
Multiple Trojan Infections [RESOLVED]


  • This topic is locked

#1 Solidus15 (New Member, 4 posts)
I've come across this site by searching some trojan names on google. From the looks of things, this is the best place I can find help. It would be greatly appreciated, and here is my current situation:

I am currently running Nod32 which began to detect multiple threats a few days ago. Things began to appear more serious when I could not access specific websites (Facebook, Gmail, etc.). I tried Adaware, PCpitstop Exterminate, and even installed a new antivirus program, Norton Internet Security with no success. I also ran Windows Live OneCare and this is what they came up with:

backdoor:Win32/Poisonivy.E

Trojan:Win32/Boaxxe.B

Trojan:Win32/Vundo.HN

Trojan:Win32/Vundo.gen!N

Trojan:JS/Agent.FA

Now I'm here, and I've followed the necessary steps prior to posting. Malwarebytes' Anti-Malware and SuperAntiSpyware seemed to have solved my problem of accessing certain websites and everything seems to load a little faster. But I get the feeling there is a lot more to fix because Nod32 is still detecting some threats such as this:

File
http://avwav.com/_js...077ahntdksr.dll

Threat:
variant of Win32/Agent.NSG trojan


Here are the logs from the programs I used in order:

-------------------------------------------
-------------------------------------------

Malwarebytes' Anti-Malware 1.19
Database version: 905
Windows 5.1.2600 Service Pack 2

9:50:03 PM 6/29/2008
mbam-log-6-29-2008 (21-50-03).txt

Scan type: Quick Scan
Objects scanned: 40641
Time elapsed: 3 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

------------------------------------------
------------------------------------------

SUPERAntiSpyware Scan Log
Generated 06/30/2008 at 00:10 AM

Application Version : 3.6.1000

Core Rules Database Version : 3493
Trace Rules Database Version: 1484

Scan type : Complete Scan
Total Scan Time : 02:13:25

Memory items scanned : 558
Memory threats detected : 0
Registry items scanned : 6018
Registry threats detected : 0
File items scanned : 194223
File threats detected : 1

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\MCRH.TMP

******************************************************
ANALYSIS: 2008-06-30 02:00:22
PROTECTIONS: 2
MALWARE: 1
SUSPECTS: 0
*******************************************************
PROTECTIONS
Description Version Active Updated
=================================================
Norton Internet Security 15.5.0.23 Yes Yes
ESET NOD32 antivirus system 2.70 2.70 Yes Yes
=================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
===================================================================
03139565 Spyware/Virtumonde Spyware Yes 2 Yes No C:\WINDOWS\SYSTEM32\SBLOSOSD.DLL
===================================================================
SUSPECTS
Sent Location b
===============================================================
VULNERABILITIES
Id Severity Description b
===============================================================


----------------------------------------
----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:13:56 AM, on 6/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\FixCamera.exe
C:\WINDOWS\tsnp2std.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.intouch.o...k.BE55/Home.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
O2 - BHO: (no name) - {52752F91-6B85-455E-9EB2-196D7438FD92} - C:\WINDOWS\system32\sblososd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [winsock32] C:\WINDOWS\system32:winsock32.exe
O4 - HKLM\..\Run: [FixCamera] C:\WINDOWS\FixCamera.exe
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot
O4 - HKLM\..\Run: [PCPitstop Optimize Registration Reminder] C:\Program Files\PCPitstop\Optimize\Reminder.exe
O4 - HKLM\..\Run: [PCPitstop Registration Reminder] C:\Program Files\PCPitstop\Exterminate\Reminder.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ThePrivacyGuard] "C:\PROGRA~1\THEPRI~1\THEPRI~1.EXE" /startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase9563.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopet...v/GoPetsWeb.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcp.../pcpitstop2.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 10341 bytes


If there is anything else I need to post, please let me know.

Edited by Solidus15, 30 June 2008 - 01:04 AM.



#2 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Welcome to GTG.

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Download ATF Cleaner at http://www.atribune..../click.php?id=1
Double-click ATF-Cleaner.exe to run the program. Under Main choose Select All.
Click the Empty Selected button.

If you use the Firefox browser, click Firefox at the top and choose Select All.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser, click 'Opera' at the top and choose 'Select All'.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Uninstall the following via the Add/Remove Panel (Start->Settings->Control Panel->Add/Remove Programs) if found:

ThePrivacyGuard

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.intouch.o...k.BE55/Home.htm
O2 - BHO: (no name) - {52752F91-6B85-455E-9EB2-196D7438FD92} - C:\WINDOWS\system32\sblososd.dll
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [winsock32] C:\WINDOWS\system32:winsock32.exe
O4 - HKCU\..\Run: [ThePrivacyGuard] "C:\PROGRA~1\THEPRI~1\THEPRI~1.EXE" /startup


Locate the following Files/Folders and delete them if they exist (if no location given, just do a search for them):

C:\WINDOWS\system32\sblososd.dll
C:\WINDOWS\system32\winsock32.exe
C:\PROGRA~1\THEPRI~1\
C:\WINDOWS\SYSTEM32\MCRH.TMP
C:\WINDOWS\SYSTEM32\SBLOSOSD.DLL


1. Download combofix at http://download.blee...Bs/ComboFix.exe. Save it to your Desktop before you run it.
2. Double-click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not click on combofix's window while it's running. That may cause it to stall.
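The HijackThis lines the helper singles out above share traits a defender can check mechanically: a Run value whose target sits in an NTFS alternate data stream (the `C:\WINDOWS\system32:winsock32.exe` entry, where a second colon appears after the drive letter), a BHO registered with no name, and a start page that points somewhere other than a vendor default. The Python below is an added example, not code from this thread, from HijackThis or from Geeks to Go; the allow-list of default start-page hosts and the three heuristics are assumptions made for illustration, and the sample log lines are copied from the first post. It runs offline.

```python
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit

# Constructed sample: HijackThis lines in the format posted in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.intouch.o...k.BE55/Home.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
O2 - BHO: (no name) - {52752F91-6B85-455E-9EB2-196D7438FD92} - C:\WINDOWS\system32\sblososd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [winsock32] C:\WINDOWS\system32:winsock32.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Hosts that are normal defaults for an IE start page (assumption for this example).
DEFAULT_HOSTS = {"go.microsoft.com", "www.microsoft.com", "www.msn.com"}

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class Finding:
    kind: str    # HijackThis section, e.g. "O4"
    reason: str  # short tag naming the heuristic that fired
    line: str    # the log line it fired on


def is_ads_path(path: str) -> bool:
    # A drive-letter path with a second ':' names an NTFS alternate data
    # stream (e.g. system32:winsock32.exe). A legitimate autostart entry
    # never looks like this, and the stream is invisible in a plain dir listing.
    return bool(DRIVE_RE.match(path)) and ":" in path[2:]


def first_path(command: str) -> str:
    # The executable in a Run value is either the quoted part or the first
    # whitespace-delimited token.
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def analyse_entry(kind: str, body: str) -> List[str]:
    reasons = []
    if kind in ("R0", "R1") and ",Start Page = " in body:
        url = body.split(" = ", 1)[1]
        host = urlsplit(url).hostname
        if host and host not in DEFAULT_HOSTS:
            reasons.append("nondefault_start_page")
    elif kind == "O2":
        parts = body.split(" - ")
        if parts[0].endswith("(no name)"):
            reasons.append("unnamed_bho")
        if is_ads_path(parts[-1]):
            reasons.append("ads_bho")
    elif kind == "O4":
        m = re.search(r"\[[^\]]*\]\s*(?P<cmd>.*)", body)
        if m and is_ads_path(first_path(m.group("cmd"))):
            reasons.append("ads_autostart")
    return reasons


def scan_hijackthis(text: str) -> List[Finding]:
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # headers, the running-process list and blank lines
        for reason in analyse_entry(m.group("kind"), m.group("body")):
            findings.append(Finding(m.group("kind"), reason, line))
    return findings


if __name__ == "__main__":
    for f in scan_hijackthis(SAMPLE_LOG):
        print(f"{f.kind} {f.reason}: {f.line}")
```

Heuristics like these only triage a log; a non-default start page means "review", not "malicious", and the ADS and unnamed-BHO checks are the ones that are close to conclusive on their own. The helper's reading of the full log is still what decides which lines get fixed.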

#3 Solidus15 (Topic Starter, New Member, 4 posts)
Hey greyknight17, thanks for the response. For a second there I thought I 'fell through the cracks' and would have to wait 3 days. I've followed all your instructions with a few notes:

There was no 'ThePrivacyGuard' in the Add/Remove programs list.
I was able to check off everything in the HJT scan.
In your instructions I think you may have written SBLOSOSD.DLL twice but nonetheless, I ran a search for all of the files and folders you listed and they were gone.
Before running ComboFix, was I supposed to turn off my anti-virus program (Nod32)? It detected a threat as soon as I ran it:

File:
C:\DOCUME~1\REYNEL~1\LOCALS~1\Temp\Av-Test.txt

Threat:
Eicar test file

Comment:
Event occurred on a new file created by the application: C:\WINDOWS\system32\CF30177.exe. This file was moved to quarantine. You may close this window

I don't know how much that interfered with ComboFix but here is the log:

---------------------------------------------
---------------------------------------------

ComboFix 08-06-20.4 - Reynel Macatugob 2008-06-30 22:29:31.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1325 [GMT -4:00]
Running from: C:\Documents and Settings\Reynel Macatugob\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Recycled\Recycled
C:\WINDOWS\BMd7037d3c.xml
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\atlrudft.ini
C:\WINDOWS\system32\dbtjmxlf.ini
C:\WINDOWS\system32\DfhRCcfe.ini
C:\WINDOWS\system32\DfhRCcfe.ini2
C:\WINDOWS\system32\hwngnodc.ini
C:\WINDOWS\system32\ofcekeag.ini
C:\WINDOWS\system32\sblososd.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-01 to 2008-07-01 )))))))))))))))))))))))))))))))
.

2015-06-26 21:40 . 2015-06-26 21:40 <DIR> d-------- C:\Documents and Settings\Reynel Macatugob\Application Data\Symantec
2015-06-26 21:37 . 2015-06-26 21:37 <DIR> d-------- C:\Program Files\Windows Sidebar
2015-06-26 21:35 . 2015-06-26 21:44 <DIR> d-------- C:\Program Files\Norton Internet Security
2015-06-26 21:33 . 2008-06-26 22:07 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2015-06-26 21:33 . 2008-06-26 22:07 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2015-06-26 21:33 . 2008-06-26 22:07 10,671 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2015-06-26 21:33 . 2008-06-26 22:07 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2015-06-26 21:04 . 2008-06-26 22:07 <DIR> d-------- C:\Program Files\Symantec
2008-06-30 02:13 . 2008-06-30 02:13 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-30 00:37 . 2008-06-30 00:38 <DIR> d-------- C:\Program Files\Panda Security
2008-06-29 21:52 . 2008-06-29 21:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-29 21:51 . 2008-06-30 02:10 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-29 21:51 . 2008-06-29 21:51 <DIR> d-------- C:\Documents and Settings\Reynel Macatugob\Application Data\SUPERAntiSpyware.com
2008-06-29 21:45 . 2008-06-29 21:45 <DIR> d-------- C:\Documents and Settings\Reynel Macatugob\Application Data\Malwarebytes
2008-06-29 21:45 . 2008-06-29 21:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-29 21:45 . 2008-06-28 14:16 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-29 21:45 . 2008-06-28 14:16 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-29 21:44 . 2008-06-29 21:45 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-29 21:44 . 2008-06-29 21:44 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-06-29 17:50 . 2008-06-29 20:10 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-06-29 17:50 . 2008-04-23 00:16 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-06-29 17:50 . 2007-04-17 05:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-06-29 17:50 . 2007-03-08 01:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-06-29 17:50 . 2008-04-23 00:16 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-06-29 17:50 . 2008-04-23 00:16 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-06-29 17:50 . 2008-04-23 00:16 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-06-29 17:50 . 2008-04-23 00:16 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-06-29 17:50 . 2008-04-23 00:16 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-06-29 17:50 . 2008-04-22 03:39 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-28 14:55 . 2008-06-30 12:05 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-28 14:55 . 2008-06-28 14:55 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-26 20:00 . 2007-03-21 20:33 503,808 --a------ C:\WINDOWS\system32\MSVCP71.DL1
2008-06-26 20:00 . 2007-03-21 20:33 348,160 --a------ C:\WINDOWS\system32\MSVCR71.DL1
2008-06-26 16:33 . 2008-06-26 16:33 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-26 16:33 . 2008-06-26 16:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-26 16:32 . 2008-06-29 21:51 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-26 00:19 . 2008-06-26 00:36 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-06-20 16:30 . 2008-06-20 16:33 21 --a------ C:\WINDOWS\popcinfot.dat
2008-06-20 16:30 . 2008-06-20 16:30 0 --a------ C:\WINDOWS\popcreg.dat
2008-06-13 14:45 . 2008-06-13 14:45 579,464 --a------ C:\WINDOWS\system32\SymNeti.dll
2008-06-13 14:45 . 2008-06-13 14:45 207,240 --a------ C:\WINDOWS\system32\SymRedir.dll
2008-06-13 14:14 . 2008-06-13 14:14 31,280 --a------ C:\WINDOWS\system32\drivers\SymIM.sys
2008-06-13 14:14 . 2008-06-13 14:14 13,093 --a------ C:\WINDOWS\system32\drivers\SymRedir.cat
2008-06-13 14:14 . 2008-06-13 14:14 1,611 --a------ C:\WINDOWS\system32\drivers\SymRedir.inf
2008-06-13 14:13 . 2008-06-13 14:13 184,240 --a------ C:\WINDOWS\system32\drivers\symtdi.sys
2008-06-13 14:13 . 2008-06-13 14:13 96,432 --a------ C:\WINDOWS\system32\drivers\symfw.sys
2008-06-13 14:13 . 2008-06-13 14:13 41,008 --a------ C:\WINDOWS\system32\drivers\symndisv.sys
2008-06-13 14:13 . 2008-06-13 14:13 38,576 --a------ C:\WINDOWS\system32\drivers\symids.sys
2008-06-13 14:13 . 2008-06-13 14:13 37,424 --a------ C:\WINDOWS\system32\drivers\symndis.sys
2008-06-13 14:13 . 2008-06-13 14:13 22,320 --a------ C:\WINDOWS\system32\drivers\symredrv.sys
2008-06-13 14:13 . 2008-06-13 14:13 13,616 --a------ C:\WINDOWS\system32\drivers\symdns.sys
2008-06-11 01:09 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 01:09 . 2008-06-13 09:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-06 21:13 . 2008-06-06 21:13 <DIR> d-------- C:\Documents and Settings\Reynel Macatugob\snap
2008-06-06 20:56 . 2008-06-06 20:56 <DIR> d-------- C:\Documents and Settings\Reynel Macatugob\nvram
2008-06-06 20:56 . 2008-06-06 20:56 <DIR> d-------- C:\Documents and Settings\Reynel Macatugob\cfg

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-01 02:31 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-30 04:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-06-29 21:15 --------- d-----w C:\Program Files\Steam
2008-06-27 03:31 --------- d-----w C:\Program Files\TouchLocker
2008-06-27 02:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-26 18:41 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-06-26 18:41 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-06-26 04:36 --------- d-----w C:\Program Files\PCPitstop
2008-05-22 18:11 --------- d-----w C:\Program Files\Java
2008-05-17 10:28 --------- d-----w C:\Documents and Settings\Reynel Macatugob\Application Data\Skype
2008-05-17 06:28 --------- d-----w C:\Documents and Settings\Reynel Macatugob\Application Data\skypePM
2008-05-14 19:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-03 01:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\PCPitstop
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-07 21:47 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-12-31 11:14 22,328 ----a-w C:\Documents and Settings\Reynel Macatugob\Application Data\PnkBstrK.sys
2006-06-23 06:48 32,768 ----a-r C:\WINDOWS\inf\UpdateUSB.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-21 00:15 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2004-07-26 19:14 1867776]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-06-30 02:09 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-21 02:49 16126464 C:\WINDOWS\RTHDCPL.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41 49152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42 267064]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 16:17 159744]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-12-30 05:25 949376]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"FixCamera"="C:\WINDOWS\FixCamera.exe" [2007-07-11 16:09 20480]
"tsnp2std"="C:\WINDOWS\tsnp2std.exe" [2007-05-12 11:19 270336]
"snp2std"="C:\WINDOWS\vsnp2std.exe" [2007-05-10 16:58 344064]
"PC Pitstop Optimize Scheduler"="C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe" [2008-05-06 17:23 1684480]
"PCPitstop Optimize Registration Reminder"="C:\Program Files\PCPitstop\Optimize\Reminder.exe" [2006-06-13 12:11 881664]
"PCPitstop Registration Reminder"="C:\Program Files\PCPitstop\Exterminate\Reminder.exe" [2007-05-24 12:21 991232]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-25 21:47 51048]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2008-02-07 02:49 718704]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-09-21 00:15:26 125624]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22 288472]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-06-30 02:09 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-06-30 02:09 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Steam\\Steam.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Microsoft Games\\Flight Simulator 9\\fs9.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\AC3Filter\\ac3config.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Microsoft Games\\Gears of War\\Binaries\\WarGame-G4WLive.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=

R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;C:\WINDOWS\system32\DRIVERS\atl01_xp.sys [2007-03-15 02:12]
R3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-11-06 16:22]
S3 SNP2STD;USB2.0 PC Camera (SNP2STD);C:\WINDOWS\system32\DRIVERS\snp2sxp.sys [2007-07-23 13:47]
S3 USB100TX;Linksys EtherFast 10/100 USB Network Adapter;C:\WINDOWS\system32\DRIVERS\USB100TX.sys [2002-03-22 17:12]

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{0DA3B9B7-3DB5-97A1-DA31-969D6950BB42}]
C:\WINDOWS\system32:winsock32.exe
.
Contents of the 'Scheduled Tasks' folder
"2015-06-27 01:40:38 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Reynel Macatugob.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-30 22:31:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-30 22:31:59
ComboFix-quarantined-files.txt 2008-07-01 02:31:32

Pre-Run: 139,891,920,896 bytes free
Post-Run: 139,868,770,304 bytes free

214 --- E O F --- 2008-06-30 07:01:40

#4 greyknight17 (Malware Expert; Visiting Consultant; 16,560 posts)
It usually won't have trouble with the other security programs running. But yes, if it's interfering, disable them. I will add another parameter in the tool there so it will end all programs before running.

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:

KILLALL::
File::
C:\WINDOWS\system32\winsock32.exe
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{0DA3B9B7-3DB5-97A1-DA31-969D6950BB42}]

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

How is it running so far? :)
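
As an added defensive example (not code from this thread or from ComboFix), a small Python triage helper for the procedure above: it parses the "Reg Loading Points" lines of a ComboFix-style log, flags autostart targets written in NTFS alternate-data-stream syntax (the second colon in C:\WINDOWS\system32:winsock32.exe names a stream attached to the system32 folder, which is why the file never shows in a normal directory listing), and drafts a CFScript in the KILLALL::/File::/Registry:: layout used in the post for the analyst to review. The sample log lines are constructed from the entries in this thread, and the draft is an analyst aid, not something ComboFix is guaranteed to accept unchanged.

```python
"""Triage a ComboFix-style 'Reg Loading Points' dump for autostart entries
whose target is an NTFS alternate data stream (ADS) and draft a CFScript."""
import re
from typing import List, Tuple

# Constructed sample, modelled on the log lines posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{0DA3B9B7-3DB5-97A1-DA31-969D6950BB42}]
C:\WINDOWS\system32:winsock32.exe
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-21 00:15 68856]
"""

KEY_RE = re.compile(r"^\[([^\]]+)\]$")            # [HKEY_...\key]
VALUE_RE = re.compile(r'^"[^"]*"="([A-Za-z]:\\[^"]*)"')  # "name"="C:\path" [...]
BARE_RE = re.compile(r"^([A-Za-z]:\\\S*)$")       # bare C:\path on its own line
# A colon after the drive letter, inside the path, denotes an ADS:
# C:\WINDOWS\system32:winsock32.exe is a stream on the system32 folder.
ADS_RE = re.compile(r"^[A-Za-z]:\\[^:]*:[^\\:]+$")


def parse_loading_points(log: str) -> List[Tuple[str, str]]:
    """Return (registry_key, target_path) pairs found under each [key] header."""
    entries: List[Tuple[str, str]] = []
    current_key = None
    for raw in log.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        if current_key is None:
            continue
        m = VALUE_RE.match(line) or BARE_RE.match(line)
        if m:
            entries.append((current_key, m.group(1)))
    return entries


def is_ads_path(path: str) -> bool:
    """True when the path uses stream syntax (file_or_dir:streamname)."""
    return bool(ADS_RE.match(path))


def find_ads_autostarts(log: str) -> List[Tuple[str, str]]:
    """Autostart entries whose target is hidden in an alternate data stream."""
    return [(k, p) for k, p in parse_loading_points(log) if is_ads_path(p)]


def draft_cfscript(findings: List[Tuple[str, str]]) -> str:
    """Draft a CFScript (format used in this thread) for the analyst to review.
    [-key] requests deletion of the whole key, as in the expert's script."""
    files = sorted({p for _, p in findings})
    keys = sorted({k for k, _ in findings})
    lines = ["KILLALL::"]
    if files:
        lines.append("File::")
        lines.extend(files)
    if keys:
        lines.append("Registry::")
        lines.extend(f"[-{k}]" for k in keys)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(draft_cfscript(find_ads_autostarts(SAMPLE_LOG)))
```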

#5 Solidus15 (New Member; Topic Starter; 4 posts)
Oh the computer's running great! :) I just want to make sure this machine is as malware free as possible. Seems like you're having a busy night too and here's the latest ComboFix log:

ComboFix 08-06-20.4 - Reynel Macatugob 2008-06-30 23:27:32.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1507 [GMT -4:00]
Running from: C:\Documents and Settings\Reynel Macatugob\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Reynel Macatugob\Desktop\CFScript.txt.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\winsock32.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\WINCN.DLL

.
((((((((((((((((((((((((( Files Created from 2008-06-01 to 2008-07-01 )))))))))))))))))))))))))))))))
.

2015-06-26 21:40 . 2015-06-26 21:40 <DIR> d-------- C:\Documents and Settings\Reynel Macatugob\Application Data\Symantec
2015-06-26 21:37 . 2015-06-26 21:37 <DIR> d-------- C:\Program Files\Windows Sidebar
2015-06-26 21:35 . 2015-06-26 21:44 <DIR> d-------- C:\Program Files\Norton Internet Security
2015-06-26 21:33 . 2008-06-26 22:07 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2015-06-26 21:33 . 2008-06-26 22:07 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2015-06-26 21:33 . 2008-06-26 22:07 10,671 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2015-06-26 21:33 . 2008-06-26 22:07 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2015-06-26 21:04 . 2008-06-26 22:07 <DIR> d-------- C:\Program Files\Symantec
2008-06-30 02:13 . 2008-06-30 02:13 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-30 00:37 . 2008-06-30 00:38 <DIR> d-------- C:\Program Files\Panda Security
2008-06-29 21:52 . 2008-06-29 21:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-29 21:51 . 2008-06-30 02:10 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-29 21:51 . 2008-06-29 21:51 <DIR> d-------- C:\Documents and Settings\Reynel Macatugob\Application Data\SUPERAntiSpyware.com
2008-06-29 21:45 . 2008-06-29 21:45 <DIR> d-------- C:\Documents and Settings\Reynel Macatugob\Application Data\Malwarebytes
2008-06-29 21:45 . 2008-06-29 21:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-29 21:45 . 2008-06-28 14:16 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-29 21:45 . 2008-06-28 14:16 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-29 21:44 . 2008-06-29 21:45 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-29 21:44 . 2008-06-29 21:44 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-06-29 17:50 . 2008-06-29 20:10 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-06-29 17:50 . 2008-04-23 00:16 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-06-29 17:50 . 2007-04-17 05:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-06-29 17:50 . 2007-03-08 01:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-06-29 17:50 . 2008-04-23 00:16 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-06-29 17:50 . 2008-04-23 00:16 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-06-29 17:50 . 2008-04-23 00:16 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-06-29 17:50 . 2008-04-23 00:16 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-06-29 17:50 . 2008-04-23 00:16 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-06-29 17:50 . 2008-04-22 03:39 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-28 14:55 . 2008-06-30 12:05 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-28 14:55 . 2008-06-28 14:55 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-26 20:00 . 2007-03-21 20:33 503,808 --a------ C:\WINDOWS\system32\MSVCP71.DL1
2008-06-26 20:00 . 2007-03-21 20:33 348,160 --a------ C:\WINDOWS\system32\MSVCR71.DL1
2008-06-26 16:33 . 2008-06-26 16:33 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-26 16:33 . 2008-06-26 16:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-26 16:32 . 2008-06-29 21:51 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-26 00:19 . 2008-06-26 00:36 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-06-20 16:30 . 2008-06-20 16:33 21 --a------ C:\WINDOWS\popcinfot.dat
2008-06-20 16:30 . 2008-06-20 16:30 0 --a------ C:\WINDOWS\popcreg.dat
2008-06-13 14:45 . 2008-06-13 14:45 579,464 --a------ C:\WINDOWS\system32\SymNeti.dll
2008-06-13 14:45 . 2008-06-13 14:45 207,240 --a------ C:\WINDOWS\system32\SymRedir.dll
2008-06-13 14:14 . 2008-06-13 14:14 31,280 --a------ C:\WINDOWS\system32\drivers\SymIM.sys
2008-06-13 14:14 . 2008-06-13 14:14 13,093 --a------ C:\WINDOWS\system32\drivers\SymRedir.cat
2008-06-13 14:14 . 2008-06-13 14:14 1,611 --a------ C:\WINDOWS\system32\drivers\SymRedir.inf
2008-06-13 14:13 . 2008-06-13 14:13 184,240 --a------ C:\WINDOWS\system32\drivers\symtdi.sys
2008-06-13 14:13 . 2008-06-13 14:13 96,432 --a------ C:\WINDOWS\system32\drivers\symfw.sys
2008-06-13 14:13 . 2008-06-13 14:13 41,008 --a------ C:\WINDOWS\system32\drivers\symndisv.sys
2008-06-13 14:13 . 2008-06-13 14:13 38,576 --a------ C:\WINDOWS\system32\drivers\symids.sys
2008-06-13 14:13 . 2008-06-13 14:13 37,424 --a------ C:\WINDOWS\system32\drivers\symndis.sys
2008-06-13 14:13 . 2008-06-13 14:13 22,320 --a------ C:\WINDOWS\system32\drivers\symredrv.sys
2008-06-13 14:13 . 2008-06-13 14:13 13,616 --a------ C:\WINDOWS\system32\drivers\symdns.sys
2008-06-11 01:09 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 01:09 . 2008-06-13 09:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-06 21:13 . 2008-06-06 21:13 <DIR> d-------- C:\Documents and Settings\Reynel Macatugob\snap
2008-06-06 20:56 . 2008-06-06 20:56 <DIR> d-------- C:\Documents and Settings\Reynel Macatugob\nvram
2008-06-06 20:56 . 2008-06-06 20:56 <DIR> d-------- C:\Documents and Settings\Reynel Macatugob\cfg

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-01 02:31 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-30 04:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-06-29 21:15 --------- d-----w C:\Program Files\Steam
2008-06-27 03:31 --------- d-----w C:\Program Files\TouchLocker
2008-06-27 02:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-26 18:41 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-06-26 04:36 --------- d-----w C:\Program Files\PCPitstop
2008-05-22 18:11 --------- d-----w C:\Program Files\Java
2008-05-17 10:28 --------- d-----w C:\Documents and Settings\Reynel Macatugob\Application Data\Skype
2008-05-17 06:28 --------- d-----w C:\Documents and Settings\Reynel Macatugob\Application Data\skypePM
2008-05-14 19:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-03 01:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\PCPitstop
2008-04-07 21:47 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-12-31 11:14 22,328 ----a-w C:\Documents and Settings\Reynel Macatugob\Application Data\PnkBstrK.sys
.

((((((((((((((((((((((((((((( [email protected]_22.31.25.09 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-30 16:05:06 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-01 03:30:18 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-21 00:15 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2004-07-26 19:14 1867776]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-06-30 02:09 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-21 02:49 16126464 C:\WINDOWS\RTHDCPL.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41 49152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42 267064]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 16:17 159744]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-12-30 05:25 949376]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"FixCamera"="C:\WINDOWS\FixCamera.exe" [2007-07-11 16:09 20480]
"tsnp2std"="C:\WINDOWS\tsnp2std.exe" [2007-05-12 11:19 270336]
"snp2std"="C:\WINDOWS\vsnp2std.exe" [2007-05-10 16:58 344064]
"PC Pitstop Optimize Scheduler"="C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe" [2008-05-06 17:23 1684480]
"PCPitstop Optimize Registration Reminder"="C:\Program Files\PCPitstop\Optimize\Reminder.exe" [2006-06-13 12:11 881664]
"PCPitstop Registration Reminder"="C:\Program Files\PCPitstop\Exterminate\Reminder.exe" [2007-05-24 12:21 991232]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-25 21:47 51048]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2008-02-07 02:49 718704]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-09-21 00:15:26 125624]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22 288472]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-06-30 02:09 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-06-30 02:09 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Steam\\Steam.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Microsoft Games\\Flight Simulator 9\\fs9.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\AC3Filter\\ac3config.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Microsoft Games\\Gears of War\\Binaries\\WarGame-G4WLive.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=

R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;C:\WINDOWS\system32\DRIVERS\atl01_xp.sys [2007-03-15 02:12]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-11-06 16:22]
S3 SNP2STD;USB2.0 PC Camera (SNP2STD);C:\WINDOWS\system32\DRIVERS\snp2sxp.sys [2007-07-23 13:47]
S3 USB100TX;Linksys EtherFast 10/100 USB Network Adapter;C:\WINDOWS\system32\DRIVERS\USB100TX.sys [2002-03-22 17:12]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2015-06-27 01:40:38 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Reynel Macatugob.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-30 23:30:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\ESET\nod32krn.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2008-06-30 23:38:54 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-01 03:38:50
ComboFix2.txt 2008-07-01 02:32:00

Pre-Run: 139,941,761,024 bytes free
Post-Run: 139,940,921,344 bytes free

222 --- E O F --- 2008-06-30 07:01:40

#6 greyknight17 (Malware Expert; Visiting Consultant; 16,560 posts)
Do you have Norton and NOD32 Antivirus installed? If so, decide which one to keep and uninstall one of them now.

Good job. Your log is clean :)

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run, copy/paste in combofix /u and hit OK to remove it. You should be set to go.

#7 Solidus15 (New Member; Topic Starter; 4 posts)
Thank you so much for your help greyknight17, everything seems great from here. I'll do my best to protect my computer from here on out. Keep up the amazing work!

#8 greyknight17 (Malware Expert; Visiting Consultant; 16,560 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.