Unknown Malware or virus
JMoniello
2011-05-27, 16:47
Hi
This is my first post so please pardon any errors on my part. I need some help with a virus or malware (I think it's a rootkit). I thought I found and cleaned the system, however the system is unstable. It seems lethargic and hangs or freezes often. The original infection caused pop-up windows alerting me to a "Bad Image" with almost every service attempting to run. So initially I ran a scan with Norton 360 and then with Malwarebytes. Both indicated a Trojan of some sort and cleaned the system. As a precaution I did an online scan with ESET, however the scan froze about 75% through. It seemed to hang on file C:\i386\lang\imjpdte.ch_ so the scan was never completed. I have included the required DDS scan log. Any help you can provide would be greatly appreciated.
.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 7.0.5730.13
Run by Shawn at 8:24:28 on 2011-05-27
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.421 [GMT -4:00]
.
AV: Norton 360 *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\COMODO\COMODO System-Cleaner\Cleaner_Validator.exe
C:\Program Files\WSED\WSED.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\OA012Mon.exe
C:\Program Files\CapsLKNotify\CapsLKNotify.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Battery Meter\BTMeter.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe
C:\Documents and Settings\Shawn\Desktop\dds.scr
C:\WINDOWS\system32\WSCRIPT.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.msn.com
uSearch Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\4.3.0.5\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\4.3.0.5\IPSBHO.DLL
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
c:\docume~1\shawn\locals~1\temp\nsg38.tmp\temp00
c:\docume~1\shawn\locals~1\temp\nsg38.tmp\temp00
c:\docume~1\shawn\locals~1\temp\nsg38.tmp\temp00
c:\docume~1\shawn\locals~1\temp\nsg38.tmp\temp00
c:\docume~1\shawn\locals~1\temp\nsg38.tmp\temp00
c:\docume~1\shawn\locals~1\temp\nsg38.tmp\temp00
c:\docume~1\shawn\locals~1\temp\nsg38.tmp\temp00
c:\docume~1\shawn\locals~1\temp\nsg38.tmp\temp00
c:\docume~1\shawn\locals~1\temp\nsg38.tmp\temp00
c:\docume~1\shawn\locals~1\temp\nsg38.tmp\temp00
c:\docume~1\shawn\locals~1\temp\nsg38.tmp\temp00
c:\docume~1\shawn\locals~1\temp\nsg38.tmp\temp00
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\shawn\application data\mozilla\firefox\profiles\a7jv023c.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Norton IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\IPSFFPlgn
FF - Ext: Norton Toolbar: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62} - c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\coFFPlgn
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2011-05-26 17:11:17 -------- d-----w- c:\windows\pss
2011-05-26 14:27:23 19528 ----a-w- c:\windows\cscmondump.bin
2011-05-26 13:33:43 -------- d-----w- c:\program files\ESET
2011-05-26 13:05:52 -------- d-----w- c:\program files\COMODO
2011-05-26 13:05:41 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-05-26 13:05:41 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2011-05-26 13:05:41 1060864 ----a-w- c:\windows\system32\mfc71.dll
2011-05-25 14:50:58 -------- d-----w- c:\documents and settings\shawn\application data\PCDr
2011-05-25 05:37:40 6075904 -c----w- c:\windows\system32\dllcache\ieframe.dll
2011-05-25 05:37:40 52224 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2011-05-25 05:37:40 468480 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2011-05-25 05:37:40 380928 -c----w- c:\windows\system32\dllcache\ieapfltr.dll
2011-05-25 05:37:40 268288 -c----w- c:\windows\system32\dllcache\iertutil.dll
2011-05-25 05:37:40 2452872 -c----w- c:\windows\system32\dllcache\ieapfltr.dat
2011-05-25 05:37:40 13824 -c----w- c:\windows\system32\dllcache\ieudinit.exe
2011-05-25 05:37:39 63488 -c----w- c:\windows\system32\dllcache\icardie.dll
2011-05-25 03:47:16 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-25 03:05:33 -------- d-----w- c:\windows\ServicePackFiles
2011-05-25 01:55:27 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2011-05-25 01:55:27 1071088 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2011-05-25 01:55:26 -------- d-----w- c:\program files\SpywareBlaster
2011-05-25 01:31:32 -------- d-----w- c:\program files\CCleaner
2011-05-24 16:33:14 954368 -c----w- c:\windows\system32\dllcache\mfc40.dll
2011-05-24 16:33:14 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2011-05-24 16:33:13 978944 -c----w- c:\windows\system32\dllcache\mfc42.dll
2011-05-24 16:32:44 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2011-05-24 16:29:01 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2011-05-24 16:28:50 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2011-05-24 16:22:06 -------- d-----w- c:\documents and settings\shawn\application data\Malwarebytes
2011-05-24 16:21:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-24 16:21:28 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-05-24 16:21:23 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-24 16:21:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-24 16:09:32 -------- d-----w- c:\program files\VS Revo Group
2011-05-24 16:05:23 45568 -c----w- c:\windows\system32\dllcache\wab.exe
.
==================== Find3M ====================
.
2011-03-11 14:10:38 471552 ----a-w- c:\windows\apppatch\aclayers.dll
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45:07 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:27:43 1866880 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 8:25:50.62 ===============
Hello JMoniello and welcome.
My name is JonTom
Malware Logs can sometimes take a lot of time to research and interpret.
Please be patient while I try to assist with your problem. If at any time you do not understand what is required, please ask for further explanation.
Please note that there is no "Quick Fix" to modern malware infections and we may need to use several different approaches to get your system clean.
Read every reply you receive carefully and thoroughly before carrying out the instructions. You may also find it helpful to print out the instructions you receive, as in some instances you may have to disconnect your computer from the Internet.
PLEASE NOTE: If you do not reply after 5 days your thread will be closed.
As it has been a few days since your last post (and if you still require assistance) please re-scan your machine with DDS and post both logs in your next reply along with the following:
"i ran a scan with Norton 360 and then with malwarebytes"
Please post the MBAM log from the last run (you can find it by opening MBAM and clicking on the Logs tab).
Please scan your system with GMER
Download GMER Rootkit Scanner from here (http://www.gmer.net/gmer.zip) or here (http://www.majorgeeks.com/download.php?det=5198).
Extract the contents of the zipped file to desktop.
Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
In the right panel, you will see several boxes that have been checked. Uncheck the following ...
IAT/EAT
Drives/Partition other than Systemdrive (typically C:\)
Show All (don't miss this one)
Then click the Scan button & wait for it to finish.
Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
Save it where you can easily find it, such as your desktop, and post it in your reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries
Please post the MBAM, DDS and GMER logs in your next reply. If you encounter any problems with the scans come back and let me know.
JMoniello
2011-06-02, 14:16
Hi
Thanks for responding to my post. As you requested I performed the new scans and the logs are as follows. I should note that I had a bit of trouble with GMER. It crashed the system several times. Specifically, it caused a memory fault and subsequent memory dump which shut down Windows. I got a blue screen with the warning message, but I neglected to write down what the memory fault was. Sorry!
.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 7.0.5730.13
Run by Shawn at 2:41:22 on 2011-06-02
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.539 [GMT -4:00]
.
AV: Norton 360 *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe
C:\Program Files\WSED\WSED.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\OA012Mon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Battery Meter\BTMeter.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Shawn\Desktop\dds.scr
C:\WINDOWS\system32\WSCRIPT.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.msn.com
uSearch Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\4.3.0.5\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\4.3.0.5\IPSBHO.DLL
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\4.3.0.5\coIEPlg.dll
mRun: [WSED] c:\program files\wsed\WSED.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [OA012Mon] c:\windows\OA012Mon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [CapsLKNotify] c:\program files\capslknotify\CapsLKNotify.exe
mRun: [BTMeter] c:\program files\battery meter\BTMeter.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\shawn\application data\mozilla\firefox\profiles\a7jv023c.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
.
============= SERVICES / DRIVERS ===============
.
R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [2009-8-19 14248]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0403000.005\symds.sys [2010-9-24 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0403000.005\symefa.sys [2010-9-24 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\bashdefs\20110518.001\BHDrvx86.sys [2011-5-18 802936]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0403000.005\cchpx86.sys [2010-9-24 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0403000.005\ironx86.sys [2010-9-24 116784]
R2 N360;Norton 360;c:\program files\norton 360\engine\4.3.0.5\ccsvchst.exe [2010-9-24 126392]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [2009-8-19 143840]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-5-19 105592]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\ipsdefs\20110531.001\IDSXpx86.sys [2011-6-1 341944]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20110601.021\NAVENG.SYS [2011-6-1 86008]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20110601.021\NAVEX15.SYS [2011-6-1 1542392]
R3 OA012Afx;Provides a software interface to control audio effects of OA012 camera.;c:\windows\system32\drivers\OA012Afx.sys [2009-8-19 135168]
R3 OA012Ufd;Creative Camera OA012 Upper Filter Driver;c:\windows\system32\drivers\OA012Ufd.sys [2009-8-19 133632]
R3 OA012Vid;Creative Camera OA012 Function Driver;c:\windows\system32\drivers\OA012Vid.sys [2009-8-19 272032]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2009-8-19 162816]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-8-19 1684736]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-5-24 39984]
.
=============== Created Last 30 ================
.
2011-06-02 02:51:01 -------- d-----w- c:\documents and settings\shawn\application data\Tific
2011-06-02 02:50:41 -------- d-----w- c:\documents and settings\shawn\local settings\application data\Symantec
2011-05-30 18:08:41 5632 ----a-w- c:\windows\system32\ptpusb.dll
2011-05-30 18:08:40 159232 ----a-w- c:\windows\system32\ptpusd.dll
2011-05-30 18:08:39 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2011-05-30 18:08:39 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2011-05-29 03:14:27 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
2011-05-29 03:14:25 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-05-29 03:14:24 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-05-29 03:14:24 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
2011-05-29 03:14:24 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-05-29 03:14:24 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-05-29 03:14:24 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-05-29 03:14:22 1892184 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-05-29 03:14:22 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-05-29 03:14:21 1974616 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-05-27 12:35:49 28600 ----a-w- c:\windows\cscmondump.bin
2011-05-26 17:11:17 -------- d-----w- c:\windows\pss
2011-05-26 13:33:43 -------- d-----w- c:\program files\ESET
2011-05-26 13:05:41 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-05-26 13:05:41 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2011-05-26 13:05:41 1060864 ----a-w- c:\windows\system32\mfc71.dll
2011-05-25 14:50:58 -------- d-----w- c:\documents and settings\shawn\application data\PCDr
2011-05-25 05:37:40 6075904 -c----w- c:\windows\system32\dllcache\ieframe.dll
2011-05-25 05:37:40 52224 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2011-05-25 05:37:40 468480 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2011-05-25 05:37:40 380928 -c----w- c:\windows\system32\dllcache\ieapfltr.dll
2011-05-25 05:37:40 268288 -c----w- c:\windows\system32\dllcache\iertutil.dll
2011-05-25 05:37:40 2452872 -c----w- c:\windows\system32\dllcache\ieapfltr.dat
2011-05-25 05:37:40 13824 -c----w- c:\windows\system32\dllcache\ieudinit.exe
2011-05-25 05:37:39 63488 -c----w- c:\windows\system32\dllcache\icardie.dll
2011-05-25 03:47:16 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-25 03:05:33 -------- d-----w- c:\windows\ServicePackFiles
2011-05-25 01:55:27 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2011-05-25 01:55:27 1071088 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2011-05-25 01:55:26 -------- d-----w- c:\program files\SpywareBlaster
2011-05-25 01:31:32 -------- d-----w- c:\program files\CCleaner
2011-05-24 16:33:14 954368 -c----w- c:\windows\system32\dllcache\mfc40.dll
2011-05-24 16:33:14 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2011-05-24 16:33:13 978944 -c----w- c:\windows\system32\dllcache\mfc42.dll
2011-05-24 16:32:44 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2011-05-24 16:29:01 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2011-05-24 16:28:50 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2011-05-24 16:22:06 -------- d-----w- c:\documents and settings\shawn\application data\Malwarebytes
2011-05-24 16:21:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-24 16:21:28 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-05-24 16:21:23 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-24 16:21:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-24 16:09:32 -------- d-----w- c:\program files\VS Revo Group
2011-05-24 16:05:23 45568 -c----w- c:\windows\system32\dllcache\wab.exe
.
==================== Find3M ====================
.
2011-03-11 14:10:38 471552 ----a-w- c:\windows\apppatch\aclayers.dll
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45:07 434176 ----a-w- c:\windows\system32\vbscript.dll
.
============= FINISH: 2:42:27.60 ===============
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-05-19.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 9/15/2009 6:19:24 PM
System Uptime: 6/2/2011 1:46:14 AM (1 hours ago)
.
Motherboard: Dell Inc. | | CN0Y53
Processor: Intel(R) Atom(TM) CPU N270 @ 1.60GHz | U1 | 1596/533mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 149 GiB total, 140.395 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
Advanced Audio FX Engine
Banctec Service Agreement
Battery Meter
CapsLKNotify
CCleaner
Choice Guard
Dell Support Center (Support Software)
Dell Touchpad
Dell Video Chat
Dell Webcam Central
Dell Wireless WLAN Card Utility
EMSC
ERUNT 1.1j
ESET Online Scanner v3
Function Keys
GRE POWERPREP
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB953955)
Hotfix for Windows XP (KB954434)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB959252)
IBM SPSS Statistics 19
Integrated Webcam Driver (1.02.02.0403)
Intel(R) Graphics Media Accelerator Driver
Junk Mail filter update
Live! Cam Avatar Creator
Malwarebytes' Anti-Malware version 1.51.0.1200
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft National Language Support Downlevel APIs
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable - KB2467175
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Mozilla Firefox 4.0.1 (x86 en-US)
MSVCRT
MSXML 6.0 Parser (KB927977)
Norton 360
Realtek High Definition Audio Driver
Revo Uninstaller 1.92
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 7 (KB2497640)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Media Player (KB952069)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB963027)
Segoe UI
SpywareBlaster 4.4
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB951618-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
Windows Search 4.0
WSED
XML Paper Specification Shared Components Pack 1.0
.
==== Event Viewer Messages From Past Week ========
.
6/2/2011 1:57:10 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows Search service to connect.
6/2/2011 1:57:10 AM, error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
6/2/2011 1:57:10 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
6/2/2011 1:53:00 AM, error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
6/1/2011 6:10:22 PM, error: atapi [11] - The driver detected a controller error on \Device\Ide\IdePort0.
6/1/2011 6:05:51 PM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
6/1/2011 10:50:36 PM, error: SRTSP [4] - Error loading virus definitions.
5/29/2011 5:39:33 AM, error: Dhcp [1002] - The IP address lease 192.168.1.111 for the Network Card with network address 00225FE61483 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
5/29/2011 3:19:43 AM, error: Dhcp [1002] - The IP address lease 192.168.1.112 for the Network Card with network address 00225FE61483 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
5/27/2011 7:55:38 AM, error: SideBySide [59] - Generate Activation Context failed for C:\PROGRAM FILES\NORTON 360\ENGINE\4.3.0.5\LUE.DLL. Reference error message: The operation completed successfully. .
5/27/2011 7:27:14 AM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Norton 360\Engine\4.3.0.5\isError.dll. Reference error message: The operation completed successfully. .
5/27/2011 7:27:13 AM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.CRT. Reference error message: Insufficient system resources exist to complete the requested service. .
5/27/2011 7:27:13 AM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Norton 360\Engine\4.3.0.5\AppMgr32.dll. Reference error message: The operation completed successfully. .
5/27/2011 7:27:08 AM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Norton 360\Engine\4.3.0.5\AVExclu.dll. Reference error message: The operation completed successfully. .
5/27/2011 12:08:36 AM, error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
5/27/2011 12:08:18 AM, error: Service Control Manager [7034] - The COMODO System - Cleaner Service service terminated unexpectedly. It has done this 1 time(s).
5/27/2011 12:08:11 AM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s).
.
==== End Of File ===========================
GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-06-02 02:41:01
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST9160314AS rev.0003DEM1
Running: gmer.exe; Driver: C:\DOCUME~1\Shawn\LOCALS~1\Temp\uxtdypob.sys
---- System - GMER 1.0.15 ----
SSDT 8553D050 ZwAlertResumeThread
SSDT 86468050 ZwAlertThread
SSDT 854B3C68 ZwAllocateVirtualMemory
SSDT 85539050 ZwAssignProcessToJobObject
SSDT 864E3C50 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xAA161210]
SSDT 854AF738 ZwCreateMutant
SSDT 854AE630 ZwCreateSymbolicLinkObject
SSDT 854B47A8 ZwCreateThread
SSDT 86462050 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xAA161490]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xAA1619F0]
SSDT 854B3DC0 ZwDuplicateObject
SSDT 854B2528 ZwFreeVirtualMemory
SSDT 863FD050 ZwImpersonateAnonymousToken
SSDT 863FF050 ZwImpersonateThread
SSDT 86498360 ZwLoadDriver
SSDT 854B15D0 ZwMapViewOfSection
SSDT 86467050 ZwOpenEvent
SSDT 854B4300 ZwOpenProcess
SSDT 855400C0 ZwOpenProcessToken
SSDT 8553A050 ZwOpenSection
SSDT 854B4230 ZwOpenThread
SSDT 854AE700 ZwProtectVirtualMemory
SSDT 86401050 ZwResumeThread
SSDT 864403D0 ZwSetContextThread
SSDT 854B0F80 ZwSetInformationProcess
SSDT 86463050 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xAA161C40]
SSDT 85D9C050 ZwSuspendProcess
SSDT 8553E050 ZwSuspendThread
SSDT 86434818 ZwTerminateProcess
SSDT 86406210 ZwTerminateThread
SSDT 85543590 ZwUnmapViewOfSection
SSDT 854B25F8 ZwWriteVirtualMemory
---- Kernel code sections - GMER 1.0.15 ----
init C:\WINDOWS\system32\Drivers\OA012Afx.sys entry point in "init" section [0xAA299D60]
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \FileSystem\Fastfat \Fat A8517D20
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- EOF - GMER 1.0.15 ----
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org
Database version: 6748
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13
6/1/2011 6:01:17 PM
mbam-log-2011-06-01 (18-01-17).txt
Scan type: Quick scan
Objects scanned: 138551
Time elapsed: 3 minute(s), 39 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Hello JMoniello
Thank you for the logs.
Please work your way through the following steps:
Combofix
Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.infospyware.net/antimalware/combofix/)
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216).
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RCUpdate1.png
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/RC2-1.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
Should there be issues with internet afterward:
In IE: Tools Menu -> Internet Options -> Connections Tab -> LAN Settings -> uncheck "use a proxy server" or reconfigure the Proxy server again in case you have set it previously.
In Firefox: Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection and uncheck the proxy server, set it to No Proxy.
Please post the ComboFix log in your next reply.
JMoniello
2011-06-02, 21:33
ComboFix 11-06-01.07 - Shawn 06/02/2011 14:03:44.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.485 [GMT -4:00]
Running from: c:\documents and settings\Shawn\Desktop\ComboFix.exe
AV: Norton 360 *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((( Files Created from 2011-05-02 to 2011-06-02 )))))))))))))))))))))))))))))))
.
.
2011-06-02 02:51 . 2011-06-02 02:51 -------- d-----w- c:\documents and settings\Shawn\Application Data\Tific
2011-06-02 02:50 . 2011-06-02 02:50 -------- d-----w- c:\documents and settings\Shawn\Local Settings\Application Data\Symantec
2011-05-30 18:08 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2011-05-30 18:08 . 2008-04-14 09:42 159232 ----a-w- c:\windows\system32\ptpusd.dll
2011-05-30 18:08 . 2008-04-14 04:15 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2011-05-30 18:08 . 2008-04-14 04:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2011-05-29 03:14 . 2011-05-29 03:14 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
2011-05-29 03:14 . 2011-05-29 03:14 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-05-29 03:14 . 2011-05-29 03:14 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-05-29 03:14 . 2011-05-29 03:14 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-05-29 03:14 . 2011-05-29 03:14 719832 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll
2011-05-29 03:14 . 2011-05-29 03:14 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-05-29 03:14 . 2011-05-29 03:14 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-05-29 03:14 . 2011-05-29 03:14 1892184 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-05-29 03:14 . 2011-05-29 03:14 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-05-29 03:14 . 2011-05-29 03:14 1974616 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-05-27 12:39 . 2011-05-27 12:39 -------- d-----w- c:\program files\ERUNT
2011-05-27 12:35 . 2011-05-27 12:35 28600 ----a-w- c:\windows\cscmondump.bin
2011-05-26 13:33 . 2011-05-26 13:33 -------- d-----w- c:\program files\ESET
2011-05-26 13:05 . 2011-05-26 13:05 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-05-26 13:05 . 2011-05-26 13:05 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2011-05-26 13:05 . 2011-05-26 13:05 1060864 ----a-w- c:\windows\system32\mfc71.dll
2011-05-25 14:50 . 2011-05-25 14:50 -------- d-----w- c:\documents and settings\Shawn\Application Data\PCDr
2011-05-25 05:37 . 2011-02-17 19:00 6075904 -c----w- c:\windows\system32\dllcache\ieframe.dll
2011-05-25 05:37 . 2011-02-17 19:00 52224 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2011-05-25 05:37 . 2011-02-17 19:00 468480 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2011-05-25 05:37 . 2011-02-17 19:00 380928 -c----w- c:\windows\system32\dllcache\ieapfltr.dll
2011-05-25 05:37 . 2011-02-17 19:00 268288 -c----w- c:\windows\system32\dllcache\iertutil.dll
2011-05-25 05:37 . 2011-02-17 11:43 13824 -c----w- c:\windows\system32\dllcache\ieudinit.exe
2011-05-25 05:37 . 2010-02-22 22:04 2452872 -c----w- c:\windows\system32\dllcache\ieapfltr.dat
2011-05-25 05:37 . 2011-02-17 19:00 63488 -c----w- c:\windows\system32\dllcache\icardie.dll
2011-05-25 03:47 . 2011-05-25 03:47 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-25 03:05 . 2011-05-25 03:05 -------- d-----w- c:\windows\ServicePackFiles
2011-05-25 01:55 . 2011-05-25 01:55 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2011-05-25 01:55 . 2010-01-10 23:40 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2011-05-25 01:55 . 2010-01-10 23:40 1071088 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2011-05-25 01:55 . 2011-05-25 01:56 -------- d-----w- c:\program files\SpywareBlaster
2011-05-25 01:31 . 2011-05-25 01:31 -------- d-----w- c:\program files\CCleaner
2011-05-24 16:33 . 2010-09-18 06:53 954368 -c----w- c:\windows\system32\dllcache\mfc40.dll
2011-05-24 16:33 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2011-05-24 16:33 . 2011-02-08 13:33 978944 -c----w- c:\windows\system32\dllcache\mfc42.dll
2011-05-24 16:32 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2011-05-24 16:29 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2011-05-24 16:28 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2011-05-24 16:22 . 2011-05-24 16:22 -------- d-----w- c:\documents and settings\Shawn\Application Data\Malwarebytes
2011-05-24 16:21 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-24 16:21 . 2011-05-24 16:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-05-24 16:21 . 2011-06-01 21:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-24 16:21 . 2011-05-29 13:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-24 16:09 . 2011-05-24 16:09 -------- d-----w- c:\program files\VS Revo Group
2011-05-24 16:05 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-11 14:10 . 2008-04-25 20:33 471552 ----a-w- c:\windows\apppatch\aclayers.dll
2011-03-07 05:33 . 2008-04-26 01:44 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-05-29 03:14 . 2011-05-29 03:14 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WSED"="c:\program files\WSED\WSED.exe" [2009-03-31 251176]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-15 1434920]
"RTHDCPL"="RTHDCPL.EXE" [2009-03-15 17529856]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-15 137752]
"OA012Mon"="c:\windows\OA012Mon.exe" [2009-05-11 24576]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-15 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-15 166424]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
"CapsLKNotify"="c:\program files\CapsLKNotify\CapsLKNotify.exe" [2009-02-23 320808]
"BTMeter"="c:\program files\Battery Meter\BTMeter.exe" [2008-11-05 623912]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-01-06 2289664]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell Video Chat\\DellVideoChat.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\IBM\\SPSS\\Statistics\\19\\stats.com"=
"c:\\Program Files\\IBM\\SPSS\\Statistics\\19\\stats.exe"=
"c:\\Program Files\\IBM\\SPSS\\Statistics\\19\\WinWrapIDE.exe"=
.
R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [8/19/2009 11:05 AM 14248]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0403000.005\symds.sys [9/24/2010 6:20 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0403000.005\symefa.sys [9/24/2010 6:20 PM 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20110518.001\BHDrvx86.sys [5/18/2011 12:36 AM 802936]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0403000.005\cchpx86.sys [9/24/2010 6:20 PM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0403000.005\ironx86.sys [9/24/2010 6:20 PM 116784]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\4.3.0.5\ccsvchst.exe [9/24/2010 6:20 PM 126392]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [8/19/2009 11:17 AM 143840]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/19/2011 9:18 PM 105592]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20110531.001\IDSXpx86.sys [6/1/2011 7:45 PM 341944]
R3 OA012Afx;Provides a software interface to control audio effects of OA012 camera.;c:\windows\system32\drivers\OA012Afx.sys [8/19/2009 1:43 PM 135168]
R3 OA012Ufd;Creative Camera OA012 Upper Filter Driver;c:\windows\system32\drivers\OA012Ufd.sys [8/19/2009 1:43 PM 133632]
R3 OA012Vid;Creative Camera OA012 Function Driver;c:\windows\system32\drivers\OA012Vid.sys [8/19/2009 1:43 PM 272032]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [8/19/2009 1:43 PM 162816]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [8/19/2009 1:42 PM 1684736]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [5/24/2011 12:21 PM 39984]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - uxtdypob
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
uInternet Connection Wizard,ShellNext = iexplore
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Shawn\Application Data\Mozilla\Firefox\Profiles\a7jv023c.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.homepage.dontask - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-02 14:12
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\4.3.0.5\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(872)
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(2064)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-06-02 14:17:39
ComboFix-quarantined-files.txt 2011-06-02 18:17
.
Pre-Run: 150,643,912,704 bytes free
Post-Run: 150,615,904,256 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - C6A866423C52B795F07BD3E52B91662A
Hello JMoniello
Did you run ComboFix twice?
JMoniello
2011-06-03, 01:01
No! I started and stopped when ComboFix alerted me that Norton 360 was still on. After disabling Norton it still said that Norton was running so I gave up and let it finish. So I started and stopped ComboFix I think 3 times, trying to figure out why it still was telling me that Norton was still on. Why is there a problem? I'm sorry if I screwed it all up. Damn!
JMoniello
2011-06-03, 04:01
Hi
Incidentally, this is my nephew's computer and it's the first time I ever worked on it. I don't know if he purchased it new or used, and who has worked on it in the past. He's had it for about 2 years. Sorry I could not be more helpful.
Hello JMoniello
"Why is there a problem? I'm sorry if I screwed it all up. Damn!"
There is no need to panic :)
Let's take a look at what was removed as part of the procedure below:
Please run the following Command
Click on Start and then on Run.
Copy and Paste the following command into the Run Box that opens, then press Enter:
C:\QooBox\ComboFix-quarantined-files.txt
Post the contents of the logfile which will open.
Clean out your temporary files
Please download ATF Cleaner by Atribune by clicking here (http://www.atribune.org/index.php?option=com_content&task=view&id=25&Itemid=25) and save the file (called ATF-Cleaner.exe) to your desktop.
Run the program by double clicking the ATF-Cleaner.exe icon located on your desktop.
Check the boxes to the left of the following:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Java Cache
The rest are optional. If you want to remove everything check the "Select All" box.
Click on "Empty Selected" to begin cleaning.
Once the "Done Cleaning" message appears, click OK.
If you use Firefox, Click on the Firefox tab and repeat the above process.
When you have finished cleaning, click on the "Exit" button in the main menu.
MalwareBytes AntiMalware:
I can see that you have MBAM installed.
Double click on your MalwareBytes AntiMalware icon to launch the program.
Click on the "Update" tab and then on "Check for Updates".
The program will now install the latest Malware definition files.
Once complete, click on the "Scanner" tab, select "Perform Quick Scan" and then click on "Scan".
Once the program has scanned your computer, a log file will be created in Notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
If the scan detects any Malware-related objects, make sure that everything is checked, and click "Remove Selected" <– Very Important.
When disinfection is completed, a log will open in Notepad and you may be prompted to restart your computer.
The log is automatically saved by MBAM and can be viewed by clicking the "Logs" tab.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart your computer, please do so immediately.
Come back here to this thread and Paste the log in your next reply.
Please post the quarantine log and the MBAM log in your next reply.
JMoniello
2011-06-07, 17:08
HI
My apologies for taking this long to respond, however I encountered several problems. In addition, a family emergency took me out of town for a few days; fortunately all is well. The computer we have been working on died! During one of the reboots, I received a hard disk failure error message. Clearly there was more going on than I realized. I'll try to get out today and pick up a new drive. Fortunately, all of my data was backed up and I have the restore disks. I want to thank you and the rest of the volunteer staff for all that you do. Without websites like yours, anarchy would surely rule the PC world. Thanks again for all your time and patience.
John....
Hello JMoniello
"My apologies for taking this long to respond"
No need to apologise my friend. I'm glad that you got your family emergency sorted out and everything is okay.
"during one of the reboots, I received a hard disk failure error message"
Oh no :sad: Thank goodness you backed up all of your stuff!
"Thanks again for all your time and patience"
No problem at all, you are Very Welcome. If you notice any problems once your machine is back up and running send me a PM and I'll see what I can do to help.
Best wishes
JonTom
Since this problem appears to be resolved this topic is now closed.
Best wishes
JonTom