Network Cable unplugged
Bluetooth Dongle unplugged
All data transfers done using USB thumb drive from/to uninfected laptop
Turned off realtime File system protection in Norton Antivirus
Booted in Safe Mode
Ran SDFix
Restarted
Ran ComboFix
When combofix tried to reboot computer, RTVscan was launched (even after my attempt to disable it), so I closed the window and allowed combofix to continue
On restart ERROR message:
Norton AntiVirus has encountered a problem and needs to close. We are sorry for the inconvenience... Send Error Report?
Norton Antivirus no longer works
So basically, same as last time. The way I got around this was to uninstall manually (no uninstall application provided) using instructions from Symantec's website and reinstall.
Once again, I want to express my gratitude for helping me with these issues!!!!
Thank you thank you thank you!
See reports generated below:
----------------------------
SDFix:
SDFix: Version 1.213 Run by Garrett on Wed 08/06/2008 at 06:33 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :
Restoring Default Security Values
Restoring Default Hosts File
Rebooting
Checking Files :
Trojan Files Found:
C:\WINDOWS\system32\comsa32.sys - Deleted
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-08-06 18:46:53
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0011954fbc34]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0011954fbc34]
scanning hidden registry entries ...
scanning hidden files ...
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 65536 bytes
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 1
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"="C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7"
"C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Documents and Settings\\Anthony\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe"="C:\\Documents and Settings\\Anthony\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe:*:Enabled:Juniper Terminal Services Client"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\TurboTax\\Premier 2007\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Premier 2007\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Premier 2007\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Premier 2007\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\proe2001\\i486_nt\\nms\\nmsd.exe"="C:\\Program Files\\proe2001\\i486_nt\\nms\\nmsd.exe:*:Enabled:nmsd"
"C:\\Program Files\\proe2001\\i486_nt\\obj\\pro_comm_msg.exe"="C:\\Program Files\\proe2001\\i486_nt\\obj\\pro_comm_msg.exe:*:Enabled:pro_comm_msg"
"C:\\Program Files\\proe2001\\i486_nt\\obj\\xtop.exe"="C:\\Program Files\\proe2001\\i486_nt\\obj\\xtop.exe:*:Enabled:xtop"
"C:\\Program Files\\Airlink101\\Airlink101 PS Software\\PsLink.exe"="C:\\Program Files\\Airlink101\\Airlink101 PS Software\\PsLink.exe:*:Enabled:PsLink"
"C:\\WINDOWS\\PsMon.exe"="C:\\WINDOWS\\PsMon.exe:*:Enabled:PsMonitor"
"C:\\Documents and Settings\\Garrett\\Desktop\\SymNRT.exe"="C:\\Documents and Settings\\Garrett\\Desktop\\SymNRT.exe:*:Enabled:Symantec Removal Utility"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"="C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7"
Remaining Files :
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 7 Jul 2008 2,156,368 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Mon 4 Dec 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 19 Sep 2006 304,736 A..H. --- "C:\Program Files\Canon\MP Navigator 2.2\Maint.exe"
Mon 19 Dec 2005 61,440 A..H. --- "C:\Program Files\Canon\MP Navigator 2.2\uinstrsc.dll"
Sun 21 Jul 2002 418,816 ...HR --- "C:\WINDOWS\system32\Tools\All.exe"
Thu 18 Jul 2002 390,144 ...HR --- "C:\WINDOWS\system32\Tools\Change.exe"
Fri 19 Jul 2002 574,464 ...HR --- "C:\WINDOWS\system32\Tools\CheckPath.exe"
Mon 19 Aug 2002 430,592 ...HR --- "C:\WINDOWS\system32\Tools\Counter.exe"
Mon 22 Jul 2002 390,656 ...HR --- "C:\WINDOWS\system32\Tools\DelFolders.exe"
Fri 22 Nov 2002 399,872 ...HR --- "C:\WINDOWS\system32\Tools\DirectSetup.exe"
Fri 19 Jul 2002 388,096 ...HR --- "C:\WINDOWS\system32\Tools\RegClean.exe"
Fri 19 Jul 2002 388,608 ...HR --- "C:\WINDOWS\system32\Tools\Regexe.exe"
Sun 1 Dec 2002 431,616 ...HR --- "C:\WINDOWS\system32\Tools\Restart.exe"
Fri 19 Jul 2002 388,096 ...HR --- "C:\WINDOWS\system32\Tools\RunRegexe.exe"
Tue 15 May 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Thu 8 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\BIT39.tmp"
Fri 18 May 2007 2,873 ..SH. --- "C:\Documents and Settings\Garrett\Local Settings\Application Data\NewSoft\PageManager\7.15.14A\Setting\PM65.BAK"
Finished!
----------------------------
ComboFix:
ComboFix 08-08-06.02 - Garrett 2008-08-06 19:15:49.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.675 [GMT -7:00]
Running from: C:\Documents and Settings\Garrett\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\afinding.exe
C:\WINDOWS\system32\comsa32.sys
C:\WINDOWS\system32\Nobicyt.exe
C:\WINDOWS\system32\routing.exe
C:\WINDOWS\system32\WServing.exe
X:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_AFINDING
-------\Legacy_PERFMONS
-------\Legacy_ROUTING
-------\Legacy_WSERVING
-------\Service_AFinding
-------\Service_perfmons
-------\Service_Routing
-------\Service_WServing
-------\Legacy_NOBICYT
-------\Service_NOBICYT
((((((((((((((((((((((((( Files Created from 2008-07-07 to 2008-08-07 )))))))))))))))))))))))))))))))
.
2008-08-04 17:59 . 2008-08-04 18:07 <DIR> d-------- C:\Program Files\NavNT
2008-08-04 17:59 . 2008-08-04 17:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-01 15:52 . 2008-08-01 15:52 <DIR> d-------- C:\WINDOWS\ERUNT
2008-08-01 15:47 . 2008-08-06 18:55 <DIR> d-------- C:\SDFix
2008-07-25 10:56 . 2008-07-25 10:56 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-25 10:56 . 2008-07-25 10:56 <DIR> d-------- C:\Documents and Settings\Garrett\Application Data\Malwarebytes
2008-07-25 10:56 . 2008-07-25 10:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-25 10:56 . 2008-07-23 20:09 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-25 10:56 . 2008-07-23 20:09 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-25 10:27 . 2008-07-25 10:27 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-24 16:50 . 2008-08-03 06:43 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-22 16:53 . 2008-07-22 16:53 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-22 16:53 . 2008-07-22 17:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-17 18:13 . 2008-07-17 18:13 <DIR> d---s---- C:\Documents and Settings\LocalService\UserData
2008-07-14 19:50 . 2008-07-14 19:50 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AdobeUM
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-05 04:02 --------- d-----w C:\Program Files\Symantec
2008-08-05 00:59 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-23 00:33 --------- d-----w C:\Program Files\Neoteris
2008-07-23 00:33 --------- d-----w C:\Documents and Settings\Garrett\Application Data\Juniper Networks
2008-07-23 00:31 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2008-07-17 05:52 --------- d-----w C:\Program Files\QUICKENW
2008-07-14 00:09 --------- d-----w C:\Program Files\Java
2008-06-28 15:41 --------- d-----w C:\Documents and Settings\Garrett\Application Data\Canon
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-08 05:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-04-23 03:52 92,064 ----a-w C:\Documents and Settings\Garrett\mqdmmdm.sys
2007-04-23 03:52 9,232 ----a-w C:\Documents and Settings\Garrett\mqdmmdfl.sys
2007-04-23 03:52 79,328 ----a-w C:\Documents and Settings\Garrett\mqdmserd.sys
2007-04-23 03:52 66,656 ----a-w C:\Documents and Settings\Garrett\mqdmbus.sys
2007-04-23 03:52 6,208 ----a-w C:\Documents and Settings\Garrett\mqdmcmnt.sys
2007-04-23 03:52 5,936 ----a-w C:\Documents and Settings\Garrett\mqdmwhnt.sys
2007-04-23 03:52 4,048 ----a-w C:\Documents and Settings\Garrett\mqdmcr.sys
2007-04-23 03:52 25,600 ----a-w C:\Documents and Settings\Garrett\usbsermptxp.sys
2007-04-23 03:52 22,768 ----a-w C:\Documents and Settings\Garrett\usbsermpt.sys
2003-03-21 21:37 16,056 ----a-w C:\Program Files\owcstp16.dll
.
((((((((((((((((((((((((((((( snapshot_2008-08-03_ 7.12.31.14 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-01 11:32:34 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-08-03 11:05:39 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
- 2008-08-01 22:52:58 7,610,368 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-08-07 01:27:22 7,610,368 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
- 2008-08-01 22:52:58 598,016 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-08-07 01:27:23 598,016 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
- 2001-08-23 14:00:00 280,064 ----a-w C:\WINDOWS\system32\atsxyzd.sys
+ 2001-08-23 14:00:00 274,432 ----a-w C:\WINDOWS\system32\atsxyzd.sys
+ 2001-08-23 14:00:00 40,960 ----a-w C:\WINDOWS\system32\cfexfst.sys
- 2003-07-07 23:37:36 45,056 ----a-w C:\WINDOWS\system32\NavLogon.dll
+ 2003-07-07 22:37:36 45,056 ----a-w C:\WINDOWS\system32\NavLogon.dll
- 2008-08-03 13:49:34 59,780 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-08-07 01:17:58 59,780 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-08-03 13:49:34 397,560 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-08-07 01:17:58 397,560 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2001-08-23 14:00:00 186,880 ----a-w C:\WINDOWS\system32\perfs.exe
+ 2001-08-23 14:00:00 187,392 ----a-w C:\WINDOWS\system32\perfs.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-11-17 11:33 3022848]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 15:46 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 16:04 40960]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 02:50 204800]
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 12:45 75304]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 18:08 813912]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-09-06 15:53 169264]
"vptray"="C:\Program Files\NavNT\vptray.exe" [2003-07-07 15:39 77824]
"SoundMan"="SOUNDMAN.EXE" [2005-07-22 16:00 81920 C:\WINDOWS\SOUNDMAN.EXE]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 110592 C:\WINDOWS\system32\bthprops.cpl]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk.disabled [2008-05-16 07:16:41 1757]
PS-Link.lnk - C:\Program Files\Airlink101\Airlink101 PS Software\PsLink.exe [2008-02-27 19:46:07 416768]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"Uniblue RegistryBooster 2"=C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
"nwiz"=nwiz.exe /install
"ControlCenter2.0"=C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"SetDefPrt"=C:\Program Files\Brother\Brmfl04b\BrStDvPt.exe
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Documents and Settings\\Anthony\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\proe2001\\i486_nt\\nms\\nmsd.exe"=
"C:\\Program Files\\proe2001\\i486_nt\\obj\\pro_comm_msg.exe"=
"C:\\Program Files\\proe2001\\i486_nt\\obj\\xtop.exe"=
"C:\\Program Files\\Airlink101\\Airlink101 PS Software\\PsLink.exe"=
"C:\\WINDOWS\\PsMon.exe"=
R2 Maxtor Sync Service;Maxtor Service;C:\Program Files\Maxtor\Sync\SyncServices.exe [2007-09-28 13:24]
R3 BusRMUSB;Remote USB Bus;C:\WINDOWS\system32\DRIVERS\BusRMUSB.sys [2007-05-30 11:36]
R3 lknuhst;Linksys Network USB Host Controller;C:\WINDOWS\system32\DRIVERS\lknuhst.sys [2006-10-18 18:32]
R3 LKNUHUB;Linksys Network USB Root Hub;C:\WINDOWS\system32\DRIVERS\lknuhub.sys [2006-10-18 18:32]
S3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;C:\WINDOWS\system32\Drivers\BrSerIf.sys [2004-06-12 06:27]
S3 BrUsbSer;Brother MFC USB Serial WDM Driver;C:\WINDOWS\system32\Drivers\BrUsbSer.sys [2004-01-10 05:28]
S3 LKNUCMP;Linksys Network USB Composite Device;C:\WINDOWS\system32\DRIVERS\lknucmp.sys [2006-10-18 18:32]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Garrett\Application Data\Mozilla\Firefox\Profiles\zs6hl1jn.default\
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-08-06 19:24:17
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\system32\CBA\PDS.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\CBA\XFR.EXE
C:\WINDOWS\system32\MSGSYS.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\PsMon.exe
.
**************************************************************************
.
Completion time: 2008-08-06 19:35:06 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-07 02:34:02
ComboFix2.txt 2008-08-03 14:13:55
ComboFix3.txt 2008-07-25 18:43:14
Pre-Run: 18,019,094,528 bytes free
Post-Run: 18,016,198,656 bytes free
183 --- E O F --- 2008-07-10 03:57:34
----------------------------
Hijackthis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:43:01 PM, on 8/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\system32\cba\pds.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Airlink101\Airlink101 PS Software\PsLink.exe
C:\WINDOWS\psmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: PS-Link.lnk = ?
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://vpnla.fandango.com/dana-cached/ ... tupSP1.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
--
End of file - 7681 bytes
----------------------------