
TDSS rootkill


This topic is locked
13 replies to this topic

#1 DavSabu

  • Full Member
  • 7 posts

Posted 08 December 2009 - 11:11 AM

A couple of days ago I got hit with a virus. It showed me a fake security program stating I had 40 viruses on my machine. I blocked all warnings through Norton and also looked up the "program" and realized it was fake. I quickly installed Malwarebytes and cleaned out the computer.

I ran Spybot and Norton in Safe Mode.

I then continued to get the tabs that would randomly open up in Firefox and IE. The tabs tend to be some form of fake "news" called "Tribune News" stating something about google and how they are paying people from home.

Also, searches using Google or Yahoo have gotten better, but I still get redirects to home mortgage, gardening, all fake sites.

I also found after running Spybot and Norton in Safe Mode I can no longer access Safe Mode in order to run SuperAntiSpyware, which I've read is recommended.
I get the following message after a scroll of data and then a blue screen stating Windows could not be opened and something in regards to a device driver; look below for the code, which is:

Stop:0x0000007E (0xC0000005,0x80537009,0xF797B509,0xF797B204)

I've also run Rkill before running Malwarebytes or SuperAntiSpyware, and the DOS window opens and then closes, so I read that means it's working.

Any help would be greatly appreciated. I posted on another site and it seemed that although I had 85 views only one person responded and it wasn't a tech on the board.

I'm also using Windows XP, if anyone is able to help.

Here is the online scan from BitDefender that states I have no viruses/malware/etc.

BitDefender QuickScan Beta 32-bit v0.9.8.2
------------------------------------------

Scan date: Tue Dec 08 11:18:24 2009
Machine ID: 4DD6CA1



No infection found.
---------------------


Processes
---------
<unsigned> Dropbox 3604 C:\Documents and Settings\DL\Application Data\Dropbox\bin\Dropbox.exe
<unsigned> Canon Camera Access Library 8 2920 C:\Program Files\Canon\CAL\CALMAIN.exe

<verified> Bonjour Service 2044 C:\Program Files\Bonjour\mDNSResponder.exe
<verified> NMSAccessU.exe 2156 C:\Program Files\CDBurnerXP\NMSAccessU.exe
<verified> Apple Mobile Device Service 1976 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
<verified> Symantec Event Manager Service 512 C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
<verified> symlcsvc.exe 1212 C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
<verified> Symantec Network Proxy Service 308 C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
<verified> Symantec Settings Manager Service 1648 C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
<verified> LiveUpdate Notice Service 704 C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
<verified> Network Driver Service 164 C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
<verified> SPBBC Service 1176 C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
<verified> Java™ Quick Starter Service 864 C:\Program Files\Java\jre6\bin\jqs.exe
<verified> Memeo AutoBackup Client 1800 C:\Program Files\Memeo\AutoBackup\MemeoBackup.exe
<verified> ActiveSync RAPI Manager 3824 C:\Program Files\Microsoft ActiveSync\rapimgr.exe
<verified> ActiveSync Connection Manager 3440 C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
<verified> Firefox 3708 C:\Program Files\Mozilla Firefox\firefox.exe
<verified> Norton AntiVirus Auto-Protect Service 1764 C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
<verified> Automatic LiveUpdate Scheduler Service 2004 C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
<verified> Media Center Receiver Service 220 C:\WINDOWS\eHome\ehRecvr.exe
<verified> Media Center Scheduler Service 296 C:\WINDOWS\eHome\ehSched.exe
<verified> MCRD Device Service 2660 C:\WINDOWS\ehome\mcrdsvc.exe
<verified> Windows Explorer 1816 C:\WINDOWS\Explorer.EXE
<verified> Application Layer Gateway Service 3920 C:\WINDOWS\System32\alg.exe
<verified> Client Server Runtime Process 732 C:\WINDOWS\system32\csrss.exe
<verified> CTF Loader 3388 C:\WINDOWS\system32\ctfmon.exe
<verified> COM Surrogate 2992 C:\WINDOWS\system32\dllhost.exe
<verified> LSA Shell (Export Version) 820 C:\WINDOWS\system32\lsass.exe
<verified> NVIDIA Driver Helper Service, Version 163.71 2192 C:\WINDOWS\system32\nvsvc32.exe
<verified> Services and Controller app 808 C:\WINDOWS\system32\services.exe
<verified> Windows NT Session Manager 676 C:\WINDOWS\System32\smss.exe
<verified> Spooler SubSystem App 1660 C:\WINDOWS\system32\spoolsv.exe
<verified> Generic Host Process for Win32 Services 1040 C:\WINDOWS\system32\svchost.exe
<verified> Generic Host Process for Win32 Services 2336 C:\WINDOWS\system32\svchost.exe
<verified> Generic Host Process for Win32 Services 1564 C:\WINDOWS\system32\svchost.exe
<verified> Generic Host Process for Win32 Services 1456 C:\WINDOWS\system32\svchost.exe
<verified> Generic Host Process for Win32 Services 1312 C:\WINDOWS\system32\svchost.exe
<verified> Generic Host Process for Win32 Services 1944 C:\WINDOWS\system32\svchost.exe
<verified> Generic Host Process for Win32 Services 1236 C:\WINDOWS\System32\svchost.exe
<verified> Generic Host Process for Win32 Services 1120 C:\WINDOWS\system32\svchost.exe
<verified> Generic Host Process for Win32 Services 2508 C:\WINDOWS\system32\svchost.exe
<verified> Windows NT Logon Application 756 C:\WINDOWS\system32\winlogon.exe
<verified> Windows Update 3260 C:\WINDOWS\system32\wuauclt.exe


Network activity
----------------
Process ccProxy.exe (308) connected on port 80 (HTTP) - qy-in-f101.1e100.net
Process ccProxy.exe (308) connected on port 80 (HTTP) - vw-in-f189.1e100.net
Process ccProxy.exe (308) connected on port 80 (HTTP) - vw-in-f166.1e100.net
Process ccProxy.exe (308) connected on port 80 (HTTP) - yo-in-f105.1e100.net
Process ccProxy.exe (308) connected on port 80 (HTTP) - vw-in-f19.1e100.net
Process ccProxy.exe (308) connected on port 80 (HTTP) - a69-192-76-20.deploy.akamaitechnologies.com
Process ccProxy.exe (308) connected on port 80 (HTTP) - vw-in-f19.1e100.net
Process ccProxy.exe (308) connected on port 80 (HTTP) - *.112.2o7.net
Process ccProxy.exe (308) connected on port 80 (HTTP) - vw-in-f19.1e100.net
Process ccProxy.exe (308) connected on port 80 (HTTP) - 208.43.202.41-static.reverse.softlayer.com

Process svchost.exe (1120) listens on ports: 135 (RPC)
Process rapimgr.exe (3824) listens on ports: 990 (FTP over SSL)


Autoruns and critical files
---------------------------
<unsigned> Dropbox C:\Documents and Settings\DL\Application Data\Dropbox\bin\Dropbox.exe
<unsigned> ShellExecuteHook C:\Program Files\SUPERAntiSpyware\SASSEH.DLL
<unsigned> SUPERAntiSpyware WinLogon Processor C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

<verified> Apple Software Update C:\Program Files\Apple Software Update\SoftwareUpdate.exe
<verified> Citrix Online GoToAssist C:\Program Files\Citrix\GoToAssist\480\g2awinlogon.dll
<verified> ActiveSync Connection Manager C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
<verified> Norton AntiVirus Scanner Module C:\Program Files\Norton Internet Security\Norton AntiVirus\NAVW32.EXE
<verified> Shell Browser UI Library C:\WINDOWS\system32\browseui.dll
<verified> Crypto API32 C:\WINDOWS\system32\crypt32.dll
<verified> Crypto Network Related API C:\WINDOWS\system32\cryptnet.dll
<verified> Offline Network Agent C:\WINDOWS\system32\cscdll.dll
<verified> CTF Loader C:\WINDOWS\system32\ctfmon.exe
<verified> DIMS Notification Handler C:\WINDOWS\system32\dimsntfy.dll
<verified> Windows Logon UI C:\WINDOWS\system32\logonui.exe
<verified> NVIDIA Display Properties Extension C:\WINDOWS\system32\NvCpl.dll
<verified> Secondary Logon Service Notification DLL C:\WINDOWS\system32\sclgntfy.dll
<verified> Windows Shell Common Dll C:\WINDOWS\system32\shell32.dll
<verified> Systray shell service object C:\WINDOWS\system32\stobject.dll
<verified> Userinit Logon Application c:\windows\system32\userinit.exe
<verified> Web Site Monitor C:\WINDOWS\system32\webcheck.dll
<verified> Common DLL to receive Winlogon notifications C:\WINDOWS\system32\wlnotify.dll
<verified> Windows Portable Device Shell Service Object C:\WINDOWS\system32\WPDShServiceObj.dll


Browser plugins
---------------
<unsigned> Bonjour Namespace Provider C:\Program Files\Bonjour\mdnsNSP.dll
<unsigned> DivX® Content Upload Plugin C:\Program Files\DivX\DivX Content Uploader\npUpload.dll
<unsigned> Garmin Communicator Plug-In 2.5.2.0 C:\Program Files\Garmin GPS Plugin\npGarmin.dll
<unsigned> The QuickTime Plugin allows you to view a wide var C:\Program Files\Internet Explorer\plugins\npqtplugin.dll
<unsigned> The QuickTime Plugin allows you to view a wide var C:\Program Files\Internet Explorer\plugins\npqtplugin2.dll
<unsigned> The QuickTime Plugin allows you to view a wide var C:\Program Files\Internet Explorer\plugins\npqtplugin3.dll
<unsigned> The QuickTime Plugin allows you to view a wide var C:\Program Files\Internet Explorer\plugins\npqtplugin4.dll
<unsigned> The QuickTime Plugin allows you to view a wide var C:\Program Files\Internet Explorer\plugins\npqtplugin5.dll
<unsigned> The QuickTime Plugin allows you to view a wide var C:\Program Files\Internet Explorer\plugins\npqtplugin6.dll
<unsigned> The QuickTime Plugin allows you to view a wide var C:\Program Files\Internet Explorer\plugins\npqtplugin7.dll
<unsigned> OpenSSL Shared Library C:\Program Files\Mozilla Firefox\plugins\libdivx.dll
<unsigned> npdnu C:\Program Files\Mozilla Firefox\plugins\npdnu.dll
<unsigned> npdnupdater2 C:\Program Files\Mozilla Firefox\plugins\npdnupdater2.dll
<unsigned> The QuickTime Plugin allows you to view a wide var C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
<unsigned> The QuickTime Plugin allows you to view a wide var C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
<unsigned> The QuickTime Plugin allows you to view a wide var C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
<unsigned> The QuickTime Plugin allows you to view a wide var C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
<unsigned> The QuickTime Plugin allows you to view a wide var C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
<unsigned> The QuickTime Plugin allows you to view a wide var C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
<unsigned> The QuickTime Plugin allows you to view a wide var C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
<unsigned> RealJukebox Netscape Plugin C:\Program Files\Mozilla Firefox\plugins\nprjplug.dll
<unsigned> 6.0.12.46 C:\Program Files\Mozilla Firefox\plugins\nprpjplug.dll
<unsigned> npsnapfish C:\Program Files\Mozilla Firefox\plugins\npsnapfish.dll
<unsigned> OpenSSL Shared Library C:\Program Files\Mozilla Firefox\plugins\ssldivx.dll
<unsigned> RealJukebox Netscape Plugin C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll
<unsigned> 6.0.12.46 C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll
<unsigned> F-Secure Automatic Update Agent API DLL C:\WINDOWS\Downloaded Program Files\auc_lib.dll
<unsigned> daas C:\WINDOWS\Downloaded Program Files\daas_s.dll
<unsigned> InstallShield Update Service Setup Player Module C:\WINDOWS\Downloaded Program Files\dwusplay.dll
<unsigned> InstallShield Update Service Setup Player C:\WINDOWS\Downloaded Program Files\dwusplay.exe
<unsigned> fscax module C:\WINDOWS\Downloaded Program Files\fscax.dll
<unsigned> InstallShield Update Service Web Agent C:\WINDOWS\Downloaded Program Files\isusweb.dll

<verified> npmnqmp 989898989877 C:\Documents and Settings\DL\Application Data\Move Networks\plugins\npqmp071505000011.dll
<verified> NIS Shell Extension c:\program files\common files\symantec shared\adblocking\nisshext.dll
<verified> DivX Web Player version 1.5.0.52 C:\Program Files\DivX\DivX Web Player\npdivx32.dll
<verified> Adobe PDF Plug-In For Firefox and Netscape C:\Program Files\Internet Explorer\plugins\nppdf32.dll
<verified> npitunes.dll C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
<verified> Windows Messenger C:\Program Files\Messenger\msmsgs.exe
<verified> np-mswmp C:\Program Files\Mozilla Firefox\plugins\np-mswmp.dll
<verified> NPRuntime Script Plug-in Library for Java™ Depl C:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll
<verified> DivX Web Player version 1.5.0.52 C:\Program Files\Mozilla Firefox\plugins\npdivx32.dll
<verified> Default Plug-in C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
<verified> Office Plugin for Netscape Navigator C:\Program Files\Mozilla Firefox\plugins\NPOFFICE.DLL
<verified> Adobe PDF Plug-In For Firefox and Netscape C:\Program Files\Mozilla Firefox\plugins\nppdf32.dll
<verified> RealPlayer™ LiveConnect-Enabled Plug-In C:\Program Files\Mozilla Firefox\plugins\nppl3260.dll
<verified> Norton AntiVirus Shell Extension Module c:\program files\norton internet security\norton antivirus\navshext.dll
<verified> RealPlayer™ LiveConnect-Enabled Plug-In C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll
<verified> Adobe® Flash® Player ActiveX Installer C:\WINDOWS\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe
<verified> fslauncher module C:\WINDOWS\Downloaded Program Files\fslauncher.dll
<verified> F-Secure GateLauncher C:\WINDOWS\Downloaded Program Files\gatelauncher.exe
<verified> Windows Presentation Foundation (WPF) plug-in for c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
<verified> Network Diagnostic for Windows XP C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
<verified> Internet Explorer C:\WINDOWS\system32\ieframe.dll
<verified> NPSWF32.dll C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
<verified> Microsoft Windows Sockets 2.0 Service Provider C:\WINDOWS\system32\mswsock.dll
<verified> Microsoft Windows Rsvp 1.0 Service Provider C:\WINDOWS\system32\rsvpsp.dll
<verified> LDAP RnR Provider DLL C:\WINDOWS\system32\winrnr.dll


Scan
----

No file uploaded.

Scan finished - communication took 3 sec
Total traffic - 0.06 MB sent, 2.98 KB recvd
Scanned 1103 files and modules - 88 seconds

Hi,

Help us help you.

Please read this article and follow the protocol.
http://spywareinfofo...showtopic=23382
Then submit a fresh HijackThis log. One of our helpers will take care of you. It's the only way we can give you sound advice.

Edited by DavSabu, 08 December 2009 - 11:44 AM.
HijackThis log requested.


#2 DavSabu

  • Full Member
  • 7 posts

Posted 09 December 2009 - 01:53 AM

Hello, I'm re-posting according to the forum rules from my previous post.

This is my logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:14:50 PM, on 12/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optimum.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {22492231-AEF0-49FC-9180-CE8969AB1273} (F-Secure Online Scanner Launcher) - http://download.sp.f.../fslauncher.cab
O16 - DPF: {315B0BFB-2BD4-481B-80A3-A9B80727C61B} (WebIQ Engine Application Object) - http://webiq005.webi...6-6D5536C585C9}
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1223575658919
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 8652 bytes

I also ran TDSSKiller and that is where I discovered that I had the TDSS rootkit in C:\windows\system32\drivers\iastor.sys. The cure failed there, but it was able to cure the following (although they returned at reboot):
driver "iastor" Irp handler infected by TDSS & driver "iasto" StartIo handler infected by TDSS rootkit. I've also run Spybot Search and Destroy, Malwarebytes, SuperAntiSpyware, Norton, AdAware. It all seems to come back to this TDSS rootkit.
Thanks for any help anyone can provide.
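A small triage script for HijackThis-style logs like the one in this post, added here as an example; it is not code from HijackThis, the SWI forum, or anyone in this thread. It assumes the standard `Oxx - ...` line layout shown above. The sample lines are constructed: the first six are copied from the log in this post, and the final `O4` autorun (`updater.exe` in a Temp directory) is made up to show the path checks firing. The checks it applies (service listed with "Unknown owner", Winlogon Notify DLLs, binaries in a user profile or Temp directory) are the things a log helper typically asks about first, not verdicts of infection.

```python
"""Triage helper for HijackThis v2 log entries.

Added example: this is not code from HijackThis, the SWI forum or anyone
in this thread. It parses the "Oxx - ..." lines HijackThis prints (O4
autoruns, O20 Winlogon Notify DLLs, O23 services and so on) into records and
flags the entries a log helper usually asks about first: services whose
publisher is "Unknown owner", Winlogon Notify DLLs, and binaries that run
from a user profile or a Temp directory. SAMPLE_LOG is constructed: the
first six lines are copied from the log in this thread, the last O4 line
is made up to show the path checks firing.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\DL\Local Settings\Temp\updater.exe
"""

# "O23 - Service: ..." -> tag "O23", body "Service: ..."
ENTRY_RE = re.compile(r"^(?P<tag>[OR]\d+) - (?P<body>.+)$")
# First Windows path ending in a loadable module; stops at a closing quote.
WIN_PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\r\n]+?\.(?:exe|dll|sys)\b", re.IGNORECASE)
# Per-user profile directories (not All Users / Public) and Temp directories.
USER_PROFILE_RE = re.compile(
    r"\\(?:Documents and Settings|Users)\\(?!All Users\\|Public\\)[^\\]+\\", re.IGNORECASE)
TEMP_RE = re.compile(r"\\Temp\\", re.IGNORECASE)


@dataclass
class Entry:
    tag: str
    name: str
    owner: Optional[str]
    path: Optional[str]
    flags: List[str] = field(default_factory=list)


def _name(tag: str, body: str) -> str:
    """Pull the display name out of the body for the common entry kinds."""
    if tag == "O4":
        m = re.search(r"\[([^\]]+)\]", body)  # O4 puts the Run value name in [...]
        return m.group(1) if m else body
    head = body.split(" - ", 1)[0]           # e.g. "Service: Bonjour Service"
    return head.split(": ", 1)[-1]


def triage(entry: "Entry") -> List[str]:
    """Return the reasons (possibly none) a helper would want to look closer."""
    flags = []
    if entry.tag == "O23" and entry.owner and entry.owner.lower() == "unknown owner":
        flags.append("service publisher could not be identified")
    if entry.tag == "O20":
        flags.append("Winlogon Notify DLL loads at every logon")
    if entry.path:
        if USER_PROFILE_RE.search(entry.path):
            flags.append("binary lives in a user profile")
        if TEMP_RE.search(entry.path):
            flags.append("binary lives in a Temp directory")
    return flags


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one HijackThis line; returns None for headers and blank lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    tag, body = m.group("tag"), m.group("body")
    owner = None
    if tag == "O23":
        parts = body.split(" - ")            # Service: name - owner - path
        if len(parts) >= 3:
            owner = parts[1]
    pm = WIN_PATH_RE.search(body)
    entry = Entry(tag, _name(tag, body), owner, pm.group(0) if pm else None)
    entry.flags = triage(entry)
    return entry


def parse_log(text: str) -> List[Entry]:
    """Parse every recognised entry line in a pasted HijackThis log."""
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e is not None]


def flagged(entries: List[Entry]) -> List[Entry]:
    """Only the entries that picked up at least one triage flag."""
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in flagged(parse_log(SAMPLE_LOG)):
        print(f"{e.tag} {e.name}: {'; '.join(e.flags)}  [{e.path}]")
```

On the sample, the two Symantec-related "Unknown owner" services and the SUPERAntiSpyware Winlogon Notify DLL are flagged alongside the made-up Temp autorun, which is exactly why a flag here means "verify the publisher and path" rather than "malicious": legitimate products show up with no owner string too, as this thread's log illustrates.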

#3 SWI Support Robot

  • Helper robot
  • 23,520 posts

Posted 10 December 2009 - 11:27 PM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.


[this is an automated reply]
This is an automated message. It does not count as help.

#4 jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • 15,830 posts

Posted 11 December 2009 - 10:22 AM

Sorry about the wait, we're very busy. Do you still need help with this issue?

jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#5 DavSabu

  • Full Member
  • 7 posts

Posted 12 December 2009 - 06:02 AM

Hey Jedi,
No worries, I realize a lot of people seem to have gotten hit with problems this last week. I tried a couple of different approaches and did the rkill followed by TDSSKiller. It told me there was a TDSS rootkit that it could not clean from the disk and that driver "iastor" was infected by the TDSS rootkit. I ended up doing an online scan through Pandascan and it found a digstream.exe (which I read is sometimes left over by the ESPN website). However, since I've never gone there I realized it was probably the virus, worm, rootkit in hiding. Once PandaScan deleted it I was able to open in Safe Mode, download Google Chrome, and also the annoying redirects stopped.
I've learned more than I knew before I had this problem with my computer, but from your knowledge does this sound like it was resolved, or is the virus, worm, rootkit simply in hiding?
Thanks for any insight you can give me

#6 jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • 15,830 posts

Posted 12 December 2009 - 06:48 AM

Hi,

I think it's unlikely the infection is entirely gone, please do the following:

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.

jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#7 DavSabu

  • Full Member
  • 7 posts

Posted 12 December 2009 - 02:19 PM

Hey Jedi,
I downloaded the ComboFix and I had some questions. At one point it seemed to send me to the blue screen stating that a serious error had occurred. Also, do I keep my internet on while running the ComboFix scan, or shut it off since I don't have my Norton protection enabled?
Thanks again for the help

#8 DavSabu

  • Full Member
  • 7 posts

Posted 12 December 2009 - 04:13 PM

Hey Jedi,
Please disregard my above message. I let it run with the internet still on and it worked. Here is the log for you below.
Thanks!


ComboFix 09-12-11.05 - DL 12/12/2009 16:01:36.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.565 [GMT -5:00]
Running from: c:\documents and settings\DL\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\kb913800.exe
c:\windows\system32\drivers\npf.sys
c:\windows\system32\lsprst7.dll
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\ssprs.dll
c:\windows\system32\wpcap.dll

.
((((((((((((((((((((((((( Files Created from 2009-11-12 to 2009-12-12 )))))))))))))))))))))))))))))))
.

2009-12-12 18:55 . 2009-12-12 18:57 -------- dc-h--w- c:\windows\ie8
2009-12-12 17:53 . 2009-12-09 22:49 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20091212.004\NAVENG.SYS
2009-12-12 17:53 . 2009-12-09 22:49 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20091212.004\EECTRL.SYS
2009-12-12 17:53 . 2009-12-09 22:49 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20091212.004\CCERASER.DLL
2009-12-12 17:53 . 2009-12-09 22:49 259440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20091212.004\ECMSVR32.DLL
2009-12-12 17:53 . 2009-12-09 22:49 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20091212.004\NAVENG32.DLL
2009-12-12 17:53 . 2009-12-09 22:49 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20091212.004\NAVEX32A.DLL
2009-12-12 17:53 . 2009-12-09 22:49 1323568 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20091212.004\NAVEX15.SYS
2009-12-12 17:53 . 2009-12-09 22:49 102448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20091212.004\ERASER.SYS
2009-12-11 00:43 . 2009-12-11 00:43 -------- d-----w- c:\documents and settings\DL\Local Settings\Application Data\Temp
2009-12-09 22:49 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20091111.001\IDSvix86.sys
2009-12-09 22:49 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20091111.001\IDSXpx86.sys
2009-12-09 22:49 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20091111.001\Scxpx86.dll
2009-12-09 22:49 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20091111.001\IDSxpx86.dll
2009-12-09 22:49 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20091111.001\IDSviA64.sys
2009-12-09 22:45 . 2009-10-29 02:31 784752 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\coFFPlgn\components\coFFPlgn.dll
2009-12-09 22:45 . 2009-10-01 09:19 164216 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\IPSFFPlgn\components\IPSFFPl.dll
2009-12-09 22:45 . 2009-12-09 22:45 -------- d-----w- c:\program files\Symantec
2009-12-09 22:45 . 2009-12-09 22:45 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-12-09 22:45 . 2009-12-09 22:45 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-12-09 22:45 . 2009-10-05 17:34 929648 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\OCS\hsplayer.dll
2009-12-09 22:45 . 2009-11-07 01:08 893296 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\CLT\cltLMSx.dll
2009-12-09 22:44 . 2009-12-09 22:44 -------- d-----w- c:\windows\system32\drivers\NIS
2009-12-09 22:44 . 2009-12-09 22:44 -------- d-----w- c:\program files\Windows Sidebar
2009-12-09 22:44 . 2009-12-09 22:44 -------- d-----w- c:\program files\Norton Internet Security
2009-12-09 22:32 . 2009-12-09 22:32 -------- d-----w- c:\documents and settings\All Users\Application Data\PCSettings
2009-12-09 22:32 . 2009-12-09 22:32 -------- d-----w- c:\program files\NortonInstaller
2009-12-09 22:32 . 2009-12-09 22:32 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-12-09 22:31 . 2009-12-09 22:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-12-09 20:44 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2009-12-09 04:24 . 2009-06-30 14:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-12-09 04:24 . 2009-12-09 04:24 -------- d-----w- c:\program files\Panda Security
2009-12-09 04:13 . 2009-12-09 04:13 401720 ----a-w- C:\HiJackThis.exe
2009-12-08 16:18 . 2009-12-10 20:57 -------- d-----w- c:\documents and settings\DL\Application Data\QuickScan
2009-12-08 15:56 . 2009-12-08 15:56 -------- d-----w- c:\program files\Trend Micro
2009-12-07 20:49 . 2009-12-07 21:40 -------- d-----w- c:\program files\RegistryFix
2009-12-06 04:38 . 2009-12-09 16:08 117760 ----a-w- c:\documents and settings\DL\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-06 04:37 . 2009-12-06 04:37 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-12-06 04:37 . 2009-12-06 04:37 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-06 04:37 . 2009-12-06 04:37 -------- d-----w- c:\documents and settings\DL\Application Data\SUPERAntiSpyware.com
2009-12-05 07:15 . 2009-12-05 15:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-05 07:15 . 2009-12-05 07:18 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-04 00:01 . 2009-12-04 00:01 -------- d-----w- c:\documents and settings\DL\Application Data\Malwarebytes
2009-12-04 00:01 . 2009-12-04 00:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-01 20:38 . 2009-12-01 20:38 -------- d-----w- c:\program files\iPod
2009-12-01 20:38 . 2009-12-01 20:39 -------- d-----w- c:\program files\iTunes
2009-12-01 20:38 . 2009-12-01 20:39 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-12-01 20:26 . 2009-12-01 20:26 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-19 07:12 . 2009-11-19 07:12 127325 ----a-w- c:\documents and settings\DL\Application Data\Move Networks\uninstall.exe
2009-11-19 07:11 . 2009-11-19 07:11 1408800 ----a-w- c:\documents and settings\DL\Application Data\Move Networks\MoveMediaPlayerWin_071505000011.exe
2009-11-14 15:25 . 2009-11-14 15:25 152576 ----a-w- c:\documents and settings\DL\Application Data\Sun\Java\jre1.6.0_17\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-12 20:40 . 2007-11-01 03:56 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-10 18:10 . 2007-10-31 03:48 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-12-09 22:50 . 2007-10-31 02:19 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-09 22:45 . 2009-12-09 22:45 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-12-09 22:45 . 2009-12-09 22:45 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-12-09 20:52 . 2009-06-13 04:33 -------- d-----w- c:\program files\Nero
2009-12-09 20:52 . 2009-06-13 04:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2009-12-09 17:14 . 2006-04-26 12:23 250880 ----a-w- c:\windows\system32\drivers\iaStor.sys
2009-12-09 15:28 . 2007-10-31 02:08 -------- d-----w- c:\program files\DIGStream
2009-12-08 15:31 . 2009-11-03 23:29 -------- d-----w- c:\documents and settings\DL\Application Data\Dropbox
2009-12-06 04:36 . 2008-02-09 17:26 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-05 16:46 . 2007-10-31 05:56 -------- d-----w- c:\program files\Google
2009-12-05 07:24 . 2008-02-09 17:26 -------- d-----w- c:\program files\Lavasoft
2009-12-05 03:05 . 2008-08-06 03:27 -------- d-----w- c:\program files\Yahoo SiteBuilder
2009-12-05 03:05 . 2007-11-10 15:45 -------- d-----w- c:\program files\Windows Media Connect 2
2009-12-05 03:05 . 2007-10-31 02:09 -------- d-----w- c:\program files\RGB
2009-12-05 03:05 . 2007-10-31 02:08 -------- d-----w- c:\program files\ESPNMotion
2009-12-05 03:05 . 2007-10-31 02:08 -------- d-----w- c:\program files\GemMaster
2009-12-05 03:05 . 2007-10-31 02:08 -------- d-----w- c:\program files\EnglishOtto
2009-12-05 03:05 . 2007-12-12 04:02 -------- d-----w- c:\program files\DivX
2009-12-05 03:05 . 2009-10-17 21:00 -------- d-----w- c:\program files\CDBurnerXP
2009-12-01 20:38 . 2009-09-10 03:31 -------- d-----w- c:\program files\Common Files\Apple
2009-12-01 20:37 . 2008-08-07 03:09 -------- d-----w- c:\program files\Bonjour
2009-12-01 20:32 . 2008-06-28 17:58 -------- d-----w- c:\program files\QuickTime
2009-11-21 15:51 . 2004-08-10 11:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-19 15:51 . 2008-02-20 03:04 -------- d-----w- c:\documents and settings\DL\Application Data\Move Networks
2009-11-19 07:12 . 2009-08-13 19:21 4187512 ----a-w- c:\documents and settings\DL\Application Data\Move Networks\plugins\npqmp071505000011.dll
2009-11-14 15:31 . 2007-12-02 21:43 -------- d-----w- c:\program files\Java
2009-11-14 15:25 . 2009-11-11 02:16 79488 ----a-w- c:\documents and settings\DL\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-13 03:42 . 2009-11-12 16:01 -------- d-----w- c:\program files\FTP
2009-11-12 15:59 . 2009-11-12 15:59 -------- d-----w- c:\program files\WS_FTP
2009-11-04 23:50 . 2009-11-04 23:50 201616 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20091104.001\BHRules.dll
2009-11-04 23:50 . 2009-11-04 23:50 663088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20091104.001\BHDrvx64.sys
2009-11-04 23:50 . 2009-11-04 23:50 524848 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20091104.001\BHDrvx86.sys
2009-11-04 23:50 . 2009-11-04 23:50 1413520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20091104.001\BHEngine.dll
2009-11-04 23:50 . 2009-11-04 23:50 610704 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20091104.001\bbRGen.dll
2009-11-03 23:30 . 2009-11-03 23:30 89962 ----a-w- c:\documents and settings\DL\Application Data\Dropbox\bin\Uninstall.exe
2009-11-03 23:17 . 2009-09-25 20:56 -------- d-----w- c:\documents and settings\DL\Application Data\YouSendIt
2009-10-30 05:29 . 2007-10-31 03:53 1682 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-10-29 07:45 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-28 22:37 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\BinHub\IDSvix86.sys
2009-10-28 22:37 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\BinHub\IDSXpx86.sys
2009-10-28 22:37 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\BinHub\Scxpx86.dll
2009-10-28 22:37 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\BinHub\IDSxpx86.dll
2009-10-28 22:37 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\BinHub\IDSviA64.sys
2009-10-21 05:38 . 2004-08-10 11:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-10 11:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-10 11:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-17 21:04 . 2009-10-17 21:04 -------- d-----w- c:\program files\Cucusoft
2009-10-17 21:00 . 2009-10-17 21:00 -------- d-----w- c:\documents and settings\DL\Application Data\Canneverbe_Limited
2009-10-17 21:00 . 2009-10-17 21:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Canneverbe Limited
2009-10-17 20:42 . 2009-10-17 20:39 -------- d-----w- c:\documents and settings\DL\Application Data\acccore
2009-10-17 20:39 . 2009-10-17 20:39 -------- d-----w- c:\documents and settings\All Users\Application Data\AIM
2009-10-17 20:39 . 2009-10-17 20:39 -------- d-----w- c:\program files\AIM
2009-10-17 20:39 . 2009-10-17 20:39 -------- d-----w- c:\program files\Common Files\Software Update Utility
2009-10-17 20:39 . 2009-10-17 20:39 -------- d-----w- c:\program files\Common Files\AOL
2009-10-17 16:05 . 2009-10-16 15:22 -------- d-----w- c:\documents and settings\DL\Application Data\DVD Flick
2009-10-17 04:04 . 2009-10-16 02:32 -------- d-----w- c:\documents and settings\DL\Application Data\Ahead
2009-10-16 15:21 . 2009-10-16 15:21 -------- d-----w- c:\program files\DVD Flick
2009-10-16 14:19 . 2009-10-16 14:19 -------- d-----w- c:\program files\Garmin GPS Plugin
2009-10-16 02:44 . 2009-06-13 04:38 -------- d-----w- c:\documents and settings\DL\Application Data\Nero
2009-10-16 02:31 . 2009-10-16 02:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Ahead
2009-10-16 02:22 . 2009-09-08 02:13 -------- d-----w- c:\program files\PeerGuardian2
2009-10-13 10:30 . 2004-08-10 11:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-10 11:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-10 11:00 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-11 09:17 . 2008-12-09 00:02 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-09 01:18 . 2009-10-09 01:18 26805255 ----a-w- c:\documents and settings\DL\Application Data\Dropbox\bin\Dropbox.exe
2009-10-08 21:18 . 2009-10-08 21:18 499712 ----a-w- c:\documents and settings\DL\Application Data\Dropbox\bin\msvcp71.dll
2009-10-08 21:18 . 2009-10-08 21:18 348160 ----a-w- c:\documents and settings\DL\Application Data\Dropbox\bin\msvcr71.dll
2009-10-08 21:18 . 2009-10-08 21:18 77824 ----a-w- c:\documents and settings\DL\Application Data\Dropbox\bin\DropboxExt.3.dll
2009-09-29 01:57 . 2009-10-17 21:00 7168 ----a-w- c:\windows\system32\drivers\StarOpen.sys
2009-09-24 03:39 . 2009-09-24 03:39 1025 ----a-w- c:\windows\system32\sysprs7.dll
2009-09-24 03:39 . 2009-09-24 03:39 1025 ----a-w- c:\windows\system32\clauth2.dll
2009-09-24 03:39 . 2009-09-24 03:39 1025 ----a-w- c:\windows\system32\clauth1.dll
2009-09-14 06:37 . 2009-09-14 06:37 1925024 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2009-06-15 02:26 . 2009-06-15 02:26 15 ----a-w- c:\program files\winreg.ini
2008-05-29 20:56 . 2008-05-29 20:56 37375 ----a-w- c:\program files\openoffice.org-xsltfilter.cab
2008-05-29 20:56 . 2008-05-29 20:56 2490452 ----a-w- c:\program files\openoffice.org-writer.cab
2008-05-29 20:56 . 2008-05-29 20:56 207388 ----a-w- c:\program files\openoffice.org-testtool.cab
2008-05-29 20:55 . 2008-05-29 20:55 2504975 ----a-w- c:\program files\openoffice.org-pyuno.cab
2008-05-29 20:55 . 2008-05-29 20:55 51973 ----a-w- c:\program files\openoffice.org-onlineupdate.cab
2008-05-29 20:55 . 2008-05-29 20:55 1090334 ----a-w- c:\program files\openoffice.org-math.cab
2008-05-29 20:55 . 2008-05-29 20:55 118910 ----a-w- c:\program files\openoffice.org-javafilter.cab
2008-05-29 20:55 . 2008-05-29 20:55 1254017 ----a-w- c:\program files\openoffice.org-impress.cab
2008-05-29 20:55 . 2008-05-29 20:55 86870 ----a-w- c:\program files\openoffice.org-graphicfilter.cab
2008-05-29 20:55 . 2008-05-29 20:55 919329 ----a-w- c:\program files\openoffice.org-draw.cab
2008-05-29 20:55 . 2008-05-29 20:55 2769 ----a-w- c:\program files\openoffice.org-emailmerge.cab
2008-05-29 20:55 . 2008-05-29 20:55 2031954 ----a-w- c:\program files\openoffice.org-core09.cab
2008-05-29 20:55 . 2008-05-29 20:55 293078 ----a-w- c:\program files\openoffice.org-core08.cab
2008-05-29 20:55 . 2008-05-29 20:55 3842531 ----a-w- c:\program files\openoffice.org-core07.cab
2008-05-29 20:54 . 2008-05-29 20:54 28847705 ----a-w- c:\program files\openoffice.org-core06.cab
2008-05-29 20:50 . 2008-05-29 20:50 18634513 ----a-w- c:\program files\openoffice.org-core05.cab
2008-05-29 20:49 . 2008-05-29 20:49 16503595 ----a-w- c:\program files\openoffice.org-core04.cab
2008-05-29 20:48 . 2008-05-29 20:48 9117929 ----a-w- c:\program files\openoffice.org-core03.cab
2008-05-29 20:48 . 2008-05-29 20:48 3860980 ----a-w- c:\program files\openoffice.org-core02.cab
2008-05-29 20:47 . 2008-05-29 20:47 15104219 ----a-w- c:\program files\openoffice.org-core01.cab
2008-05-29 20:47 . 2008-05-29 20:47 4694039 ----a-w- c:\program files\openoffice.org-calc.cab
2008-05-29 20:47 . 2008-05-29 20:47 1803630 ----a-w- c:\program files\openoffice.org-base.cab
2008-05-29 20:46 . 2008-05-29 20:46 43005 ----a-w- c:\program files\openoffice.org-activex.cab
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-10-08 21:18 77824 ----a-w- c:\documents and settings\DL\Application Data\Dropbox\bin\DropboxExt.3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-10-08 21:18 77824 ----a-w- c:\documents and settings\DL\Application Data\Dropbox\bin\DropboxExt.3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-10-08 21:18 77824 ----a-w- c:\documents and settings\DL\Application Data\Dropbox\bin\DropboxExt.3.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\DL\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-12-11 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2007-10-31 03:21 10792 ----a-w- c:\program files\Citrix\GoToAssist\480\g2awinlogon.dll

[HKLM\~\startupfolder\C:^Documents and Settings^DL^Start Menu^Programs^Startup^Dropbox.lnk]
path=c:\documents and settings\DL\Start Menu\Programs\Startup\Dropbox.lnk
backup=c:\windows\pss\Dropbox.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^DL^Start Menu^Programs^Startup^Memeo AutoBackup Launcher.lnk]
path=c:\documents and settings\DL\Start Menu\Programs\Startup\Memeo AutoBackup Launcher.lnk
backup=c:\windows\pss\Memeo AutoBackup Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 21:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [12/8/2009 11:24 PM 28552]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1101000.013\SymDS.sys [12/9/2009 5:45 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1101000.013\SymEFA.sys [12/9/2009 5:45 PM 171056]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20091104.001\BHDrvx86.sys [11/4/2009 6:50 PM 524848]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1101000.013\cchpx86.sys [12/9/2009 5:45 PM 501888]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/23/2009 8:43 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 8:43 AM 74480]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1101000.013\Ironx86.sys [12/9/2009 5:45 PM 114736]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.1.0.19\ccSvcHst.exe [12/9/2009 5:45 PM 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [12/9/2009 5:49 PM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20091111.001\IDSXpx86.sys [12/9/2009 5:49 PM 329592]
R3 NmPar;PCI Parallel Port;c:\windows\system32\drivers\NmPar.sys [4/9/2008 8:28 AM 80512]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 8:43 AM 7408]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.optimum.net/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\DL\Application Data\Mozilla\Firefox\Profiles\5jhgl06v.default\
FF - prefs.js: browser.search.selectedEngine - SearchGeek
FF - prefs.js: browser.startup.homepage - hxxp://www.optimum.net/
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\documents and settings\DL\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\DL\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-12 16:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.1.0.19\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.1.0.19\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:9d,07,b8,64,f9,8c,6a,43,76,46,0a,ac,ed,be,85,9d,68,bf,6c,30,d6,
f1,95,c5,78,d2,ca,ec,1a,cb,f7,12,c4,29,83,05,67,f5,3c,ff,2e,56,90,91,c1,29,\

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:9d,07,b8,64,f9,8c,6a,43,76,46,0a,ac,ed,be,85,9d,68,bf,6c,30,d6,
f1,95,c5,78,d2,ca,ec,1a,cb,f7,12,c4,29,83,05,67,f5,3c,ff,2e,56,90,91,c1,29,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToAssist\480\G2AWinLogon.dll
.
Completion time: 2009-12-12 16:10:05
ComboFix-quarantined-files.txt 2009-12-12 21:10

Pre-Run: 58,138,324,992 bytes free
Post-Run: 58,482,278,400 bytes free

- - End Of File - - EFDF89AFEF2DBAECAAFC974FF12C876D

#9 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • PipPipPipPipPip
  • 15,830 posts

Posted 13 December 2009 - 04:34 AM

Hi again,

Combofix has removed some items, but there's no sign of a rootkit. This may be good news but I want to run one more program to double-check:

Download GMER from here:
http://www.gmer.net/gmer.zip

Unzip it to Desktop.

Please close any open programs/windows!

Open the program and click on the Rootkit/Malware tab.

Make sure all the boxes on the right of the screen are checked, apart from 'Show All'.

Click on Scan (1).

When the scan has run click Copy (2) and paste the results (if any) into this thread.

jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#10 DavSabu

DavSabu

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 13 December 2009 - 03:45 PM

Thanks Jedi, I ran the program and here is the log. I'll keep my fingers crossed.

GMER 1.0.15.15279 - http://www.gmer.net
Rootkit scan 2009-12-13 15:42:58
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\DL\LOCALS~1\Temp\ufxcqfod.sys


---- System - GMER 1.0.15 ----

SSDT 864DB408 ZwAlertResumeThread
SSDT 863AB890 ZwAlertThread
SSDT 86215500 ZwAllocateVirtualMemory
SSDT 863A73C8 ZwAssignProcessToJobObject
SSDT 8640A768 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xECCDB210]
SSDT 861F1EC0 ZwCreateMutant
SSDT 8637A9B8 ZwCreateSymbolicLinkObject
SSDT 86214AF0 ZwCreateThread
SSDT 862D6248 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xECCDB490]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xECCDB9F0]
SSDT 86215798 ZwDuplicateObject
SSDT 8620F8A8 ZwFreeVirtualMemory
SSDT 863AB0A8 ZwImpersonateAnonymousToken
SSDT 8646E910 ZwImpersonateThread
SSDT 863C9108 ZwLoadDriver
SSDT 8620F708 ZwMapViewOfSection
SSDT 86516850 ZwOpenEvent
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwOpenKey [0xECCDB7A0]
SSDT 86215A38 ZwOpenProcess
SSDT 8631A050 ZwOpenProcessToken
SSDT 8633B710 ZwOpenSection
SSDT 862158E8 ZwOpenThread
SSDT 86275830 ZwProtectVirtualMemory
SSDT 86487990 ZwResumeThread
SSDT 861B8A88 ZwSetContextThread
SSDT 86212F80 ZwSetInformationProcess
SSDT 8632E710 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xECCDBC40]
SSDT 86337710 ZwSuspendProcess
SSDT 86326050 ZwSuspendThread
SSDT 86342050 ZwTerminateProcess
SSDT 861DE8F0 ZwTerminateThread
SSDT 862C4050 ZwUnmapViewOfSection
SSDT 8620FC78 ZwWriteVirtualMemory

Code \??\C:\DOCUME~1\DL\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2D30 805045CC 4 Bytes JMP 9958CC17
.text ntkrnlpa.exe!ZwCallbackReturn + 2DC4 80504660 4 Bytes CALL CED667BD
? SYMDS.SYS The system cannot find the file specified. !
? SYMEFA.SYS The system cannot find the file specified. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF6325360, 0x307AC7, 0xE8000020]
? C:\DOCUME~1\DL\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version
Reg HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version@Version 0x9D 0x07 0xB8 0x64 ...

---- EOF - GMER 1.0.15 ----

#11 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • PipPipPipPipPip
  • 15,830 posts

Posted 14 December 2009 - 02:58 AM

Hi again,

Good, the log shows nothing unusual; I'd say you were clean.

In order to be better protected in the future, I recommend the following programs:

SpywareBlaster protects against bad ActiveX.
http://www.javacools...areblaster.html

SpywareGuard stops Spyware from being installed.
http://www.javacools...ywareguard.html

Also install the MVPS hosts file:
http://www.mvps.org/...p2002/hosts.htm
which blocks innocent looking sites that are not so innocent.

All three are very small free programs that you run once, and then just occasionally to check for updates.

Also see
How did I get Infected?

Finally, it is best to update your system regularly, to ensure you have the latest security patches from Microsoft. Update by clicking here http://v4.windowsupdate.microsoft.com/ and following the prompts.

jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#12 DavSabu

DavSabu

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 14 December 2009 - 08:40 AM

That's great news Jedi. Glad that all seems well with my computer. I'm going to install both Spyware Guard and Blaster, and I actually checked out the "how did I get infected" back when this all happened, but I'll give it another read.
Thanks again for the help!

#13 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • PipPipPipPipPip
  • 15,830 posts

Posted 14 December 2009 - 12:46 PM

You're very welcome. :)
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#14 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • PipPipPipPipPip
  • 15,830 posts

Posted 05 January 2010 - 02:04 PM

Glad we could help. :)

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.



