|
-
December 16th, 2009, 04:57 PM
#1
Symantec AntiVirus Notifications
You have a very interesting site.
I'm here because I have something popping up from time to time. The popups are "Symantec AntiVirus Notifications" with Tamper Protection Alerts. I am not sure how to put a picture here and that is the only way I can put that information. I don't really have anyplace on the web I can put it and link.
I've done a little research on these online and apparently the do pop up from time to time but do not necessarily mean there is a virus/Trojan etc.
Some of the files that are mentioned in the alerts are:
ccSetMgr.exe
VPTray.exe
ccEventMgr.exe etc.
I read several of your posts here so decided to try and get ahead of the issue. I have done the following:
Downloaded and ran (under safe mode) Superantispyware
Downloaded and ran malwarebytes
There were absolutely no issues found with either so I have no log file for them.
I downloaded and ran gmer and ran it. It did show something that said "Rootkit-like behavior sector 63 etc.
Unfortunately it would not let me save the log file. It kept either dumping out of the program or locking the computer to a point that I had to do a cold boot.
I was able to get Hijack this to run and the results are below. I will try and run gmer again to get a report but it really doesn't like it. in fact, at one point I was getting those Tamper protection alerts by the thousands, literally.
Any help you can be would be greatly appreciated.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:44:06 PM, on 12/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cobian Backup 9\cbService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Webroot\Client\commagent.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Webroot\Client\spysweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Client\SpySweeperUI.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe
C:\Program Files\Cobian Backup 9\cbInterface.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\SHARP\Printer Status Monitor\Smon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtBty.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://winnersedge.winnco.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://winnersedge.winnco.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WebrootClientUI] "C:\Program Files\Webroot\Client\SpySweeperUI.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /installquiet
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [hpbdfawep] "C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe" 1
O4 - HKLM\..\Run: [HP LaserJet P3005-P3004 Install] "D:\setup.exe" /PNP
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Cobian Backup 9 interface] "C:\Program Files\Cobian Backup 9\cbInterface.exe" -service
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\DellTPad\Apoint.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Printer Status Monitor.lnk = C:\Program Files\SHARP\Printer Status Monitor\Smon.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://winnersedge.winnco.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {2A0B9B82-D5C8-4D3D-8338-AD55B23662B1} (F5 Networks CacheCleaner) - https://www.winnremote.com/vdesk/cac...2009,0514,2202
O16 - DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} (F5 Networks VPN Manager) - https://www.winnremote.com/vdesk/ter...,2009,514,2217
O16 - DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} (Crystal Report Viewer Control 9) - http://yardi/voyager/activexviewer9.cab
O16 - DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} (F5 Networks Dynamic Application Tunnel Control) - https://www.winnremote.com/vdesk/ter...,2009,514,2213
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://www.winnremote.com/vdesk/ter...2009,0514,2216
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanage...ex-2.2.4.8.cab
O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} (F5 Networks Policy Agent Host Class) - https://www.winnremote.com/vdesk/ter...2009,0514,2204
O16 - DPF: {6B68CDBA-8AFE-4CAC-80FB-727B9F946957} (IObjSafety.UsrAudit) - http://helpstar/helpstar/hsActiveX/HPluginI.cab
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks Static Application Tunnel Control) - https://www.winnremote.com/vdesk/ter...2007,1001,2136
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1210174627660
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - https://www.winnremote.com/vdesk/ter...,2009,514,2210
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe...bat/nos/gp.cab
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://www.winnremote.com/vdesk/ter...,2009,514,2205
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = WINNCO.COM
O17 - HKLM\Software\..\Telephony: DomainName = WINNCO.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = WINNCO.COM
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cobian Backup 9 service (CobianBackupAmanita) - Luis Cobian - C:\Program Files\Cobian Backup 9\cbService.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Update Service (gupdate1ca2bfda2bb6012) (gupdate1ca2bfda2bb6012) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intellex Service Manager (NtlxSrvMgr) - Unknown owner - C:\Program Files\Sensormatic\NetworkClient\bin\NtlxSrvMgr.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Webroot CommAgent Service (WebrootCommAgentService) - Webroot Software, Inc. - C:\Program Files\Webroot\Client\commagent.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Client\spysweeper.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 13191 bytes
-
December 16th, 2009, 07:51 PM
#2
Please download ComboFix from [PM sent] to your Desktop.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
- Please, never rename Combofix unless instructed.
- Close any open browsers.
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
NOTE. If Combofix asks you to install Recovery Console, please allow it.
- Close any open browsers.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
- Double click on combofix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
Make sure, you re-enable your security programs, when you're done with Combofix.
DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
-
December 16th, 2009, 07:53 PM
#3
For some reason, PM option is not available.
Hold on there. I'll ask Staff what's going on.
-
December 16th, 2009, 07:56 PM
#4
Check your settings, if you have PM enabled.
-
December 16th, 2009, 08:12 PM
#5
Might want to enable:
Pop up a Notification Box When a Private Message is Received
Sure beats looking up toward the top right under your name to see if you have a PM.
-
December 16th, 2009, 08:43 PM
#6
No, the problem is, that there is no PM option in his profile, so I can't send any PM to him.
-
December 16th, 2009, 08:59 PM
#7
No, he needs to enable it, not you.
He may not have enough posts for the PMs to be active.
-
December 16th, 2009, 09:31 PM
#8
Oh....
-
December 16th, 2009, 11:59 PM
#9
Right, I don't see a PM option. I won't be back to that computer until tomorrow.
Thanks for the quick responses!
-
December 17th, 2009, 12:00 AM
#10
Actually, I was wondering if you saw anythin gin the log file or have any idea what the problem is?
-
December 17th, 2009, 12:48 AM
#11
From HJT log, I can't tell.
Can you sign up at my forum (click on my signature) and PM me from there?
-
December 17th, 2009, 10:25 PM
#12
New version of Combofix is out, so....
Please download ComboFix from Here to your Desktop.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
- Please, never rename Combofix unless instructed.
- Close any open browsers.
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
NOTE. If Combofix asks you to install Recovery Console, please allow it.
- Close any open browsers.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
- Double click on combofix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
Make sure, you re-enable your security programs, when you're done with Combofix.
DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
-
December 18th, 2009, 09:53 AM
#13
Thanks you. I'll let you know how it goes.
-
December 18th, 2009, 01:21 PM
#14
Log Files
First, Thank you again for your help. It took a while to disable all of the symantec files and keep access to the internet (I don't know what most of those files are in the MSConfig Services are)
______________________________________________________________
ComboFix 09-12-17.03 - criddle 12/18/2009 12:07:04.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3156 [GMT -5:00]
Running from: c:\documents and settings\criddle\Desktop\KittyFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\EventSystem.log
.
---- Previous Run -------
.
c:\windows\AegisP.inf
c:\windows\EventSystem.log
c:\windows\system32\st325602.dll
.
((((((((((((((((((((((((( Files Created from 2009-11-18 to 2009-12-18 )))))))))))))))))))))))))))))))
.
2009-12-18 15:09 . 2009-12-18 15:10 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2009-12-16 19:21 . 2009-12-16 19:21 -------- d-----w- c:\program files\Trend Micro
2009-12-15 16:44 . 2009-12-15 16:44 117760 ----a-w- c:\documents and settings\criddle\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-15 16:44 . 2009-12-15 16:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-12-15 16:43 . 2009-12-15 16:44 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-15 16:43 . 2009-12-15 16:43 -------- d-----w- c:\documents and settings\criddle\Application Data\SUPERAntiSpyware.com
2009-12-14 20:20 . 2009-12-14 20:20 -------- d-----w- c:\documents and settings\criddle\Application Data\Apple Computer
2009-12-14 19:28 . 2009-06-08 20:08 38200 ----a-w- c:\documents and settings\criddle\Application Data\Macromedia\Flash Player\http://www.macromedia.com\bin\airapp...pinstaller.exe
2009-12-09 19:55 . 2009-12-09 19:55 4844296 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-09 19:55 . 2009-12-09 19:55 -------- d-----w- c:\documents and settings\criddle\Application Data\Malwarebytes
2009-12-09 19:55 . 2009-12-03 21:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-09 19:55 . 2009-12-09 19:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-09 19:55 . 2009-12-09 19:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-09 19:55 . 2009-12-03 21:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-09 19:54 . 2009-12-09 19:54 -------- d-----w- C:\Malwarebytes
2009-12-04 20:09 . 2009-12-09 20:07 -------- d-----w- c:\windows\LMIED.tmp
2009-12-03 22:11 . 2009-12-03 22:11 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Google
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-18 17:00 . 2009-04-21 11:54 -------- d-----w- c:\program files\Mozilla Firefox 3.1 Beta 3
2009-12-18 14:33 . 2008-05-07 16:58 -------- d-----w- c:\program files\Symantec AntiVirus
2009-12-18 14:19 . 2008-05-07 18:22 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-15 16:43 . 2008-05-07 17:22 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-14 19:58 . 2009-05-28 18:44 -------- d-----w- c:\program files\GRETECH
2009-12-14 19:42 . 2009-04-13 19:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-11 12:52 . 2009-04-13 12:56 -------- d-----w- c:\program files\DYMO Label
2009-12-03 22:11 . 2009-06-09 19:13 -------- d-----w- c:\program files\Google
2009-11-25 19:43 . 2009-04-08 17:12 261161 ----a-w- c:\windows\system32\nvModes.dat
2009-11-17 17:10 . 2009-11-17 17:10 105984 ----a-w- c:\windows\system32\MSDShellIcon.dll
2009-11-17 17:10 . 2008-05-07 17:21 -------- d-----w- c:\program files\Cobian Backup 9
2009-11-10 15:40 . 2009-07-17 18:10 -------- d-----w- c:\program files\Yahoo!
2009-11-10 15:33 . 2009-11-10 15:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\Yahoo!
2009-11-10 15:14 . 2009-11-10 15:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Desktop Search
2009-11-10 09:00 . 2009-11-11 17:21 259440 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2ed403.vdb\ECMSVR32.DLL
2009-11-05 20:06 . 2009-11-05 20:01 -------- d-----w- c:\program files\FLIR Systems
2009-11-05 20:02 . 2009-11-05 20:02 -------- d-----w- c:\documents and settings\criddle\Application Data\ThermaCAM Connect 3
2009-11-05 20:01 . 2009-11-05 20:01 -------- d-----w- c:\program files\Bonjour
2009-11-05 20:00 . 2009-11-05 20:00 -------- d-----w- c:\program files\ffdshow
2009-11-04 19:21 . 2008-05-07 17:24 -------- d-----w- c:\program files\Java
2009-11-04 19:20 . 2009-11-04 19:20 152576 ----a-w- c:\documents and settings\criddle\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-10-28 15:06 . 2009-09-02 15:25 -------- d-----w- c:\program files\Sensormatic
2009-10-23 15:38 . 2008-05-07 17:14 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-11 09:17 . 2009-04-20 15:25 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-27 08:00 . 2009-09-28 20:56 259440 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e7602.vdb\ECMSVR32.DLL
.
------- Sigcheck -------
[7] 2008-10-16 . E654B78D2F1D791B30D0ED9A8195EC22 . 51224 . . [7.2.6001.788] . . c:\windows\system32\dllcache\wuauclt.exe
[7] 2008-04-14 . ED7262E52C31CF1625B65039102BC16C . 111104 . . [5.4.3790.5512] . . c:\windows\ServicePackFiles\i386\wuauclt.exe
[7] 2004-08-04 . 4126D27CECE4471E00E425411F7306B5 . 111104 . . [5.4.3790.2180] . . c:\windows\$NtServicePackUninstall$\wuauclt.exe
c:\windows\System32\wuauclt.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MSDOverlayIcon]
@="{EFE100B8-AA75-44AF-A7C8-C9E4B1EE4976}"
[HKEY_CLASSES_ROOT\CLSID\{EFE100B8-AA75-44AF-A7C8-C9E4B1EE4976}]
2009-11-17 17:10 105984 ----a-w- c:\windows\system32\MSDShellIcon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MSDOverlayIconLnk]
@="{E56571FC-D775-4768-AEB1-569A6179E5DD}"
[HKEY_CLASSES_ROOT\CLSID\{E56571FC-D775-4768-AEB1-569A6179E5DD}]
2009-11-17 17:10 105984 ----a-w- c:\windows\system32\MSDShellIcon.dll
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2025429265-1202660629-682003330-4400\Scripts\Logon\0\0]
"Script"=defuser.bat
________________________________________________________________
________________________________________________________________
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:14:38 PM, on 12/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://winnersedge.winnco.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://winnersedge.winnco.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {2A0B9B82-D5C8-4D3D-8338-AD55B23662B1} (F5 Networks CacheCleaner) - https://www.winnremote.com/vdesk/cac...2009,0514,2202
O16 - DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} (F5 Networks VPN Manager) - https://www.winnremote.com/vdesk/ter...,2009,514,2217
O16 - DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} (Crystal Report Viewer Control 9) - http://yardi/voyager/activexviewer9.cab
O16 - DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} (F5 Networks Dynamic Application Tunnel Control) - https://www.winnremote.com/vdesk/ter...,2009,514,2213
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://www.winnremote.com/vdesk/ter...2009,0514,2216
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanage...ex-2.2.4.8.cab
O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} (F5 Networks Policy Agent Host Class) - https://www.winnremote.com/vdesk/ter...2009,0514,2204
O16 - DPF: {6B68CDBA-8AFE-4CAC-80FB-727B9F946957} (IObjSafety.UsrAudit) - http://helpstar/helpstar/hsActiveX/HPluginI.cab
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks Static Application Tunnel Control) - https://www.winnremote.com/vdesk/ter...2007,1001,2136
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1210174627660
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - https://www.winnremote.com/vdesk/ter...,2009,514,2210
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe...bat/nos/gp.cab
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://www.winnremote.com/vdesk/ter...,2009,514,2205
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = WINNCO.COM
O17 - HKLM\Software\..\Telephony: DomainName = WINNCO.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = WINNCO.COM
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 5534 bytes
-
December 18th, 2009, 09:29 PM
#15
Combofix log is incomplete. Please, re-post it.
Thread Information
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|
Reply With Quote
