DavSabu

TDSS rootkill

14 posts in this topic

A couple of days ago I got hit with a virus. It showed me a fake security program stating I had 40 viruses on my machine. I blocked all warnings through Norton and also looked up the "program" and realized it was fake. I quickly installed Malwarebytes and cleaned out the computer.

 

I ran Spybot and Norton in Safe Mode.

 

I then continued to get the tabs that would randomly open up in Firefox and IE. The tabs tend to be some form of fake "news" called "Tribune News" stating something about Google and how they are paying people from home.

 

Also, searches using Google or Yahoo have gotten better, but I still get redirects to home mortgage, gardening, all fake sites.

 

I also found that after running Spybot and Norton in Safe Mode I can no longer access Safe Mode in order to run SuperAntiSpyware, which I've read is recommended.

I get the following message after a scroll of data, and then a blue screen stating Windows could not be opened and something in regards to a device driver; the code is below:

 

Stop:0x0000007E (0xC0000005,0x80537009,0xF797B509,0xF797B204)

 

I've also run Rkill before running Malwarebytes or SuperAntiSpyware, and the DOS window opens and then closes, so I read that means it's working.

 

Any help would be greatly appreciated. I posted on another site and it seemed that although I had 85 views only one person responded and it wasn't a tech on the board.

 

I'm also using Windows XP, if anyone is able to help.

 

Here is the online scan from BitDefender that states I have no viruses/malware/etc.:

 

BitDefender QuickScan Beta 32-bit v0.9.8.2

------------------------------------------

 

Scan date: Tue Dec 08 11:18:24 2009

Machine ID: 4DD6CA1

 

 

 

No infection found.

---------------------

 

 

Processes

---------

<unsigned> Dropbox 3604 C:\Documents and Settings\DL\Application Data\Dropbox\bin\Dropbox.exe

<unsigned> Canon Camera Access Library 8 2920 C:\Program Files\Canon\CAL\CALMAIN.exe

 

<verified> Bonjour Service 2044 C:\Program Files\Bonjour\mDNSResponder.exe

<verified> NMSAccessU.exe 2156 C:\Program Files\CDBurnerXP\NMSAccessU.exe

<verified> Apple Mobile Device Service 1976 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

<verified> Symantec Event Manager Service 512 C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

<verified> symlcsvc.exe 1212 C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

<verified> Symantec Network Proxy Service 308 C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

<verified> Symantec Settings Manager Service 1648 C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

<verified> LiveUpdate Notice Service 704 C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

<verified> Network Driver Service 164 C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

<verified> SPBBC Service 1176 C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

<verified> Java Quick Starter Service 864 C:\Program Files\Java\jre6\bin\jqs.exe

<verified> Memeo AutoBackup Client 1800 C:\Program Files\Memeo\AutoBackup\MemeoBackup.exe

<verified> ActiveSync RAPI Manager 3824 C:\Program Files\Microsoft ActiveSync\rapimgr.exe

<verified> ActiveSync Connection Manager 3440 C:\Program Files\Microsoft ActiveSync\Wcescomm.exe

<verified> Firefox 3708 C:\Program Files\Mozilla Firefox\firefox.exe

<verified> Norton AntiVirus Auto-Protect Service 1764 C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

<verified> Automatic LiveUpdate Scheduler Service 2004 C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

<verified> Media Center Receiver Service 220 C:\WINDOWS\eHome\ehRecvr.exe

<verified> Media Center Scheduler Service 296 C:\WINDOWS\eHome\ehSched.exe

<verified> MCRD Device Service 2660 C:\WINDOWS\ehome\mcrdsvc.exe

<verified> Windows Explorer 1816 C:\WINDOWS\Explorer.EXE

<verified> Application Layer Gateway Service 3920 C:\WINDOWS\System32\alg.exe

<verified> Client Server Runtime Process 732 C:\WINDOWS\system32\csrss.exe

<verified> CTF Loader 3388 C:\WINDOWS\system32\ctfmon.exe

<verified> COM Surrogate 2992 C:\WINDOWS\system32\dllhost.exe

<verified> LSA Shell (Export Version) 820 C:\WINDOWS\system32\lsass.exe

<verified> NVIDIA Driver Helper Service, Version 163.71 2192 C:\WINDOWS\system32\nvsvc32.exe

<verified> Services and Controller app 808 C:\WINDOWS\system32\services.exe

<verified> Windows NT Session Manager 676 C:\WINDOWS\System32\smss.exe

<verified> Spooler SubSystem App 1660 C:\WINDOWS\system32\spoolsv.exe

<verified> Generic Host Process for Win32 Services 1040 C:\WINDOWS\system32\svchost.exe

<verified> Generic Host Process for Win32 Services 2336 C:\WINDOWS\system32\svchost.exe

<verified> Generic Host Process for Win32 Services 1564 C:\WINDOWS\system32\svchost.exe

<verified> Generic Host Process for Win32 Services 1456 C:\WINDOWS\system32\svchost.exe

<verified> Generic Host Process for Win32 Services 1312 C:\WINDOWS\system32\svchost.exe

<verified> Generic Host Process for Win32 Services 1944 C:\WINDOWS\system32\svchost.exe

<verified> Generic Host Process for Win32 Services 1236 C:\WINDOWS\System32\svchost.exe

<verified> Generic Host Process for Win32 Services 1120 C:\WINDOWS\system32\svchost.exe

<verified> Generic Host Process for Win32 Services 2508 C:\WINDOWS\system32\svchost.exe

<verified> Windows NT Logon Application 756 C:\WINDOWS\system32\winlogon.exe

<verified> Windows Update 3260 C:\WINDOWS\system32\wuauclt.exe

 

 

Network activity

----------------

Process ccProxy.exe (308) connected on port 80 (HTTP) - qy-in-f101.1e100.net

Process ccProxy.exe (308) connected on port 80 (HTTP) - vw-in-f189.1e100.net

Process ccProxy.exe (308) connected on port 80 (HTTP) - vw-in-f166.1e100.net

Process ccProxy.exe (308) connected on port 80 (HTTP) - yo-in-f105.1e100.net

Process ccProxy.exe (308) connected on port 80 (HTTP) - vw-in-f19.1e100.net

Process ccProxy.exe (308) connected on port 80 (HTTP) - a69-192-76-20.deploy.akamaitechnologies.com

Process ccProxy.exe (308) connected on port 80 (HTTP) - vw-in-f19.1e100.net

Process ccProxy.exe (308) connected on port 80 (HTTP) - *.112.2o7.net

Process ccProxy.exe (308) connected on port 80 (HTTP) - vw-in-f19.1e100.net

Process ccProxy.exe (308) connected on port 80 (HTTP) - 208.43.202.41-static.reverse.softlayer.com

 

Process svchost.exe (1120) listens on ports: 135 (RPC)

Process rapimgr.exe (3824) listens on ports: 990 (FTP over SSL)

 

 

Autoruns and critical files

---------------------------

<unsigned> Dropbox C:\Documents and Settings\DL\Application Data\Dropbox\bin\Dropbox.exe

<unsigned> ShellExecuteHook C:\Program Files\SUPERAntiSpyware\SASSEH.DLL

<unsigned> SUPERAntiSpyware WinLogon Processor C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

 

<verified> Apple Software Update C:\Program Files\Apple Software Update\SoftwareUpdate.exe

<verified> Citrix Online GoToAssist C:\Program Files\Citrix\GoToAssist\480\g2awinlogon.dll

<verified> ActiveSync Connection Manager C:\Program Files\Microsoft ActiveSync\Wcescomm.exe

<verified> Norton AntiVirus Scanner Module C:\Program Files\Norton Internet Security\Norton AntiVirus\NAVW32.EXE

<verified> Shell Browser UI Library C:\WINDOWS\system32\browseui.dll

<verified> Crypto API32 C:\WINDOWS\system32\crypt32.dll

<verified> Crypto Network Related API C:\WINDOWS\system32\cryptnet.dll

<verified> Offline Network Agent C:\WINDOWS\system32\cscdll.dll

<verified> CTF Loader C:\WINDOWS\system32\ctfmon.exe

<verified> DIMS Notification Handler C:\WINDOWS\system32\dimsntfy.dll

<verified> Windows Logon UI C:\WINDOWS\system32\logonui.exe

<verified> NVIDIA Display Properties Extension C:\WINDOWS\system32\NvCpl.dll

<verified> Secondary Logon Service Notification DLL C:\WINDOWS\system32\sclgntfy.dll

<verified> Windows Shell Common Dll C:\WINDOWS\system32\shell32.dll

<verified> Systray shell service object C:\WINDOWS\system32\stobject.dll

<verified> Userinit Logon Application c:\windows\system32\userinit.exe

<verified> Web Site Monitor C:\WINDOWS\system32\webcheck.dll

<verified> Common DLL to receive Winlogon notifications C:\WINDOWS\system32\wlnotify.dll

<verified> Windows Portable Device Shell Service Object C:\WINDOWS\system32\WPDShServiceObj.dll

 

 

Browser plugins

---------------

<unsigned> Bonjour Namespace Provider C:\Program Files\Bonjour\mdnsNSP.dll

<unsigned> DivX® Content Upload Plugin C:\Program Files\DivX\DivX Content Uploader\npUpload.dll

<unsigned> Garmin Communicator Plug-In 2.5.2.0 C:\Program Files\Garmin GPS Plugin\npGarmin.dll

<unsigned> The QuickTime Plugin allows you to view a wide var C:\Program Files\Internet Explorer\plugins\npqtplugin.dll

<unsigned> The QuickTime Plugin allows you to view a wide var C:\Program Files\Internet Explorer\plugins\npqtplugin2.dll

<unsigned> The QuickTime Plugin allows you to view a wide var C:\Program Files\Internet Explorer\plugins\npqtplugin3.dll

<unsigned> The QuickTime Plugin allows you to view a wide var C:\Program Files\Internet Explorer\plugins\npqtplugin4.dll

<unsigned> The QuickTime Plugin allows you to view a wide var C:\Program Files\Internet Explorer\plugins\npqtplugin5.dll

<unsigned> The QuickTime Plugin allows you to view a wide var C:\Program Files\Internet Explorer\plugins\npqtplugin6.dll

<unsigned> The QuickTime Plugin allows you to view a wide var C:\Program Files\Internet Explorer\plugins\npqtplugin7.dll

<unsigned> OpenSSL Shared Library C:\Program Files\Mozilla Firefox\plugins\libdivx.dll

<unsigned> npdnu C:\Program Files\Mozilla Firefox\plugins\npdnu.dll

<unsigned> npdnupdater2 C:\Program Files\Mozilla Firefox\plugins\npdnupdater2.dll

<unsigned> The QuickTime Plugin allows you to view a wide var C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll

<unsigned> The QuickTime Plugin allows you to view a wide var C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll

<unsigned> The QuickTime Plugin allows you to view a wide var C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll

<unsigned> The QuickTime Plugin allows you to view a wide var C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll

<unsigned> The QuickTime Plugin allows you to view a wide var C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll

<unsigned> The QuickTime Plugin allows you to view a wide var C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll

<unsigned> The QuickTime Plugin allows you to view a wide var C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll

<unsigned> RealJukebox Netscape Plugin C:\Program Files\Mozilla Firefox\plugins\nprjplug.dll

<unsigned> 6.0.12.46 C:\Program Files\Mozilla Firefox\plugins\nprpjplug.dll

<unsigned> npsnapfish C:\Program Files\Mozilla Firefox\plugins\npsnapfish.dll

<unsigned> OpenSSL Shared Library C:\Program Files\Mozilla Firefox\plugins\ssldivx.dll

<unsigned> RealJukebox Netscape Plugin C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll

<unsigned> 6.0.12.46 C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll

<unsigned> F-Secure Automatic Update Agent API DLL C:\WINDOWS\Downloaded Program Files\auc_lib.dll

<unsigned> daas C:\WINDOWS\Downloaded Program Files\daas_s.dll

<unsigned> InstallShield Update Service Setup Player Module C:\WINDOWS\Downloaded Program Files\dwusplay.dll

<unsigned> InstallShield Update Service Setup Player C:\WINDOWS\Downloaded Program Files\dwusplay.exe

<unsigned> fscax module C:\WINDOWS\Downloaded Program Files\fscax.dll

<unsigned> InstallShield Update Service Web Agent C:\WINDOWS\Downloaded Program Files\isusweb.dll

 

<verified> npmnqmp 989898989877 C:\Documents and Settings\DL\Application Data\Move Networks\plugins\npqmp071505000011.dll

<verified> NIS Shell Extension c:\program files\common files\symantec shared\adblocking\nisshext.dll

<verified> DivX Web Player version 1.5.0.52 C:\Program Files\DivX\DivX Web Player\npdivx32.dll

<verified> Adobe PDF Plug-In For Firefox and Netscape C:\Program Files\Internet Explorer\plugins\nppdf32.dll

<verified> npitunes.dll C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll

<verified> Windows Messenger C:\Program Files\Messenger\msmsgs.exe

<verified> np-mswmp C:\Program Files\Mozilla Firefox\plugins\np-mswmp.dll

<verified> NPRuntime Script Plug-in Library for Java Depl C:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll

<verified> DivX Web Player version 1.5.0.52 C:\Program Files\Mozilla Firefox\plugins\npdivx32.dll

<verified> Default Plug-in C:\Program Files\Mozilla Firefox\plugins\npnul32.dll

<verified> Office Plugin for Netscape Navigator C:\Program Files\Mozilla Firefox\plugins\NPOFFICE.DLL

<verified> Adobe PDF Plug-In For Firefox and Netscape C:\Program Files\Mozilla Firefox\plugins\nppdf32.dll

<verified> RealPlayer LiveConnect-Enabled Plug-In C:\Program Files\Mozilla Firefox\plugins\nppl3260.dll

<verified> Norton AntiVirus Shell Extension Module c:\program files\norton internet security\norton antivirus\navshext.dll

<verified> RealPlayer LiveConnect-Enabled Plug-In C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll

<verified> Adobe® Flash® Player ActiveX Installer C:\WINDOWS\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe

<verified> fslauncher module C:\WINDOWS\Downloaded Program Files\fslauncher.dll

<verified> F-Secure GateLauncher C:\WINDOWS\Downloaded Program Files\gatelauncher.exe

<verified> Windows Presentation Foundation (WPF) plug-in for c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll

<verified> Network Diagnostic for Windows XP C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

<verified> Internet Explorer C:\WINDOWS\system32\ieframe.dll

<verified> NPSWF32.dll C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll

<verified> Microsoft Windows Sockets 2.0 Service Provider C:\WINDOWS\system32\mswsock.dll

<verified> Microsoft Windows Rsvp 1.0 Service Provider C:\WINDOWS\system32\rsvpsp.dll

<verified> LDAP RnR Provider DLL C:\WINDOWS\system32\winrnr.dll

 

 

Scan

----

 

No file uploaded.

 

Scan finished - communication took 3 sec

Total traffic - 0.06 MB sent, 2.98 KB recvd

Scanned 1103 files and modules - 88 seconds

 

Hi,

 

Help us help you.

 

Please read this article and follow the protocol.

http://spywareinfoforum.com/index.php?showtopic=23382

Then submit a fresh HijackThis log. One of our helpers will take care of you. It's the only way we can give you sound advice.

Edited by DavSabu
HijackThis log requested.


Hello, I'm re-posting according to the forum rules from my previous post.

 

This is my logfile

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:14:50 PM, on 12/8/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

C:\Program Files\CDBurnerXP\NMSAccessU.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft ActiveSync\Wcescomm.exe

C:\PROGRA~1\MICROS~3\rapimgr.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\HiJackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optimum.net/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {22492231-AEF0-49FC-9180-CE8969AB1273} (F-Secure Online Scanner Launcher) - http://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab

O16 - DPF: {315B0BFB-2BD4-481B-80A3-A9B80727C61B} (WebIQ Engine Application Object) - http://webiq005.webiqonline.com/WebIQ/DataServer/DataServer.dll?Handler=GetEngineDistribution&EDID={896A23A1-5821-4609-A6C6-6D5536C585C9}

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1223575658919

O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe

O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe

O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

 

--

End of file - 8652 bytes

 

I also ran TDSSKiller, and that is where I discovered that I had the TDSS rootkit in C:\windows\system32\drivers\iastor.sys. The cure failed there, but it was able to cure the following (although they returned at reboot):

driver "iastor" Irp handler infected by TDSS & driver "iastor" StartIo handler infected by TDSS rootkit. I've also run Spybot Search and Destroy, Malwarebytes, SuperAntiSpyware, Norton, AdAware. It all seems to come back to this TDSS rootkit.

Thanks for any help anyone can provide.

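As an added example (not code from the original post, from HijackThis or from the forum), a small Python triage script that parses the O2/O4/O16/O20/O23 lines of a HijackThis v2 log like the one above and surfaces the entries a reviewer would look at first: services listed as "Unknown owner", autostart components loading from outside Program Files or Windows, and ActiveX (O16) downloads from hosts not on an allow-list. The sample log, the allow-list and the two constructed suspicious lines (example-updater, example.invalid) are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample in the HijackThis v2 log format shown in the post above.
# The first eight lines reproduce entries from the posted log; the last two are
# constructed for this example (example-updater, example.invalid) so that the
# location and download-host checks have something to flag.
SAMPLE_LOG = r"""
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O4 - HKCU\..\Run: [example-updater] C:\Documents and Settings\DL\Local Settings\Temp\updater.exe
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Constructed Object) - http://example.invalid/cabs/ctl.cab
"""


@dataclass
class Entry:
    section: str     # HijackThis section code, e.g. "O23"
    name: str        # display name, service name or BHO name
    path: str        # binary path, run command, or download URL for O16
    extra: str = ""  # CLSID (O2, O16), registry key (O4) or company (O23)


# One pattern per section this example handles; other sections are skipped.
LINE_PATTERNS = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<extra>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$"),
    "O4": re.compile(r"^O4 - (?P<extra>HK\w+\\\.\.\\\w+): \[(?P<name>[^\]]*)\] (?P<path>.*)$"),
    "O16": re.compile(r"^O16 - DPF: (?P<extra>\{[0-9A-Fa-f-]+\}) \((?P<name>.*?)\) - (?P<path>\S+)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>.*?) - (?P<path>.*)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<extra>.*?) - (?P<path>.*)$"),
}

# Directories an autostart binary is expected to live under on this XP box.
TRUSTED_ROOTS = ("c:\\program files", "c:\\progra~1", "c:\\windows")

# Download hosts the reviewer has already accepted for O16 ActiveX controls.
# Constructed allow-list for the example, taken from hosts in the posted log.
KNOWN_DPF_HOSTS = {"fpdownload2.macromedia.com", "update.microsoft.com", "download.divx.com"}

# First drive-letter path in a run command; stops at a comma (rundll32 args) or a quote.
PATH_RE = re.compile(r"[A-Za-z]:\\[^,\"]*")


def parse_log(text):
    """Turn the handled HijackThis lines into Entry records; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        code = line.split(" ", 1)[0]
        pattern = LINE_PATTERNS.get(code)
        match = pattern.match(line) if pattern else None
        if match is None:
            continue  # R0/R1/O3/O8/O9 and malformed lines are out of scope here
        fields = match.groupdict()
        entries.append(Entry(code, fields["name"], fields["path"], fields.get("extra", "")))
    return entries


def first_path(command):
    """Extract the executable/DLL path from a run command such as 'RUNDLL32.EXE C:\\...\\x.dll,Entry'."""
    match = PATH_RE.search(command)
    return match.group(0).strip() if match else ""


def in_trusted_root(path):
    return path.lower().startswith(TRUSTED_ROOTS)


def dpf_host(url):
    return (urlsplit(url).hostname or "").lower()


def triage(entries):
    """Return (entry, reason) pairs a reviewer should look at first."""
    findings = []
    for e in entries:
        if e.section == "O23" and e.extra.lower() == "unknown owner":
            findings.append((e, "service has no recognised publisher; verify the binary's signature"))
        elif e.section in ("O2", "O4", "O20") and not in_trusted_root(first_path(e.path)):
            findings.append((e, "autostart component loads from outside Program Files / Windows"))
        elif e.section == "O16" and dpf_host(e.path) not in KNOWN_DPF_HOSTS:
            findings.append((e, "ActiveX control downloaded from a host not on the allow-list"))
    return findings


def report(findings):
    return [f"{e.section} {e.name}: {reason} [{e.path}]" for e, reason in findings]


if __name__ == "__main__":
    for line in report(triage(parse_log(SAMPLE_LOG))):
        print(line)
```

A hit here is a review prompt, not a verdict: the two "Unknown owner" services in the posted log are both legitimate third-party binaries, which is exactly why the next step is checking the file's signature rather than deleting it.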

Welcome to SWI. We apologize for the delay; our helpers have been very busy.

 

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

 

Thank you for your patience.

 

 

[this is an automated reply]


Sorry about the wait, we're very busy. Do you still need help with this issue?

 

jedi


Hey Jedi,

No worries, I realize a lot of people seemed to have gotten hit with problems this last week. I tried a couple of different approaches and did the Rkill followed by TDSSKiller. It told me there was a TDSS rootkit and that it could not clean from the disk, and that driver "iastor" was infected by the TDSS rootkit. I ended up doing an online scan through PandaScan, and it found a digstream.exe (which I read is sometimes left over by the ESPN website). However, since I've never gone there, I realized it was probably the virus/worm/rootkit in hiding. Once PandaScan deleted it I was able to open in Safe Mode, download Google Chrome, and also the annoying redirects stopped.

I've learned more than I knew before I had this problem with my computer, but from your knowledge does this sound like it was resolved, or is the virus/worm/rootkit simply in hiding?

Thanks for any insight you can give me.


Hi,

 

I think it's unlikely the infection is entirely gone; please do the following:

 

Download ComboFix from one of these locations:

 

Link 1

Link 2

Link 3

 

* IMPORTANT !!! Save ComboFix.exe to your Desktop

 

 

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

 

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

 

[Screenshot: RC1.png]

 

 

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

 

 

[Screenshot: cfRC_screen_2.png]

 

 

Click on Yes, to continue scanning for malware.

 

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.

 

jedi


Hey Jedi,

I downloaded ComboFix and I had some questions. At one point it seemed to send me to the blue screen stating that a serious error had occurred. Also, do I keep my internet on while running the ComboFix scan, or shut it off since I don't have my Norton protection enabled?

Thanks again for the help.


Hey Jedi,

Please disregard my above message. I let it run with the internet still on and it worked. Here is the log for you below.

Thanks!

 

 

ComboFix 09-12-11.05 - DL 12/12/2009 16:01:36.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.565 [GMT -5:00]

Running from: c:\documents and settings\DL\Desktop\ComboFix.exe

AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\windows\kb913800.exe

c:\windows\system32\drivers\npf.sys

c:\windows\system32\lsprst7.dll

c:\windows\system32\Packet.dll

c:\windows\system32\pthreadVC.dll

c:\windows\system32\ssprs.dll

c:\windows\system32\wpcap.dll

 

.

((((((((((((((((((((((((( Files Created from 2009-11-12 to 2009-12-12 )))))))))))))))))))))))))))))))

.

 

2009-12-12 18:55 . 2009-12-12 18:57 -------- dc-h--w- c:\windows\ie8

2009-12-12 17:53 . 2009-12-09 22:49 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20091212.004\NAVENG.SYS

2009-12-12 17:53 . 2009-12-09 22:49 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20091212.004\EECTRL.SYS

2009-12-12 17:53 . 2009-12-09 22:49 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20091212.004\CCERASER.DLL

2009-12-12 17:53 . 2009-12-09 22:49 259440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20091212.004\ECMSVR32.DLL

2009-12-12 17:53 . 2009-12-09 22:49 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20091212.004\NAVENG32.DLL

2009-12-12 17:53 . 2009-12-09 22:49 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20091212.004\NAVEX32A.DLL

2009-12-12 17:53 . 2009-12-09 22:49 1323568 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20091212.004\NAVEX15.SYS

2009-12-12 17:53 . 2009-12-09 22:49 102448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20091212.004\ERASER.SYS

2009-12-11 00:43 . 2009-12-11 00:43 -------- d-----w- c:\documents and settings\DL\Local Settings\Application Data\Temp

2009-12-09 22:49 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20091111.001\IDSvix86.sys

2009-12-09 22:49 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20091111.001\IDSXpx86.sys

2009-12-09 22:49 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20091111.001\Scxpx86.dll

2009-12-09 22:49 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20091111.001\IDSxpx86.dll

2009-12-09 22:49 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20091111.001\IDSviA64.sys

2009-12-09 22:45 . 2009-10-29 02:31 784752 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\coFFPlgn\components\coFFPlgn.dll

2009-12-09 22:45 . 2009-10-01 09:19 164216 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\IPSFFPlgn\components\IPSFFPl.dll

2009-12-09 22:45 . 2009-12-09 22:45 -------- d-----w- c:\program files\Symantec

2009-12-09 22:45 . 2009-12-09 22:45 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2009-12-09 22:45 . 2009-12-09 22:45 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2009-12-09 22:45 . 2009-10-05 17:34 929648 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\OCS\hsplayer.dll

2009-12-09 22:45 . 2009-11-07 01:08 893296 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\CLT\cltLMSx.dll

2009-12-09 22:44 . 2009-12-09 22:44 -------- d-----w- c:\windows\system32\drivers\NIS

2009-12-09 22:44 . 2009-12-09 22:44 -------- d-----w- c:\program files\Windows Sidebar

2009-12-09 22:44 . 2009-12-09 22:44 -------- d-----w- c:\program files\Norton Internet Security

2009-12-09 22:32 . 2009-12-09 22:32 -------- d-----w- c:\documents and settings\All Users\Application Data\PCSettings

2009-12-09 22:32 . 2009-12-09 22:32 -------- d-----w- c:\program files\NortonInstaller

2009-12-09 22:32 . 2009-12-09 22:32 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller

2009-12-09 22:31 . 2009-12-09 22:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton

2009-12-09 20:44 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

2009-12-09 04:24 . 2009-06-30 14:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys

2009-12-09 04:24 . 2009-12-09 04:24 -------- d-----w- c:\program files\Panda Security

2009-12-09 04:13 . 2009-12-09 04:13 401720 ----a-w- C:\HiJackThis.exe

2009-12-08 16:18 . 2009-12-10 20:57 -------- d-----w- c:\documents and settings\DL\Application Data\QuickScan

2009-12-08 15:56 . 2009-12-08 15:56 -------- d-----w- c:\program files\Trend Micro

2009-12-07 20:49 . 2009-12-07 21:40 -------- d-----w- c:\program files\RegistryFix

2009-12-06 04:38 . 2009-12-09 16:08 117760 ----a-w- c:\documents and settings\DL\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2009-12-06 04:37 . 2009-12-06 04:37 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-12-06 04:37 . 2009-12-06 04:37 -------- d-----w- c:\program files\SUPERAntiSpyware

2009-12-06 04:37 . 2009-12-06 04:37 -------- d-----w- c:\documents and settings\DL\Application Data\SUPERAntiSpyware.com

2009-12-05 07:15 . 2009-12-05 15:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-12-05 07:15 . 2009-12-05 07:18 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-12-04 00:01 . 2009-12-04 00:01 -------- d-----w- c:\documents and settings\DL\Application Data\Malwarebytes

2009-12-04 00:01 . 2009-12-04 00:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-12-01 20:38 . 2009-12-01 20:38 -------- d-----w- c:\program files\iPod

2009-12-01 20:38 . 2009-12-01 20:39 -------- d-----w- c:\program files\iTunes

2009-12-01 20:38 . 2009-12-01 20:39 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}

2009-12-01 20:26 . 2009-12-01 20:26 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe

2009-11-19 07:12 . 2009-11-19 07:12 127325 ----a-w- c:\documents and settings\DL\Application Data\Move Networks\uninstall.exe

2009-11-19 07:11 . 2009-11-19 07:11 1408800 ----a-w- c:\documents and settings\DL\Application Data\Move Networks\MoveMediaPlayerWin_071505000011.exe

2009-11-14 15:25 . 2009-11-14 15:25 152576 ----a-w- c:\documents and settings\DL\Application Data\Sun\Java\jre1.6.0_17\lzma.dll

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-12-12 20:40 . 2007-11-01 03:56 -------- d-----w- c:\program files\Common Files\Adobe

2009-12-10 18:10 . 2007-10-31 03:48 -------- d-----w- c:\program files\Microsoft ActiveSync

2009-12-09 22:50 . 2007-10-31 02:19 -------- d-----w- c:\program files\Common Files\Symantec Shared

2009-12-09 22:45 . 2009-12-09 22:45 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF

2009-12-09 22:45 . 2009-12-09 22:45 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT

2009-12-09 20:52 . 2009-06-13 04:33 -------- d-----w- c:\program files\Nero

2009-12-09 20:52 . 2009-06-13 04:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero

2009-12-09 17:14 . 2006-04-26 12:23 250880 ----a-w- c:\windows\system32\drivers\iaStor.sys

2009-12-09 15:28 . 2007-10-31 02:08 -------- d-----w- c:\program files\DIGStream

2009-12-08 15:31 . 2009-11-03 23:29 -------- d-----w- c:\documents and settings\DL\Application Data\Dropbox

2009-12-06 04:36 . 2008-02-09 17:26 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-12-05 16:46 . 2007-10-31 05:56 -------- d-----w- c:\program files\Google

2009-12-05 07:24 . 2008-02-09 17:26 -------- d-----w- c:\program files\Lavasoft

2009-12-05 03:05 . 2008-08-06 03:27 -------- d-----w- c:\program files\Yahoo SiteBuilder

2009-12-05 03:05 . 2007-11-10 15:45 -------- d-----w- c:\program files\Windows Media Connect 2

2009-12-05 03:05 . 2007-10-31 02:09 -------- d-----w- c:\program files\RGB

2009-12-05 03:05 . 2007-10-31 02:08 -------- d-----w- c:\program files\ESPNMotion

2009-12-05 03:05 . 2007-10-31 02:08 -------- d-----w- c:\program files\GemMaster

2009-12-05 03:05 . 2007-10-31 02:08 -------- d-----w- c:\program files\EnglishOtto

2009-12-05 03:05 . 2007-12-12 04:02 -------- d-----w- c:\program files\DivX

2009-12-05 03:05 . 2009-10-17 21:00 -------- d-----w- c:\program files\CDBurnerXP

2009-12-01 20:38 . 2009-09-10 03:31 -------- d-----w- c:\program files\Common Files\Apple

2009-12-01 20:37 . 2008-08-07 03:09 -------- d-----w- c:\program files\Bonjour

2009-12-01 20:32 . 2008-06-28 17:58 -------- d-----w- c:\program files\QuickTime

2009-11-21 15:51 . 2004-08-10 11:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll

2009-11-19 15:51 . 2008-02-20 03:04 -------- d-----w- c:\documents and settings\DL\Application Data\Move Networks

2009-11-19 07:12 . 2009-08-13 19:21 4187512 ----a-w- c:\documents and settings\DL\Application Data\Move Networks\plugins\npqmp071505000011.dll

2009-11-14 15:31 . 2007-12-02 21:43 -------- d-----w- c:\program files\Java

2009-11-14 15:25 . 2009-11-11 02:16 79488 ----a-w- c:\documents and settings\DL\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

2009-11-13 03:42 . 2009-11-12 16:01 -------- d-----w- c:\program files\FTP

2009-11-12 15:59 . 2009-11-12 15:59 -------- d-----w- c:\program files\WS_FTP

2009-11-04 23:50 . 2009-11-04 23:50 201616 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20091104.001\BHRules.dll

2009-11-04 23:50 . 2009-11-04 23:50 663088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20091104.001\BHDrvx64.sys

2009-11-04 23:50 . 2009-11-04 23:50 524848 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20091104.001\BHDrvx86.sys

2009-11-04 23:50 . 2009-11-04 23:50 1413520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20091104.001\BHEngine.dll

2009-11-04 23:50 . 2009-11-04 23:50 610704 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20091104.001\bbRGen.dll

2009-11-03 23:30 . 2009-11-03 23:30 89962 ----a-w- c:\documents and settings\DL\Application Data\Dropbox\bin\Uninstall.exe

2009-11-03 23:17 . 2009-09-25 20:56 -------- d-----w- c:\documents and settings\DL\Application Data\YouSendIt

2009-10-30 05:29 . 2007-10-31 03:53 1682 --sha-w- c:\windows\system32\KGyGaAvL.sys

2009-10-29 07:45 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll

2009-10-28 22:37 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\BinHub\IDSvix86.sys

2009-10-28 22:37 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\BinHub\IDSXpx86.sys

2009-10-28 22:37 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\BinHub\Scxpx86.dll

2009-10-28 22:37 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\BinHub\IDSxpx86.dll

2009-10-28 22:37 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\BinHub\IDSviA64.sys

2009-10-21 05:38 . 2004-08-10 11:00 75776 ----a-w- c:\windows\system32\strmfilt.dll

2009-10-21 05:38 . 2004-08-10 11:00 25088 ----a-w- c:\windows\system32\httpapi.dll

2009-10-20 16:20 . 2004-08-10 11:00 265728 ----a-w- c:\windows\system32\drivers\http.sys

2009-10-17 21:04 . 2009-10-17 21:04 -------- d-----w- c:\program files\Cucusoft

2009-10-17 21:00 . 2009-10-17 21:00 -------- d-----w- c:\documents and settings\DL\Application Data\Canneverbe_Limited

2009-10-17 21:00 . 2009-10-17 21:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Canneverbe Limited

2009-10-17 20:42 . 2009-10-17 20:39 -------- d-----w- c:\documents and settings\DL\Application Data\acccore

2009-10-17 20:39 . 2009-10-17 20:39 -------- d-----w- c:\documents and settings\All Users\Application Data\AIM

2009-10-17 20:39 . 2009-10-17 20:39 -------- d-----w- c:\program files\AIM

2009-10-17 20:39 . 2009-10-17 20:39 -------- d-----w- c:\program files\Common Files\Software Update Utility

2009-10-17 20:39 . 2009-10-17 20:39 -------- d-----w- c:\program files\Common Files\AOL

2009-10-17 16:05 . 2009-10-16 15:22 -------- d-----w- c:\documents and settings\DL\Application Data\DVD Flick

2009-10-17 04:04 . 2009-10-16 02:32 -------- d-----w- c:\documents and settings\DL\Application Data\Ahead

2009-10-16 15:21 . 2009-10-16 15:21 -------- d-----w- c:\program files\DVD Flick

2009-10-16 14:19 . 2009-10-16 14:19 -------- d-----w- c:\program files\Garmin GPS Plugin

2009-10-16 02:44 . 2009-06-13 04:38 -------- d-----w- c:\documents and settings\DL\Application Data\Nero

2009-10-16 02:31 . 2009-10-16 02:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Ahead

2009-10-16 02:22 . 2009-09-08 02:13 -------- d-----w- c:\program files\PeerGuardian2

2009-10-13 10:30 . 2004-08-10 11:00 270336 ----a-w- c:\windows\system32\oakley.dll

2009-10-12 13:38 . 2004-08-10 11:00 149504 ----a-w- c:\windows\system32\rastls.dll

2009-10-12 13:38 . 2004-08-10 11:00 79872 ----a-w- c:\windows\system32\raschap.dll

2009-10-11 09:17 . 2008-12-09 00:02 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-10-09 01:18 . 2009-10-09 01:18 26805255 ----a-w- c:\documents and settings\DL\Application Data\Dropbox\bin\Dropbox.exe

2009-10-08 21:18 . 2009-10-08 21:18 499712 ----a-w- c:\documents and settings\DL\Application Data\Dropbox\bin\msvcp71.dll

2009-10-08 21:18 . 2009-10-08 21:18 348160 ----a-w- c:\documents and settings\DL\Application Data\Dropbox\bin\msvcr71.dll

2009-10-08 21:18 . 2009-10-08 21:18 77824 ----a-w- c:\documents and settings\DL\Application Data\Dropbox\bin\DropboxExt.3.dll

2009-09-29 01:57 . 2009-10-17 21:00 7168 ----a-w- c:\windows\system32\drivers\StarOpen.sys

2009-09-24 03:39 . 2009-09-24 03:39 1025 ----a-w- c:\windows\system32\sysprs7.dll

2009-09-24 03:39 . 2009-09-24 03:39 1025 ----a-w- c:\windows\system32\clauth2.dll

2009-09-24 03:39 . 2009-09-24 03:39 1025 ----a-w- c:\windows\system32\clauth1.dll

2009-09-14 06:37 . 2009-09-14 06:37 1925024 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe

2009-06-15 02:26 . 2009-06-15 02:26 15 ----a-w- c:\program files\winreg.ini

2008-05-29 20:56 . 2008-05-29 20:56 37375 ----a-w- c:\program files\openoffice.org-xsltfilter.cab

2008-05-29 20:56 . 2008-05-29 20:56 2490452 ----a-w- c:\program files\openoffice.org-writer.cab

2008-05-29 20:56 . 2008-05-29 20:56 207388 ----a-w- c:\program files\openoffice.org-testtool.cab

2008-05-29 20:55 . 2008-05-29 20:55 2504975 ----a-w- c:\program files\openoffice.org-pyuno.cab

2008-05-29 20:55 . 2008-05-29 20:55 51973 ----a-w- c:\program files\openoffice.org-onlineupdate.cab

2008-05-29 20:55 . 2008-05-29 20:55 1090334 ----a-w- c:\program files\openoffice.org-math.cab

2008-05-29 20:55 . 2008-05-29 20:55 118910 ----a-w- c:\program files\openoffice.org-javafilter.cab

2008-05-29 20:55 . 2008-05-29 20:55 1254017 ----a-w- c:\program files\openoffice.org-impress.cab

2008-05-29 20:55 . 2008-05-29 20:55 86870 ----a-w- c:\program files\openoffice.org-graphicfilter.cab

2008-05-29 20:55 . 2008-05-29 20:55 919329 ----a-w- c:\program files\openoffice.org-draw.cab

2008-05-29 20:55 . 2008-05-29 20:55 2769 ----a-w- c:\program files\openoffice.org-emailmerge.cab

2008-05-29 20:55 . 2008-05-29 20:55 2031954 ----a-w- c:\program files\openoffice.org-core09.cab

2008-05-29 20:55 . 2008-05-29 20:55 293078 ----a-w- c:\program files\openoffice.org-core08.cab

2008-05-29 20:55 . 2008-05-29 20:55 3842531 ----a-w- c:\program files\openoffice.org-core07.cab

2008-05-29 20:54 . 2008-05-29 20:54 28847705 ----a-w- c:\program files\openoffice.org-core06.cab

2008-05-29 20:50 . 2008-05-29 20:50 18634513 ----a-w- c:\program files\openoffice.org-core05.cab

2008-05-29 20:49 . 2008-05-29 20:49 16503595 ----a-w- c:\program files\openoffice.org-core04.cab

2008-05-29 20:48 . 2008-05-29 20:48 9117929 ----a-w- c:\program files\openoffice.org-core03.cab

2008-05-29 20:48 . 2008-05-29 20:48 3860980 ----a-w- c:\program files\openoffice.org-core02.cab

2008-05-29 20:47 . 2008-05-29 20:47 15104219 ----a-w- c:\program files\openoffice.org-core01.cab

2008-05-29 20:47 . 2008-05-29 20:47 4694039 ----a-w- c:\program files\openoffice.org-calc.cab

2008-05-29 20:47 . 2008-05-29 20:47 1803630 ----a-w- c:\program files\openoffice.org-base.cab

2008-05-29 20:46 . 2008-05-29 20:46 43005 ----a-w- c:\program files\openoffice.org-activex.cab

2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2009-10-08 21:18 77824 ----a-w- c:\documents and settings\DL\Application Data\Dropbox\bin\DropboxExt.3.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2009-10-08 21:18 77824 ----a-w- c:\documents and settings\DL\Application Data\Dropbox\bin\DropboxExt.3.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2009-10-08 21:18 77824 ----a-w- c:\documents and settings\DL\Application Data\Dropbox\bin\DropboxExt.3.dll

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Google Update"="c:\documents and settings\DL\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-12-11 135664]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]

2007-10-31 03:21 10792 ----a-w- c:\program files\Citrix\GoToAssist\480\g2awinlogon.dll

 

[HKLM\~\startupfolder\C:^Documents and Settings^DL^Start Menu^Programs^Startup^Dropbox.lnk]

path=c:\documents and settings\DL\Start Menu\Programs\Startup\Dropbox.lnk

backup=c:\windows\pss\Dropbox.lnkStartup

 

[HKLM\~\startupfolder\C:^Documents and Settings^DL^Start Menu^Programs^Startup^Memeo AutoBackup Launcher.lnk]

path=c:\documents and settings\DL\Start Menu\Programs\Startup\Memeo AutoBackup Launcher.lnk

backup=c:\windows\pss\Memeo AutoBackup Launcher.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2009-11-12 21:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

 

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [12/8/2009 11:24 PM 28552]

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1101000.013\SymDS.sys [12/9/2009 5:45 PM 328752]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1101000.013\SymEFA.sys [12/9/2009 5:45 PM 171056]

R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20091104.001\BHDrvx86.sys [11/4/2009 6:50 PM 524848]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1101000.013\cchpx86.sys [12/9/2009 5:45 PM 501888]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/23/2009 8:43 AM 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 8:43 AM 74480]

R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1101000.013\Ironx86.sys [12/9/2009 5:45 PM 114736]

R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.1.0.19\ccSvcHst.exe [12/9/2009 5:45 PM 126392]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [12/9/2009 5:49 PM 102448]

R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20091111.001\IDSXpx86.sys [12/9/2009 5:49 PM 329592]

R3 NmPar;PCI Parallel Port;c:\windows\system32\drivers\NmPar.sys [4/9/2008 8:28 AM 80512]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 8:43 AM 7408]

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.optimum.net/

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\DL\Application Data\Mozilla\Firefox\Profiles\5jhgl06v.default\

FF - prefs.js: browser.search.selectedEngine - SearchGeek

FF - prefs.js: browser.startup.homepage - hxxp://www.optimum.net/

FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\coFFPlgn\components\coFFPlgn.dll

FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\IPSFFPlgn\components\IPSFFPl.dll

FF - plugin: c:\documents and settings\DL\Application Data\Move Networks\plugins\npqmp071505000011.dll

FF - plugin: c:\documents and settings\DL\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

 

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

.

- - - - ORPHANS REMOVED - - - -

 

MSConfigStartUp-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

 

 

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-12-12 16:07

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NIS]

"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.1.0.19\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.1.0.19\diMaster.dll\" /prefetch:1"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]

"Version"=hex:9d,07,b8,64,f9,8c,6a,43,76,46,0a,ac,ed,be,85,9d,68,bf,6c,30,d6,

f1,95,c5,78,d2,ca,ec,1a,cb,f7,12,c4,29,83,05,67,f5,3c,ff,2e,56,90,91,c1,29,\

 

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]

"Version"=hex:9d,07,b8,64,f9,8c,6a,43,76,46,0a,ac,ed,be,85,9d,68,bf,6c,30,d6,

f1,95,c5,78,d2,ca,ec,1a,cb,f7,12,c4,29,83,05,67,f5,3c,ff,2e,56,90,91,c1,29,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(712)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\WININET.dll

c:\program files\Citrix\GoToAssist\480\G2AWinLogon.dll

.

Completion time: 2009-12-12 16:10:05

ComboFix-quarantined-files.txt 2009-12-12 21:10

 

Pre-Run: 58,138,324,992 bytes free

Post-Run: 58,482,278,400 bytes free

 

- - End Of File - - EFDF89AFEF2DBAECAAFC974FF12C876D


Hi again,

 

Combofix has removed some items, but there's no sign of a rootkit. This may be good news but I want to run one more program to double-check:

 

Download GMER from here:

http://www.gmer.net/gmer.zip

 

Unzip it to Desktop.

 

Please close any open programs/windows!

 

Open the program and click on the Rootkit/Malware tab.


 

Make sure all the boxes on the right of the screen are checked, apart from 'Show All'.


 

Click on Scan (1).


 

When the scan has run click Copy (2) and paste the results (if any) into this thread.

 

jedi


Thanks Jedi, I ran the program and here is the log. I'll keep my fingers crossed.

 

GMER 1.0.15.15279 - http://www.gmer.net

Rootkit scan 2009-12-13 15:42:58

Windows 5.1.2600 Service Pack 3

Running: gmer.exe; Driver: C:\DOCUME~1\DL\LOCALS~1\Temp\ufxcqfod.sys

 

 

---- System - GMER 1.0.15 ----

 

SSDT 864DB408 ZwAlertResumeThread

SSDT 863AB890 ZwAlertThread

SSDT 86215500 ZwAllocateVirtualMemory

SSDT 863A73C8 ZwAssignProcessToJobObject

SSDT 8640A768 ZwConnectPort

SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xECCDB210]

SSDT 861F1EC0 ZwCreateMutant

SSDT 8637A9B8 ZwCreateSymbolicLinkObject

SSDT 86214AF0 ZwCreateThread

SSDT 862D6248 ZwDebugActiveProcess

SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xECCDB490]

SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xECCDB9F0]

SSDT 86215798 ZwDuplicateObject

SSDT 8620F8A8 ZwFreeVirtualMemory

SSDT 863AB0A8 ZwImpersonateAnonymousToken

SSDT 8646E910 ZwImpersonateThread

SSDT 863C9108 ZwLoadDriver

SSDT 8620F708 ZwMapViewOfSection

SSDT 86516850 ZwOpenEvent

SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwOpenKey [0xECCDB7A0]

SSDT 86215A38 ZwOpenProcess

SSDT 8631A050 ZwOpenProcessToken

SSDT 8633B710 ZwOpenSection

SSDT 862158E8 ZwOpenThread

SSDT 86275830 ZwProtectVirtualMemory

SSDT 86487990 ZwResumeThread

SSDT 861B8A88 ZwSetContextThread

SSDT 86212F80 ZwSetInformationProcess

SSDT 8632E710 ZwSetSystemInformation

SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xECCDBC40]

SSDT 86337710 ZwSuspendProcess

SSDT 86326050 ZwSuspendThread

SSDT 86342050 ZwTerminateProcess

SSDT 861DE8F0 ZwTerminateThread

SSDT 862C4050 ZwUnmapViewOfSection

SSDT 8620FC78 ZwWriteVirtualMemory

 

Code \??\C:\DOCUME~1\DL\LOCALS~1\Temp\catchme.sys pIofCallDriver

 

---- Kernel code sections - GMER 1.0.15 ----

 

.text ntkrnlpa.exe!ZwCallbackReturn + 2D30 805045CC 4 Bytes JMP 9958CC17

.text ntkrnlpa.exe!ZwCallbackReturn + 2DC4 80504660 4 Bytes CALL CED667BD

? SYMDS.SYS The system cannot find the file specified. !

? SYMEFA.SYS The system cannot find the file specified. !

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF6325360, 0x307AC7, 0xE8000020]

? C:\DOCUME~1\DL\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !

? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

 

---- Devices - GMER 1.0.15 ----

 

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

 

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

 

---- Registry - GMER 1.0.15 ----

 

Reg HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version

Reg HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version@Version 0x9D 0x07 0xB8 0x64 ...

 

---- EOF - GMER 1.0.15 ----


Hi again,

 

Good, the log shows nothing unusual; I'd say you were clean.

 

In order to be better protected in the future, I recommend the following programs:

 

SpywareBlaster protects against bad ActiveX.

http://www.javacoolsoftware.com/spywareblaster.html

 

SpywareGuard stops Spyware from being installed.

http://www.javacoolsoftware.com/spywareguard.html

 

Also install the MVPS hosts file:

http://www.mvps.org/winhelp2002/hosts.htm

which blocks innocent-looking sites that are not so innocent.

 

All three are very small free programs that you run once, and then just occasionally to check for updates.

 

Also see

How did I get Infected?

 

Finally, it is best to update your system regularly, to ensure you have the latest security patches from Microsoft. Update by clicking here http://v4.windowsupdate.microsoft.com/ and following the prompts.

 

jedi


That's great news Jedi. Glad that all seems well with my computer. I'm going to install both Spyware Guard and Blaster, and I actually checked out the "how did I get infected" back when this all happened, but I'll give it another read.

Thanks again for the help!


You're very welcome. :)


Glad we could help. :)

 

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
