Ack. I'm infected - 4DW4R3 virus



jw,chicago
2010-03-03, 19:53
It looks like my computer was feeling left out and went ahead and contracted the 4DW4R3 virus. Yeah. Let the fun begin...

JK. Please help...

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 12:51:21 PM, on 3/3/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\WinSys.exe
C:\WINDOWS\SOUNDMAN.EXE
G:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/id/3036677/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [WinSys] C:\WINDOWS\system32\WinSys.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "G:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - file:///D:/Program%20Files/xnews/downloads/Guitar/Riff%20Interactive%20-%2060S%20Funk%20Soul/setup/RiffLick.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144799573187
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15026/CTPID.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 12044 bytes

Blade81
2010-03-07, 12:21
Hi,

Download DDS and save it to your desktop from here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt

Save both reports to your desktop. Post them back to your topic.


Download GMER (http://www.gmer.net) here by clicking the "download exe" button and then saving it to your desktop:
Double-click the .exe that you downloaded.
Click the Rootkit tab and then Scan.
Don't check the "Show All" box while scanning is in progress!
When scanning is ready, click Copy.
This copies the log to the clipboard.
Post the log (if the log is long, archive it into a zip file and attach it instead of posting) in your reply.

jw,chicago
2010-03-08, 00:24
Thank you for your help, Blade. We really do appreciate it.


Attached are three files: attach.zip, dds.zip and GMER.zip.


Here is the GMER report:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-07 16:54:37
Windows 5.1.2600 Service Pack 3
Running: 2zm21i4j.exe; Driver: C:\DOCUME~1\john\LOCALS~1\Temp\awtdqpod.sys


---- System - GMER 1.0.15 ----

Code B9151EB5 ZwCallbackReturn
Code B9151979 ZwEnumerateKey
Code B915196F ZwSaveKey
Code B9151974 ZwSaveKeyEx
Code B9151BD2 IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCompleteRequest 804EE1C0 5 Bytes JMP B9151BD7
.text ntkrnlpa.exe!ZwCallbackReturn 804FF838 5 Bytes JMP B9151EB9
PAGE ntkrnlpa.exe!ZwEnumerateKey 8061AB76 5 Bytes JMP B915197D
PAGE ntkrnlpa.exe!ZwSaveKey 8061BDEA 5 Bytes JMP B9151973
PAGE ntkrnlpa.exe!ZwSaveKeyEx 8061BED0 5 Bytes JMP B9151978
.rsrc C:\WINDOWS\system32\drivers\nvata.sys entry point in ".rsrc" section [0xBA708E94]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB8752360, 0x32DEFD, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[2496] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10002FD0
.text C:\WINDOWS\Explorer.EXE[2496] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 10002F3D
.text C:\WINDOWS\Explorer.EXE[2496] WS2_32.dll!recv 71AB676F 5 Bytes JMP 10002FB0
.text C:\WINDOWS\Explorer.EXE[2496] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10002F7E
.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[3096] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes JMP 0056DBBD C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe (Windows Live Messenger/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\nvata \Device\00000076 8A85A90A
Device \Driver\nvata \Device\00000076 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\USBSTOR \Device\00000082 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\nvata \Device\00000077 8A85A90A
Device \Driver\nvata \Device\00000077 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\USBSTOR \Device\00000083 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\USBSTOR \Device\00000084 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\nvata \Device\00000078 8A85A90A
Device \Driver\nvata \Device\00000078 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\USBSTOR \Device\00000085 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\nvata \Device\NvAta0 8A85A90A
Device \Driver\nvata \Device\NvAta0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\nvata \Device\NvAta1 8A85A90A
Device \Driver\nvata \Device\NvAta1 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\Si3114r5 \Device\Scsi\Si3114r51Port2Path3Target1fLun0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\Si3114r5 \Device\Scsi\Si3114r51 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\Si3114r5 \Device\Scsi\Si3114r51Port2Path0Target0Lun0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\4DW4R3YwXHrXILKV.sys (*** hidden *** ) [SYSTEM] 4DW4R3 <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\000272c1f699 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\000272c1f699@00149a18152a 0x55 0x47 0xB4 0x40 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3
Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3@imagepath \systemroot\system32\drivers\4DW4R3YwXHrXILKV.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3\connections
Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3\connections@5bf3bc6c
Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3\injector@* 4DW4R3c
Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3\modules@4DW4R3 \\?\globalroot\systemroot\system32\drivers\4DW4R3YwXHrXILKV.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3\modules@4DW4R3c \\?\globalroot\systemroot\system32\4DW4R3MgpMGemqGQ.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000272c1f699
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000272c1f699@0019c0e65fc0 0x42 0x31 0x14 0x93 ...
Reg HKLM\SYSTEM\ControlSet004\Services\4DW4R3 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\4DW4R3@start 1
Reg HKLM\SYSTEM\ControlSet004\Services\4DW4R3@type 1
Reg HKLM\SYSTEM\ControlSet004\Services\4DW4R3@group file system
Reg HKLM\SYSTEM\ControlSet004\Services\4DW4R3@imagepath \systemroot\system32\drivers\4DW4R3YwXHrXILKV.sys
Reg HKLM\SYSTEM\ControlSet004\Services\4DW4R3\connections (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\4DW4R3\connections@5bf3bc6c
Reg HKLM\SYSTEM\ControlSet004\Services\4DW4R3\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\4DW4R3\injector@* 4DW4R3c
Reg HKLM\SYSTEM\ControlSet004\Services\4DW4R3\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\4DW4R3\modules@4DW4R3 \\?\globalroot\systemroot\system32\drivers\4DW4R3YwXHrXILKV.sys
Reg HKLM\SYSTEM\ControlSet004\Services\4DW4R3\modules@4DW4R3c \\?\globalroot\systemroot\system32\4DW4R3MgpMGemqGQ.dll
Reg HKLM\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\000272c1f699 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\000272c1f699@0019c0e65fc0 0x42 0x31 0x14 0x93 ...

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\4DW4R3c.dll 28160 bytes executable
File C:\WINDOWS\system32\4DW4R3FaYXrQYcme.dll 28160 bytes executable
File C:\WINDOWS\system32\4DW4R3iurLGmkwTv.dll 28160 bytes executable
File C:\WINDOWS\system32\4DW4R3mFQdpiRTmq.dll 28160 bytes executable
File C:\WINDOWS\system32\4DW4R3MgpMGemqGQ.dll 28160 bytes executable
File C:\WINDOWS\system32\4DW4R3sv.dat 53 bytes
File C:\WINDOWS\system32\4DW4R3tIXdRtQIIK.dll 28160 bytes executable
File C:\WINDOWS\system32\drivers\4DW4R3.sys 46592 bytes executable
File C:\WINDOWS\system32\drivers\4DW4R3BrNexObrmy.sys 46592 bytes executable
File C:\WINDOWS\system32\drivers\4DW4R3BXyBchNoxg.sys 46592 bytes executable
File C:\WINDOWS\system32\drivers\4DW4R3EnUHoQlgpb.sys 46592 bytes executable
File C:\WINDOWS\system32\drivers\4DW4R3QRiaLfbekn.sys 46592 bytes executable
File C:\WINDOWS\system32\drivers\4DW4R3tHqlWBRwIX.sys 46592 bytes executable
File C:\WINDOWS\system32\drivers\4DW4R3vREbTVvLdj.sys 46592 bytes executable
File C:\WINDOWS\system32\drivers\4DW4R3YwXHrXILKV.sys 46592 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\4DW4R3tJMiatoNHY.dll 28160 bytes executable
File C:\WINDOWS\system32\4DW4R3UXJQpygTJk.dll 28160 bytes executable
File C:\WINDOWS\Temp\4DW4R3bc6a 53 bytes
File C:\WINDOWS\system32\drivers\nvata.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Blade81
2010-03-08, 15:26
Hi,

Please post next logs in your reply (paste contents in) instead of attachments.

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:


Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html).
Remember to re-enable them afterwards.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

jw,chicago
2010-03-08, 20:50
Here is ComboFix. I'll post the dds log in a sec.
Thanks again.


ComboFix 10-03-08.01 - john 03/08/2010 13:31:47.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1501 [GMT -6:00]
Running from: c:\documents and settings\john\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common Files\Real\WeatherBug\MiniBugTransporter.dll
c:\windows\system32\4DW4R3c.dll
c:\windows\system32\4DW4R3FaYXrQYcme.dll
c:\windows\system32\4DW4R3iQsvehngjX.dll
c:\windows\system32\4DW4R3iurLGmkwTv.dll
c:\windows\system32\4DW4R3mFQdpiRTmq.dll
c:\windows\system32\4DW4R3MgpMGemqGQ.dll
c:\windows\system32\4DW4R3nBowypJVhe.dll
c:\windows\system32\4DW4R3PJCwTSKFBd.dll
c:\windows\system32\4DW4R3sv.dat
c:\windows\system32\4DW4R3tIXdRtQIIK.dll
c:\windows\system32\4DW4R3tJMiatoNHY.dll
c:\windows\system32\4DW4R3UXJQpygTJk.dll
c:\windows\system32\4DW4R3XPKWfdoXHF.dll
c:\windows\system32\drivers\4DW4R3.sys
c:\windows\system32\drivers\4DW4R3BrNexObrmy.sys
c:\windows\system32\drivers\4DW4R3BXyBchNoxg.sys
c:\windows\system32\drivers\4DW4R3EFPTMqvsdS.sys
c:\windows\system32\drivers\4DW4R3EnUHoQlgpb.sys
c:\windows\system32\drivers\4DW4R3QRiaLfbekn.sys
c:\windows\system32\drivers\4DW4R3rPRKYMkUiq.sys
c:\windows\system32\drivers\4DW4R3tHqlWBRwIX.sys
c:\windows\system32\drivers\4DW4R3uLAncElNKo.sys
c:\windows\system32\drivers\4DW4R3vREbTVvLdj.sys
c:\windows\system32\drivers\4DW4R3wTKYkaDboH.sys
c:\windows\system32\drivers\4DW4R3YwXHrXILKV.sys
c:\windows\system32\Ijl11.dll
c:\windows\system32\lowsec
c:\windows\system32\sdra64.exe
c:\windows\system32\twain_32.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_4DW4R3
-------\Legacy_4DW4R3


((((((((((((((((((((((((( Files Created from 2010-02-08 to 2010-03-08 )))))))))))))))))))))))))))))))
.

2010-03-08 19:39 . 2010-03-08 19:39 203938 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP0.exe
2010-03-08 19:39 . 2010-03-08 19:39 48810 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP0.sys
2010-03-08 19:39 . 2010-03-08 19:39 30380 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP9.dll
2010-03-08 19:39 . 2010-03-08 19:39 30380 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP8.dll
2010-03-08 19:39 . 2010-03-08 19:39 30380 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP7.dll
2010-03-08 19:39 . 2010-03-08 19:39 30380 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP6.dll
2010-03-08 19:39 . 2010-03-08 19:39 30380 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP5.dll
2010-03-08 19:39 . 2010-03-08 19:39 30380 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP4.dll
2010-03-08 19:39 . 2010-03-08 19:39 30380 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP3.dll
2010-03-08 19:39 . 2010-03-08 19:39 30380 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP2.dll
2010-03-08 19:39 . 2010-03-08 19:39 30380 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP1.dll
2010-03-08 19:39 . 2010-03-08 19:39 30380 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP0.dll
2010-03-03 17:48 . 2010-03-03 17:48 388096 ----a-r- c:\documents and settings\john\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-03-03 17:48 . 2010-03-03 17:48 -------- d-----w- c:\program files\Trend Micro
2010-03-03 17:47 . 2010-03-03 17:47 -------- d-----w- c:\program files\ERUNT
2010-02-25 18:51 . 2010-02-26 01:27 -------- d-----w- c:\documents and settings\john\Local Settings\Application Data\My Games
2010-02-25 18:38 . 2010-02-25 18:38 -------- d-----w- c:\program files\2K Games
2010-02-25 18:38 . 2007-06-21 02:46 266088 ----a-w- c:\windows\system32\xactengine2_8.dll
2010-02-25 18:38 . 2007-06-21 02:45 18280 ----a-w- c:\windows\system32\x3daudio1_2.dll
2010-02-25 18:38 . 2007-05-16 22:45 443752 ----a-w- c:\windows\system32\d3dx10_34.dll
2010-02-25 18:38 . 2007-05-16 22:45 3497832 ----a-w- c:\windows\system32\d3dx9_34.dll
2010-02-25 18:38 . 2007-05-16 22:45 1124720 ----a-w- c:\windows\system32\D3DCompiler_34.dll
2010-02-25 18:38 . 2007-04-05 00:53 81768 ----a-w- c:\windows\system32\xinput1_3.dll
2010-02-25 17:45 . 2010-02-25 17:45 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-08 19:31 . 2005-11-25 01:02 -------- d-----w- c:\program files\Symantec AntiVirus
2010-03-08 04:13 . 2009-11-13 23:05 -------- d-----w- c:\documents and settings\john\Application Data\vlc
2010-03-03 19:58 . 2005-11-29 01:23 -------- d-----w- c:\program files\Ahead
2010-03-03 19:56 . 2006-10-26 14:01 -------- d-----w- c:\program files\AvantGo
2010-03-03 19:50 . 2006-09-12 00:07 -------- d-----w- c:\documents and settings\john\Application Data\BitTorrent
2010-03-03 14:29 . 2009-02-20 21:32 -------- d-----w- c:\program files\Video Thumbnails Maker
2010-02-25 18:54 . 2005-11-25 01:20 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-23 17:58 . 2006-09-11 02:38 -------- d-----w- c:\documents and settings\john\Application Data\dvdcss
2010-01-10 02:14 . 2009-11-14 00:38 -------- d-----w- c:\documents and settings\john\Application Data\Any Video Converter
2009-12-31 16:50 . 2004-08-04 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2005-11-25 00:39 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-04 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2006-05-03 10:06 . 2009-02-23 21:12 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 11:47 . 2009-02-23 21:12 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 13:30 . 2009-02-23 21:12 216064 --sh--r- c:\windows\system32\nbDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"SoundMan"="SOUNDMAN.EXE" [2005-06-21 77824]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2006-10-13 277296]
"Acrobat Assistant 8.0"="g:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]
"nwiz"="nwiz.exe" [2008-09-18 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 86016]
"QuickTime Task"="c:\program files\QuickTime Alternative\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\documents and settings\john\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-7-13 565309]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 20:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"SavRoam"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"PnkBstrB"=2 (0x2)
"PnkBstrA"=2 (0x2)
"mnmsrvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Civilization4.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Beyond the Sword\\Civ4BeyondSword.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [1/29/2008 2:56 PM 18176]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [1/29/2008 2:56 PM 7680]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys --> c:\windows\system32\DRIVERS\motodrv.sys [?]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [1/29/2008 2:56 PM 23680]
S3 PPJoyBus;Parallel Port Joystick Bus device driver;c:\windows\system32\drivers\PPJoyBus.sys [1/23/2004 3:33 PM 13952]
S3 PPortJoystick;Parallel Port Joystick device driver;c:\windows\system32\drivers\PPortJoy.sys [1/23/2004 3:32 PM 28800]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]
S4 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/23/2005 7:27 PM 124608]

--- Other Services/Drivers In Memory ---

*Deregistered* - EraserUtilDrvI9
*Deregistered* - EraserUtilRebootDrv
.
Contents of the 'Scheduled Tasks' folder

2010-03-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} - file:///D:/Program%20Files/xnews/downloads/Guitar/Riff%20Interactive%20-%2060S%20Funk%20Soul/setup/RiffLick.cab
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-NapsterShell - c:\program files\Napster\napster.exe
MSConfigStartUp-WatchDog - c:\program files\mobile PhoneTools\WatchDog.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-08 13:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-03-08 13:44:06
ComboFix-quarantined-files.txt 2010-03-08 19:43

Pre-Run: 30,670,204,928 bytes free
Post-Run: 30,639,394,816 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 5B629181895E9B3BD864FB3B509E46E2

jw,chicago
2010-03-08, 20:52
Here is the dds log:


DDS (Ver_09-12-01.01) - NTFSx86
Run by john at 13:51:07.40 on Mon 03/08/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1360 [GMT -6:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\john\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [Acrobat Assistant 8.0] "g:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime alternative\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\john\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bttray.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
IE: Append to existing PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - hxxp://www.creative.com/su/ocx/15026/CTSUEng.cab
DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} - file:///D:/Program%20Files/xnews/downloads/Guitar/Riff%20Interactive%20-%2060S%20Funk%20Soul/setup/RiffLick.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144799573187
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?39011.4312615741
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/su/ocx/15026/CTPID.cab
Handler: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - c:\windows\system32\BTXPPanel.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-2-4 324232]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-2-4 53896]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-6-2 185968]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-6-2 161392]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-6-23 1715904]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100307.007\naveng.sys [2010-3-8 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100307.007\navex15.sys [2010-3-8 1324720]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-6-2 83568]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-1-29 18176]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-1-29 7680]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys --> c:\windows\system32\drivers\motodrv.sys [?]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2008-1-29 23680]
S3 PPJoyBus;Parallel Port Joystick Bus device driver;c:\windows\system32\drivers\PPJoyBus.sys [2004-1-23 13952]
S3 PPortJoystick;Parallel Port Joystick device driver;c:\windows\system32\drivers\PPortJoy.sys [2004-1-23 28800]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]
S4 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-6-23 124608]

=============== Created Last 30 ================

2010-03-08 19:16:12 0 d-sha-r- C:\cmdcons
2010-03-08 19:15:41 98816 ----a-w- c:\windows\sed.exe
2010-03-08 19:15:41 77312 ----a-w- c:\windows\MBR.exe
2010-03-08 19:15:41 261632 ----a-w- c:\windows\PEV.exe
2010-03-08 19:15:41 161792 ----a-w- c:\windows\SWREG.exe
2010-03-03 17:48:56 0 d-----w- c:\program files\Trend Micro
2010-02-25 18:38:02 0 d-----w- c:\program files\2K Games
2010-02-25 18:38:01 443752 ----a-w- c:\windows\system32\d3dx10_34.dll
2010-02-25 18:38:01 3497832 ----a-w- c:\windows\system32\d3dx9_34.dll
2010-02-25 18:38:01 266088 ----a-w- c:\windows\system32\xactengine2_8.dll
2010-02-25 18:38:01 18280 ----a-w- c:\windows\system32\x3daudio1_2.dll
2010-02-25 18:38:01 1124720 ----a-w- c:\windows\system32\D3DCompiler_34.dll
2010-02-25 18:38:00 81768 ----a-w- c:\windows\system32\xinput1_3.dll

==================== Find3M ====================

2009-12-21 19:14:05 916480 ------w- c:\windows\system32\wininet.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2006-05-03 10:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 11:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 13:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll
2008-08-25 18:12:09 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082520080826\index.dat

============= FINISH: 13:51:23.37 ===============

jw,chicago
2010-03-08, 20:53
Here is the dds attach file:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 11/24/2005 6:44:23 PM
System Uptime: 3/8/2010 1:29:51 PM (0 hours ago)

Motherboard: ASUSTeK Computer INC. | | A8N-SLI Premium
Processor: AMD Athlon(tm) 64 Processor 4000+ | Socket 939 | 2412/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 112 GiB total, 28.572 GiB free.
E: is CDROM ()
F: is CDROM ()
G: is FIXED (NTFS) - 373 GiB total, 24.453 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: NVIDIA nForce Networking Controller
Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0057\4&1F09082D&0&01
Manufacturer: NVIDIA
Name: NVIDIA nForce Networking Controller
PNP Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0057\4&1F09082D&0&01
Service: NVENETFD

==== System Restore Points ===================

RP885: 12/20/2009 4:55:41 PM - Software Distribution Service 3.0
RP886: 1/7/2010 8:57:30 AM - Software Distribution Service 3.0
RP887: 1/8/2010 11:39:37 AM - System Checkpoint
RP888: 1/9/2010 8:36:13 PM - System Checkpoint
RP889: 1/11/2010 5:41:49 PM - System Checkpoint
RP890: 1/12/2010 6:21:33 PM - System Checkpoint
RP891: 1/13/2010 9:13:33 PM - System Checkpoint
RP892: 1/13/2010 9:54:10 PM - Software Distribution Service 3.0
RP893: 1/15/2010 11:06:54 AM - System Checkpoint
RP894: 1/19/2010 11:03:09 AM - System Checkpoint
RP895: 1/21/2010 12:21:02 PM - System Checkpoint
RP896: 1/22/2010 6:10:50 PM - System Checkpoint
RP897: 1/22/2010 11:23:20 PM - Software Distribution Service 3.0
RP898: 1/24/2010 1:31:24 PM - System Checkpoint
RP899: 1/25/2010 2:36:36 PM - System Checkpoint
RP900: 1/26/2010 6:56:14 PM - System Checkpoint
RP901: 1/27/2010 7:11:41 PM - System Checkpoint
RP902: 1/29/2010 3:50:39 PM - System Checkpoint
RP903: 1/30/2010 4:00:36 PM - System Checkpoint
RP904: 2/1/2010 9:31:31 PM - System Checkpoint
RP905: 2/3/2010 9:02:53 PM - System Checkpoint
RP906: 2/6/2010 7:34:57 PM - System Checkpoint
RP907: 2/7/2010 8:44:45 PM - System Checkpoint
RP908: 2/8/2010 8:48:39 PM - System Checkpoint
RP909: 2/10/2010 12:53:23 PM - Software Distribution Service 3.0
RP910: 2/12/2010 3:51:52 PM - System Checkpoint
RP911: 2/13/2010 5:37:21 PM - System Checkpoint
RP912: 2/14/2010 7:59:34 PM - System Checkpoint
RP913: 2/16/2010 5:17:17 PM - System Checkpoint
RP914: 2/17/2010 5:38:10 PM - System Checkpoint
RP915: 2/18/2010 6:07:29 PM - System Checkpoint
RP916: 2/20/2010 4:37:47 PM - System Checkpoint
RP917: 2/22/2010 8:22:01 AM - System Checkpoint
RP918: 2/23/2010 8:34:14 AM - System Checkpoint
RP919: 2/23/2010 1:47:35 PM - Software Distribution Service 3.0
RP920: 3/3/2010 1:58:11 PM - System Checkpoint
RP921: 3/8/2010 1:31:30 PM - ComboFix created restore point

==== Installed Programs ======================

Acrobat.com
Add or Remove Adobe Creative Suite 3 Design Premium
Adobe Acrobat 8 Professional
Adobe Acrobat 8.1.6 - CPSID_49167
Adobe Acrobat 8.1.6 Professional
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe AIR
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe BridgeTalk Plugin CS3
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Creative Suite 3 Design Premium
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Dreamweaver CS3
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Flash CS3
Adobe Flash Player 10 ActiveX
Adobe Flash Player 9 Plugin
Adobe Flash Video Encoder
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Illustrator CS3
Adobe InDesign CS3
Adobe InDesign CS3 Icon Handler
Adobe Linguistics CS3
Adobe MotionPicture Color Files
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Reader 9.3
Adobe Setup
Adobe SING CS3
Adobe Stock Photos 1.0
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe Version Cue CS3 Server {ko_KR}
Adobe WAS CS3
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
AHV content for Acrobat and Flash
Alias DirectConnect 2.0
Any Video Converter 2.7.9
Apple Mobile Device Support
Apple Software Update
Avanquest update
AviSynth 2.5
Battlefield
Battlefield 2142
Bonjour
BT headset fix
BufferChm
Call of Duty(R) 2
Call of Duty(R) 2 Mod Tools
Call of Duty(R) 2 Patch 1.2
Call of Duty(R) 2 Patch 1.3
Canon S600
Combined Community Codec Pack 2008-09-21 16:18
Compatibility Pack for the 2007 Office system
CorePLS_Min_QFolder
Creative Mass Storage Drivers
Critical Update for Windows Media Player 11 (KB959772)
CustomerResearchQFolder
Data Lifeguard Tools
Destinations
DeviceManagementQFolder
DivXLand Media Subtitler
DVD Shrink 3.2
EA Link
ERUNT 1.1j
eSupportQFolder
Far Cry (Patch 1)
Far Cry (Patch 1.3)
Far Cry (Patch 1.31)
Far Cry (Patch 1.33)
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
HP Color LaserJet 2605 Series 1.0
HP Extended Capabilities 6.0
HP Imaging Device Functions 6.0
HP Software Update
HP Solution Center and Imaging Support Tools 6.0
hppFonts
hppIOFiles
hppManuals2605
HPProductAssistant
hppWebRegMM
IsoBuster 2.0
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) SE Runtime Environment 6 Update 1
LiveUpdate 2.6 (Symantec Corporation)
MarketResearch
Mega Manager
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft ActiveSync 4.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft LifeCam
Microsoft National Language Support Downlevel APIs
Microsoft Office Converter Pack
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Motorola Driver Installation 3.4.0
Motorola Phone Tools
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
Nero 7
neroxml
NVIDIA Drivers
NVIDIA nTune
Odyssey Access Client for Windows Mobile
OGA Notifier 2.0.0048.0
OLYMPUS Master 2
OSP for Quake3 1.03
PDF Settings
Product_SF_Min_QFolder
Quake 4(TM)
Quake 4(TM) 1.3 Patch
QuickPar 0.9
QuickTime
QuickTime Alternative 1.81
RealPlayer
Realtek AC'97 Audio
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
Sid Meier's Civilization 4 Complete
SolutionCenter
Spybot - Search & Destroy
SUPER © Version 2009.bld.35 (Jan 5, 2009)
Symantec AntiVirus
TeamSpeak 2 RC2
Tweak UI
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB969497)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Video Thumbnails Maker by Scorp (remove only)
VLC media player 1.0.3
WebFldrs XP
WebReg
WIDCOMM Bluetooth Software
Winamp
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Player 10 Hotfix - KB894476
Windows Media Player 11
Windows XP Creativity Fun Packs - Windows Movie Maker 2
Windows XP Service Pack 3
WinRAR archiver
Xilisoft Video Converter Ultimate
XviD MPEG4 Video Codec (remove only)

==== Event Viewer Messages From Past Week ========

3/8/2010 1:20:34 PM, error: Service Control Manager [7034] - The FLEXnet Licensing Service service terminated unexpectedly. It has done this 1 time(s).
3/7/2010 5:04:42 PM, error: Service Control Manager [7034] - The Terminal Services service terminated unexpectedly. It has done this 1 time(s).
3/7/2010 5:04:42 PM, error: Service Control Manager [7031] - The DCOM Server Process Launcher service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
3/7/2010 4:59:24 PM, error: Service Control Manager [7034] - The TCP/IP NetBIOS Helper service terminated unexpectedly. It has done this 1 time(s).
3/7/2010 4:59:24 PM, error: Service Control Manager [7034] - The SSDP Discovery Service service terminated unexpectedly. It has done this 1 time(s).
3/7/2010 4:59:24 PM, error: Service Control Manager [7031] - The Remote Registry service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
3/7/2010 4:36:29 PM, error: Srv [2019] - The server was unable to allocate from the system nonpaged pool because the pool was empty.
3/5/2010 7:05:57 AM, error: Service Control Manager [7024] - The Symantec SPBBCSvc service terminated with service-specific error 4294967295 (0xFFFFFFFF).
3/4/2010 8:50:24 PM, error: SRService [104] - The System Restore initialization process failed.
3/4/2010 8:50:24 PM, error: Service Control Manager [7023] - The System Restore Service service terminated with the following error: A device attached to the system is not functioning.

==== End Of File ===========================

Blade81
2010-03-08, 22:29
Hi again,

Signs of the Zbot information stealer were found there. You should change all your online passwords to new ones.


Do you use Adobe Acrobat for other duties than pdf conversions?


Open notepad and copy/paste the text in the quotebox below into it:



Folder::
c:\documents and settings\john\Application Data\BitTorrent
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000000
DDS::
BHO: {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - No File



Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Get the update 9.3.1 for Adobe Reader here (http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm). Make sure you don't install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here (http://pdfreaders.org/).


Uninstall vulnerable Flash versions by following the instructions here (http://kb2.adobe.com/cps/141/tn_14157.html). A fresh version can be obtained here (http://get.adobe.com/flashplayer/).


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove the older Java components and update to the latest version...

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6 Update 18 (http://java.sun.com/javase/downloads/index.jsp).
Click the Download button to the right.
Select Windows in the platform combobox and check the box that says Accept License Agreement. Click Continue.

The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u18-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.



Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).


Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.
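
When the Kaspersky report requested above comes back after a ComboFix run, most of its hits are usually copies that are already out of play: files ComboFix moved into C:\Qoobox\Quarantine, the antivirus product's own quarantine, and System Restore point snapshots. The detections that still matter are the ones pointing at live files, above all anything under C:\WINDOWS\system32\drivers, since a patched or dropped driver is what keeps a rootkit alive across reboots. The script below is an added triage example for this thread, not one of the tools Blade81 references and not code from the original post. It parses the "path Infected: threat count" lines that Kaspersky Online Scanner 7 produces and sorts them by where each detection lives. The bucket names and the sample report lines are constructed for the example, modelled on the scanner's output format.

```python
"""Triage a Kaspersky Online Scanner 7 report: separate live infections from
quarantine and restore-point copies.  Added example for this thread; the
SAMPLE_REPORT lines are constructed, modelled on the scanner's output format."""
import re
from collections import Counter, defaultdict

# Each detection line has the shape: "<path> Infected: <threat> <count>".
# Paths contain spaces, so the path group is non-greedy and anchored by "Infected:".
DETECTION_RE = re.compile(
    r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$"
)

# Location rules, checked in order; the first match wins.  Bucket names are
# this example's own labels, not scanner terminology.
LOCATION_RULES = (
    ("combofix_quarantine", re.compile(r"\\qoobox\\quarantine\\", re.I)),
    ("restore_point",       re.compile(r"\\system volume information\\_restore", re.I)),
    ("av_quarantine",       re.compile(r"\\quarantine\\", re.I)),
    ("java_cache",          re.compile(r"\\java\\deployment\\cache\\", re.I)),
    ("live_driver",         re.compile(r"\\windows\\system32\\drivers\\", re.I)),
)


def classify(path, threat):
    """Return the triage bucket for one detection."""
    for bucket, pattern in LOCATION_RULES:
        if pattern.search(path):
            return bucket
    # Kaspersky prefixes riskware/tools with "not-a-virus:"; keep them apart
    # from real live infections so they do not drown out the important hits.
    if threat.lower().startswith("not-a-virus:"):
        return "riskware"
    return "live_file"


def parse_report(text):
    """Yield (path, threat, count) for every detection line in the report."""
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            yield m.group("path"), m.group("threat"), int(m.group("count"))


def triage(text):
    """Group detections by bucket: {bucket: [(path, threat), ...]}."""
    buckets = defaultdict(list)
    for path, threat, _count in parse_report(text):
        buckets[classify(path, threat)].append((path, threat))
    return dict(buckets)


def needs_action(text):
    """Detections still active on the system, most urgent first: live drivers,
    then other live files, then Java cache entries (cleared by emptying the cache).
    Quarantine and restore-point copies are excluded; they are handled by purging
    the quarantine folders and restore points, not by per-file cleanup."""
    b = triage(text)
    return b.get("live_driver", []) + b.get("live_file", []) + b.get("java_cache", [])


def threat_families(text):
    """Count detections per threat name; restore-point copies usually dominate."""
    return Counter(threat for _path, threat, _count in parse_report(text))


# Constructed sample, modelled on the report format seen in this thread.
SAMPLE_REPORT = """\
File name Threat Threats count
C:\\Documents and Settings\\All Users\\Application Data\\Symantec\\Quarantine\\02200000.VBN Infected: Exploit.HTML.Mht 1
C:\\Documents and Settings\\john\\Application Data\\Sun\\Java\\Deployment\\cache\\6.0\\31\\3f4316df-2ef6e416 Infected: Trojan-Downloader.Java.Agent.aj 1
C:\\Documents and Settings\\john\\Desktop\\Phone\\kf141.zip Infected: not-a-virus:PSWTool.Win32.RAS.a 2
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\drivers\\4DW4R3.sys.vir Infected: Rootkit.Win32.Agent.aibm 1
C:\\System Volume Information\\_restore{DA72D12F-5FF8-4B33-BC42-B81F62DFB65D}\\RP920\\A0170021.sys Infected: Rootkit.Win32.Agent.aibm 1
C:\\System Volume Information\\_restore{DA72D12F-5FF8-4B33-BC42-B81F62DFB65D}\\RP921\\A0170059.dll Infected: Rootkit.Win32.Agent.bctc 1
C:\\WINDOWS\\system32\\drivers\\nvata.sys Infected: Rootkit.Win32.Tdss.ai 1
Selected area has been scanned.
"""

if __name__ == "__main__":
    for bucket, hits in sorted(triage(SAMPLE_REPORT).items()):
        print(f"{bucket}: {len(hits)}")
    for path, threat in needs_action(SAMPLE_REPORT):
        print("ACTION:", threat, path)
```

Run against the constructed sample, the only entries that need action are the live driver detection and the Java cache entry; everything else is a quarantined or restore-point copy. A live hit on a driver under system32\drivers deserves special care: if the scanner names a legitimate driver (the disk controller driver, for instance), it has most likely been patched in place, and simply deleting it can leave the machine unbootable. The clean file has to be restored from installation media or an uninfected copy instead.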

jw,chicago
2010-03-08, 23:27
Yes, we do use the entire Adobe Suite, which includes Acrobat. I can always reinstall it though if I have to.

Here is the ComboFix run number two...

ComboFix 10-03-08.01 - john 03/08/2010 16:12:57.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1446 [GMT -6:00]
Running from: c:\documents and settings\john\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\john\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\john\Application Data\BitTorrent
c:\documents and settings\john\Application Data\BitTorrent\data\metainfo\01a5b3b839437f26518afa10de4515297eb1cd8f
c:\documents and settings\john\Application Data\BitTorrent\data\metainfo\09d35cf0c6e81ca318c7d0e76968f56ee706f1cf
c:\documents and settings\john\Application Data\BitTorrent\data\metainfo\0ce1d694cad22e23a618e7f8303132a3c865ac58
c:\documents and settings\john\Application Data\BitTorrent\data\metainfo\10cfd554e7c9cb6904d06abb733e23ddd1ce1ad8
c:\documents and settings\john\Application Data\BitTorrent\data\metainfo\13f3d733c963eae515c2b5a5258cc39422e50ee2
c:\documents and settings\john\Application Data\BitTorrent\data\metainfo\14b818a24b22316d614bc10e9c591a9d44e3abef
c:\documents and settings\john\Application Data\BitTorrent\data\metainfo\1602be3f3bc01a15b6c28c8793ad3f311896ddd1
c:\documents and settings\john\Application Data\BitTorrent\data\metainfo\1c6d5b883e834b92bd1c50910defdbcc5d795c92
c:\documents and settings\john\Application Data\BitTorrent\data\metainfo\24bb9d2bf1f839eb8d4f2fc1e1a08925840d3fbf
c:\documents and settings\john\Application Data\BitTorrent\data\metainfo\32605ba607fce89f82d72afae9d5603eacfd835c
c:\documents and settings\john\Application Data\BitTorrent\data\metainfo\3e3ced57eb87a36a1f4e411f011e1b58d3918832
c:\documents and settings\john\Application Data\BitTorrent\data\metainfo\46645cb85f7de83bd0a698392e1e47d93eb55a7b
c:\documents and settings\john\Application Data\BitTorrent\data\metainfo\55440cc038261f61aefb1061fc0db9b780afab1b
c:\documents and settings\john\Application Data\BitTorrent\data\metainfo\56c6e74aec5085cba34d1ec7fe372f4511667179
c:\documents and settings\john\Application Data\BitTorrent\data\metainfo\5840392fc9eb7de31cac2b39d604b97cbcc618c0
c:\documents and settings\john\Application Data\BitTorrent\data\metainfo\5a1b3db01b7af7644b0a81b064ac119d40aec2ca
c:\documents and settings\john\Application Data\BitTorrent\data\metainfo\7c4d4d153d0e02fc8346012eddc97d59466fc20f
c:\documents and settings\john\Application Data\BitTorrent\data\metainfo\808ddd80c7e3b2c755c2f40cadde041393356b72
c:\documents and settings\john\Application Data\BitTorrent\data\metainfo\8e0b7b065c429e00677896bed7daac567dc5c1e6
c:\documents and settings\john\Application Data\BitTorrent\data\metainfo\955d29723782bffd5a64d8400e98af1edf2438db
c:\documents and settings\john\Application Data\BitTorrent\data\metainfo\a1b4894087ff0670c1b48a5bc897da533dee79dc
c:\documents and settings\john\Application Data\BitTorrent\data\metainfo\a1b4da1d5c3b6ed48c6db1239578116dd53de1c8
c:\documents and settings\john\Application Data\BitTorrent\data\metainfo\a60aa234b3447b5ccb810fce928527a8cb63c182
c:\documents and settings\john\Application Data\BitTorrent\data\metainfo\aa332bbb25663d0818796118e93050d5d361d643
c:\documents and settings\john\Application Data\BitTorrent\data\metainfo\aa6a24523148d34aca4ba8e0c8311d129fc767d0
c:\documents and settings\john\Application Data\BitTorrent\data\metainfo\b3afa3d666eccc533670d4bf18104a5ba3e59f26
c:\documents and settings\john\Application Data\BitTorrent\data\metainfo\cc621fd6682253238740adf91549fd81eba0cc11
c:\documents and settings\john\Application Data\BitTorrent\data\metainfo\ce1191b672c75744eaaac11bb69263318a4b9a05
c:\documents and settings\john\Application Data\BitTorrent\data\metainfo\da4665382788988f019a8af56f0773627dbf3e7e
c:\documents and settings\john\Application Data\BitTorrent\data\metainfo\db83202407b2156d506b2a4b64ed1b4754078338
c:\documents and settings\john\Application Data\BitTorrent\data\metainfo\f677391069532da880c311000fcf3e790d1db245
c:\documents and settings\john\Application Data\BitTorrent\data\metainfo\f9d18ac6a4541f60b816eb9c35742966c408eca6
c:\documents and settings\john\Application Data\BitTorrent\data\metainfo\fc62c7510ca742304d345de3a34431bcc02300a3
c:\documents and settings\john\Application Data\BitTorrent\data\metainfo\fdbf865ee526a798ae75e2f6dfca0d4ac9604a93
c:\documents and settings\john\Application Data\BitTorrent\data\resume\0ce1d694cad22e23a618e7f8303132a3c865ac58
c:\documents and settings\john\Application Data\BitTorrent\data\resume\955d29723782bffd5a64d8400e98af1edf2438db
c:\documents and settings\john\Application Data\BitTorrent\data\resume\a1b4da1d5c3b6ed48c6db1239578116dd53de1c8
c:\documents and settings\john\Application Data\BitTorrent\data\resume\a60aa234b3447b5ccb810fce928527a8cb63c182
c:\documents and settings\john\Application Data\BitTorrent\data\resume\fdbf865ee526a798ae75e2f6dfca0d4ac9604a93
c:\documents and settings\john\Application Data\BitTorrent\data\routing_table
c:\documents and settings\john\Application Data\BitTorrent\data\torrents\0ce1d694cad22e23a618e7f8303132a3c865ac58
c:\documents and settings\john\Application Data\BitTorrent\data\torrents\955d29723782bffd5a64d8400e98af1edf2438db
c:\documents and settings\john\Application Data\BitTorrent\data\torrents\a1b4da1d5c3b6ed48c6db1239578116dd53de1c8
c:\documents and settings\john\Application Data\BitTorrent\data\torrents\a60aa234b3447b5ccb810fce928527a8cb63c182
c:\documents and settings\john\Application Data\BitTorrent\data\torrents\fdbf865ee526a798ae75e2f6dfca0d4ac9604a93
c:\documents and settings\john\Application Data\BitTorrent\data\ui_config
c:\documents and settings\john\Application Data\BitTorrent\data\ui_state

.
((((((((((((((((((((((((( Files Created from 2010-02-08 to 2010-03-08 )))))))))))))))))))))))))))))))
.

2010-03-03 17:48 . 2010-03-03 17:48 388096 ----a-r- c:\documents and settings\john\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-03-03 17:48 . 2010-03-03 17:48 -------- d-----w- c:\program files\Trend Micro
2010-03-03 17:47 . 2010-03-03 17:47 -------- d-----w- c:\program files\ERUNT
2010-02-25 18:51 . 2010-02-26 01:27 -------- d-----w- c:\documents and settings\john\Local Settings\Application Data\My Games
2010-02-25 18:38 . 2010-02-25 18:38 -------- d-----w- c:\program files\2K Games
2010-02-25 18:38 . 2007-06-21 02:46 266088 ----a-w- c:\windows\system32\xactengine2_8.dll
2010-02-25 18:38 . 2007-06-21 02:45 18280 ----a-w- c:\windows\system32\x3daudio1_2.dll
2010-02-25 18:38 . 2007-05-16 22:45 443752 ----a-w- c:\windows\system32\d3dx10_34.dll
2010-02-25 18:38 . 2007-05-16 22:45 3497832 ----a-w- c:\windows\system32\d3dx9_34.dll
2010-02-25 18:38 . 2007-05-16 22:45 1124720 ----a-w- c:\windows\system32\D3DCompiler_34.dll
2010-02-25 18:38 . 2007-04-05 00:53 81768 ----a-w- c:\windows\system32\xinput1_3.dll
2010-02-25 17:45 . 2010-02-25 17:45 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-08 22:11 . 2005-11-25 01:02 -------- d-----w- c:\program files\Symantec AntiVirus
2010-03-08 21:59 . 2009-11-13 23:05 -------- d-----w- c:\documents and settings\john\Application Data\vlc
2010-03-08 21:12 . 2009-02-20 21:32 -------- d-----w- c:\program files\Video Thumbnails Maker
2010-03-03 19:58 . 2005-11-29 01:23 -------- d-----w- c:\program files\Ahead
2010-03-03 19:56 . 2006-10-26 14:01 -------- d-----w- c:\program files\AvantGo
2010-02-25 18:54 . 2005-11-25 01:20 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-23 17:58 . 2006-09-11 02:38 -------- d-----w- c:\documents and settings\john\Application Data\dvdcss
2010-01-10 02:14 . 2009-11-14 00:38 -------- d-----w- c:\documents and settings\john\Application Data\Any Video Converter
2009-12-31 16:50 . 2004-08-04 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2004-08-04 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2005-11-25 00:39 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-04 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2006-05-03 10:06 . 2009-02-23 21:12 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 11:47 . 2009-02-23 21:12 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 13:30 . 2009-02-23 21:12 216064 --sh--r- c:\windows\system32\nbDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"SoundMan"="SOUNDMAN.EXE" [2005-06-21 77824]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2006-10-13 277296]
"Acrobat Assistant 8.0"="g:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]
"nwiz"="nwiz.exe" [2008-09-18 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 86016]
"QuickTime Task"="c:\program files\QuickTime Alternative\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\documents and settings\john\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-7-13 565309]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 20:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"SavRoam"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"PnkBstrB"=2 (0x2)
"PnkBstrA"=2 (0x2)
"mnmsrvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Civilization4.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Beyond the Sword\\Civ4BeyondSword.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [1/29/2008 2:56 PM 18176]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [1/29/2008 2:56 PM 7680]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys --> c:\windows\system32\DRIVERS\motodrv.sys [?]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [1/29/2008 2:56 PM 23680]
S3 PPJoyBus;Parallel Port Joystick Bus device driver;c:\windows\system32\drivers\PPJoyBus.sys [1/23/2004 3:33 PM 13952]
S3 PPortJoystick;Parallel Port Joystick device driver;c:\windows\system32\drivers\PPortJoy.sys [1/23/2004 3:32 PM 28800]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]
S4 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/23/2005 7:27 PM 124608]

--- Other Services/Drivers In Memory ---

*Deregistered* - EraserUtilDrvI9
*Deregistered* - EraserUtilRebootDrv
.
Contents of the 'Scheduled Tasks' folder

2010-03-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} - file:///D:/Program%20Files/xnews/downloads/Guitar/Riff%20Interactive%20-%2060S%20Funk%20Soul/setup/RiffLick.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-08 16:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-03-08 16:24:26
ComboFix-quarantined-files.txt 2010-03-08 22:24
ComboFix2.txt 2010-03-08 19:44

Pre-Run: 31,391,977,472 bytes free
Post-Run: 31,379,927,040 bytes free

- - End Of File - - 0880770E201B62BF821FB17BD0F1B173

Blade81
2010-03-09, 15:38
Hi,


Yes, we do use the entire Adobe Suite, which includes Acrobat.
In that case, you should get the latest security updates for it.

I shall wait for those other reports :)

jw,chicago
2010-03-10, 19:16
Thanks, Blade. The ComboFix log was in the last post, and here are Kaspersky and dds number 3:

KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, March 9, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, March 08, 2010 18:01:31
Records in database: 3740411


Scan settings
scan using the following database extended
Scan archives yes
Scan e-mail databases yes

Scan area My Computer
C:\
D:\
E:\
F:\
G:\
I:\

Scan statistics
Objects scanned 230654
Threats found 7
Infected objects found 44
Suspicious objects found 0
Scan duration 05:22:41

File name Threat Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02200000.VBN Infected: Exploit.HTML.Mht 1

C:\Documents and Settings\john\Application Data\Sun\Java\Deployment\cache\6.0\31\3f4316df-2ef6e416 Infected: Trojan-Downloader.Java.Agent.aj 1

C:\Documents and Settings\john\Application Data\Sun\Java\Deployment\cache\6.0\34\38fb6e22-12520436 Infected: Trojan-Downloader.Java.Agent.ap 3

C:\Documents and Settings\john\Desktop\Phone\E815Drivers\Motorola\MotoConnect\Pages\kf141.zip Infected: not-a-virus:PSWTool.Win32.RAS.a 2

C:\Qoobox\Quarantine\C\WINDOWS\system32\4DW4R3XPKWfdoXHF.dll.vir Infected: Rootkit.Win32.Agent.bctc 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4DW4R3.sys.vir Infected: Rootkit.Win32.Agent.aibm 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4DW4R3BrNexObrmy.sys.vir Infected: Rootkit.Win32.Agent.aibm 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4DW4R3BXyBchNoxg.sys.vir Infected: Rootkit.Win32.Agent.aibm 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4DW4R3EFPTMqvsdS.sys.vir Infected: Rootkit.Win32.Agent.aibm 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4DW4R3EnUHoQlgpb.sys.vir Infected: Rootkit.Win32.Agent.aibm 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4DW4R3QRiaLfbekn.sys.vir Infected: Rootkit.Win32.Agent.aibm 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4DW4R3rPRKYMkUiq.sys.vir Infected: Rootkit.Win32.Agent.aibm 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4DW4R3tHqlWBRwIX.sys.vir Infected: Rootkit.Win32.Agent.aibm 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4DW4R3vREbTVvLdj.sys.vir Infected: Rootkit.Win32.Agent.aibm 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4DW4R3wTKYkaDboH.sys.vir Infected: Rootkit.Win32.Agent.aibm 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4DW4R3YwXHrXILKV.sys.vir Infected: Rootkit.Win32.Agent.aibm 1

C:\System Volume Information\_restore{DA72D12F-5FF8-4B33-BC42-B81F62DFB65D}\RP920\A0170021.sys Infected: Rootkit.Win32.Agent.aibm 1

C:\System Volume Information\_restore{DA72D12F-5FF8-4B33-BC42-B81F62DFB65D}\RP920\A0170022.dll Infected: Rootkit.Win32.Agent.bctc 1

C:\System Volume Information\_restore{DA72D12F-5FF8-4B33-BC42-B81F62DFB65D}\RP920\A0170023.sys Infected: Rootkit.Win32.Agent.aibm 1

C:\System Volume Information\_restore{DA72D12F-5FF8-4B33-BC42-B81F62DFB65D}\RP920\A0170024.sys Infected: Rootkit.Win32.Agent.aibm 1

C:\System Volume Information\_restore{DA72D12F-5FF8-4B33-BC42-B81F62DFB65D}\RP920\A0170025.sys Infected: Rootkit.Win32.Agent.aibm 1

C:\System Volume Information\_restore{DA72D12F-5FF8-4B33-BC42-B81F62DFB65D}\RP920\A0170026.sys Infected: Rootkit.Win32.Agent.aibm 1

C:\System Volume Information\_restore{DA72D12F-5FF8-4B33-BC42-B81F62DFB65D}\RP920\A0170027.sys Infected: Rootkit.Win32.Agent.aibm 1

C:\System Volume Information\_restore{DA72D12F-5FF8-4B33-BC42-B81F62DFB65D}\RP920\A0170028.sys Infected: Rootkit.Win32.Agent.aibm 1

C:\System Volume Information\_restore{DA72D12F-5FF8-4B33-BC42-B81F62DFB65D}\RP920\A0170029.sys Infected: Rootkit.Win32.Agent.aibm 1

C:\System Volume Information\_restore{DA72D12F-5FF8-4B33-BC42-B81F62DFB65D}\RP920\A0170030.sys Infected: Rootkit.Win32.Agent.aibm 1

C:\System Volume Information\_restore{DA72D12F-5FF8-4B33-BC42-B81F62DFB65D}\RP920\A0170031.sys Infected: Rootkit.Win32.Agent.aibm 1

C:\System Volume Information\_restore{DA72D12F-5FF8-4B33-BC42-B81F62DFB65D}\RP920\A0170032.sys Infected: Rootkit.Win32.Agent.aibm 1

C:\System Volume Information\_restore{DA72D12F-5FF8-4B33-BC42-B81F62DFB65D}\RP921\A0170059.dll Infected: Rootkit.Win32.Agent.bctc 1

C:\System Volume Information\_restore{DA72D12F-5FF8-4B33-BC42-B81F62DFB65D}\RP921\A0170060.dll Infected: Rootkit.Win32.Agent.bctc 1

C:\System Volume Information\_restore{DA72D12F-5FF8-4B33-BC42-B81F62DFB65D}\RP921\A0170061.dll Infected: Rootkit.Win32.Agent.bctc 1

C:\System Volume Information\_restore{DA72D12F-5FF8-4B33-BC42-B81F62DFB65D}\RP921\A0170062.dll Infected: Rootkit.Win32.Agent.bctc 1

C:\System Volume Information\_restore{DA72D12F-5FF8-4B33-BC42-B81F62DFB65D}\RP921\A0170063.dll Infected: Rootkit.Win32.Agent.bctc 1

C:\System Volume Information\_restore{DA72D12F-5FF8-4B33-BC42-B81F62DFB65D}\RP921\A0170064.dll Infected: Rootkit.Win32.Agent.bctc 1

C:\System Volume Information\_restore{DA72D12F-5FF8-4B33-BC42-B81F62DFB65D}\RP921\A0170065.dll Infected: Rootkit.Win32.Agent.bctc 1

C:\System Volume Information\_restore{DA72D12F-5FF8-4B33-BC42-B81F62DFB65D}\RP921\A0170066.dll Infected: Rootkit.Win32.Agent.bctc 1

C:\System Volume Information\_restore{DA72D12F-5FF8-4B33-BC42-B81F62DFB65D}\RP921\A0170067.dll Infected: Rootkit.Win32.Agent.bctc 1

C:\System Volume Information\_restore{DA72D12F-5FF8-4B33-BC42-B81F62DFB65D}\RP921\A0170068.dll Infected: Rootkit.Win32.Agent.bctc 1

C:\System Volume Information\_restore{DA72D12F-5FF8-4B33-BC42-B81F62DFB65D}\RP921\A0170069.dll Infected: Rootkit.Win32.Agent.bctc 1

C:\System Volume Information\_restore{DA72D12F-5FF8-4B33-BC42-B81F62DFB65D}\RP921\A0170070.sys Infected: Rootkit.Win32.Agent.aibm 1

C:\WINDOWS\system32\drivers\nvata.sys Infected: Rootkit.Win32.Tdss.ai 1

Selected area has been scanned.

END::::::::::::::::::::::::::::::::::::::::::::::::::

dds scan number three:


DDS (Ver_09-12-01.01) - NTFSx86
Run by john at 8:10:27.01 on Tue 03/09/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1381 [GMT -6:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\SOUNDMAN.EXE
G:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\john\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [Acrobat Assistant 8.0] "g:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime alternative\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\john\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bttray.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
IE: Append to existing PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - hxxp://www.creative.com/su/ocx/15026/CTSUEng.cab
DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} - file:///D:/Program%20Files/xnews/downloads/Guitar/Riff%20Interactive%20-%2060S%20Funk%20Soul/setup/RiffLick.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144799573187
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?39011.4312615741
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/su/ocx/15026/CTPID.cab
Handler: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - c:\windows\system32\BTXPPanel.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-2-4 324232]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-2-4 53896]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-6-2 185968]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-6-2 161392]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-6-23 1715904]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100308.003\naveng.sys [2010-3-9 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100308.003\navex15.sys [2010-3-9 1324720]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-6-2 83568]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-1-29 18176]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-1-29 7680]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys --> c:\windows\system32\drivers\motodrv.sys [?]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2008-1-29 23680]
S3 PPJoyBus;Parallel Port Joystick Bus device driver;c:\windows\system32\drivers\PPJoyBus.sys [2004-1-23 13952]
S3 PPortJoystick;Parallel Port Joystick device driver;c:\windows\system32\drivers\PPortJoy.sys [2004-1-23 28800]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]
S4 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-6-23 124608]

=============== Created Last 30 ================

2010-03-08 22:44:37 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-03-08 22:44:37 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-08 19:16:12 0 d-sha-r- C:\cmdcons
2010-03-08 19:15:41 98816 ----a-w- c:\windows\sed.exe
2010-03-08 19:15:41 77312 ----a-w- c:\windows\MBR.exe
2010-03-08 19:15:41 261632 ----a-w- c:\windows\PEV.exe
2010-03-08 19:15:41 161792 ----a-w- c:\windows\SWREG.exe
2010-03-03 17:48:56 0 d-----w- c:\program files\Trend Micro
2010-02-25 18:38:02 0 d-----w- c:\program files\2K Games
2010-02-25 18:38:01 443752 ----a-w- c:\windows\system32\d3dx10_34.dll
2010-02-25 18:38:01 3497832 ----a-w- c:\windows\system32\d3dx9_34.dll
2010-02-25 18:38:01 266088 ----a-w- c:\windows\system32\xactengine2_8.dll
2010-02-25 18:38:01 18280 ----a-w- c:\windows\system32\x3daudio1_2.dll
2010-02-25 18:38:01 1124720 ----a-w- c:\windows\system32\D3DCompiler_34.dll
2010-02-25 18:38:00 81768 ----a-w- c:\windows\system32\xinput1_3.dll

==================== Find3M ====================

2009-12-21 19:14:05 916480 ------w- c:\windows\system32\wininet.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2006-05-03 10:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 11:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 13:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll
2008-08-25 18:12:09 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082520080826\index.dat

============= FINISH: 8:11:05.85 ===============

Blade81
2010-03-10, 20:02
Thanks for the logs :)

Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:


:filefind
nvata.sys


Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

jw,chicago
2010-03-10, 20:21
Ha! Here it is. Somehow I thought it would look bigger. Just kidding.


SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 13:16 on 10/03/2010 by john (Administrator - Elevation successful)

========== filefind ==========

Searching for "nvata.sys"
C:\WINDOWS\system32\drivers\nvata.sys -ra--- 92800 bytes [00:55 25/11/2005] [19:04 10/03/2010] 0EBC5A48FB56CD0A356EB394F38316B8

-=End Of File=-

Blade81
2010-03-10, 21:31
Believe me, I would have been happier if the list had had more than one entry :)

Do you have your motherboard chipset drivers around?

jw,chicago
2010-03-10, 21:50
YIKES! Now I'm nervous...

However, yes I do have them handy.

Blade81
2010-03-10, 22:37
Hi,

Infection has patched one of the system files and we have to replace it. Reinstall chipset drivers and then run SystemLook again.

jw,chicago
2010-03-10, 23:12
I just did it - twice actually. How are we looking?


SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 16:11 on 10/03/2010 by john (Administrator - Elevation successful)

========== filefind ==========

Searching for "nvata.sys"
C:\WINDOWS\LastGood\system32\DRIVERS\nvata.sys -ra--- 92800 bytes [21:59 10/03/2010] [19:04 10/03/2010] 0EBC5A48FB56CD0A356EB394F38316B8
C:\WINDOWS\system32\drivers\nvata.sys -ra--- 92800 bytes [00:55 25/11/2005] [09:45 17/05/2005] DCE353985C988BFB7E84FD942068151F
C:\WINDOWS\system32\ReinstallBackups\0029\DriverFiles\nvata.sys -ra--- 92800 bytes [21:59 10/03/2010] [19:04 10/03/2010] 0EBC5A48FB56CD0A356EB394F38316B8
C:\WINDOWS\system32\ReinstallBackups\0030\DriverFiles\nvata.sys -ra--- 92800 bytes [21:59 10/03/2010] [09:45 17/05/2005] DCE353985C988BFB7E84FD942068151F
C:\WINDOWS\system32\ReinstallBackups\0034\DriverFiles\nvata.sys -ra--- 92800 bytes [22:09 10/03/2010] [09:45 17/05/2005] DCE353985C988BFB7E84FD942068151F
C:\WINDOWS\system32\ReinstallBackups\0035\DriverFiles\nvata.sys -ra--- 92800 bytes [22:09 10/03/2010] [09:45 17/05/2005] DCE353985C988BFB7E84FD942068151F

-=End Of File=-
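
The two filefind logs above are the whole diagnosis: the live nvata.sys carried one MD5 before the chipset reinstall and a different one after, and the patched copy survives in LastGood and ReinstallBackups. As an added example (not part of this thread and not SystemLook's own code), the Python below parses filefind output, compares every copy against a known-good hash and flags copies modified close to scan time; the sample log is constructed from the thread's entries, and the known-good hash is assumed to be the post-reinstall one.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the second SystemLook "filefind" log in this thread.
SAMPLE_LOG = r"""SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 16:11 on 10/03/2010 by john (Administrator - Elevation successful)

========== filefind ==========

Searching for "nvata.sys"
C:\WINDOWS\LastGood\system32\DRIVERS\nvata.sys -ra--- 92800 bytes [21:59 10/03/2010] [19:04 10/03/2010] 0EBC5A48FB56CD0A356EB394F38316B8
C:\WINDOWS\system32\drivers\nvata.sys -ra--- 92800 bytes [00:55 25/11/2005] [09:45 17/05/2005] DCE353985C988BFB7E84FD942068151F
C:\WINDOWS\system32\ReinstallBackups\0029\DriverFiles\nvata.sys -ra--- 92800 bytes [21:59 10/03/2010] [19:04 10/03/2010] 0EBC5A48FB56CD0A356EB394F38316B8
-=End Of File=-
"""

# Hash of the copy restored by the chipset-driver reinstall, which the thread treats as
# clean. Assumption: in real use take it from vendor media, never from the suspect box.
KNOWN_GOOD_MD5 = {"nvata.sys": "DCE353985C988BFB7E84FD942068151F"}

# One filefind hit: <path> <attrs> <size> bytes [created] [modified] <MD5>
ENTRY_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>\S{6}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)
LOGTIME_RE = re.compile(r"^Log created at (\d\d:\d\d) on (\d\d/\d\d/\d{4})")
TS_FMT = "%H:%M %d/%m/%Y"

def parse_filefind(text):
    """Return (log_time, entries) parsed from SystemLook filefind output."""
    log_time, entries = None, []
    for line in text.splitlines():
        m = LOGTIME_RE.match(line)
        if m:
            log_time = datetime.strptime(m.group(1) + " " + m.group(2), TS_FMT)
            continue
        m = ENTRY_RE.match(line)
        if m:
            e = m.groupdict()
            e["name"] = e["path"].rsplit("\\", 1)[-1].lower()
            e["modified"] = datetime.strptime(e["modified"], TS_FMT)
            e["md5"] = e["md5"].upper()
            entries.append(e)
    return log_time, entries

def is_live_copy(path):
    """Windows loads the copy under system32\\drivers; LastGood and ReinstallBackups
    hold earlier versions that Setup keeps around, not the one in use."""
    p = path.lower()
    return ("\\system32\\drivers\\" in p
            and "\\lastgood\\" not in p and "\\reinstallbackups\\" not in p)

def assess(log_time, entries, known_good, recent_days=30):
    """Flag hash mismatches against known_good and copies modified close to scan time
    (a chipset driver normally carries a vendor build date years in the past)."""
    findings = []
    for e in entries:
        reasons = []
        expected = known_good.get(e["name"])
        if expected and e["md5"] != expected.upper():
            reasons.append("md5 differs from known-good")
        if log_time and abs(log_time - e["modified"]) < timedelta(days=recent_days):
            reasons.append("modified within %d days of scan" % recent_days)
        findings.append({"path": e["path"], "live": is_live_copy(e["path"]), "reasons": reasons})
    return findings

def live_copy_clean(findings):
    """True when exactly one live copy exists and nothing was flagged on it."""
    live = [f for f in findings if f["live"]]
    return len(live) == 1 and not live[0]["reasons"]
```

Run against the first log in this thread (one live copy with the 0EBC... hash) the same check would report a mismatch on the loaded driver, which is what prompted the reinstall.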

Blade81
2010-03-11, 15:49
Hi,

Looks promising. Let's run Kaspersky online scanner one more time. Post back the report when ready :)

jw,chicago
2010-03-13, 18:22
Hi Blade,

Wee Hoo! Am I correct that this looks good? The exceptions are the Symantec antivirus and the new flash installer. The others are all either in quarantine or in a backup volume.

Can I clear out the last of the infected files?

Thanks,

John.

KASPERSKY ONLINE SCANNER 7.0: scan report
Saturday, March 13, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, March 12, 2010 11:28:18
Records in database: 3777294


Scan settings
scan using the following database extended
Scan archives yes
Scan e-mail databases yes

Scan area My Computer
C:\
E:\
F:\
G:\
I:\

Scan statistics
Objects scanned 241287
Threats found 6
Infected objects found 43
Suspicious objects found 0
Scan duration 10:55:25

File name Threat Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02200000.VBN Infected: Exploit.HTML.Mht 1

C:\Documents and Settings\john\Application Data\Sun\Java\Deployment\cache\6.0\31\3f4316df-2ef6e416 Infected: Trojan-Downloader.Java.Agent.aj 1

C:\Documents and Settings\john\Application Data\Sun\Java\Deployment\cache\6.0\34\38fb6e22-12520436 Infected: Trojan-Downloader.Java.Agent.ap 3

C:\Qoobox\Quarantine\C\WINDOWS\system32\4DW4R3XPKWfdoXHF.dll.vir Infected: Rootkit.Win32.Agent.bctc 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4DW4R3.sys.vir Infected: Rootkit.Win32.Agent.aibm 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4DW4R3BrNexObrmy.sys.vir Infected: Rootkit.Win32.Agent.aibm 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4DW4R3BXyBchNoxg.sys.vir Infected: Rootkit.Win32.Agent.aibm 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4DW4R3EFPTMqvsdS.sys.vir Infected: Rootkit.Win32.Agent.aibm 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4DW4R3EnUHoQlgpb.sys.vir Infected: Rootkit.Win32.Agent.aibm 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4DW4R3QRiaLfbekn.sys.vir Infected: Rootkit.Win32.Agent.aibm 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4DW4R3rPRKYMkUiq.sys.vir Infected: Rootkit.Win32.Agent.aibm 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4DW4R3tHqlWBRwIX.sys.vir Infected: Rootkit.Win32.Agent.aibm 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4DW4R3vREbTVvLdj.sys.vir Infected: Rootkit.Win32.Agent.aibm 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4DW4R3wTKYkaDboH.sys.vir Infected: Rootkit.Win32.Agent.aibm 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\4DW4R3YwXHrXILKV.sys.vir Infected: Rootkit.Win32.Agent.aibm 1

C:\System Volume Information\_restore{DA72D12F-5FF8-4B33-BC42-B81F62DFB65D}\RP920\A0170021.sys Infected: Rootkit.Win32.Agent.aibm 1

C:\System Volume Information\_restore{DA72D12F-5FF8-4B33-BC42-B81F62DFB65D}\RP920\A0170022.dll Infected: Rootkit.Win32.Agent.bctc 1

C:\System Volume Information\_restore{DA72D12F-5FF8-4B33-BC42-B81F62DFB65D}\RP920\A0170023.sys Infected: Rootkit.Win32.Agent.aibm 1

C:\System Volume Information\_restore{DA72D12F-5FF8-4B33-BC42-B81F62DFB65D}\RP920\A0170024.sys Infected: Rootkit.Win32.Agent.aibm 1

C:\System Volume Information\_restore{DA72D12F-5FF8-4B33-BC42-B81F62DFB65D}\RP920\A0170025.sys Infected: Rootkit.Win32.Agent.aibm 1

C:\System Volume Information\_restore{DA72D12F-5FF8-4B33-BC42-B81F62DFB65D}\RP920\A0170026.sys Infected: Rootkit.Win32.Agent.aibm 1

C:\System Volume Information\_restore{DA72D12F-5FF8-4B33-BC42-B81F62DFB65D}\RP920\A0170027.sys Infected: Rootkit.Win32.Agent.aibm 1

C:\System Volume Information\_restore{DA72D12F-5FF8-4B33-BC42-B81F62DFB65D}\RP920\A0170028.sys Infected: Rootkit.Win32.Agent.aibm 1

C:\System Volume Information\_restore{DA72D12F-5FF8-4B33-BC42-B81F62DFB65D}\RP920\A0170029.sys Infected: Rootkit.Win32.Agent.aibm 1

C:\System Volume Information\_restore{DA72D12F-5FF8-4B33-BC42-B81F62DFB65D}\RP920\A0170030.sys Infected: Rootkit.Win32.Agent.aibm 1

C:\System Volume Information\_restore{DA72D12F-5FF8-4B33-BC42-B81F62DFB65D}\RP920\A0170031.sys Infected: Rootkit.Win32.Agent.aibm 1

C:\System Volume Information\_restore{DA72D12F-5FF8-4B33-BC42-B81F62DFB65D}\RP920\A0170032.sys Infected: Rootkit.Win32.Agent.aibm 1

C:\System Volume Information\_restore{DA72D12F-5FF8-4B33-BC42-B81F62DFB65D}\RP921\A0170059.dll Infected: Rootkit.Win32.Agent.bctc 1

C:\System Volume Information\_restore{DA72D12F-5FF8-4B33-BC42-B81F62DFB65D}\RP921\A0170060.dll Infected: Rootkit.Win32.Agent.bctc 1

C:\System Volume Information\_restore{DA72D12F-5FF8-4B33-BC42-B81F62DFB65D}\RP921\A0170061.dll Infected: Rootkit.Win32.Agent.bctc 1

C:\System Volume Information\_restore{DA72D12F-5FF8-4B33-BC42-B81F62DFB65D}\RP921\A0170062.dll Infected: Rootkit.Win32.Agent.bctc 1

C:\System Volume Information\_restore{DA72D12F-5FF8-4B33-BC42-B81F62DFB65D}\RP921\A0170063.dll Infected: Rootkit.Win32.Agent.bctc 1

C:\System Volume Information\_restore{DA72D12F-5FF8-4B33-BC42-B81F62DFB65D}\RP921\A0170064.dll Infected: Rootkit.Win32.Agent.bctc 1

C:\System Volume Information\_restore{DA72D12F-5FF8-4B33-BC42-B81F62DFB65D}\RP921\A0170065.dll Infected: Rootkit.Win32.Agent.bctc 1

C:\System Volume Information\_restore{DA72D12F-5FF8-4B33-BC42-B81F62DFB65D}\RP921\A0170066.dll Infected: Rootkit.Win32.Agent.bctc 1

C:\System Volume Information\_restore{DA72D12F-5FF8-4B33-BC42-B81F62DFB65D}\RP921\A0170067.dll Infected: Rootkit.Win32.Agent.bctc 1

C:\System Volume Information\_restore{DA72D12F-5FF8-4B33-BC42-B81F62DFB65D}\RP921\A0170068.dll Infected: Rootkit.Win32.Agent.bctc 1

C:\System Volume Information\_restore{DA72D12F-5FF8-4B33-BC42-B81F62DFB65D}\RP921\A0170069.dll Infected: Rootkit.Win32.Agent.bctc 1

C:\System Volume Information\_restore{DA72D12F-5FF8-4B33-BC42-B81F62DFB65D}\RP921\A0170070.sys Infected: Rootkit.Win32.Agent.aibm 1

C:\System Volume Information\_restore{DA72D12F-5FF8-4B33-BC42-B81F62DFB65D}\RP930\A0171105.sys Infected: Rootkit.Win32.Tdss.ai 1

C:\System Volume Information\_restore{DA72D12F-5FF8-4B33-BC42-B81F62DFB65D}\RP932\A0171210.sys Infected: Rootkit.Win32.Tdss.ai 1

Selected area has been scanned.

Blade81
2010-03-13, 19:12
Hi,

Looks good :)

Delete these files:
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02200000.VBN
C:\Documents and Settings\john\Application Data\Sun\Java\Deployment\cache\6.0\31\3f4316df-2ef6e416
C:\Documents and Settings\john\Application Data\Sun\Java\Deployment\cache\6.0\34\38fb6e22-12520436

Other items will be deleted when ComboFix is uninstalled and System Restore is reset. Instructions for that below.



THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points, which are likely to be infected. Please note you need Administrator Access to clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis.



Now let's uninstall ComboFix:

Click START then RUN
Now copy-paste Combofix /uninstall in the Run box and click OK



Please download OTC (http://oldtimer.geekstogo.com/OTC.exe) and save it to desktop.

Double-click OTC.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes; if not, delete it yourself.


Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.



UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You need to update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the Windows Update site (http://windowsupdate.microsoft.com/) to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (free): Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.


hosts file:
Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the Start button (at the lower left hand corner of your screen), then click Run. In the dialog box, type services.msc and hit Enter, then locate DNS Client. Highlight it, then double-click it. On the dropdown box, change the setting from Automatic to Manual. Click OK.
Run Secunia vulnerability check here (http://secunia.com/vulnerability_scanning/online/) and fix its findings.

Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this (http://www.bleepingcomputer.com/forums/tutorial60.html) webpage out.
If you don't have a 3rd party firewall or a router behind NAT then I recommend getting one. I recommend either Online Armor Free (http://www.tallemu.com/free-firewall-protection-software.html) or Comodo Firewall Pro (http://www.personalfirewall.comodo.com/download_firewall.html#fw3.0) (If you choose Comodo: Uncheck during installation Install Comodo HopSurf.., Make Comodo my default search provider and Make Comodo Search my homepage and install firewall ONLY!). Both providers have support forums that help with configuration related questions.



Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.



Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade :cool:

jw,chicago
2010-03-13, 20:52
Hi Blade,

Zero errors detected!

Thanks for all your help and for introducing me to these fantastic tools. I'm actually going to run the K scanner on my other computers to see if there are any other problems lurking around.

Great, great, great.

Thanks again,

John.

Blade81
2010-03-14, 12:04
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or a MOD a private message (pm). A valid, working link to the closed topic is required.