soplay
2010-02-07, 23:05
My computer was infected with the 2010 antivirus Friday. After searching around I landed on Bleeping Computer and followed their process to remove 2010. I downloaded Malwarebytes, which removed 2010 (I think), but then the computer started sending mass spam e-mail. I found this site and followed the recommendations in a similar thread (before reading the forum notes!) and downloaded ComboFix and RootRepeal.
I have 5 computers running on a network. Symantec Corporate Edition runs on all computers and server. Only 2 computers + the server were powered on when I got the virus.
Problem: I ran a Symantec Antivirus full scan on one of the other computers that was active when I got the 2010 virus, and Symantec found and quarantined 7 virus files. Other than Symantec finding the virus files, I don't notice unusual behavior from the computer. Is my computer infecting the network? See the HijackThis text files below from the computer infected with the 2010 antivirus:
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 3:32:41 PM, on 2/7/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\3Com_DMI\3CDMINIC.EXE
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ACT\ACT for Windows\Act.Scheduler.UI.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\TurboHddUsb\TurboHddUsb.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Autobahn\autobahn.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Dell\Dell Laser MFP 1815\NetworkScan\DNSCST.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.southernplayground.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 69.25.74.37 MAIL007 #Exchange Hosting 02/07/10 14:09:30
O1 - Hosts: 69.25.75.251 MAIL091 #Exchange Hosting 02/07/10 14:09:30
O1 - Hosts: 69.25.75.251 MAIL091.mail.lan #Exchange Hosting 02/07/10 14:09:30
O1 - Hosts: 69.25.75.245 MAIL005 #Exchange Hosting 02/07/10 14:09:30
O1 - Hosts: 69.25.75.245 MAIL005.mail.lan #Exchange Hosting 02/07/10 14:09:30
O1 - Hosts: 64.95.72.204 BE034 #Exchange Hosting 02/07/10 14:09:30
O1 - Hosts: 64.95.72.204 BE034.mail.lan #Exchange Hosting 02/07/10 14:09:30
O1 - Hosts: 69.25.75.242 MAIL092 #Exchange Hosting 02/07/10 14:09:30
O1 - Hosts: 69.25.75.242 MAIL092.mail.lan #Exchange Hosting 02/07/10 14:09:30
O1 - Hosts: 74.201.97.159 MAILSC009 #Exchange Hosting 02/07/10 14:09:30
O1 - Hosts: 74.201.97.159 MAILSC009.mail.lan #Exchange Hosting 02/07/10 14:09:30
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [ACTSchedulerUI] "C:\Program Files\ACT\ACT for Windows\Act.Scheduler.UI.exe" -Dfalse
O4 - HKLM\..\Run: [Act! Preloader] "C:\Program Files\ACT\ACT for Windows\Act8.exe" -stayrunning
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PeachtreePrefetcher.exe] "C:\PROGRA~1\SAGESO~1\PEACHT~1\PeachtreePrefetcher.exe" /configfile:peachtreeprefetcher.winstart.config
O4 - HKLM\..\Run: [TurboHddUsb] C:\Program Files\TurboHddUsb\TurboHddUsb.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: autobahn.lnk = C:\Program Files\Autobahn\autobahn.exe
O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.buy-internetsecurity10.com
O15 - Trusted Zone: http://*.buy-is2010.com
O15 - Trusted Zone: http://*.is-software-download.com
O15 - Trusted Zone: http://*.is-software-download25.com
O15 - Trusted Zone: http://*.is10-soft-download.com
O15 - Trusted Zone: www.uslechosting.com
O15 - Trusted Zone: http://*.buy-internetsecurity10.com (HKLM)
O15 - Trusted Zone: http://*.buy-is2010.com (HKLM)
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://down.plaxo.com/down/release/PlaxoInstall.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,73/mcinsctl.cab
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://download.sidestep.com/get/k00719/sb028.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173472755439
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD LT 2000i\AcDcToday.ocx
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs7b.instantservice.com/jars/customerxsigned35.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4058/ftp.coupons.com/r3302/Coupons.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD LT 2000i\InstFred.ocx
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) - http://autos.msn.com/components/ocx/autopricer/autopricer.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mci.webex.com/client/v_mywebex-wbs-mciprodins/webex/ieatgpc.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2000i\AcPreview.ocx
O16 - DPF: {F5131C24-E56D-11CF-B78A-444553540000} (Ikonic Menu Control) - https://wc.wachovia.com/Common/cab/ikcntrls.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = splayground.local
O17 - HKLM\Software\..\Telephony: DomainName = splayground.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{47F28EF7-4BA9-4285-A11D-986F6F6E96B9}: NameServer = 192.168.20.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B96AB0E-EA8A-4114-A82D-783CF1E283C8}: NameServer = 192.168.20.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = splayground.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = splayground.local
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: 3Com DMI Agent (3ComDMIService) - 3Com Corporation - C:\WINDOWS\System32\3Com_DMI\3CDMINIC.EXE
O23 - Service: ACT! Scheduler - Sage Software SB, Inc - c:\program files\act\act for windows\act.scheduler.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Pervasive PSQL Workgroup Engine (psqlWGE) - Unknown owner - C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
--
End of file - 15227 bytes
Malwarebytes:
Malwarebytes' Anti-Malware 1.44
Database version: 3691
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
2/6/2010 2:33:39 PM
mbam-log-2010-02-06 (14-33-39).txt
Scan type: Quick Scan
Objects scanned: 164401
Time elapsed: 35 minute(s), 41 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\SYSTEM32\DRIVERS\ktwzpynr.sys (Rootkit.Agent) -> Delete on reboot.
Combofix:
ComboFix 10-02-05.04 - sdubois 02/06/2010 15:57:01.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.395 [GMT -5:00]
Running from: c:\documents and settings\sdubois\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\cpbrkpie.ocx
c:\windows\sv.ini
c:\windows\system32\10277.exe
c:\windows\system32\11400.exe
c:\windows\system32\11478.exe
c:\windows\system32\11886.exe
c:\windows\system32\12542.exe
c:\windows\system32\12709.exe
c:\windows\system32\13574.exe
c:\windows\system32\14825.exe
c:\windows\system32\15131.exe
c:\windows\system32\15310.exe
c:\windows\system32\15724.exe
c:\windows\system32\1655.exe
c:\windows\system32\16621.exe
c:\windows\system32\18467.exe
c:\windows\system32\18480.exe
c:\windows\system32\19169.exe
c:\windows\system32\1933.exe
c:\windows\system32\19527.exe
c:\windows\system32\20660.exe
c:\windows\system32\21229.exe
c:\windows\system32\21546.exe
c:\windows\system32\22027.exe
c:\windows\system32\22494.exe
c:\windows\system32\2431.exe
c:\windows\system32\24464.exe
c:\windows\system32\26219.exe
c:\windows\system32\26500.exe
c:\windows\system32\2659.exe
c:\windows\system32\26962.exe
c:\windows\system32\28145.exe
c:\windows\system32\28395.exe
c:\windows\system32\28686.exe
c:\windows\system32\29358.exe
c:\windows\system32\29568.exe
c:\windows\system32\30060.exe
c:\windows\system32\30301.exe
c:\windows\system32\30408.exe
c:\windows\system32\3072.exe
c:\windows\system32\32179.exe
c:\windows\system32\32350.exe
c:\windows\system32\4252.exe
c:\windows\system32\4461.exe
c:\windows\system32\5382.exe
c:\windows\system32\5705.exe
c:\windows\system32\5939.exe
c:\windows\system32\6334.exe
c:\windows\system32\7296.exe
c:\windows\system32\9168.exe
c:\windows\system32\990.exe
c:\windows\system32\drivers\etc\lmhosts
c:\windows\system32\drivers\ktwzpynr.sys
c:\windows\system32\Thumbs.db
----- BITS: Possible infected sites -----
hxxp://updates.swarmcast.net
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ktwzpynr
-------\Service_ktwzpynr
((((((((((((((((((((((((( Files Created from 2010-01-07 to 2010-02-07 )))))))))))))))))))))))))))))))
.
2010-02-07 17:34 . 2010-02-07 17:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-02-05 19:47 . 2010-02-05 19:47 -------- d-----w- c:\documents and settings\sdubois\Application Data\webex
2010-02-04 23:23 . 2010-02-04 23:23 -------- d-----w- c:\documents and settings\sdubois\Application Data\Malwarebytes
2010-02-04 23:21 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-04 23:19 . 2010-02-04 23:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-04 23:19 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-04 23:19 . 2010-02-04 23:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-04 21:51 . 2010-02-04 21:51 -------- d-sh--w- c:\documents and settings\administrator.SPLAYGROUND\IETldCache
2010-01-23 16:55 . 2010-01-23 16:55 7040 ----a-w- c:\windows\system32\drivers\FNETURPX.SYS
2010-01-23 16:55 . 2010-01-23 16:55 -------- d-----w- c:\documents and settings\All Users\Application Data\FNET
2010-01-23 16:55 . 2010-01-23 16:55 17792 ----a-w- c:\windows\system32\drivers\FNETTBOH.SYS
2010-01-23 16:55 . 2010-01-23 16:55 -------- d-----w- c:\program files\TurboHddUsb
2010-01-13 03:26 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-07 17:39 . 2006-03-23 18:57 1994 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-02-07 17:38 . 2006-03-23 17:14 -------- d-----w- c:\program files\Symantec AntiVirus
2010-02-06 09:00 . 2010-02-07 01:08 259440 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd308c15.vdb\ECMSVR32.DLL
2010-02-04 23:29 . 2010-02-04 23:29 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-02-04 18:11 . 2010-02-04 18:11 24 ----a-w- c:\windows\system32\config\systemprofile\Application Data\anvkgp.dat
2010-02-04 09:00 . 2010-02-07 01:13 259440 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd308806.vdb\ECMSVR32.DLL
2010-01-23 20:33 . 2002-10-01 21:40 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-01-23 08:56 . 2009-12-01 16:12 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-04 20:12 . 2009-11-03 05:14 -------- d-----w- c:\program files\MaxView
2010-01-04 20:12 . 2002-09-03 23:07 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-04 20:11 . 2008-04-02 17:09 -------- d-----w- c:\program files\Citrix
2010-01-04 20:10 . 2003-01-09 21:56 -------- d-----w- c:\program files\GoldMine
2010-01-04 18:53 . 2005-12-30 18:03 -------- d-----w- c:\program files\Stamps.com Internet Postage
2010-01-04 18:51 . 2010-01-04 18:51 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2009-12-21 19:14 . 2004-02-06 22:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-08 00:01 . 2010-02-07 01:13 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd308806.vdb\CCERASER.DLL
2009-12-08 00:01 . 2010-02-07 01:08 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd308c15.vdb\CCERASER.DLL
2009-12-02 18:16 . 2010-02-07 01:13 1324720 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd308806.vdb\NAVEX15.SYS
2009-12-02 18:16 . 2010-02-07 01:08 1324720 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd308c15.vdb\NAVEX15.SYS
2009-12-02 18:15 . 2010-02-07 01:13 84912 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd308806.vdb\NAVENG.SYS
2009-12-02 18:15 . 2010-02-07 01:08 84912 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd308c15.vdb\NAVENG.SYS
2009-11-10 22:48 . 2010-02-07 01:13 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd308806.vdb\NAVEX32A.DLL
2009-11-10 22:48 . 2010-02-07 01:08 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd308c15.vdb\NAVEX32A.DLL
2009-11-10 22:48 . 2010-02-07 01:13 177520 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd308806.vdb\NAVENG32.DLL
2009-11-10 22:48 . 2010-02-07 01:08 177520 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd308c15.vdb\NAVENG32.DLL
2007-03-15 00:03 . 2007-03-15 00:03 7886336 ----a-w- c:\program files\setup.msi
2006-03-23 18:59 . 2006-03-23 18:57 56 --sh--r- c:\windows\SYSTEM32\AA9D9F65B9.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Disc Detector"="c:\program files\Creative\ShareDLL\CtNotify.exe" [1999-08-30 189952]
"ACTSchedulerUI"="c:\program files\ACT\ACT for Windows\Act.Scheduler.UI.exe" [2006-03-26 638976]
"Act! Preloader"="c:\program files\ACT\ACT for Windows\Act8.exe" [2006-02-18 1015808]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 53408]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-06-15 124656]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
"PeachtreePrefetcher.exe"="c:\progra~1\SAGESO~1\PEACHT~1\PeachtreePrefetcher.exe" [2008-10-02 32768]
"TurboHddUsb"="c:\program files\TurboHddUsb\TurboHddUsb.exe" [2010-01-23 3327488]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2005-1-28 25214]
autobahn.lnk - c:\program files\Autobahn\autobahn.exe [2009-1-21 712408]
Printkey2000.lnk - c:\program files\PrintKey2000\Printkey2000.exe [2002-10-7 869376]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
NvQTwk [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TCASUTIEXE]
TCAUDIAG -off [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2008-04-23 06:08 483328 ----a-w- c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2002-04-10 21:44 679936 ------w- c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AHQInit]
2001-03-28 06:00 102400 ------w- c:\program files\Creative\SBLive\Program\AHQINIT.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-17 03:11 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-06-02 15:13 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-05-27 14:50 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 06:00 90112 ------w- c:\windows\Updreg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R1 FNETURPX;FNETURPX;c:\windows\SYSTEM32\DRIVERS\FNETURPX.SYS [1/23/2010 11:55 AM 7040]
R2 3ComDMIService;3Com DMI Agent;c:\windows\SYSTEM32\3COM_DMI\3CDMINIC.EXE [9/3/2002 6:09 PM 114688]
R2 ACT! Scheduler;ACT! Scheduler;c:\program files\ACT\ACT for Windows\Act.Scheduler.exe [3/23/2006 1:41 PM 53248]
R2 BCAITDI;3Com BCAITDI DMI TDI;c:\windows\SYSTEM32\DRIVERS\BCAITDI.SYS [9/3/2002 6:09 PM 19470]
R2 MSSQL$ACT7;MSSQL$ACT7;c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe -sACT7 --> c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe -sACT7 [?]
R2 psqlWGE;Pervasive PSQL Workgroup Engine;c:\program files\Pervasive Software\PSQL\bin\w3dbsmgr.exe [9/5/2007 11:25 AM 455968]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/15/2006 12:40 AM 115952]
R2 tcaicchg;tcaicchg;c:\windows\SYSTEM32\TCAICCHG.SYS [9/3/2002 6:07 PM 21233]
R2 TCAITDI;TCAITDI Protocol;c:\windows\SYSTEM32\DRIVERS\TCAITDI.SYS [9/3/2002 6:07 PM 19534]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/31/2009 7:08 PM 102448]
S3 DW90USB;DW90USB Device;c:\windows\system32\DRIVERS\DW90USB.sys --> c:\windows\system32\DRIVERS\DW90USB.sys [?]
S3 FCUSB;Freecom Cable II USB Driver;c:\windows\SYSTEM32\DRIVERS\FCUSB.sys [11/29/2001 12:05 PM 13104]
S3 FNETTBOH;FNETTBOH;c:\windows\SYSTEM32\DRIVERS\FNETTBOH.SYS [1/23/2010 11:55 AM 17792]
S3 NikeDrv;nike psa[play driver;c:\windows\SYSTEM32\DRIVERS\NIKEDRV.SYS [8/18/2001 7:00 AM 12032]
S3 qic157;qic157;c:\windows\SYSTEM32\DRIVERS\qic157.sys [10/7/2002 9:10 AM 6016]
S3 SQLAgent$ACT7;SQLAgent$ACT7;c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlagent.EXE -i ACT7 --> c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlagent.EXE -i ACT7 [?]
.
Contents of the 'Scheduled Tasks' folder
2010-02-07 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]
2010-02-07 c:\windows\Tasks\User_Feed_Synchronization-{59D156E7-2B75-4099-931D-954E93A84977}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
2010-02-05 c:\windows\Tasks\{16C4FE4D-4FC4-414F-A853-A8D9F99D89AC}_SDUBOIS_sdubois.job
- c:\windows\system32\MOBSYNC.EXE [2001-08-18 00:12]
2010-02-05 c:\windows\Tasks\{39E719AF-9F0A-46E7-80FA-59AB1E08E860}_SDUBOIS_sdubois.job
- c:\windows\system32\MOBSYNC.EXE [2001-08-18 00:12]
2010-02-05 c:\windows\Tasks\{E4922E48-A5DC-41B0-8F25-BE9D5698D4A8}_SDUBOIS_sdubois.job
- c:\windows\system32\MOBSYNC.EXE [2001-08-18 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.southernplayground.com/
uInternet Settings,ProxyOverride = *.local
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
Trusted Zone: is-software-download.com
Trusted Zone: is-software-download25.com
Trusted Zone: is10-soft-download.com
Trusted Zone: uslechosting.com\www
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
TCP: {47F28EF7-4BA9-4285-A11D-986F6F6E96B9} = 192.168.20.5
TCP: {4B96AB0E-EA8A-4114-A82D-783CF1E283C8} = 192.168.20.5
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - hxxp://download.sidestep.com/get/k00719/sb028.cab
DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - hxxp://a19.g.akamai.net/7/19/7125/4058/ftp.coupons.com/r3302/Coupons.cab
.
- - - - ORPHANS REMOVED - - - -
AddRemove-Creative News - c:\program files\Creative\News\CTNews.isu
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-07 12:35
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Disc Detector = c:\program files\Creative\ShareDLL\CtNotify.exe?X???????????????? C?????Disc Detector?B???A???????A?@?????B???@?$?@?? C?????U?@?????????@?B???A???????A???????B???@?????P???$?@?`???????~?B~??????????@???????????????????B???????????????????????????????????B
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(980)
c:\program files\Bonjour\mdnsNSP.dll
- - - - - - - > 'explorer.exe'(3196)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\CTsvcCDA.EXE
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
c:\windows\System32\nvsvc32.exe
c:\program files\Dantz\Retrospect\retrorun.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\System32\MsPMSPSv.exe
c:\windows\system32\fxssvc.exe
c:\windows\system32\devldr32.exe
c:\program files\Creative\ShareDLL\MediaDet.Exe
c:\program files\Microsoft ActiveSync\wcescomm.exe
c:\progra~1\MICROS~3\rapimgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Symantec AntiVirus\DoScan.exe
.
**************************************************************************
.
Completion time: 2010-02-07 12:47:46 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-07 17:47
Pre-Run: 4,182,953,984 bytes free
Post-Run: 5,405,503,488 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
- - End Of File - - 613D8950D15B5DBF24317A5650AC399A
Rootrepeal:
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/02/07 13:55
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================
Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF0ED2000 Size: 98304 File Visible: No Signed: -
Status: -
Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7C9D000 Size: 8192 File Visible: No Signed: -
Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEE714000 Size: 49152 File Visible: No Signed: -
Status: -
Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!
Path: c:\windows\temp\perflib_perfdata_b8.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)
SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x862e3510
#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x86412228
#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x862f2b50
#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x8717aec0
#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x862123e0
#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x862113f0
#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\Program Files\Symantec\SYMEVENT.SYS" at address 0xf141bcc0
#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x86289fb8
#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x862d7390
#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x86b3dcf0
#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x86cb3400
#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x86212418
#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x86289f80
#: 129 Function Name: NtOpenThreadToken
Status: Hooked by "<unknown>" at address 0x86d36558
#: 177 Function Name: NtQueryValueKey
Status: Hooked by "<unknown>" at address 0x8719b108
#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x86de3090
#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x86359e30
#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x862e90b8
#: 229 Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x86286c28
#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\Program Files\Symantec\SYMEVENT.SYS" at address 0xf141bf20
#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x862d7430
#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x862b5b88
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x86b3d308
#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x862baf68
#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x863d7c60
#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x871ae4e8
==EOF==
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
NvQTwk [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TCASUTIEXE]
TCAUDIAG -off [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2008-04-23 06:08 483328 ----a-w- c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2002-04-10 21:44 679936 ------w- c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AHQInit]
2001-03-28 06:00 102400 ------w- c:\program files\Creative\SBLive\Program\AHQINIT.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-17 03:11 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-06-02 15:13 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-05-27 14:50 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 06:00 90112 ------w- c:\windows\Updreg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R1 FNETURPX;FNETURPX;c:\windows\SYSTEM32\DRIVERS\FNETURPX.SYS [1/23/2010 11:55 AM 7040]
R2 3ComDMIService;3Com DMI Agent;c:\windows\SYSTEM32\3COM_DMI\3CDMINIC.EXE [9/3/2002 6:09 PM 114688]
R2 ACT! Scheduler;ACT! Scheduler;c:\program files\ACT\ACT for Windows\Act.Scheduler.exe [3/23/2006 1:41 PM 53248]
R2 BCAITDI;3Com BCAITDI DMI TDI;c:\windows\SYSTEM32\DRIVERS\BCAITDI.SYS [9/3/2002 6:09 PM 19470]
R2 MSSQL$ACT7;MSSQL$ACT7;c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe -sACT7 --> c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe -sACT7 [?]
R2 psqlWGE;Pervasive PSQL Workgroup Engine;c:\program files\Pervasive Software\PSQL\bin\w3dbsmgr.exe [9/5/2007 11:25 AM 455968]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/15/2006 12:40 AM 115952]
R2 tcaicchg;tcaicchg;c:\windows\SYSTEM32\TCAICCHG.SYS [9/3/2002 6:07 PM 21233]
R2 TCAITDI;TCAITDI Protocol;c:\windows\SYSTEM32\DRIVERS\TCAITDI.SYS [9/3/2002 6:07 PM 19534]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/31/2009 7:08 PM 102448]
S3 DW90USB;DW90USB Device;c:\windows\system32\DRIVERS\DW90USB.sys --> c:\windows\system32\DRIVERS\DW90USB.sys [?]
S3 FCUSB;Freecom Cable II USB Driver;c:\windows\SYSTEM32\DRIVERS\FCUSB.sys [11/29/2001 12:05 PM 13104]
S3 FNETTBOH;FNETTBOH;c:\windows\SYSTEM32\DRIVERS\FNETTBOH.SYS [1/23/2010 11:55 AM 17792]
S3 NikeDrv;nike psa[play driver;c:\windows\SYSTEM32\DRIVERS\NIKEDRV.SYS [8/18/2001 7:00 AM 12032]
S3 qic157;qic157;c:\windows\SYSTEM32\DRIVERS\qic157.sys [10/7/2002 9:10 AM 6016]
S3 SQLAgent$ACT7;SQLAgent$ACT7;c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlagent.EXE -i ACT7 --> c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlagent.EXE -i ACT7 [?]
.
Contents of the 'Scheduled Tasks' folder
2010-02-07 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]
2010-02-07 c:\windows\Tasks\User_Feed_Synchronization-{59D156E7-2B75-4099-931D-954E93A84977}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
2010-02-05 c:\windows\Tasks\{16C4FE4D-4FC4-414F-A853-A8D9F99D89AC}_SDUBOIS_sdubois.job
- c:\windows\system32\MOBSYNC.EXE [2001-08-18 00:12]
2010-02-05 c:\windows\Tasks\{39E719AF-9F0A-46E7-80FA-59AB1E08E860}_SDUBOIS_sdubois.job
- c:\windows\system32\MOBSYNC.EXE [2001-08-18 00:12]
2010-02-05 c:\windows\Tasks\{E4922E48-A5DC-41B0-8F25-BE9D5698D4A8}_SDUBOIS_sdubois.job
- c:\windows\system32\MOBSYNC.EXE [2001-08-18 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.southernplayground.com/
uInternet Settings,ProxyOverride = *.local
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
Trusted Zone: is-software-download.com
Trusted Zone: is-software-download25.com
Trusted Zone: is10-soft-download.com
Trusted Zone: uslechosting.com\www
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
TCP: {47F28EF7-4BA9-4285-A11D-986F6F6E96B9} = 192.168.20.5
TCP: {4B96AB0E-EA8A-4114-A82D-783CF1E283C8} = 192.168.20.5
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - hxxp://download.sidestep.com/get/k00719/sb028.cab
DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - hxxp://a19.g.akamai.net/7/19/7125/4058/ftp.coupons.com/r3302/Coupons.cab
.
- - - - ORPHANS REMOVED - - - -
AddRemove-Creative News - c:\program files\Creative\News\CTNews.isu
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-07 12:35
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Disc Detector = c:\program files\Creative\ShareDLL\CtNotify.exe?X???????????????? C?????Disc Detector?B???A???????A?@?????B???@?$?@?? C?????U?@?????????@?B???A???????A???????B???@?????P???$?@?`???????~?B~??????????@???????????????????B???????????????????????????????????B
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(980)
c:\program files\Bonjour\mdnsNSP.dll
- - - - - - - > 'explorer.exe'(3196)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\CTsvcCDA.EXE
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
c:\windows\System32\nvsvc32.exe
c:\program files\Dantz\Retrospect\retrorun.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\System32\MsPMSPSv.exe
c:\windows\system32\fxssvc.exe
c:\windows\system32\devldr32.exe
c:\program files\Creative\ShareDLL\MediaDet.Exe
c:\program files\Microsoft ActiveSync\wcescomm.exe
c:\progra~1\MICROS~3\rapimgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Symantec AntiVirus\DoScan.exe
.
**************************************************************************
.
Completion time: 2010-02-07 12:47:46 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-07 17:47
Pre-Run: 4,182,953,984 bytes free
Post-Run: 5,405,503,488 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
- - End Of File - - 613D8950D15B5DBF24317A5650AC399A
Rootrepeal:
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/02/07 13:55
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================
Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF0ED2000 Size: 98304 File Visible: No Signed: -
Status: -
Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7C9D000 Size: 8192 File Visible: No Signed: -
Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEE714000 Size: 49152 File Visible: No Signed: -
Status: -
Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!
Path: c:\windows\temp\perflib_perfdata_b8.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)
SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x862e3510
#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x86412228
#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x862f2b50
#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x8717aec0
#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x862123e0
#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x862113f0
#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\Program Files\Symantec\SYMEVENT.SYS" at address 0xf141bcc0
#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x86289fb8
#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x862d7390
#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x86b3dcf0
#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x86cb3400
#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x86212418
#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x86289f80
#: 129 Function Name: NtOpenThreadToken
Status: Hooked by "<unknown>" at address 0x86d36558
#: 177 Function Name: NtQueryValueKey
Status: Hooked by "<unknown>" at address 0x8719b108
#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x86de3090
#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x86359e30
#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x862e90b8
#: 229 Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x86286c28
#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\Program Files\Symantec\SYMEVENT.SYS" at address 0xf141bf20
#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x862d7430
#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x862b5b88
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x86b3d308
#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x862baf68
#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x863d7c60
#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x871ae4e8
==EOF==