alan057
2010-05-07, 07:54
I have a windows XP system with XP 2 and the up to date system sw. The system is approx 5 yr old. I have Norton AV running and Spybot running to prevent access to my registry. I have a router between my computer and the net.
I was browsing the web and encountered an attack. I received msg(s) that Norton identified "Hacktool.Rootkit" attack and stopped it. I received several msg's from SpyBot about registry updates, I denied them.
My screen background went green, a black box was displayed which said in red letters "System is Infected" and tried to sell me their sw.
I installed/ran the Malwarebytes Anti Malware. My screen background is ok and the black msg box is gone.
I then noticed a svchost.exe process is taking 50% of my cpu. The associated sub processes are "DComLaunch" and "Termservice". If I terminate this process, then i receive a msg my machine will shutdown in 60 seconds.
I've tried installing and running the Kapersky Virus Removal Tool after reading this would fix the problem, did not do anything.
I've downloaded and run RegCure registry cleaner. This removed numerous file and object references which did not exist. I also used the Manage Startup option to identify a couple corrupt files invoked at startup which Norton AV said were created at the same time as the attack:
Qgezofoce C:\Windows\uGWud32.dll
Xxopijipataxuhi C:\Windows\ohihupotovunik.dll
I moved the two files and removed them from the startup.
My system runs, but I still have the svchost.exe process which uses 50% of the cpu. This started happening at the same time the attack occured.
I've cleaned up some of the mess, but there are still a few (?) things on my system which need to be removed. Please help me if possible.
I've included the DDS log below. I can provide the Attachment if requested.
Thanks in advance for your help.
DDS (Ver_10-03-17.01) - NTFSx86
Run by Alan Gertner at 0:21:23.45 on Fri 05/07/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1291 [GMT -5:00]
AV: Norton AntiVirus *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Smith Micro Shared\FAX\SMLoader.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\Program Files\Norton AntiVirus\Engine\17.6.0.32\ccSvcHst.exe
C:\Program Files\Norton AntiVirus\Engine\17.6.0.32\ccSvcHst.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\adg_download\2010\spybot_dds\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.yahoo.com/
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application
data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\17.6.0.32\IPSBHO.DLL
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google
toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [<NO NAME>]
uRun: [ATI Launchpad]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\acrobat\AdobeUpdateManager.exe" AcPro7_0_9 -reboot 1
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [EssSpkPhone] essspk.exe
mRun: [SMSI Loader] c:\program files\common files\smith micro shared\fax\SMLoader.exe /PRNDRV
mRun: [NeroCheck] c:\windows\system32\\NeroCheck.exe
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
mRun: [FinePrint Dispatcher v5] "c:\windows\system32\spool\drivers\w32x86\3\fpdisp5a.exe" /source=HKLM
mRun: [pdfFactory Pro Dispatcher v2] "c:\windows\system32\spool\drivers\w32x86\3\fppdis2a.exe" /source=HKLM
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program
files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
StartupFolder: c:\documents and settings\alan gertner\start menu\programs\startup\wwwzuc32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: alibaba.com\login
Trusted Zone: alibaba.com\www
Trusted Zone: amazon.com\www
Trusted Zone: amerisave.com\appraiser
Trusted Zone: amerisave.com\www
Trusted Zone: bid4assets.com\secure
Trusted Zone: biggerpockets.com\www
Trusted Zone: blinkx.com\www
Trusted Zone: blockbuster.com\www
Trusted Zone: bobvila.com\movie
Trusted Zone: bobvila.com\video
Trusted Zone: bobvila.com\www
Trusted Zone: box.net\www
Trusted Zone: brokerpriceopinion.com\beta
Trusted Zone: burnet-cad.org\www
Trusted Zone: cityofpflugerville.com\maps
Trusted Zone: craigshelper.com\www
Trusted Zone: craigslist.org\accounts
Trusted Zone: dailymotion.com\www
Trusted Zone: dtv2009.gov\www
Trusted Zone: earthlink.net\myaccount
Trusted Zone: earthlink.net\support
Trusted Zone: fema.gov\map1.msc
Trusted Zone: fema.gov\msc
Trusted Zone: flurl.com\www
Trusted Zone: fnismls.com
Trusted Zone: fool.com\www
Trusted Zone: freecreditreport.com\www
Trusted Zone: funwithwind.com\www
Trusted Zone: google.com\earth
Trusted Zone: intelius.com\www
Trusted Zone: irs.gov\sa2.www4
Trusted Zone: ldproducts.com\www
Trusted Zone: linkedin.com\www
Trusted Zone: lowes.com\www
Trusted Zone: magicjack.com\www
Trusted Zone: match.com\www
Trusted Zone: mckissock.com\www
Trusted Zone: microsoft.com\www
Trusted Zone: millcreekranchresort.com\www
Trusted Zone: mlxchange.com\actris
Trusted Zone: municode.com\www
Trusted Zone: netflix.com\www
Trusted Zone: pbdisasterservices.com\www
Trusted Zone: prodigyinvestor.com
Trusted Zone: propertysmart.us\www
Trusted Zone: scribd.com\www
Trusted Zone: search.com\www
Trusted Zone: searchtempest.com\www
Trusted Zone: solidifi.com\login
Trusted Zone: thenoteclearinghouse.com\www
Trusted Zone: trueautomation.com\clientdb
Trusted Zone: trueautomation.com\propaccess
Trusted Zone: trueautomation.com\www
Trusted Zone: trustetc.com\forms
Trusted Zone: trustetc.com\www
Trusted Zone: valuamerica.com\orders
Trusted Zone: vanguard.com\flagship
Trusted Zone: vanguard.com\personal
Trusted Zone: visualwebcaster.com\www
Trusted Zone: walmart.com\www
Trusted Zone: youtube.com\www
DPF: {0854D220-A90A-466D-BC02-6683183802B7} - hxxp://hlmls.fnismls.com/Paragon/Codebase/FNISPrintControl.cab
DPF: {0D859AF0-C75E-11D4-B760-00E0B81077E8} - hxxp://actris.mlxchange.com/4.3.08.91/Control/FileCruiser.cab
DPF: {16FD824B-8E7B-11D2-9855-00802962956C} - hxxp://actris.mlxchange.com/4.3.08.91/Control/Specfile.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1103836002262
DPF: {78523E50-56EB-11D3-B739-CAA1986A452F} - hxxp://actris.mlxchange.com/4.3.08.91/Control/LiteGrid.cab
DPF: {7A7537FC-5988-11D3-8B33-00104B9E5A4A} - hxxp://actris.mlxchange.com/4.3.08.91/Control/IRCWebPrint.cab
DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} - hxxp://actris.mlxchange.com/5.0.05.46/Control/IRCSharc.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - hxxp://acs.pandasoftware.com/activescan/as5free/asinst.cab
DPF: {B198A72B-B4C3-42B5-B8DA-B364E76429AA} - hxxp://actris.mlxchange.com/4.3.08.91/Control/WebDog.cab
DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.0/jinstall-1_4_0-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F060A272-A18A-11D3-B75B-00E0B81077E8} - hxxp://actris.mlxchange.com/4.3.08.91/Control/AspCustomCtrls.cab
DPF: {F375116A-793C-11D2-BFE1-444553540001} - hxxp://realist2.firstamres.com/mapviewer/mapviewer.cab
DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} - file://c:\program files\intercap\activecgm\activex\Acgm.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: CShellExecuteHookImpl Object: {54d9498b-cf93-414f-8984-8ce7fde0d391} - c:\program files\ewido anti-malware\shellhook.dll
============= SERVICES / DRIVERS ===============
R0 BsStor;InCD Storage Helper Driver;c:\windows\system32\drivers\bsstor.sys [2004-12-26 9344]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1106000.020\symds.sys [2010-3-31 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1106000.020\symefa.sys [2010-3-31 172592]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application
data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\bashdefs\20100429.001\BHDrvx86.sys [2010-4-29 537136]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1106000.020\cchpx86.sys [2010-3-31 501888]
R1 ewido security suite driver;ewido security suite driver;c:\program files\ewido anti-malware\guard.sys [2005-12-30 3072]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1106000.020\ironx86.sys [2010-3-31 116784]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R2 BsUDF;InCD UDF Driver;c:\windows\system32\drivers\bsudf.sys [2004-12-26 462464]
R2 ewido security suite control;ewido security suite control;c:\program files\ewido anti-malware\ewidoctrl.exe [2005-11-30 13888]
R2 NAV;Norton AntiVirus;c:\program files\norton antivirus\engine\17.6.0.32\ccsvchst.exe [2010-3-31 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-26 102448]
R3 HCWBT8XX;Hauppauge WinTV 848/9 WDM Video Driver;c:\windows\system32\drivers\HCWBT8xx.sys [2005-2-6 458820]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application
data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\ipsdefs\20100429.001\IDSXpx86.sys [2010-5-3 329592]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application
data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\virusdefs\20100506.025\NAVENG.SYS [2010-5-7 84912]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application
data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\virusdefs\20100506.025\NAVEX15.SYS [2010-5-7 1324720]
S1 defb;defb;\??\c:\windows\system32\defb.sys --> c:\windows\system32\defb.sys [?]
S4 ewido security suite guard;ewido security suite guard;c:\program files\ewido anti-malware\ewidoguard.exe [2005-12-18 151616]
=============== Created Last 30 ================
2010-05-07 04:56:44 0 d-----w- c:\docume~1\alange~1\applic~1\Tific
2010-05-07 04:05:50 0 d-----w- c:\windows\05_06_10_virus_fu
2010-05-07 02:37:32 0 d-----w- c:\docume~1\alluse~1\applic~1\RegCure
2010-05-06 18:42:00 0 d-----w- c:\docume~1\alange~1\applic~1\Malwarebytes
2010-05-06 18:41:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-06 18:41:28 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-06 18:41:27 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-06 18:41:27 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-06 18:22:02 0 ----a-w- c:\windows\system32\6263.exe
2010-05-06 18:01:58 0 ----a-w- c:\windows\system32\31156.exe
2010-05-06 17:41:21 0 ----a-w- c:\windows\system32\19050.exe
2010-05-06 17:02:26 0 ----a-w- c:\windows\system32\28838.exe
2010-05-06 16:29:55 120 ----a-w- c:\windows\Jwimita.dat
2010-05-06 16:29:55 0 ----a-w- c:\windows\Iqaqovabupice.bin
2010-05-06 16:29:09 8192 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-05-06 16:29:09 8192 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-05-06 16:29:09 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-05-06 16:29:09 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-05-06 16:29:08 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-05-06 16:29:08 8192 ----a-w- c:\windows\system32\drivers\Changer.sys
==================== Find3M ====================
2010-03-26 15:08:25 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-03-26 15:08:25 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-03-26 15:08:25 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-03-26 15:08:24 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-03-25 01:00:29 72080 ----a-w- c:\documents and settings\alan gertner\g2mdlhlpx.exe
2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38:52 78336 ------w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:51 17408 ------w- c:\windows\system32\corpol.dll
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-16 13:17:38 2137088 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 12:39:04 2016768 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:47:05 100864 ----a-w- c:\windows\system32\6to4svc.dll
============= FINISH: 0:22:44.48 ===============
This is an update to my earlier post.
After more research, I found a similar problem described at:
http://www.hardwareanalysis.com/content/topic/75487/
This is similar (if not identical) to the problem I had.
I performed the following:
Filehippo super anti spyware deleted a Trojan Home
Rebooted. Asked me to change Winlogon registry userinit.exe with UserInit.exe, I declined in Spybot.
I also noticed another file that may be corrupt:
C:\Documents and Settings\user name\Start Menu\Programs\Startup\wwwzuc32
I could not delete, copy or move the wwwzuc32 file. It behaved the same as the siszyd32 file described in the link above.
I rebooted in safe mode and moved the wwwzuc32 file to another folder. I then rebooted. After the reboot, the svchost process which was taking 50% of my cpu was gone.
I downloaded PrevX which is recommended for removing wwwzuc32. I ran the free version, it identified 3 possible issues. I've already moved the wwwzuc32 file, the 2nd file i think is a false alarm and the 3rd item is a registry entry which i don't know if it is an issue. I'll try to find a free sw tool to address these issue.
My machine is better, but I still don't know if all the bad stuff is gone. As identified in the link above, the large anti virus sw companies need to incorporate a fix into their sw for the Trojan SISZYD32 before this really gets out of hand.
I was browsing the web and encountered an attack. I received msg(s) that Norton identified "Hacktool.Rootkit" attack and stopped it. I received several msg's from SpyBot about registry updates, I denied them.
My screen background went green, a black box was displayed which said in red letters "System is Infected" and tried to sell me their sw.
I installed/ran the Malwarebytes Anti Malware. My screen background is ok and the black msg box is gone.
I then noticed a svchost.exe process is taking 50% of my cpu. The associated sub processes are "DComLaunch" and "Termservice". If I terminate this process, then i receive a msg my machine will shutdown in 60 seconds.
I've tried installing and running the Kapersky Virus Removal Tool after reading this would fix the problem, did not do anything.
I've downloaded and run RegCure registry cleaner. This removed numerous file and object references which did not exist. I also used the Manage Startup option to identify a couple corrupt files invoked at startup which Norton AV said were created at the same time as the attack:
Qgezofoce C:\Windows\uGWud32.dll
Xxopijipataxuhi C:\Windows\ohihupotovunik.dll
I moved the two files and removed them from the startup.
My system runs, but I still have the svchost.exe process which uses 50% of the cpu. This started happening at the same time the attack occured.
I've cleaned up some of the mess, but there are still a few (?) things on my system which need to be removed. Please help me if possible.
I've included the DDS log below. I can provide the Attachment if requested.
Thanks in advance for your help.
DDS (Ver_10-03-17.01) - NTFSx86
Run by Alan Gertner at 0:21:23.45 on Fri 05/07/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1291 [GMT -5:00]
AV: Norton AntiVirus *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Smith Micro Shared\FAX\SMLoader.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\Program Files\Norton AntiVirus\Engine\17.6.0.32\ccSvcHst.exe
C:\Program Files\Norton AntiVirus\Engine\17.6.0.32\ccSvcHst.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\adg_download\2010\spybot_dds\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.yahoo.com/
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application
data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\17.6.0.32\IPSBHO.DLL
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google
toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [<NO NAME>]
uRun: [ATI Launchpad]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\acrobat\AdobeUpdateManager.exe" AcPro7_0_9 -reboot 1
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [EssSpkPhone] essspk.exe
mRun: [SMSI Loader] c:\program files\common files\smith micro shared\fax\SMLoader.exe /PRNDRV
mRun: [NeroCheck] c:\windows\system32\\NeroCheck.exe
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
mRun: [FinePrint Dispatcher v5] "c:\windows\system32\spool\drivers\w32x86\3\fpdisp5a.exe" /source=HKLM
mRun: [pdfFactory Pro Dispatcher v2] "c:\windows\system32\spool\drivers\w32x86\3\fppdis2a.exe" /source=HKLM
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program
files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
StartupFolder: c:\documents and settings\alan gertner\start menu\programs\startup\wwwzuc32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: alibaba.com\login
Trusted Zone: alibaba.com\www
Trusted Zone: amazon.com\www
Trusted Zone: amerisave.com\appraiser
Trusted Zone: amerisave.com\www
Trusted Zone: bid4assets.com\secure
Trusted Zone: biggerpockets.com\www
Trusted Zone: blinkx.com\www
Trusted Zone: blockbuster.com\www
Trusted Zone: bobvila.com\movie
Trusted Zone: bobvila.com\video
Trusted Zone: bobvila.com\www
Trusted Zone: box.net\www
Trusted Zone: brokerpriceopinion.com\beta
Trusted Zone: burnet-cad.org\www
Trusted Zone: cityofpflugerville.com\maps
Trusted Zone: craigshelper.com\www
Trusted Zone: craigslist.org\accounts
Trusted Zone: dailymotion.com\www
Trusted Zone: dtv2009.gov\www
Trusted Zone: earthlink.net\myaccount
Trusted Zone: earthlink.net\support
Trusted Zone: fema.gov\map1.msc
Trusted Zone: fema.gov\msc
Trusted Zone: flurl.com\www
Trusted Zone: fnismls.com
Trusted Zone: fool.com\www
Trusted Zone: freecreditreport.com\www
Trusted Zone: funwithwind.com\www
Trusted Zone: google.com\earth
Trusted Zone: intelius.com\www
Trusted Zone: irs.gov\sa2.www4
Trusted Zone: ldproducts.com\www
Trusted Zone: linkedin.com\www
Trusted Zone: lowes.com\www
Trusted Zone: magicjack.com\www
Trusted Zone: match.com\www
Trusted Zone: mckissock.com\www
Trusted Zone: microsoft.com\www
Trusted Zone: millcreekranchresort.com\www
Trusted Zone: mlxchange.com\actris
Trusted Zone: municode.com\www
Trusted Zone: netflix.com\www
Trusted Zone: pbdisasterservices.com\www
Trusted Zone: prodigyinvestor.com
Trusted Zone: propertysmart.us\www
Trusted Zone: scribd.com\www
Trusted Zone: search.com\www
Trusted Zone: searchtempest.com\www
Trusted Zone: solidifi.com\login
Trusted Zone: thenoteclearinghouse.com\www
Trusted Zone: trueautomation.com\clientdb
Trusted Zone: trueautomation.com\propaccess
Trusted Zone: trueautomation.com\www
Trusted Zone: trustetc.com\forms
Trusted Zone: trustetc.com\www
Trusted Zone: valuamerica.com\orders
Trusted Zone: vanguard.com\flagship
Trusted Zone: vanguard.com\personal
Trusted Zone: visualwebcaster.com\www
Trusted Zone: walmart.com\www
Trusted Zone: youtube.com\www
DPF: {0854D220-A90A-466D-BC02-6683183802B7} - hxxp://hlmls.fnismls.com/Paragon/Codebase/FNISPrintControl.cab
DPF: {0D859AF0-C75E-11D4-B760-00E0B81077E8} - hxxp://actris.mlxchange.com/4.3.08.91/Control/FileCruiser.cab
DPF: {16FD824B-8E7B-11D2-9855-00802962956C} - hxxp://actris.mlxchange.com/4.3.08.91/Control/Specfile.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1103836002262
DPF: {78523E50-56EB-11D3-B739-CAA1986A452F} - hxxp://actris.mlxchange.com/4.3.08.91/Control/LiteGrid.cab
DPF: {7A7537FC-5988-11D3-8B33-00104B9E5A4A} - hxxp://actris.mlxchange.com/4.3.08.91/Control/IRCWebPrint.cab
DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} - hxxp://actris.mlxchange.com/5.0.05.46/Control/IRCSharc.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - hxxp://acs.pandasoftware.com/activescan/as5free/asinst.cab
DPF: {B198A72B-B4C3-42B5-B8DA-B364E76429AA} - hxxp://actris.mlxchange.com/4.3.08.91/Control/WebDog.cab
DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.0/jinstall-1_4_0-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F060A272-A18A-11D3-B75B-00E0B81077E8} - hxxp://actris.mlxchange.com/4.3.08.91/Control/AspCustomCtrls.cab
DPF: {F375116A-793C-11D2-BFE1-444553540001} - hxxp://realist2.firstamres.com/mapviewer/mapviewer.cab
DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} - file://c:\program files\intercap\activecgm\activex\Acgm.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: CShellExecuteHookImpl Object: {54d9498b-cf93-414f-8984-8ce7fde0d391} - c:\program files\ewido anti-malware\shellhook.dll
============= SERVICES / DRIVERS ===============
R0 BsStor;InCD Storage Helper Driver;c:\windows\system32\drivers\bsstor.sys [2004-12-26 9344]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1106000.020\symds.sys [2010-3-31 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1106000.020\symefa.sys [2010-3-31 172592]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application
data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\bashdefs\20100429.001\BHDrvx86.sys [2010-4-29 537136]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1106000.020\cchpx86.sys [2010-3-31 501888]
R1 ewido security suite driver;ewido security suite driver;c:\program files\ewido anti-malware\guard.sys [2005-12-30 3072]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1106000.020\ironx86.sys [2010-3-31 116784]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R2 BsUDF;InCD UDF Driver;c:\windows\system32\drivers\bsudf.sys [2004-12-26 462464]
R2 ewido security suite control;ewido security suite control;c:\program files\ewido anti-malware\ewidoctrl.exe [2005-11-30 13888]
R2 NAV;Norton AntiVirus;c:\program files\norton antivirus\engine\17.6.0.32\ccsvchst.exe [2010-3-31 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-26 102448]
R3 HCWBT8XX;Hauppauge WinTV 848/9 WDM Video Driver;c:\windows\system32\drivers\HCWBT8xx.sys [2005-2-6 458820]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application
data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\ipsdefs\20100429.001\IDSXpx86.sys [2010-5-3 329592]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application
data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\virusdefs\20100506.025\NAVENG.SYS [2010-5-7 84912]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application
data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\virusdefs\20100506.025\NAVEX15.SYS [2010-5-7 1324720]
S1 defb;defb;\??\c:\windows\system32\defb.sys --> c:\windows\system32\defb.sys [?]
S4 ewido security suite guard;ewido security suite guard;c:\program files\ewido anti-malware\ewidoguard.exe [2005-12-18 151616]
=============== Created Last 30 ================
2010-05-07 04:56:44 0 d-----w- c:\docume~1\alange~1\applic~1\Tific
2010-05-07 04:05:50 0 d-----w- c:\windows\05_06_10_virus_fu
2010-05-07 02:37:32 0 d-----w- c:\docume~1\alluse~1\applic~1\RegCure
2010-05-06 18:42:00 0 d-----w- c:\docume~1\alange~1\applic~1\Malwarebytes
2010-05-06 18:41:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-06 18:41:28 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-06 18:41:27 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-06 18:41:27 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-06 18:22:02 0 ----a-w- c:\windows\system32\6263.exe
2010-05-06 18:01:58 0 ----a-w- c:\windows\system32\31156.exe
2010-05-06 17:41:21 0 ----a-w- c:\windows\system32\19050.exe
2010-05-06 17:02:26 0 ----a-w- c:\windows\system32\28838.exe
2010-05-06 16:29:55 120 ----a-w- c:\windows\Jwimita.dat
2010-05-06 16:29:55 0 ----a-w- c:\windows\Iqaqovabupice.bin
2010-05-06 16:29:09 8192 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-05-06 16:29:09 8192 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-05-06 16:29:09 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-05-06 16:29:09 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-05-06 16:29:08 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-05-06 16:29:08 8192 ----a-w- c:\windows\system32\drivers\Changer.sys
==================== Find3M ====================
2010-03-26 15:08:25 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-03-26 15:08:25 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-03-26 15:08:25 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-03-26 15:08:24 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-03-25 01:00:29 72080 ----a-w- c:\documents and settings\alan gertner\g2mdlhlpx.exe
2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38:52 78336 ------w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:51 17408 ------w- c:\windows\system32\corpol.dll
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-16 13:17:38 2137088 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 12:39:04 2016768 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:47:05 100864 ----a-w- c:\windows\system32\6to4svc.dll
============= FINISH: 0:22:44.48 ===============
This is an update to my earlier post.
After more research, I found a similar problem described at:
http://www.hardwareanalysis.com/content/topic/75487/
This is similar (if not identical) to the problem I had.
I performed the following:
Filehippo super anti spyware deleted a Trojan Home
Rebooted. Asked me to change Winlogon registry userinit.exe with UserInit.exe, I declined in Spybot.
I also noticed another file that may be corrupt:
C:\Documents and Settings\user name\Start Menu\Programs\Startup\wwwzuc32
I could not delete, copy or move the wwwzuc32 file. It behaved the same as the siszyd32 file described in the link above.
I rebooted in safe mode and moved the wwwzuc32 file to another folder. I then rebooted. After the reboot, the svchost process which was taking 50% of my cpu was gone.
I downloaded PrevX which is recommended for removing wwwzuc32. I ran the free version, it identified 3 possible issues. I've already moved the wwwzuc32 file, the 2nd file i think is a false alarm and the 3rd item is a registry entry which i don't know if it is an issue. I'll try to find a free sw tool to address these issue.
My machine is better, but I still don't know if all the bad stuff is gone. As identified in the link above, the large anti virus sw companies need to incorporate a fix into their sw for the Trojan SISZYD32 before this really gets out of hand.