Trojan.Vundo removal help

Printable View

Show 40 post(s) from this thread on one page

November 11th, 2009, 04:54 PM
crunchie

I have heard nothing bad about it, but have had no personal dealings with it, so it is hard to say.
Keep me posted.
November 15th, 2009, 01:43 PM
tenneyn

Crunchie,
mba-m found a rootkit yesterday, which it supposedly removed. I'll post that log below, plus a current hijack this log. computer continues to be slow on shutdown, about two minutes, with the weird change from normal still being that if I go the START>Turn Off Computer route it takes most of the two minutes to get to the restart/shutdown/sleep dialogue box, which is really inconvenient bc I have to stand there rather than walking away while it shuts down. Setting up the laptop close cover, Fn/F3 button, and power button to each correspond to a different option seems to be a successful workaround most of the time (though they can hang sometimes too). UnHackMe cumbersome but so far somewhat useful I think. Thanks! Tenney

Malwarebytes' Anti-Malware 1.41
Database version: 3168
Windows 5.1.2600 Service Pack 3

11/14/2009 6:10:09 AM
mbam-log-2009-11-14 (06-10-09).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 323556
Time elapsed: 3 hour(s), 26 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{1E2B5DEE-A9DF-4BEB-80A4-D17E3B9C3CEA}\RP695\A0225285.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:42:23 AM, on 11/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\University of Arizona Software\U of A VPN Client\cvpnd.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\cryptainersrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\UnHackMe\hackmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\comcasttb\CIDGlobalLight.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.5.2.11\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.5.2.11\IPSBHO.DLL
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: ShimHelper Class - {776BAD77-F558-4692-B692-43AFDCFF0320} - C:\Program Files\browserhighlighter\Shim.dll
O2 - BHO: - {79CEEA4E-C231-4614-9E3B-53B2A02F39B7} - C:\Program Files\comcasttb\comcastdx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\YTSingleInstance.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.5.2.11\coIEPlg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O3 - Toolbar: Comcast Toolbar - {79CEEA4E-C231-4614-9E3B-53B2A02F39B7} - C:\Program Files\comcasttb\comcastdx.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [UnHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: TeleNav - {02818a03-790c-4dc1-b92b-85a79d635dfa} - C:\WINDOWS\system32\telenav-ie.htm
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: The Browser Highlighter - {5FA99BFF-0D30-40a0-9E76-0B4877E2C1D0} - C:\Program Files\browserhighlighter\Shim.dll (HKCU)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1201562111109
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1201562203718
O16 - DPF: {9C0B28E0-FCF4-40B5-ABD2-D223EA7AF839} (MyTN.AddressBookImporter) - http://my.telenav.com/mytn/MyTN.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.5.2.11\coIEPlg.dll
O20 - AppInit_DLLs: C:\PROGRA~1\GOOGLE\GOOGLE~3\GOEC62~1.DLL
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CarboniteService - Carbonite, Inc. (www.carbonite.com) - C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\University of Arizona Software\U of A VPN Client\cvpnd.exe
O23 - Service: Cypherix service (cypherixservice) - Cypherix Software (India) Pvt. Ltd. - C:\WINDOWS\SYSTEM32\cypherixsrv.exe
O23 - Service: Google Desktop Manager 5.9.909.30391 (GoogleDesktopManager-093009-130223) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: JTVNCProxy (JTVNCProxy_10.0) - Unknown owner - C:\Program Files\Freedom Scientific\JAWS\10.0\JTVNCProxy.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Cryptainer service (ssoftservice) - Cypherix Software (India) Pvt. Ltd. - C:\WINDOWS\SYSTEM32\cryptainersrv.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 14705 bytes
November 15th, 2009, 04:37 PM
crunchie

Go to Start | Run and type msconfig and press enter.

When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings link on the left.

Check the box labelled 'Turn off System restore'.

Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.

Note that all previous restore points will be lost.

==

Download gmer.zip: http://www.gmer.net/files.php
Unzip the file, and double click on gmer.exe, select Rootkit tab and click the Scan button.
When scan is completed, click Save button, and save the results as gmer.log
Warning ! Please, do not select the "Show all" checkbox during the scan.
Post the log to your next reply.
November 17th, 2009, 02:26 AM
tenneyn

1 Attachment(s)

Crunchie

here's the gmer log. I didn't select show all. The file is gigantic; I'll try to post as a single post but will probably have to split it over several. Looking forward to your reply, thanks again,

Tenney

***

actually it would take about 10-12 different screens to post it, so I'll try to send it as an attachment. (It didn't give me any choice actually about SHOW ALL, that was unchecked but greyed out--is this a "show all" log? hope it will post as attached file!
November 17th, 2009, 05:34 AM
crunchie

Still see nothing untoward there.

Download DDS from the following location:

DDS Tool

Save dds.scr to the desktop

Disable any script-blocking programs and then double-click on the DDS.scr icon to start the program. If you did not disable a script-blocker that may be part of your antimalware program, you may receive a warning from your antimalware product asking if you would like DDS.scr to run. Please allow it to do so.

Once you double-click the icon a Windows security warning may also appear asking if you are sure you would like to run the program. Click on the Run button to start DDS. If no warning appeared, then you should just continue.

DDS will now display a small black window providing information as to what DDS is doing on your computer.

DDS will now start scanning your computer and compiling a variety of information about what programs are starting on your computer, what files have been recently created, and the general configuration of your computer. When DDS has finished scanning, all of this information will be compiled and be displayed in two Notepad windows named dds.txt and attach.txt.

You will then be shown a small box giving instructions as to what you should do with these files. Feel free to close this message box by pressing the OK button.

We now need to save the two log files that were created. First click on the DDS.txt window and click on the File menu and then select Save As... menu option.

Save DDS.txt to the desktop. Now click on the Attach.txt Notepad window and save that to the desktop also.

Copy the contents of the DDS.txt log and paste it into your reply here.
Attach the attach.txt log with your reply using Reply to Thread button, then the Manage Attachments button.
November 18th, 2009, 02:53 PM
tenneyn

DDS (Ver_09-10-26.01) - NTFSx86
Run by Tenney Nathanson at 11:48:44.90 on Wed 11/18/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.931 [GMT -7:00]

AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\University of Arizona Software\U of A VPN Client\cvpnd.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\cryptainersrv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\meetingmaker\mm.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Documents and Settings\Tenney Nathanson\My Documents\downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn4\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn4\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\smart web printing\hpswp_printenhancer.dll
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.5.2.11\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\3.5.2.11\IPSBHO.DLL
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: ShimHelper Class: {776bad77-f558-4692-b692-43afdcff0320} - c:\program files\browserhighlighter\Shim.dll
BHO: Comcast Toolbar: {79ceea4e-c231-4614-9e3b-53b2a02f39b7} - c:\program files\comcasttb\comcastdx.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn4\YTSingleInstance.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.5.2.11\coIEPlg.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn4\yt.dll
TB: Comcast Toolbar: {79ceea4e-c231-4614-9e3b-53b2a02f39b7} - c:\program files\comcasttb\comcastdx.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [nwiz] nwiz.exe /install
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {02818a03-790c-4dc1-b92b-85a79d635dfa} - c:\windows\system32\telenav-ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
Trusted Zone: turbotax.com
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1201562111109
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1201562203718
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {9C0B28E0-FCF4-40B5-ABD2-D223EA7AF839} - hxxp://my.telenav.com/mytn/MyTN.CAB
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: AutorunsDisabled\skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\3.5.2.11\CoIEPlg.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
AppInit_DLLs: c:\progra~1\google\google~3\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tenney~1\applic~1\mozilla\firefox\profiles\q7vpbbf6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/webhp?sourceid=navclient-ff
FF - prefs.js: keyword.URL - hxxp://errorpage.comcast.net/?cat=Web&con=dc&safe=on&q=
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\program files\mozilla firefox\components\FFComm.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\mozilla firefox\extensions\[email protected]\components\Shim.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPInfotl.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npstrlnk.dll
FF - plugin: c:\program files\picasa2\npPicasa2.dll
FF - plugin: c:\program files\picasa2\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0305020.00b\SymEFA.sys [2009-9-8 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0305020.00b\BHDrvx86.sys [2009-9-8 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0305020.00b\cchpx86.sys [2009-9-8 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20091111.001\IDSXpx86.sys [2009-11-12 329592]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-4 98304]
R2 cyphxdrv;cyphxdrv;c:\windows\system32\drivers\cyphxdrv.sys [2009-3-2 100728]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R2 N360;Norton 360;c:\program files\norton 360\engine\3.5.2.11\ccSvcHst.exe [2009-9-8 117640]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-4 118784]
R2 ssoftnt4;ssoftnt4;c:\windows\system32\drivers\ssoftnt4.sys [2008-2-15 100728]
R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-11-16 102448]
S2 cypherixservice;Cypherix service;cypherixsrv.exe --> cypherixsrv.exe [?]
S3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-2-15 30192]
S3 JTVNCProxy_10.0;JTVNCProxy;c:\program files\freedom scientific\jaws\10.0\JTVNCProxy.exe [2009-6-9 16152]
S4 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\comcastspywarescan\ComcastAntiSpyService.exe [2009-3-16 616408]
S4 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-9-2 18176]
S4 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-9-2 7680]
S4 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2008-9-2 23680]

=============== Created Last 30 ================

2009-11-16 06:00:47 0 d-----w- c:\windows\pss
2009-11-11 17:09:01 0 d-sha-r- C:\cmdcons
2009-11-11 16:28:33 98816 ----a-w- c:\windows\sed.exe
2009-11-11 16:28:33 77312 ----a-w- c:\windows\MBR.exe
2009-11-11 16:28:33 267264 ----a-w- c:\windows\PEV.exe
2009-11-11 16:28:33 161792 ----a-w- c:\windows\SWREG.exe
2009-11-06 00:14:23 0 d-----w- c:\docume~1\tenney~1\applic~1\Malwarebytes
2009-11-06 00:14:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-06 00:14:13 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-06 00:14:12 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-06 00:14:12 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2009-11-17 06:51:40 256 ----a-w- c:\documents and settings\tenney nathanson\pool.bin
2009-10-20 03:33:28 139251 ----a-w- c:\windows\hpoins15.dat
2009-10-11 11:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-07 05:16:12 2000000 ----atw- c:\windows\system32\HJSMEM.DAT
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08:21 916480 ------w- c:\windows\system32\wininet.dll
2009-08-29 02:42:52 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-25 18:29:53 19521 ----a-w- c:\windows\hpqins13.dat
2009-08-20 22:09:06 1193832 ----a-w- c:\windows\system32\FM20.DLL
2008-05-07 04:20:21 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008050620080507\index.dat

============= FINISH: 11:50:32.73 ===============
November 18th, 2009, 02:55 PM
tenneyn

1 Attachment(s)

here's the attach log
November 18th, 2009, 04:52 PM
crunchie

Are you still using Cypherix encryption software?

Please go to Jotti's or to virustotal and have these files scanned. Post the results back here.

c:\windows\sed.exe
c:\windows\MBR.exe
c:\windows\PEV.exe
November 19th, 2009, 04:34 PM
tenneyn

sed.exe is clean
Norman timed out, all the others returned "found nothing"

additional info:

File size: 98816 bytes
Filetype: PE32 executable for MS Windows (console) Intel 80386 32-bit
MD5: 2b657a67aebb84aea5632c53e61e23bf
SHA1: 7d723cf82658da76bda85ae00bf20cb01b43edc8
November 19th, 2009, 05:05 PM
tenneyn

MBR.exe

additional info:
mostly comes up "found nothing"
but VBA32 says "2009-11-18 Win32 Shadow Driver Install"
Norman timed out

File size: 77312 bytes
Filetype: PE32 executable for MS Windows (console) Intel 80386 32-bit
MD5: c5ec72a20b4c98db5314e6c46765b148
SHA1: e51e0b26d3a8fb28e0e4dcf78b6e4df2da879ff4
File size: 77312 bytes
Filetype: PE32 executable for MS Windows (console) Intel 80386 32-bit
MD5: c5ec72a20b4c98db5314e6c46765b148
SHA1: e51e0b26d3a8fb28e0e4dcf78b6e4df2da879ff4
Packer (Avast): UPX
Packer (Drweb): UPX, BINARYRES
Packer (Kaspersky): PE_Patch.UPX, UPX
November 19th, 2009, 05:07 PM
tenneyn

yes I'm still using Cypherix to create little virtual drives on my hard drive where I can store certain documents (financial, medical, etc.)
November 19th, 2009, 05:09 PM
tenneyn

PEV.exe

found something!

CP Secure says: "2009-11-19 BackDoor.W32.Agent.akon"
all others says "found nothing"

additional file info:

File size: 267264 bytes
Filetype: PE32 executable for MS Windows (console) Intel 80386 32-bit
MD5: 13b17ee805b761a23690c060e22606e8
SHA1: eb752476f75c7775d9edc3bdd92bda58c9eb5770
Packer (Avast): PECompact
Packer (Drweb): PECOMPACT
Packer (Kaspersky): PE_Patch.PECompact, PecBundle, PECompact

what's the next step?

thanks!

Tenney
November 19th, 2009, 09:26 PM
crunchie
1. Please open Notepad
- Click Start , then Run
- Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:

KillAll:: File:: c:\windows\PEV.exe FileLook:: c:\windows\sed.exe c:\windows\MBR.exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

https://discussions.virtualdr.com/im.../2010/07/1.gif

7. After reboot, (in case it asks to reboot), please post the following reports/logs into your next replyafter you re-enable all the programs that were disabled during the running of ComboFix:
- Combofix.txt
- A new HijackThis log.
Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
November 19th, 2009, 11:39 PM
tenneyn

Crunchie--

here is new Combofix log, split into two posts bc of length limits:

ComboFix 09-11-19.05 - Tenney Nathanson 11/19/2009 19:42.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1056 [GMT -7:00]
Running from: c:\documents and settings\Tenney Nathanson\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Tenney Nathanson\Desktop\CFScript.txt
AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((( Files Created from 2009-10-20 to 2009-11-20 )))))))))))))))))))))))))))))))
.

2009-11-20 02:58 . 2009-08-22 08:26 165240 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
2009-11-20 01:54 . 2009-08-25 08:00 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091119.024\NAVENG.SYS
2009-11-20 01:54 . 2009-08-25 08:00 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091119.024\NAVENG32.DLL
2009-11-20 01:54 . 2009-08-25 08:00 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091119.024\NAVEX32A.DLL
2009-11-20 01:54 . 2009-08-25 08:00 1323568 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091119.024\NAVEX15.SYS
2009-11-20 01:54 . 2009-09-22 08:00 259440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091119.024\ECMSVR32.DLL
2009-11-20 01:54 . 2009-08-26 08:00 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091119.024\EECTRL.SYS
2009-11-20 01:54 . 2009-08-26 08:00 102448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091119.024\ERASER.SYS
2009-11-20 01:54 . 2009-09-15 08:00 2747952 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091119.024\CCERASER.DLL
2009-11-13 01:44 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091111.001\Scxpx86.dll
2009-11-13 01:44 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091111.001\IDSvix86.sys
2009-11-13 01:44 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091111.001\IDSXpx86.sys
2009-11-13 01:44 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091111.001\IDSxpx86.dll
2009-11-13 01:44 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091111.001\IDSviA64.sys
2009-11-11 21:04 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091107.001\IDSXpx86.sys
2009-11-11 21:04 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091107.001\Scxpx86.dll
2009-11-11 21:04 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091107.001\IDSxpx86.dll
2009-11-11 21:04 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091107.001\IDSvix86.sys
2009-11-11 21:04 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091107.001\IDSviA64.sys
2009-11-11 19:44 . 2009-11-11 19:44 -------- d-----w- c:\documents and settings\Tenney Nathanson\Local Settings\Application Data\Amazon
2009-11-06 15:56 . 2009-10-13 17:20 669032 ----a-w- c:\documents and settings\Tenney Nathanson\Application Data\Microsoft\Internet Explorer\Quick Launch\autoruns.exe
2009-11-06 00:14 . 2009-11-06 00:14 -------- d-----w- c:\documents and settings\Tenney Nathanson\Application Data\Malwarebytes
2009-11-06 00:14 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-06 00:14 . 2009-11-06 00:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-06 00:14 . 2009-11-06 00:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-06 00:14 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-04 04:10 . 2009-11-04 04:10 152576 ----a-w- c:\documents and settings\Tenney Nathanson\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-02 04:55 . 2009-11-02 04:55 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-10-28 22:37 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSvix86.sys
2009-10-28 22:37 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSXpx86.sys
2009-10-28 22:37 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\Scxpx86.dll
2009-10-28 22:37 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSxpx86.dll
2009-10-28 22:37 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSviA64.sys
2009-10-25 22:46 . 2009-10-25 22:46 6729728 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\181625-18178.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-20 03:26 . 2009-03-31 07:19 256 ----a-w- c:\documents and settings\Tenney Nathanson\pool.bin
2009-11-20 02:57 . 2008-02-27 14:46 12 ----a-w- c:\windows\bthservsdp.dat
2009-11-20 00:48 . 2009-03-03 04:52 -------- d-----w- c:\program files\Cypherix PE
2009-11-19 17:18 . 2008-02-15 20:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-11-17 03:56 . 2009-02-16 19:44 -------- d-----w- c:\program files\UnHackMe
2009-11-15 15:57 . 2009-05-17 18:28 -------- d-----w- c:\documents and settings\Tenney Nathanson\Application Data\CallingID
2009-11-15 06:10 . 2009-09-21 07:08 -------- d-----w- c:\documents and settings\Tenney Nathanson\Application Data\SlimBrowser
2009-11-12 16:14 . 2009-05-17 18:25 -------- d-----w- c:\documents and settings\Tenney Nathanson\Application Data\comcasttb
2009-11-11 19:44 . 2008-06-13 04:52 -------- d-----w- c:\program files\Amazon
2009-11-11 06:11 . 2009-02-16 19:44 2 --shatr- c:\windows\winstart.bat
2009-11-04 04:12 . 2008-01-29 17:43 -------- d-----w- c:\program files\Java
2009-11-02 05:06 . 2008-10-13 23:54 -------- d-----w- c:\program files\iTunes
2009-11-02 05:04 . 2008-10-13 23:54 -------- d-----w- c:\program files\iPod
2009-10-27 00:56 . 2008-02-14 21:14 -------- d-----w- c:\documents and settings\Tenney Nathanson\Application Data\U3
2009-10-25 22:47 . 2008-02-18 03:23 -------- d-----w- c:\program files\Quicken
2009-10-25 22:43 . 2009-06-24 01:56 245760 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\QWPATCH.EXE
2009-10-23 21:03 . 2008-02-17 06:56 -------- d-----w- c:\documents and settings\Tenney Nathanson\Application Data\Apple Computer
2009-10-20 03:33 . 2008-04-06 06:01 139251 ----a-w- c:\windows\hpoins15.dat
2009-10-14 22:17 . 2008-01-28 23:24 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-11 11:17 . 2009-01-09 19:37 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-06 08:08 . 2009-10-06 08:07 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-28 19:51 . 2009-09-28 19:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\comcasttb
2009-09-28 19:42 . 2009-09-28 19:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\Logitech
2009-09-22 16:00 . 2008-01-29 17:38 -------- d-----w- c:\program files\Common Files\Real
2009-09-22 15:59 . 2009-09-22 15:59 -------- d-----w- c:\program files\Common Files\xing shared
2009-09-21 19:43 . 2008-09-28 03:24 -------- d-----w- c:\program files\QuickTime
2009-09-21 19:39 . 2008-02-17 06:54 -------- d-----w- c:\program files\Common Files\Apple
2009-09-21 07:09 . 2009-09-21 07:09 -------- d-----w- c:\documents and settings\All Users\Application Data\RoboForm
2009-09-21 07:08 . 2009-09-21 07:08 -------- d-----w- c:\program files\Siber Systems
2009-09-21 07:07 . 2009-09-21 07:07 -------- d-----w- c:\program files\SlimBrowser
2009-09-11 14:18 . 2006-06-01 04:16 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-07 05:16 . 2009-06-09 18:52 2000000 ----atw- c:\windows\system32\HJSMEM.DAT
2009-09-04 21:03 . 2006-06-01 04:16 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2006-06-01 04:17 916480 ------w- c:\windows\system32\wininet.dll
2009-08-29 02:42 . 2009-03-17 16:17 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-29 02:42 . 2008-02-17 06:55 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-26 08:00 . 2006-06-01 04:17 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-25 18:29 . 2009-08-25 18:13 19521 ----a-w- c:\windows\hpqins13.dat
2009-08-25 18:17 . 2008-02-15 12:47 32768 ----a-w- c:\windows\system32\drivers\tifsfilt.sys
2009-08-25 18:17 . 2009-05-27 06:56 392320 ----a-w- c:\windows\system32\drivers\timntr.sys
2009-08-25 18:17 . 2008-02-15 12:47 99776 ----a-w- c:\windows\system32\drivers\snapman.sys
2009-08-24 06:32 . 2009-03-31 06:31 256 ----a-w- c:\windows\system32\pool.bin
2009-08-24 05:26 . 2009-08-24 05:26 10134 ----a-r- c:\documents and settings\Tenney Nathanson\Application Data\Microsoft\Installer\{62880A3B-2F9C-4C58-8FFA-1DA280262B5E}\ARPPRODUCTICON.exe
2009-04-01 05:47 . 2009-04-07 05:56 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
2008-11-26 00:08 . 2008-08-21 02:03 61440 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll
2009-10-30 17:48 . 2008-02-15 20:41 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
November 19th, 2009, 11:39 PM
tenneyn

((((((((((((((((((((((((((((( SnapShot@2009-11-11_17.23.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-20 02:58 . 2009-11-20 02:58 16384 c:\windows\Temp\Perflib_Perfdata_7d0.dat
+ 2009-11-20 03:00 . 2009-11-20 03:00 16384 c:\windows\Temp\Perflib_Perfdata_3c4.dat
+ 2009-11-20 02:58 . 2009-11-20 02:58 16384 c:\windows\Temp\Perflib_Perfdata_20c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2009-04-30 00:19 583312 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2009-04-30 00:19 583312 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2009-04-30 00:19 583312 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-15 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-10-30 30192]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-02-13 282624]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-07-21 1519616]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 09:42 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\QWS3270 Secure\\QWS3287p.exe"=
"c:\\Program Files\\QWS3270 Secure\\QWS3270s.exe"=
"c:\\Program Files\\QWS3270 Secure\\lpd.exe"=
"c:\\Program Files\\QWS3270 Secure\\AutoUpdt.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0305020.00B\SymEFA.sys [9/8/2009 8:19 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0305020.00B\BHDrvx86.sys [9/8/2009 8:19 PM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0305020.00B\cchpx86.sys [9/8/2009 8:19 PM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091111.001\IDSXpx86.sys [11/12/2009 6:44 PM 329592]
R2 cyphxdrv;cyphxdrv;c:\windows\system32\drivers\cyphxdrv.sys [3/2/2009 9:52 PM 100728]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe [9/8/2009 8:18 PM 117640]
R2 ssoftnt4;ssoftnt4;c:\windows\system32\drivers\ssoftnt4.sys [2/15/2008 1:16 PM 100728]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [11/19/2009 9:28 AM 102448]
S2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [10/4/2004 4:47 AM 98304]
S2 cypherixservice;Cypherix service;cypherixsrv.exe --> cypherixsrv.exe [?]
S2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [10/4/2004 3:40 AM 118784]
S3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2/15/2008 1:41 PM 30192]
S3 JTVNCProxy_10.0;JTVNCProxy;c:\program files\Freedom Scientific\JAWS\10.0\JTVNCProxy.exe [6/9/2009 12:28 PM 16152]
S4 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe [3/16/2009 2:37 PM 616408]
S4 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [9/2/2008 9:45 AM 18176]
S4 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [9/2/2008 9:45 AM 7680]
S4 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [9/2/2008 9:45 AM 23680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
bdx REG_MULTI_SZ scan
.
Contents of the 'Scheduled Tasks' folder

2009-11-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 19:34]

2009-11-20 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-02-15 23:10]

2009-11-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3473810947-3136250097-2599601964-1007Core.job
- c:\documents and settings\Tenney Nathanson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-17 03:12]

2009-11-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3473810947-3136250097-2599601964-1007UA.job
- c:\documents and settings\Tenney Nathanson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-17 03:12]

2008-01-28 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-06-01 00:12]

2008-01-28 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-06-01 00:12]

2008-01-28 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-06-01 00:12]

2009-11-20 c:\windows\Tasks\User_Feed_Synchronization-{75E32A0D-FB27-4BA9-A1FD-2B5426F5BAE9}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: {{02818a03-790c-4dc1-b92b-85a79d635dfa} - c:\windows\system32\telenav-ie.htm
Trusted Zone: turbotax.com
DPF: {9C0B28E0-FCF4-40B5-ABD2-D223EA7AF839} - hxxp://my.telenav.com/mytn/MyTN.CAB
FF - ProfilePath - c:\documents and settings\Tenney Nathanson\Application Data\Mozilla\Firefox\Profiles\q7vpbbf6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/webhp?sourceid=navclient-ff
FF - prefs.js: keyword.URL - hxxp://errorpage.comcast.net/?cat=Web&con=dc&safe=on&q=
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\program files\Mozilla Firefox\components\FFComm.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\Mozilla Firefox\extensions\[email protected]\components\Shim.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPInfotl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npstrlnk.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
FF - plugin: c:\program files\Picasa2\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-19 20:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.5.2.11\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1464)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
c:\program files\CA\PPRT\bin\CACheck.dll
c:\program files\CA\PPRT\bin\CAHook.dll
c:\program files\CA\PPRT\bin\CAServer.dll

- - - - - - - > 'lsass.exe'(1520)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(1144)
c:\windows\system32\WININET.dll
c:\program files\CA\PPRT\bin\CACheck.dll
c:\program files\CA\PPRT\bin\CAHook.dll
c:\program files\CA\PPRT\bin\CAServer.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Carbonite\Carbonite Backup\carboniteservice.exe
c:\program files\University of Arizona Software\U of A VPN Client\cvpnd.exe
c:\program files\CA\PPRT\bin\ITMRTSVC.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\system32\cryptainersrv.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\LVCOMSX.EXE
c:\windows\system32\rundll32.exe
c:\program files\Synaptics\SynTP\SynTPLpr.exe
c:\program files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe
c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe
c:\program files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe
c:\program files\Java\jre6\bin\jusched.exe
c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
c:\program files\Logitech\SetPoint\SetPoint.exe
c:\program files\Synaptics\SynTP\SynTPEnh.exe
c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe
c:\program files\Common Files\Real\Update_OB\realsched.exe
c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
.
**************************************************************************
.
Completion time: 2009-11-19 20:30 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-20 03:30
ComboFix2.txt 2009-11-11 17:31

Pre-Run: 43,428,315,136 bytes free
Post-Run: 43,487,768,576 bytes free

- - End Of File - - 632E90940A6E0D57A02E916810A2316D

Show 40 post(s) from this thread on one page