpdate\ALUNotify.exe" [2005-10-05 67216]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\SYSTEM32\narrator.exe [2006-10-04 53760]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 217194]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-12 83360]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= "c:\program files\Symantec\WinFax\WfxSeh32.Dll" [1998-07-27 38400]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-17 00:35 87352 ----a-w- c:\windows\SYSTEM32\LMIinit.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2002-02-15 14:51 24638 ------w- c:\windows\SYSTEM32\PCANotify.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 7.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 7.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 7.0 Tray Icon.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=c:\windows\pss\Billminder.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DataViz Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DataViz Messenger.lnk
backup=c:\windows\pss\DataViz Messenger.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks 2001 Delivery Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks 2001 Delivery Agent.lnk
backup=c:\windows\pss\QuickBooks 2001 Delivery Agent.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Ray.NOTEBOOK^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\Ray.NOTEBOOK\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\winaw32.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
"c:\\Program Files\\AIM95\\aim.exe"=
"c:\\Program Files\\Corel\\WordPerfect Office 2000\\programs\\pdxwin32.exe"=
"c:\\WINDOWS\\SYSTEM32\\ftp.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"c:\\Program Files\\Corel\\Paradox 9 Runtime\\Programs\\PDXRWN32.exe"=
"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\SAGENT4.EXE"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Documents and Settings\\Ray.NOTEBOOK\\My Documents\\Download\\utorrent\\utorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\SYSTEM32\\java.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Star2Star\\eyeBeam.exe"=
"c:\\Program Files\\Softland\\Backup4all 3\\Backup4all.exe"=
"c:\\WINDOWS\\SYSTEM32\\dpvsetup.exe"=
"c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
"c:\\Documents and Settings\\Ray.NOTEBOOK\\My Documents\\Download\\mute\\MUTE\\fileSharingMUTE.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8600:TCP"= 8600:TCP:null
R1 GhPciScan;GhostPciScanner;c:\program files\Symantec\Norton Ghost 2003\GhPciScan.sys [12/17/2003 4:41 PM 5632]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/14/2009 2:22 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/14/2009 2:22 PM 72944]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\SYSTEM32\SAVRKBootTasks.sys [8/19/2009 1:02 PM 18816]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [7/2/2007 6:16 PM 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\SYSTEM32\DRIVERS\LMIRfsDriver.sys [7/2/2007 6:16 PM 47640]
R2 MapMemP;MapMemP;c:\windows\SYSTEM32\DRIVERS\MapMemP.Sys [4/10/2003 2:55 PM 63080]
R3 Ich;Ich;c:\windows\SYSTEM32\DRIVERS\Ich.sys [12/31/1979 12:00 PM 65916]
S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\SYSTEM32\DRIVERS\hphius09.sys [10/5/2006 7:26 PM 18864]
S3 FCUSB;Freecom Cable II USB Driver;c:\windows\SYSTEM32\DRIVERS\FCUSB.sys [11/29/2001 1:05 PM 13104]
S3 LSWL;Instant Wireless Network PC Card V2.5 Driver;c:\windows\SYSTEM32\DRIVERS\LSWLNDS.sys [9/8/2008 6:26 PM 50688]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3.tmp --> c:\windows\system32\3.tmp [?]
S3 qic157;qic157;c:\windows\SYSTEM32\DRIVERS\qic157.sys [6/9/2002 7:06 AM 6016]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/14/2009 2:22 PM 7408]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [4/17/2005 12:30 PM 124608]
S3 USB-100;Linksys EtherFast 10/100 Compact USB Network Adapter;c:\windows\SYSTEM32\DRIVERS\USB100M.SYS [3/30/2004 4:11 PM 27519]
S3 VisorUsb;Handspring USB;c:\windows\SYSTEM32\DRIVERS\VisorUsb.sys [6/8/2002 6:00 AM 19968]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 Nlaidevrnsa;Nlaidevrnsa; [x]
--- Other Services/Drivers In Memory ---
*Deregistered* - EraserUtilDrv10910
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
netsvcs_0x3
netsvcs_0x4
netsvcs_0x6
.
Contents of the 'Scheduled Tasks' folder
2009-08-23 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-04-25 23:52]
2009-08-23 c:\windows\Tasks\User_Feed_Synchronization-{363F83FD-D289-4B33-B2C8-94C1FF4776C5}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 23:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = actsvr.comcastonline.com
uInternet Settings,ProxyServer = actsvr.comcastonline.com:8100
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-23 08:52
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\3.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1779672970-1582333133-359561344-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3F504ABE-6F11-70AA-47FD-03F802DCA507}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(584)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
- - - - - - - > 'explorer.exe'(2108)
c:\windows\system32\WININET.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2009-08-23 9:10
ComboFix-quarantined-files.txt 2009-08-23 13:10
ComboFix2.txt 2009-08-23 01:46
Pre-Run: 4,760,899,584 bytes free
Post-Run: 4,727,566,336 bytes free
239 --- E O F --- 2009-08-07 03:06
Open notepad and copy/paste the text in the codebox below into it:
FCopy::
c:\windows\SYSTEM32\beep.sys | c:\windows\system32\drivers\beep.sys
Save this as "CFScript"
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
ComboFix 09-08-22.06 - Ray 08/23/2009 11:12.3.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.245 [GMT -4:00]
Running from: c:\documents and settings\Ray.NOTEBOOK\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ray.NOTEBOOK\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
--------------- FCopy ---------------
c:\windows\SYSTEM32\beep.sys --> c:\windows\system32\drivers\beep.sys
.
((((((((((((((((((((((((( Files Created from 2009-07-23 to 2009-08-23 )))))))))))))))))))))))))))))))
.
2009-08-23 15:12 . 2001-08-17 23:00 4224 ----a-w- c:\windows\system32\drivers\beep.sys
2009-08-23 15:12 . 2001-08-17 23:00 4224 ----a-w- c:\windows\system32\dllcache\beep.sys
2009-08-23 09:54 . 2009-08-23 09:54 -------- d-----w- c:\windows\Recent
2009-08-19 20:12 . 2009-08-19 20:12 153104 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-08-19 17:02 . 2009-06-18 16:55 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2009-08-19 16:07 . 2009-08-19 16:08 -------- d-----w- C:\RootkitNO
2009-07-28 23:04 . 2009-07-28 23:05 -------- d-----w- c:\program files\FCTR
2009-07-28 22:14 . 2009-07-28 22:14 -------- d-----w- c:\program files\Print Server
2009-07-25 10:52 . 2009-07-25 10:52 -------- d-----w- c:\docume~1\RAY~1.NOT\APPLIC~1\Apple Computer
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-23 15:41 . 2005-10-10 20:03 -------- d-----w- c:\program files\Symantec AntiVirus
2009-08-23 12:02 . 2008-08-10 19:03 -------- d-----w- c:\program files\UnHackMe
2009-08-23 11:51 . 2006-09-08 12:25 -------- d-----w- c:\program files\LogMeIn
2009-08-23 00:34 . 2008-07-07 20:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-08-19 01:13 . 2008-08-10 19:05 2 --shatr- c:\windows\winstart.bat
2009-08-18 19:39 . 2008-07-10 11:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-18 19:38 . 2009-01-12 03:39 3942047 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-08-18 19:19 . 2007-01-12 01:33 -------- d-----w- c:\docume~1\RAY~1.NOT\APPLIC~1\U3
2009-08-17 18:17 . 2008-09-26 17:29 -------- d-----w- c:\docume~1\RAY~1.NOT\APPLIC~1\FileZilla
2009-08-14 19:30 . 2008-09-26 17:27 -------- d-----w- c:\program files\FileZilla FTP Client
2009-08-07 03:01 . 2009-06-15 02:30 -------- d-----w- c:\program files\PeerGuardian2
2009-08-07 00:29 . 2007-05-25 20:10 -------- d-----w- c:\docume~1\RAY~1.NOT\APPLIC~1\uTorrent
2009-08-03 17:36 . 2008-08-07 17:12 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 17:36 . 2008-07-10 11:51 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-24 20:37 . 2005-07-25 12:56 -------- d-----w- c:\docume~1\RAY~1.NOT\APPLIC~1\AdobeUM
2009-07-24 19:56 . 2008-03-26 19:03 256 ----a-w- c:\documents and settings\Ray.NOTEBOOK\pool.bin
2009-07-16 01:47 . 2003-07-23 01:36 -------- d-----w- c:\docume~1\RAY~1.NOT\APPLIC~1\Roxio
2009-07-10 20:30 . 2002-06-03 10:27 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-10 20:28 . 2002-06-03 10:22 -------- d-----w- c:\program files\Dell
2009-06-29 16:12 . 2005-06-18 04:49 827392 ------w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2005-11-11 18:49 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2001-08-17 23:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-26 15:17 . 2003-11-28 01:43 -------- d-----w- c:\program files\Google
2009-06-25 02:17 . 2008-07-10 01:21 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-25 00:27 . 2002-06-08 02:55 -------- d-----w- c:\program files\MediaFACE
2009-06-23 14:28 . 2008-03-26 18:55 256 ----a-w- c:\windows\system32\pool.bin
2009-06-16 14:55 . 2001-08-17 23:00 82432 ------w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2001-08-17 23:00 119808 ------w- c:\windows\system32\t2embed.dll
2009-06-03 19:27 . 2005-08-30 04:02 1290752 ----a-w- c:\windows\system32\quartz.dll
2009-06-02 14:23 . 2009-06-02 14:23 262144 ----a-w- C:\ntuser.dat
2009-05-26 23:50 . 2009-06-02 14:21 607472 ----a-w- c:\documents and settings\All Users\Application Data\yahoo!\YUpdater\yupdater.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="c:\program files\AIM95\aim.exe" [2003-08-01 61440]
"eyeBeam SIP Client"="c:\program files\Star2Star\eyeBeam.exe" [2008-03-31 21110784]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-13 68856]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-06-24 4800512]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2001-10-26 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2001-10-26 401408]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-12-12 196608]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2002-12-03 40960]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_05\bin\jusched.exe" [2005-08-26 36975]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-05-08 180269]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-04-17 63048]
"Cobian Backup 8"="c:\program files\Cobian Backup 8\Cobian.exe" [2007-03-21 499712]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2003-06-24 323584]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="c:\program files\Symantec\LiveUpdate\ALUNotify.exe" [2005-10-05 67216]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\SYSTEM32\narrator.exe [2006-10-04 53760]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 217194]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-12 83360]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= "c:\program files\Symantec\WinFax\WfxSeh32.Dll" [1998-07-27 38400]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-17 00:35 87352 ----a-w- c:\windows\SYSTEM32\LMIinit.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2002-02-15 14:51 24638 ------w- c:\windows\SYSTEM32\PCANotify.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 7.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 7.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 7.0 Tray Icon.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=c:\windows\pss\Billminder.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DataViz Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DataViz Messenger.lnk
backup=c:\windows\pss\DataViz Messenger.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks 2001 Delivery Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks 2001 Delivery Agent.lnk
backup=c:\windows\pss\QuickBooks 2001 Delivery Agent.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Ray.NOTEBOOK^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\Ray.NOTEBOOK\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\winaw32.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
"c:\\Program Files\\AIM95\\aim.exe"=
"c:\\Program Files\\Corel\\WordPerfect Office 2000\\programs\\pdxwin32.exe"=
"c:\\WINDOWS\\SYSTEM32\\ftp.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"c:\\Program Files\\Corel\\Paradox 9 Runtime\\Programs\\PDXRWN32.exe"=
"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\SAGENT4.EXE"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Documents and Settings\\Ray.NOTEBOOK\\My Documents\\Download\\utorrent\\utorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\SYSTEM32\\java.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Star2Star\\eyeBeam.exe"=
"c:\\Program Files\\Softland\\Backup4all 3\\Backup4all.exe"=
"c:\\WINDOWS\\SYSTEM32\\dpvsetup.exe"=
"c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
"c:\\Documents and Settings\\Ray.NOTEBOOK\\My Documents\\Download\\mute\\MUTE\\fileSharingMUTE.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8600:TCP"= 8600:TCP:null
R1 GhPciScan;GhostPciScanner;c:\program files\Symantec\Norton Ghost 2003\GhPciScan.sys [12/17/2003 4:41 PM 5632]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/14/2009 2:22 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/14/2009 2:22 PM 72944]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\SYSTEM32\SAVRKBootTasks.sys [8/19/2009 1:02 PM 18816]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [7/2/2007 6:16 PM 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\SYSTEM32\DRIVERS\LMIRfsDriver.sys [7/2/2007 6:16 PM 47640]
R2 MapMemP;MapMemP;c:\windows\SYSTEM32\DRIVERS\MapMemP.Sys [4/10/2003 2:55 PM 63080]
R3 Ich;Ich;c:\windows\SYSTEM32\DRIVERS\Ich.sys [12/31/1979 12:00 PM 65916]
S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\SYSTEM32\DRIVERS\hphius09.sys [10/5/2006 7:26 PM 18864]
S3 FCUSB;Freecom Cable II USB Driver;c:\windows\SYSTEM32\DRIVERS\FCUSB.sys [11/29/2001 1:05 PM 13104]
S3 LSWL;Instant Wireless Network PC Card V2.5 Driver;c:\windows\SYSTEM32\DRIVERS\LSWLNDS.sys [9/8/2008 6:26 PM 50688]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3.tmp --> c:\windows\system32\3.tmp [?]
S3 qic157;qic157;c:\windows\SYSTEM32\DRIVERS\qic157.sys [6/9/2002 7:06 AM 6016]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/14/2009 2:22 PM 7408]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [4/17/2005 12:30 PM 124608]
S3 USB-100;Linksys EtherFast 10/100 Compact USB Network Adapter;c:\windows\SYSTEM32\DRIVERS\USB100M.SYS [3/30/2004 4:11 PM 27519]
S3 VisorUsb;Handspring USB;c:\windows\SYSTEM32\DRIVERS\VisorUsb.sys [6/8/2002 6:00 AM 19968]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 Nlaidevrnsa;Nlaidevrnsa; [x]
--- Other Services/Drivers In Memory ---
*Deregistered* - EraserUtilDrv10910
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
netsvcs_0x3
netsvcs_0x4
netsvcs_0x6
.
Contents of the 'Scheduled Tasks' folder
2009-08-23 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-04-25 23:52]
2009-08-23 c:\windows\Tasks\User_Feed_Synchronization-{363F83FD-D289-4B33-B2C8-94C1FF4776C5}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 23:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = actsvr.comcastonline.com
uInternet Settings,ProxyServer = actsvr.comcastonline.com:8100
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-23 11:38
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\3.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1779672970-1582333133-359561344-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3F504ABE-6F11-70AA-47FD-03F802DCA507}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(592)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
- - - - - - - > 'explorer.exe'(1152)
c:\windows\system32\WININET.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
c:\program files\AIM95\idlemon.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2009-08-23 12:00
ComboFix-quarantined-files.txt 2009-08-23 16:00
ComboFix2.txt 2009-08-23 13:10
ComboFix3.txt 2009-08-23 01:46
Pre-Run: 4,762,509,312 bytes free
Post-Run: 4,722,905,088 bytes free
247 --- E O F --- 2009-08-07 03:06
Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.
Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.
Due to the lack of feedback this Topic is closed.
If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than four days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.
Everyone else please begin a New Topic.