Multiple Infections on XP Pro SP1 box



mambass
2010-04-22, 22:39
Running XP Pro SP 1. The system likely has multiple infections.

One of the infections appears to not allow Microsoft Update to run. I’m stuck with an old copy of NAV because I haven’t upgraded beyond SP1.

One infection installed jviesc.dll in the System32 directory and created an HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls key referencing the file. I renamed the dll but retained the registry entry. I believe that the dll was loaded into the Explorer process. It was blocking NAV from running.

One infection tries to change the value of registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer from a DWORD value of x00000091 to a Binary 91 00 00 00. When I tell TeaTimer to deny the change and remember the decision, the attempt is repeated at 1 second intervals. The log entry is:
4/21/2010 4:59:44 PM Denied (based on user decision) value "NoDriveTypeAutoRun" (new data: "hex:91,00,00,") changed in System Startup user entry!

I’m getting browser popups and redirects. Based on Wireshark monitoring, some of the sites which are visited upon boot are z0g7ya1i0.com, li1i16b0.com and clkh71yhks66.com.

While drafting this post, Spybot was deleted as a Browser help object (the option to deny the change was disabled):
4/22/2010 2:35:31 PM Allowed (based on user decision) value "{53707962-6F74-2D53-2644-206D7942484F}" (new data: "") deleted in Browser Helper Object!

I've been working on this problem for several days. The last run of Spybot failed to detect any problems. An online NAV scan detected Trojan.Monicker but I've been unable to identify manual procedures for deleting it.

When looking at the log file, please note that I’ve modified registry entries to keep certain software from starting up during the debugging process. Either “nomore” or “later” has been added to their .exe names so that I can go back later and re-enable them. I’ve also renamed the Program Files\Google directory, and hence those files will be reported as not found.

I’m including 2 HijackThis log files. The first is the most current. The second is the one that I ran earlier when I began drafting this post. As mentioned above, Spybot was deleted as a Browser Help Object after the second log was generated.

Current report:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:58:53 PM, on 4/22/2010
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Netropa\Traymon.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\System32\tbctray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Pwrchute\ups.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\SYSTEM32\CMD.EXE
C:\WINDOWS\regedit.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32NOMORE.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swgNOMORE.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LTWinModem1] ltmsgLATER.exe 9
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCDLATER.exe"
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMonNOMORE.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb12LATER.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgrLATER.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2LATER.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realschedLATER.exe" -osboot
O4 - HKLM\..\Run: [Atomic.exe] C:\Program Files\Atomic Clock Sync\AtomicLATER.exe
O4 - HKLM\..\Run: [DaProcExp] "C:\Program Files\ProcessExplorer\procexp.exe"
O4 - HKLM\..\Run: [DaWireShark] "C:\Program Files\Wireshark\wireshark.exe" -k
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\System32\tbctray.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\WeatherLATER.exe 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManagerLATER.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessengerLATER.exex" -quiet
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtectionLATER.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifierLATER.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-4212676017-2704639424-2437969446-500\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Administrator')
O4 - HKUS\S-1-5-21-4212676017-2704639424-2437969446-500\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'Administrator')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - S-1-5-18 Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'SYSTEM')
O4 - S-1-5-18 Startup: Later (User 'SYSTEM')
O4 - .DEFAULT Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'Default user')
O4 - .DEFAULT Startup: Later (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: Later
O4 - Global Startup: Later
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Garmin Communicator Plug-In - https://my.garmin.com/static/m/cab/2.8.1/GarminAxControl.CAB
O16 - DPF: Microsoft WFC Forms Designer - file://D:\VJ98\wfcforms.cab
O16 - DPF: Visual Studio 6 Extensibility Libraries - file://D:\VJ98\vstudio6.cab
O16 - DPF: {0348CD18-6EFE-415B-AF32-58F08FA29B33} -
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) -
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1271962936562
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqna/downloads/msxml4.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://floridakeysmedia.tv/axiscam/Codebase/AxisCamControl.ocx
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} -
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} -
O18 - Filter hijack: text/html - {d3bcb27a-b78e-4c6d-9cb5-3d14229caa4e} - C:\WINDOWS\system32\xwreg32.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: APC PBE Server (APCPBEServer) - Unknown owner - C:\Program Files\APC\PowerChute Business Edition\server\pbeserver.exe (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe (file missing)
O23 - Service: Google Software Updater (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\hpboid.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: UPS - APC PowerChute plus (UPS) - APC - C:\Program Files\Pwrchute\ups.exe

--
End of file - 13313 bytes


---------------------------------------------------------------------
Previous report when Spybot was a BHO:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:07:05 PM, on 4/22/2010
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Netropa\Traymon.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\System32\tbctray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Pwrchute\ups.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32NOMORE.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swgNOMORE.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LTWinModem1] ltmsgLATER.exe 9
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCDLATER.exe"
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMonNOMORE.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb12LATER.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgrLATER.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2LATER.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realschedLATER.exe" -osboot
O4 - HKLM\..\Run: [Atomic.exe] C:\Program Files\Atomic Clock Sync\AtomicLATER.exe
O4 - HKLM\..\Run: [DaProcExp] "C:\Program Files\ProcessExplorer\procexp.exe"
O4 - HKLM\..\Run: [DaWireShark] "C:\Program Files\Wireshark\wireshark.exe" -k
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\System32\tbctray.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\WeatherLATER.exe 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManagerLATER.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessengerLATER.exex" -quiet
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtectionLATER.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifierLATER.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - S-1-5-18 Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'SYSTEM')
O4 - S-1-5-18 Startup: Later (User 'SYSTEM')
O4 - .DEFAULT Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'Default user')
O4 - .DEFAULT Startup: Later (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: Later
O4 - Global Startup: Later
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Garmin Communicator Plug-In - https://my.garmin.com/static/m/cab/2.8.1/GarminAxControl.CAB
O16 - DPF: Microsoft WFC Forms Designer - file://D:\VJ98\wfcforms.cab
O16 - DPF: Visual Studio 6 Extensibility Libraries - file://D:\VJ98\vstudio6.cab
O16 - DPF: {0348CD18-6EFE-415B-AF32-58F08FA29B33} -
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) -
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1271962936562
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqna/downloads/msxml4.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://floridakeysmedia.tv/axiscam/Codebase/AxisCamControl.ocx
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} -
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} -
O18 - Filter hijack: text/html - {d3bcb27a-b78e-4c6d-9cb5-3d14229caa4e} - C:\WINDOWS\system32\xwreg32.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: APC PBE Server (APCPBEServer) - Unknown owner - C:\Program Files\APC\PowerChute Business Edition\server\pbeserver.exe (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe (file missing)
O23 - Service: Google Software Updater (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\hpboid.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: UPS - APC PowerChute plus (UPS) - APC - C:\Program Files\Pwrchute\ups.exe

--
End of file - 13030 bytes
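As an added example (not from the original post): a small Python triage pass over the HijackThis log format above, flagging the entry kinds this thread turns on: the O18 MIME filter on text/html, BHOs registered with no backing file, the poster's own NOMORE/LATER renames (which should read as "file missing" by design), and services with no vendor and no binary. The sample input is constructed from a few lines excerpted from the log above plus two clean lines; the severity labels and rule set are the example's own, not HijackThis output.

```python
"""Triage a HijackThis 2.0.x log: parse the "Oxx - ..." entry lines and
flag the ones a responder would look at first.

Note: HijackThis does not report the AppCertDlls key mentioned in the post,
so a DLL loaded that way (jviesc.dll) must be checked in the registry itself.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines excerpted from the log above, plus two clean
# entries (ccApp, NVIDIA service) that should produce no finding.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32NOMORE.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: {0348CD18-6EFE-415B-AF32-58F08FA29B33} -
O18 - Filter hijack: text/html - {d3bcb27a-b78e-4c6d-9cb5-3d14229caa4e} - C:\WINDOWS\system32\xwreg32.dll
O23 - Service: APC PBE Server (APCPBEServer) - Unknown owner - C:\Program Files\APC\PowerChute Business Edition\server\pbeserver.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# An HJT entry line: section code (R0, O2, O23, ...), " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# The poster's deliberate rename convention: ...NOMORE.exe / ...LATER.dll
USER_RENAME_RE = re.compile(r"(?i)(nomore|later)\.(exe|dll)")


@dataclass
class Finding:
    section: str
    severity: str   # "high" | "review" | "info" (labels chosen for this example)
    reason: str
    line: str


def parse_entries(text):
    """Yield (section, body, raw_line) for HJT entry lines; header and
    process list lines do not match and are skipped."""
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("sec"), m.group("body"), raw.strip()


def classify(sec, body):
    """Return (severity, reason) for an entry worth a human look, else None."""
    # The last " - " separated field is the file path / codebase / status.
    tail = body.rsplit(" - ", 1)[-1] if " - " in body else body
    if sec == "O18" and body.startswith("Filter hijack:"):
        return ("high", "MIME filter registered for a content type; the DLL "
                        "handles every document of that type before the browser")
    if USER_RENAME_RE.search(tail) and "(file missing)" in tail:
        return ("info", "file renamed on purpose by the user; 'file missing' "
                        "is expected until it is restored")
    if sec in ("O2", "O3", "O9") and ("(no file)" in tail or "(file missing)" in tail):
        return ("review", "browser add-on registered but its file is absent "
                          "(orphaned registration or hidden file)")
    if sec == "O16" and body.rstrip().endswith("-"):
        return ("review", "downloaded ActiveX control with no codebase URL recorded")
    if sec == "O23" and "Unknown owner" in body and "(file missing)" in tail:
        return ("review", "service with no vendor information and a missing binary")
    return None


def triage(text):
    """Run the rules over a whole log and return the findings in log order."""
    findings = []
    for sec, body, raw in parse_entries(text):
        verdict = classify(sec, body)
        if verdict:
            findings.append(Finding(sec, verdict[0], verdict[1], raw))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {"high": 1, "review": 3, "info": 1}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```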

Blade81
2010-04-25, 12:58
Hi,

Please run the MGA Diagnostic Tool and post back the report it creates:
Download MGADiag (http://go.microsoft.com/fwlink/?linkid=56062) to your desktop.
Double-click on MGADiag.exe to launch the program
Click "Continue"
Ensure that the "Windows" tab is selected (it should be by default).
Click the "Copy" button to copy the MGA Diagnostic Report to the Windows clipboard.
Paste the MGA Diagnostic Report back here in your next reply.

mambass
2010-04-25, 15:49
Blade81,

Thank you SO much for taking this case.

The report that you requested is provided below.

In my initial post I forgot to mention that later in the same day, when the jviesc.dll was delivered, the file ave.exe was also delivered to the Local Settings\Application Data directory and a registry key value was modified to reference the file. I renamed the file to avebad.exe but did not modify the registry key value.

I have also added a few policies to my router to help minimize traffic with the web sites identified in my original post (plus a few others that I’ve noticed since then but whose initial hook into the system I have yet to identify).

George


Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Validation Control not Installed
Validation Code: 0
Cached Validation Code: N/A
Windows Product Key: *****-*****-T6DFB-Y934T-YD4YT
Windows Product Key Hash: 3g4CZGFEDgbKmn/oB4pa2FZsssU=
Windows Product ID: 55274-OEM-2211906-00102
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 5.1.2600.2.00010100.1.0.pro
ID: {46287E8E-6787-455D-8DA6-137C54B7ED15}(1)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005_E2AD56EA-765-8009_E2AD56EA-766-2ee7_E2AD56EA-148-80004005_16E0B333-89-80004005_78155E4D-232-80004005
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A
Version: N/A

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 101 Not Activated
Microsoft FrontPage 2002 - 100 Genuine
Microsoft Office XP Professional - 101 Not Activated
Microsoft Publisher 2002 - 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-230-1_3E121E02-385-80004005_3E121E02-452-80004005_3E121E02-312-80004005_3E121E02-372-80004005_3E121E02-452-80004005_3E121E02-312-80004005_3E121E02-372-80004005_3E121E02-452-80004005_3E121E02-312-80004005

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\iexplore.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->
File Mismatch: C:\WINDOWS\system32\oembios.bin[Hr = 0x800b0003]
File Mismatch: C:\WINDOWS\system32\oembios.dat[Hr = 0x800b0003]
File Mismatch: C:\WINDOWS\system32\oembios.sig[Hr = 0x800b0003]

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{46287E8E-6787-455D-8DA6-137C54B7ED15}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010100.1.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-YD4YT</PKey><PID>55274-OEM-2211906-00102</PID><PIDType>2</PIDType><SID>S-1-5-21-4212676017-2704639424-2437969446</SID><SYSTEM><Manufacturer>Dell Computer Corporation</Manufacturer><Model>Dimension 8200 </Model></SYSTEM><BIOS><Manufacturer>Dell Computer Corporation</Manufacturer><Version>A05</Version><SMBIOSVersion major="2" minor="3"/><Date>20020418******.******+***</Date><SLPBIOS>Dell System,Dell Computer,Dell System,Dell System</SLPBIOS></BIOS><HWID>D289336F0184C062</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Central Standard Time(GMT-06:00)</TimeZone><iJoin>0</iJoin><SBID><stat>2</stat><msppid></msppid><name>Dell Computer Corporation</name><model>Dell DIMENSION 8200</model></SBID><OEM/><GANotification/></MachineData> <Software><Office><Result>101</Result><Products><Product GUID="{90170409-6000-11D3-8CFE-0050048383C9}"><LegitResult>100</LegitResult><Name>Microsoft FrontPage 2002</Name><Ver>10</Ver><Val>44FC9E0D3745458</Val><Hash>3/W2mSsbIhqsoYg4RsRXOlyHCVU=</Hash><Pid>54196-700-0663481-16196</Pid><PidType>1</PidType></Product><Product GUID="{91110409-6000-11D3-8CFE-0050048383C9}"><LegitResult>101</LegitResult><Name>Microsoft Office XP Professional</Name><Ver>10</Ver><Val>5ADFCB16C75B3E6</Val><Hash>Xw6ze/DNOKi1LIk4OTEtzep/Sa4=</Hash><Pid>54186-OEM-1790981-26547</Pid><PidType>4</PidType></Product><Product GUID="{91190409-6000-11D3-8CFE-0050048383C9}"><LegitResult>100</LegitResult><Name>Microsoft Publisher 2002</Name><Ver>10</Ver><Val>32846C26CE47B46</Val><Hash>HO5oizDLH8iKplJfCJx+Xk1eXj4=</Hash><Pid>54197-OEM-1691344-56547</Pid><PidType>4</PidType></Product></Products><Applications><App Id="15" Version="10" Result="101"/><App Id="16" Version="10" Result="101"/><App Id="17" Version="10" Result="100"/><App Id="18" 
Version="10" Result="101"/><App Id="19" Version="10" Result="100"/><App Id="1A" Version="10" Result="101"/><App Id="1B" Version="10" Result="101"/></Applications></Office></Software></GenuineResults>

Licensing Data-->
N/A

Windows Activation Technologies-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 8000:Dell Inc|8000:Microsoft Corporation
Marker string from OEMBIOS.DAT: Dell System,Dell Computer,Dell System,Dell System

OEM Activation 2.0 Data-->
N/A

Blade81
2010-04-25, 15:57
Hi again,

Download DDS and save it to your desktop from here (http://download.bleepingcomputer.com/sUBs/dds.com) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double-click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt

Save both reports to your desktop. Post them back to your topic.


---

Download GMER (http://www.gmer.net) here by clicking the download exe button and then saving it to your desktop:
Double-click the .exe that you downloaded.
Click the Rootkit tab, uncheck the Files option and then click Scan.
Don't check the Show All box while scanning is in progress!
When scanning is finished, click Copy.
This copies the log to the clipboard.
Post the log (if the log is long, archive it into a zip file and attach it instead of posting) in your reply.

mambass
2010-04-25, 16:18
DDS.txt:


DDS (Ver_10-03-17.01) - NTFSx86
Run by gm at 9:07:46.90 on Sun 04/25/2010
Internet Explorer: 6.0.2800.1106
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.1023.589 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Pwrchute\ups.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Netropa\Traymon.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\System32\tbctray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\System32\cidaemon.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\WINDOWS\System32\hpbpro.exe
C:\WINDOWS\System32\hpboid.exe
C:\Documents and Settings\gm\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = about:blank
uDefault_Page_URL = hxxp://www.dellnet.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.0\NppBho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32NOMORE.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swgNOMORE.dll
TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.0\UIBHO.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmes0521.dll
EB: {0494D0DE-F8E0-41AD-92A3-14154ECE70AC} - No File
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
EB: {9404901D-06DA-4B23-A0EE-3EA4F64EC9B3} - No File
uRun: [Weather] c:\program files\aws\weatherbug\WeatherLATER.exe 1
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\WCESCOMM.EXE"
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManagerLATER.exe" AcRdB7_0_8 -reboot 1
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessengerLATER.exex" -quiet
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtectionLATER.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifierLATER.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [LTWinModem1] ltmsgLATER.exe 9
mRun: [AdaptecDirectCD] "c:\program files\adaptec\easy cd creator 5\directcd\DirectCDLATER.exe"
mRun: [DellTouch] c:\windows\MMKeybd.exe
mRun: [Dell|Alert] c:\program files\dell\support\alert\bin\DAMonNOMORE.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [nwiz] nwiz.exe /install
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb12LATER.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgrLATER.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton internet security\osCheck.exe"
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2LATER.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realschedLATER.exe" -osboot
mRun: [Atomic.exe] c:\program files\atomic clock sync\AtomicLATER.exe
mRun: [DaProcExp] "c:\program files\processexplorer\procexp.exe"
mRun: [DaWireShark] "c:\program files\wireshark\wireshark.exe" -k
mRun: [TraySantaCruz] c:\windows\system32\tbctray.exe
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\gm\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\gm\startm~1\programs\startup\later\pandora.lnk - c:\program files\pandora\Pandora.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\later\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\later\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\later\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\later\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\later\shortc~1.lnk - c:\program files\processexplorer\procexp.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\later\wiresh~1.lnk - c:\program files\wireshark\wireshark.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim95\aim.exe
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\MSMSGS.EXE
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
IE: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - {4C171D40-8277-11D5-AD55-00010333D0AD} - c:\program files\yahoo!\messenger\yhexbmes0521.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.8.1/GarminAxControl.CAB
DPF: Microsoft WFC Forms Designer - file://d:\vj98\wfcforms.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: Visual Studio 6 Extensibility Libraries - file://d:\vj98\vstudio6.cab
DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB
DPF: {00000161-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/msaudio.cab
DPF: {0348CD18-6EFE-415B-AF32-58F08FA29B33}
DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} - hxxp://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {33363249-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/i263_32.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6}
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1271962936562
DPF: {88D969C0-F192-11D4-A65F-0040963251E5} - hxxp://ipgweb.cce.hp.com/rdqna/downloads/msxml4.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://floridakeysmedia.tv/axiscam/Codebase/AxisCamControl.ocx
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37862.531087963
DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B}
DPF: {CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.3.1/jinstall-131_01-win.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6}
Filter: text/html - {d3bcb27a-b78e-4c6d-9cb5-3d14229caa4e} -
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - c:\program files\microsoft activesync\AATP.DLL
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R2 agentcd;DriverAgent Class Driver;c:\windows\system32\AgentCD.sys [2002-6-19 196096]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2006-9-3 105632]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2006-9-3 105632]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2009-4-6 712048]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2009-4-6 712048]
R2 Mojave;Dazzle Mojave Device;c:\windows\system32\drivers\Mojave.sys [2002-6-19 119276]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2008-3-15 1251720]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-5 99376]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20080924.003\NAVENG.SYS [2008-9-24 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20080924.003\NAVEX15.SYS [2008-9-24 873552]
R3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [2009-7-2 144768]
R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [2009-7-2 545088]
S2 APCPBEServer;APC PBE Server;c:\program files\apc\powerchute business edition\server\pbeserver.exe --> c:\program files\apc\powerchute business edition\server\pbeserver.exe [?]
S2 gupdate;Google Update Service (gupdate);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
S3 vtdg46xx;vtdg46xx;c:\progra~1\turtle~1\santac~1\contro~1\vtdg46xx.sys [2009-7-2 19232]

=============== Created Last 30 ================

2010-04-22 18:48:41 0 d-----w- c:\program files\Trend Micro
2010-04-22 17:03:39 0 d-----w- c:\windows\pss
2010-04-20 21:25:05 54156 ---ha-w- c:\windows\QTFont.qfn
2010-04-20 21:25:05 1409 ----a-w- c:\windows\QTFont.for
2010-04-19 19:49:05 0 d-----w- c:\program files\SysinternalsSuite
2010-04-19 16:10:31 73 ----a-w- c:\windows\system32\-1
2010-04-19 16:09:31 0 d-----w- c:\program files\Wireshark
2010-04-18 22:01:30 0 d-----w- c:\program files\WhoIs
2010-04-18 21:46:24 0 d-----w- c:\program files\RootkitRevealer
2010-04-18 21:11:08 0 d-----w- c:\program files\Autoruns
2010-04-17 14:04:02 138410532 ----a-w- c:\windows\system32\20100417a.reg
2010-04-17 10:45:49 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2010-04-16 15:45:26 43008 ---ha-w- c:\windows\system32\jvieSCbad.dll

==================== Find3M ====================

2010-02-04 23:25:19 82232 ----a-w- c:\docume~1\gm\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 9:08:33.43 ===============


Attach.txt:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 6/24/2002 3:54:21 PM
System Uptime: 4/25/2010 8:22:22 AM (1 hours ago)

Motherboard: Dell Computer Corporation | | Dimension 8200
Processor: Intel(R) Pentium(R) 4 CPU 2.53GHz | Microprocessor | 2518/133mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 112 GiB total, 32.681 GiB free.
D: is CDROM (CDFS)
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP2466: 1/25/2010 9:23:53 PM - System Checkpoint
RP2467: 1/26/2010 9:24:11 PM - System Checkpoint
RP2468: 1/27/2010 10:24:12 PM - System Checkpoint
RP2469: 1/28/2010 11:47:50 PM - System Checkpoint
RP2470: 1/30/2010 12:24:21 AM - System Checkpoint
RP2471: 1/31/2010 1:24:34 AM - System Checkpoint
RP2472: 2/1/2010 9:28:12 PM - System Checkpoint
RP2473: 2/8/2010 1:56:30 PM - System Checkpoint
RP2474: 2/9/2010 5:40:54 PM - System Checkpoint
RP2475: 2/11/2010 9:33:16 PM - System Checkpoint
RP2476: 2/13/2010 12:53:31 AM - System Checkpoint
RP2477: 2/14/2010 1:43:31 AM - System Checkpoint
RP2478: 2/15/2010 2:08:36 AM - System Checkpoint
RP2479: 2/16/2010 2:46:22 AM - System Checkpoint
RP2480: 2/17/2010 3:03:20 AM - System Checkpoint
RP2481: 2/18/2010 4:03:22 AM - System Checkpoint
RP2482: 2/18/2010 3:26:52 PM - Installed H&R Block Deluxe + Efile + State 2009.
RP2483: 2/18/2010 3:29:53 PM - Installed DeductionPro 2009
RP2484: 2/21/2010 7:55:48 AM - System Checkpoint
RP2485: 2/22/2010 10:01:27 AM - System Checkpoint
RP2486: 2/23/2010 3:36:11 PM - System Checkpoint
RP2487: 2/24/2010 4:03:28 PM - System Checkpoint
RP2488: 2/25/2010 5:22:55 PM - System Checkpoint
RP2489: 2/26/2010 5:37:35 PM - System Checkpoint
RP2490: 2/27/2010 7:21:38 PM - System Checkpoint
RP2491: 2/28/2010 7:57:07 PM - System Checkpoint
RP2492: 3/1/2010 8:19:04 PM - System Checkpoint
RP2493: 3/2/2010 9:09:26 PM - System Checkpoint
RP2494: 3/3/2010 9:47:19 PM - System Checkpoint
RP2495: 3/4/2010 10:47:21 PM - System Checkpoint
RP2496: 3/5/2010 11:47:21 PM - System Checkpoint
RP2497: 3/7/2010 12:47:21 AM - System Checkpoint
RP2498: 3/8/2010 1:47:21 AM - System Checkpoint
RP2499: 3/9/2010 2:46:15 AM - System Checkpoint
RP2500: 3/10/2010 2:47:22 AM - System Checkpoint
RP2501: 3/11/2010 2:58:12 AM - System Checkpoint
RP2502: 3/12/2010 1:54:44 PM - System Checkpoint
RP2503: 3/13/2010 1:58:58 PM - System Checkpoint
RP2504: 3/14/2010 3:01:02 PM - System Checkpoint
RP2505: 3/15/2010 4:04:15 PM - System Checkpoint
RP2506: 3/16/2010 4:10:14 PM - System Checkpoint
RP2507: 3/17/2010 8:36:58 PM - System Checkpoint
RP2508: 3/19/2010 10:16:20 AM - System Checkpoint
RP2509: 3/21/2010 3:54:32 PM - System Checkpoint
RP2510: 3/22/2010 5:00:37 PM - System Checkpoint
RP2511: 3/24/2010 5:24:08 PM - System Checkpoint
RP2512: 3/25/2010 6:05:07 PM - System Checkpoint
RP2513: 3/26/2010 8:01:32 PM - System Checkpoint
RP2514: 3/28/2010 7:07:49 PM - System Checkpoint
RP2515: 3/29/2010 7:48:47 PM - System Checkpoint
RP2516: 3/30/2010 8:19:10 PM - System Checkpoint
RP2517: 3/31/2010 9:15:17 PM - System Checkpoint
RP2518: 4/1/2010 9:48:44 PM - System Checkpoint
RP2519: 4/2/2010 10:03:19 PM - System Checkpoint
RP2520: 4/3/2010 11:20:19 PM - System Checkpoint
RP2521: 4/4/2010 12:30:01 PM - Installed H&R Block Missouri 2009.
RP2522: 4/5/2010 7:14:54 PM - System Checkpoint
RP2523: 4/6/2010 11:39:52 PM - System Checkpoint
RP2524: 4/8/2010 11:47:04 AM - System Checkpoint
RP2525: 4/9/2010 11:53:14 AM - System Checkpoint
RP2526: 4/10/2010 12:13:16 PM - System Checkpoint
RP2527: 4/11/2010 1:01:18 PM - System Checkpoint
RP2528: 4/12/2010 1:50:47 PM - System Checkpoint
RP2529: 4/13/2010 4:57:31 PM - System Checkpoint
RP2530: 4/14/2010 5:27:20 PM - System Checkpoint
RP2531: 4/15/2010 6:30:30 PM - System Checkpoint
RP2532: 4/17/2010 10:04:17 AM - System Checkpoint
RP2533: 4/18/2010 12:28:44 PM - System Checkpoint
RP2534: 4/19/2010 5:40:02 PM - System Checkpoint
RP2535: 4/20/2010 10:09:01 PM - System Checkpoint
RP2536: 4/22/2010 1:48:40 PM - Installed HiJackThis
RP2537: 4/24/2010 2:00:25 AM - System Checkpoint
RP2538: 4/25/2010 2:34:19 AM - System Checkpoint

==== Installed Programs ======================

ABBYY FineReader 5.0 Sprint
Adobe Acrobat 4.0
Adobe AIR
Adobe Download Manager 1.2 (Remove Only)
Adobe Photoshop Album 2.0 Starter Edition
Adobe Photoshop Elements 2.0
Adobe Reader 7.0.8
AOL Instant Messenger
APC PowerChute Business Edition Agent
APC PowerChute Business Edition Console
APC PowerChute Business Edition Server
AppCore
Atomic Clock Sync
AV
Borland C++ 5.02
ccCommon
CDMaster32
CreativeProjects
CreativeProjectsTemplates
CueTour
DeductionPro 2003
DeductionPro 2004-05
DeductionPro 2005-06
DeductionPro 2006
DeductionPro 2007
DeductionPro 2008
DeductionPro 2009
Dell | Support
Dell Picture Studio - Image Expert 2000
Dell Solution Center
DellTouch
Destinations
Director
DivX Codec
Easy CD Creator 5 Basic
EPSON Copy Utility
EPSON Photo Print
EPSON Scan
EPSON Smart Panel
ERUNT 1.1j
Family Lawyer 2000
Forté Agent
GanttProject 2.0.9
Garmin City Navigator North America NT 2010.10 Update
Garmin POI Loader
Google Earth
Google Toolbar for Internet Explorer
Google Update Helper
GoToMeeting 4.0.0.320
H&R Block Deluxe + Efile + State 2009
H&R Block Missouri 2009
Help and Support Customization
HiJackThis
HP Deskjet 6800
HP Diagnostic Assistant
HP Photo & Imaging 4.1
HP Update
HPSystemDiagnostics
IE2K
InstantShare
Intel Processor Frequency ID Utility
InterActual Player
iolo technologies' Search and Recover
Island Hopper Scenario A
J2SE Runtime Environment 5.0 Update 7
Java 2 Runtime Environment Standard Edition v1.3.1_01
Java(TM) SE Runtime Environment 6 Update 1
Legal Search
LiveUpdate 3.1 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Lucent Win Modem
MapSource
MapSource - City Select North America v7
MGI VideoWave 4
Microsoft .NET Framework 1.1
Microsoft ActiveSync 3.7
Microsoft Assembler Version 6.15
Microsoft Data Access Components KB870669
Microsoft FrontPage 2002
Microsoft Interactive Training
Microsoft Money 2005
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office XP Media Content
Microsoft Office XP Professional
Microsoft Publisher 2002
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual J++ 6.0
Microsoft Visual Studio 6.0 Professional Edition
MindSpring PipeLine+ 2.60-32
Miro
Modem Helper
Movie Studio 2 Hardware
MSDN Library - Visual Studio 6.0a
MSN Add-in for Windows Messenger
MSN Music Assistant
MSRedist
MUSICMATCH Jukebox
MyDVD
News Rover
Norton AntiVirus
Norton Confidential Browser Component
Norton Confidential Web Protection Component
Norton Internet Security
Norton Internet Security (Symantec Corporation)
Norton Protection Center
NVIDIA Windows 2000/XP Display Drivers
Overland
Pandora
Pdf995 (installed by TaxCut)
PdfEdit995 (installed by TaxCut)
PhoneTools
PowerChute plus 5.2
PowerDVD
Presto! BizCard 4.1 Eng
PrintScreen
QFolder
QuickProjects
QuickTime
RealPlayer
Realtek RTL8139 Diagnostics Program
Santa Cruz
ScanToWeb
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905495)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB914798)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917537)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924496)
Shockwave Player
SkinsHP1
SmartDraw 7 Trial Edition
SPBBC 32bit
Spybot - Search & Destroy
SpywareBlaster v3.2
Street Atlas USA 4.0
Symantec KB-DocID:2003093015493306
Symantec Real Time Storage Protection Component
Symantec Technical Support Web Controls
SymNet
TaxCut 2003
TaxCut 2004
TaxCut Deluxe 2005
TaxCut Missouri 2007
TaxCut Missouri 2008
TaxCut Premium + State + Efile 2008
TaxCut Premium + State 2007
TaxCut Premium 2006
TD AMERITRADE StrategyDesk 1.2
TD AMERITRADE StrategyDesk 1.3
TD AMERITRADE StrategyDesk 2.0
TD AMERITRADE StrategyDesk 2.1
TD AMERITRADE StrategyDesk 2.2
TD AMERITRADE StrategyDesk 2.3
TD AMERITRADE StrategyDesk 3.3_2 (C:\Program Files\TD AMERITRADE\StrategyDesk)
TD AMERITRADE StrategyDesk 3.4_3 (C:\Program Files\TD AMERITRADE\StrategyDesk)
The Plain-Language Law Dictionary
TrayApp
Update for Windows XP (KB835409)
Update for Windows XP (KB898461)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
VBA & Macros for Excel Project Files
VideoLAN VLC media player 0.7.2
Viewpoint Manager (Remove Only)
Viewpoint Media Player (Remove Only)
vr3d
WeatherBug
WebEx
WebFldrs XP
WebReg
Windows Installer 3.1 (KB893803)
Windows Installer Clean Up
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player Hotfix [See wm828026 for more information]
Windows XP Hotfix - KB810217
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB824141
Windows XP Hotfix - KB824146
Windows XP Hotfix - KB824151
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB826939
Windows XP Hotfix - KB828028
Windows XP Hotfix - KB828035
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB837001
Windows XP Hotfix - KB839643
Windows XP Hotfix - KB839645
Windows XP Hotfix - KB840315
Windows XP Hotfix - KB840374
Windows XP Hotfix - KB841873
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892944
Windows XP Hotfix - KB911567
Windows XP Hotfix - KB918439
Windows XP Hotfix - KB918899
Windows XP Hotfix - KB925486
Windows XP Hotfix (SP2) Q811114
Windows XP Hotfix (SP2) Q819696
Windows XP Service Pack 1a
WinMX
WinPcap 4.1.1
WinZip
Wireshark 1.2.7
XviD MPEG-4 Video Codec
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Messenger Explorer Bar

==== Event Viewer Messages From Past Week ========

4/25/2010 2:57:26 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
4/25/2010 2:56:28 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
4/25/2010 2:50:54 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: eeCtrl FileDisk Fips Processor SPBBCDrv SRTSPL SRTSPX SYMTDI
4/25/2010 2:50:54 AM, error: Service Control Manager [7001] - The World Wide Web Publishing service depends on the IIS Admin service which failed to start because of the following error: The dependency service or group failed to start.
4/25/2010 2:50:54 AM, error: Service Control Manager [7001] - The Simple Mail Transfer Protocol (SMTP) service depends on the IIS Admin service which failed to start because of the following error: The dependency service or group failed to start.
4/25/2010 2:50:54 AM, error: Service Control Manager [7001] - The FTP Publishing service depends on the IIS Admin service which failed to start because of the following error: The dependency service or group failed to start.
4/25/2010 2:49:13 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
4/22/2010 6:08:15 AM, error: Service Control Manager [7001] - The World Wide Web Publishing service depends on the IIS Admin service which failed to start because of the following error: The executable program that this service is configured to run in does not implement the service.
4/22/2010 6:08:15 AM, error: Service Control Manager [7001] - The Simple Mail Transfer Protocol (SMTP) service depends on the IIS Admin service which failed to start because of the following error: The executable program that this service is configured to run in does not implement the service.
4/22/2010 6:08:15 AM, error: Service Control Manager [7001] - The FTP Publishing service depends on the IIS Admin service which failed to start because of the following error: The executable program that this service is configured to run in does not implement the service.
4/22/2010 6:08:15 AM, error: Service Control Manager [7000] - The IIS Admin service failed to start due to the following error: The executable program that this service is configured to run in does not implement the service.
4/20/2010 4:50:56 PM, information: Windows File Protection [64017] - Windows File Protection file scan completed successfully.
4/20/2010 4:39:28 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\oembios.sig has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 0.0.0.1.
4/20/2010 4:39:28 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\oembios.dat has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 0.0.0.1.
4/20/2010 4:39:28 PM, information: Windows File Protection [64004] - The protected system file c:\windows\system32\oembios.sig could not be restored to its original, valid version. The file version of the bad file is 0.0.0.1 The specific error code is 0x800b0100 [No signature was present in the subject. ].
4/20/2010 4:39:28 PM, information: Windows File Protection [64004] - The protected system file c:\windows\system32\oembios.dat could not be restored to its original, valid version. The file version of the bad file is 0.0.0.1 The specific error code is 0x800b0100 [No signature was present in the subject. ].
4/20/2010 4:39:27 PM, information: Windows File Protection [64004] - The protected system file c:\windows\system32\oembios.bin could not be restored to its original, valid version. The file version of the bad file is 0.0.0.1 The specific error code is 0x800b0100 [No signature was present in the subject. ].
4/20/2010 4:39:26 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\oembios.bin has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 0.0.0.1.
4/20/2010 4:38:52 PM, information: Windows File Protection [64016] - Windows File Protection file scan was started.
4/20/2010 4:15:13 AM, error: Dhcp [1002] - The IP address lease 192.168.1.102 for the Network Card with network address 929526FAAD7B has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
4/20/2010 3:03:40 PM, error: DCOM [10009] - DCOM was unable to communicate with the computer D using any of the configured protocols.
4/19/2010 9:36:22 AM, error: Dhcp [1002] - The IP address lease 192.168.1.100 for the Network Card with network address 929526FAAD7B has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
4/19/2010 8:03:25 AM, error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.1.100 with the system having network hardware address 00:18:DE:86:97:A9. Network operations on this system may be disrupted as a result.
4/19/2010 6:13:36 AM, error: Dhcp [1002] - The IP address lease 192.168.1.104 for the Network Card with network address 929526FAAD7B has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
4/19/2010 5:36:14 PM, error: BROWSER [8007] - The browser was unable to update the service status bits. The data is the error.
4/19/2010 2:26:11 PM, error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.1.102 with the system having network hardware address 00:25:A0:70:AA:E9. Network operations on this system may be disrupted as a result.
4/19/2010 10:45:07 AM, error: DCOM [10002] - Access denied attempting to launch a DCOM Server. The server is: {0C0A3666-30C9-11D0-8F20-00805F2CD064} The user is IWAM_DMAIN/DMAIN, SID=S-1-5-21-4212676017-2704639424-2437969446-1008.
4/19/2010 10:22:34 AM, error: Service Control Manager [7023] - The Machine Debug Manager service terminated with the following error: The class is configured to run as a security id different from the caller
4/18/2010 6:51:54 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Automatic LiveUpdate Scheduler service to connect.
4/18/2010 6:51:54 AM, error: Service Control Manager [7000] - The Automatic LiveUpdate Scheduler service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
4/18/2010 5:05:55 PM, error: Service Control Manager [7003] - The SRTSP service depends on the following nonexistent service: FltMgr
4/18/2010 5:05:55 PM, error: Service Control Manager [7000] - The Google Update Service (gupdate) service failed to start due to the following error: The system cannot find the path specified.
4/18/2010 5:05:55 PM, error: Service Control Manager [7000] - The APC PBE Server service failed to start due to the following error: The system cannot find the file specified.
4/18/2010 5:05:04 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
4/18/2010 5:05:04 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
4/18/2010 5:00:49 PM, error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.1.100 with the system having network hardware address 00:90:4B:F5:A0:69. Network operations on this system may be disrupted as a result.
4/18/2010 4:30:50 AM, error: Service Control Manager [7023] - The Google Update Service (gupdate) service terminated with the following error: The class is configured to run as a security id different from the caller
4/18/2010 3:36:29 AM, error: Dhcp [1002] - The IP address lease 192.168.1.105 for the Network Card with network address 929526FAAD7B has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
4/18/2010 2:16:56 PM, error: Service Control Manager [7005] - The RpcImpersonateClient call failed with the following error: No security context is available to allow impersonation.

==== End Of File ===========================


---------------------------------------------

GMER Output:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-25 09:15:12
Windows 5.1.2600 Service Pack 1
Running: 35wodyyo.exe; Driver: C:\DOCUME~1\gm\LOCALS~1\Temp\axtdapod.sys


---- System - GMER 1.0.15 ----

SSDT 871160A8 ZwAlertResumeThread
SSDT 870E0418 ZwAlertThread
SSDT 870E1F18 ZwAllocateVirtualMemory
SSDT 86FD4158 ZwConnectPort
SSDT \??\C:\WINDOWS\System32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xA9EF2EB0]
SSDT 87101B28 ZwCreateMutant
SSDT 86F8F3A0 ZwCreateThread
SSDT \??\C:\WINDOWS\System32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xA9EF3130]
SSDT \??\C:\WINDOWS\System32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA9EF3690]
SSDT 86E8AF98 ZwFreeVirtualMemory
SSDT 87024AA0 ZwImpersonateAnonymousToken
SSDT 86FF1430 ZwImpersonateThread
SSDT 8702D6A8 ZwMapViewOfSection
SSDT 86FF1508 ZwOpenEvent
SSDT 870DEC08 ZwOpenProcessToken
SSDT 871005A0 ZwOpenThreadToken
SSDT 86FF50D0 ZwResumeThread
SSDT 87100038 ZwSetContextThread
SSDT 870E3C58 ZwSetInformationProcess
SSDT 870F8838 ZwSetInformationThread
SSDT \??\C:\WINDOWS\System32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xA9EF38E0]
SSDT 86FF10C8 ZwSuspendProcess
SSDT 870BE960 ZwSuspendThread
SSDT 871162B8 ZwTerminateProcess
SSDT 8704A1E8 ZwTerminateThread
SSDT 8725D078 ZwUnmapViewOfSection
SSDT 870E7848 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\dmload.sys entry point in ".rsrc" section [0xF7A36114]
.text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xF28C5340, 0xFFF3F, 0xF8000020]
.text C:\WINDOWS\System32\nv4_disp.dll section is writeable [0xBF9B8300, 0x234A20, 0xF8000020]
? C:\WINDOWS\System32\Drivers\PROCEXP141.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[880] ntdll.dll!NtProtectVirtualMemory 77F5BCC8 5 Bytes JMP 006C000A
.text C:\WINDOWS\System32\svchost.exe[880] ntdll.dll!NtWriteVirtualMemory 77F5C588 5 Bytes JMP 006D000A
.text C:\WINDOWS\System32\svchost.exe[880] ntdll.dll!KiUserExceptionDispatcher 77F75DAC 5 Bytes JMP 0066000C
.text C:\WINDOWS\System32\svchost.exe[880] ole32.dll!CoCreateInstance 4FEDF9E6 5 Bytes JMP 03AA000B
.text C:\WINDOWS\System32\svchost.exe[880] USER32.dll!GetCursorPos 77D48DF4 5 Bytes JMP 042A000B
.text C:\WINDOWS\Explorer.EXE[1888] ntdll.dll!NtProtectVirtualMemory 77F5BCC8 5 Bytes JMP 0097000A
.text C:\WINDOWS\Explorer.EXE[1888] ntdll.dll!NtWriteVirtualMemory 77F5C588 5 Bytes JMP 0098000A
.text C:\WINDOWS\Explorer.EXE[1888] ntdll.dll!KiUserExceptionDispatcher 77F75DAC 5 Bytes JMP 0096000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 872F5AC8

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\dmload.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

mambass
2010-04-25, 16:24
Blade81,

I thought I should also mention that I was unable to post the results from the infected computer. When I hit the "Submit Reply" button the address line contained "http://forums.spybot.info/newreply.php?do=postreply&t=57000" and the following message was displayed "The page cannot be displayed The page you are looking for is currently unavailable. The Web site might be experiencing technical difficulties, or you may need to adjust your browser settings."

I copied the requested reports to a USB flash drive and sent them from another computer.

Thanks again for your help!

George

Blade81
2010-04-25, 16:28
Thanks for the logs.

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.

Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

mambass
2010-04-25, 17:39
ComboFix 10-04-21.01 - gm 04/25/2010 10:12:48.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.1023.651 [GMT -5:00]
Running from: c:\documents and settings\gm\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\gm\System
c:\documents and settings\gm\System\win_qs7.jqx
c:\recycler\NPROTECT
C:\test.txt
C:\Thumbs.db
c:\windows\system32\20100417a.reg
c:\windows\system32\Cache
c:\windows\winhelp.ini
C:\xu.dll

Infected copy of c:\windows\system32\drivers\DMLOAD.SYS was found and disinfected
Restored copy from - Kitty had a snack :p
c:\windows\system32\d3d9.dll . . . is missing!!

.
((((((((((((((((((((((((( Files Created from 2010-03-25 to 2010-04-25 )))))))))))))))))))))))))))))))
.

2010-04-25 13:33 . 2010-04-25 13:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-04-24 15:10 . 2010-04-24 15:10 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-04-22 18:48 . 2010-04-22 18:48 388096 ----a-r- c:\documents and settings\gm\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-04-22 18:48 . 2010-04-22 18:48 -------- d-----w- c:\program files\Trend Micro
2010-04-22 18:38 . 2010-04-22 18:39 -------- d-----w- c:\program files\ERUNT
2010-04-20 23:27 . 2010-04-20 23:27 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
2010-04-19 19:49 . 2010-04-19 19:49 -------- d-----w- c:\program files\SysinternalsSuite
2010-04-19 16:09 . 2010-04-19 16:10 -------- d-----w- c:\program files\Wireshark
2010-04-18 22:01 . 2010-04-18 22:01 -------- d-----w- c:\program files\WhoIs
2010-04-18 21:46 . 2010-04-18 21:46 -------- d-----w- c:\program files\RootkitRevealer
2010-04-18 21:11 . 2010-04-18 21:11 -------- d-----w- c:\program files\Autoruns
2010-04-18 14:32 . 2010-04-18 14:32 -------- d-----w- c:\documents and settings\gm\Local Settings\Application Data\Temp
2010-04-18 14:27 . 2010-04-18 14:27 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-04-17 10:45 . 2010-04-17 10:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2010-04-16 15:45 . 2010-04-16 15:45 43008 ---ha-w- c:\windows\system32\jvieSCbad.dll
2010-04-04 17:29 . 2010-04-04 17:29 2994016 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Downloads\HRBlockMO.exe
2010-03-28 17:26 . 2010-03-28 17:26 21195208 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Update\US30026901xupd.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-25 15:11 . 2002-06-20 04:27 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-25 15:07 . 2001-08-18 12:00 5888 ----a-w- c:\windows\system32\drivers\DMLOAD.SYS
2010-04-24 00:49 . 2002-12-15 21:44 -------- d-----w- c:\program files\NewsRover
2010-04-20 14:16 . 2007-02-19 19:34 -------- d-----w- c:\program files\ProcessExplorer
2010-04-19 16:10 . 2009-04-29 22:40 -------- d-----w- c:\program files\WinPcap
2010-04-18 16:20 . 2004-11-14 13:31 -------- d-----w- c:\program files\Yahoo!
2010-04-18 15:31 . 2007-05-03 12:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-04-18 15:31 . 2009-04-17 01:46 -------- d-----w- c:\documents and settings\gm\Application Data\Yahoo!
2010-04-18 14:31 . 2005-02-23 22:25 -------- d-----w- c:\documents and settings\gm\Application Data\WeatherBug
2010-04-18 14:26 . 2005-07-26 07:34 -------- d-----w- c:\program files\Googlebad
2010-04-17 09:57 . 2004-07-15 17:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-17 01:56 . 2004-07-15 17:25 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-16 13:29 . 2006-06-24 15:32 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-16 13:29 . 2007-05-14 19:41 -------- d-----w- c:\program files\TD AMERITRADE
2010-03-30 05:45 . 2002-12-22 18:54 -------- d-----w- c:\program files\Pwrchute
2010-03-28 17:25 . 2008-02-10 22:28 -------- d-----w- c:\documents and settings\gm\Application Data\TaxCut
2010-03-25 13:07 . 2002-06-20 04:22 -------- d-----w- c:\program files\PhoneTools
2010-02-08 17:21 . 2005-07-12 18:06 82232 ----a-w- c:\documents and settings\gm\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

------- Sigcheck -------

[-] 2004-08-04 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\wscntfy.exe

[-] 2004-08-04 . EEF46DAB68229A14DA3D8E73C99E2959 . 129536 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\xmlprov.dll

c:\windows\System32\wscntfy.exe ... is missing !!
c:\windows\System32\xmlprov.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessengerLATER.exex -quiet" [X]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LTWinModem1"="ltmsgLATER.exe 9" [X]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-07-28 4841472]
"DellTouch"="c:\windows\MMKeybd.exe" [2001-09-05 163840]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2003-02-06 77824]
"nwiz"="nwiz.exe" [2003-07-28 323584]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-09-03 84640]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2006-09-06 26248]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-29 583048]
"DaProcExp"="c:\program files\ProcessExplorer\procexp.exe" [2010-04-15 3879288]
"DaWireShark"="c:\program files\Wireshark\wireshark.exe" [2010-03-31 2217984]
"TraySantaCruz"="c:\windows\System32\tbctray.exe" [2002-04-03 290816]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2002-11-20 51200]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\Later
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-2-16 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-14 241664]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-5-14 53248]
Shortcut to procexp.exe.lnk - c:\program files\ProcessExplorer\procexp.exe [2007-2-19 3879288]
Wireshark.lnk - c:\program files\Wireshark\wireshark.exe [2010-3-31 2217984]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
ntkrELOG REG_SZ c:\windows\System32\jvieSC.dll

R2 agentcd;DriverAgent Class Driver;c:\windows\SYSTEM32\AgentCD.sys [6/19/2002 11:24 PM 196096]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [4/6/2009 4:05 PM 712048]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [4/6/2009 4:05 PM 712048]
R2 Mojave;Dazzle Mojave Device;c:\windows\SYSTEM32\DRIVERS\Mojave.sys [6/19/2002 11:23 PM 119276]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\SYSTEM32\DRIVERS\npf.sys [10/20/2009 1:19 PM 50704]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/5/2008 12:43 PM 99376]
R3 tbcspud;Santa Cruz Driver;c:\windows\SYSTEM32\DRIVERS\tbcspud.sys [7/2/2009 3:21 PM 144768]
R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\SYSTEM32\DRIVERS\tbcwdm.sys [7/2/2009 3:21 PM 545088]
S2 APCPBEServer;APC PBE Server;c:\program files\APC\PowerChute Business Edition\server\pbeserver.exe --> c:\program files\APC\PowerChute Business Edition\server\pbeserver.exe [?]
S2 gupdate;Google Update Service (gupdate);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S3 vtdg46xx;vtdg46xx;c:\progra~1\TURTLE~1\SANTAC~1\CONTRO~1\vtdg46xx.sys [7/2/2009 3:21 PM 19232]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2010-04-24 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - gm.job
- c:\progra~1\NORTON~2\NORTON~1\Navw32.exe [2006-09-07 05:38]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.8.1/GarminAxControl.CAB
DPF: Microsoft WFC Forms Designer - file://d:\vj98\wfcforms.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: Visual Studio 6 Extensibility Libraries - file://d:\vj98\vstudio6.cab
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Weather - c:\program files\AWS\WeatherBug\WeatherLATER.exe
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManagerLATER.exe
HKCU-Run-Search Protection - c:\program files\Yahoo!\Search Protection\SearchProtectionLATER.exe
HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifierLATER.exe
HKLM-Run-AdaptecDirectCD - c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCDLATER.exe
HKLM-Run-Dell|Alert - c:\program files\Dell\Support\Alert\bin\DAMonNOMORE.exe
HKLM-Run-HPDJ Taskbar Utility - c:\windows\System32\spool\drivers\w32x86\3\hpztsb12LATER.exe
HKLM-Run-HP Component Manager - c:\program files\HP\hpcoretech\hpcmpmgrLATER.exe
HKLM-Run-HP Software Update - c:\program files\HP\HP Software Update\HPWuSchd2LATER.exe
HKLM-Run-TkBellExe - c:\program files\Common Files\Real\Update_OB\realschedLATER.exe
HKLM-Run-Atomic.exe - c:\program files\Atomic Clock Sync\AtomicLATER.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-25 10:30
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x872EFAC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7583aac
\Driver\ACPI -> ACPI.sys @ 0xf74e8740
\Driver\atapi -> atapi.sys @ 0xf748f03c
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x8058e444
ParseProcedure -> ntoskrnl.exe @ 0x8055a85b
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x8058e444
ParseProcedure -> ntoskrnl.exe @ 0x8055a85b
NDIS: GVC-REALTEK Ethernet 10/100 PCI Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf73c5630
PacketIndicateHandler -> NDIS.sys @ 0xf73d0480
SendHandler -> NDIS.sys @ 0xf73c5779
user & kernel MBR OK

**************************************************************************
"PBEBackupImagePath"="%SystemRoot%\System32\ups.exe"
"OldImagePath"=" "
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4212676017-2704639424-2437969446-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(876)
c:\windows\system32\ODBC32.dll

- - - - - - - > 'lsass.exe'(944)
c:\windows\System32\dssenh.dll
.
Completion time: 2010-04-25 10:40:05
ComboFix-quarantined-files.txt 2010-04-25 15:40

Pre-Run: 34,996,396,032 bytes free
Post-Run: 38,113,284,096 bytes free

winxpsp1_en_pro_bf.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

- - End Of File - - 2A8AD835BA394F907AA0D356D5F92664

mambass
2010-04-25, 17:52
Blade81,

My previous post contains the ComboFix report. This post contains the DDS output reports. As was the case when I last ran DDS, I was unable to post the reports from the infected machine. I am creating this post from another computer.

Thanks again for all of your help!

George

DDS.txt:



DDS (Ver_10-03-17.01) - NTFSx86
Run by gm at 10:45:43.26 on Sun 04/25/2010
Internet Explorer: 6.0.2800.1106
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.1023.629 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\gm\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = about:blank
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.0\NppBho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32NOMORE.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swgNOMORE.dll
TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.0\UIBHO.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmes0521.dll
EB: {9404901D-06DA-4B23-A0EE-3EA4F64EC9B3} - No File
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\WCESCOMM.EXE"
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessengerLATER.exex" -quiet
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [LTWinModem1] ltmsgLATER.exe 9
mRun: [DellTouch] c:\windows\MMKeybd.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [nwiz] nwiz.exe /install
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton internet security\osCheck.exe"
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [DaProcExp] "c:\program files\processexplorer\procexp.exe"
mRun: [DaWireShark] "c:\program files\wireshark\wireshark.exe" -k
mRun: [TraySantaCruz] c:\windows\system32\tbctray.exe
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\gm\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\gm\startm~1\programs\startup\later\pandora.lnk - c:\program files\pandora\Pandora.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\later\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\later\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\later\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\later\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\later\shortc~1.lnk - c:\program files\processexplorer\procexp.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\later\wiresh~1.lnk - c:\program files\wireshark\wireshark.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim95\aim.exe
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\MSMSGS.EXE
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
IE: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - {4C171D40-8277-11D5-AD55-00010333D0AD} - c:\program files\yahoo!\messenger\yhexbmes0521.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.8.1/GarminAxControl.CAB
DPF: Microsoft WFC Forms Designer - file://d:\vj98\wfcforms.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: Visual Studio 6 Extensibility Libraries - file://d:\vj98\vstudio6.cab
DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB
DPF: {00000161-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/msaudio.cab
DPF: {0348CD18-6EFE-415B-AF32-58F08FA29B33}
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {33363249-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/i263_32.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6}
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1271962936562
DPF: {88D969C0-F192-11D4-A65F-0040963251E5} - hxxp://ipgweb.cce.hp.com/rdqna/downloads/msxml4.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://floridakeysmedia.tv/axiscam/Codebase/AxisCamControl.ocx
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37862.531087963
DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B}
DPF: {CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.3.1/jinstall-131_01-win.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6}
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - c:\program files\microsoft activesync\AATP.DLL
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R2 agentcd;DriverAgent Class Driver;c:\windows\system32\AgentCD.sys [2002-6-19 196096]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2006-9-3 105632]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2006-9-3 105632]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2009-4-6 712048]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2009-4-6 712048]
R2 Mojave;Dazzle Mojave Device;c:\windows\system32\drivers\Mojave.sys [2002-6-19 119276]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2008-3-15 1251720]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-5 99376]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20080924.003\NAVENG.SYS [2008-9-24 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20080924.003\NAVEX15.SYS [2008-9-24 873552]
R3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [2009-7-2 144768]
R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [2009-7-2 545088]
S2 APCPBEServer;APC PBE Server;c:\program files\apc\powerchute business edition\server\pbeserver.exe --> c:\program files\apc\powerchute business edition\server\pbeserver.exe [?]
S2 gupdate;Google Update Service (gupdate);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
S3 vtdg46xx;vtdg46xx;c:\progra~1\turtle~1\santac~1\contro~1\vtdg46xx.sys [2009-7-2 19232]

=============== Created Last 30 ================

2010-04-25 15:00:40 0 d-sha-r- C:\cmdcons
2010-04-25 14:59:08 98816 ----a-w- c:\windows\sed.exe
2010-04-25 14:59:08 77312 ----a-w- c:\windows\MBR.exe
2010-04-25 14:59:08 261632 ----a-w- c:\windows\PEV.exe
2010-04-25 14:59:08 161792 ----a-w- c:\windows\SWREG.exe
2010-04-22 18:48:41 0 d-----w- c:\program files\Trend Micro
2010-04-22 17:03:39 0 d-----w- c:\windows\pss
2010-04-20 21:25:05 54156 ---ha-w- c:\windows\QTFont.qfn
2010-04-20 21:25:05 1409 ----a-w- c:\windows\QTFont.for
2010-04-19 19:49:05 0 d-----w- c:\program files\SysinternalsSuite
2010-04-19 16:10:31 73 ----a-w- c:\windows\system32\-1
2010-04-19 16:09:31 0 d-----w- c:\program files\Wireshark
2010-04-18 22:01:30 0 d-----w- c:\program files\WhoIs
2010-04-18 21:46:24 0 d-----w- c:\program files\RootkitRevealer
2010-04-18 21:11:08 0 d-----w- c:\program files\Autoruns
2010-04-17 10:45:49 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2010-04-16 15:45:26 43008 ---ha-w- c:\windows\system32\jvieSCbad.dll

==================== Find3M ====================

2010-04-25 15:07:57 5888 ----a-w- c:\windows\system32\drivers\DMLOAD.SYS
2010-02-04 23:25:19 82232 ----a-w- c:\docume~1\gm\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 10:46:29.87 ===============



Attach.txt:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 6/24/2002 3:54:21 PM
System Uptime: 4/25/2010 10:10:18 AM (0 hours ago)

Motherboard: Dell Computer Corporation | | Dimension 8200
Processor: Intel(R) Pentium(R) 4 CPU 2.53GHz | Microprocessor | 2519/133mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 112 GiB total, 35.523 GiB free.
D: is CDROM (CDFS)
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP2466: 1/25/2010 9:23:53 PM - System Checkpoint
RP2467: 1/26/2010 9:24:11 PM - System Checkpoint
RP2468: 1/27/2010 10:24:12 PM - System Checkpoint
RP2469: 1/28/2010 11:47:50 PM - System Checkpoint
RP2470: 1/30/2010 12:24:21 AM - System Checkpoint
RP2471: 1/31/2010 1:24:34 AM - System Checkpoint
RP2472: 2/1/2010 9:28:12 PM - System Checkpoint
RP2473: 2/8/2010 1:56:30 PM - System Checkpoint
RP2474: 2/9/2010 5:40:54 PM - System Checkpoint
RP2475: 2/11/2010 9:33:16 PM - System Checkpoint
RP2476: 2/13/2010 12:53:31 AM - System Checkpoint
RP2477: 2/14/2010 1:43:31 AM - System Checkpoint
RP2478: 2/15/2010 2:08:36 AM - System Checkpoint
RP2479: 2/16/2010 2:46:22 AM - System Checkpoint
RP2480: 2/17/2010 3:03:20 AM - System Checkpoint
RP2481: 2/18/2010 4:03:22 AM - System Checkpoint
RP2482: 2/18/2010 3:26:52 PM - Installed H&R Block Deluxe + Efile + State 2009.
RP2483: 2/18/2010 3:29:53 PM - Installed DeductionPro 2009
RP2484: 2/21/2010 7:55:48 AM - System Checkpoint
RP2485: 2/22/2010 10:01:27 AM - System Checkpoint
RP2486: 2/23/2010 3:36:11 PM - System Checkpoint
RP2487: 2/24/2010 4:03:28 PM - System Checkpoint
RP2488: 2/25/2010 5:22:55 PM - System Checkpoint
RP2489: 2/26/2010 5:37:35 PM - System Checkpoint
RP2490: 2/27/2010 7:21:38 PM - System Checkpoint
RP2491: 2/28/2010 7:57:07 PM - System Checkpoint
RP2492: 3/1/2010 8:19:04 PM - System Checkpoint
RP2493: 3/2/2010 9:09:26 PM - System Checkpoint
RP2494: 3/3/2010 9:47:19 PM - System Checkpoint
RP2495: 3/4/2010 10:47:21 PM - System Checkpoint
RP2496: 3/5/2010 11:47:21 PM - System Checkpoint
RP2497: 3/7/2010 12:47:21 AM - System Checkpoint
RP2498: 3/8/2010 1:47:21 AM - System Checkpoint
RP2499: 3/9/2010 2:46:15 AM - System Checkpoint
RP2500: 3/10/2010 2:47:22 AM - System Checkpoint
RP2501: 3/11/2010 2:58:12 AM - System Checkpoint
RP2502: 3/12/2010 1:54:44 PM - System Checkpoint
RP2503: 3/13/2010 1:58:58 PM - System Checkpoint
RP2504: 3/14/2010 3:01:02 PM - System Checkpoint
RP2505: 3/15/2010 4:04:15 PM - System Checkpoint
RP2506: 3/16/2010 4:10:14 PM - System Checkpoint
RP2507: 3/17/2010 8:36:58 PM - System Checkpoint
RP2508: 3/19/2010 10:16:20 AM - System Checkpoint
RP2509: 3/21/2010 3:54:32 PM - System Checkpoint
RP2510: 3/22/2010 5:00:37 PM - System Checkpoint
RP2511: 3/24/2010 5:24:08 PM - System Checkpoint
RP2512: 3/25/2010 6:05:07 PM - System Checkpoint
RP2513: 3/26/2010 8:01:32 PM - System Checkpoint
RP2514: 3/28/2010 7:07:49 PM - System Checkpoint
RP2515: 3/29/2010 7:48:47 PM - System Checkpoint
RP2516: 3/30/2010 8:19:10 PM - System Checkpoint
RP2517: 3/31/2010 9:15:17 PM - System Checkpoint
RP2518: 4/1/2010 9:48:44 PM - System Checkpoint
RP2519: 4/2/2010 10:03:19 PM - System Checkpoint
RP2520: 4/3/2010 11:20:19 PM - System Checkpoint
RP2521: 4/4/2010 12:30:01 PM - Installed H&R Block Missouri 2009.
RP2522: 4/5/2010 7:14:54 PM - System Checkpoint
RP2523: 4/6/2010 11:39:52 PM - System Checkpoint
RP2524: 4/8/2010 11:47:04 AM - System Checkpoint
RP2525: 4/9/2010 11:53:14 AM - System Checkpoint
RP2526: 4/10/2010 12:13:16 PM - System Checkpoint
RP2527: 4/11/2010 1:01:18 PM - System Checkpoint
RP2528: 4/12/2010 1:50:47 PM - System Checkpoint
RP2529: 4/13/2010 4:57:31 PM - System Checkpoint
RP2530: 4/14/2010 5:27:20 PM - System Checkpoint
RP2531: 4/15/2010 6:30:30 PM - System Checkpoint
RP2532: 4/17/2010 10:04:17 AM - System Checkpoint
RP2533: 4/18/2010 12:28:44 PM - System Checkpoint
RP2534: 4/19/2010 5:40:02 PM - System Checkpoint
RP2535: 4/20/2010 10:09:01 PM - System Checkpoint
RP2536: 4/22/2010 1:48:40 PM - Installed HiJackThis
RP2537: 4/24/2010 2:00:25 AM - System Checkpoint
RP2538: 4/25/2010 2:34:19 AM - System Checkpoint

==== Installed Programs ======================

ABBYY FineReader 5.0 Sprint
Adobe Acrobat 4.0
Adobe AIR
Adobe Download Manager 1.2 (Remove Only)
Adobe Photoshop Album 2.0 Starter Edition
Adobe Photoshop Elements 2.0
Adobe Reader 7.0.8
AOL Instant Messenger
APC PowerChute Business Edition Agent
APC PowerChute Business Edition Console
APC PowerChute Business Edition Server
AppCore
Atomic Clock Sync
AV
Borland C++ 5.02
ccCommon
CDMaster32
CreativeProjects
CreativeProjectsTemplates
CueTour
DeductionPro 2003
DeductionPro 2004-05
DeductionPro 2005-06
DeductionPro 2006
DeductionPro 2007
DeductionPro 2008
DeductionPro 2009
Dell | Support
Dell Picture Studio - Image Expert 2000
Dell Solution Center
DellTouch
Destinations
Director
DivX Codec
Easy CD Creator 5 Basic
EPSON Copy Utility
EPSON Photo Print
EPSON Scan
EPSON Smart Panel
ERUNT 1.1j
Family Lawyer 2000
Forté Agent
GanttProject 2.0.9
Garmin City Navigator North America NT 2010.10 Update
Garmin POI Loader
Google Earth
Google Toolbar for Internet Explorer
Google Update Helper
GoToMeeting 4.0.0.320
H&R Block Deluxe + Efile + State 2009
H&R Block Missouri 2009
Help and Support Customization
HiJackThis
HP Deskjet 6800
HP Diagnostic Assistant
HP Photo & Imaging 4.1
HP Update
HPSystemDiagnostics
IE2K
InstantShare
Intel Processor Frequency ID Utility
InterActual Player
iolo technologies' Search and Recover
Island Hopper Scenario A
J2SE Runtime Environment 5.0 Update 7
Java 2 Runtime Environment Standard Edition v1.3.1_01
Java(TM) SE Runtime Environment 6 Update 1
Legal Search
LiveUpdate 3.1 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Lucent Win Modem
MapSource
MapSource - City Select North America v7
MGI VideoWave 4
Microsoft .NET Framework 1.1
Microsoft ActiveSync 3.7
Microsoft Assembler Version 6.15
Microsoft Data Access Components KB870669
Microsoft FrontPage 2002
Microsoft Interactive Training
Microsoft Money 2005
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office XP Media Content
Microsoft Office XP Professional
Microsoft Publisher 2002
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual J++ 6.0
Microsoft Visual Studio 6.0 Professional Edition
MindSpring PipeLine+ 2.60-32
Miro
Modem Helper
Movie Studio 2 Hardware
MSDN Library - Visual Studio 6.0a
MSN Add-in for Windows Messenger
MSN Music Assistant
MSRedist
MUSICMATCH Jukebox
MyDVD
News Rover
Norton AntiVirus
Norton Confidential Browser Component
Norton Confidential Web Protection Component
Norton Internet Security
Norton Internet Security (Symantec Corporation)
Norton Protection Center
NVIDIA Windows 2000/XP Display Drivers
Overland
Pandora
Pdf995 (installed by TaxCut)
PdfEdit995 (installed by TaxCut)
PhoneTools
PowerChute plus 5.2
PowerDVD
Presto! BizCard 4.1 Eng
PrintScreen
QFolder
QuickProjects
QuickTime
RealPlayer
Realtek RTL8139 Diagnostics Program
Santa Cruz
ScanToWeb
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905495)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB914798)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917537)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924496)
Shockwave Player
SkinsHP1
SmartDraw 7 Trial Edition
SPBBC 32bit
Spybot - Search & Destroy
SpywareBlaster v3.2
Street Atlas USA 4.0
Symantec KB-DocID:2003093015493306
Symantec Real Time Storage Protection Component
Symantec Technical Support Web Controls
SymNet
TaxCut 2003
TaxCut 2004
TaxCut Deluxe 2005
TaxCut Missouri 2007
TaxCut Missouri 2008
TaxCut Premium + State + Efile 2008
TaxCut Premium + State 2007
TaxCut Premium 2006
TD AMERITRADE StrategyDesk 1.2
TD AMERITRADE StrategyDesk 1.3
TD AMERITRADE StrategyDesk 2.0
TD AMERITRADE StrategyDesk 2.1
TD AMERITRADE StrategyDesk 2.2
TD AMERITRADE StrategyDesk 2.3
TD AMERITRADE StrategyDesk 3.3_2 (C:\Program Files\TD AMERITRADE\StrategyDesk)
TD AMERITRADE StrategyDesk 3.4_3 (C:\Program Files\TD AMERITRADE\StrategyDesk)
The Plain-Language Law Dictionary
TrayApp
Update for Windows XP (KB835409)
Update for Windows XP (KB898461)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
VBA & Macros for Excel Project Files
VideoLAN VLC media player 0.7.2
Viewpoint Manager (Remove Only)
Viewpoint Media Player (Remove Only)
vr3d
WeatherBug
WebEx
WebFldrs XP
WebReg
Windows Installer 3.1 (KB893803)
Windows Installer Clean Up
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player Hotfix [See wm828026 for more information]
Windows XP Hotfix - KB810217
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB824141
Windows XP Hotfix - KB824146
Windows XP Hotfix - KB824151
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB826939
Windows XP Hotfix - KB828028
Windows XP Hotfix - KB828035
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB837001
Windows XP Hotfix - KB839643
Windows XP Hotfix - KB839645
Windows XP Hotfix - KB840315
Windows XP Hotfix - KB840374
Windows XP Hotfix - KB841873
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892944
Windows XP Hotfix - KB911567
Windows XP Hotfix - KB918439
Windows XP Hotfix - KB918899
Windows XP Hotfix - KB925486
Windows XP Hotfix (SP2) Q811114
Windows XP Hotfix (SP2) Q819696
Windows XP Service Pack 1a
WinMX
WinPcap 4.1.1
WinZip
Wireshark 1.2.7
XviD MPEG-4 Video Codec
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Messenger Explorer Bar

==== Event Viewer Messages From Past Week ========

4/25/2010 5:12:19 AM, error: Service Control Manager [7000] - The wscsvc service failed to start due to the following error: The executable program that this service is configured to run in does not implement the service.
4/25/2010 2:57:26 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
4/25/2010 2:56:28 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
4/25/2010 2:50:54 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: eeCtrl FileDisk Fips Processor SPBBCDrv SRTSPL SRTSPX SYMTDI
4/25/2010 2:50:54 AM, error: Service Control Manager [7001] - The World Wide Web Publishing service depends on the IIS Admin service which failed to start because of the following error: The dependency service or group failed to start.
4/25/2010 2:50:54 AM, error: Service Control Manager [7001] - The Simple Mail Transfer Protocol (SMTP) service depends on the IIS Admin service which failed to start because of the following error: The dependency service or group failed to start.
4/25/2010 2:50:54 AM, error: Service Control Manager [7001] - The FTP Publishing service depends on the IIS Admin service which failed to start because of the following error: The dependency service or group failed to start.
4/25/2010 2:49:13 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
4/22/2010 6:08:15 AM, error: Service Control Manager [7001] - The World Wide Web Publishing service depends on the IIS Admin service which failed to start because of the following error: The executable program that this service is configured to run in does not implement the service.
4/22/2010 6:08:15 AM, error: Service Control Manager [7001] - The Simple Mail Transfer Protocol (SMTP) service depends on the IIS Admin service which failed to start because of the following error: The executable program that this service is configured to run in does not implement the service.
4/22/2010 6:08:15 AM, error: Service Control Manager [7001] - The FTP Publishing service depends on the IIS Admin service which failed to start because of the following error: The executable program that this service is configured to run in does not implement the service.
4/22/2010 6:08:15 AM, error: Service Control Manager [7000] - The IIS Admin service failed to start due to the following error: The executable program that this service is configured to run in does not implement the service.
4/20/2010 4:50:56 PM, information: Windows File Protection [64017] - Windows File Protection file scan completed successfully.
4/20/2010 4:39:28 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\oembios.sig has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 0.0.0.1.
4/20/2010 4:39:28 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\oembios.dat has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 0.0.0.1.
4/20/2010 4:39:28 PM, information: Windows File Protection [64004] - The protected system file c:\windows\system32\oembios.sig could not be restored to its original, valid version. The file version of the bad file is 0.0.0.1 The specific error code is 0x800b0100 [No signature was present in the subject. ].
4/20/2010 4:39:28 PM, information: Windows File Protection [64004] - The protected system file c:\windows\system32\oembios.dat could not be restored to its original, valid version. The file version of the bad file is 0.0.0.1 The specific error code is 0x800b0100 [No signature was present in the subject. ].
4/20/2010 4:39:27 PM, information: Windows File Protection [64004] - The protected system file c:\windows\system32\oembios.bin could not be restored to its original, valid version. The file version of the bad file is 0.0.0.1 The specific error code is 0x800b0100 [No signature was present in the subject. ].
4/20/2010 4:39:26 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\oembios.bin has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 0.0.0.1.
4/20/2010 4:38:52 PM, information: Windows File Protection [64016] - Windows File Protection file scan was started.
4/20/2010 4:15:13 AM, error: Dhcp [1002] - The IP address lease 192.168.1.102 for the Network Card with network address 929526FAAD7B has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
4/20/2010 3:03:40 PM, error: DCOM [10009] - DCOM was unable to communicate with the computer D using any of the configured protocols.
4/19/2010 9:36:22 AM, error: Dhcp [1002] - The IP address lease 192.168.1.100 for the Network Card with network address 929526FAAD7B has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
4/19/2010 8:03:25 AM, error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.1.100 with the system having network hardware address 00:18:DE:86:97:A9. Network operations on this system may be disrupted as a result.
4/19/2010 6:13:36 AM, error: Dhcp [1002] - The IP address lease 192.168.1.104 for the Network Card with network address 929526FAAD7B has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
4/19/2010 5:43:08 AM, error: Service Control Manager [7003] - The SRTSP service depends on the following nonexistent service: FltMgr
4/19/2010 5:43:08 AM, error: Service Control Manager [7000] - The Google Update Service (gupdate) service failed to start due to the following error: The system cannot find the path specified.
4/19/2010 5:43:08 AM, error: Service Control Manager [7000] - The APC PBE Server service failed to start due to the following error: The system cannot find the file specified.
4/19/2010 5:41:55 AM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
4/19/2010 5:41:55 AM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
4/19/2010 5:36:14 PM, error: BROWSER [8007] - The browser was unable to update the service status bits. The data is the error.
4/19/2010 2:26:11 PM, error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.1.102 with the system having network hardware address 00:25:A0:70:AA:E9. Network operations on this system may be disrupted as a result.
4/19/2010 10:45:07 AM, error: DCOM [10002] - Access denied attempting to launch a DCOM Server. The server is: {0C0A3666-30C9-11D0-8F20-00805F2CD064} The user is IWAM_DMAIN/DMAIN, SID=S-1-5-21-4212676017-2704639424-2437969446-1008.
4/19/2010 10:22:34 AM, error: Service Control Manager [7023] - The Machine Debug Manager service terminated with the following error: The class is configured to run as a security id different from the caller
4/18/2010 6:51:54 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Automatic LiveUpdate Scheduler service to connect.
4/18/2010 6:51:54 AM, error: Service Control Manager [7000] - The Automatic LiveUpdate Scheduler service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
4/18/2010 5:00:49 PM, error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.1.100 with the system having network hardware address 00:90:4B:F5:A0:69. Network operations on this system may be disrupted as a result.
4/18/2010 4:30:50 AM, error: Service Control Manager [7023] - The Google Update Service (gupdate) service terminated with the following error: The class is configured to run as a security id different from the caller
4/18/2010 3:36:29 AM, error: Dhcp [1002] - The IP address lease 192.168.1.105 for the Network Card with network address 929526FAAD7B has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
4/18/2010 2:16:56 PM, error: Service Control Manager [7005] - The RpcImpersonateClient call failed with the following error: No security context is available to allow impersonation.

==== End Of File ===========================
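The DDS log above is triaged by eye in this thread: the helper picks out the extensionless file c:\windows\system32\-1, the hidden jvieSCbad.dll and the services whose binaries DDS could not find ("[?]"). As an added example, not part of DDS, ComboFix or any post here, the Python script below applies those same first-pass checks mechanically to the SERVICES / DRIVERS and Created Last 30 sections. The sample lines are copied from the log above; the meaning of the attribute column (first character "d" for a directory, fourth "h" for hidden) is inferred from those lines and is an assumption, as is treating a trailing "[?]" as a missing service image.

```python
"""Triage helper for DDS-style log sections (added example, not DDS/ComboFix code)."""
import re
from dataclasses import dataclass

# Sample input: lines copied from the DDS log posted in this thread.
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============

R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
S2 gupdate;Google Update Service (gupdate);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
S3 vtdg46xx;vtdg46xx;c:\progra~1\turtle~1\santac~1\contro~1\vtdg46xx.sys [2009-7-2 19232]

=============== Created Last 30 ================

2010-04-25 15:00:40 0 d-sha-r- C:\cmdcons
2010-04-22 18:48:41 0 d-----w- c:\program files\Trend Micro
2010-04-19 16:10:31 73 ----a-w- c:\windows\system32\-1
2010-04-16 15:45:26 43008 ---ha-w- c:\windows\system32\jvieSCbad.dll

==================== Find3M ====================

2010-04-25 15:07:57 5888 ----a-w- c:\windows\system32\drivers\DMLOAD.SYS
"""

SYSTEM32 = "c:\\windows\\system32\\"
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*)$")
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+(?P<size>\d+)\s+"
    r"(?P<attrs>[a-z-]{8})\s+(?P<path>.+)$"
)


@dataclass(frozen=True)
class Finding:
    section: str   # DDS section the line came from
    reason: str    # why it was flagged
    target: str    # service name or file path


def _check_service(line):
    """Flag services whose binary is missing ("[?]") and .sys drivers outside system32\\drivers."""
    m = SERVICE_RE.match(line)
    if not m:
        return []
    name = m.group("name").strip()
    image = m.group("image").strip()
    findings = []
    if image.endswith("[?]"):  # assumption: DDS prints [?] when it cannot stat the image
        findings.append(Finding("services", "service image not found on disk", name))
    image_path = image.lower().split(" [", 1)[0]  # drop the "[date size]" suffix
    if image_path.endswith(".sys") and "\\drivers\\" not in image_path:
        findings.append(Finding("services", "kernel driver loaded from outside system32\\drivers", name))
    return findings


def _check_created(line):
    """Flag recently created files in system32 that are hidden or have no extension."""
    m = CREATED_RE.match(line)
    if not m:
        return []
    attrs, path = m.group("attrs"), m.group("path")
    is_dir = attrs[0] == "d"   # assumption: column 1 is the directory flag
    hidden = attrs[3] == "h"   # assumption: column 4 is the hidden flag
    if is_dir or not path.lower().startswith(SYSTEM32):
        return []
    name = path.rsplit("\\", 1)[-1]
    findings = []
    if hidden:
        findings.append(Finding("created", "hidden file dropped in system32", path))
    if "." not in name:
        findings.append(Finding("created", "extensionless file in system32", path))
    return findings


def triage(log_text):
    """Walk the log, track the current section header, and collect findings."""
    findings = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1).lower()
            continue
        if section.startswith("services"):
            findings.extend(_check_service(line))
        elif section.startswith("created"):
            findings.extend(_check_created(line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}: {f.target}")
```

Run against the sample it reports the four items the thread acts on (gupdate and the -1 file, the hidden jvieSCbad.dll, and the .sys loaded from a Program Files path) and stays quiet about npf.sys, cmdcons and the Trend Micro folder. These are heuristics for where to look first, not a verdict; the Santa Cruz driver flagged here is legitimate sound-card software, which is why a helper still checks each hit by hand.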

Blade81
2010-04-25, 19:03
Hi again,


Open notepad and copy/paste the text in the quotebox below into it:



File::
c:\windows\system32\-1
c:\windows\system32\jvieSCbad.dll
DDS::
uStart Page = about:blank
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {9404901D-06DA-4B23-A0EE-3EA4F64EC9B3} - No File
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
"ntkrELOG"=-



Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows, disable protection and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Adobe Acrobat 4.0 is badly outdated. If you use it for other duties than pdf conversions then you need to replace it with the latest non-vulnerable version.


Uninstall old Adobe Reader versions and get the latest one (9.3 + update 9.3.2) here (http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm). Make sure you don't install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here (http://pdfreaders.org/).

Uninstall your current Shockwave player and get the fresh one here (http://get.adobe.com/shockwave/) if needed.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6 Update 20 (http://java.sun.com/javase/downloads/index.jsp).
Click the Download button to the right.
Select Windows on the platform combobox and check the box that says: Accept License Agreement. Click Continue.

The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u20-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.



Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).


Post back its report, a fresh dds.txt log and the above-mentioned ComboFix resultant log. Also, please run GMER again and post back its report.

mambass
2010-04-25, 19:29
Blade81,

I’m currently running ComboFix on the infected box. I read your instructions but forgot to disable NAV before starting ComboFix. Do you want the log file that it produces on this run or should I wait for it to finish, then disable NAV and then run it again?

Sorry for the botched execution.

George

Blade81
2010-04-25, 19:43
Hi,

If ComboFix is able to finish then log from this current run is ok.

mambass
2010-04-25, 21:06
Blade81,

I’ve included below the ComboFix report, DDS reports and the GMER report.

I have started the Kaspersky online scan. It took around 5 hours to run the other day. I'll post its log when it finishes.

I uninstalled the software that you requested. I’ll defer installation of Adobe Reader until the end of our cleaning process.

The following messages were generated during the uninstallation of Adobe Acrobat 4.0:

---------------------------
Unable to delete folder 'C:\Program Files\Common Files\Adobe\TypeSpt'.
Unable to delete folder 'C:\Program Files\Common Files\Adobe\Web'.
Unable to delete folder 'C:\Program Files\Common Files\Adobe'.
Unable to delete folder 'C:\Program Files\Adobe'.
Unable to delete all subkeys under 'HKEY_CLASSES_ROOT\.pdf'.
Unable to delete all subkeys under 'HKEY_CLASSES_ROOT\AcroExch.Document'.
Unable to delete all subkeys under 'HKEY_CLASSES_ROOT\AcroExch.Document\shell\open\command'.
Unable to delete all subkeys under 'HKEY_CLASSES_ROOT\AcroExch.Document\CLSID'.
Unable to delete all subkeys under 'HKEY_CLASSES_ROOT\.rmf'.
Unable to delete all subkeys under 'HKEY_CLASSES_ROOT\.pdf'.
Unable to delete registry value 'HKEY_CLASSES_ROOT\.pdf\Content Type'.
---------------------------

I did not take any action based on these messages. Please let me know if there’s anything that you’d like me to do related to these messages.

The following messages were generated during the uninstallation of Java 2 Runtime Environment Standard Edition v1.3.1_01:

---------------------------
Unable to delete folder 'C:\Program Files\JavaSoft\JRE\1.3.1_01\lib\applet'.
Unable to delete folder 'C:\Program Files\JavaSoft\JRE\1.3.1_01\lib'.
Unable to delete folder 'C:\Program Files\JavaSoft\JRE\1.3.1_01'.
Unable to delete folder 'C:\Program Files\JavaSoft\JRE'.
Unable to delete folder 'C:\Program Files\JavaSoft'.
Unable to delete all subkeys under 'HKEY_CLASSES_ROOT\.jar'.
Unable to delete all subkeys under 'HKEY_CLASSES_ROOT\jarfile'.
Unable to delete all subkeys under 'HKEY_CLASSES_ROOT\JavaPlugin'.
Unable to delete all subkeys under 'HKEY_CLASSES_ROOT\JavaPlugin\CLSID'.
---------------------------

I did not take any action based on these messages. Please let me know if there’s anything that you’d like me to do related to these messages.

Once again, thank you for all of your help.

George

ComboFix log:

ComboFix 10-04-21.01 - gm 04/25/2010 12:28:07.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.1023.637 [GMT -5:00]
Running from: c:\documents and settings\gm\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\gm\Desktop\CFScript.txt

FILE ::
"c:\windows\system32\-1"
"c:\windows\system32\jvieSCbad.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\-1
c:\windows\system32\jvieSCbad.dll

Infected copy of c:\windows\system32\drivers\DMLOAD.SYS was found and disinfected
Restored copy from - Kitty had a snack :p
c:\windows\system32\d3d9.dll . . . is missing!!

.
((((((((((((((((((((((((( Files Created from 2010-03-25 to 2010-04-25 )))))))))))))))))))))))))))))))
.

2010-04-25 13:33 . 2010-04-25 13:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-04-24 15:10 . 2010-04-24 15:10 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-04-22 18:48 . 2010-04-22 18:48 388096 ----a-r- c:\documents and settings\gm\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-04-22 18:48 . 2010-04-22 18:48 -------- d-----w- c:\program files\Trend Micro
2010-04-22 18:38 . 2010-04-22 18:39 -------- d-----w- c:\program files\ERUNT
2010-04-20 23:27 . 2010-04-20 23:27 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
2010-04-19 19:49 . 2010-04-19 19:49 -------- d-----w- c:\program files\SysinternalsSuite
2010-04-19 16:09 . 2010-04-19 16:10 -------- d-----w- c:\program files\Wireshark
2010-04-18 22:01 . 2010-04-18 22:01 -------- d-----w- c:\program files\WhoIs
2010-04-18 21:46 . 2010-04-18 21:46 -------- d-----w- c:\program files\RootkitRevealer
2010-04-18 21:11 . 2010-04-18 21:11 -------- d-----w- c:\program files\Autoruns
2010-04-18 14:32 . 2010-04-18 14:32 -------- d-----w- c:\documents and settings\gm\Local Settings\Application Data\Temp
2010-04-18 14:27 . 2010-04-18 14:27 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-04-17 10:45 . 2010-04-17 10:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2010-04-04 17:29 . 2010-04-04 17:29 2994016 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Downloads\HRBlockMO.exe
2010-03-28 17:26 . 2010-03-28 17:26 21195208 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Update\US30026901xupd.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-25 17:21 . 2001-08-18 12:00 5888 ----a-w- c:\windows\system32\drivers\DMLOAD.SYS
2010-04-25 17:21 . 2002-06-20 04:27 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-24 00:49 . 2002-12-15 21:44 -------- d-----w- c:\program files\NewsRover
2010-04-20 14:16 . 2007-02-19 19:34 -------- d-----w- c:\program files\ProcessExplorer
2010-04-19 16:10 . 2009-04-29 22:40 -------- d-----w- c:\program files\WinPcap
2010-04-18 16:20 . 2004-11-14 13:31 -------- d-----w- c:\program files\Yahoo!
2010-04-18 15:31 . 2007-05-03 12:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-04-18 15:31 . 2009-04-17 01:46 -------- d-----w- c:\documents and settings\gm\Application Data\Yahoo!
2010-04-18 14:31 . 2005-02-23 22:25 -------- d-----w- c:\documents and settings\gm\Application Data\WeatherBug
2010-04-18 14:26 . 2005-07-26 07:34 -------- d-----w- c:\program files\Googlebad
2010-04-17 09:57 . 2004-07-15 17:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-17 01:56 . 2004-07-15 17:25 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-16 13:29 . 2006-06-24 15:32 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-16 13:29 . 2007-05-14 19:41 -------- d-----w- c:\program files\TD AMERITRADE
2010-03-30 05:45 . 2002-12-22 18:54 -------- d-----w- c:\program files\Pwrchute
2010-03-28 17:25 . 2008-02-10 22:28 -------- d-----w- c:\documents and settings\gm\Application Data\TaxCut
2010-03-25 13:07 . 2002-06-20 04:22 -------- d-----w- c:\program files\PhoneTools
2010-02-08 17:21 . 2005-07-12 18:06 82232 ----a-w- c:\documents and settings\gm\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( SnapShot@2010-04-25_15.31.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-20 14:17 . 2010-04-25 17:25 49152 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2010-04-20 14:17 . 2010-04-25 15:11 49152 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2002-06-20 04:11 . 2010-04-25 17:25 49152 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
- 2002-06-20 04:11 . 2010-04-25 15:11 49152 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2002-06-20 04:11 . 2010-04-25 17:25 49152 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
- 2002-06-20 04:11 . 2010-04-25 15:11 49152 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
+ 2002-11-15 18:31 . 2010-04-25 17:26 213080 c:\windows\SYSTEM32\INETSRV\MetaBase.bin
- 2002-11-15 18:31 . 2010-04-25 15:12 213080 c:\windows\SYSTEM32\INETSRV\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessengerLATER.exex -quiet" [X]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LTWinModem1"="ltmsgLATER.exe 9" [X]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-07-28 4841472]
"DellTouch"="c:\windows\MMKeybd.exe" [2001-09-05 163840]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2003-02-06 77824]
"nwiz"="nwiz.exe" [2003-07-28 323584]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-09-03 84640]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2006-09-06 26248]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-29 583048]
"DaProcExp"="c:\program files\ProcessExplorer\procexp.exe" [2010-04-15 3879288]
"DaWireShark"="c:\program files\Wireshark\wireshark.exe" [2010-03-31 2217984]
"TraySantaCruz"="c:\windows\System32\tbctray.exe" [2002-04-03 290816]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2002-11-20 51200]

c:\documents and settings\gm\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\gm\Start Menu\Programs\Startup\Later
Pandora.lnk - c:\program files\Pandora\Pandora.exe [2009-9-3 95744]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\Later
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-2-16 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-14 241664]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-5-14 53248]
Shortcut to procexp.exe.lnk - c:\program files\ProcessExplorer\procexp.exe [2007-2-19 3879288]
Wireshark.lnk - c:\program files\Wireshark\wireshark.exe [2010-3-31 2217984]

R2 agentcd;DriverAgent Class Driver;c:\windows\SYSTEM32\AgentCD.sys [6/19/2002 11:24 PM 196096]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [4/6/2009 4:05 PM 712048]
R2 Mojave;Dazzle Mojave Device;c:\windows\SYSTEM32\DRIVERS\Mojave.sys [6/19/2002 11:23 PM 119276]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\SYSTEM32\DRIVERS\npf.sys [10/20/2009 1:19 PM 50704]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/5/2008 12:43 PM 99376]
R3 tbcspud;Santa Cruz Driver;c:\windows\SYSTEM32\DRIVERS\tbcspud.sys [7/2/2009 3:21 PM 144768]
R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\SYSTEM32\DRIVERS\tbcwdm.sys [7/2/2009 3:21 PM 545088]
S2 APCPBEServer;APC PBE Server;c:\program files\APC\PowerChute Business Edition\server\pbeserver.exe --> c:\program files\APC\PowerChute Business Edition\server\pbeserver.exe [?]
S2 gupdate;Google Update Service (gupdate);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [4/6/2009 4:05 PM 712048]
S3 vtdg46xx;vtdg46xx;c:\progra~1\TURTLE~1\SANTAC~1\CONTRO~1\vtdg46xx.sys [7/2/2009 3:21 PM 19232]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2010-04-24 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - gm.job
- c:\progra~1\NORTON~2\NORTON~1\Navw32.exe [2006-09-07 05:38]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.8.1/GarminAxControl.CAB
DPF: Microsoft WFC Forms Designer - file://d:\vj98\wfcforms.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: Visual Studio 6 Extensibility Libraries - file://d:\vj98\vstudio6.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-25 12:41
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x872EFAC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7583aac
\Driver\ACPI -> ACPI.sys @ 0xf74e8740
\Driver\atapi -> atapi.sys @ 0xf748f03c
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x8058e444
ParseProcedure -> ntoskrnl.exe @ 0x8055a85b
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x8058e444
ParseProcedure -> ntoskrnl.exe @ 0x8055a85b
NDIS: GVC-REALTEK Ethernet 10/100 PCI Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf73c5630
PacketIndicateHandler -> NDIS.sys @ 0xf73d0480
SendHandler -> NDIS.sys @ 0xf73c5779
user & kernel MBR OK

**************************************************************************
"PBEBackupImagePath"="%SystemRoot%\System32\ups.exe"
"OldImagePath"=" "
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4212676017-2704639424-2437969446-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(872)
c:\windows\system32\ODBC32.dll

- - - - - - - > 'lsass.exe'(928)
c:\windows\System32\dssenh.dll
.
Completion time: 2010-04-25 12:47:37
ComboFix-quarantined-files.txt 2010-04-25 17:47
ComboFix2.txt 2010-04-25 15:40

Pre-Run: 38,121,037,824 bytes free
Post-Run: 38,101,159,936 bytes free

- - End Of File - - CCE0902185665556DBF9F50F5CC5D2C2


DDS.txt:


DDS (Ver_10-03-17.01) - NTFSx86
Run by gm at 13:34:33.17 on Sun 04/25/2010
Internet Explorer: 6.0.2800.1106
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.1023.610 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Netropa\Traymon.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\ProcessExplorer\procexp.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\tbctray.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\System32\ctfmon.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\gm\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = about:blank
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.0\NppBho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32NOMORE.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swgNOMORE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.0\UIBHO.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmes0521.dll
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\WCESCOMM.EXE"
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessengerLATER.exex" -quiet
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [LTWinModem1] ltmsgLATER.exe 9
mRun: [DellTouch] c:\windows\MMKeybd.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [nwiz] nwiz.exe /install
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton internet security\osCheck.exe"
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [DaProcExp] "c:\program files\processexplorer\procexp.exe"
mRun: [DaWireShark] "c:\program files\wireshark\wireshark.exe" -k
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [TraySantaCruz] c:\windows\system32\tbctray.exe
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\gm\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\gm\startm~1\programs\startup\later\pandora.lnk - c:\program files\pandora\Pandora.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\later\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\later\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\later\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\later\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\later\shortc~1.lnk - c:\program files\processexplorer\procexp.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\later\wiresh~1.lnk - c:\program files\wireshark\wireshark.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim95\aim.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\MSMSGS.EXE
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
IE: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - {4C171D40-8277-11D5-AD55-00010333D0AD} - c:\program files\yahoo!\messenger\yhexbmes0521.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.8.1/GarminAxControl.CAB
DPF: Microsoft WFC Forms Designer - file://d:\vj98\wfcforms.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: Visual Studio 6 Extensibility Libraries - file://d:\vj98\vstudio6.cab
DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB
DPF: {00000161-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/msaudio.cab
DPF: {0348CD18-6EFE-415B-AF32-58F08FA29B33}
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {33363249-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/i263_32.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6}
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1271962936562
DPF: {88D969C0-F192-11D4-A65F-0040963251E5} - hxxp://ipgweb.cce.hp.com/rdqna/downloads/msxml4.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://floridakeysmedia.tv/axiscam/Codebase/AxisCamControl.ocx
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37862.531087963
DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B}
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6}
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - c:\program files\microsoft activesync\AATP.DLL
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R2 agentcd;DriverAgent Class Driver;c:\windows\system32\AgentCD.sys [2002-6-19 196096]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2006-9-3 105632]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2006-9-3 105632]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2009-4-6 712048]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2009-4-6 712048]
R2 Mojave;Dazzle Mojave Device;c:\windows\system32\drivers\Mojave.sys [2002-6-19 119276]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2008-3-15 1251720]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-5 99376]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20080924.003\NAVENG.SYS [2008-9-24 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20080924.003\NAVEX15.SYS [2008-9-24 873552]
R3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [2009-7-2 144768]
R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [2009-7-2 545088]
S2 APCPBEServer;APC PBE Server;c:\program files\apc\powerchute business edition\server\pbeserver.exe --> c:\program files\apc\powerchute business edition\server\pbeserver.exe [?]
S2 gupdate;Google Update Service (gupdate);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
S3 vtdg46xx;vtdg46xx;c:\progra~1\turtle~1\santac~1\contro~1\vtdg46xx.sys [2009-7-2 19232]

=============== Created Last 30 ================

2010-04-25 18:24:21 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-04-25 18:24:21 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-25 15:00:40 0 d-sha-r- C:\cmdcons
2010-04-25 14:59:08 98816 ----a-w- c:\windows\sed.exe
2010-04-25 14:59:08 77312 ----a-w- c:\windows\MBR.exe
2010-04-25 14:59:08 261632 ----a-w- c:\windows\PEV.exe
2010-04-25 14:59:08 161792 ----a-w- c:\windows\SWREG.exe
2010-04-22 18:48:41 0 d-----w- c:\program files\Trend Micro
2010-04-22 17:03:39 0 d-----w- c:\windows\pss
2010-04-20 21:25:05 54156 ---ha-w- c:\windows\QTFont.qfn
2010-04-20 21:25:05 1409 ----a-w- c:\windows\QTFont.for
2010-04-19 19:49:05 0 d-----w- c:\program files\SysinternalsSuite
2010-04-19 16:09:31 0 d-----w- c:\program files\Wireshark
2010-04-18 22:01:30 0 d-----w- c:\program files\WhoIs
2010-04-18 21:46:24 0 d-----w- c:\program files\RootkitRevealer
2010-04-18 21:11:08 0 d-----w- c:\program files\Autoruns
2010-04-17 10:45:49 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files

==================== Find3M ====================

2010-04-25 17:21:58 5888 ----a-w- c:\windows\system32\drivers\DMLOAD.SYS
2010-02-04 23:25:19 82232 ----a-w- c:\docume~1\gm\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 13:35:45.87 ===============



Attach.txt:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 6/24/2002 3:54:21 PM
System Uptime: 4/25/2010 1:27:01 PM (0 hours ago)

Motherboard: Dell Computer Corporation | | Dimension 8200
Processor: Intel(R) Pentium(R) 4 CPU 2.53GHz | Microprocessor | 2519/133mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 112 GiB total, 35.285 GiB free.
D: is CDROM (CDFS)
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP2466: 1/25/2010 9:23:53 PM - System Checkpoint
RP2467: 1/26/2010 9:24:11 PM - System Checkpoint
RP2468: 1/27/2010 10:24:12 PM - System Checkpoint
RP2469: 1/28/2010 11:47:50 PM - System Checkpoint
RP2470: 1/30/2010 12:24:21 AM - System Checkpoint
RP2471: 1/31/2010 1:24:34 AM - System Checkpoint
RP2472: 2/1/2010 9:28:12 PM - System Checkpoint
RP2473: 2/8/2010 1:56:30 PM - System Checkpoint
RP2474: 2/9/2010 5:40:54 PM - System Checkpoint
RP2475: 2/11/2010 9:33:16 PM - System Checkpoint
RP2476: 2/13/2010 12:53:31 AM - System Checkpoint
RP2477: 2/14/2010 1:43:31 AM - System Checkpoint
RP2478: 2/15/2010 2:08:36 AM - System Checkpoint
RP2479: 2/16/2010 2:46:22 AM - System Checkpoint
RP2480: 2/17/2010 3:03:20 AM - System Checkpoint
RP2481: 2/18/2010 4:03:22 AM - System Checkpoint
RP2482: 2/18/2010 3:26:52 PM - Installed H&R Block Deluxe + Efile + State 2009.
RP2483: 2/18/2010 3:29:53 PM - Installed DeductionPro 2009
RP2484: 2/21/2010 7:55:48 AM - System Checkpoint
RP2485: 2/22/2010 10:01:27 AM - System Checkpoint
RP2486: 2/23/2010 3:36:11 PM - System Checkpoint
RP2487: 2/24/2010 4:03:28 PM - System Checkpoint
RP2488: 2/25/2010 5:22:55 PM - System Checkpoint
RP2489: 2/26/2010 5:37:35 PM - System Checkpoint
RP2490: 2/27/2010 7:21:38 PM - System Checkpoint
RP2491: 2/28/2010 7:57:07 PM - System Checkpoint
RP2492: 3/1/2010 8:19:04 PM - System Checkpoint
RP2493: 3/2/2010 9:09:26 PM - System Checkpoint
RP2494: 3/3/2010 9:47:19 PM - System Checkpoint
RP2495: 3/4/2010 10:47:21 PM - System Checkpoint
RP2496: 3/5/2010 11:47:21 PM - System Checkpoint
RP2497: 3/7/2010 12:47:21 AM - System Checkpoint
RP2498: 3/8/2010 1:47:21 AM - System Checkpoint
RP2499: 3/9/2010 2:46:15 AM - System Checkpoint
RP2500: 3/10/2010 2:47:22 AM - System Checkpoint
RP2501: 3/11/2010 2:58:12 AM - System Checkpoint
RP2502: 3/12/2010 1:54:44 PM - System Checkpoint
RP2503: 3/13/2010 1:58:58 PM - System Checkpoint
RP2504: 3/14/2010 3:01:02 PM - System Checkpoint
RP2505: 3/15/2010 4:04:15 PM - System Checkpoint
RP2506: 3/16/2010 4:10:14 PM - System Checkpoint
RP2507: 3/17/2010 8:36:58 PM - System Checkpoint
RP2508: 3/19/2010 10:16:20 AM - System Checkpoint
RP2509: 3/21/2010 3:54:32 PM - System Checkpoint
RP2510: 3/22/2010 5:00:37 PM - System Checkpoint
RP2511: 3/24/2010 5:24:08 PM - System Checkpoint
RP2512: 3/25/2010 6:05:07 PM - System Checkpoint
RP2513: 3/26/2010 8:01:32 PM - System Checkpoint
RP2514: 3/28/2010 7:07:49 PM - System Checkpoint
RP2515: 3/29/2010 7:48:47 PM - System Checkpoint
RP2516: 3/30/2010 8:19:10 PM - System Checkpoint
RP2517: 3/31/2010 9:15:17 PM - System Checkpoint
RP2518: 4/1/2010 9:48:44 PM - System Checkpoint
RP2519: 4/2/2010 10:03:19 PM - System Checkpoint
RP2520: 4/3/2010 11:20:19 PM - System Checkpoint
RP2521: 4/4/2010 12:30:01 PM - Installed H&R Block Missouri 2009.
RP2522: 4/5/2010 7:14:54 PM - System Checkpoint
RP2523: 4/6/2010 11:39:52 PM - System Checkpoint
RP2524: 4/8/2010 11:47:04 AM - System Checkpoint
RP2525: 4/9/2010 11:53:14 AM - System Checkpoint
RP2526: 4/10/2010 12:13:16 PM - System Checkpoint
RP2527: 4/11/2010 1:01:18 PM - System Checkpoint
RP2528: 4/12/2010 1:50:47 PM - System Checkpoint
RP2529: 4/13/2010 4:57:31 PM - System Checkpoint
RP2530: 4/14/2010 5:27:20 PM - System Checkpoint
RP2531: 4/15/2010 6:30:30 PM - System Checkpoint
RP2532: 4/17/2010 10:04:17 AM - System Checkpoint
RP2533: 4/18/2010 12:28:44 PM - System Checkpoint
RP2534: 4/19/2010 5:40:02 PM - System Checkpoint
RP2535: 4/20/2010 10:09:01 PM - System Checkpoint
RP2536: 4/22/2010 1:48:40 PM - Installed HiJackThis
RP2537: 4/24/2010 2:00:25 AM - System Checkpoint
RP2538: 4/25/2010 2:34:19 AM - System Checkpoint
RP2539: 4/25/2010 1:06:24 PM - Removed J2SE Runtime Environment 5.0 Update 7
RP2540: 4/25/2010 1:09:51 PM - Removed Java(TM) SE Runtime Environment 6 Update 1
RP2541: 4/25/2010 1:16:48 PM - Removed Adobe Reader 7.0.8
RP2542: 4/25/2010 1:18:45 PM - Removed Shockwave Player
RP2543: 4/25/2010 1:23:47 PM - Installed Java(TM) 6 Update 20

==== Installed Programs ======================

ABBYY FineReader 5.0 Sprint
Adobe AIR
Adobe Download Manager 1.2 (Remove Only)
Adobe Photoshop Album 2.0 Starter Edition
Adobe Photoshop Elements 2.0
AOL Instant Messenger
APC PowerChute Business Edition Agent
APC PowerChute Business Edition Console
APC PowerChute Business Edition Server
AppCore
Atomic Clock Sync
AV
Borland C++ 5.02
ccCommon
CDMaster32
CreativeProjects
CreativeProjectsTemplates
CueTour
DeductionPro 2003
DeductionPro 2004-05
DeductionPro 2005-06
DeductionPro 2006
DeductionPro 2007
DeductionPro 2008
DeductionPro 2009
Dell | Support
Dell Picture Studio - Image Expert 2000
Dell Solution Center
DellTouch
Destinations
Director
DivX Codec
Easy CD Creator 5 Basic
EPSON Copy Utility
EPSON Photo Print
EPSON Scan
EPSON Smart Panel
ERUNT 1.1j
Family Lawyer 2000
Forté Agent
GanttProject 2.0.9
Garmin City Navigator North America NT 2010.10 Update
Garmin POI Loader
Google Earth
Google Toolbar for Internet Explorer
Google Update Helper
GoToMeeting 4.0.0.320
H&R Block Deluxe + Efile + State 2009
H&R Block Missouri 2009
Help and Support Customization
HiJackThis
HP Deskjet 6800
HP Diagnostic Assistant
HP Photo & Imaging 4.1
HP Update
HPSystemDiagnostics
IE2K
InstantShare
Intel Processor Frequency ID Utility
InterActual Player
iolo technologies' Search and Recover
Island Hopper Scenario A
Java Auto Updater
Java(TM) 6 Update 20
Legal Search
LiveUpdate 3.1 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Lucent Win Modem
MapSource
MapSource - City Select North America v7
MGI VideoWave 4
Microsoft .NET Framework 1.1
Microsoft ActiveSync 3.7
Microsoft Assembler Version 6.15
Microsoft Data Access Components KB870669
Microsoft FrontPage 2002
Microsoft Interactive Training
Microsoft Money 2005
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office XP Media Content
Microsoft Office XP Professional
Microsoft Publisher 2002
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual J++ 6.0
Microsoft Visual Studio 6.0 Professional Edition
MindSpring PipeLine+ 2.60-32
Miro
Modem Helper
Movie Studio 2 Hardware
MSDN Library - Visual Studio 6.0a
MSN Add-in for Windows Messenger
MSN Music Assistant
MSRedist
MUSICMATCH Jukebox
MyDVD
News Rover
Norton AntiVirus
Norton Confidential Browser Component
Norton Confidential Web Protection Component
Norton Internet Security
Norton Internet Security (Symantec Corporation)
Norton Protection Center
NVIDIA Windows 2000/XP Display Drivers
Overland
Pandora
Pdf995 (installed by TaxCut)
PdfEdit995 (installed by TaxCut)
PhoneTools
PowerChute plus 5.2
PowerDVD
Presto! BizCard 4.1 Eng
PrintScreen
QFolder
QuickProjects
QuickTime
RealPlayer
Realtek RTL8139 Diagnostics Program
Santa Cruz
ScanToWeb
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905495)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB914798)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917537)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924496)
SkinsHP1
SmartDraw 7 Trial Edition
SPBBC 32bit
Spybot - Search & Destroy
SpywareBlaster v3.2
Street Atlas USA 4.0
Symantec KB-DocID:2003093015493306
Symantec Real Time Storage Protection Component
Symantec Technical Support Web Controls
SymNet
TaxCut 2003
TaxCut 2004
TaxCut Deluxe 2005
TaxCut Missouri 2007
TaxCut Missouri 2008
TaxCut Premium + State + Efile 2008
TaxCut Premium + State 2007
TaxCut Premium 2006
TD AMERITRADE StrategyDesk 1.2
TD AMERITRADE StrategyDesk 1.3
TD AMERITRADE StrategyDesk 2.0
TD AMERITRADE StrategyDesk 2.1
TD AMERITRADE StrategyDesk 2.2
TD AMERITRADE StrategyDesk 2.3
TD AMERITRADE StrategyDesk 3.3_2 (C:\Program Files\TD AMERITRADE\StrategyDesk)
TD AMERITRADE StrategyDesk 3.4_3 (C:\Program Files\TD AMERITRADE\StrategyDesk)
The Plain-Language Law Dictionary
TrayApp
Update for Windows XP (KB835409)
Update for Windows XP (KB898461)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
VBA & Macros for Excel Project Files
VideoLAN VLC media player 0.7.2
Viewpoint Manager (Remove Only)
Viewpoint Media Player (Remove Only)
vr3d
WeatherBug
WebEx
WebFldrs XP
WebReg
Windows Installer 3.1 (KB893803)
Windows Installer Clean Up
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player Hotfix [See wm828026 for more information]
Windows XP Hotfix - KB810217
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB824141
Windows XP Hotfix - KB824146
Windows XP Hotfix - KB824151
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB826939
Windows XP Hotfix - KB828028
Windows XP Hotfix - KB828035
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB837001
Windows XP Hotfix - KB839643
Windows XP Hotfix - KB839645
Windows XP Hotfix - KB840315
Windows XP Hotfix - KB840374
Windows XP Hotfix - KB841873
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892944
Windows XP Hotfix - KB911567
Windows XP Hotfix - KB918439
Windows XP Hotfix - KB918899
Windows XP Hotfix - KB925486
Windows XP Hotfix (SP2) Q811114
Windows XP Hotfix (SP2) Q819696
Windows XP Service Pack 1a
WinMX
WinPcap 4.1.1
WinZip
Wireshark 1.2.7
XviD MPEG-4 Video Codec
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Messenger Explorer Bar

==== Event Viewer Messages From Past Week ========

4/25/2010 7:26:43 AM, error: Service Control Manager [7000] - The iolo FileInfoList Service service failed to start due to the following error: The executable program that this service is configured to run in does not implement the service.
4/25/2010 5:55:20 AM, error: Service Control Manager [7001] - The Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) service depends on the Remote Access Connection Manager service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
4/25/2010 5:12:19 AM, error: Service Control Manager [7000] - The wscsvc service failed to start due to the following error: The executable program that this service is configured to run in does not implement the service.
4/25/2010 2:57:26 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
4/25/2010 2:56:28 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
4/25/2010 2:50:54 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: eeCtrl FileDisk Fips Processor SPBBCDrv SRTSPL SRTSPX SYMTDI
4/25/2010 2:50:54 AM, error: Service Control Manager [7001] - The World Wide Web Publishing service depends on the IIS Admin service which failed to start because of the following error: The dependency service or group failed to start.
4/25/2010 2:50:54 AM, error: Service Control Manager [7001] - The Simple Mail Transfer Protocol (SMTP) service depends on the IIS Admin service which failed to start because of the following error: The dependency service or group failed to start.
4/25/2010 2:50:54 AM, error: Service Control Manager [7001] - The FTP Publishing service depends on the IIS Admin service which failed to start because of the following error: The dependency service or group failed to start.
4/25/2010 2:49:13 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
4/22/2010 6:08:15 AM, error: Service Control Manager [7001] - The World Wide Web Publishing service depends on the IIS Admin service which failed to start because of the following error: The executable program that this service is configured to run in does not implement the service.
4/22/2010 6:08:15 AM, error: Service Control Manager [7001] - The Simple Mail Transfer Protocol (SMTP) service depends on the IIS Admin service which failed to start because of the following error: The executable program that this service is configured to run in does not implement the service.
4/22/2010 6:08:15 AM, error: Service Control Manager [7001] - The FTP Publishing service depends on the IIS Admin service which failed to start because of the following error: The executable program that this service is configured to run in does not implement the service.
4/22/2010 6:08:15 AM, error: Service Control Manager [7000] - The IIS Admin service failed to start due to the following error: The executable program that this service is configured to run in does not implement the service.
4/20/2010 8:40:35 AM, error: BROWSER [8007] - The browser was unable to update the service status bits. The data is the error.
4/20/2010 4:50:56 PM, information: Windows File Protection [64017] - Windows File Protection file scan completed successfully.
4/20/2010 4:39:28 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\oembios.sig has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 0.0.0.1.
4/20/2010 4:39:28 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\oembios.dat has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 0.0.0.1.
4/20/2010 4:39:28 PM, information: Windows File Protection [64004] - The protected system file c:\windows\system32\oembios.sig could not be restored to its original, valid version. The file version of the bad file is 0.0.0.1 The specific error code is 0x800b0100 [No signature was present in the subject. ].
4/20/2010 4:39:28 PM, information: Windows File Protection [64004] - The protected system file c:\windows\system32\oembios.dat could not be restored to its original, valid version. The file version of the bad file is 0.0.0.1 The specific error code is 0x800b0100 [No signature was present in the subject. ].
4/20/2010 4:39:27 PM, information: Windows File Protection [64004] - The protected system file c:\windows\system32\oembios.bin could not be restored to its original, valid version. The file version of the bad file is 0.0.0.1 The specific error code is 0x800b0100 [No signature was present in the subject. ].
4/20/2010 4:39:26 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\oembios.bin has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 0.0.0.1.
4/20/2010 4:38:52 PM, information: Windows File Protection [64016] - Windows File Protection file scan was started.
4/20/2010 4:37:55 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Automatic LiveUpdate Scheduler service to connect.
4/20/2010 4:37:55 AM, error: Service Control Manager [7003] - The SRTSP service depends on the following nonexistent service: FltMgr
4/20/2010 4:37:55 AM, error: Service Control Manager [7000] - The Google Update Service (gupdate) service failed to start due to the following error: The system cannot find the path specified.
4/20/2010 4:37:55 AM, error: Service Control Manager [7000] - The Automatic LiveUpdate Scheduler service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
4/20/2010 4:37:55 AM, error: Service Control Manager [7000] - The APC PBE Server service failed to start due to the following error: The system cannot find the file specified.
4/20/2010 4:36:55 AM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
4/20/2010 4:36:55 AM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
4/20/2010 4:15:13 AM, error: Dhcp [1002] - The IP address lease 192.168.1.102 for the Network Card with network address 929526FAAD7B has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
4/20/2010 3:03:40 PM, error: DCOM [10009] - DCOM was unable to communicate with the computer D using any of the configured protocols.
4/19/2010 9:36:22 AM, error: Dhcp [1002] - The IP address lease 192.168.1.100 for the Network Card with network address 929526FAAD7B has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
4/19/2010 8:04:15 AM, error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.1.100 with the system having network hardware address 00:18:DE:86:97:A9. Network operations on this system may be disrupted as a result.
4/19/2010 6:13:36 AM, error: Dhcp [1002] - The IP address lease 192.168.1.104 for the Network Card with network address 929526FAAD7B has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
4/19/2010 2:26:11 PM, error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.1.102 with the system having network hardware address 00:25:A0:70:AA:E9. Network operations on this system may be disrupted as a result.
4/19/2010 10:45:07 AM, error: DCOM [10002] - Access denied attempting to launch a DCOM Server. The server is: {0C0A3666-30C9-11D0-8F20-00805F2CD064} The user is IWAM_DMAIN/DMAIN, SID=S-1-5-21-4212676017-2704639424-2437969446-1008.
4/19/2010 10:22:34 AM, error: Service Control Manager [7023] - The Machine Debug Manager service terminated with the following error: The class is configured to run as a security id different from the caller
4/18/2010 5:00:49 PM, error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.1.100 with the system having network hardware address 00:90:4B:F5:A0:69. Network operations on this system may be disrupted as a result.
4/18/2010 4:30:50 AM, error: Service Control Manager [7023] - The Google Update Service (gupdate) service terminated with the following error: The class is configured to run as a security id different from the caller
4/18/2010 3:36:29 AM, error: Dhcp [1002] - The IP address lease 192.168.1.105 for the Network Card with network address 929526FAAD7B has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
4/18/2010 2:16:56 PM, error: Service Control Manager [7005] - The RpcImpersonateClient call failed with the following error: No security context is available to allow impersonation.

==== End Of File ===========================



GMER report:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-25 13:44:34
Windows 5.1.2600 Service Pack 1
Running: 35wodyyo.exe; Driver: C:\DOCUME~1\gm\LOCALS~1\Temp\axtdapod.sys


---- System - GMER 1.0.15 ----

SSDT 86E74A50 ZwAlertResumeThread
SSDT 870918B8 ZwAlertThread
SSDT 87044DA0 ZwAllocateVirtualMemory
SSDT 87068FB0 ZwConnectPort
SSDT \??\C:\WINDOWS\System32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xADC83EB0]
SSDT 86E507C0 ZwCreateMutant
SSDT 871463D0 ZwCreateThread
SSDT \??\C:\WINDOWS\System32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xADC84130]
SSDT \??\C:\WINDOWS\System32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xADC84690]
SSDT 87056CC8 ZwFreeVirtualMemory
SSDT 86F57448 ZwImpersonateAnonymousToken
SSDT 86E76E78 ZwImpersonateThread
SSDT 871F0BA8 ZwMapViewOfSection
SSDT 86E6ABE8 ZwOpenEvent
SSDT 86E76A50 ZwOpenProcessToken
SSDT 86DCEA58 ZwOpenThreadToken
SSDT 86DE9C48 ZwResumeThread
SSDT 8718FAF0 ZwSetContextThread
SSDT 86DBBA18 ZwSetInformationProcess
SSDT 87129AB8 ZwSetInformationThread
SSDT \??\C:\WINDOWS\System32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xADC848E0]
SSDT 86E68A50 ZwSuspendProcess
SSDT 86F1BE78 ZwSuspendThread
SSDT 86F04E78 ZwTerminateProcess
SSDT 870B47C0 ZwTerminateThread
SSDT 8700A818 ZwUnmapViewOfSection
SSDT 87054AE8 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 20E 804DE7C0 4 Bytes CALL EFD4CE70
.text ntoskrnl.exe!_abnormal_termination + 24A 804DE7FC 4 Bytes JMP 5B8586DC
.text ntoskrnl.exe!_abnormal_termination + 49A 804DEA4C 4 Bytes CALL 34D4EF9B
.rsrc C:\WINDOWS\system32\drivers\dmload.sys entry point in ".rsrc" section [0xF7A36114]
.text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xF259E340, 0xFFF3F, 0xF8000020]
.text C:\WINDOWS\System32\nv4_disp.dll section is writeable [0xBF9B8300, 0x234A20, 0xF8000020]
? C:\WINDOWS\System32\Drivers\PROCEXP141.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1240] ntdll.dll!NtProtectVirtualMemory 77F5BCC8 5 Bytes JMP 006C000A
.text C:\WINDOWS\System32\svchost.exe[1240] ntdll.dll!NtWriteVirtualMemory 77F5C588 5 Bytes JMP 006D000A
.text C:\WINDOWS\System32\svchost.exe[1240] ntdll.dll!KiUserExceptionDispatcher 77F75DAC 5 Bytes JMP 0066000C
.text C:\WINDOWS\System32\svchost.exe[1240] ole32.dll!CoCreateInstance 4FEDF9E6 5 Bytes JMP 00FE000B
.text C:\WINDOWS\System32\svchost.exe[1240] USER32.dll!GetCursorPos 77D48DF4 5 Bytes JMP 00FF000B
.text C:\WINDOWS\Explorer.EXE[1960] ntdll.dll!NtProtectVirtualMemory 77F5BCC8 5 Bytes JMP 0097000A
.text C:\WINDOWS\Explorer.EXE[1960] ntdll.dll!NtWriteVirtualMemory 77F5C588 5 Bytes JMP 0098000A
.text C:\WINDOWS\Explorer.EXE[1960] ntdll.dll!KiUserExceptionDispatcher 77F75DAC 5 Bytes JMP 0096000C
.text C:\Program Files\internet explorer\iexplore.exe[2900] ntdll.dll!NtProtectVirtualMemory 77F5BCC8 5 Bytes JMP 00A5000A
.text C:\Program Files\internet explorer\iexplore.exe[2900] ntdll.dll!NtWriteVirtualMemory 77F5C588 5 Bytes JMP 00A6000A
.text C:\Program Files\internet explorer\iexplore.exe[2900] ntdll.dll!KiUserExceptionDispatcher 77F75DAC 5 Bytes JMP 00A4000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 872EFAC8

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\dmload.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

mambass
2010-04-26, 01:55
Blade81,

Below is the Kaspersky report. My previous post contains the other reports that you requested.

I hope you got a good night's rest. You seem to work long hours here!

Thanks again,

George


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, April 25, 2010
Operating system: Microsoft Windows XP Professional Service Pack 1 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, April 25, 2010 17:10:26
Records in database: 3980805
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Objects scanned: 161075
Threats found: 8
Infected objects found: 18
Suspicious objects found: 4
Scan duration: 04:28:12


File name / Threat / Threats count
C:\Documents and Settings\gm\Local Settings\Application Data\avebad.exe.xxx Infected: Packed.Win32.Katusha.j 1
C:\Documents and Settings\gm\Local Settings\Application Data\Microsoft\Outlook\OldOutlook.pst Infected: Trojan-Spy.HTML.Citifraud.ai 5
C:\Documents and Settings\gm\Local Settings\Application Data\Microsoft\Outlook\OldOutlook.pst Infected: Trojan-Spy.HTML.Citifraud.ae 1
C:\Documents and Settings\gm\Local Settings\Application Data\Microsoft\Outlook\OldOutlook.pst Infected: Trojan-Spy.HTML.Bankfraud.u 1
C:\Documents and Settings\gm\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Infected: Trojan-Spy.HTML.Citifraud.ai 5
C:\Documents and Settings\gm\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Infected: Trojan-Spy.HTML.Citifraud.ae 1
C:\Documents and Settings\gm\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Infected: Trojan-Spy.HTML.Bankfraud.u 1
C:\Eudora\mambaman\In.mbx Suspicious: Exploit.HTML.Iframe.FileDownload 1
C:\Eudora\Trash.mbx Suspicious: Exploit.HTML.Iframe.FileDownload 3
C:\Program Files\AWS\WeatherBug\WeatherBugInstall.exe Infected: not-a-virus:AdWare.Win32.MyWay.j 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\DMLOAD.SYS.vir Infected: Rootkit.Win32.TDSS.ap 1
C:\WINDOWS\SYSTEM32\Macromed\AUTHORWA\NP32ASW\AW65\cCopyFile.u32 Infected: Trojan.Win32.Genome.dkpu 1

Selected area has been scanned.

Blade81
2010-04-26, 15:07
Hi,

Click start->run->type cmd.exe and press enter. Copy-paste the following code box content into the command prompt window (the window will close itself when finished):

copy %systemroot%\system32\drivers\dmload.sys %systemroot%
echo copy dmload.sys system32\drivers>%systemroot%\fix.bat
echo del dmload.sys>>%systemroot%\fix.bat
exit
cls

The next steps should be printed out since you won't be able to access them from the recovery console.

1. Restart your computer
2. Before Windows loads, you will be prompted to choose which Operating System to start
3. Use the up and down arrow key to select Microsoft Windows Recovery Console
4. You must enter which Windows installation to log onto. Type 2 and press enter.
5. At the C:\Windows prompt, type the following bolded text, and press Enter:

batch fix.bat

6. At the next prompt, type the following bolded text, and press Enter:

exit

Windows will now begin loading. Run GMER again and post back its report.

mambass
2010-04-26, 15:17
Blade81,

When prompted to enter the installation number I entered 2 and pressed the Enter key. The Recovery Console then responded with "Invalid selection. Please select a valid installation number." and once again prompted for an installation number to be entered. I entered 2 again and got the same response.

I'm still at that point on the infected box. Next step?

George

Blade81
2010-04-26, 15:28
Does it let you enter 1?

mambass
2010-04-26, 15:38
Blade81,

1 worked. The GMER report follows.

George

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-26 08:41:03
Windows 5.1.2600 Service Pack 1
Running: 35wodyyo.exe; Driver: C:\DOCUME~1\gm\LOCALS~1\Temp\axtdapod.sys


---- System - GMER 1.0.15 ----

SSDT 870CE058 ZwAlertResumeThread
SSDT 87091058 ZwAlertThread
SSDT 872DA688 ZwAllocateVirtualMemory
SSDT 8717A810 ZwConnectPort
SSDT \??\C:\WINDOWS\System32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xEC58AEB0]
SSDT 871B2070 ZwCreateMutant
SSDT 871AB9C0 ZwCreateThread
SSDT \??\C:\WINDOWS\System32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xEC58B130]
SSDT \??\C:\WINDOWS\System32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xEC58B690]
SSDT 860DDF78 ZwFreeVirtualMemory
SSDT 870D0058 ZwImpersonateAnonymousToken
SSDT 870B9058 ZwImpersonateThread
SSDT 872836D8 ZwMapViewOfSection
SSDT 87361058 ZwOpenEvent
SSDT 871A5DE8 ZwOpenProcessToken
SSDT 873A0788 ZwOpenThreadToken
SSDT 8726C1D0 ZwResumeThread
SSDT 8726B058 ZwSetContextThread
SSDT 871B27D0 ZwSetInformationProcess
SSDT 87181218 ZwSetInformationThread
SSDT \??\C:\WINDOWS\System32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xEC58B8E0]
SSDT 870AA058 ZwSuspendProcess
SSDT 870CB1E8 ZwSuspendThread
SSDT 8715F118 ZwTerminateProcess
SSDT 8715F3C8 ZwTerminateThread
SSDT 870A6E78 ZwUnmapViewOfSection
SSDT 87177298 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 142 804DE6F4 2 Bytes [30, B1]
.text ntoskrnl.exe!_abnormal_termination + 145 804DE6F7 1 Byte [EC]
.text ntoskrnl.exe!_abnormal_termination + 232 804DE7E4 4 Bytes CALL 31D50246
.text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xF6B3F340, 0xFFF3F, 0xF8000020]
.text C:\WINDOWS\System32\nv4_disp.dll section is writeable [0xBF9B8300, 0x234A20, 0xF8000020]
? C:\WINDOWS\System32\Drivers\PROCEXP141.SYS The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \FileSystem\Fastfat \Fat B7F85143

AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

---- EOF - GMER 1.0.15 ----

Blade81
2010-04-26, 15:49
Good. Let's get back to those earlier results now.


Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

Delete this file if found:
C:\Documents and Settings\gm\Local Settings\Application Data\avebad.exe.xxx

Then you should check email messages in these two post files and delete suspicious looking messages if found:
C:\Documents and Settings\gm\Local Settings\Application Data\Microsoft\Outlook\OldOutlook.pst
C:\Documents and Settings\gm\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst
C:\Eudora\mambaman\In.mbx
C:\Eudora\Trash.mbx (probably better to empty this whole trash mailbox)

What is the issue status now?

mambass
2010-04-26, 17:16
Blade81,

The first thing I noticed was that it’s a lot faster now!

Going back to my original post:

Most of the problems have been resolved.

I can now access the Microsoft Update web page. I assume that updating to SP3 will be a high priority once this thread is closed since that will be a prerequisite to upgrading my AV software.

I haven’t seen any pop-ups that I had been getting when Googling topics like Spybot or Norton Antivirus.

I’m no longer seeing any Internet connections to the sites in India and Russia.

One major annoying problem that I never mentioned has also been resolved; closing IE now results in the termination of the process whereas before the window disappeared but the process remained.

The problem whereby something tries to change the value of registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer from a DWORD value of x00000091 to a Binary 91 00 00 00 is still present. When I tell TeaTimer to deny the change and remember the decision, the attempt is repeated at 1 second intervals. The log entry is:

4/26/2010 9:35:05 AM Denied (based on user blacklist) value "NoDriveTypeAutoRun" (new data: "hex:91,00,00,") changed in System Startup user entry!

Using Process Explorer, it would appear that the Explorer.exe process is the entity that is trying to change the registry entry. I see regular activity in the Explorer.exe process when I let TeaTimer block the change which is attempted at 1 second intervals. That activity basically disappears when I remove the TeaTimer rule and let it prompt me for Allow/Deny. Within the Explorer.exe process, it would appear that the activity is taking place within the thread with start address SHLWAPI.dll!Ordinal541+0xfe.

The effect of this appears to be that of disabling the autostart function when I load a CD. Compared with the issues that you’ve resolved, this is fairly minor. On the other hand, it would appear to be something that shouldn’t be happening and maybe there are other things happening as well that we’re not seeing.

Do you have any suggestions?

George
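An added example, not code from the thread or from any tool named in it: a small Python analyser for TeaTimer log lines of the shape George quotes. It decodes the NoDriveTypeAutoRun bitmask carried in the "hex:91,00,00," data (a REG_BINARY write of a value that is normally REG_DWORD) and flags runs of denied writes a second or two apart, the pattern of a process re-applying a setting in a loop rather than a one-off change. The line format is assumed from the two lines quoted in the thread; the sample log is constructed, with its first two lines taken from the thread and the rest made up.

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta

# Bits of the Explorer policy value NoDriveTypeAutoRun: a set bit disables
# AutoRun for that drive class. 0x91 (= 0x80 | 0x10 | 0x01) is the XP default.
DRIVE_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x02: "DRIVE_NO_ROOT_DIR",
    0x04: "DRIVE_REMOVABLE",
    0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE",
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "RESERVED_UNKNOWN",
}

# Shape of a TeaTimer log line as quoted in the thread (assumed to be stable):
#   <m/d/yyyy h:mm:ss AM> Denied (based on ...) value "X" (new data: "...") changed in <where>!
LINE_RE = re.compile(
    r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) '
    r'(?P<verdict>Allowed|Denied) \(based on (?P<basis>[^)]*)\) '
    r'value "(?P<value>[^"]*)" \(new data: "(?P<data>[^"]*)"\) '
    r'(?P<action>changed|deleted) in (?P<location>.+?)!$'
)

# One parsed TeaTimer event.
TeaTimerEvent = namedtuple("TeaTimerEvent", "when verdict basis value data action location")


def parse_teatimer(text):
    """Parse TeaTimer lines; lines not matching the known shape are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(TeaTimerEvent(
                datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p"),
                m["verdict"], m["basis"], m["value"], m["data"],
                m["action"], m["location"]))
    return events


def mask_from_teatimer_data(data):
    """Convert TeaTimer's 'hex:91,00,00,' rendering of a REG_BINARY write into
    an integer (bytes are listed little-endian). Other renderings return None."""
    kind, _, body = data.partition(":")
    if kind != "hex":
        return None
    raw = bytes(int(b, 16) for b in body.split(",") if b)
    return int.from_bytes(raw, "little") if raw else None


def decode_mask(mask):
    """Drive classes whose AutoRun the mask disables, lowest bit first."""
    return [name for bit, name in sorted(DRIVE_BITS.items()) if mask & bit]


def find_bursts(events, value_name, max_gap=timedelta(seconds=2), min_run=3):
    """Runs of Denied writes to one value spaced at most max_gap apart: several
    denials a second apart mean a process re-applies the setting in a loop."""
    hits = sorted(e.when for e in events
                  if e.value == value_name and e.verdict == "Denied")
    bursts, start, count, prev = [], None, 0, None
    for t in hits:
        if prev is not None and t - prev <= max_gap:
            count += 1
        else:
            if count >= min_run:
                bursts.append((start, count))
            start, count = t, 1
        prev = t
    if count >= min_run:
        bursts.append((start, count))
    return bursts


def analyse(text):
    """Findings for a TeaTimer log: REG_BINARY rewrites of the AutoRun policy
    (the value is normally REG_DWORD) and tight loops of denied attempts."""
    events = parse_teatimer(text)
    out = []
    for e in events:
        mask = mask_from_teatimer_data(e.data)
        if e.value == "NoDriveTypeAutoRun" and mask is not None:
            out.append(f"{e.when:%Y-%m-%d %H:%M:%S} REG_BINARY write of "
                       f"{e.value}, mask 0x{mask:02X} would disable AutoRun on "
                       f"{', '.join(decode_mask(mask))}")
    for start, n in find_bursts(events, "NoDriveTypeAutoRun"):
        out.append(f"{start:%Y-%m-%d %H:%M:%S} {n} denied writes within 2 s of "
                   f"each other: a process is re-applying the setting")
    return out


# Constructed sample: the first two lines are quoted from the thread, the
# remaining three are made up to show the one-second repetition described.
SAMPLE_LOG = """\
4/21/2010 4:59:44 PM Denied (based on user decision) value "NoDriveTypeAutoRun" (new data: "hex:91,00,00,") changed in System Startup user entry!
4/22/2010 2:35:31 PM Allowed (based on user decision) value "{53707962-6F74-2D53-2644-206D7942484F}" (new data: "") deleted in Browser Helper Object!
4/26/2010 9:35:05 AM Denied (based on user blacklist) value "NoDriveTypeAutoRun" (new data: "hex:91,00,00,") changed in System Startup user entry!
4/26/2010 9:35:06 AM Denied (based on user blacklist) value "NoDriveTypeAutoRun" (new data: "hex:91,00,00,") changed in System Startup user entry!
4/26/2010 9:35:07 AM Denied (based on user blacklist) value "NoDriveTypeAutoRun" (new data: "hex:91,00,00,") changed in System Startup user entry!
"""
```

Running `analyse(SAMPLE_LOG)` on the sample reports four REG_BINARY writes of mask 0x91 (DRIVE_UNKNOWN, DRIVE_REMOTE, RESERVED_UNKNOWN) and one burst of three denials starting 2010-04-26 09:35:05.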

Blade81
2010-04-26, 17:21
Hi,

If there are no other issues left among those mentioned, then I'd try to install SP3 before looking into other possible issues (if any still remain after SP3). Take the steps below first.

Uninstall ComboFix:

Click START then RUN
Now copy-paste Combofix /uninstall in the runbox and click OK



Please download OTC (http://oldtimer.geekstogo.com/OTC.exe) and save it to desktop.

Double-click OTC.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.


Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

mambass
2010-04-26, 19:13
Blade81,

Combofix has been uninstalled and OTC has been run.

I'm going to defrag my disk and then begin the process of upgrading to SP3 and then installing current AV (I have it here but couldn't install it because I was still on SP1).

If the NoDriveTypeAutoRun issue still exists after the upgrade then I'll open a new thread in the forum.

It's hard to find the words appropriate to thank you for your help. I'll elaborate on this a bit more in the Waiting Room's "Thank You" thread.

If you ever find yourself visiting Kansas City, Missouri (and why you would is beyond me) then shoot me a note and we'll show you the town!

Take care,

George

Blade81
2010-04-26, 20:24
You're welcome George :)

I leave the topic open for a few days so you may post back how SP installation went.


If you ever find yourself visiting Kansas City, Missouri (and why you would is beyond me) then shoot me a note and we'll show you the town!

Thanks. Shall keep that in my mind! :D

mambass
2010-04-28, 02:26
Blade81,

The box is up-to-date with Microsoft upgrades and AV and new versions of some other layered products (SP3 got installed on the 3rd try after having problems due to a security setting on a registry entry). A full AV scan only detected and cleaned the Trojan.Win32.Genome.dkpu virus that was reported in the Kaspersky scan that you had me run.

The problem with Explorer attempting to change the registry entry has disappeared however the autorun function still doesn’t work. I went through the steps recommended in Microsoft’s article on how to get it to work but it still doesn’t work. It’s no big deal now that I’m no longer concerned about some malicious code being present on the system.

Once again, thank you for being there and for making it possible for me to enjoy the use of the machine without having to reformat the disk and lose everything that has accumulated on the box over the past 8 years!

George

Blade81
2010-04-28, 09:18
Hi,

Malware authors have begun to exploit the autorun/autoplay feature, so the author of ComboFix, in an effort to help protect your computer from becoming infected via that avenue, configured ComboFix to disable it. Many security apps disable it as well, and even Microsoft recommends disabling it. Disabling autorun/autoplay does not prevent you from accessing those media sources. They are still available by opening My Computer and accessing the source drive (cd, dvd, usb flash or external harddrive). Pictures on a camera can still be accessed/transfered through My Pictures and selecting Get Pictures from a Scanner or Camera. Media can also be accessed via the program you intend to use it with, such as music cds accessed via Media Player, blank cds via your burning program, image handling software provided with the camera, etc.

Blade81
2010-05-04, 20:25
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note: If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread.

If it has been less than three days since your last response and you need the thread re-opened, please send me or other MOD a private message (pm). A valid, working link to the closed topic is required.