Old 04-21-2009, 06:59 PM   #1 (permalink)
Registered User
 
Join Date: Oct 2008
Posts: 8
OS: xp sp3


Ad-Aware, Norton, & spybot not working. Webpages redirected to ad pages also!

DDS (Ver_09-03-16.01) - NTFSx86
Run by Iverson at 20:45:56.71 on Tue 04/21/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.57 [GMT -4:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated)
FW: Norton Internet Security *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Iverson\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\norton internet security\engine\16.5.0.135\coIEPlg.dll
TB: ZeroBar: {f5735c15-1fb2-41fe-ba12-242757e69dde} - c:\program files\netzero\toolbar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [DadApp] c:\program files\dell\accessdirect\dadapp.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [Dell QuickSet] c:\progra~1\dell\quickset\quickset.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: Yahoo! Poker - hxxp://download.games.yahoo.com/games/clients/y/pt3_x.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1005.cab
DPF: {49232000-16E4-426C-A231-62846947304B} - hxxp://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/webplayer/stage6/windows/AutoDLDivXWebPlayerInstaller.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {88D969C0-F192-11D4-A65F-0040963251E5} - hxxp://ipgweb.cce.hp.com/rdqna/downloads/msxml4.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 85.255.112.89,85.255.112.201
TCP: {91CB9690-562F-4E99-8216-6C4B298FE610} = 85.255.112.89,85.255.112.201
TCP: {93A7A135-E82B-4C4A-839E-C035DAC23255} = 85.255.112.89,85.255.112.201
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\norton internet security\engine\16.5.0.135\CoIEPlg.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\iverson\applic~1\mozilla\firefox\profiles\lhvny92v.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.ftp - :0
FF - prefs.js: network.proxy.gopher - :0
FF - prefs.js: network.proxy.http - :0
FF - prefs.js: network.proxy.socks - :0
FF - prefs.js: network.proxy.ssl - :0
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\documents and settings\iverson\application data\mozilla\firefox\profiles\lhvny92v.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000004.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1005000.087\SymEFA.sys [2009-3-23 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1005000.087\BHDrvx86.sys [2009-3-23 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1005000.087\cchpx86.sys [2009-3-23 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090414.001\IDSXpx86.sys [2009-4-18 276344]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\norton internet security\engine\16.5.0.135\ccSvcHst.exe [2009-3-23 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-26 101936]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090420.024\NAVENG.SYS [2009-4-20 89104]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090420.024\NAVEX15.SYS [2009-4-20 876144]

=============== Created Last 30 ================

2009-04-21 19:20 <DIR> --d----- c:\program files\common files\PC Tools
2009-04-21 17:04 664 a------- c:\windows\system32\d3d9caps.dat
2009-04-20 22:00 392 ---shr-- C:\autorun.inf
2009-04-19 16:35 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-04-19 16:35 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-04-19 16:35 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-04-19 16:35 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
2009-04-19 16:35 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-04-19 16:35 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-19 16:35 99,328 a------- c:\windows\system32\srusd.dll
2009-04-19 16:35 99,328 a------- c:\windows\system32\dllcache\srusd.dll
2009-04-19 16:35 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-04-19 16:35 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
2009-04-19 16:34 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-04-19 16:34 6,784 a------- c:\windows\system32\drivers\serscan.sys
2009-04-19 16:34 6,784 a------- c:\windows\system32\dllcache\serscan.sys
2009-04-19 16:34 71,680 a------- c:\windows\system32\fnfilter.dll
2009-04-19 16:34 71,680 a------- c:\windows\system32\dllcache\fnfilter.dll
2009-04-19 16:31 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-19 16:31 1,203,922 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-04-19 16:31 215,552 -------- c:\windows\system32\dllcache\wordpad.exe

==================== Find3M ====================

2009-03-23 17:03 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-03-23 17:03 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-03-23 17:03 7,386 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-03-23 17:03 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-03-21 10:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-12 05:03 36,400 a----r-- c:\windows\system32\drivers\SymIM.sys
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\dllcache\wininet.dll
2009-02-28 00:54 636,072 -------- c:\windows\system32\dllcache\iexplore.exe
2009-02-20 06:20 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 06:20 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 01:14 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2009-02-09 08:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 08:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 08:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 07:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-07 19:02 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-07 19:02 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 07:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 07:08 2,189,056 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 07:08 2,189,056 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 07:06 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 06:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 06:39 35,328 a------- c:\windows\system32\dllcache\sc.exe
2009-02-06 06:32 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-03 15:59 56,832 a------- c:\windows\system32\secur32.dll
2009-02-03 15:59 56,832 -------- c:\windows\system32\dllcache\secur32.dll
2008-08-31 09:42 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008083120080901\index.dat

============= FINISH: 20:46:53.27 ===============
Attached Files
File Type: zip Attach.zip (3.6 KB, 3 views)
File Type: zip ark.zip (45.3 KB, 4 views)
gizzmojive is offline  

Old 04-22-2009, 01:39 PM   #2 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: Ad-Aware, Norton, & spybot not working. Webpages redirected to ad pages also!

Hi,

Please re-run GMER using the same instructions you did before then post the log.
__________________
UNITE and ASAP since 2006


If we have helped you, please consider donating.

The past won't be able to hurt you unless you keep on looking back at it.
Angelfire777 is offline  
Old 04-22-2009, 08:12 PM   #3 (permalink)
Registered User
 
Join Date: Oct 2008
Posts: 8
OS: xp sp3


Re: Ad-Aware, Norton, & spybot not working. Webpages redirected to ad pages also!

I got a warning when I ran GMER this time. It said:
"WARNING!!!
GMER has found system modification caused by ROOTKIT activity."

Here is my new GMER log:

GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-22 22:07:25
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT 82F365D0 ZwAlertResumeThread
SSDT 82EAF150 ZwAlertThread
SSDT 82EB0120 ZwAllocateVirtualMemory
SSDT 82F8B7D0 ZwAssignProcessToJobObject
SSDT 82DC5410 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xEF4AB040]
SSDT 82F8B920 ZwCreateMutant
SSDT 82F90778 ZwCreateSymbolicLinkObject
SSDT 82D6B198 ZwCreateThread
SSDT 82F57258 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xEF4AB2C0]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xEF4AB820]
SSDT 82F5E008 ZwDuplicateObject
SSDT 82F8EF40 ZwFreeVirtualMemory
SSDT 82F587C0 ZwImpersonateAnonymousToken
SSDT 82F89AA0 ZwImpersonateThread
SSDT 82D08748 ZwLoadDriver
SSDT 82E31150 ZwMapViewOfSection
SSDT 82EC7C48 ZwOpenEvent
SSDT 82ED0868 ZwOpenProcess
SSDT 82EC1160 ZwOpenProcessToken
SSDT 82F58B80 ZwOpenSection
SSDT 82F626E8 ZwOpenThread
SSDT 82F562B0 ZwProtectVirtualMemory
SSDT 82F8B170 ZwResumeThread
SSDT 82EC4A28 ZwSetContextThread
SSDT 82F4E008 ZwSetInformationProcess
SSDT 82EAB7B8 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xEF4ABA70]
SSDT 82ECD588 ZwSuspendProcess
SSDT 82EAD150 ZwSuspendThread
SSDT 82EA3178 ZwTerminateProcess
SSDT 82EA1668 ZwTerminateThread
SSDT 82EA93B8 ZwUnmapViewOfSection
SSDT 82F4E868 ZwWriteVirtualMemory

Code 82E465D0 ZwEnumerateKey
Code 82CDD888 ZwFlushInstructionCache
Code 82E55216 IofCallDriver
Code 82E86CA6 IofCompleteRequest

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\gxvxcnndyouhhyiasityqqubrbexjwkmndrtx.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [1912] 0x10000000

---- EOF - GMER 1.0.15 ----


Please let me know how to proceed. Thanks.
gizzmojive is offline  
Old 04-23-2009, 12:19 AM   #4 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: Ad-Aware, Norton, & spybot not working. Webpages redirected to ad pages also!

Please visit this webpage for download links, and instructions for running combofix:

http://www.bleepingcomputer.com/comb...o-use-combofix

Note: Please rename combofix.exe to cfix.exe

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
Angelfire777 is offline  
Old 04-23-2009, 04:37 AM   #5 (permalink)
Registered User
 
Join Date: Oct 2008
Posts: 8
OS: xp sp3


Re: Ad-Aware, Norton, & spybot not working. Webpages redirected to ad pages also!

ok.
Before ComboFix ran its scan, it prompted me with two (2) separate pop-up windows, not discussed in the directions on the Bleepingcomputer.com website. Those windows were for:

"Warning Norton Internet Security Still Active"
&
"Rootkit!!"

I could not do anything about the pop ups, as they were just warning messages, but thought I should let you know about them.

Here is my combo fix log (I have attached it too):

ComboFix 09-04-23.06 - Iverson 04/23/2009 5:57.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.355 [GMT -4:00]
Running from: c:\documents and settings\Iverson\Desktop\cfix.exe.exe
AV: Norton Internet Security *On-access scanning enabled* (Updated)
FW: Norton Internet Security *disabled*

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
c:\recycler\S-3-6-95-100020228-100020645-100009024-1699.com
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\system32\drivers\gxvxcowqpulrwqtqrtfmqxodawijewsiomyrj.sys
c:\windows\system32\gxvxccounter
c:\windows\system32\gxvxcnndyouhhyiasityqqubrbexjwkmndrtx.dll
c:\windows\system32\tmp.reg

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_GXVXCSERV.SYS


((((((((((((((((((((((((( Files Created from 2009-05-23 to 2009-4-23 )))))))))))))))))))))))))))))))
.

2009-04-21 23:20 . 2009-04-21 23:59 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-21 23:20 . 2009-04-22 00:26 -------- d-----w c:\program files\Common Files\PC Tools
2009-04-21 22:54 . 2009-04-21 22:54 -------- d-----w c:\documents and settings\Administrator\Application Data\DivX
2009-04-21 21:07 . 2009-04-21 22:49 -------- d-----w c:\documents and settings\Administrator\.housecall6.6
2009-04-21 21:04 . 2009-04-21 21:04 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-04-19 21:38 . 2009-04-19 21:38 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-04-19 21:15 . 2009-04-20 02:21 -------- d-----w c:\documents and settings\All Users\Application Data\NOS
2009-04-19 21:15 . 2009-04-20 02:21 -------- d-----w c:\program files\NOS
2009-04-19 20:35 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-19 20:35 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-19 20:35 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-19 20:35 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-19 20:35 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-19 20:35 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-19 20:35 . 2001-08-18 02:36 99328 ----a-w c:\windows\system32\srusd.dll
2009-04-19 20:35 . 2001-08-18 02:36 99328 ----a-w c:\windows\system32\dllcache\srusd.dll
2009-04-19 20:35 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-19 20:35 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-19 20:34 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-19 20:34 . 2001-08-17 17:53 6784 ----a-w c:\windows\system32\drivers\serscan.sys
2009-04-19 20:34 . 2001-08-17 17:53 6784 ----a-w c:\windows\system32\dllcache\serscan.sys
2009-04-19 20:34 . 2001-08-18 02:36 71680 ----a-w c:\windows\system32\fnfilter.dll
2009-04-19 20:34 . 2001-08-18 02:36 71680 ----a-w c:\windows\system32\dllcache\fnfilter.dll
2009-04-19 20:31 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-19 20:31 . 2009-03-27 06:58 1203922 ------w c:\windows\system32\dllcache\sysmain.sdb
2009-04-19 20:31 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-18 19:28 . 2009-04-18 19:28 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\SupportSoft
2009-04-08 01:35 . 2009-04-08 01:35 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-04-03 00:58 . 2009-04-03 00:58 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-22 00:44 . 2005-01-23 22:39 -------- d-----w c:\program files\LimeWire
2009-04-22 00:08 . 2004-12-21 00:48 -------- d-----w c:\program files\Common Files\Real
2009-04-22 00:04 . 2005-01-25 01:50 -------- d-----w c:\program files\Winamp
2009-04-22 00:01 . 2007-10-06 21:35 -------- d-----w c:\program files\Bonjour
2009-04-21 02:09 . 2007-01-27 19:42 -------- d--h--w c:\documents and settings\Iverson\Application Data\Move Networks
2009-04-20 02:20 . 2008-03-07 02:09 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-19 21:31 . 2005-02-08 15:56 -------- d-----w c:\program files\Common Files\Adobe
2009-04-03 23:23 . 2004-12-21 00:43 -------- d-----w c:\program files\Java
2009-03-23 21:03 . 2008-10-02 10:39 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-03-23 21:03 . 2008-10-02 10:39 7386 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-03-23 21:03 . 2008-10-02 10:39 60808 ----a-w c:\windows\SYSTEM32\S32EVNT1.DLL
2009-03-23 21:03 . 2008-10-02 10:39 124464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-03-23 21:03 . 2005-02-08 16:02 -------- d-----w c:\program files\Symantec
2009-03-21 14:06 . 2009-03-21 14:06 989696 ------w c:\windows\SYSTEM32\DLLCACHE\kernel32.dll
2009-03-12 09:03 . 2008-12-18 10:53 36400 ----a-r c:\windows\system32\drivers\SymIM.sys
2009-03-09 09:19 . 2009-02-12 23:40 410984 ----a-w c:\windows\SYSTEM32\deploytk.dll
2009-03-06 14:22 . 2004-08-04 11:00 284160 ----a-w c:\windows\SYSTEM32\pdh.dll
2009-03-03 00:18 . 2006-05-10 05:23 826368 ----a-w c:\windows\SYSTEM32\DLLCACHE\wininet.dll
2009-03-03 00:18 . 2004-08-04 11:00 826368 ----a-w c:\windows\SYSTEM32\wininet.dll
2009-02-28 04:54 . 2006-10-17 18:04 636072 ------w c:\windows\SYSTEM32\DLLCACHE\iexplore.exe
2009-02-26 22:28 . 2008-03-07 02:09 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-20 10:20 . 2007-05-09 20:01 13824 ------w c:\windows\SYSTEM32\DLLCACHE\ieudinit.exe
2009-02-20 10:20 . 2006-10-27 07:44 70656 ------w c:\windows\SYSTEM32\DLLCACHE\ie4uinit.exe
2009-02-20 05:14 . 2004-08-04 11:00 161792 ----a-w c:\windows\SYSTEM32\DLLCACHE\ieakui.dll
2009-02-09 12:10 . 2004-08-04 11:00 729088 ----a-w c:\windows\SYSTEM32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 11:00 714752 ----a-w c:\windows\SYSTEM32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 11:00 617472 ----a-w c:\windows\SYSTEM32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 11:00 401408 ----a-w c:\windows\SYSTEM32\rpcss.dll
2009-02-09 11:13 . 2008-10-14 23:19 1846784 ------w c:\windows\SYSTEM32\DLLCACHE\win32k.sys
2009-02-09 11:13 . 2004-08-04 11:00 1846784 ----a-w c:\windows\SYSTEM32\win32k.sys
2009-02-07 23:02 . 2008-10-14 23:21 2066048 ------w c:\windows\SYSTEM32\DLLCACHE\ntkrnlpa.exe
2009-02-07 23:02 . 1980-01-01 06:00 2066048 ----a-w c:\windows\SYSTEM32\ntkrnlpa.exe
2009-02-06 11:11 . 2004-08-04 11:00 110592 ----a-w c:\windows\SYSTEM32\services.exe
2009-02-06 11:08 . 2008-10-14 23:21 2189056 ------w c:\windows\SYSTEM32\DLLCACHE\ntoskrnl.exe
2009-02-06 11:08 . 1980-01-01 06:00 2189056 ----a-w c:\windows\SYSTEM32\ntoskrnl.exe
2009-02-06 11:06 . 2008-10-14 23:21 2145280 ------w c:\windows\SYSTEM32\DLLCACHE\ntkrnlmp.exe
2009-02-06 10:39 . 2004-08-04 11:00 35328 ----a-w c:\windows\SYSTEM32\sc.exe
2009-02-06 10:39 . 2004-08-04 11:00 35328 ----a-w c:\windows\SYSTEM32\DLLCACHE\sc.exe
2009-02-06 10:32 . 2008-10-14 23:21 2023936 ------w c:\windows\SYSTEM32\DLLCACHE\ntkrpamp.exe
2009-02-03 19:59 . 2009-02-03 19:59 56832 ------w c:\windows\SYSTEM32\DLLCACHE\secur32.dll
2009-02-03 19:59 . 2004-08-04 11:00 56832 ----a-w c:\windows\SYSTEM32\secur32.dll
2008-10-09 23:35 . 2005-01-16 03:15 20816 -c--a-w c:\documents and settings\Iverson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2006-04-05 01:45 . 2006-04-05 01:45 130 -c--a-w c:\documents and settings\Iverson\Local Settings\Application Data\fusioncache.dat
2008-08-31 13:42 . 2008-08-31 13:42 32768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008083120080901\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-12-20 24576]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1005000.087\SYMEFA.SYS [2009-03-12 310320]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\Drivers\NIS\1005000.087\BHDrvx86.sys [2009-03-12 258608]
S1 ccHP;Symantec Hash Provider;c:\windows\System32\Drivers\NIS\1005000.087\ccHPx86.sys [2009-03-23 482352]
S1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20090414.001\IDSxpx86.sys [2009-01-29 276344]
S2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe [2009-03-12 115560]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-25 101936]

.
Contents of the 'Scheduled Tasks' folder

2009-04-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Iverson\Application Data\Mozilla\Firefox\Profiles\lhvny92v.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.ftp - :0
FF - prefs.js: network.proxy.gopher - :0
FF - prefs.js: network.proxy.http - :0
FF - prefs.js: network.proxy.socks - :0
FF - prefs.js: network.proxy.ssl - :0
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\documents and settings\Iverson\Application Data\Mozilla\Firefox\Profiles\lhvny92v.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-23 06:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Norton Internet Security\Engine\16.5.0.135\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1192)
c:\windows\System32\BCMLogon.dll
.
Completion time: 2009-04-23 6:09
ComboFix-quarantined-files.txt 2009-04-23 10:09

Pre-Run: 3,151,507,456 bytes free
Post-Run: 3,211,587,584 bytes free

175 --- E O F --- 2009-04-20 01:58



After completion of the scan I got another pop up window that stated:

"Registry Editor
Cannot export RegRuns00: Error opening the file. There may be a disk or file system error."

Please let me know what to do next.
Attached Files
File Type: txt cfix log.txt (12.6 KB, 0 views)

Last edited by gizzmojive; 04-23-2009 at 04:39 AM.
gizzmojive is offline  
Old 04-24-2009, 02:18 PM   #6 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
Angelfire777's Avatar
 
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: Ad-Aware, Norton, & spybot not working. Webpages redirected to ad pages also!

Hi,

*I see you have P2P software (LimeWire) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

Please see this topic for more information:

http://www.techsupportforum.com/secu...e-sharing.html

I would strongly recommend that you uninstall this. You can do so via Control Panel >> Add or Remove Programs.

Also, uninstall these older versions of Java:

Java(TM) 6 Update 5
Java(TM) 6 Update 7
J2SE Runtime Environment 5.0 Update 3
Java 2 Runtime Environment, SE v1.4.2_03


They are security vulnerabilities and a waste of space.


*You need to disable Norton first, instructions can be found here: http://service1.symantec.com/SUPPORT...03071515220236

*While both Tea timer and SpyBot are closed
  • Run Spybot-S&D
  • Go to the Mode menu, and make sure "Advanced Mode" is selected
  • On the left hand side, choose Tools -> Resident
  • Uncheck "Resident TeaTimer" and OK any prompts
  • Restart your computer.

You may turn TeaTimer back on via Spybot's Tools > Resident page when your computer is clean.

Note: If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.



*Open notepad.
Copy and paste the text inside the code box below to notepad
Code:
DDS::
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
  • Save and Name it as "CFScript"
  • Drag and drop CFScript.txt to your copy of combofix.

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.



*Next, it's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply


In your next reply, please include a
  • Kaspersky scan log
  • ComboFix log
__________________
UNITE and ASAP since 2006


If we have helped you, please consider donating.

The past won't be able to hurt you unless you keep on looking back at it.
Angelfire777 is offline  
Old 04-26-2009, 12:44 PM   #7 (permalink)
Registered User
 
Join Date: Oct 2008
Posts: 8
OS: xp sp3


Re: Ad-Aware, Norton, & spybot not working. Webpages redirected to ad pages also!

Here is my combofix log:

ComboFix 09-04-25.A3 - Iverson 04/26/2009 9:57.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.195 [GMT -4:00]
Running from: c:\documents and settings\Iverson\Desktop\cfix.exe.exe
Command switches used :: c:\documents and settings\Iverson\Desktop\CFScript.txt
AV: Norton Internet Security *On-access scanning disabled* (Updated)
FW: Norton Internet Security *disabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-05-26 to 2009-4-26 )))))))))))))))))))))))))))))))
.

2009-04-23 23:51 . 2009-04-26 13:29 -------- d-----w c:\windows\system32\CatRoot_bak
2009-04-21 23:20 . 2009-04-21 23:59 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-21 23:20 . 2009-04-22 00:26 -------- d-----w c:\program files\Common Files\PC Tools
2009-04-21 22:54 . 2009-04-21 22:54 -------- d-----w c:\documents and settings\Administrator\Application Data\DivX
2009-04-21 21:07 . 2009-04-21 22:49 -------- d-----w c:\documents and settings\Administrator\.housecall6.6
2009-04-21 21:04 . 2009-04-21 21:04 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-04-19 21:38 . 2009-04-19 21:38 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-04-19 21:15 . 2009-04-20 02:21 -------- d-----w c:\documents and settings\All Users\Application Data\NOS
2009-04-19 21:15 . 2009-04-20 02:21 -------- d-----w c:\program files\NOS
2009-04-19 20:35 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-19 20:35 . 2005-07-26 04:39 60416 ------w c:\windows\system32\dllcache\colbact.dll
2009-04-19 20:35 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-19 20:35 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-19 20:35 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-19 20:35 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-19 20:35 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-19 20:35 . 2001-08-18 02:36 99328 ----a-w c:\windows\system32\srusd.dll
2009-04-19 20:35 . 2001-08-18 02:36 99328 ----a-w c:\windows\system32\dllcache\srusd.dll
2009-04-19 20:35 . 2009-02-09 10:20 723456 ----a-w c:\windows\system32\dllcache\lsasrv.dll
2009-04-19 20:35 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-19 20:34 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-19 20:34 . 2001-08-17 17:53 6784 ----a-w c:\windows\system32\drivers\serscan.sys
2009-04-19 20:34 . 2001-08-17 17:53 6784 ----a-w c:\windows\system32\dllcache\serscan.sys
2009-04-19 20:34 . 2001-08-18 02:36 71680 ----a-w c:\windows\system32\fnfilter.dll
2009-04-19 20:34 . 2001-08-18 02:36 71680 ----a-w c:\windows\system32\dllcache\fnfilter.dll
2009-04-19 20:31 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-19 20:31 . 2009-03-27 07:09 1193414 ----a-w c:\windows\system32\dllcache\sysmain.sdb
2009-04-19 20:31 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-18 19:28 . 2009-04-18 19:28 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\SupportSoft
2009-04-08 01:35 . 2009-04-08 01:35 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-04-03 00:58 . 2009-04-03 00:58 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-23 21:28 . 2004-08-04 11:00 250032 --sha-r C:\NTLDR
2009-04-23 21:27 . 2004-08-10 19:13 78279 ----a-w c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat
2009-04-22 00:44 . 2005-01-23 22:39 -------- d-----w c:\program files\LimeWire
2009-04-22 00:08 . 2004-12-21 00:48 -------- d-----w c:\program files\Common Files\Real
2009-04-22 00:04 . 2005-01-25 01:50 -------- d-----w c:\program files\Winamp
2009-04-22 00:01 . 2007-10-06 21:35 -------- d-----w c:\program files\Bonjour
2009-04-21 02:09 . 2007-01-27 19:42 -------- d--h--w c:\documents and settings\Iverson\Application Data\Move Networks
2009-04-20 02:20 . 2008-03-07 02:09 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-19 21:31 . 2005-02-08 15:56 -------- d-----w c:\program files\Common Files\Adobe
2009-04-03 23:23 . 2004-12-21 00:43 -------- d-----w c:\program files\Java
2009-03-23 21:03 . 2008-10-02 10:39 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-03-23 21:03 . 2008-10-02 10:39 7386 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-03-23 21:03 . 2008-10-02 10:39 60808 ----a-w c:\windows\SYSTEM32\S32EVNT1.DLL
2009-03-23 21:03 . 2008-10-02 10:39 124464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-03-23 21:03 . 2005-02-08 16:02 -------- d-----w c:\program files\Symantec
2009-03-12 09:03 . 2008-12-18 10:53 36400 ----a-r c:\windows\system32\drivers\SymIM.sys
2009-03-09 09:19 . 2009-02-12 23:40 410984 ----a-w c:\windows\SYSTEM32\deploytk.dll
2009-03-06 14:44 . 2004-08-04 11:00 283648 ----a-w c:\windows\SYSTEM32\pdh.dll
2009-03-03 00:18 . 2006-05-10 05:23 826368 ----a-w c:\windows\SYSTEM32\DLLCACHE\wininet.dll
2009-03-03 00:18 . 2004-08-04 11:00 826368 ----a-w c:\windows\SYSTEM32\wininet.dll
2009-02-28 04:54 . 2006-10-17 18:04 636072 ------w c:\windows\SYSTEM32\DLLCACHE\iexplore.exe
2009-02-26 22:28 . 2008-03-07 02:09 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-20 10:20 . 2007-05-09 20:01 13824 ------w c:\windows\SYSTEM32\DLLCACHE\ieudinit.exe
2009-02-20 10:20 . 2006-10-27 07:44 70656 ------w c:\windows\SYSTEM32\DLLCACHE\ie4uinit.exe
2009-02-20 05:14 . 2004-08-04 11:00 161792 ----a-w c:\windows\SYSTEM32\DLLCACHE\ieakui.dll
2009-02-09 10:20 . 2008-08-31 13:17 723456 ----a-w c:\windows\SYSTEM32\lsasrv.dll
2009-02-09 10:20 . 2004-08-04 11:00 399360 ----a-w c:\windows\SYSTEM32\rpcss.dll
2009-02-09 10:20 . 2008-08-31 13:17 616960 ----a-w c:\windows\SYSTEM32\advapi32.dll
2009-02-09 10:20 . 2008-08-31 13:17 714752 ----a-w c:\windows\SYSTEM32\ntdll.dll
2009-02-09 10:19 . 2008-10-14 23:19 1846272 ----a-w c:\windows\SYSTEM32\DLLCACHE\win32k.sys
2009-02-09 10:19 . 2008-08-31 13:17 1846272 ----a-w c:\windows\SYSTEM32\win32k.sys
2009-02-06 17:24 . 2008-10-14 23:21 2180480 ----a-w c:\windows\SYSTEM32\DLLCACHE\ntoskrnl.exe
2009-02-06 17:24 . 2008-08-31 13:17 2180480 ----a-w c:\windows\SYSTEM32\ntoskrnl.exe
2009-02-06 17:22 . 2008-10-14 23:21 2136064 ----a-w c:\windows\SYSTEM32\DLLCACHE\ntkrnlmp.exe
2009-02-06 17:14 . 2008-08-31 13:17 110592 ----a-w c:\windows\SYSTEM32\services.exe
2009-02-06 16:49 . 2008-10-14 23:21 2015744 ----a-w c:\windows\SYSTEM32\DLLCACHE\ntkrpamp.exe
2009-02-06 16:49 . 2008-10-14 23:21 2057728 ----a-w c:\windows\SYSTEM32\DLLCACHE\ntkrnlpa.exe
2009-02-06 16:49 . 2008-08-31 13:17 2057728 ----a-w c:\windows\SYSTEM32\ntkrnlpa.exe
2009-02-06 10:39 . 2004-08-04 11:00 35328 ----a-w c:\windows\SYSTEM32\sc.exe
2009-02-06 10:39 . 2004-08-04 11:00 35328 ----a-w c:\windows\SYSTEM32\DLLCACHE\sc.exe
2009-02-03 19:59 . 2009-02-03 19:59 56832 ------w c:\windows\SYSTEM32\DLLCACHE\secur32.dll
2008-10-09 23:35 . 2005-01-16 03:15 20816 -c--a-w c:\documents and settings\Iverson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2006-04-05 01:45 . 2006-04-05 01:45 130 -c--a-w c:\documents and settings\Iverson\Local Settings\Application Data\fusioncache.dat
2008-08-31 13:42 . 2008-08-31 13:42 32768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008083120080901\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-14 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-14 536576]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"DadApp"="c:\program files\Dell\AccessDirect\dadapp.exe" [2004-03-04 211828]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-11-16 127035]
"Dell QuickSet"="c:\progra~1\Dell\QuickSet\quickset.exe" [2004-03-05 487424]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-12-20 24576]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1005000.087\SYMEFA.SYS [2009-03-12 310320]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\Drivers\NIS\1005000.087\BHDrvx86.sys [2009-03-12 258608]
S1 ccHP;Symantec Hash Provider;c:\windows\System32\Drivers\NIS\1005000.087\ccHPx86.sys [2009-03-23 482352]
S1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20090420.001\IDSxpx86.sys [2009-01-29 276344]
S2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe [2009-03-12 115560]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-25 101936]

.
Contents of the 'Scheduled Tasks' folder

2009-04-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Iverson\Application Data\Mozilla\Firefox\Profiles\lhvny92v.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.ftp - :0
FF - prefs.js: network.proxy.gopher - :0
FF - prefs.js: network.proxy.http - :0
FF - prefs.js: network.proxy.socks - :0
FF - prefs.js: network.proxy.ssl - :0
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\documents and settings\Iverson\Application Data\Mozilla\Firefox\Profiles\lhvny92v.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-26 10:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Norton Internet Security\Engine\16.5.0.135\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1176)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(3440)
c:\program files\Windows Media Player\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-04-26 10:03
ComboFix-quarantined-files.txt 2009-04-26 14:03
ComboFix2.txt 2009-04-26 13:47
ComboFix3.txt 2009-04-23 10:09

Pre-Run: 2,919,845,888 bytes free
Post-Run: 2,904,805,376 bytes free

186 --- E O F --- 2009-04-26 13:02


Here is my Kaspersky scan log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Sunday, April 26, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Sunday, April 26, 2009 16:04:28
Records in database: 2081286
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 104635
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 03:12:26


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\gxvxcnndyouhhyiasityqqubrbexjwkmndrtx.dll.vir Infected: Trojan-Downloader.Win32.Agent.brpo 1

The selected area was scanned.


Please let me know what the next steps are. I have attached the files to this post as well. Thanks!
Attached Files
File Type: txt cfixlog4.26.2.txt (13.8 KB, 0 views)
File Type: txt Kapersky scan 4.26.1.txt (955 Bytes, 0 views)
gizzmojive is offline  
Old 04-26-2009, 04:56 PM   #8 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
Angelfire777's Avatar
 
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: Ad-Aware, Norton, & spybot not working. Webpages redirected to ad pages also!

Looks good.

The file that Kaspersky detected is a file inside ComboFix's quarantine folder, so no need to worry about it.

Click start > run > copy and paste:

combofix /u

That will hide your system files, clear your system restore cache and uninstall combofix.

Note: Make sure you update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Read TonyKlein's How Did I Get Infected In The First Place?.

Please check out miekiemoes' "How to Prevent Malware"

Happy safe surfing!

Note: Please reply to this thread one last time so I could mark it as resolved.
Angelfire777 is offline  
Old 04-26-2009, 07:50 PM   #9 (permalink)
Registered User
 
Join Date: Oct 2008
Posts: 8
OS: xp sp3


Re: Ad-Aware, Norton, & spybot not working. Webpages redirected to ad pages also!

I copied and pasted:

combofix /u

into the run command, but I got an "Error" pop up window that stated:

"You cannot rename Combofix.exe as cfix.exe
Please use another name, preferably made up of alphanumeric characters."

The only thing I could do was to Click "OK"

When I attempted to run the program again I was prompted with a "Combofix" window that stated:

"Windows cannot find 'combofix'. Make sure you typed the name correctly, then try again. To search for a file click the Start button, and then click Search."

The only thing I could do was to click "OK". Is this normal? What should I do to uninstall the combofix file? Please advise. Thanks.
gizzmojive is offline  
Old 04-27-2009, 12:05 PM   #10 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
Angelfire777's Avatar
 
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: Ad-Aware, Norton, & spybot not working. Webpages redirected to ad pages also!

Rename cfix.exe back to combofix.exe

Click Start > Run > copy and paste:

"%userprofile%\desktop\combofix.exe.exe" /u


Press Enter.

Let me know how it goes.
Angelfire777 is offline  
Old 04-29-2009, 02:01 PM   #11 (permalink)
Registered User
 
Join Date: Oct 2008
Posts: 8
OS: xp sp3


Re: Ad-Aware, Norton, & spybot not working. Webpages redirected to ad pages also!

OK, that did it. Thanks, I appreciate it!
gizzmojive is offline  
All times are GMT -7. The time now is 02:59 PM.



Copyright 2001 - 2009, Tech Support Forum