Windows Police Pro



#76 noahdfear (Malware Expert, MVP, 1,316 posts)

See if you can use the working flash drive to generate and save a log for me.

Please download DDS from one of the 3 mirrors.

Mirror 1 Mirror 2 Mirror 3

You should be able to use the Task Manager to run it right from the flash drive.
If successful, save the logs created to the flash drive and post them here as attachments.
I'd also like a copy of the ComboFix log created previously too. It's located at C:\combofix.txt

#77 jay_sohhn (Topic Starter, Member, 92 posts)

Here are the files as requested. They are attached.

Edited by jay_sohhn, 15 December 2009 - 09:49 PM.


#78 noahdfear (Malware Expert, MVP, 1,316 posts)

Download driver_service_info and run it.
Press S then Enter for a Services report.
Press B then Enter for both.
When prompted, press N then Enter to skip LoadOrderGroup info.
Save the log to the flash drive and post it here.

#79 jay_sohhn (Topic Starter, Member, 92 posts)

The log file is attached.

edit - this one is actually easier to read when posted, so I'm adding it below - noahdfear


~~~ Service Information report ~~~

Microsoft Windows XP Home Edition
Service Pack 3
5.1.2600

12/15/2009 11:27:22 PM


~~~Running Processes~~~

System Idle Process
PID: 0
Path:
Parent PID: 0

System
PID: 4
Path:
Parent PID: 0

smss.exe
PID: 596
Path: C:\WINDOWS\System32\smss.exe
Parent PID: 4

csrss.exe
PID: 652
Path:
Parent PID: 596

winlogon.exe
PID: 676
Path: C:\WINDOWS\system32\winlogon.exe
Parent PID: 596

services.exe
PID: 720
Path: C:\WINDOWS\system32\services.exe
Parent PID: 676

lsass.exe
PID: 732
Path: C:\WINDOWS\system32\lsass.exe
Parent PID: 676

svchost.exe
PID: 884
Path: C:\WINDOWS\system32\svchost.exe
Parent PID: 720

svchost.exe
PID: 960
Path:
Parent PID: 720

svchost.exe
PID: 1016
Path: C:\WINDOWS\System32\svchost.exe
Parent PID: 720

svchost.exe
PID: 1108
Path:
Parent PID: 720

svchost.exe
PID: 1192
Path:
Parent PID: 720

spoolsv.exe
PID: 1328
Path: C:\WINDOWS\system32\spoolsv.exe
Parent PID: 720

ccSetMgr.exe
PID: 1412
Path: C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
Parent PID: 720

DefWatch.exe
PID: 1440
Path: C:\Program Files\Symantec AntiVirus\DefWatch.exe
Parent PID: 720

iviRegMgr.exe
PID: 1516
Path: C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
Parent PID: 720

jqs.exe
PID: 1564
Path: C:\Program Files\Java\jre6\bin\jqs.exe
Parent PID: 720

mdm.exe
PID: 1784
Path: C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
Parent PID: 720

SavRoam.exe
PID: 1836
Path: C:\Program Files\Symantec AntiVirus\SavRoam.exe
Parent PID: 720

svchost.exe
PID: 1900
Path: C:\WINDOWS\system32\svchost.exe
Parent PID: 720

ccEvtMgr.exe
PID: 1992
Path: C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
Parent PID: 720

wuauclt.exe
PID: 860
Path: C:\WINDOWS\system32\wuauclt.exe
Parent PID: 1016

wscntfy.exe
PID: 1612
Path: C:\WINDOWS\system32\wscntfy.exe
Parent PID: 1016

taskmgr.exe
PID: 1976
Path: C:\WINDOWS\system32\taskmgr.exe
Parent PID: 676

driver_service_info.exe
PID: 548
Path: F:\GeeksToGo\driver_service_info.exe
Parent PID: 1976

cmd.exe
PID: 576
Path: C:\WINDOWS\system32\cmd.exe
Parent PID: 548

wmiprvse.exe
PID: 656
Path:
Parent PID: 884

cscript.exe
PID: 1428
Path: C:\WINDOWS\system32\cscript.exe
Parent PID: 576

findstr.exe
PID: 1176
Path: C:\WINDOWS\system32\findstr.exe
Parent PID: 576


~~~Running Services by PID~~~

PID: 1016
Windows Audio
Background Intelligent Transfer Service
Computer Browser
DHCP Client
Error Reporting Service
COM+ Event System
Fast User Switching Compatibility
Help and Support
HID Input Service
Server
Workstation
Task Scheduler
Secondary Logon
System Event Notification
Shell Hardware Detection
System Restore Service
Telephony
Themes
Distributed Link Tracking Client
Windows Time
Windows Management Instrumentation
Security Center
Automatic Updates
Wireless Zero Configuration
PID: 1992
Symantec Event Manager
PID: 1412
Symantec Settings Manager
PID: 884
DCOM Server Process Launcher
Terminal Services
PID: 1440
Symantec AntiVirus Definition Watcher
PID: 1108
DNS Client
PID: 720
Event Log
Plug and Play
PID: 1516
IviRegMgr
PID: 1564
Java Quick Starter
PID: 1192
TCP/IP NetBIOS Helper
PID: 1784
Machine Debug Manager
PID: 732
IPSEC Services
Protected Storage
Security Accounts Manager
PID: 960
Remote Procedure Call (RPC)
PID: 1836
SAVRoam
PID: 1328
Print Spooler
PID: 1900
Windows Image Acquisition (WIA)


~~~Running Services Configuration~~~

PID: 1016
Service: AudioSrv
Displayed: Windows Audio
Image: C:\WINDOWS\System32\svchost.exe -k netsvcs
Start Mode: Auto

PID: 1016
Service: BITS
Displayed: Background Intelligent Transfer Service
Image: C:\WINDOWS\system32\svchost.exe -k netsvcs
Start Mode: Auto

PID: 1016
Service: Browser
Displayed: Computer Browser
Image: C:\WINDOWS\system32\svchost.exe -k netsvcs
Start Mode: Auto

PID: 1992
Service: ccEvtMgr
Displayed: Symantec Event Manager
Image: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
Start Mode: Auto

PID: 1412
Service: ccSetMgr
Displayed: Symantec Settings Manager
Image: "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
Start Mode: Auto

PID: 884
Service: DcomLaunch
Displayed: DCOM Server Process Launcher
Image: C:\WINDOWS\system32\svchost -k DcomLaunch
Start Mode: Auto

PID: 1440
Service: DefWatch
Displayed: Symantec AntiVirus Definition Watcher
Image: "C:\Program Files\Symantec AntiVirus\DefWatch.exe"
Start Mode: Auto

PID: 1016
Service: Dhcp
Displayed: DHCP Client
Image: C:\WINDOWS\system32\svchost.exe -k netsvcs
Start Mode: Auto

PID: 1108
Service: Dnscache
Displayed: DNS Client
Image: C:\WINDOWS\system32\svchost.exe -k NetworkService
Start Mode: Auto

PID: 1016
Service: ERSvc
Displayed: Error Reporting Service
Image: C:\WINDOWS\System32\svchost.exe -k netsvcs
Start Mode: Auto

PID: 720
Service: Eventlog
Displayed: Event Log
Image: C:\WINDOWS\system32\services.exe
Start Mode: Auto

PID: 1016
Service: EventSystem
Displayed: COM+ Event System
Image: C:\WINDOWS\system32\svchost.exe -k netsvcs
Start Mode: Manual

PID: 1016
Service: FastUserSwitchingCompatibility
Displayed: Fast User Switching Compatibility
Image: C:\WINDOWS\System32\svchost.exe -k netsvcs
Start Mode: Manual

PID: 1016
Service: helpsvc
Displayed: Help and Support
Image: C:\WINDOWS\System32\svchost.exe -k netsvcs
Start Mode: Auto

PID: 1016
Service: HidServ
Displayed: HID Input Service
Image: C:\WINDOWS\System32\svchost.exe -k netsvcs
Start Mode: Auto

PID: 1516
Service: IviRegMgr
Displayed: IviRegMgr
Image: "C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe"
Start Mode: Auto

PID: 1564
Service: JavaQuickStarterService
Displayed: Java Quick Starter
Image: "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"
Start Mode: Auto

PID: 1016
Service: LanmanServer
Displayed: Server
Image: C:\WINDOWS\system32\svchost.exe -k netsvcs
Start Mode: Auto

PID: 1016
Service: lanmanworkstation
Displayed: Workstation
Image: C:\WINDOWS\system32\svchost.exe -k netsvcs
Start Mode: Auto

PID: 1192
Service: LmHosts
Displayed: TCP/IP NetBIOS Helper
Image: C:\WINDOWS\system32\svchost.exe -k LocalService
Start Mode: Auto

PID: 1784
Service: MDM
Displayed: Machine Debug Manager
Image: "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe"
Start Mode: Auto

PID: 720
Service: PlugPlay
Displayed: Plug and Play
Image: C:\WINDOWS\system32\services.exe
Start Mode: Auto

PID: 732
Service: PolicyAgent
Displayed: IPSEC Services
Image: C:\WINDOWS\system32\lsass.exe
Start Mode: Auto

PID: 732
Service: ProtectedStorage
Displayed: Protected Storage
Image: C:\WINDOWS\system32\lsass.exe
Start Mode: Auto

PID: 960
Service: RpcSs
Displayed: Remote Procedure Call (RPC)
Image: C:\WINDOWS\system32\svchost -k rpcss
Start Mode: Auto

PID: 732
Service: SamSs
Displayed: Security Accounts Manager
Image: C:\WINDOWS\system32\lsass.exe
Start Mode: Auto

PID: 1836
Service: SavRoam
Displayed: SAVRoam
Image: "C:\Program Files\Symantec AntiVirus\SavRoam.exe"
Start Mode: Auto

PID: 1016
Service: Schedule
Displayed: Task Scheduler
Image: C:\WINDOWS\System32\svchost.exe -k netsvcs
Start Mode: Auto

PID: 1016
Service: seclogon
Displayed: Secondary Logon
Image: C:\WINDOWS\System32\svchost.exe -k netsvcs
Start Mode: Auto

PID: 1016
Service: SENS
Displayed: System Event Notification
Image: C:\WINDOWS\system32\svchost.exe -k netsvcs
Start Mode: Auto

PID: 1016
Service: ShellHWDetection
Displayed: Shell Hardware Detection
Image: C:\WINDOWS\System32\svchost.exe -k netsvcs
Start Mode: Auto

PID: 1328
Service: Spooler
Displayed: Print Spooler
Image: C:\WINDOWS\system32\spoolsv.exe
Start Mode: Auto

PID: 1016
Service: srservice
Displayed: System Restore Service
Image: C:\WINDOWS\system32\svchost.exe -k netsvcs
Start Mode: Auto

PID: 1016
Service: TapiSrv
Displayed: Telephony
Image: C:\WINDOWS\System32\svchost.exe -k netsvcs
Start Mode: Manual

PID: 884
Service: TermService
Displayed: Terminal Services
Image: C:\WINDOWS\System32\svchost -k DComLaunch
Start Mode: Manual

PID: 1016
Service: Themes
Displayed: Themes
Image: C:\WINDOWS\System32\svchost.exe -k netsvcs
Start Mode: Auto

PID: 1016
Service: TrkWks
Displayed: Distributed Link Tracking Client
Image: C:\WINDOWS\system32\svchost.exe -k netsvcs
Start Mode: Auto

PID: 1016
Service: W32Time
Displayed: Windows Time
Image: C:\WINDOWS\System32\svchost.exe -k netsvcs
Start Mode: Auto

PID: 1016
Service: winmgmt
Displayed: Windows Management Instrumentation
Image: C:\WINDOWS\system32\svchost.exe -k netsvcs
Start Mode: Auto

PID: 1016
Service: wscsvc
Displayed: Security Center
Image: C:\WINDOWS\System32\svchost.exe -k netsvcs
Start Mode: Auto

PID: 1016
Service: wuauserv
Displayed: Automatic Updates
Image: C:\WINDOWS\system32\svchost.exe -k netsvcs
Start Mode: Auto

PID: 1016
Service: WZCSVC
Displayed: Wireless Zero Configuration
Image: C:\WINDOWS\System32\svchost.exe -k netsvcs
Start Mode: Auto


~~~Inactive Services Configuration~~~

Service: Alerter
Displayed: Alerter
Path: C:\WINDOWS\system32\svchost.exe -k LocalService
Start Mode: Disabled

Service: ALG
Displayed: Application Layer Gateway Service
Path: C:\WINDOWS\System32\alg.exe
Start Mode: Manual

Service: AppMgmt
Displayed: Application Management
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Start Mode: Manual

Service: aspnet_state
Displayed: ASP.NET State Service
Path: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
Start Mode: Manual

Service: btwdins
Displayed: Bluetooth Service
Path: C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
Start Mode: Auto

Service: CiSvc
Displayed: Indexing Service
Path: C:\WINDOWS\system32\cisvc.exe
Start Mode: Manual

Service: ClipSrv
Displayed: ClipBook
Path: C:\WINDOWS\system32\clipsrv.exe
Start Mode: Manual

Service: clr_optimization_v2.0.50727_32
Displayed: .NET Runtime Optimization Service v2.0.50727_X86
Path: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Start Mode: Manual

Service: COMSysApp
Displayed: COM+ System Application
Path: C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
Start Mode: Manual

Service: CryptSvc
Displayed: CryptSvc
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Start Mode: Auto

Service: dmadmin
Displayed: Logical Disk Manager Administrative Service
Path: C:\WINDOWS\System32\dmadmin.exe /com
Start Mode: Manual

Service: dmserver
Displayed: Logical Disk Manager
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Start Mode: Manual

Service: Dot3svc
Displayed: Wired AutoConfig
Path: C:\WINDOWS\System32\svchost.exe -k dot3svc
Start Mode: Manual

Service: EapHost
Displayed: Extensible Authentication Protocol Service
Path: C:\WINDOWS\System32\svchost.exe -k eapsvcs
Start Mode: Manual

Service: fastnetsrv
Displayed: fastnetsrv Service
Path: C:\WINDOWS\system32\FastNetSrv.exe
Start Mode: Auto

Service: FontCache3.0.0.0
Displayed: Windows Presentation Foundation Font Cache 3.0.0.0
Path: C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
Start Mode: Manual

Service: fsssvc
Displayed: Windows Live Family Safety
Path: "C:\Program Files\Windows Live\Family Safety\fsssvc.exe"
Start Mode: Manual

Service: hkmsvc
Displayed: Health Key and Certificate Management Service
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Start Mode: Manual

Service: HTTPFilter
Displayed: HTTP SSL
Path: C:\WINDOWS\System32\svchost.exe -k HTTPFilter
Start Mode: Manual

Service: idsvc
Displayed: Windows CardSpace
Path: "C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe"
Start Mode: Manual

Service: ImapiService
Displayed: IMAPI CD-Burning COM Service
Path: C:\WINDOWS\system32\imapi.exe
Start Mode: Manual

Service: LiveUpdate
Displayed: LiveUpdate
Path: "C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE"
Start Mode: Manual

Service: Messenger
Displayed: Messenger
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Start Mode: Disabled

Service: Microsoft Office Groove Audit Service
Displayed: Microsoft Office Groove Audit Service
Path: "C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe"
Start Mode: Manual

Service: mnmsrvc
Displayed: NetMeeting Remote Desktop Sharing
Path: C:\WINDOWS\system32\mnmsrvc.exe
Start Mode: Manual

Service: MSDTC
Displayed: Distributed Transaction Coordinator
Path: C:\WINDOWS\system32\msdtc.exe
Start Mode: Manual

Service: MSIServer
Displayed: Windows Installer
Path: C:\WINDOWS\system32\msiexec.exe /V
Start Mode: Manual

Service: napagent
Displayed: Network Access Protection Agent
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Start Mode: Manual

Service: NetDDE
Displayed: Network DDE
Path: C:\WINDOWS\system32\netdde.exe
Start Mode: Disabled

Service: NetDDEdsdm
Displayed: Network DDE DSDM
Path: C:\WINDOWS\system32\netdde.exe
Start Mode: Disabled

Service: Netlogon
Displayed: Net Logon
Path: C:\WINDOWS\system32\lsass.exe
Start Mode: Manual

Service: Netman
Displayed: Network Connections
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Start Mode: Manual

Service: NetTcpPortSharing
Displayed: Net.Tcp Port Sharing Service
Path: "C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"
Start Mode: Disabled

Service: Nla
Displayed: Network Location Awareness (NLA)
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Start Mode: Manual

Service: NtLmSsp
Displayed: NT LM Security Support Provider
Path: C:\WINDOWS\system32\lsass.exe
Start Mode: Manual

Service: NtmsSvc
Displayed: Removable Storage
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Start Mode: Manual

Service: odserv
Displayed: Microsoft Office Diagnostics Service
Path: "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE"
Start Mode: Manual

Service: ose
Displayed: Office Source Engine
Path: "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
Start Mode: Manual

Service: RasAuto
Displayed: Remote Access Auto Connection Manager
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Start Mode: Manual

Service: RasMan
Displayed: Remote Access Connection Manager
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Start Mode: Manual

Service: RDSessMgr
Displayed: Remote Desktop Help Session Manager
Path: C:\WINDOWS\system32\sessmgr.exe
Start Mode: Manual

Service: RemoteAccess
Displayed: Routing and Remote Access
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Start Mode: Disabled

Service: RpcLocator
Displayed: Remote Procedure Call (RPC) Locator
Path: C:\WINDOWS\system32\locator.exe
Start Mode: Manual

Service: RSVP
Displayed: QoS RSVP
Path: C:\WINDOWS\system32\rsvp.exe
Start Mode: Manual

Service: SCardSvr
Displayed: Smart Card
Path: C:\WINDOWS\System32\SCardSvr.exe
Start Mode: Manual

Service: SeaPort
Displayed: SeaPort
Path: "C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe"
Start Mode: Auto

Service: SharedAccess
Displayed: Windows Firewall/Internet Connection Sharing (ICS)
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Start Mode: Auto

Service: SNDSrvc
Displayed: Symantec Network Drivers Service
Path: "C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe"
Start Mode: Manual

Service: SPBBCSvc
Displayed: Symantec SPBBCSvc
Path: "C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe"
Start Mode: Manual

Service: SSDPSRV
Displayed: SSDP Discovery Service
Path: C:\WINDOWS\system32\svchost.exe -k LocalService
Start Mode: Manual

Service: stisvc
Displayed: Windows Image Acquisition (WIA)
Path: C:\WINDOWS\system32\svchost.exe -k imgsvc
Start Mode: Auto

Service: SwPrv
Displayed: MS Software Shadow Copy Provider
Path: C:\WINDOWS\system32\dllhost.exe /Processid:{91260DAB-496B-4D3E-9A23-9E15DEE1A314}
Start Mode: Manual

Service: Symantec AntiVirus
Displayed: Symantec AntiVirus
Path: "C:\Program Files\Symantec AntiVirus\Rtvscan.exe"
Start Mode: Auto

Service: SysmonLog
Displayed: Performance Logs and Alerts
Path: C:\WINDOWS\system32\smlogsvc.exe
Start Mode: Manual

Service: upnphost
Displayed: Universal Plug and Play Device Host
Path: C:\WINDOWS\system32\svchost.exe -k LocalService
Start Mode: Manual

Service: UPS
Displayed: Uninterruptible Power Supply
Path: C:\WINDOWS\System32\ups.exe
Start Mode: Manual

Service: VSS
Displayed: Volume Shadow Copy
Path: C:\WINDOWS\System32\vssvc.exe
Start Mode: Manual

Service: WebClient
Displayed: WebClient
Path: C:\WINDOWS\system32\svchost.exe -k LocalService
Start Mode: Auto

Service: WmdmPmSN
Displayed: Portable Media Serial Number Service
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Start Mode: Manual

Service: WmiApSrv
Displayed: WMI Performance Adapter
Path: C:\WINDOWS\system32\wbem\wmiapsrv.exe
Start Mode: Manual

Service: WMPNetworkSvc
Displayed: Windows Media Player Network Sharing Service
Path: "C:\Program Files\Windows Media Player\WMPNetwk.exe"
Start Mode: Manual

Service: WudfSvc
Displayed: Windows Driver Foundation - User-mode Driver Framework
Path: C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
Start Mode: Manual

Service: xmlprov
Displayed: Network Provisioning Service
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Start Mode: Manual


~~~ svchost Export ~~~

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost
HTTPFilter REG_MULTI_SZ
HTTPFilter
LocalService REG_MULTI_SZ
Alerter
WebClient
LmHosts
RemoteRegistry
upnphost
SSDPSRV
NetworkService REG_MULTI_SZ
DnsCache
netsvcs REG_MULTI_SZ
6to4
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
DHCP
ERSvc
EventSystem
FastUserSwitchingCompatibility
HidServ
Ias
Iprip
Irmon
LanmanServer
LanmanWorkstation
Messenger
Netman
Nla
Ntmssvc
NWCWorkstation
Nwsapagent
Rasauto
Rasman
Remoteaccess
Schedule
Seclogon
SENS
Sharedaccess
SRService
Tapisrv
Themes
TrkWks
W32Time
WZCSVC
Wmi
WmdmPmSp
winmgmt
wscsvc
xmlprov
napagent
hkmsvc
BITS
wuauserv
ShellHWDetection
helpsvc
WmdmPmSN
DcomLaunch REG_MULTI_SZ
DcomLaunch
TermService
rpcss REG_MULTI_SZ
RpcSs
eapsvcs REG_MULTI_SZ
eaphost
dot3svc REG_MULTI_SZ
dot3svc
imgsvc REG_MULTI_SZ
StiSvc
termsvcs REG_MULTI_SZ
TermService
WudfServiceGroup REG_MULTI_SZ
WUDFSvc
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\DComLaunch
CoInitializeSecurityParam REG_DWORD 0x1
DefaultRpcStackSize REG_DWORD 0x8
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\dot3svc
AuthenticationCapabilities REG_DWORD 0x3020
CoInitializeSecurityParam REG_DWORD 0x1
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\eapsvcs
AuthenticationCapabilities REG_DWORD 0x3020
CoInitializeSecurityParam REG_DWORD 0x1
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\HTTPFilter
CoInitializeSecurityParam REG_DWORD 0x1
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\LocalService
CoInitializeSecurityParam REG_DWORD 0x1
AuthenticationCapabilities REG_DWORD 0x2000
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\netsvcs
CoInitializeSecurityParam REG_DWORD 0x1
AuthenticationCapabilities REG_DWORD 0x3020
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\PCHealth
CoInitializeSecurityParam REG_DWORD 0x2
AuthenticationCapabilities REG_DWORD 0x40
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\termsvcs
CoInitializeSecurityParam REG_DWORD 0x1
DefaultRpcStackSize REG_DWORD 0x8

~~~End of Report~~~

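The service report above is the kind of listing a responder normally reads by hand. The script below is an added example for this thread (it is not driver_service_info's own code and not part of any post here) that parses the report's format, one "Key: value" block per service under the "~~~ ... ~~~" section headers plus the svchost REG_MULTI_SZ export, and runs three checks a practitioner would want over it: services set to Auto start that are not running, service image paths that contain spaces but are unquoted (the classic unquoted-service-path weakness), and svchost-hosted services whose "-k group" is not registered under that group in the svchost key. The embedded SAMPLE_REPORT is a short excerpt of the posted log; the single "ExampleSvc" entry is constructed (not from the log) so that the third check has something to flag. On the real log the checks would show btwdins with an unquoted path, and Rtvscan.exe (Symantec AntiVirus), fastnetsrv, CryptSvc, SharedAccess and a few others configured Auto but not running, which fits the expert's remark that NAV is unlikely to be interfering and ComboFix's later "Cryptography Services Error".

```python
import re

# Excerpt of the report posted above. The ExampleSvc entry is CONSTRUCTED
# (not from the log) so the svchost-group check below has a hit to show.
SAMPLE_REPORT = r"""~~~Running Services Configuration~~~

PID: 1016
Service: BITS
Displayed: Background Intelligent Transfer Service
Image: C:\WINDOWS\system32\svchost.exe -k netsvcs
Start Mode: Auto

PID: 884
Service: TermService
Displayed: Terminal Services
Image: C:\WINDOWS\System32\svchost -k DComLaunch
Start Mode: Manual

PID: 2222
Service: ExampleSvc
Displayed: CONSTRUCTED entry, not from the posted log
Image: C:\WINDOWS\system32\svchost.exe -k netsvcs
Start Mode: Auto

~~~Inactive Services Configuration~~~

Service: btwdins
Displayed: Bluetooth Service
Path: C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
Start Mode: Auto

Service: fastnetsrv
Displayed: fastnetsrv Service
Path: C:\WINDOWS\system32\FastNetSrv.exe
Start Mode: Auto

Service: Symantec AntiVirus
Displayed: Symantec AntiVirus
Path: "C:\Program Files\Symantec AntiVirus\Rtvscan.exe"
Start Mode: Auto

~~~ svchost Export ~~~

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost
netsvcs REG_MULTI_SZ
BITS
DcomLaunch REG_MULTI_SZ
DcomLaunch
TermService

~~~End of Report~~~
"""


def _sections(report):
    # {'Running Services Configuration': body, 'svchost Export': body, ...}
    parts = re.split(r"^~~~\s*(.*?)\s*~~~[ \t]*$", report, flags=re.M)
    return {parts[i]: parts[i + 1] for i in range(1, len(parts) - 1, 2)}


def _blocks(text):
    # One {key: value} dict per blank-line-separated block of "Key: value" lines.
    for chunk in re.split(r"\n\s*\n", text.strip()):
        fields = dict(re.findall(r"^([^:\n]+):\s*(.*)$", chunk, re.M))
        if "Service" in fields:
            yield fields


def parse_svchost_groups(text):
    # {'netsvcs': {'bits', ...}, ...}; names are lower-cased because the image
    # line and the registry export disagree on case (DComLaunch vs DcomLaunch).
    groups, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("HKEY_"):
            current = None  # key path or REG_DWORD subkey dump, not a membership list
        elif line.endswith("REG_MULTI_SZ"):
            current = line[: -len("REG_MULTI_SZ")].strip().lower()
            groups[current] = set()
        elif current is not None:
            groups[current].add(line.lower())
    return groups


def parse_report(report):
    # Running blocks carry the command line as "Image:", inactive ones as "Path:".
    sec = _sections(report)
    services = [{"name": f["Service"], "image": f.get("Image", ""),
                 "start": f.get("Start Mode", ""), "running": True}
                for f in _blocks(sec.get("Running Services Configuration", ""))]
    services += [{"name": f["Service"], "image": f.get("Path", ""),
                  "start": f.get("Start Mode", ""), "running": False}
                 for f in _blocks(sec.get("Inactive Services Configuration", ""))]
    return services, parse_svchost_groups(sec.get("svchost Export", ""))


def executable_of(image):
    # Honour quotes; otherwise take up to the first ".exe" followed by whitespace,
    # falling back to the first token (the log shows "svchost -k ..." without .exe).
    if image.startswith('"'):
        return image[1:].split('"', 1)[0]
    m = re.match(r"(.*?\.exe)(?:\s|$)", image, re.I)
    return m.group(1) if m else image.split(" ", 1)[0]


def triage(report):
    services, groups = parse_report(report)
    auto_not_running = [s["name"] for s in services
                        if s["start"].lower() == "auto" and not s["running"]]
    unquoted = [s["name"] for s in services
                if s["image"] and not s["image"].startswith('"')
                and " " in executable_of(s["image"])]
    mismatches = []
    for s in services:
        m = re.search(r"svchost(?:\.exe)?\s+-k\s+(\S+)", s["image"], re.I)
        if m and s["name"].lower() not in groups.get(m.group(1).lower(), set()):
            mismatches.append((s["name"], m.group(1)))
    return {"auto_not_running": sorted(auto_not_running, key=str.lower),
            "unquoted_paths": sorted(unquoted, key=str.lower),
            "svchost_mismatches": sorted(mismatches)}
```

Run it with `python3 triage.py` after adding `print(triage(SAMPLE_REPORT))`, or point `triage()` at the full text of a saved report. None of the checks is proof of infection on its own: an Auto service that is not running may simply have failed to start, and an unquoted path is a hardening finding rather than a sign of compromise, but a service name that is not in its claimed svchost group is worth a closer look because a legitimate installer registers itself there.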

#80 noahdfear (Malware Expert, MVP, 1,316 posts)

Please download this renamed ComboFix and copy it to the computer, then run it and post the resulting log.

#81 jay_sohhn (Topic Starter, Member, 92 posts)

When the scan gets to Stage 50 it just pauses. Nothing happens. Perhaps it's because my Norton antivirus is interfering with it? But I'm not sure how to disable it using Task Manager. I don't see anything under the Processes tab that is obvious.

#82 noahdfear (Malware Expert, MVP, 1,316 posts)

From the services log you posted, I wouldn't expect that NAV is interfering, though it could be. You did give it ample time to continue? Please try running it again in safe mode. If the result is the same we can try a slight re-configuration.

#83 jay_sohhn (Topic Starter, Member, 92 posts)

OK, I got it to finish running. The kittyfix automatically restarted my computer and I waited about 15 minutes for a txt file of the log to come up...but nothing. I searched for it in my c:\ drive and in my flash drive. No luck. Hints?

By the way, I really appreciate you sticking through this with me...this must be a record-breakingly long post!

#84 noahdfear (Malware Expert, MVP, 1,316 posts)

Well shucks - give it another whirl in Safe Mode. If CF restarts the machine, force it back to Safe Mode to see if it runs to completion.

#85 jay_sohhn (Topic Starter, Member, 92 posts)

Here it is, it worked this time. It's attached as a file too, if it's easier that way. I'll check back in tomorrow for your response.

ComboFix 09-12-15.03 - Amy Chen 12/18/2009 0:10.9.2 - x86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.836 [GMT -5:00]
Running from: f:\geekstogo\KittyFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BTWSRV
-------\Legacy_FASTNETSRV
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Service_fastnetsrv


((((((((((((((((((((((((( Files Created from 2009-11-18 to 2009-12-18 )))))))))))))))))))))))))))))))
.

2011-02-27 04:02 . 2009-12-16 05:10 -------- d-----w- c:\program files\Elantech

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-19 18:34 . 2010-02-19 18:34 -------- d-----w- c:\program files\microsoft frontpage
2010-02-19 18:32 . 2010-02-19 18:32 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-12-16 05:15 . 2009-12-16 05:15 100522 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP0.dll
2009-12-16 05:11 . 2009-12-16 05:11 32928 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP7.exe
2009-12-16 05:11 . 2009-06-04 05:45 -------- d-----w- c:\program files\Symantec AntiVirus
2009-12-16 05:10 . 2009-12-16 05:10 32928 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP6.exe
2009-12-16 05:10 . 2009-12-16 05:10 32928 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP5.exe
2009-12-16 04:44 . 2009-12-16 04:44 32928 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP4.exe
2009-12-16 02:35 . 2009-12-16 02:35 32928 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP3.exe
2009-11-11 20:53 . 2009-11-11 20:53 32928 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP2.EXE
2009-11-11 20:53 . 2009-11-11 20:53 32928 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP1.EXE
2009-11-11 20:53 . 2009-11-11 20:53 32928 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP0.EXE
2009-11-11 20:35 . 2010-02-19 18:33 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-11-11 04:52 . 2009-11-11 04:52 177520 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2ece04.vdb\NAVENG32.DLL
2009-11-11 04:52 . 2009-11-11 04:52 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2ece04.vdb\NAVEX32A.DLL
2009-11-11 04:52 . 2009-11-11 04:52 1323568 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2ece04.vdb\NAVEX15.SYS
2009-11-11 04:52 . 2009-11-11 04:52 84912 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2ece04.vdb\NAVENG.SYS
2009-11-11 04:52 . 2009-11-11 04:52 371248 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2ece04.vdb\EECTRL.SYS
2009-11-11 04:52 . 2009-11-11 04:52 2747952 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2ece04.vdb\CCERASER.DLL
2009-11-11 04:52 . 2009-11-11 04:52 259440 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2ece04.vdb\ECMSVR32.DLL
2009-11-11 04:52 . 2009-11-11 04:52 102448 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2ece04.vdb\ERASER.SYS
2009-11-07 04:49 . 2009-10-29 13:47 -------- d-----w- c:\program files\xhonsl
2009-11-07 04:49 . 2009-10-31 14:06 -------- d-----w- c:\program files\ewmnru
2009-11-04 14:48 . 2009-11-04 14:48 0 ----a-r- c:\windows\win32k.sys
2009-10-26 14:59 . 2009-10-26 14:59 0 ----a-w- c:\documents and settings\Amy Chen\settings.dat
2009-10-26 14:56 . 2009-06-07 16:21 -------- d-----w- c:\documents and settings\Amy Chen\Application Data\U3
2009-10-10 00:33 . 2009-10-28 18:08 14336 ----a-w- c:\windows\system32\svchost.exe
.
<pre>
c:\program files\EeePC\ACPI\asacpisvr .exe
c:\program files\EeePC\ACPI\asepcmon .exe
c:\program files\EeePC\ACPI\astray .exe
c:\program files\Elantech\etdctrl .exe
c:\program files\ewmnru\ibpmsysguard .exe
c:\program files\Symantec AntiVirus\vptray .exe
c:\program files\xhonsl\yqspsysguard .exe
c:\windows\ime\imkr6_1\imekrmig .exe
</pre>

------- Sigcheck -------

Cryptography Services Error !!
.
((((((((((((((((((((((((((((( SnapShot_2009-11-11_04.47.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-19 17:21 . 2009-12-03 23:39 71810 c:\windows\system32\perfc009.dat
- 2010-02-19 17:21 . 2009-11-11 04:28 71810 c:\windows\system32\perfc009.dat
+ 2009-11-11 04:51 . 2008-04-14 05:10 96512 c:\windows\system32\drivers\atapi.sys
- 2008-04-14 00:10 . 2008-04-14 05:10 96512 c:\windows\system32\drivers\atapi.sys
+ 2009-12-05 18:44 . 2009-12-05 18:44 99840 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\a0a93ff86fb946104e90221f5791eb91\WindowsLive.Writer.Api.ni.dll
- 2009-11-07 04:47 . 2009-11-07 04:47 99840 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\a0a93ff86fb946104e90221f5791eb91\WindowsLive.Writer.Api.ni.dll
+ 2009-12-05 18:50 . 2009-12-05 18:50 37888 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Pres#\8acb476a0d4ee17a12881e17ae74a6af\System.Windows.Presentation.ni.dll
+ 2009-12-05 18:49 . 2009-12-05 18:49 36864 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\4b87ca3482a3c0ee733e028ecee7de65\System.Web.DynamicData.Design.ni.dll
+ 2009-12-05 18:45 . 2009-12-05 18:45 94208 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ComponentMod#\a0c71055364bd356971791284c3fb910\System.ComponentModel.DataAnnotations.ni.dll
+ 2009-12-05 18:45 . 2009-12-05 18:45 82944 c:\windows\assembly\NativeImages_v2.0.50727_32\System.AddIn.Contra#\f9a75bbdc2ce7db578b5977766a09b99\System.AddIn.Contract.ni.dll
+ 2009-12-05 18:47 . 2009-12-05 18:47 55296 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Vsa\f2673aec397c52796aef05bb9d2668df\Microsoft.Vsa.ni.dll
+ 2009-12-05 18:43 . 2009-12-05 18:43 15872 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualC\704abb954db8c9a95118a8bde688d5c1\Microsoft.VisualC.ni.dll
+ 2009-12-05 18:45 . 2009-12-05 18:45 65024 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\d513fe1a81c441e7656a9b062cff4e9f\Microsoft.Build.Framework.ni.dll
- 2009-11-07 04:47 . 2009-11-07 04:47 74752 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\c5d504724d7f351b1d034615dbb72a2a\Microsoft.Build.Framework.ni.dll
+ 2009-12-05 18:45 . 2009-12-05 18:45 74752 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\c5d504724d7f351b1d034615dbb72a2a\Microsoft.Build.Framework.ni.dll
+ 2009-12-05 18:44 . 2009-12-05 18:44 14336 c:\windows\assembly\NativeImages_v2.0.50727_32\dfsvc\a664ccab020f93f1d533919f57131190\dfsvc.ni.exe
- 2009-11-07 04:47 . 2009-11-07 04:47 14336 c:\windows\assembly\NativeImages_v2.0.50727_32\dfsvc\a664ccab020f93f1d533919f57131190\dfsvc.ni.exe
+ 2010-02-19 18:33 . 2009-11-11 20:35 2442 c:\windows\pchealth\helpctr\PackageStore\SkuStore.bin
+ 2009-12-06 00:45 . 2009-12-14 16:03 870012 c:\windows\system32\Restore\rstrlog.dat
+ 2010-02-19 17:21 . 2009-12-03 23:39 442024 c:\windows\system32\perfh009.dat
- 2010-02-19 17:21 . 2009-11-11 04:28 442024 c:\windows\system32\perfh009.dat
+ 2009-12-05 18:45 . 2009-12-05 18:45 321536 c:\windows\assembly\NativeImages_v2.0.50727_32\WsatConfig\e2098e43d115155d6ba91ba3a7e577cf\WsatConfig.ni.exe
- 2009-11-07 04:47 . 2009-11-07 04:47 321536 c:\windows\assembly\NativeImages_v2.0.50727_32\WsatConfig\e2098e43d115155d6ba91ba3a7e577cf\WsatConfig.ni.exe
+ 2009-12-05 18:44 . 2009-12-05 18:44 627712 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLiveLocal.Wr#\e5fa3693acb5b4c1790edff45ee18351\WindowsLiveLocal.WriterPlugin.ni.dll
- 2009-11-07 04:47 . 2009-11-07 04:47 627712 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLiveLocal.Wr#\e5fa3693acb5b4c1790edff45ee18351\WindowsLiveLocal.WriterPlugin.ni.dll
- 2009-11-07 04:47 . 2009-11-07 04:47 118784 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\fa99a5d10584b4d2d8836396e512fbfb\WindowsLive.Writer.Extensibility.ni.dll
+ 2009-12-05 18:44 . 2009-12-05 18:44 118784 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\fa99a5d10584b4d2d8836396e512fbfb\WindowsLive.Writer.Extensibility.ni.dll
- 2009-11-07 04:46 . 2009-11-07 04:46 258048 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\f013d5f8178aea1f66ce25eb59f2dcfe\WindowsLive.Writer.Mshtml.ni.dll
+ 2009-12-05 18:44 . 2009-12-05 18:44 258048 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\f013d5f8178aea1f66ce25eb59f2dcfe\WindowsLive.Writer.Mshtml.ni.dll
- 2009-11-07 04:47 . 2009-11-07 04:47 594944 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\df6d8f820d3e6270a946e81d0524a7f4\WindowsLive.Writer.HtmlEditor.ni.dll
+ 2009-12-05 18:44 . 2009-12-05 18:44 594944 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\df6d8f820d3e6270a946e81d0524a7f4\WindowsLive.Writer.HtmlEditor.ni.dll
+ 2009-12-05 18:44 . 2009-12-05 18:44 108544 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\c25eea93a159ff547be11a457a656548\WindowsLive.Writer.Passport.ni.dll
- 2009-11-07 04:46 . 2009-11-07 04:46 108544 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\c25eea93a159ff547be11a457a656548\WindowsLive.Writer.Passport.ni.dll
+ 2009-12-05 18:44 . 2009-12-05 18:44 428032 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\8579b5b4f162eb3f960302b9499508ab\WindowsLive.Writer.Localization.ni.dll
- 2009-11-07 04:46 . 2009-11-07 04:46 428032 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\8579b5b4f162eb3f960302b9499508ab\WindowsLive.Writer.Localization.ni.dll
+ 2009-12-05 18:44 . 2009-12-05 18:44 851968 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\5e2e32999db49ca703dde8cdb853e307\WindowsLive.Writer.BlogClient.ni.dll
- 2009-11-07 04:47 . 2009-11-07 04:47 851968 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\5e2e32999db49ca703dde8cdb853e307\WindowsLive.Writer.BlogClient.ni.dll
+ 2009-12-05 18:44 . 2009-12-05 18:44 119296 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\590e62c09e8ce5cae4a887d2d873d82d\WindowsLive.Writer.FileDestinations.ni.dll
- 2009-11-07 04:47 . 2009-11-07 04:47 119296 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\590e62c09e8ce5cae4a887d2d873d82d\WindowsLive.Writer.FileDestinations.ni.dll
- 2009-11-07 04:47 . 2009-11-07 04:47 117760 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\26307209b32171fbdf5c0bac64eac6f7\WindowsLive.Writer.Instrumentation.ni.dll
+ 2009-12-05 18:44 . 2009-12-05 18:44 117760 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\26307209b32171fbdf5c0bac64eac6f7\WindowsLive.Writer.Instrumentation.ni.dll
- 2009-11-07 04:47 . 2009-11-07 04:47 322048 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\12069ef1883e43e5a8ff387d5503ffae\WindowsLive.Writer.SpellChecker.ni.dll
+ 2009-12-05 18:44 . 2009-12-05 18:44 322048 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\12069ef1883e43e5a8ff387d5503ffae\WindowsLive.Writer.SpellChecker.ni.dll
- 2009-11-07 04:47 . 2009-11-07 04:47 145920 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Client\e24024d52bd85aeadcea859acf2f10d7\WindowsLive.Client.ni.dll
+ 2009-12-05 18:44 . 2009-12-05 18:44 145920 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Client\e24024d52bd85aeadcea859acf2f10d7\WindowsLive.Client.ni.dll
+ 2009-12-05 18:50 . 2009-12-05 18:50 400896 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Xml.Linq\eb23b78564687badff1bd1f1d0a0ec97\System.Xml.Linq.ni.dll
+ 2009-12-05 18:49 . 2009-12-05 18:49 130048 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Routing\f28c400fcfac57fb1bfb2806cc1bfc76\System.Web.Routing.ni.dll
+ 2009-12-05 18:44 . 2009-12-05 18:44 202240 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.RegularE#\b5f1b8791e6c47e5bd5e7018c346c586\System.Web.RegularExpressions.ni.dll
- 2009-11-07 04:46 . 2009-11-07 04:46 202240 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.RegularE#\b5f1b8791e6c47e5bd5e7018c346c586\System.Web.RegularExpressions.ni.dll
+ 2009-12-05 18:49 . 2009-12-05 18:49 859648 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\884eacddf339b8b342f66aedff5f8ef9\System.Web.Extensions.Design.ni.dll
+ 2009-12-05 18:49 . 2009-12-05 18:49 328704 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity\9e199645bd26f1afe58ebe185d1e7f0f\System.Web.Entity.ni.dll
+ 2009-12-05 18:49 . 2009-12-05 18:49 301056 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity.D#\652017ebe962ab2eb271c2524f31cd61\System.Web.Entity.Design.ni.dll
+ 2009-12-05 18:49 . 2009-12-05 18:49 554496 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\b196f14bd08eca634cc0c417553bed2a\System.Web.DynamicData.ni.dll
+ 2009-12-05 18:48 . 2009-12-05 18:48 153600 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Abstract#\d89d8c6b08028100248ffe028e346a6b\System.Web.Abstractions.ni.dll
+ 2009-12-05 18:48 . 2009-12-05 18:48 625664 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Transactions\a43137a0c143b36978953e161da49600\System.Transactions.ni.dll
- 2009-11-07 04:46 . 2009-11-07 04:46 625664 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Transactions\9d58688a10292063636c86442d29ee9c\System.Transactions.ni.dll
+ 2009-12-05 18:43 . 2009-12-05 18:43 625664 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Transactions\9d58688a10292063636c86442d29ee9c\System.Transactions.ni.dll
- 2009-11-07 04:46 . 2009-11-07 04:46 212992 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\1f61bccb700d687775cf778dd77752e9\System.ServiceProcess.ni.dll
+ 2009-12-05 18:44 . 2009-12-05 18:44 212992 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\1f61bccb700d687775cf778dd77752e9\System.ServiceProcess.ni.dll
- 2009-11-07 04:46 . 2009-11-07 04:46 771584 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\af21e3011fb4e107b13ea5c40c351ec4\System.Runtime.Remoting.ni.dll
+ 2009-12-05 18:43 . 2009-12-05 18:43 771584 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\af21e3011fb4e107b13ea5c40c351ec4\System.Runtime.Remoting.ni.dll
+ 2009-12-05 18:47 . 2009-12-05 18:47 621056 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Net\5f74a84e9d28c2332c51f6e30da0e125\System.Net.ni.dll
+ 2009-12-05 18:47 . 2009-12-05 18:47 998400 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management\2c208e4c5521f31057ea7d6e93c6a567\System.Management.ni.dll
+ 2009-12-05 18:47 . 2009-12-05 18:47 330752 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management.I#\818b20a7c6f3b2fe97bf008ca24080c1\System.Management.Instrumentation.ni.dll
+ 2009-12-05 18:47 . 2009-12-05 18:47 280064 c:\windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\8a7d0bd0057a8ed38291d5662248f7a1\System.EnterpriseServices.Wrapper.dll
+ 2009-12-05 18:47 . 2009-12-05 18:47 627712 c:\windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\8a7d0bd0057a8ed38291d5662248f7a1\System.EnterpriseServices.ni.dll
+ 2009-12-05 18:47 . 2009-12-05 18:47 881152 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\c92fc19800e701c90f90ab7a2ab44c47\System.DirectoryServices.AccountManagement.ni.dll
+ 2009-12-05 18:44 . 2009-12-05 18:44 455680 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\a601f47a98ee67df424685c9a66ea449\System.DirectoryServices.Protocols.ni.dll
- 2009-11-07 04:46 . 2009-11-07 04:46 455680 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\a601f47a98ee67df424685c9a66ea449\System.DirectoryServices.Protocols.ni.dll
+ 2009-12-05 18:47 . 2009-12-05 18:47 939008 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Service#\b91b44015859163646f210d284f7166a\System.Data.Services.Client.ni.dll
+ 2009-12-05 18:47 . 2009-12-05 18:47 354816 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Service#\1b35297e07b85071daecdb06f96750a1\System.Data.Services.Design.ni.dll
+ 2009-12-05 18:47 . 2009-12-05 18:47 756736 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Entity.#\cf906bf9146d1f0013451ec63b58e064\System.Data.Entity.Design.ni.dll
+ 2009-12-05 18:45 . 2009-12-05 18:45 135680 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.DataSet#\4ff4134b0d490c090e03d74e104517c4\System.Data.DataSetExtensions.ni.dll
- 2009-11-07 04:46 . 2009-11-07 04:46 141312 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuratio#\443e3a85c491b2de4a2ac654cb957484\System.Configuration.Install.ni.dll
+ 2009-12-05 18:44 . 2009-12-05 18:44 141312 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuratio#\443e3a85c491b2de4a2ac654cb957484\System.Configuration.Install.ni.dll
+ 2009-12-05 18:45 . 2009-12-05 18:45 633856 c:\windows\assembly\NativeImages_v2.0.50727_32\System.AddIn\cba35f47925431a54d0e6ae147a292f1\System.AddIn.ni.dll
+ 2009-12-05 18:45 . 2009-12-05 18:45 366080 c:\windows\assembly\NativeImages_v2.0.50727_32\SMSvcHost\6af32fe5cbec0aa54e2efa6910c73651\SMSvcHost.ni.exe
- 2009-11-07 04:47 . 2009-11-07 04:47 366080 c:\windows\assembly\NativeImages_v2.0.50727_32\SMSvcHost\6af32fe5cbec0aa54e2efa6910c73651\SMSvcHost.ni.exe
- 2009-11-07 04:47 . 2009-11-07 04:47 256000 c:\windows\assembly\NativeImages_v2.0.50727_32\SMDiagnostics\7602d7687fb9bd21cd9ae60d2b187c99\SMDiagnostics.ni.dll
+ 2009-12-05 18:44 . 2009-12-05 18:44 256000 c:\windows\assembly\NativeImages_v2.0.50727_32\SMDiagnostics\7602d7687fb9bd21cd9ae60d2b187c99\SMDiagnostics.ni.dll
- 2009-11-07 04:47 . 2009-11-07 04:47 320512 c:\windows\assembly\NativeImages_v2.0.50727_32\ServiceModelReg\a23dc25782df04533a13e348203e4dc5\ServiceModelReg.ni.exe
+ 2009-12-05 18:44 . 2009-12-05 18:44 320512 c:\windows\assembly\NativeImages_v2.0.50727_32\ServiceModelReg\a23dc25782df04533a13e348203e4dc5\ServiceModelReg.ni.exe
+ 2009-12-05 18:45 . 2009-12-05 18:45 133632 c:\windows\assembly\NativeImages_v2.0.50727_32\MSBuild\eade8c1c9c1e8e5ffb50e6c9b9af0f6a\MSBuild.ni.exe
- 2009-11-07 04:47 . 2009-11-07 04:47 133632 c:\windows\assembly\NativeImages_v2.0.50727_32\MSBuild\eade8c1c9c1e8e5ffb50e6c9b9af0f6a\MSBuild.ni.exe
+ 2009-12-05 18:44 . 2009-12-05 18:44 386560 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Transacti#\fc4d66e0a92b3767006a84f2519d2457\Microsoft.Transactions.Bridge.Dtc.ni.dll
- 2009-11-07 04:47 . 2009-11-07 04:47 386560 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Transacti#\fc4d66e0a92b3767006a84f2519d2457\Microsoft.Transactions.Bridge.Dtc.ni.dll
+ 2009-12-05 18:45 . 2009-12-05 18:45 144384 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\58ca3ecc52b7246b448c109817198a0b\Microsoft.Build.Utilities.ni.dll
+ 2009-12-05 18:45 . 2009-12-05 18:45 175104 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\4dd43724dd92026577c6f588270137a0\Microsoft.Build.Utilities.v3.5.ni.dll
+ 2009-12-05 18:45 . 2009-12-05 18:45 839680 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\8c651f75bb741330370986dcad8e9e5b\Microsoft.Build.Engine.ni.dll
+ 2009-12-05 18:45 . 2009-12-05 18:45 222720 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Con#\a6dcbae619ccd938bfe808c54d6d3ae0\Microsoft.Build.Conversion.v3.5.ni.dll
+ 2009-12-05 18:45 . 2009-12-05 18:45 220672 c:\windows\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\77688ce14f221ed94a9f442ae4736123\CustomMarshalers.ni.dll
- 2009-11-07 04:47 . 2009-11-07 04:47 376320 c:\windows\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\382cc2ce9fcd975eed81a7183c2d8f81\ComSvcConfig.ni.exe
+ 2009-12-05 18:44 . 2009-12-05 18:44 376320 c:\windows\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\382cc2ce9fcd975eed81a7183c2d8f81\ComSvcConfig.ni.exe
+ 2009-12-05 18:44 . 2009-12-05 18:44 1105920 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\6acc6f61fe15553bdb89e21a6a720578\WindowsLive.Writer.ApplicationFramework.ni.dll
- 2009-11-07 04:47 . 2009-11-07 04:47 1105920 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\6acc6f61fe15553bdb89e21a6a720578\WindowsLive.Writer.ApplicationFramework.ni.dll
+ 2009-12-05 18:50 . 2009-12-05 18:50 1356288 c:\windows\assembly\NativeImages_v2.0.50727_32\System.WorkflowServ#\fa48917b13629d8effa80dd4a2f2973d\System.WorkflowServices.ni.dll
+ 2009-12-05 18:50 . 2009-12-05 18:50 1908224 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Run#\6fe66ee6f3c81996bc148f1ebe7ec030\System.Workflow.Runtime.ni.dll
+ 2009-12-05 18:50 . 2009-12-05 18:50 4514304 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Com#\9d0b61f2f1ebdc300bd970f594c422ef\System.Workflow.ComponentModel.ni.dll
+ 2009-12-05 18:50 . 2009-12-05 18:50 2992640 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Act#\65328898148a720d394f802f192fc2a0\System.Workflow.Activities.ni.dll
+ 2009-12-05 18:44 . 2009-12-05 18:44 1838080 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Services\ee59632d392e85b5a0b10ed2f9cdaa34\System.Web.Services.ni.dll
- 2009-11-07 04:46 . 2009-11-07 04:46 1838080 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Services\ee59632d392e85b5a0b10ed2f9cdaa34\System.Web.Services.ni.dll
+ 2009-12-05 18:50 . 2009-12-05 18:50 1838080 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Services\292cce5fbb6a3508552c9cd43445f792\System.Web.Services.ni.dll
+ 2009-12-05 18:49 . 2009-12-05 18:49 2209280 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Mobile\29e2f8b1fb691ced973acf49fcee6ec1\System.Web.Mobile.ni.dll
+ 2009-12-05 18:49 . 2009-12-05 18:49 2428416 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\d66aaf3bcb7eba90ae54ac6105d025ba\System.Web.Extensions.ni.dll
+ 2009-12-05 18:48 . 2009-12-05 18:48 1706496 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel#\e182695d05ea57257568bc5f3208aca7\System.ServiceModel.Web.ni.dll
- 2009-11-07 04:46 . 2009-11-07 04:46 1116672 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\f47ebb9db460874b1bcbfc391dc970b1\System.DirectoryServices.ni.dll
+ 2009-12-05 18:43 . 2009-12-05 18:43 1116672 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\f47ebb9db460874b1bcbfc391dc970b1\System.DirectoryServices.ni.dll
+ 2009-12-05 18:47 . 2009-12-05 18:47 1328128 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Services\112a48e34620a0210eb850040da8a31b\System.Data.Services.ni.dll
+ 2009-12-05 18:44 . 2009-12-05 18:44 1115136 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.OracleC#\e5b1899d48f01303824dc96ecf877b42\System.Data.OracleClient.ni.dll
- 2009-11-07 04:46 . 2009-11-07 04:46 1115136 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.OracleC#\e5b1899d48f01303824dc96ecf877b42\System.Data.OracleClient.ni.dll
+ 2009-12-05 18:47 . 2009-12-05 18:47 9924096 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Entity\9012cac7819660f61f1c69cf8e4f2ccf\System.Data.Entity.ni.dll
+ 2009-12-05 18:45 . 2009-12-05 18:45 1712128 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\6eee9b772b6d12d3dbd82f118c2ab2e5\Microsoft.VisualBasic.ni.dll
- 2009-11-07 04:47 . 2009-11-07 04:47 1093120 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Transacti#\f19e9b439636d0744597fff1331cad04\Microsoft.Transactions.Bridge.ni.dll
+ 2009-12-05 18:44 . 2009-12-05 18:44 1093120 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Transacti#\f19e9b439636d0744597fff1331cad04\Microsoft.Transactions.Bridge.ni.dll
+ 2009-12-05 18:47 . 2009-12-05 18:47 2332160 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.JScript\5b1af7b5be24c7ace065fe1c81c2b650\Microsoft.JScript.ni.dll
+ 2009-12-05 18:45 . 2009-12-05 18:45 1620992 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\9eec1cc7ac37e0c7f3205e8156149c5a\Microsoft.Build.Tasks.ni.dll
+ 2009-12-05 18:45 . 2009-12-05 18:45 1966080 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\28c0730288453d57d5dcd62903c4d31b\Microsoft.Build.Tasks.v3.5.ni.dll
+ 2009-12-05 18:45 . 2009-12-05 18:45 1888768 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\5dd4f58999eed37c12aee7ea9f9863ac\Microsoft.Build.Engine.ni.dll
+ 2009-12-05 18:32 . 2009-11-05 14:36 26768832 c:\windows\system32\MRT.exe
+ 2009-12-05 18:50 . 2009-12-05 18:50 11794944 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web\09267ab20349a706f353aed0c9baa864\System.Web.ni.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4e232aa-bd80-4ce2-896f-f0b02c7accc7}]
fupipivo.dll [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2008-04-14 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"RTHDCPL"="RTHDCPL.EXE" [2009-02-13 17508864]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-06-24 53096]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-9-2 604776]
SuperHybridEngine.lnk - c:\program files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2009-2-19 376832]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-11 00:51 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2008-12-03 03:41 3882312 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

S2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2/19/2009 2:22 PM 55136]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 8:09 PM 11032]
S2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/30/2008 4:41 PM 116664]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2/19/2009 1:56 PM 1684736]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [12/8/2008 5:01 PM 533344]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\documents and settings\Amy Chen\Application Data\Mozilla\Firefox\Profiles\6qm4eeji.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\Amy Chen\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

SharedTaskScheduler-<NO NAME> - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-18 00:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,96,44,2c,d8,a1,66,c2,4f,93,d6,8e,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,96,44,2c,d8,a1,66,c2,4f,93,d6,8e,\
.
Completion time: 2009-12-18 00:50:45
ComboFix-quarantined-files.txt 2009-12-18 05:50
ComboFix2.txt 2009-11-11 04:54
ComboFix3.txt 2009-11-04 15:31
ComboFix4.txt 2009-10-29 13:36
ComboFix5.txt 2009-11-11 20:38

Pre-Run: 27,048,972,288 bytes free
Post-Run: 27,032,735,744 bytes free

- - End Of File - - EF3F4B595D4B75EE580971EFFE37B462

Attached Files

#86 noahdfear (Malware Expert, 1,316 posts, MVP)
You can do the following from safe mode again if necessary.

Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it next to KittyFix.exe as:

Filename: CFScript.txt
Save As Type: All Files (*.*)

Folder::
c:\program files\xhonsl
c:\program files\ewmnru
File::
c:\windows\win32k.sys
RenV::
c:\program files\EeePC\ACPI\asacpisvr .exe
c:\program files\EeePC\ACPI\asepcmon .exe
c:\program files\EeePC\ACPI\astray .exe
c:\program files\Elantech\etdctrl .exe
c:\program files\Symantec AntiVirus\vptray .exe
c:\windows\ime\imkr6_1\imekrmig .exe
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4e232aa-bd80-4ce2-896f-f0b02c7accc7}]

Now drag the CFScript onto KittyFix.exe and drop it (should be able to do that from task manager too).
ComboFix should run and may reboot the computer.
Post the resulting log and let me know if there's any change in the system.
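
The RenV:: section of the script above reverses a rename trick: the rogue inserted a space before the extension of legitimate startup binaries ("astray .exe") so its own file could take the original name. As an added example (not code from the thread, from ComboFix or from the rogue), the Python below walks a directory tree and reports every executable whose stem ends in a space, together with whether something now occupies the original name. The directory layout it builds is constructed for the demo: the file names echo those in the script, the sizes and contents are made up.

```python
"""Triage for the 'name .exe' rename trick the RenV:: section above undoes.

Added example, not code from the thread or from ComboFix. The rogue renamed
legitimate startup binaries by inserting a space before the extension
(e.g. "astray .exe") and placed its own file under the original name.
This walks a tree, reports every executable whose stem ends in a space, and
records whether something now occupies the original file name.
"""
from __future__ import annotations

import os
import tempfile
from dataclasses import dataclass

EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".com"}


@dataclass
class RenamedBinary:
    directory: str          # folder the pair lives in
    renamed_name: str       # e.g. "astray .exe"
    original_name: str      # e.g. "astray.exe"
    imposter_present: bool  # True if a file with the original name exists now
    imposter_size: int      # its size in bytes, 0 when absent


def find_space_renamed(root: str) -> list[RenamedBinary]:
    """Return every executable under root whose stem ends with a space."""
    hits: list[RenamedBinary] = []
    for dirpath, _dirs, files in os.walk(root):
        present = set(files)
        for name in files:
            stem, ext = os.path.splitext(name)
            if ext.lower() not in EXECUTABLE_EXTENSIONS or not stem.endswith(" "):
                continue
            original = stem.rstrip(" ") + ext
            size = os.path.getsize(os.path.join(dirpath, original)) if original in present else 0
            hits.append(RenamedBinary(dirpath, name, original, original in present, size))
    return sorted(hits, key=lambda h: (h.directory, h.renamed_name))


def imposter_map(root: str) -> dict[str, bool]:
    """Convenience view: renamed file name -> whether an imposter sits beside it."""
    return {h.renamed_name: h.imposter_present for h in find_space_renamed(root)}


def build_sample_tree() -> str:
    """Construct a throwaway tree for the demo (names echo the script; sizes are made up)."""
    root = tempfile.mkdtemp(prefix="renv_demo_")
    layout = {
        "Elantech": [("etdctrl .exe", 4096), ("etdctrl.exe", 1024)],  # pair: imposter present
        os.path.join("EeePC", "ACPI"): [("astray .exe", 4096)],      # imposter already removed
        "Symantec AntiVirus": [("vptray.exe", 2048)],                 # untouched, must not match
    }
    for sub, entries in layout.items():
        folder = os.path.join(root, sub)
        os.makedirs(folder, exist_ok=True)
        for fname, size in entries:
            with open(os.path.join(folder, fname), "wb") as fh:
                fh.write(b"MZ" + b"\0" * (size - 2))  # fake PE stub; content is irrelevant here
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for hit in find_space_renamed(demo_root):
        status = f"imposter present, {hit.imposter_size} bytes" if hit.imposter_present else "no imposter"
        print(f"{hit.directory}: {hit.renamed_name!r} -> {hit.original_name!r} ({status})")
```

Run it against Program Files on the affected machine (from the flash drive, as the rest of this thread does) rather than the demo tree; a hit with imposter_present is the file to quarantine and hash before anything is renamed back.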

#87 jay_sohhn (Member, Topic Starter, 92 posts)
Here's the log file. By the way, no change in the computer (i.e., in safe mode, blank screen, no icons, no task bar, no start menu). Still get the stop error too. In fact, I got the stop error a few times when I ran combofix, especially when it was preparing the log files.

ComboFix 09-12-15.03 - Amy Chen 12/18/2009 10:41:43.10.2 - x86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.833 [GMT -5:00]
Running from: f:\geekstogo\KittyFix.exe
Command switches used :: f:\geekstogo\CFScript.txt.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FILE ::
"c:\windows\win32k.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\ewmnru
c:\program files\ewmnru\ibpmsysguard .exe
c:\program files\xhonsl
c:\program files\xhonsl\yqspsysguard .exe
c:\windows\win32k.sys

.
((((((((((((((((((((((((( Files Created from 2009-11-18 to 2009-12-18 )))))))))))))))))))))))))))))))
.

2011-02-27 04:02 . 2009-12-18 15:41 -------- d-----w- c:\program files\Elantech

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-19 18:34 . 2010-02-19 18:34 -------- d-----w- c:\program files\microsoft frontpage
2010-02-19 18:32 . 2010-02-19 18:32 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-12-18 15:41 . 2009-06-04 05:45 -------- d-----w- c:\program files\Symantec AntiVirus
2009-12-16 05:15 . 2009-12-16 05:15 100522 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP0.dll
2009-12-16 05:11 . 2009-12-16 05:11 32928 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP7.exe
2009-12-16 05:10 . 2009-12-16 05:10 32928 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP6.exe
2009-12-16 05:10 . 2009-12-16 05:10 32928 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP5.exe
2009-12-16 04:44 . 2009-12-16 04:44 32928 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP4.exe
2009-12-16 02:35 . 2009-12-16 02:35 32928 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP3.exe
2009-11-11 20:53 . 2009-11-11 20:53 32928 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP2.EXE
2009-11-11 20:53 . 2009-11-11 20:53 32928 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP1.EXE
2009-11-11 20:53 . 2009-11-11 20:53 32928 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP0.EXE
2009-11-11 20:35 . 2010-02-19 18:33 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-11-11 04:52 . 2009-11-11 04:52 177520 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2ece04.vdb\NAVENG32.DLL
2009-11-11 04:52 . 2009-11-11 04:52 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2ece04.vdb\NAVEX32A.DLL
2009-11-11 04:52 . 2009-11-11 04:52 1323568 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2ece04.vdb\NAVEX15.SYS
2009-11-11 04:52 . 2009-11-11 04:52 84912 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2ece04.vdb\NAVENG.SYS
2009-11-11 04:52 . 2009-11-11 04:52 371248 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2ece04.vdb\EECTRL.SYS
2009-11-11 04:52 . 2009-11-11 04:52 2747952 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2ece04.vdb\CCERASER.DLL
2009-11-11 04:52 . 2009-11-11 04:52 259440 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2ece04.vdb\ECMSVR32.DLL
2009-11-11 04:52 . 2009-11-11 04:52 102448 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2ece04.vdb\ERASER.SYS
2009-10-26 14:59 . 2009-10-26 14:59 0 ----a-w- c:\documents and settings\Amy Chen\settings.dat
2009-10-26 14:56 . 2009-06-07 16:21 -------- d-----w- c:\documents and settings\Amy Chen\Application Data\U3
2009-10-10 00:33 . 2009-10-28 18:08 14336 ----a-w- c:\windows\system32\svchost.exe
.

------- Sigcheck -------

Cryptography Services Error !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2008-04-14 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"RTHDCPL"="RTHDCPL.EXE" [2009-02-13 17508864]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-06-24 53096]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-9-2 604776]
SuperHybridEngine.lnk - c:\program files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2009-2-19 376832]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-11 00:51 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2008-12-03 03:41 3882312 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

S2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2/19/2009 2:22 PM 55136]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 8:09 PM 11032]
S2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/30/2008 4:41 PM 116664]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2/19/2009 1:56 PM 1684736]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [12/8/2008 5:01 PM 533344]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\documents and settings\Amy Chen\Application Data\Mozilla\Firefox\Profiles\6qm4eeji.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\Amy Chen\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

SharedTaskScheduler-<NO NAME> - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-18 11:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,96,44,2c,d8,a1,66,c2,4f,93,d6,8e,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,96,44,2c,d8,a1,66,c2,4f,93,d6,8e,\
.
Completion time: 2009-12-18 11:22:08
ComboFix-quarantined-files.txt 2009-12-18 16:22
ComboFix2.txt 2009-12-18 05:50
ComboFix3.txt 2009-11-11 04:54
ComboFix4.txt 2009-11-04 15:31
ComboFix5.txt 2009-12-18 15:39

Pre-Run: 27,047,477,248 bytes free
Post-Run: 27,026,812,928 bytes free

- - End Of File - - 3FFE6A53F99AD3EAE00A9506240F4BD7

#88
noahdfear

    Malware Expert

  • Expert
  • 1,316 posts
  • MVP
Please open the Service management console by typing services.msc in the File>New Task window.
Select Cryptographic Services, then right-click it and select Start.
If it fails to start, close the console, then type cmd in the File>New Task window to open a command window.
Type the following command, then hit Enter.

reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /s >c:\crypt.txt

Post the contents of c:\crypt.txt here.

If the service does start, let me know please.

#89
jay_sohhn

    Member

  • Topic Starter
  • Member
  • PipPip
  • 92 posts
I typed in Services.msc, right-clicked on CryptSvc, and clicked Start. Got an error message (Error 193: 0xc1). So I opened a command window and entered the command you indicated. The text file appears below:


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc
DependOnService REG_MULTI_SZ RpcSs\0\0
Description REG_SZ Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
DisplayName REG_SZ CryptSvc
ErrorControl REG_DWORD 0x1
ImagePath REG_EXPAND_SZ %SystemRoot%\system32\svchost.exe -k netsvcs
ObjectName REG_SZ LocalSystem
Start REG_DWORD 0x2
Type REG_DWORD 0x20

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc\Parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\cryptsvc.dll
ServiceMain REG_SZ CryptServiceMain

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc\Security
Security REG_BINARY 00000E0001

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc\Enum
0 REG_SZ Root\LEGACY_CRYPTSVC\0000
Count REG_DWORD 0x1
NextInstance REG_DWORD 0x1
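As an added example that is not part of the thread, here is a short Python audit of the `reg query` export posted above: it parses the key/value lines, compares Start, ImagePath and ServiceDll against the stock CryptSvc configuration (the baseline values and the PE-header check are my assumptions, not anything from the thread), and checks that a file begins with a well-formed MZ/PE header, which is exactly what error 193 (0xc1, ERROR_BAD_EXE_FORMAT) reports as missing when a service image has been corrupted or replaced.

```python
# Added example, not from the thread. Error 193 (0xc1, ERROR_BAD_EXE_FORMAT) on
# start means the image the SCM loads is not a valid PE: check ImagePath/ServiceDll.
import re
import struct

VALUE_RE = re.compile(r"^\s*(\S+)\s+(REG_[A-Z_]+)\s+(.*)$")

# Constructed from the CryptSvc export in the thread (Description omitted).
SAMPLE = r"""HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc
ImagePath REG_EXPAND_SZ %SystemRoot%\system32\svchost.exe -k netsvcs
Start REG_DWORD 0x2
Type REG_DWORD 0x20

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc\Parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\cryptsvc.dll
"""

def parse_reg_query(text):
    """Map each key path in `reg query /s` output to {name: (type, data)}."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip()
            keys[current] = {}
        elif current is not None and (m := VALUE_RE.match(line)):
            keys[current][m.group(1)] = (m.group(2), m.group(3).strip())
    return keys

def audit_service(keys, service, expected_dll):
    """Return findings; an empty list means the export matches the baseline."""
    root = next(k for k in keys if k.lower().endswith("\\" + service.lower()))
    vals, params = keys[root], keys.get(root + "\\Parameters", {})
    findings = []
    if int(vals["Start"][1], 16) != 2:  # 2 = SERVICE_AUTO_START
        findings.append(f"Start is {vals['Start'][1]}, expected 0x2 (automatic)")
    if not vals["ImagePath"][1].lower().endswith("svchost.exe -k netsvcs"):
        findings.append(f"unexpected ImagePath: {vals['ImagePath'][1]}")
    dll = params.get("ServiceDll", ("", ""))[1]
    if dll.lower() != expected_dll.lower():
        findings.append(f"unexpected ServiceDll: {dll or '<missing>'}")
    return findings

def looks_like_pe(data):
    """True when bytes start with an MZ stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

if __name__ == "__main__":  # feed the real export with: reg query ... /s > crypt.txt
    print(audit_service(parse_reg_query(SAMPLE), "CryptSvc", r"%SystemRoot%\System32\cryptsvc.dll"))
```

To check the file itself, read the first few hundred bytes of the expanded ServiceDll path (and of svchost.exe) and pass them to `looks_like_pe`; a False result on either explains the 0xc1 start failure.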

#90
noahdfear

    Malware Expert

  • Expert
  • 1,316 posts
  • MVP
Open a command window and execute the following commands, one at a time. Click OK if prompted.

regsvr32 softpub.dll
regsvr32 wintrust.dll
regsvr32 initpki.dll
regsvr32 dssenh.dll
regsvr32 rsaenh.dll
regsvr32 gpkcsp.dll
regsvr32 sccbase.dll
regsvr32 slbcsp.dll
regsvr32 cryptdlg.dll
net start cryptsvc


Let me know the results of the final command.


Are you familiar with editing the registry?





