
Thread: Awash with malware

  1. #1
    Junior Member mikeyd's Avatar
    Join Date
    Feb 2009
    Posts
    14

    Default Awash with malware

    Hope you can assist

    Norton Internet Security virus scan option had disappeared.
    Clicking the fix button did nothing.
    This is a valid copy.
    Symantec has been less than helpful.

    So..

    Ran Spybot in normal mode and nothing came up.
    Ran Spybot in safemode and found the following:

    1 stration.c
    5 hupigon13
    1 hellzlittlespy
    1 win32.agent.pz
    2 win32.agent.ys
    43 smitfraud-c.
    1 coolwwwsearch.hjg
    2 winagent.qlo
    1 win32,brontok
    1 win32.nosok.b
    2 win32.autorun.homevideo

    Clicked fix and poof, I lost Windows XP. Could not recover/restore, had to reinstall.

    Reinstalled Norton Internet Security; virus scan reappeared.
    Ran it and found no issues in either normal or safe mode.
    Now I can't scan for viruses; the option has disappeared again.

    Ran Spybot and found the above again (only found in safe mode).
    Backed up Registry in Spybot.

    So I am at the part where I push "Fix" and am very reluctant to do so, as I don't know which of the little nasties caused this.

    Assistance would be appreciated

  2. #2
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
    "BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
    All advice given is taken at your own risk.
    Please make sure you have read this information so we are on the same page.

    For your benefit, the instructions are pinned (sticky) to the top of the Malware Removal forum, please read and be sure you have followed those instructions. I have also posted the "Before you Post" instructions at the top of this thread.

    Not sure if I can help or not but Matt posted a link to the instructions for you here: http://forums.spybot.info/showthread.php?t=46083

    I posted it again above, we will not find out if I can help until you follow the directions then post a HJT log.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  3. #3
    Junior Member mikeyd's Avatar
    Join Date
    Feb 2009
    Posts
    14

    Default

    Thanks for the reply.

    1) computer in normal mode
    2) system restore is enabled
    3) teatimer is off
    4) system registry is backed up
    5) word wrap is off

    copy of log as follows:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:11:25 PM, on 2/26/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Michael.MJD-KLI8V24JPWT\Desktop\HiJackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
    O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
    O4 - HKLM\..\RunOnce: [SymLnch] "C:\Documents and Settings\Michael.MJD-KLI8V24JPWT\Application Data\Symantec\Layouts\Norton Internet Security\15.0\SymAllLanguages\NIS_RETAIL\20070826\Support\SymLnch\SymLnch.exe" "C:\Documents and Settings\Michael.MJD-KLI8V24JPWT\Application Data\Symantec\Layouts\Norton Internet Security\15.0\SymAllLanguages\NIS_RETAIL\20070826\Setup.exe" "/UPREBOOT /temp /patched"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
    O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    --
    End of file - 4671 bytes
    Thanks for looking into this

  4. #4
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    C:\Documents and Settings\Michael.MJD-KLI8V24JPWT\Desktop\HiJackThis.exe <<< directions were not followed, read them again and install HJT safely as instructed:
    By default it will install to C:\Program Files\Trend Micro\HijackThis
    Please do not proceed until that is done.

    Nothing showing in the HJT log, we will have combofix take the first look.

    1) Please DO NOT ENABLE Spybot S&D TeaTimer while we work together.

    2) A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

    Download ComboFix from here:

    Link 1

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    • See this Link for programs that need to be disabled and instruction on how to disable them.
    • Remember to re-enable them when we're done.

    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

    *If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

    Tutorial if needed
    http://www.bleepingcomputer.com/comb...o-use-combofix

    3) Post also an uninstall list: Open Hijackthis.
    Click the "Open the Misc Tools" section Button.
    Click the "Open Uninstall Manager" Button.
    Click the "Save list..." Button.
    Save it to your desktop. Copy and paste the contents into your reply.
    (You may edit out Microsoft, Hotfixes, Security Update for Windows XP, Update for Windows XP and Windows XP Hotfix to shorten the list.)
    Image: http://img.bleepingcomputer.com/tuto...nstall-man.jpg

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006
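
As an added example (not code from this thread, from Trend Micro's HijackThis or from any tool named here), the script below parses a log in the shape of the HJT log posted above and applies the point pskelley raises: whether HijackThis is running from its default install directory (C:\Program Files\Trend Micro\HijackThis) rather than from the Desktop. It also lists the O4 autostart and O23 service entries and flags any that launch from a user-profile or temp path. The sample log is constructed: its header, process and entry lines are copied from the posted log, except for the "[updater]" O4 line, which is made up to show what the path heuristic catches. That heuristic and the "Unknown owner" note are assumptions of this example, not rules stated in the thread.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape of the HijackThis v2.0.2 log posted in this thread.
# All lines but the "[updater]" O4 line are copied from that log; "[updater]" is made up
# for this example so the path heuristic below has something to flag.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:11:25 PM, on 2/26/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Documents and Settings\Michael.MJD-KLI8V24JPWT\Desktop\HiJackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Michael\Application Data\updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
"""

# Default install directory named by pskelley in this thread (lower-cased for comparison).
EXPECTED_HJT_DIR = r"c:\program files\trend micro\hijackthis"

# Heuristic used by this example (an assumption, not a rule from the thread): a program that
# autostarts from a user profile or temp directory deserves a closer look than one that
# lives under Program Files or Windows.
SUSPECT_DIRS = ("\\documents and settings\\", "\\temp\\", "\\local settings\\")

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")       # "O4 - ...", "R1 - ..."
PATH_RE = re.compile(r"[a-z]:\\.*?\.(?:exe|dll|sys)\b", re.IGNORECASE)  # first drive-rooted binary


@dataclass
class Entry:
    section: str           # O2, O4, O23, ...
    name: str              # BHO name, Run value name or service name
    path: Optional[str]    # first exe/dll/sys path on the line, lower-cased, if any
    raw: str


def extract_path(text: str) -> Optional[str]:
    m = PATH_RE.search(text)
    return m.group(0).lower() if m else None


def parse_entry(sec: str, body: str, raw: str) -> Entry:
    """Pull the human-readable name out of one O-line; the path comes from extract_path."""
    if sec == "O4":
        m = re.match(r"(?P<where>.+?): \[(?P<name>[^\]]*)\] ", body)     # HKLM\..\Run: [name] cmd
        if m is None:
            m = re.match(r"(?P<where>.+?): (?P<name>.+?) = ", body)      # Global Startup: x.lnk = path
        name = m.group("name") if m else body
    else:
        m = re.match(r"[^:]+: (?P<rest>.*)$", body)                       # "BHO: name - {clsid} - path"
        rest = m.group("rest") if m else body
        name = rest.split(" - ")[0]
    return Entry(sec, name, extract_path(body), raw)


def parse_hjt(text: str) -> dict:
    """Split a HijackThis log into header lines, running processes and O/R entries."""
    header, processes, entries = [], [], []
    in_processes = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            in_processes = False      # a blank line ends the process block
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(parse_entry(m.group("sec"), m.group("body"), line))
        elif in_processes:
            processes.append(line.lower())
        else:
            header.append(line)
    return {"header": header, "processes": processes, "entries": entries}


def triage(report: dict) -> list:
    """Apply the install-location check from the thread plus the SUSPECT_DIRS heuristic."""
    findings = []
    for proc in report["processes"]:
        if proc.endswith("\\hijackthis.exe") and not proc.startswith(EXPECTED_HJT_DIR):
            findings.append(f"HijackThis is running from {proc}, not from {EXPECTED_HJT_DIR}")
    for e in report["entries"]:
        if e.section in ("O4", "O23") and e.path and any(d in e.path for d in SUSPECT_DIRS):
            findings.append(f"{e.section} [{e.name}] starts from a profile/temp path: {e.path}")
        if e.section == "O23" and "unknown owner" in e.raw.lower():
            findings.append(f"O23 [{e.name}] records no publisher; confirm the file's origin by hand")
    return findings


if __name__ == "__main__":
    rep = parse_hjt(SAMPLE_LOG)
    print(f"{len(rep['processes'])} processes, {len(rep['entries'])} entries")
    for finding in triage(rep):
        print("-", finding)
```

Run against the sample it reports the Desktop copy of HiJackThis.exe, the made-up "[updater]" autorun under Application Data, and the service with no recorded publisher; the Symantec, RealPlayer and Office entries copied from the real log pass quietly. A finding is a reason to look, not a verdict: the "Unknown owner" service in the posted log is a legitimate Symantec component.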

  5. #5
    Junior Member mikeyd's Avatar
    Join Date
    Feb 2009
    Posts
    14

    Default

    Well, try as I might, following all links, I could not disable Norton Internet Security; all options were missing except for phishing protection.

    So here are the logs anyway.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:24:16 AM, on 2/28/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
    C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
    C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
    O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
    O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    --
    End of file - 5034 bytes


    ComboFix 09-02-26.02 - Michael 2009-02-27 23:56:43.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.220 [GMT -8:00]
    Running from: c:\documents and settings\Michael.MJD-KLI8V24JPWT\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\rmoc3260.dll

    .
    ((((((((((((((((((((((((( Files Created from 2009-01-28 to 2009-02-28 )))))))))))))))))))))))))))))))
    .

    2009-02-27 23:31 . 2009-02-27 23:31 <DIR> d-------- c:\program files\Trend Micro
    2009-02-26 12:00 . 2009-02-26 11:53 1,211 --a------ C:\remove-spybotsd-settings.reg
    2009-02-25 12:45 . 2009-02-25 12:46 <DIR> d-------- c:\program files\ERUNT
    2009-02-22 12:09 . 2009-02-22 13:28 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
    2009-02-22 01:22 . 2009-02-22 02:17 <DIR> d-------- c:\documents and settings\Administrator.MJD-KLI8V24JPWT\Application Data\Spybot - Search & Destroy
    2009-02-21 18:22 . 2009-02-21 18:22 <DIR> d-------- c:\documents and settings\Daniel.MJD-KLI8V24JPWT\Application Data\AdobeUM
    2009-02-21 18:17 . 2009-02-21 18:17 <DIR> d-------- c:\documents and settings\Daniel.MJD-KLI8V24JPWT\Application Data\Symantec
    2009-02-18 03:10 . 2008-09-15 03:57 1,846,016 -----c--- c:\windows\system32\dllcache\win32k.sys
    2009-02-18 03:05 . 2008-12-12 09:33 3,060,224 -----c--- c:\windows\system32\dllcache\mshtml.dll
    2009-02-18 03:03 . 2008-08-14 02:00 2,180,352 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
    2009-02-18 03:03 . 2008-08-14 01:58 2,136,064 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
    2009-02-18 03:03 . 2008-08-14 01:22 2,015,744 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
    2009-02-18 03:03 . 2008-10-24 03:10 453,632 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
    2009-02-18 03:03 . 2008-12-11 03:57 333,184 -----c--- c:\windows\system32\dllcache\srv.sys
    2009-02-18 03:03 . 2008-10-15 08:57 332,800 -----c--- c:\windows\system32\dllcache\netapi32.dll
    2009-02-18 03:02 . 2008-08-14 01:22 2,057,728 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
    2009-02-18 03:00 . 2009-02-25 15:25 <DIR> d--h----- c:\windows\$hf_mig$
    2009-02-17 22:52 . 2009-02-17 22:52 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
    2009-02-17 22:52 . 2009-02-17 22:52 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
    2009-02-17 22:52 . 2009-02-17 22:52 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
    2009-02-17 22:50 . 2009-02-17 23:03 <DIR> d-------- c:\documents and settings\Michael.MJD-KLI8V24JPWT\Application Data\Spybot - Search & Destroy
    2009-02-17 22:47 . 2009-02-27 15:00 <DIR> d-------- c:\program files\Norton Security Scan
    2009-02-17 20:48 . 2009-02-17 20:48 <DIR> d-------- c:\windows\system32\CatRoot_bak
    2009-02-17 20:47 . 2008-05-06 21:18 1,287,680 -----c--- c:\windows\system32\dllcache\quartz.dll
    2009-02-17 20:47 . 2008-06-13 05:10 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
    2009-02-17 20:47 . 2008-07-07 12:32 253,952 -----c--- c:\windows\system32\dllcache\es.dll
    2009-02-17 20:45 . 2008-05-01 06:30 331,776 -----c--- c:\windows\system32\dllcache\msadce.dll
    2009-02-17 20:44 . 2008-04-11 10:50 683,520 -----c--- c:\windows\system32\dllcache\inetcomm.dll
    2009-02-17 20:43 . 2008-09-04 08:42 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
    2009-02-17 20:43 . 2008-10-03 02:15 247,326 -----c--- c:\windows\system32\dllcache\strmdll.dll
    2009-02-15 15:23 . 2009-02-15 15:23 <DIR> d-------- c:\documents and settings\Administrator.MJD-KLI8V24JPWT
    2009-02-15 13:10 . 2009-02-15 14:12 <DIR> d-------- c:\program files\Symantec
    2009-02-15 13:10 . 2009-02-26 13:13 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Symantec
    2009-02-15 13:10 . 2009-02-15 14:12 124,464 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
    2009-02-15 13:10 . 2009-02-15 14:12 60,808 --a------ c:\windows\system32\S32EVNT1.DLL
    2009-02-15 13:01 . 2009-02-15 14:12 10,635 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
    2009-02-15 13:01 . 2009-02-15 14:12 806 --a------ c:\windows\system32\drivers\SYMEVENT.INF
    2009-02-15 12:31 . 2009-02-15 13:17 <DIR> d-------- c:\documents and settings\Michael.MJD-KLI8V24JPWT\Application Data\Symantec
    2009-02-15 11:51 . 2009-02-15 11:51 <DIR> d-------- c:\documents and settings\Daniel.MJD-KLI8V24JPWT
    2009-02-15 11:32 . 2009-02-15 11:32 376 --a------ c:\windows\ODBC.INI
    2009-02-15 11:30 . 2009-02-15 11:31 <DIR> d-------- c:\windows\ShellNew
    2009-02-14 12:42 . 2009-02-14 12:42 <DIR> d---s---- c:\documents and settings\Aaron\UserData
    2009-02-14 12:40 . 2009-02-14 12:42 <DIR> d-------- c:\documents and settings\Aaron
    2009-02-13 19:36 . 2009-02-13 19:36 24,576 --a------ c:\windows\system32\prefscpl.cpl
    2009-02-13 19:36 . 2009-02-13 19:36 8,552 --a------ c:\windows\system32\drivers\asctrm.sys
    2009-02-11 21:36 . 2003-04-02 11:23 65,536 --a------ c:\windows\wanmpsvc.exe
    2009-02-11 21:20 . 2009-02-13 19:27 316,640 --a------ c:\windows\WMSysPr9.prx
    2009-02-11 21:14 . 2004-08-04 00:56 2,897,920 --------- c:\windows\system32\xpsp2res.dll
    2009-02-11 21:14 . 2004-07-17 11:40 19,528 --a------ c:\windows\002345_.tmp
    2009-02-11 21:13 . 2005-02-24 19:35 22,752 --a------ c:\windows\system32\spupdsvc.exe
    2009-02-11 21:05 . 2009-02-11 21:05 <DIR> d---s---- c:\windows\system32\Microsoft
    2009-02-04 22:00 . 2004-08-04 00:56 96,768 --a------ c:\windows\system32\dpcdll.dll
    2009-02-04 21:58 . 2004-08-04 00:56 1,298,432 --a------ c:\windows\system32\dxdiag.exe
    2009-02-04 21:55 . 2002-06-14 18:46 19,274 --a------ c:\windows\000001_.tmp
    2009-02-02 21:24 . 2009-02-02 21:24 <DIR> d--hs---- c:\documents and settings\NetworkService.NT AUTHORITY.000
    2009-02-02 21:24 . 2009-02-13 19:27 <DIR> d--hs---- c:\documents and settings\LocalService.NT AUTHORITY
    2009-02-02 21:03 . 2009-02-02 21:03 8,192 --a------ c:\windows\REGLOCS.OLD
    2009-02-02 21:01 . 2001-08-23 04:00 1,875,968 --a--c--- c:\windows\system32\dllcache\msir3jp.lex
    2009-02-02 21:00 . 2001-08-23 04:00 13,463,552 --a--c--- c:\windows\system32\dllcache\hwxjpn.dll
    2009-02-02 18:27 . 2009-02-25 12:41 <DIR> d-------- c:\documents and settings\Michael.MJD-KLI8V24JPWT
    2009-02-02 11:05 . 2009-02-02 18:26 <DIR> d--h----- c:\documents and settings\Default User.WINDOWS
    2009-02-02 11:05 . 2009-02-02 20:57 <DIR> d-------- c:\documents and settings\All Users.WINDOWS

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-02-28 08:02 --------- d-----w c:\program files\Common Files\Symantec Shared
    2009-02-26 20:04 --------- d-----w c:\program files\Spybot - Search & Destroy
    2009-02-26 06:35 --------- d-----w c:\program files\America Online 8.0
    2009-02-18 07:09 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
    2009-02-15 22:05 --------- d-----w c:\program files\Norton Internet Security
    2009-02-15 19:31 --------- d-----w c:\program files\Microsoft ActiveSync
    2009-01-31 23:21 --------- d-----w c:\documents and settings\Daniel\Application Data\DNA
    2009-01-31 23:14 --------- d-----w c:\program files\DNA
    2009-01-30 15:51 --------- d-----w c:\documents and settings\Daniel\Application Data\uTorrent
    2009-01-28 23:42 --------- d-----w c:\program files\Yahoo!
    2009-01-27 02:55 --------- d-----w c:\documents and settings\Daniel\Application Data\FrostWire
    2009-01-25 23:16 --------- d-----w c:\program files\FrostWire
    2008-12-29 01:58 --------- d-----w c:\documents and settings\Daniel\Application Data\Apple Computer
    2002-07-26 21:02 153,088 ----a-w c:\program files\UNWISE.EXE
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2009-02-13 26112]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
    "osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2007-08-24 714608]

    c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\America Online 8.0\\waol.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\system32\\ftp.exe"=

    R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2007-08-24 149352]
    R3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2007-05-29 23888]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - COMHOST
    *Deregistered* - EraserUtilDrv10910
    .
    Contents of the 'Scheduled Tasks' folder

    2009-02-18 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Michael.job
    - c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-26 17:19]

    2009-02-27 c:\windows\Tasks\Norton Security Scan for Michael.job
    - c:\program files\Norton Security Scan\Nss.exe [2008-09-19 04:18]
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-RunOnce-SymLnch - c:\documents and settings\Michael.MJD-KLI8V24JPWT\Application Data\Symantec\Layouts\Norton Internet Security\15.0\SymAllLanguages\NIS_RETAIL\20070826\Support\SymLnch\SymLnch.exe


    .
    ------- Supplementary Scan -------
    .
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    Trusted Zone: aol.ca\www
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-02-28 00:01:48
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1957994488-492894223-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    Completion time: 2009-02-28 0:04:22
    ComboFix-quarantined-files.txt 2009-02-28 08:04:17

    Pre-Run: 38,301,982,720 bytes free
    Post-Run: 38,631,751,680 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

    156 --- E O F --- 2009-02-26 11:00:46

    Adobe Flash Player 10 ActiveX
    Adobe Reader 7.0
    AppCore
    ccCommon
    Component Framework
    ERUNT 1.1j
    HijackThis 2.0.2
    Hotfix for Windows XP (KB952287)
    LiveUpdate (Symantec Corporation)
    LiveUpdate (Symantec Corporation)
    Microsoft Office XP Professional with FrontPage
    Microsoft Visual C++ 2005 Redistributable
    Norton AntiVirus
    Norton AntiVirus Help
    Norton Confidential Core
    Norton Internet Security
    Norton Internet Security (Symantec Corporation)
    Norton Protection Center
    Norton Security Scan
    Norton Security Scan (Symantec Corporation)
    RealPlayer Basic
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB944338-v2)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    SPBBC 32bit
    SymNet
    Update for Windows XP (KB898461)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Viewpoint Media Player
    Windows Installer 3.1 (KB893803)
    Windows XP Hotfix - KB885884
    Windows XP Service Pack 2

    hope this helps.

  6. #6
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    This can be done as time permits, but it is important, and may be why you got infected.
    Uninstall list: I look for malware and security issues and will not know all of your programs, but you should.
    Hackers are using out of date programs to infect folks more and more.
    Here is a small free tool that lets you know when something needs an update if you are interested:
    http://secunia.com/vulnerability_scanning/personal/ While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.

    Adobe Flash Player 10 ActiveX
    Adobe recommends all users of Adobe Flash Player 10.0.12.36 and earlier versions upgrade to the newest version 10.0.22.87
    http://www.adobe.com/support/securit...apsb09-01.html

    Adobe Reader 7.0 <<< out of date, see this information:
    http://news.cnet.com/8301-1009_3-100...ml?tag=nl.e433
    http://www.filehippo.com/download_adobe_reader/
    (if you want a smaller program, look at this one)
    Foxit Reader 2.3 for Windows (make sure to uncheck any toolbars)
    http://www.foxitsoftware.com/pdf/rd_intro.php

    Viewpoint Media Player <<< suggested uninstall:
    For your information, Viewpoint is installed by aol probably without your knowledge.
    http://www.spywareinfo.com/newslette....php#viewpoint
    http://www.clickz.com/news/article.php/3561546
    http://vil.nai.com/vil/content/v_137262.htm
    Quote: "Ran Spybot in safemode and found the following:"
    This all started with you telling me about what Spybot S&D found and I don't even see that program in Add Remove programs? Did you uninstall it for some reason? I have no way of knowing if that program was up to date or not. Please do not install it again until I ask you to, then only from the link I provide, with the instructions I provide.

    Please follow these directions:
    Download Malwarebytes' Anti-Malware to your Desktop
    http://www.malwarebytes.org/

    http://www.besttechie.net/mbam/mbam-setup.exe <<< download

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform FULL SCAN, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
    * Please post contents of that file in your next reply.

    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

    Tutorial if needed:
    http://www.techsupportteam.org/forum...ware-mbam.html

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  7. #7
    Junior Member mikeyd's Avatar
    Join Date
    Feb 2009
    Posts
    14

    Default

    I can't explain why Spybot is not in the add/remove programs. (I had an earlier version that was uninstalled v1.3 I think.)

    Spybot is definitely on the system.

    At any rate, here is the log:


    Malwarebytes' Anti-Malware 1.34
    Database version: 1813
    Windows 5.1.2600 Service Pack 2

    2/28/2009 8:51:45 PM
    mbam-log-2009-02-28 (20-51-45).txt

    Scan type: Full Scan (C:\|D:\|E:\|)
    Objects scanned: 346020
    Time elapsed: 3 hour(s), 58 minute(s), 22 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

  8. #8
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Quote: "Spybot is definitely on the system."
    I can see the program in the ComboFix log:
    c:\program files\Spybot - Search & Destroy

    Look at the uninstall list you posted, it is alphabetical and Spybot S&D does not show there. What I would like you to do is:

    1) Open Spybot S&D; at the top click on Help, then About. Post the version number (for instance, mine is Spybot - Search & Destroy 1.6.0.30) and the latest detection update.

    2) Start > Control Panel > Add Remove programs. When that loads, look alphabetically for Spybot- Search & Destroy and tell me if it is there.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  9. #9
    Junior Member mikeyd's Avatar
    Join Date
    Feb 2009
    Posts
    14

    Default

    Morning

    Version is 1.6.0.31

    and no, Spybot is not in Add/Remove Programs.

  10. #10
    Junior Member mikeyd's Avatar
    Join Date
    Feb 2009
    Posts
    14

    Default

    sorry, latest update is 02/25/09
