ComboFix 09-07-08.06 - Lizzie 07/09/2009   1:16.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.2006.1591 [GMT -7:00]
Running from: D:\ComboFix.exe
AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
 WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\recycler\S-1-5-21-4048949147-1105829529-1738707479-500
c:\windows\Downloaded Program Files\webinst.dll
c:\windows\Installer\10d4d7.msi
c:\windows\Installer\1a324.msi
c:\windows\system32\cemomrx.dll
c:\windows\system32\drivers\hezyipug.sys
c:\windows\system32\drivers\wvptlctq.sys
c:\windows\system32\ervoedn.dll
c:\windows\system32\tfomcnql.dll
c:\windows\Tasks\At1.job
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_HEZYIPUG
-------\Legacy_VNSVLMTB
-------\Service_hezyipug
-------\Service_vnsvlmtb

((((((((((((((((((((((((( Files Created from 2009-06-09 to 2009-07-09 )))))))))))))))))))))))))))))))
.
2009-07-09 08:22 . 2009-06-09 06:01  165240 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
2009-07-09 02:59 . 2009-07-09 02:59  -------- d-----w- C:\VundoFix Backups
2009-07-09 01:44 . 2009-07-09 01:44  -------- d-----w- c:\documents and settings\Lizzie\Application Data\Malwarebytes
2009-07-09 01:44 . 2009-07-09 01:44  -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-08 23:25 . 2009-06-09 06:01  876144 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090708.034\NAVEX15.SYS
2009-07-08 23:25 . 2009-06-09 06:01  89104 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090708.034\NAVENG.SYS
2009-07-08 23:25 . 2009-06-09 06:01  371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090708.034\EECTRL.SYS
2009-07-08 23:25 . 2009-06-09 06:01  101936 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090708.034\ERASER.SYS
2009-07-08 23:25 . 2009-06-09 06:01  177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090708.034\NAVENG32.DLL
2009-07-08 23:25 . 2009-06-09 06:01  1181040 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090708.034\NAVEX32A.DLL
2009-07-08 23:25 . 2009-06-09 06:01  259368 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090708.034\ECMSVR32.DLL
2009-07-08 23:25 . 2009-06-09 06:01  2414128 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090708.034\CCERASER.DLL
2009-07-07 21:11 . 2009-06-09 06:01  276344 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090707.001\IDSXpx86.sys
2009-07-07 21:11 . 2009-03-16 20:03  533880 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090707.001\Scxpx86.dll
2009-07-07 21:11 . 2009-06-09 06:01  396848 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090707.001\IDSviA64.sys
2009-07-07 21:11 . 2009-06-09 06:01  292912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090707.001\IDSvix86.sys
2009-07-07 21:11 . 2009-06-09 06:01  447864 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090707.001\IDSxpx86.dll
2009-06-11 05:25 . 2009-06-11 05:25  -------- d-----w- c:\documents and settings\Lizzie\Local Settings\Application Data\Deployment
2009-06-11 05:23 . 2009-06-11 05:23  -------- d-----w- C:\N360_BACKUP
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-09 20:12 . 2007-08-03 23:35  -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-06-09 06:13 . 2007-08-03 23:35  -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-09 06:10 . 2009-06-09 06:01  805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-06-09 06:10 . 2009-06-09 06:01  7386 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-06-09 06:10 . 2009-06-09 06:01  60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-06-09 06:10 . 2009-06-09 06:01  124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-06-09 06:10 . 2007-08-03 23:35  -------- d-----w- c:\program files\Symantec
2009-06-09 06:04 . 2009-06-08 04:35  -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-06-09 06:02 . 2009-06-09 06:02  -------- d-----w- c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-06-09 06:00 . 2009-06-09 06:00  -------- d-----w- c:\program files\Windows Sidebar
2009-06-09 06:00 . 2009-06-09 06:00  -------- d-----w- c:\program files\NortonInstaller
2009-06-09 06:00 . 2009-03-29 21:36  -------- d-----w- c:\program files\Symantec AntiVirus
2009-06-08 04:45 . 2009-06-08 04:45  -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-05-29 03:23 . 2009-05-29 02:43  -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-05-29 03:22 . 2009-05-29 03:22  -------- d-----w- c:\documents and settings\Lizzie\Application Data\AVGTOOLBAR
2009-05-01 18:30 . 2009-05-01 18:30  3366912 ------w- c:\windows\system32\GPhotos.scr
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

c:\documents and settings\Lizzie\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-8-3 50688]
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-4-6 147456]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 07:37 34344 ------w- c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-12-14 02:06 28672 ------w- c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"tvtnetwk"=2 (0x2)
"TVT Scheduler"=2 (0x2)
"TVT Backup Service"=2 (0x2)
"TVT Backup Protection Service"=2 (0x2)
"RichVideo"=2 (0x2)
"LightScribeService"=2 (0x2)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"IBMPMSVC"=2 (0x2)
"gusvc"=3 (0x3)
"Diskeeper"=2 (0x2)
"CiSvc"=3 (0x3)
"Bonjour Service"=2 (0x2)
"BcmSqlStartupSvc"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"AcSvc"=2 (0x2)
"AcPrfMgrSvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 Shockprf;Shockprf;c:\windows\system32\drivers\ApsX86.sys [3/2/2007 5:49 PM 100656]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0300000.087\SymEFA.sys [6/8/2009 11:01 PM 310320]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [3/2/2007 5:47 PM 19760]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0300000.087\BHDrvx86.sys [6/8/2009 11:01 PM 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0300000.087\cchpx86.sys [6/8/2009 11:01 PM 482352]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [8/3/2007 4:15 PM 4442]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe [6/8/2009 11:01 PM 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/8/2009 11:28 PM 101936]
R3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [8/3/2007 4:02 PM 13840]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [9/13/2006 12:42 PM 35264]
S1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090707.001\IDSXpx86.sys [7/7/2009 2:11 PM 276344]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2/26/2008 10:08 PM 29183504]
S4 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [1/11/2008 6:50 PM 30312]
S4 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [2/8/2007 1:11 PM 569344]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - HEZYIPUG
*Deregistered* - hezyipug
.
Contents of the 'Scheduled Tasks' folder

2009-05-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-07-09 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 19:20]

2009-07-08 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 1200 series5E771253C1676EBED677BF361FDFC537825E15B8187379979.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 07:52]

2008-01-06 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 1200 series5E771253C1676EBED677BF361FDFC537825E15B8189200261.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 07:52]

2009-06-09 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2007-08-03 16:16]
.
- - - - ORPHANS REMOVED - - - -

BHO-{03EBC35B-E398-4606-AADF-220341F87E55} - (no file)
Notify-NavLogon - (no file)

.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local;
uInternet Settings,ProxyServer = http=localhost:7171
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {4B628FE1-7C21-4C4B-A102-80321EE907B2} = 213.174.139.72,96.225.224.1
TCP: {B5D14467-B006-44D1-944A-2C715DB1C4DA} = 213.174.139.72,96.225.224.1
TCP: {DF58A10A-B168-4119-ADC0-87EA5386430F} = 213.174.139.72,96.225.224.1
DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} - hxxp://getav01.ad.pacificu.edu/PC/XP-32bit/webinst.cab
FF - ProfilePath - c:\documents and settings\Lizzie\Application Data\Mozilla\Firefox\Profiles\gslpdj69.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.npr.org/
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\documents and settings\Lizzie\My Documents\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-09 01:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.0.0.135\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ccEvtMgr]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAVRT]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SNDSrvc]
"ImagePath"="-"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\Æ*"!*Æ*"!* ]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1824)
c:\program files\Lenovo\HOTKEY\tphklock.dll

- - - - - - - > 'explorer.exe'(792)
c:\windows\system32\hnetcfg.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\system32\TPHDEXLG.exe
c:\windows\system32\TpKmpSvc.exe
c:\program files\Lenovo\Client Security Solution\tvttcsd.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\windows\system32\wscntfy.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
.
**************************************************************************
.
Completion time: 2009-07-09  1:25 - machine was rebooted
ComboFix-quarantined-files.txt  2009-07-09 08:25

Pre-Run: 206,854,991,872 bytes free
Post-Run: 206,738,862,080 bytes free

226 --- E O F --- 2008-12-29 19:02