
Thread: Ack. I'm infected - 4DW4R3 virus

  1. #1
    Junior Member
    Join Date
    Mar 2010
    Posts
    12

    Ack. I'm infected - 4DW4R3 virus

    It looks like my computer was feeling left out and went ahead and contracted the 4DW4R3 virus. Yeah. Let the fun begin...

    JK. Please help...

    Logfile of Trend Micro HijackThis v2.0.3 (BETA)
    Scan saved at 12:51:21 PM, on 3/3/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft LifeCam\MSCamS32.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\WinSys.exe
    C:\WINDOWS\SOUNDMAN.EXE
    G:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Microsoft ActiveSync\wcescomm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\TrendMicro\HiJackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/id/3036677/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [WinSys] C:\WINDOWS\system32\WinSys.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "G:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
    O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O4 - Global Startup: BTTray.lnk = ?
    O8 - Extra context menu item: Append to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
    O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - file:///D:/Program%20Files/xnews/downloads/Guitar/Riff%20Interactive%20-%2060S%20Funk%20Soul/setup/RiffLick.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1144799573187
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/.../installer.exe
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15026/CTPID.cab
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    --
    End of file - 12044 bytes

  2. #2
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Hi,

    Download DDS and save it to your desktop from here or here or here.
    Disable any script blocker, and then double click dds.scr to run the tool.
    • When done, DDS will open two (2) logs:
      1. DDS.txt
      2. Attach.txt
    • Save both reports to your desktop. Post them back to your topic.


    Download GMER here by clicking the download exe button and then saving it to your desktop:
    • Double-click the .exe that you downloaded.
    • Click the Rootkit tab and then Scan.
    • Don't check the Show All box while scanning is in progress!
    • When scanning is ready, click Copy.
    • This copies the log to the clipboard.
    • Post the log (if the log is long, archive it into a zip file and attach it instead of posting) in your reply.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems, create a thread in the forum, please.

    Malware removal instructions are for the corresponding user's case only.

  3. #3
    Junior Member
    Join Date
    Mar 2010
    Posts
    12


    Thank you for your help Blade. We really do appreciate it.


    Attached are three files: attach.zip, dds.zip and GMER.zip


    Here is the GMER report:

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-03-07 16:54:37
    Windows 5.1.2600 Service Pack 3
    Running: 2zm21i4j.exe; Driver: C:\DOCUME~1\john\LOCALS~1\Temp\awtdqpod.sys


    ---- System - GMER 1.0.15 ----

    Code B9151EB5 ZwCallbackReturn
    Code B9151979 ZwEnumerateKey
    Code B915196F ZwSaveKey
    Code B9151974 ZwSaveKeyEx
    Code B9151BD2 IofCompleteRequest

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!IofCompleteRequest 804EE1C0 5 Bytes JMP B9151BD7
    .text ntkrnlpa.exe!ZwCallbackReturn 804FF838 5 Bytes JMP B9151EB9
    PAGE ntkrnlpa.exe!ZwEnumerateKey 8061AB76 5 Bytes JMP B915197D
    PAGE ntkrnlpa.exe!ZwSaveKey 8061BDEA 5 Bytes JMP B9151973
    PAGE ntkrnlpa.exe!ZwSaveKeyEx 8061BED0 5 Bytes JMP B9151978
    .rsrc C:\WINDOWS\system32\drivers\nvata.sys entry point in ".rsrc" section [0xBA708E94]
    .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB8752360, 0x32DEFD, 0xE8000020]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\Explorer.EXE[2496] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10002FD0
    .text C:\WINDOWS\Explorer.EXE[2496] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 10002F3D
    .text C:\WINDOWS\Explorer.EXE[2496] WS2_32.dll!recv 71AB676F 5 Bytes JMP 10002FB0
    .text C:\WINDOWS\Explorer.EXE[2496] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10002F7E
    .text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[3096] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes JMP 0056DBBD C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe (Windows Live Messenger/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    Device \Driver\nvata \Device\00000076 8A85A90A
    Device \Driver\nvata \Device\00000076 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
    Device \Driver\USBSTOR \Device\00000082 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
    Device \Driver\nvata \Device\00000077 8A85A90A
    Device \Driver\nvata \Device\00000077 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
    Device \Driver\USBSTOR \Device\00000083 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
    Device \Driver\USBSTOR \Device\00000084 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
    Device \Driver\nvata \Device\00000078 8A85A90A
    Device \Driver\nvata \Device\00000078 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
    Device \Driver\USBSTOR \Device\00000085 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

    AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    Device \Driver\nvata \Device\NvAta0 8A85A90A
    Device \Driver\nvata \Device\NvAta0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
    Device \Driver\nvata \Device\NvAta1 8A85A90A
    Device \Driver\nvata \Device\NvAta1 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
    Device \Driver\Si3114r5 \Device\Scsi\Si3114r51Port2Path3Target1fLun0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
    Device \Driver\Si3114r5 \Device\Scsi\Si3114r51 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
    Device \Driver\Si3114r5 \Device\Scsi\Si3114r51Port2Path0Target0Lun0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

    ---- Services - GMER 1.0.15 ----

    Service C:\WINDOWS\system32\drivers\4DW4R3YwXHrXILKV.sys (*** hidden *** ) [SYSTEM] 4DW4R3 <-- ROOTKIT !!!

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\000272c1f699 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\000272c1f699@00149a18152a 0x55 0x47 0xB4 0x40 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3
    Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3@start 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3@type 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3@group file system
    Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3@imagepath \systemroot\system32\drivers\4DW4R3YwXHrXILKV.sys
    Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3\connections
    Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3\connections@5bf3bc6c
    Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3\injector
    Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3\injector@* 4DW4R3c
    Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3\modules
    Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3\modules@4DW4R3 \\?\globalroot\systemroot\system32\drivers\4DW4R3YwXHrXILKV.sys
    Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3\modules@4DW4R3c \\?\globalroot\systemroot\system32\4DW4R3MgpMGemqGQ.dll
    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000272c1f699
    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000272c1f699@0019c0e65fc0 0x42 0x31 0x14 0x93 ...
    Reg HKLM\SYSTEM\ControlSet004\Services\4DW4R3 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet004\Services\4DW4R3@start 1
    Reg HKLM\SYSTEM\ControlSet004\Services\4DW4R3@type 1
    Reg HKLM\SYSTEM\ControlSet004\Services\4DW4R3@group file system
    Reg HKLM\SYSTEM\ControlSet004\Services\4DW4R3@imagepath \systemroot\system32\drivers\4DW4R3YwXHrXILKV.sys
    Reg HKLM\SYSTEM\ControlSet004\Services\4DW4R3\connections (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet004\Services\4DW4R3\connections@5bf3bc6c
    Reg HKLM\SYSTEM\ControlSet004\Services\4DW4R3\injector (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet004\Services\4DW4R3\injector@* 4DW4R3c
    Reg HKLM\SYSTEM\ControlSet004\Services\4DW4R3\modules (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet004\Services\4DW4R3\modules@4DW4R3 \\?\globalroot\systemroot\system32\drivers\4DW4R3YwXHrXILKV.sys
    Reg HKLM\SYSTEM\ControlSet004\Services\4DW4R3\modules@4DW4R3c \\?\globalroot\systemroot\system32\4DW4R3MgpMGemqGQ.dll
    Reg HKLM\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\000272c1f699 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\000272c1f699@0019c0e65fc0 0x42 0x31 0x14 0x93 ...

    ---- Files - GMER 1.0.15 ----

    File C:\WINDOWS\system32\4DW4R3c.dll 28160 bytes executable
    File C:\WINDOWS\system32\4DW4R3FaYXrQYcme.dll 28160 bytes executable
    File C:\WINDOWS\system32\4DW4R3iurLGmkwTv.dll 28160 bytes executable
    File C:\WINDOWS\system32\4DW4R3mFQdpiRTmq.dll 28160 bytes executable
    File C:\WINDOWS\system32\4DW4R3MgpMGemqGQ.dll 28160 bytes executable
    File C:\WINDOWS\system32\4DW4R3sv.dat 53 bytes
    File C:\WINDOWS\system32\4DW4R3tIXdRtQIIK.dll 28160 bytes executable
    File C:\WINDOWS\system32\drivers\4DW4R3.sys 46592 bytes executable
    File C:\WINDOWS\system32\drivers\4DW4R3BrNexObrmy.sys 46592 bytes executable
    File C:\WINDOWS\system32\drivers\4DW4R3BXyBchNoxg.sys 46592 bytes executable
    File C:\WINDOWS\system32\drivers\4DW4R3EnUHoQlgpb.sys 46592 bytes executable
    File C:\WINDOWS\system32\drivers\4DW4R3QRiaLfbekn.sys 46592 bytes executable
    File C:\WINDOWS\system32\drivers\4DW4R3tHqlWBRwIX.sys 46592 bytes executable
    File C:\WINDOWS\system32\drivers\4DW4R3vREbTVvLdj.sys 46592 bytes executable
    File C:\WINDOWS\system32\drivers\4DW4R3YwXHrXILKV.sys 46592 bytes executable <-- ROOTKIT !!!
    File C:\WINDOWS\system32\4DW4R3tJMiatoNHY.dll 28160 bytes executable
    File C:\WINDOWS\system32\4DW4R3UXJQpygTJk.dll 28160 bytes executable
    File C:\WINDOWS\Temp\4DW4R3bc6a 53 bytes
    File C:\WINDOWS\system32\drivers\nvata.sys suspicious modification

    ---- EOF - GMER 1.0.15 ----

  4. #4
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Hi,

    Please post next logs in your reply (paste contents in) instead of attachments.

    Please visit this webpage for download links, and instructions for running ComboFix tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    Please ensure you read this guide carefully first.

    Please continue as follows:

    1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix (link).
      Remember to re-enable them afterwards.

    2. Click Yes to allow ComboFix to continue scanning for malware.


    When the tool is finished, it will produce a report for you.

    Please include the following reports for further review, and so we may continue cleansing the system:

    C:\ComboFix.txt
    New dds log.


    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

  5. #5
    Junior Member
    Join Date
    Mar 2010
    Posts
    12


    Here is ComboFix. I'll post the dds log in a sec.
    Thanks again.


    ComboFix 10-03-08.01 - john 03/08/2010 13:31:47.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1501 [GMT -6:00]
    Running from: c:\documents and settings\john\Desktop\ComboFix.exe
    AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\Common Files\Real\WeatherBug\MiniBugTransporter.dll
    c:\windows\system32\4DW4R3c.dll
    c:\windows\system32\4DW4R3FaYXrQYcme.dll
    c:\windows\system32\4DW4R3iQsvehngjX.dll
    c:\windows\system32\4DW4R3iurLGmkwTv.dll
    c:\windows\system32\4DW4R3mFQdpiRTmq.dll
    c:\windows\system32\4DW4R3MgpMGemqGQ.dll
    c:\windows\system32\4DW4R3nBowypJVhe.dll
    c:\windows\system32\4DW4R3PJCwTSKFBd.dll
    c:\windows\system32\4DW4R3sv.dat
    c:\windows\system32\4DW4R3tIXdRtQIIK.dll
    c:\windows\system32\4DW4R3tJMiatoNHY.dll
    c:\windows\system32\4DW4R3UXJQpygTJk.dll
    c:\windows\system32\4DW4R3XPKWfdoXHF.dll
    c:\windows\system32\drivers\4DW4R3.sys
    c:\windows\system32\drivers\4DW4R3BrNexObrmy.sys
    c:\windows\system32\drivers\4DW4R3BXyBchNoxg.sys
    c:\windows\system32\drivers\4DW4R3EFPTMqvsdS.sys
    c:\windows\system32\drivers\4DW4R3EnUHoQlgpb.sys
    c:\windows\system32\drivers\4DW4R3QRiaLfbekn.sys
    c:\windows\system32\drivers\4DW4R3rPRKYMkUiq.sys
    c:\windows\system32\drivers\4DW4R3tHqlWBRwIX.sys
    c:\windows\system32\drivers\4DW4R3uLAncElNKo.sys
    c:\windows\system32\drivers\4DW4R3vREbTVvLdj.sys
    c:\windows\system32\drivers\4DW4R3wTKYkaDboH.sys
    c:\windows\system32\drivers\4DW4R3YwXHrXILKV.sys
    c:\windows\system32\Ijl11.dll
    c:\windows\system32\lowsec
    c:\windows\system32\sdra64.exe
    c:\windows\system32\twain_32.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_4DW4R3
    -------\Legacy_4DW4R3


    ((((((((((((((((((((((((( Files Created from 2010-02-08 to 2010-03-08 )))))))))))))))))))))))))))))))
    .

    2010-03-08 19:39 . 2010-03-08 19:39 203938 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP0.exe
    2010-03-08 19:39 . 2010-03-08 19:39 48810 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP0.sys
    2010-03-08 19:39 . 2010-03-08 19:39 30380 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP9.dll
    2010-03-08 19:39 . 2010-03-08 19:39 30380 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP8.dll
    2010-03-08 19:39 . 2010-03-08 19:39 30380 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP7.dll
    2010-03-08 19:39 . 2010-03-08 19:39 30380 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP6.dll
    2010-03-08 19:39 . 2010-03-08 19:39 30380 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP5.dll
    2010-03-08 19:39 . 2010-03-08 19:39 30380 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP4.dll
    2010-03-08 19:39 . 2010-03-08 19:39 30380 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP3.dll
    2010-03-08 19:39 . 2010-03-08 19:39 30380 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP2.dll
    2010-03-08 19:39 . 2010-03-08 19:39 30380 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP1.dll
    2010-03-08 19:39 . 2010-03-08 19:39 30380 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP0.dll
    2010-03-03 17:48 . 2010-03-03 17:48 388096 ----a-r- c:\documents and settings\john\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
    2010-03-03 17:48 . 2010-03-03 17:48 -------- d-----w- c:\program files\Trend Micro
    2010-03-03 17:47 . 2010-03-03 17:47 -------- d-----w- c:\program files\ERUNT
    2010-02-25 18:51 . 2010-02-26 01:27 -------- d-----w- c:\documents and settings\john\Local Settings\Application Data\My Games
    2010-02-25 18:38 . 2010-02-25 18:38 -------- d-----w- c:\program files\2K Games
    2010-02-25 18:38 . 2007-06-21 02:46 266088 ----a-w- c:\windows\system32\xactengine2_8.dll
    2010-02-25 18:38 . 2007-06-21 02:45 18280 ----a-w- c:\windows\system32\x3daudio1_2.dll
    2010-02-25 18:38 . 2007-05-16 22:45 443752 ----a-w- c:\windows\system32\d3dx10_34.dll
    2010-02-25 18:38 . 2007-05-16 22:45 3497832 ----a-w- c:\windows\system32\d3dx9_34.dll
    2010-02-25 18:38 . 2007-05-16 22:45 1124720 ----a-w- c:\windows\system32\D3DCompiler_34.dll
    2010-02-25 18:38 . 2007-04-05 00:53 81768 ----a-w- c:\windows\system32\xinput1_3.dll
    2010-02-25 17:45 . 2010-02-25 17:45 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-03-08 19:31 . 2005-11-25 01:02 -------- d-----w- c:\program files\Symantec AntiVirus
    2010-03-08 04:13 . 2009-11-13 23:05 -------- d-----w- c:\documents and settings\john\Application Data\vlc
    2010-03-03 19:58 . 2005-11-29 01:23 -------- d-----w- c:\program files\Ahead
    2010-03-03 19:56 . 2006-10-26 14:01 -------- d-----w- c:\program files\AvantGo
    2010-03-03 19:50 . 2006-09-12 00:07 -------- d-----w- c:\documents and settings\john\Application Data\BitTorrent
    2010-03-03 14:29 . 2009-02-20 21:32 -------- d-----w- c:\program files\Video Thumbnails Maker
    2010-02-25 18:54 . 2005-11-25 01:20 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-02-23 17:58 . 2006-09-11 02:38 -------- d-----w- c:\documents and settings\john\Application Data\dvdcss
    2010-01-10 02:14 . 2009-11-14 00:38 -------- d-----w- c:\documents and settings\john\Application Data\Any Video Converter
    2009-12-31 16:50 . 2004-08-04 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
    2009-12-21 19:14 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2009-12-16 18:43 . 2005-11-25 00:39 343040 ----a-w- c:\windows\system32\mspaint.exe
    2009-12-14 07:08 . 2004-08-04 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2006-05-03 10:06 . 2009-02-23 21:12 163328 --sh--r- c:\windows\system32\flvDX.dll
    2007-02-21 11:47 . 2009-02-23 21:12 31232 --sh--r- c:\windows\system32\msfDX.dll
    2008-03-16 13:30 . 2009-02-23 21:12 216064 --sh--r- c:\windows\system32\nbDX.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
    "SoundMan"="SOUNDMAN.EXE" [2005-06-21 77824]
    "LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2006-10-13 277296]
    "Acrobat Assistant 8.0"="g:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]
    "nwiz"="nwiz.exe" [2008-09-18 1657376]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 86016]
    "QuickTime Task"="c:\program files\QuickTime Alternative\qttask.exe" [2009-01-05 413696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

    c:\documents and settings\john\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-7-13 565309]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2007-03-01 20:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "WMPNetworkSvc"=3 (0x3)
    "SavRoam"=3 (0x3)
    "RDSessMgr"=3 (0x3)
    "RasMan"=3 (0x3)
    "RasAuto"=3 (0x3)
    "PnkBstrB"=2 (0x2)
    "PnkBstrA"=2 (0x2)
    "mnmsrvc"=3 (0x3)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\WINDOWS\\system32\\dpnsvr.exe"=
    "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Civilization4.exe"=
    "c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Warlords\\Civ4Warlords.exe"=
    "c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Beyond the Sword\\Civ4BeyondSword.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
    "3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
    "3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
    "50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
    "50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [1/29/2008 2:56 PM 18176]
    S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [1/29/2008 2:56 PM 7680]
    S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys --> c:\windows\system32\DRIVERS\motodrv.sys [?]
    S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [1/29/2008 2:56 PM 23680]
    S3 PPJoyBus;Parallel Port Joystick Bus device driver;c:\windows\system32\drivers\PPJoyBus.sys [1/23/2004 3:33 PM 13952]
    S3 PPortJoystick;Parallel Port Joystick device driver;c:\windows\system32\drivers\PPortJoy.sys [1/23/2004 3:32 PM 28800]
    S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]
    S4 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/23/2005 7:27 PM 124608]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - EraserUtilDrvI9
    *Deregistered* - EraserUtilRebootDrv
    .
    Contents of the 'Scheduled Tasks' folder

    2010-03-08 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    uInternet Settings,ProxyOverride = *.local
    IE: Append to existing PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} - file:///D:/Program%20Files/xnews/downloads/Guitar/Riff%20Interactive%20-%2060S%20Funk%20Soul/setup/RiffLick.cab
    .
    - - - - ORPHANS REMOVED - - - -

    MSConfigStartUp-NapsterShell - c:\program files\Napster\napster.exe
    MSConfigStartUp-WatchDog - c:\program files\mobile PhoneTools\WatchDog.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-03-08 13:40
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2010-03-08 13:44:06
    ComboFix-quarantined-files.txt 2010-03-08 19:43

    Pre-Run: 30,670,204,928 bytes free
    Post-Run: 30,639,394,816 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - 5B629181895E9B3BD864FB3B509E46E2

  #6 (Junior Member, joined Mar 2010, 12 posts)

    Here is the dds log:


    DDS (Ver_09-12-01.01) - NTFSx86
    Run by john at 13:51:07.40 on Mon 03/08/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1360 [GMT -6:00]

    AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    svchost.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft LifeCam\MSCamS32.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\john\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - No File
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
    BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
    uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    mRun: [SoundMan] SOUNDMAN.EXE
    mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
    mRun: [Acrobat Assistant 8.0] "g:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
    mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /install
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [QuickTime Task] "c:\program files\quicktime alternative\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    StartupFolder: c:\docume~1\john\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bttray.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
    IE: Append to existing PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
    IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
    IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
    DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - hxxp://www.creative.com/su/ocx/15026/CTSUEng.cab
    DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} - file:///D:/Program%20Files/xnews/downloads/Guitar/Riff%20Interactive%20-%2060S%20Funk%20Soul/setup/RiffLick.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
    DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144799573187
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?39011.4312615741
    DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/su/ocx/15026/CTPID.cab
    Handler: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - c:\windows\system32\BTXPPanel.dll
    Notify: NavLogon - c:\windows\system32\NavLogon.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    Hosts: 127.0.0.1 www.spywareinfo.com

    ============= SERVICES / DRIVERS ===============

    R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-2-4 324232]
    R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-2-4 53896]
    R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-6-2 185968]
    R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-6-2 161392]
    R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-6-23 1715904]
    R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100307.007\naveng.sys [2010-3-8 84912]
    R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100307.007\navex15.sys [2010-3-8 1324720]
    S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-6-2 83568]
    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-1-29 18176]
    S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-1-29 7680]
    S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys --> c:\windows\system32\drivers\motodrv.sys [?]
    S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2008-1-29 23680]
    S3 PPJoyBus;Parallel Port Joystick Bus device driver;c:\windows\system32\drivers\PPJoyBus.sys [2004-1-23 13952]
    S3 PPortJoystick;Parallel Port Joystick device driver;c:\windows\system32\drivers\PPortJoy.sys [2004-1-23 28800]
    S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]
    S4 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-6-23 124608]

    =============== Created Last 30 ================

    2010-03-08 19:16:12 0 d-sha-r- C:\cmdcons
    2010-03-08 19:15:41 98816 ----a-w- c:\windows\sed.exe
    2010-03-08 19:15:41 77312 ----a-w- c:\windows\MBR.exe
    2010-03-08 19:15:41 261632 ----a-w- c:\windows\PEV.exe
    2010-03-08 19:15:41 161792 ----a-w- c:\windows\SWREG.exe
    2010-03-03 17:48:56 0 d-----w- c:\program files\Trend Micro
    2010-02-25 18:38:02 0 d-----w- c:\program files\2K Games
    2010-02-25 18:38:01 443752 ----a-w- c:\windows\system32\d3dx10_34.dll
    2010-02-25 18:38:01 3497832 ----a-w- c:\windows\system32\d3dx9_34.dll
    2010-02-25 18:38:01 266088 ----a-w- c:\windows\system32\xactengine2_8.dll
    2010-02-25 18:38:01 18280 ----a-w- c:\windows\system32\x3daudio1_2.dll
    2010-02-25 18:38:01 1124720 ----a-w- c:\windows\system32\D3DCompiler_34.dll
    2010-02-25 18:38:00 81768 ----a-w- c:\windows\system32\xinput1_3.dll

    ==================== Find3M ====================

    2009-12-21 19:14:05 916480 ------w- c:\windows\system32\wininet.dll
    2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
    2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2006-05-03 10:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
    2007-02-21 11:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
    2008-03-16 13:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll
    2008-08-25 18:12:09 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082520080826\index.dat

    ============= FINISH: 13:51:23.37 ===============
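The DDS and ComboFix output above is the poster's; what follows is an added triage script, not code from the thread, from DDS or from ComboFix. It runs a handful of heuristic rules that a helper reads such logs by hand for: Windows Firewall turned off in the standard profile, BHO and URL search hook entries that point at no file, hosts entries that pin a name to loopback, services whose binary DDS could not find (the `[?]` marker), and non-directory files in system32 carrying both the system and hidden attributes. The sample lines are copied verbatim from the log above, the rule names and the `Finding` type are my own, and every hit is a review item, not a verdict: a hidden system DLL or a hosts override can be perfectly legitimate, and the script only tells you where to look first.

```python
"""Heuristic triage over DDS-style log lines (added example, not part of the thread)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Lines copied from the DDS output posted above (a subset, kept verbatim).
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - No File
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
Hosts: 127.0.0.1 www.spywareinfo.com
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-2-4 324232]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys --> c:\windows\system32\drivers\motodrv.sys [?]
2009-12-21 19:14:05 916480 ------w- c:\windows\system32\wininet.dll
2006-05-03 10:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 11:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 13:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll
"""


@dataclass(frozen=True)
class Finding:
    rule: str    # which heuristic fired (names are this example's, not DDS's)
    detail: str  # the offending line or a short extract of it


# DDS file-listing line: "<date> <time> <size> <8-char attrs> <path>"
# attrs positions seen in DDS output: d=directory at 0, s=system at 2, h=hidden at 3.
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\d+\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$"
)
# Service/driver line: "<R|S><n> <name>;<display>;<path>[ --> <resolved>] [<stamp>]"
SERVICE_LINE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
HOSTS_LINE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")
FIREWALL_OFF = re.compile(r'^"EnableFirewall"\s*=\s*0\b')
SEARCH_HOOK = re.compile(r"^u?URLSearchHooks:")


def triage(log_text: str) -> List[Finding]:
    """Return review items found in the given DDS-style text, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if FIREWALL_OFF.match(line):
            findings.append(Finding("firewall_disabled", line))
        elif line.startswith("BHO:") and line.endswith("- No File"):
            # Registered browser helper object whose DLL is gone: orphan, cleanup candidate.
            findings.append(Finding("orphan_bho", line))
        elif SEARCH_HOOK.match(line) and line.endswith(" -"):
            # Search hook with no file path after the CLSID.
            findings.append(Finding("orphan_hook", line))
        elif (m := HOSTS_LINE.match(line)):
            # A name pinned to loopback/blackhole may be a deliberate blocklist entry or
            # malware blocking a security site; either way it is worth a look.
            if m.group("ip") in ("127.0.0.1", "0.0.0.0"):
                findings.append(Finding("hosts_override", f'{m.group("host")} -> {m.group("ip")}'))
        elif (m := SERVICE_LINE.match(line)):
            # DDS prints "[?]" when it could not stat the service binary.
            if m.group("rest").rstrip().endswith("[?]"):
                findings.append(Finding("service_missing_file", f'{m.group("name")}: {m.group("rest")}'))
        elif (m := FILE_LINE.match(line)):
            attrs, path = m.group("attrs"), m.group("path").lower()
            is_dir = attrs[0] == "d"
            hidden_system = "s" in attrs and "h" in attrs
            if (not is_dir and hidden_system
                    and path.startswith(r"c:\windows\system32")
                    and path.endswith((".dll", ".exe", ".sys"))):
                findings.append(Finding("hidden_system_file", path))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per rule, so a long log can be skimmed before reading details."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"[{f.rule}] {f.detail}")
    print(summarize(hits))
```

Run against the sample it reports one disabled firewall, two orphan BHOs, one orphan search hook, one hosts override, two services with missing binaries (one of them on E:, which the attach log lists as a CD-ROM drive) and the three hidden system DLLs; wininet.dll and savrt.sys are correctly left alone. Two caveats: the rules are deliberately narrow, so a clean run does not mean a clean machine, and not every alarming-looking key is an indicator; for example the `DisableMonitoring` value under the Security Center `Monitoring\SymantecAntiVirus` key in the ComboFix log is written by the AV product itself so that Security Center stops reporting on it, which is why the script does not flag it.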

  #7 (Junior Member, joined Mar 2010, 12 posts)

    Here is the dds attach file:


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-12-01.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 11/24/2005 6:44:23 PM
    System Uptime: 3/8/2010 1:29:51 PM (0 hours ago)

    Motherboard: ASUSTeK Computer INC. | | A8N-SLI Premium
    Processor: AMD Athlon(tm) 64 Processor 4000+ | Socket 939 | 2412/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 112 GiB total, 28.572 GiB free.
    E: is CDROM ()
    F: is CDROM ()
    G: is FIXED (NTFS) - 373 GiB total, 24.453 GiB free.

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: NVIDIA nForce Networking Controller
    Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0057\4&1F09082D&0&01
    Manufacturer: NVIDIA
    Name: NVIDIA nForce Networking Controller
    PNP Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0057\4&1F09082D&0&01
    Service: NVENETFD

    ==== System Restore Points ===================

    RP885: 12/20/2009 4:55:41 PM - Software Distribution Service 3.0
    RP886: 1/7/2010 8:57:30 AM - Software Distribution Service 3.0
    RP887: 1/8/2010 11:39:37 AM - System Checkpoint
    RP888: 1/9/2010 8:36:13 PM - System Checkpoint
    RP889: 1/11/2010 5:41:49 PM - System Checkpoint
    RP890: 1/12/2010 6:21:33 PM - System Checkpoint
    RP891: 1/13/2010 9:13:33 PM - System Checkpoint
    RP892: 1/13/2010 9:54:10 PM - Software Distribution Service 3.0
    RP893: 1/15/2010 11:06:54 AM - System Checkpoint
    RP894: 1/19/2010 11:03:09 AM - System Checkpoint
    RP895: 1/21/2010 12:21:02 PM - System Checkpoint
    RP896: 1/22/2010 6:10:50 PM - System Checkpoint
    RP897: 1/22/2010 11:23:20 PM - Software Distribution Service 3.0
    RP898: 1/24/2010 1:31:24 PM - System Checkpoint
    RP899: 1/25/2010 2:36:36 PM - System Checkpoint
    RP900: 1/26/2010 6:56:14 PM - System Checkpoint
    RP901: 1/27/2010 7:11:41 PM - System Checkpoint
    RP902: 1/29/2010 3:50:39 PM - System Checkpoint
    RP903: 1/30/2010 4:00:36 PM - System Checkpoint
    RP904: 2/1/2010 9:31:31 PM - System Checkpoint
    RP905: 2/3/2010 9:02:53 PM - System Checkpoint
    RP906: 2/6/2010 7:34:57 PM - System Checkpoint
    RP907: 2/7/2010 8:44:45 PM - System Checkpoint
    RP908: 2/8/2010 8:48:39 PM - System Checkpoint
    RP909: 2/10/2010 12:53:23 PM - Software Distribution Service 3.0
    RP910: 2/12/2010 3:51:52 PM - System Checkpoint
    RP911: 2/13/2010 5:37:21 PM - System Checkpoint
    RP912: 2/14/2010 7:59:34 PM - System Checkpoint
    RP913: 2/16/2010 5:17:17 PM - System Checkpoint
    RP914: 2/17/2010 5:38:10 PM - System Checkpoint
    RP915: 2/18/2010 6:07:29 PM - System Checkpoint
    RP916: 2/20/2010 4:37:47 PM - System Checkpoint
    RP917: 2/22/2010 8:22:01 AM - System Checkpoint
    RP918: 2/23/2010 8:34:14 AM - System Checkpoint
    RP919: 2/23/2010 1:47:35 PM - Software Distribution Service 3.0
    RP920: 3/3/2010 1:58:11 PM - System Checkpoint
    RP921: 3/8/2010 1:31:30 PM - ComboFix created restore point

    ==== Installed Programs ======================

    Acrobat.com
    Add or Remove Adobe Creative Suite 3 Design Premium
    Adobe Acrobat 8 Professional
    Adobe Acrobat 8.1.6 - CPSID_49167
    Adobe Acrobat 8.1.6 Professional
    Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
    Adobe AIR
    Adobe Anchor Service CS3
    Adobe Asset Services CS3
    Adobe Bridge CS3
    Adobe Bridge Start Meeting
    Adobe BridgeTalk Plugin CS3
    Adobe Camera Raw 4.0
    Adobe CMaps
    Adobe Color - Photoshop Specific
    Adobe Color Common Settings
    Adobe Color EU Extra Settings
    Adobe Color JA Extra Settings
    Adobe Color NA Recommended Settings
    Adobe Creative Suite 3 Design Premium
    Adobe Default Language CS3
    Adobe Device Central CS3
    Adobe Dreamweaver CS3
    Adobe ExtendScript Toolkit 2
    Adobe Extension Manager CS3
    Adobe Flash CS3
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 9 Plugin
    Adobe Flash Video Encoder
    Adobe Fonts All
    Adobe Help Viewer CS3
    Adobe Illustrator CS3
    Adobe InDesign CS3
    Adobe InDesign CS3 Icon Handler
    Adobe Linguistics CS3
    Adobe MotionPicture Color Files
    Adobe PDF Library Files
    Adobe Photoshop CS3
    Adobe Reader 9.3
    Adobe Setup
    Adobe SING CS3
    Adobe Stock Photos 1.0
    Adobe Stock Photos CS3
    Adobe Type Support
    Adobe Update Manager CS3
    Adobe Version Cue CS3 Client
    Adobe Version Cue CS3 Server {ko_KR}
    Adobe WAS CS3
    Adobe WinSoft Linguistics Plugin
    Adobe XMP Panels CS3
    AHV content for Acrobat and Flash
    Alias DirectConnect 2.0
    Any Video Converter 2.7.9
    Apple Mobile Device Support
    Apple Software Update
    Avanquest update
    AviSynth 2.5
    Battlefield
    Battlefield 2142
    Bonjour
    BT headset fix
    BufferChm
    Call of Duty(R) 2
    Call of Duty(R) 2 Mod Tools
    Call of Duty(R) 2 Patch 1.2
    Call of Duty(R) 2 Patch 1.3
    Canon S600
    Combined Community Codec Pack 2008-09-21 16:18
    Compatibility Pack for the 2007 Office system
    CorePLS_Min_QFolder
    Creative Mass Storage Drivers
    Critical Update for Windows Media Player 11 (KB959772)
    CustomerResearchQFolder
    Data Lifeguard Tools
    Destinations
    DeviceManagementQFolder
    DivXLand Media Subtitler
    DVD Shrink 3.2
    EA Link
    ERUNT 1.1j
    eSupportQFolder
    Far Cry (Patch 1)
    Far Cry (Patch 1.3)
    Far Cry (Patch 1.31)
    Far Cry (Patch 1.33)
    HiJackThis
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    HP Color LaserJet 2605 Series 1.0
    HP Extended Capabilities 6.0
    HP Imaging Device Functions 6.0
    HP Software Update
    HP Solution Center and Imaging Support Tools 6.0
    hppFonts
    hppIOFiles
    hppManuals2605
    HPProductAssistant
    hppWebRegMM
    IsoBuster 2.0
    iTunes
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 11
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3
    Java(TM) SE Runtime Environment 6 Update 1
    LiveUpdate 2.6 (Symantec Corporation)
    MarketResearch
    Mega Manager
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB953297)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft ActiveSync 4.0
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft LifeCam
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Converter Pack
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Office Professional Edition 2003
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Motorola Driver Installation 3.4.0
    Motorola Phone Tools
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 Parser and SDK
    Nero 7
    neroxml
    NVIDIA Drivers
    NVIDIA nTune
    Odyssey Access Client for Windows Mobile
    OGA Notifier 2.0.0048.0
    OLYMPUS Master 2
    OSP for Quake3 1.03
    PDF Settings
    Product_SF_Min_QFolder
    Quake 4(TM)
    Quake 4(TM) 1.3 Patch
    QuickPar 0.9
    QuickTime
    QuickTime Alternative 1.81
    RealPlayer
    Realtek AC'97 Audio
    Security Update for CAPICOM (KB931906)
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Internet Explorer 7 (KB929969)
    Security Update for Windows Internet Explorer 7 (KB931768)
    Security Update for Windows Internet Explorer 7 (KB933566)
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978706)
    Sid Meier's Civilization 4 Complete
    SolutionCenter
    Spybot - Search & Destroy
    SUPER © Version 2009.bld.35 (Jan 5, 2009)
    Symantec AntiVirus
    TeamSpeak 2 RC2
    Tweak UI
    Unload
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB969497)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Video Thumbnails Maker by Scorp (remove only)
    VLC media player 1.0.3
    WebFldrs XP
    WebReg
    WIDCOMM Bluetooth Software
    Winamp
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage v1.3.0254.0
    Windows Genuine Advantage Validation Tool
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Live installer
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Media Format 11 runtime
    Windows Media Player 10 Hotfix - KB894476
    Windows Media Player 11
    Windows XP Creativity Fun Packs - Windows Movie Maker 2
    Windows XP Service Pack 3
    WinRAR archiver
    Xilisoft Video Converter Ultimate
    XviD MPEG4 Video Codec (remove only)

    ==== Event Viewer Messages From Past Week ========

    3/8/2010 1:20:34 PM, error: Service Control Manager [7034] - The FLEXnet Licensing Service service terminated unexpectedly. It has done this 1 time(s).
    3/7/2010 5:04:42 PM, error: Service Control Manager [7034] - The Terminal Services service terminated unexpectedly. It has done this 1 time(s).
    3/7/2010 5:04:42 PM, error: Service Control Manager [7031] - The DCOM Server Process Launcher service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
    3/7/2010 4:59:24 PM, error: Service Control Manager [7034] - The TCP/IP NetBIOS Helper service terminated unexpectedly. It has done this 1 time(s).
    3/7/2010 4:59:24 PM, error: Service Control Manager [7034] - The SSDP Discovery Service service terminated unexpectedly. It has done this 1 time(s).
    3/7/2010 4:59:24 PM, error: Service Control Manager [7031] - The Remote Registry service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
    3/7/2010 4:36:29 PM, error: Srv [2019] - The server was unable to allocate from the system nonpaged pool because the pool was empty.
    3/5/2010 7:05:57 AM, error: Service Control Manager [7024] - The Symantec SPBBCSvc service terminated with service-specific error 4294967295 (0xFFFFFFFF).
    3/4/2010 8:50:24 PM, error: SRService [104] - The System Restore initialization process failed.
    3/4/2010 8:50:24 PM, error: Service Control Manager [7023] - The System Restore Service service terminated with the following error: A device attached to the system is not functioning.

    ==== End Of File ===========================

  8. #8
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi again,

    Signs of the Zbot information stealer were found there. You should change all your online passwords to new ones.


    Do you use Adobe Acrobat for other duties than pdf conversions?


    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    Folder::
    c:\documents and settings\john\Application Data\BitTorrent
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000000
    DDS::
    BHO: {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - No File

    Save this as CFScript

    A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine. This tool is not a toy and not for everyday use.



    Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe.
    Then post the resultant log.


    Get the update 9.3.1 for Adobe Reader here or get Foxit Reader here. Make sure you don't install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here.


    Uninstall vulnerable Flash versions by following the instructions here. A fresh version can be obtained here.


    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older-version Java components and update to the latest version...

    Updating Java:
    • Download the latest version of Java Runtime Environment (JRE) 6 Update 18.
    • Click the Download button to the right.
    • Select Windows in the platform combobox and check the box that says:
      Accept License Agreement. Click continue.
    • The page will refresh.
    • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u18-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.




    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    If you use Firefox:
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    If you use Opera:
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.


    Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.


    Post back its report, a fresh dds.txt log and the above-mentioned ComboFix resultant log.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  9. #9
    Junior Member
    Join Date
    Mar 2010
    Posts
    12

    Default

    Yes we do use the entire Adobe Suite that includes Acrobat. I can always reinstall it though if I have to.

    Here is the ComboFix run number two...

    ComboFix 10-03-08.01 - john 03/08/2010 16:12:57.2.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1446 [GMT -6:00]
    Running from: c:\documents and settings\john\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\john\Desktop\CFScript.txt
    AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\john\Application Data\BitTorrent

    .
    ((((((((((((((((((((((((( Files Created from 2010-02-08 to 2010-03-08 )))))))))))))))))))))))))))))))
    .

    2010-03-03 17:48 . 2010-03-03 17:48 388096 ----a-r- c:\documents and settings\john\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
    2010-03-03 17:48 . 2010-03-03 17:48 -------- d-----w- c:\program files\Trend Micro
    2010-03-03 17:47 . 2010-03-03 17:47 -------- d-----w- c:\program files\ERUNT
    2010-02-25 18:51 . 2010-02-26 01:27 -------- d-----w- c:\documents and settings\john\Local Settings\Application Data\My Games
    2010-02-25 18:38 . 2010-02-25 18:38 -------- d-----w- c:\program files\2K Games
    2010-02-25 18:38 . 2007-06-21 02:46 266088 ----a-w- c:\windows\system32\xactengine2_8.dll
    2010-02-25 18:38 . 2007-06-21 02:45 18280 ----a-w- c:\windows\system32\x3daudio1_2.dll
    2010-02-25 18:38 . 2007-05-16 22:45 443752 ----a-w- c:\windows\system32\d3dx10_34.dll
    2010-02-25 18:38 . 2007-05-16 22:45 3497832 ----a-w- c:\windows\system32\d3dx9_34.dll
    2010-02-25 18:38 . 2007-05-16 22:45 1124720 ----a-w- c:\windows\system32\D3DCompiler_34.dll
    2010-02-25 18:38 . 2007-04-05 00:53 81768 ----a-w- c:\windows\system32\xinput1_3.dll
    2010-02-25 17:45 . 2010-02-25 17:45 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-03-08 22:11 . 2005-11-25 01:02 -------- d-----w- c:\program files\Symantec AntiVirus
    2010-03-08 21:59 . 2009-11-13 23:05 -------- d-----w- c:\documents and settings\john\Application Data\vlc
    2010-03-08 21:12 . 2009-02-20 21:32 -------- d-----w- c:\program files\Video Thumbnails Maker
    2010-03-03 19:58 . 2005-11-29 01:23 -------- d-----w- c:\program files\Ahead
    2010-03-03 19:56 . 2006-10-26 14:01 -------- d-----w- c:\program files\AvantGo
    2010-02-25 18:54 . 2005-11-25 01:20 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-02-23 17:58 . 2006-09-11 02:38 -------- d-----w- c:\documents and settings\john\Application Data\dvdcss
    2010-01-10 02:14 . 2009-11-14 00:38 -------- d-----w- c:\documents and settings\john\Application Data\Any Video Converter
    2009-12-31 16:50 . 2004-08-04 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
    2009-12-21 19:14 . 2004-08-04 12:00 916480 ------w- c:\windows\system32\wininet.dll
    2009-12-16 18:43 . 2005-11-25 00:39 343040 ----a-w- c:\windows\system32\mspaint.exe
    2009-12-14 07:08 . 2004-08-04 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2006-05-03 10:06 . 2009-02-23 21:12 163328 --sh--r- c:\windows\system32\flvDX.dll
    2007-02-21 11:47 . 2009-02-23 21:12 31232 --sh--r- c:\windows\system32\msfDX.dll
    2008-03-16 13:30 . 2009-02-23 21:12 216064 --sh--r- c:\windows\system32\nbDX.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
    "SoundMan"="SOUNDMAN.EXE" [2005-06-21 77824]
    "LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2006-10-13 277296]
    "Acrobat Assistant 8.0"="g:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]
    "nwiz"="nwiz.exe" [2008-09-18 1657376]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 86016]
    "QuickTime Task"="c:\program files\QuickTime Alternative\qttask.exe" [2009-01-05 413696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

    c:\documents and settings\john\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-7-13 565309]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2007-03-01 20:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "WMPNetworkSvc"=3 (0x3)
    "SavRoam"=3 (0x3)
    "RDSessMgr"=3 (0x3)
    "RasMan"=3 (0x3)
    "RasAuto"=3 (0x3)
    "PnkBstrB"=2 (0x2)
    "PnkBstrA"=2 (0x2)
    "mnmsrvc"=3 (0x3)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\WINDOWS\\system32\\dpnsvr.exe"=
    "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Civilization4.exe"=
    "c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Warlords\\Civ4Warlords.exe"=
    "c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Beyond the Sword\\Civ4BeyondSword.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
    "3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
    "3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
    "50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
    "50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [1/29/2008 2:56 PM 18176]
    S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [1/29/2008 2:56 PM 7680]
    S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys --> c:\windows\system32\DRIVERS\motodrv.sys [?]
    S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [1/29/2008 2:56 PM 23680]
    S3 PPJoyBus;Parallel Port Joystick Bus device driver;c:\windows\system32\drivers\PPJoyBus.sys [1/23/2004 3:33 PM 13952]
    S3 PPortJoystick;Parallel Port Joystick device driver;c:\windows\system32\drivers\PPortJoy.sys [1/23/2004 3:32 PM 28800]
    S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]
    S4 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/23/2005 7:27 PM 124608]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - EraserUtilDrvI9
    *Deregistered* - EraserUtilRebootDrv
    .
    Contents of the 'Scheduled Tasks' folder

    2010-03-08 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    uInternet Settings,ProxyOverride = *.local
    IE: Append to existing PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} - file:///D:/Program%20Files/xnews/downloads/Guitar/Riff%20Interactive%20-%2060S%20Funk%20Soul/setup/RiffLick.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-03-08 16:21
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2010-03-08 16:24:26
    ComboFix-quarantined-files.txt 2010-03-08 22:24
    ComboFix2.txt 2010-03-08 19:44

    Pre-Run: 31,391,977,472 bytes free
    Post-Run: 31,379,927,040 bytes free

    - - End Of File - - 0880770E201B62BF821FB17BD0F1B173
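The ComboFix and DDS excerpts above contain three things a helper reads by eye: file entries with attribute strings, the firewall policy block, and Service Control Manager errors. The script below is an added example (not code from the thread, ComboFix or DDS) that parses those line formats and applies the checks a responder would want: hidden+system regular files under system32, EnableFirewall set to 0 in the standard profile, and services that terminated unexpectedly. The attribute-column positions (d/s/h) are an assumption inferred from the entries visible in the log.

```python
"""Triage helper for the ComboFix and DDS log excerpts quoted in this thread (added
example, not part of ComboFix or DDS): parses file entries from "Files Created" /
"Find3M Report", the firewall block under "Reg Loading Points" and SCM lines from
"Event Viewer Messages". Attribute-column positions (d/s/h) are an assumption."""
import re
from dataclasses import dataclass
from typing import List, Optional

# One ComboFix file entry: "<ts> . <ts> <size|--------> <attrs> <path>"
ENTRY_RE = re.compile(
    r"^(?P<t1>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<t2>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>.+)$")
SECTION_RE = re.compile(r"^\[.+\]$")                       # registry key header
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(?P<value>\d+)')
SCM_RE = re.compile(r"error: Service Control Manager \[(?:7031|7034)\] - "
                    r"The (?P<service>.+?) service terminated unexpectedly")

@dataclass
class Entry:
    timestamp1: str
    timestamp2: str
    size: Optional[int]  # None for directories ("--------" in the size column)
    attrs: str
    path: str
    def is_dir(self) -> bool:            # assumed: attrs[0] == 'd'
        return self.attrs[0] == "d"
    def is_hidden_system(self) -> bool:  # assumed: attrs[2] == 's', attrs[3] == 'h'
        return self.attrs[2] == "s" and self.attrs[3] == "h"

def parse_entries(lines) -> List[Entry]:
    """Return every line that parses as a ComboFix file entry."""
    entries = []
    for raw in lines:
        m = ENTRY_RE.match(raw.strip())
        if m:
            size = None if m["size"].startswith("-") else int(m["size"])
            entries.append(Entry(m["t1"], m["t2"], size, m["attrs"], m["path"]))
    return entries

def hidden_system_files_in_system32(entries) -> List[str]:
    """Regular files under system32 with system+hidden set; hidden system dirs such as IETldCache are skipped."""
    return [e.path for e in entries
            if not e.is_dir() and e.is_hidden_system()
            and e.path.lower().startswith("c:\\windows\\system32\\")]

def firewall_disabled(lines) -> bool:
    """True when the standard-profile policy block shows EnableFirewall = 0."""
    section = ""
    for line in map(str.strip, lines):
        if SECTION_RE.match(line):
            section = line.lower()
        elif section.endswith("firewallpolicy\\standardprofile]") and FIREWALL_RE.match(line):
            return int(FIREWALL_RE.match(line)["value"]) == 0
    return False

def crashed_services(lines) -> List[str]:
    """Services the SCM reported as terminated unexpectedly (events 7031/7034)."""
    return [m["service"] for m in map(SCM_RE.search, lines) if m]

def triage(log_text: str) -> dict:
    lines = log_text.splitlines()
    entries = parse_entries(lines)
    return {"entries": len(entries),
            "hidden_system_files": hidden_system_files_in_system32(entries),
            "firewall_disabled": firewall_disabled(lines),
            "crashed_services": crashed_services(lines)}

# Constructed subset of lines taken from the logs quoted above, not a full log.
SAMPLE_LOG = r"""
2010-03-08 22:11 . 2005-11-25 01:02 -------- d-----w- c:\program files\Symantec AntiVirus
2010-02-25 17:45 . 2010-02-25 17:45 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-12-31 16:50 . 2004-08-04 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2006-05-03 10:06 . 2009-02-23 21:12 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 11:47 . 2009-02-23 21:12 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 13:30 . 2009-02-23 21:12 216064 --sh--r- c:\windows\system32\nbDX.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
3/7/2010 5:04:42 PM, error: Service Control Manager [7034] - The Terminal Services service terminated unexpectedly. It has done this 1 time(s).
3/7/2010 5:04:42 PM, error: Service Control Manager [7031] - The DCOM Server Process Launcher service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
"""
```

Running `triage(SAMPLE_LOG)` flags the three hidden+system DLLs in system32 and the disabled firewall while leaving the legitimately hidden IETldCache directory alone; a flagged file is a lead to verify against vendor hashes, not a verdict on its own.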

  10. #10
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi,

    Yes we do use the entire Adobe Suite that includes Acrobat.
    In that case, you should get the latest security updates for it.

    I shall wait for those other reports.