Tech Support Forum - View Single Post - search-daily hijack

mmartin784 · 01-12-2008, 08:37 PM

Nothing unusual accept when running combofix norton antivirus tried to block the script. Hope this does not create problems.

Thank you!

DAFT Log saved on 2008-01-12 21:04:06
-----------------------------------------------------------------------
.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*

*********************************************************

ComboFix 08-01-13.1 - Martin 2008-01-12 21:14:08.3 - NTFSx86
Running from: C:\Documents and Settings\Martin\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 )))))))))))))))))))))))))))))))
.

2008-01-12 13:57 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SDTHOOK.SYS
2008-01-12 13:33 . 2008-01-12 14:47 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2008-01-12 13:33 . 2008-01-12 13:33 30,590 --a------ C:\WINDOWS\SYSTEM32\pavas.ico
2008-01-12 13:33 . 2008-01-12 13:33 2,550 --a------ C:\WINDOWS\SYSTEM32\Uninstall.ico
2008-01-12 13:33 . 2008-01-12 13:33 1,406 --a------ C:\WINDOWS\SYSTEM32\Help.ico
2008-01-12 12:09 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-12 00:17 . 2008-01-12 00:17 <DIR> d-------- C:\Deckard
2008-01-12 00:09 . 2008-01-12 00:12 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-12 00:09 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\SYSTEM32\MSINET.OCX
2008-01-10 20:40 . 2008-01-10 20:40 <DIR> d-------- C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Webroot
2008-01-10 20:13 . 2008-01-10 20:13 <DIR> d-------- C:\Program Files\Webroot
2008-01-10 20:13 . 2008-01-10 20:13 <DIR> d-------- C:\Documents and Settings\Martin\Application Data\Webroot
2008-01-10 20:13 . 2008-01-10 20:13 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-01-10 20:13 . 2008-01-10 20:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-01-10 20:13 . 2007-10-01 16:40 1,526,072 --a------ C:\WINDOWS\WRSetup.dll
2008-01-10 20:13 . 2007-10-01 16:24 163,640 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ssidrv.sys
2008-01-10 20:13 . 2007-10-01 16:24 23,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sskbfd.sys
2008-01-10 20:13 . 2007-10-01 16:24 21,816 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sshrmd.sys
2008-01-10 20:13 . 2007-10-01 16:24 20,280 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SSFS0BB9.sys
2008-01-10 20:12 . 2008-01-10 20:27 164 --a------ C:\install.dat
2008-01-09 21:46 . 2008-01-09 21:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-01-09 21:46 . 2007-11-14 16:05 1,086,952 --a------ C:\WINDOWS\SYSTEM32\zpeng24.dll
2008-01-09 21:46 . 2007-11-14 16:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-01-09 21:46 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\SYSTEM32\SpOrder.dll
2008-01-07 20:53 . 2008-01-07 20:59 <DIR> d-------- C:\Program Files\XoftSpySE
2008-01-06 14:59 . 2008-01-06 14:59 1,188,375 --a------ C:\WINDOWS\SYSTEM32\libeay32.dll
2008-01-06 14:59 . 2008-01-06 14:59 741,632 --a------ C:\WINDOWS\SYSTEM32\dhesaybh.dat
2008-01-06 14:59 . 2008-01-06 14:59 246,545 --a------ C:\WINDOWS\SYSTEM32\libssl32.dll
2008-01-06 14:59 . 2008-01-06 14:59 42,240 --a------ C:\WINDOWS\SYSTEM32\duaepeqa.dat
2008-01-06 14:59 . 2008-01-11 21:49 36,608 --a------ C:\WINDOWS\SYSTEM32\mwtmqymy.dat
2008-01-06 14:59 . 2008-01-06 14:59 35,072 --a------ C:\WINDOWS\SYSTEM32\lvuqxizx.dat
2008-01-06 14:42 . 2008-01-06 14:42 120,576 --a------ C:\WINDOWS\SYSTEM32\ygszobyi.dat
2008-01-06 14:33 . 2008-01-12 15:49 <DIR> d-------- C:\WINDOWS\SYSTEM32\AppCert
2008-01-06 14:32 . 2004-09-07 11:55 16,384 --a------ C:\WINDOWS\SYSTEM32\s6i5w1euqxsh.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-12 20:32 --------- d-----w C:\Program Files\Norton AntiVirus
2008-01-12 20:26 --------- d-----w C:\Program Files\iTunes
2008-01-12 20:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-01-11 05:59 --------- d-----w C:\Program Files\Family Trees Quick & Easy 5
2007-12-24 05:38 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-01 18:51 20,748,502 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2007-11-14 06:38 --------- d-----w C:\Program Files\TotalFax 7.0
2007-11-07 04:40 724,984 ----a-w C:\Documents and Settings\Martin\gotomypc_437.exe
2005-08-25 21:14 2,819,072 ----a-w C:\WINDOWS\Internet Logs\xDBE.tmp
2005-08-25 20:49 1,392,640 ----a-w C:\WINDOWS\Internet Logs\xDBC.tmp
2005-02-22 23:00 3,023,872 ----a-w C:\WINDOWS\Internet Logs\xDBD.tmp
2005-02-22 22:59 1,933,312 ----a-w C:\WINDOWS\Internet Logs\xDBB.tmp
2005-01-28 09:28 1,930,240 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2005-01-18 04:40 1,925,120 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2004-11-05 23:50 1,338,880 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2004-03-16 01:39 2,696,704 ----a-w C:\WINDOWS\Internet Logs\xDB20.tmp
2004-03-16 01:39 1,019,904 ----a-w C:\WINDOWS\Internet Logs\xDB1F.tmp
2005-07-24 17:22 32 --sha-w C:\WINDOWS\{3E6F4D71-DAD8-40A3-A03E-6BAE2FEC7583}.dat
2005-07-24 17:22 32 --sha-w C:\WINDOWS\SYSTEM32\{9D957D8C-3407-47AA-AA06-4EC784B82DB4}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-07 00:19 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 00:07 114688]
"BCMSMMSG"="BCMSMMSG.exe" [2003-06-02 05:00 122880 C:\WINDOWS\BCMSMMSG.exe]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 10:27 28672]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 19:47 204800]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 01:01 135264]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 286720]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [2003-10-07 16:21 294912]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-08-25 23:11 180269]
"ccApp"="-" []
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-08-19 21:23 34504]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2006-06-25 14:02 100056]
"SSC_UserPrompt"="C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-11-02 15:59 218240]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-07 15:55 267064]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-10-01 16:40 5367608]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ :\WINDOW

R2 A4SII300;A4SII300;C:\WINDOWS\System32\drivers\A4SII300.SYS [1998-02-26 14:10]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-11 06:28:54 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2005-07-24 17:43:52 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
"2008-01-11 02:13:49 C:\WINDOWS\Tasks\wrSpySweeperTrialSweep.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe&/ScheduleSweep=wrSpySweeperTrialSweep
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- A:\
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-12 21:17:54
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-12 21:18:44
ComboFix-quarantined-files.txt 2008-01-13 03:18:41
ComboFix2.txt 2008-01-13 02:43:32

*********************************************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:29:38 PM, on 1/12/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DwlClient] "C:\Program Files\Common Files\Dell\EUSW\Support.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] -
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] "C:\PROGRA~1\SYMNET~1\SNDMon.exe" /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX 5.5 Basic) - http://www.isqft.com/Applets/ScriptX/ScriptX.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/26f46bca...p/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1113627649515
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2000i\AcDcToday.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/pro...tor/WebAAS.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploa...loadClient.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred Control) - file://C:\Program Files\AutoCAD 2000i\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2000i\AcPreview.ocx
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 7253 bytes

01-12-2008, 08:37 PM	#9 (permalink)
mmartin784 Registered User Join Date: Jan 2008 Posts: 23 OS: XP Home Edition 2002 service pack 1	Re: search-daily hijack Nothing unusual accept when running combofix norton antivirus tried to block the script. Hope this does not create problems. Thank you! DAFT Log saved on 2008-01-12 21:04:06 ----------------------------------------------------------------------- .cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%* ******************************************************* ComboFix 08-01-13.1 - Martin 2008-01-12 21:14:08.3 - NTFSx86 Running from: C:\Documents and Settings\Martin\Desktop\ComboFix.exe WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!** . ((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 ))))))))))))))))))))))))))))))) . 2008-01-12 13:57 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SDTHOOK.SYS 2008-01-12 13:33 . 2008-01-12 14:47 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan 2008-01-12 13:33 . 2008-01-12 13:33 30,590 --a------ C:\WINDOWS\SYSTEM32\pavas.ico 2008-01-12 13:33 . 2008-01-12 13:33 2,550 --a------ C:\WINDOWS\SYSTEM32\Uninstall.ico 2008-01-12 13:33 . 2008-01-12 13:33 1,406 --a------ C:\WINDOWS\SYSTEM32\Help.ico 2008-01-12 12:09 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe 2008-01-12 00:17 . 2008-01-12 00:17 <DIR> d-------- C:\Deckard 2008-01-12 00:09 . 2008-01-12 00:12 <DIR> d-------- C:\Program Files\SpywareBlaster 2008-01-12 00:09 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\SYSTEM32\MSINET.OCX 2008-01-10 20:40 . 2008-01-10 20:40 <DIR> d-------- C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Webroot 2008-01-10 20:13 . 2008-01-10 20:13 <DIR> d-------- C:\Program Files\Webroot 2008-01-10 20:13 . 2008-01-10 20:13 <DIR> d-------- C:\Documents and Settings\Martin\Application Data\Webroot 2008-01-10 20:13 . 2008-01-10 20:13 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot 2008-01-10 20:13 . 2008-01-10 20:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot 2008-01-10 20:13 . 2007-10-01 16:40 1,526,072 --a------ C:\WINDOWS\WRSetup.dll 2008-01-10 20:13 . 2007-10-01 16:24 163,640 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ssidrv.sys 2008-01-10 20:13 . 2007-10-01 16:24 23,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sskbfd.sys 2008-01-10 20:13 . 2007-10-01 16:24 21,816 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sshrmd.sys 2008-01-10 20:13 . 2007-10-01 16:24 20,280 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SSFS0BB9.sys 2008-01-10 20:12 . 2008-01-10 20:27 164 --a------ C:\install.dat 2008-01-09 21:46 . 2008-01-09 21:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier 2008-01-09 21:46 . 2007-11-14 16:05 1,086,952 --a------ C:\WINDOWS\SYSTEM32\zpeng24.dll 2008-01-09 21:46 . 2007-11-14 16:05 75,248 --a------ C:\WINDOWS\zllsputility.exe 2008-01-09 21:46 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\SYSTEM32\SpOrder.dll 2008-01-07 20:53 . 2008-01-07 20:59 <DIR> d-------- C:\Program Files\XoftSpySE 2008-01-06 14:59 . 2008-01-06 14:59 1,188,375 --a------ C:\WINDOWS\SYSTEM32\libeay32.dll 2008-01-06 14:59 . 2008-01-06 14:59 741,632 --a------ C:\WINDOWS\SYSTEM32\dhesaybh.dat 2008-01-06 14:59 . 2008-01-06 14:59 246,545 --a------ C:\WINDOWS\SYSTEM32\libssl32.dll 2008-01-06 14:59 . 2008-01-06 14:59 42,240 --a------ C:\WINDOWS\SYSTEM32\duaepeqa.dat 2008-01-06 14:59 . 2008-01-11 21:49 36,608 --a------ C:\WINDOWS\SYSTEM32\mwtmqymy.dat 2008-01-06 14:59 . 2008-01-06 14:59 35,072 --a------ C:\WINDOWS\SYSTEM32\lvuqxizx.dat 2008-01-06 14:42 . 2008-01-06 14:42 120,576 --a------ C:\WINDOWS\SYSTEM32\ygszobyi.dat 2008-01-06 14:33 . 2008-01-12 15:49 <DIR> d-------- C:\WINDOWS\SYSTEM32\AppCert 2008-01-06 14:32 . 2004-09-07 11:55 16,384 --a------ C:\WINDOWS\SYSTEM32\s6i5w1euqxsh.exe . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-01-12 20:32 --------- d-----w C:\Program Files\Norton AntiVirus 2008-01-12 20:26 --------- d-----w C:\Program Files\iTunes 2008-01-12 20:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan 2008-01-11 05:59 --------- d-----w C:\Program Files\Family Trees Quick & Easy 5 2007-12-24 05:38 --------- d-----w C:\Program Files\Common Files\Symantec Shared 2007-12-01 18:51 20,748,502 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip 2007-11-14 06:38 --------- d-----w C:\Program Files\TotalFax 7.0 2007-11-07 04:40 724,984 ----a-w C:\Documents and Settings\Martin\gotomypc_437.exe 2005-08-25 21:14 2,819,072 ----a-w C:\WINDOWS\Internet Logs\xDBE.tmp 2005-08-25 20:49 1,392,640 ----a-w C:\WINDOWS\Internet Logs\xDBC.tmp 2005-02-22 23:00 3,023,872 ----a-w C:\WINDOWS\Internet Logs\xDBD.tmp 2005-02-22 22:59 1,933,312 ----a-w C:\WINDOWS\Internet Logs\xDBB.tmp 2005-01-28 09:28 1,930,240 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp 2005-01-18 04:40 1,925,120 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp 2004-11-05 23:50 1,338,880 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp 2004-03-16 01:39 2,696,704 ----a-w C:\WINDOWS\Internet Logs\xDB20.tmp 2004-03-16 01:39 1,019,904 ----a-w C:\WINDOWS\Internet Logs\xDB1F.tmp 2005-07-24 17:22 32 --sha-w C:\WINDOWS\{3E6F4D71-DAD8-40A3-A03E-6BAE2FEC7583}.dat 2005-07-24 17:22 32 --sha-w C:\WINDOWS\SYSTEM32\{9D957D8C-3407-47AA-AA06-4EC784B82DB4}.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Sonic RecordNow!"="" [] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-07 00:19 155648] "HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 00:07 114688] "BCMSMMSG"="BCMSMMSG.exe" [2003-06-02 05:00 122880 C:\WINDOWS\BCMSMMSG.exe] "DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 10:27 28672] "PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 19:47 204800] "diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 01:01 135264] "UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 286720] "DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [2003-10-07 16:21 294912] "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-08-25 23:11 180269] "ccApp"="-" [] "ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-08-19 21:23 34504] "Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2006-06-25 14:02 100056] "SSC_UserPrompt"="C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-11-02 15:59 218240] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-07 15:55 267064] "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016] "SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-10-01 16:40 5367608] [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Notification Packages REG_MULTI_SZ :\WINDOW R2 A4SII300;A4SII300;C:\WINDOWS\System32\drivers\A4SII300.SYS [1998-02-26 14:10] . Contents of the 'Scheduled Tasks' folder "2008-01-11 06:28:54 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job" - C:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca "2005-07-24 17:43:52 C:\WINDOWS\Tasks\Symantec NetDetect.job" - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE "2008-01-11 02:13:49 C:\WINDOWS\Tasks\wrSpySweeperTrialSweep.job" - C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe&/ScheduleSweep=wrSpySweeperTrialSweep - C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex - A:\ . ************************************************************************ catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-01-12 21:17:54 Windows 5.1.2600 Service Pack 1 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************************************** . Completion time: 2008-01-12 21:18:44 ComboFix-quarantined-files.txt 2008-01-13 03:18:41 ComboFix2.txt 2008-01-13 02:43:32 ******************************************************* Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 9:29:38 PM, on 1/12/2008 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\System32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\hkcmd.exe C:\WINDOWS\BCMSMMSG.exe C:\WINDOWS\System32\DSentry.exe C:\Program Files\Dell\Media Experience\PCMService.exe C:\Program Files\Common Files\Dell\EUSW\Support.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\System32\CTsvcCDA.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe C:\WINDOWS\System32\wuauclt.exe C:\WINDOWS\System32\wuauclt.exe C:\Program Files\Webroot\Spy Sweeper\SSU.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1 O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe" O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [DwlClient] "C:\Program Files\Common Files\Dell\EUSW\Support.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [ccApp] - O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [Symantec NetDriver Monitor] "C:\PROGRA~1\SYMNET~1\SNDMon.exe" /Consumer O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX 5.5 Basic) - http://www.isqft.com/Applets/ScriptX/ScriptX.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409 O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/26f46bca...p/RdxIE601.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1113627649515 O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2000i\AcDcToday.ocx O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/pro...tor/WebAAS.cab O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploa...loadClient.cab O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred Control) - file://C:\Program Files\AutoCAD 2000i\InstFred.ocx O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2000i\AcPreview.ocx O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe -- End of file - 7253 bytes