Maple

Members; Rank: New Member; Content Count: 3

System Specifications: Dell Dimension 8200 (P4, 2.8), Win XP Pro SP3
  1. Below is the DrWeb log that you requested:

     data002\32788R22FWJFW\C.bat;C:\Computer security\ComboFix\ComboFix.exe\data002;Probably BATCH.Virus;;
     data002\32788R22FWJFW\psexec.cfexe;C:\Computer security\ComboFix\ComboFix.exe\data002;Program.PsExec.171;;
     data002;C:\Computer security\ComboFix\ComboFix.exe;Archive contains infected objects;;
     ComboFix.exe;C:\Computer security\ComboFix;Archive contains infected objects;;
     data002\32788R22FWJFW\C.bat;C:\Documents and Settings\Andy\Desktop\ComboFix.exe\data002;Probably BATCH.Virus;;
     data002\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\Andy\Desktop\ComboFix.exe\data002;Program.PsExec.171;;
     data002;C:\Documents and Settings\Andy\Desktop\ComboFix.exe;Archive contains infected objects;;
     ComboFix.exe;C:\Documents and Settings\Andy\Desktop;Archive contains infected objects;;
     A0007980.bat;C:\System Volume Information\_restore{240FE57D-533E-4FB5-922A-A12BCC0C250B}\RP47;Probably BATCH.Virus;;

     The PC behaved OK for at least 3-4 hours today, but for the past two hours, both Task Manager and Norton IS 2009 have indicated that CPU usage is 100%. Task Manager shows that "System" is the process consuming 83% of the CPU time, although it can fluctuate as low as 70% and as high as 87%. Memory usage for the process is relatively low: just 236K. After "System," the most CPU-intensive processes are ccSvcHst.exe, WG111CFG.exe, and explorer.exe. Thanks for looking at the logs.
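The Dr.Web log above is worth reading structurally rather than line by line: every record is `object;container;verdict;;`, and for members of an archive the container field is the archive's own path, so `…\ComboFix.exe\data002` means a file packed inside ComboFix.exe, not a loose file on disk. The script below is an added example (not part of the post, and not Dr.Web's code) that folds the nine records into one entry per on-disk artifact and labels each one. The labels are name-based hints, which is an assumption of this example: a file called ComboFix.exe is only trustworthy if it is the real download, so verify the binary's hash before accepting the "tool-bundled" label.

```python
"""Triage a Dr.Web text log of the shape pasted in the post above.

Added example; not part of the forum post and not Dr.Web's own code.
Each record is  object;container;verdict;;  where container is either the
directory holding the object or, for members of an archive, the path of
the archive itself. The functions below collapse member records and the
"Archive contains infected objects" summary rows into one entry per file
that actually exists on disk, then label each entry for triage.
"""
import re
from collections import defaultdict

# The nine records from the post (constructed test input, copied from the log).
DRWEB_LOG = r"""data002\32788R22FWJFW\C.bat;C:\Computer security\ComboFix\ComboFix.exe\data002;Probably BATCH.Virus;;
data002\32788R22FWJFW\psexec.cfexe;C:\Computer security\ComboFix\ComboFix.exe\data002;Program.PsExec.171;;
data002;C:\Computer security\ComboFix\ComboFix.exe;Archive contains infected objects;;
ComboFix.exe;C:\Computer security\ComboFix;Archive contains infected objects;;
data002\32788R22FWJFW\C.bat;C:\Documents and Settings\Andy\Desktop\ComboFix.exe\data002;Probably BATCH.Virus;;
data002\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\Andy\Desktop\ComboFix.exe\data002;Program.PsExec.171;;
data002;C:\Documents and Settings\Andy\Desktop\ComboFix.exe;Archive contains infected objects;;
ComboFix.exe;C:\Documents and Settings\Andy\Desktop;Archive contains infected objects;;
A0007980.bat;C:\System Volume Information\_restore{240FE57D-533E-4FB5-922A-A12BCC0C250B}\RP47;Probably BATCH.Virus;;
"""

# Shortest path prefix ending in an archive-like extension; anything past it is inside the archive.
ARCHIVE = re.compile(r"^(.*?\.(?:exe|zip|rar|cab|7z|msi))(?:\\|$)", re.IGNORECASE)


def parse_drweb(text):
    """Yield (object, container, verdict) per record; the empty trailing fields are dropped."""
    for line in text.splitlines():
        fields = line.rstrip(";").split(";")
        if len(fields) < 3:
            continue
        yield fields[0], fields[1], fields[2]


def on_disk_path(obj, container):
    """Resolve a record to the file that actually exists on disk."""
    m = ARCHIVE.match(container)
    if m:
        return m.group(1)            # member of an archive: report the archive itself
    return container + "\\" + obj    # plain file: directory + file name


def classify(path):
    """Label an artifact. Name-based, so a triage hint only (assumption of this example)."""
    lower = path.lower()
    if lower.endswith("\\combofix.exe"):
        return "tool-bundled"   # ComboFix carries PsExec and batch scripts inside itself
    if "\\system volume information\\" in lower:
        return "restore-point"  # a copy inside a restore point; goes away when restore points are purged
    return "review"


def triage(text):
    """Return {on-disk path: (label, [(member object, verdict), ...])}."""
    groups = defaultdict(list)
    for obj, container, verdict in parse_drweb(text):
        if verdict.startswith("Archive contains"):
            continue  # summary row; the member records already carry the detail
        groups[on_disk_path(obj, container)].append((obj, verdict))
    return {path: (classify(path), hits) for path, hits in groups.items()}


if __name__ == "__main__":
    for path, (label, hits) in triage(DRWEB_LOG).items():
        print(f"[{label}] {path}")
        for obj, verdict in hits:
            print(f"    {obj}: {verdict}")
```

Run against the post's log this yields three artifacts: the two copies of ComboFix.exe (each carrying the C.bat and psexec.cfexe hits) and one batch file preserved in restore point RP47, with nothing left in the "review" bucket. A record for a loose file in a non-archive directory would land in "review".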
  2. Thanks for your help, noahdfear. Below are the logs that you requested, plus a ComboFix log that I didn't include in my first post.

     ---------

     DDS (Ver_09-01-07.01) - NTFSx86
     Run by Andy at 20:44:21.65 on Mon 01/12/2009
     Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.653 [GMT -5:00]

     AV: Norton Internet Security *On-access scanning disabled* (Updated)
     FW: Webroot Internet Security Essentials *disabled*
     FW: Norton Internet Security *disabled*

     ============== Running Processes ===============

     C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
     C:\WINDOWS\system32\svchost -k DcomLaunch
     svchost.exe
     C:\WINDOWS\System32\svchost.exe -k netsvcs
     svchost.exe
     svchost.exe
     C:\WINDOWS\system32\spoolsv.exe
     C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
     C:\Program Files\Bonjour\mDNSResponder.exe
     C:\Program Files\Java\jre6\bin\jqs.exe
     C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
     C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
     C:\WINDOWS\system32\nvsvc32.exe
     C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
     C:\WINDOWS\Explorer.EXE
     C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
     C:\WINDOWS\DELLMMKB.EXE
     C:\Program Files\iTunes\iTunesHelper.exe
     C:\Program Files\Netropa\OSD.exe
     C:\WINDOWS\system32\RUNDLL32.EXE
     C:\Program Files\Java\jre6\bin\jusched.exe
     C:\WINDOWS\system32\tbctray.exe
     C:\WINDOWS\system32\ctfmon.exe
     C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
     C:\Program Files\iPod\bin\iPodService.exe
     C:\WINDOWS\system32\wscntfy.exe
     C:\Documents and Settings\Andy\Desktop\dds.scr

     ============== Pseudo HJT Report ===============

     uInternet Settings,ProxyOverride = *.local
     BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
     BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\16.2.0.7\coIEPlg.dll
     BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\16.2.0.7\IPSBHO.DLL
     BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
     BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
     BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
     TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.2.0.7\coIEPlg.dll
     uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
     mRun: [DellTouch] "c:\windows\DELLMMKB.EXE"
     mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
     mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
     mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
     mRun: [NvCplDaemon] "c:\windows\system32\rundll32.exe" c:\windows\system32\NvCpl.dll,NvStartup
     mRun: [nwiz] "c:\windows\system32\nwiz.exe" /install
     mRun: [NvMediaCenter] "c:\windows\system32\rundll32.exe" c:\windows\system32\NvMcTray.dll,NvTaskbarInit
     mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
     mRun: [TraySantaCruz] "c:\windows\system32\tbctray.exe"
     mRun: [spySweeper] "c:\program files\webroot\webrootsecurity\SpySweeperUI.exe" /startintray
     StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\smartw~1.lnk - c:\program files\netgear\wg111 configuration utility\WG111CFG.exe
     IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
     IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
     IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
     IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
     Trusted Zone: microsoft.com\*.update
     Trusted Zone: windowsupdate.com\download
     Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\engine\16.2.0.7\CoIEPlg.dll
     SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

     ================= FIREFOX ===================

     FF - ProfilePath - c:\docume~1\andy\applic~1\mozilla\firefox\profiles\tbxuoa66.default\
     FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
     FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
     FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll

     ============= SERVICES / DRIVERS ===============

     R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-11-12 29808]
     R0 SymEFA;Symantec Extended File Attributes;\SystemRoot\\SystemRoot\System32\Drivers\NIS\1002000.007\SYMEFA.SYS --> \SystemRoot\\SystemRoot\System32\Drivers\NIS\1002000.007\SYMEFA.SYS [?]
     R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1002000.007\BHDrvx86.sys [2008-12-18 255536]
     R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1002000.007\cchpx86.sys [2008-12-18 362544]
     R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090109.001\IDSxpx86.sys [2009-1-12 274808]
     R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-12-18 99376]
     R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090112.003\NAVENG.SYS [2009-1-12 89104]
     R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090112.003\NAVEX15.SYS [2009-1-12 876112]
     R3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [2008-12-12 144768]
     R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [2008-12-12 545088]
     R4 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\engine\16.2.0.7\ccSvcHst.exe [2008-12-18 115560]
     R4 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\webrootsecurity\SpySweeper.exe [2008-11-12 3667312]
     R4 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2009-1-6 1086840]

     =============== Created Last 30 ================

     2009-01-09 13:46 73,728 a------- c:\windows\system32\javacpl.cpl
     2009-01-09 12:30 <DIR> a-dshr-- C:\cmdcons
     2009-01-09 12:29 161,792 a------- c:\windows\SWREG.exe
     2009-01-09 12:29 98,816 a------- c:\windows\sed.exe
     2009-01-09 12:01 410,984 a------- c:\windows\system32\deploytk.dll
     2009-01-09 00:43 <DIR> --d----- c:\program files\SpeedFan
     2009-01-09 00:43 45 a------- c:\windows\system32\initdebug.nfo
     2009-01-08 11:14 <DIR> --d----- c:\program files\MSXML 4.0
     2009-01-07 18:14 <DIR> --d----- c:\docume~1\andy\applic~1\Malwarebytes
     2009-01-07 18:13 15,504 a------- c:\windows\system32\drivers\mbam.sys
     2009-01-07 18:13 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
     2009-01-07 18:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
     2009-01-07 18:13 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
     2009-01-07 18:05 <DIR> --d----- C:\Computer security
     2009-01-06 23:20 1,553,272 a------- c:\windows\WRSetup.dll
     2009-01-06 23:20 <DIR> --d----- c:\program files\Webroot
     2009-01-06 23:20 <DIR> --d----- c:\docume~1\andy\applic~1\Webroot
     2009-01-06 23:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Webroot
     2009-01-06 23:06 164 a------- C:\install.dat
     2009-01-06 23:04 <DIR> --d----- C:\Spy Sweeper
     2009-01-06 13:06 664 a------- c:\windows\system32\d3d9caps.dat
     2008-12-27 18:19 <DIR> --d-h--- c:\windows\system32\GroupPolicy
     2008-12-19 20:33 88,566 a------- c:\windows\system32\nvapps.xml
     2008-12-19 20:33 208,896 a------- c:\windows\system32\nvudisp.exe
     2008-12-19 20:33 17,056 a------- c:\windows\system32\nvdisp.nvu
     2008-12-19 20:32 208,896 a------- c:\windows\system32\NVUNINST.EXE
     2008-12-19 20:32 <DIR> --d----- C:\NVIDIA
     2008-12-19 20:19 <DIR> --d----- c:\program files\SystemRequirementsLab
     2008-12-19 18:55 248,448 a------- c:\windows\system32\PROUnstl.exe
     2008-12-19 18:52 <DIR> --d----- c:\program files\Windows Media Connect 2
     2008-12-19 18:51 <DIR> --d----- c:\windows\system32\LogFiles
     2008-12-19 18:46 <DIR> --d----- c:\windows\nview
     2008-12-19 18:45 <DIR> --d----- c:\program files\CONEXANT
     2008-12-19 18:43 <DIR> --d----- c:\windows\system32\URTTemp
     2008-12-19 17:29 30,512 a------- c:\windows\system32\mdimon.dll
     2008-12-19 17:24 <DIR> --d----- c:\windows\SHELLNEW
     2008-12-19 16:14 26,368 ac------ c:\windows\system32\dllcache\usbstor.sys
     2008-12-19 15:50 376 a------- c:\windows\ODBC.INI
     2008-12-19 15:43 268,648 a------- c:\windows\system32\mucltui.dll
     2008-12-19 15:43 27,496 a------- c:\windows\system32\mucltui.dll.mui
     2008-12-18 19:32 107,368 a------- c:\windows\system32\GEARAspi.dll
     2008-12-18 19:32 15,464 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
     2008-12-18 19:31 <DIR> --d----- c:\program files\iPod
     2008-12-18 19:31 <DIR> --d----- c:\program files\iTunes
     2008-12-18 19:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
     2008-12-18 19:31 <DIR> --d----- c:\program files\Bonjour
     2008-12-18 17:38 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
     2008-12-18 17:11 <DIR> --d--r-- c:\program files\Norton Support
     2008-12-18 14:56 36,272 a----r-- c:\windows\system32\drivers\SymIM.sys
     2008-12-18 13:52 6,066,176 -c------ c:\windows\system32\dllcache\ieframe.dll
     2008-12-18 13:52 2,455,488 -c------ c:\windows\system32\dllcache\ieapfltr.dat
     2008-12-18 13:52 991,232 -c------ c:\windows\system32\dllcache\ieframe.dll.mui
     2008-12-18 13:52 459,264 -c------ c:\windows\system32\dllcache\msfeeds.dll
     2008-12-18 13:52 383,488 -c------ c:\windows\system32\dllcache\ieapfltr.dll
     2008-12-18 13:52 267,776 -c------ c:\windows\system32\dllcache\iertutil.dll
     2008-12-18 13:52 63,488 -c------ c:\windows\system32\dllcache\icardie.dll
     2008-12-18 13:52 52,224 -c------ c:\windows\system32\dllcache\msfeedsbs.dll
     2008-12-18 13:52 13,824 -c------ c:\windows\system32\dllcache\ieudinit.exe
     2008-12-18 13:23 <DIR> --d----- c:\windows\system32\scripting
     2008-12-18 13:23 <DIR> --d----- c:\windows\l2schemas
     2008-12-18 13:23 <DIR> --d----- c:\windows\system32\en
     2008-12-18 13:23 <DIR> --d----- c:\windows\system32\bits
     2008-12-18 13:20 <DIR> --d----- c:\windows\ServicePackFiles
     2008-12-18 13:16 <DIR> --d----- c:\windows\network diagnostic
     2008-12-18 13:02 104,960 -------- c:\windows\system32\drivers\atinrvxx.sys
     2008-12-18 12:52 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
     2008-12-18 12:51 138,496 -c------ c:\windows\system32\dllcache\afd.sys
     2008-12-18 12:51 333,824 -c------ c:\windows\system32\dllcache\srv.sys
     2008-12-18 12:50 826,368 -c------ c:\windows\system32\dllcache\wininet.dll
     2008-12-18 12:50 1,160,192 -c------ c:\windows\system32\dllcache\urlmon.dll
     2008-12-18 12:50 1,499,136 -c------ c:\windows\system32\dllcache\shdocvw.dll
     2008-12-18 12:49 1,846,400 -c------ c:\windows\system32\dllcache\win32k.sys
     2008-12-18 12:49 2,145,280 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
     2008-12-18 12:49 2,189,184 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
     2008-12-18 12:49 2,023,936 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
     2008-12-18 12:49 2,066,048 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe
     2008-12-18 12:49 3,593,216 -c------ c:\windows\system32\dllcache\mshtml.dll
     2008-12-18 12:49 203,136 -c------ c:\windows\system32\dllcache\rmcast.sys
     2008-12-18 12:49 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
     2008-12-18 12:49 331,776 -c------ c:\windows\system32\dllcache\msadce.dll
     2008-12-18 12:49 691,712 -c------ c:\windows\system32\dllcache\inetcomm.dll
     2008-12-18 12:48 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll
     2008-12-18 12:48 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll
     2008-12-18 12:48 <DIR> --dsh--- c:\documents and settings\andy\UserData
     2008-12-18 12:47 <DIR> --d----- c:\windows\system32\PreInstall
     2008-12-18 12:47 26,488 a------- c:\windows\system32\spupdsvc.exe
     2008-12-18 12:35 60,808 a------- c:\windows\system32\S32EVNT1.DLL
     2008-12-18 12:35 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
     2008-12-18 12:35 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
     2008-12-18 12:35 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
     2008-12-18 12:35 <DIR> --d----- c:\program files\Symantec
     2008-12-18 12:35 <DIR> --d----- c:\program files\common files\Symantec Shared
     2008-12-18 12:35 <DIR> --d----- c:\windows\system32\drivers\NIS
     2008-12-18 12:35 <DIR> --d----- c:\program files\Norton Internet Security
     2008-12-18 12:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
     2008-12-18 12:26 <DIR> --d----- c:\program files\NortonInstaller
     2008-12-18 12:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller

     ==================== Find3M ====================

     2008-12-18 17:26 87,263 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
     2008-12-12 20:00 21,640 a------- c:\windows\system32\emptyregdb.dat
     2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
     2008-10-16 15:38 826,368 a------- c:\windows\system32\wininet.dll
     2008-10-16 14:07 208,744 a------- c:\windows\system32\muweb.dll

     ============= FINISH: 20:48:52.06 ===============

     ---------

     UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG. IF REQUESTED, ZIP IT UP & ATTACH IT

     DDS (Ver_09-01-07.01)

     Microsoft Windows XP Professional
     Boot Device: \Device\HarddiskVolume1
     Install Date: 12/12/2008 8:06:00 PM
     System Uptime: 1/12/2009 10:49:34 AM (10 hours ago)

     Motherboard: Dell Computer Corp. | |
     Processor: Intel® Pentium® 4 CPU 2.80GHz | Microprocessor | 2784/133mhz

     ==== Disk Partitions =========================

     A: is Removable
     C: is FIXED (NTFS) - 112 GiB total, 91.522 GiB free.
     D: is CDROM ()

     ==== Disabled Device Manager Items =============

     ==== System Restore Points ===================

     RP1: 12/12/2008 8:26:54 PM - System Checkpoint
     RP2: 12/12/2008 8:29:14 PM - Installed NETGEAR WG111 Software
     RP3: 12/12/2008 8:30:36 PM - Unsigned driver install
     RP4: 12/12/2008 8:56:54 PM - Printer Driver HP LaserJet 2200 Series PCL 6 Installed
     RP5: 12/13/2008 9:13:55 PM - System Checkpoint
     RP6: 12/13/2008 10:24:20 PM - Andy restore point, clean XP, before apps and XP updates installed
     RP7: 12/18/2008 12:47:32 PM - Software Distribution Service 3.0
     RP8: 12/18/2008 12:51:10 PM - Software Distribution Service 3.0
     RP9: 12/18/2008 1:07:34 PM - Software Distribution Service 3.0
     RP10: 12/18/2008 1:33:58 PM - Software Distribution Service 3.0
     RP11: 12/18/2008 1:46:31 PM - Software Distribution Service 3.0
     RP12: 12/18/2008 1:57:59 PM - Software Distribution Service 3.0
     RP13: 12/18/2008 2:00:42 PM - Software Distribution Service 3.0
     RP14: 12/18/2008 7:31:45 PM - Installed iTunes
     RP15: 12/18/2008 8:50:55 PM - Installed Adobe Reader 9.
     RP16: 12/19/2008 3:48:59 PM - Installed Microsoft FrontPage 2002
     RP17: 12/19/2008 3:57:02 PM - Installed Microsoft Office FrontPage 2003
     RP18: 12/19/2008 5:22:45 PM - Installed Microsoft Office Professional 2007
     RP19: 12/19/2008 5:29:53 PM - Printer Driver Microsoft Office Document Image Writer Installed
     RP20: 12/19/2008 6:00:20 PM - Software Distribution Service 3.0
     RP21: 12/19/2008 6:43:21 PM - Software Distribution Service 3.0
     RP22: 12/19/2008 7:07:12 PM - Software Distribution Service 3.0
     RP23: 12/20/2008 2:53:45 AM - Configured Microsoft Office Professional 2007
     RP24: 12/20/2008 3:00:13 AM - Software Distribution Service 3.0
     RP25: 12/20/2008 3:06:22 AM - Software Distribution Service 3.0
     RP26: 12/21/2008 3:51:56 AM - System Checkpoint
     RP27: 12/23/2008 10:57:32 PM - System Checkpoint
     RP28: 12/27/2008 10:35:44 PM - System Checkpoint
     RP29: 12/28/2008 11:31:21 PM - System Checkpoint
     RP30: 12/30/2008 1:43:29 PM - System Checkpoint
     RP31: 12/31/2008 7:49:59 PM - System Checkpoint
     RP32: 1/1/2009 8:11:30 PM - System Checkpoint
     RP33: 1/2/2009 8:22:35 PM - System Checkpoint
     RP34: 1/3/2009 10:54:38 PM - System Checkpoint
     RP35: 1/4/2009 11:09:48 PM - System Checkpoint
     RP36: 1/5/2009 9:59:19 PM - Restore Operation
     RP37: 1/6/2009 10:48:01 AM - Restore Operation
     RP38: 1/6/2009 10:50:11 AM - Restore Operation
     RP39: 1/6/2009 10:52:13 AM - Restore Operation
     RP40: 1/6/2009 10:54:19 AM - Restore Operation
     RP41: 1/6/2009 11:02:40 AM - Restore Operation
     RP42: 1/6/2009 11:05:01 AM - Restore Operation
     RP43: 1/6/2009 11:10:32 AM - Restore Operation
     RP44: 1/7/2009 3:50:08 PM - System Checkpoint
     RP45: 1/8/2009 11:14:17 AM - Software Distribution Service 3.0
     RP46: 1/9/2009 12:00:55 PM - Installed Java 6 Update 11
     RP47: 1/9/2009 12:29:31 PM - ComboFix created restore point
     RP48: 1/9/2009 1:12:20 PM - Removed Java 6 Update 11
     RP49: 1/9/2009 1:18:55 PM - Installed Java 6 Update 11
     RP50: 1/9/2009 1:42:29 PM - Removed Java 6 Update 11
     RP51: 1/9/2009 1:45:44 PM - Installed Java 6 Update 11
     RP52: 1/12/2009 11:36:02 AM - System Checkpoint

     ==== Installed Programs ======================

     2007 Microsoft Office Suite Service Pack 1 (SP1)
     Acrobat.com
     Adobe AIR
     Adobe Flash Player 10 ActiveX
     Adobe Flash Player 10 Plugin
     Adobe Reader 9
     Apple Mobile Device Support
     Apple Software Update
     Bonjour
     Conexant HSF V92 56K RTAD Speakerphone PCI Modem
     Dell ResourceCD
     DellTouch
     HijackThis 2.0.2
     Hotfix for Windows Media Format 11 SDK (KB929399)
     Hotfix for Windows Media Player 11 (KB939683)
     Hotfix for Windows XP (KB952287)
     HP LaserJet 2200 Uninstaller
     Intel® Network Connections Drivers
     iTunes
     Java 6 Update 11
     Malwarebytes' Anti-Malware
     Microsoft .NET Framework 1.1
     Microsoft .NET Framework 1.1 Hotfix (KB928366)
     Microsoft .NET Framework 2.0 Service Pack 1
     Microsoft Compression Client Pack 1.0 for Windows XP
     Microsoft Internationalized Domain Names Mitigation APIs
     Microsoft National Language Support Downlevel APIs
     Microsoft Office Access MUI (English) 2007
     Microsoft Office Access Setup Metadata MUI (English) 2007
     Microsoft Office Excel MUI (English) 2007
     Microsoft Office FrontPage 2003
     Microsoft Office Outlook MUI (English) 2007
     Microsoft Office PowerPoint MUI (English) 2007
     Microsoft Office Professional 2007
     Microsoft Office Proof (English) 2007
     Microsoft Office Proof (French) 2007
     Microsoft Office Proof (Spanish) 2007
     Microsoft Office Proofing (English) 2007
     Microsoft Office Publisher MUI (English) 2007
     Microsoft Office Shared MUI (English) 2007
     Microsoft Office Shared Setup Metadata MUI (English) 2007
     Microsoft Office Word MUI (English) 2007
     Microsoft Silverlight
     Microsoft Software Update for Web Folders (English) 12
     Microsoft User-Mode Driver Framework Feature Pack 1.0
     Mozilla Firefox (3.0.5)
     MSXML 4.0 SP2 (KB954430)
     MSXML 4.0 SP2 and SOAP Toolkit 3.0
     NETGEAR WG111 Software
     Norton Internet Security
     NVIDIA Drivers
     QuickTime
     Santa Cruz
     Security Update for 2007 Microsoft Office System (KB951550)
     Security Update for 2007 Microsoft Office System (KB951944)
     Security Update for 2007 Microsoft Office System (KB958439)
     Security Update for Microsoft Office Excel 2007 (KB958437)
     Security Update for Microsoft Office PowerPoint 2007 (KB951338)
     Security Update for Microsoft Office Publisher 2007 (KB950114)
     Security Update for Microsoft Office system 2007 (KB954326)
     Security Update for Microsoft Office system 2007 (KB956828)
     Security Update for Microsoft Office Word 2007 (KB956358)
     Security Update for Windows Internet Explorer 7 (KB938127-v2)
     Security Update for Windows Internet Explorer 7 (KB956390)
     Security Update for Windows Internet Explorer 7 (KB958215)
     Security Update for Windows Internet Explorer 7 (KB960714)
     Security Update for Windows Media Player (KB952069)
     Security Update for Windows Media Player 11 (KB936782)
     Security Update for Windows Media Player 11 (KB954154)
     Security Update for Windows XP (KB923789)
     Security Update for Windows XP (KB938464)
     Security Update for Windows XP (KB941569)
     Security Update for Windows XP (KB946648)
     Security Update for Windows XP (KB950762)
     Security Update for Windows XP (KB950974)
     Security Update for Windows XP (KB951066)
     Security Update for Windows XP (KB951376-v2)
     Security Update for Windows XP (KB951698)
     Security Update for Windows XP (KB952954)
     Security Update for Windows XP (KB954211)
     Security Update for Windows XP (KB954459)
     Security Update for Windows XP (KB954600)
     Security Update for Windows XP (KB955069)
     Security Update for Windows XP (KB956391)
     Security Update for Windows XP (KB956802)
     Security Update for Windows XP (KB956803)
     Security Update for Windows XP (KB956841)
     Security Update for Windows XP (KB957095)
     Security Update for Windows XP (KB957097)
     Security Update for Windows XP (KB958215)
     Security Update for Windows XP (KB958644)
     Security Update for Windows XP (KB960714)
     Spy Sweeper
     Spy Sweeper Core
     System Requirements Lab
     Update for Microsoft Office 2007 Help for Common Features (KB957244)
     Update for Microsoft Office Access 2007 Help (KB957241)
     Update for Microsoft Office Excel 2007 Help (KB957242)
     Update for Microsoft Office Outlook 2007 (KB952142)
     Update for Microsoft Office Outlook 2007 Help (KB957246)
     Update for Microsoft Office PowerPoint 2007 Help (KB957247)
     Update for Microsoft Office Publisher 2007 Help (KB957249)
     Update for Microsoft Office Word 2007 Help (KB957252)
     Update for Microsoft Script Editor Help (KB957253)
     Update for Office 2007 (KB946691)
     Update for Outlook 2007 Junk Email Filter (kb958619)
     Update for Windows XP (KB951978)
     Update for Windows XP (KB955839)
     WebFldrs XP
     Windows Genuine Advantage Notifications (KB905474)
     Windows Genuine Advantage Validation Tool (KB892130)
     Windows Internet Explorer 7
     Windows Media Format 11 runtime
     Windows Media Player 11
     Windows XP Service Pack 3

     ==== Event Viewer Messages From Past Week ========

     1/6/2009 11:09:56 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
     1/6/2009 11:09:57 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}
     1/6/2009 11:10:01 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
     1/6/2009 11:17:39 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
     1/6/2009 11:20:50 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
     1/6/2009 11:20:50 AM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
     1/6/2009 1:06:49 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: BHDrvx86 ccHP eeCtrl Fips IDSxpx86 intelppm OMCI SRTSPX SYMTDI
     1/6/2009 2:21:19 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
     1/8/2009 2:28:51 AM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
     1/8/2009 2:30:38 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
     1/8/2009 10:58:57 AM, error: Service Control Manager [7006] - The ScRegSetValueExW call failed for Start with the following error: Access is denied.
     1/11/2009 1:22:23 AM, error: Dhcp [1002] - The IP address lease 10.0.1.3 for the Network Card with network address 000FB59133EF has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
     1/11/2009 8:19:45 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.
     1/11/2009 8:19:45 PM, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

     ==== End Of File ===========================

     ---------

     GMER 1.0.14.14536 - http://www.gmer.net
     Rootkit scan 2009-01-12 21:49:51
     Windows 5.1.2600 Service Pack 3

     ---- System - GMER 1.0.14 ----

     SSDT 86543820 ZwAlertResumeThread
     SSDT 8654E0F0 ZwAlertThread
     SSDT 85708730 ZwAllocateVirtualMemory
     SSDT 86534F30 ZwAssignProcessToJobObject
     SSDT 86542B58 ZwConnectPort
     SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xF5AA5020]
     SSDT 85705DE0 ZwCreateMutant
     SSDT 867D99A0 ZwCreateProcess
     SSDT 867D9928 ZwCreateProcessEx
     SSDT 85705828 ZwCreateSymbolicLinkObject
     SSDT 865A2760 ZwCreateThread
     SSDT 86536200 ZwDebugActiveProcess
     SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xF5AA52A0]
     SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xF5AA5800]
     SSDT 85708808 ZwDuplicateObject
     SSDT 85706808 ZwFreeVirtualMemory
     SSDT 8653D628 ZwImpersonateAnonymousToken
     SSDT 8653E0A8 ZwImpersonateThread
     SSDT 865A7C40 ZwLoadDriver
     SSDT 865A23B8 ZwMapViewOfSection
     SSDT 8653A1B8 ZwOpenEvent
     SSDT 856F5CB8 ZwOpenProcess
     SSDT 86587280 ZwOpenProcessToken
     SSDT 86537188 ZwOpenSection
     SSDT 85708898 ZwOpenThread
     SSDT 857058B8 ZwProtectVirtualMemory
     SSDT 867925C0 ZwQueueApcThread
     SSDT 86792458 ZwReadVirtualMemory
     SSDT 867D9B80 ZwRenameKey
     SSDT 86694F68 ZwResumeThread
     SSDT 865B37B0 ZwSetContextThread
     SSDT 867D9B08 ZwSetInformationKey
     SSDT 857066E8 ZwSetInformationProcess
     SSDT 86792728 ZwSetInformationThread
     SSDT 86536730 ZwSetSystemInformation
     SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xF5AA5A50]
     SSDT 865390B8 ZwSuspendProcess
     SSDT 8654F500 ZwSuspendThread
     SSDT 86587358 ZwTerminateProcess
     SSDT 8656AC08 ZwTerminateThread
     SSDT 865B37E8 ZwUnmapViewOfSection
     SSDT 85706898 ZwWriteVirtualMemory

     ---- Devices - GMER 1.0.14 ----

     AttachedDevice \FileSystem\Ntfs \Ntfs ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))
     Device \Driver\Tcpip \Device\Ip 8675C2A8
     Device \Driver\Tcpip \Device\Ip 86609718
     Device \Driver\Tcpip \Device\Ip 86572530
     Device \Driver\Tcpip \Device\Ip 86348430
     Device \Driver\Tcpip \Device\Ip 86292970
     Device \Driver\Tcpip \Device\Ip 864D8A00
     AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
     Device \Driver\Tcpip \Device\Tcp 8675C2A8
     Device \Driver\Tcpip \Device\Tcp 86609718
     Device \Driver\Tcpip \Device\Tcp 86572530
     Device \Driver\Tcpip \Device\Tcp 86348430
     Device \Driver\Tcpip \Device\Tcp 86292970
     Device \Driver\Tcpip \Device\Tcp 864D8A00
     AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
     Device \Driver\Tcpip \Device\Udp 8675C2A8
     Device \Driver\Tcpip \Device\Udp 86609718
     Device \Driver\Tcpip \Device\Udp 86572530
     Device \Driver\Tcpip \Device\Udp 86348430
     Device \Driver\Tcpip \Device\Udp 86292970
     Device \Driver\Tcpip \Device\Udp 864D8A00
     AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
     Device \Driver\Tcpip \Device\RawIp 8675C2A8
     Device \Driver\Tcpip \Device\RawIp 86609718
     Device \Driver\Tcpip \Device\RawIp 86572530
     Device \Driver\Tcpip \Device\RawIp 86348430
     Device \Driver\Tcpip \Device\RawIp 86292970
     Device \Driver\Tcpip \Device\RawIp 864D8A00
     AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
     Device \Driver\Tcpip \Device\IPMULTICAST 8675C2A8
     Device \Driver\Tcpip \Device\IPMULTICAST 86609718
     Device \Driver\Tcpip \Device\IPMULTICAST 86572530
     Device \Driver\Tcpip \Device\IPMULTICAST 86348430
     Device \Driver\Tcpip \Device\IPMULTICAST 86292970
     Device \Driver\Tcpip \Device\IPMULTICAST 864D8A00

     ---- EOF - GMER 1.0.14 ----

     ---------

     ComboFix 09-01-08.05 - Andy 2009-01-09 12:31:37.1 - NTFSx86
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.661 [GMT -5:00]
     Running from: c:\documents and settings\Andy\Desktop\ComboFix.exe
     AV: Norton Internet Security *On-access scanning disabled* (Updated)
     FW: Norton Internet Security *disabled*
     FW: Webroot Internet Security Essentials *disabled*
      * Created a new restore point
     .
     ((((((((((((((((((((((((( Files Created from 2008-12-09 to 2009-01-09 )))))))))))))))))))))))))))))))
     .
     2009-01-09 12:01 . 2009-01-09 12:01 410,984 --a------ c:\windows\system32\deploytk.dll
     2009-01-09 12:01 . 2009-01-09 12:01 73,728 --a------ c:\windows\system32\javacpl.cpl
     2009-01-09 12:00 . 2009-01-09 12:00 <DIR> d-------- c:\program files\Java
     2009-01-09 00:43 . 2009-01-09 00:55 <DIR> d-------- c:\program files\SpeedFan
     2009-01-09 00:43 . 2009-01-09 00:43 45 --a------ c:\windows\system32\initdebug.nfo
     2009-01-08 11:14 . 2009-01-08 11:14 <DIR> d-------- c:\program files\MSXML 4.0
     2009-01-07 18:14 . 2009-01-07 18:14 <DIR> d-------- c:\documents and settings\Andy\Application Data\Malwarebytes
     2009-01-07 18:13 . 2009-01-07 18:14 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
     2009-01-07 18:13 . 2009-01-07 18:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
     2009-01-07 18:13 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
     2009-01-07 18:13 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
     2009-01-07 18:05 . 2009-01-09 11:44 <DIR> d-------- C:\Computer security
     2009-01-06 23:20 . 2009-01-06 23:20 <DIR> d-------- c:\program files\Webroot
     2009-01-06 23:20 . 2009-01-06 23:20 <DIR> d-------- c:\documents and settings\Andy\Application Data\Webroot
     2009-01-06 23:20 . 2009-01-06 23:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Webroot
     2009-01-06 23:20 . 2008-11-13 17:11 1,553,272 --a------ c:\windows\WRSetup.dll
     2009-01-06 23:06 . 2009-01-06 23:19 164 --a------ C:\install.dat
     2009-01-06 23:04 . 2009-01-06 23:04 <DIR> d-------- C:\Spy Sweeper
     2009-01-06 13:06 . 2009-01-06 13:06 664 --a------ c:\windows\system32\d3d9caps.dat
     2008-12-27 18:19 . 2008-12-27 18:19 <DIR> d--h----- c:\windows\system32\GroupPolicy
     2008-12-24 10:26 . 2009-01-06 11:14 <DIR> d-------- c:\documents and settings\Cedar
     2008-12-20 02:54 . 2008-12-20 02:54 <DIR> d-------- c:\program files\Microsoft.NET
     2008-12-19 20:33 . 2006-10-22 12:22 208,896 --a------ c:\windows\system32\nvudisp.exe
     2008-12-19 20:33 . 2009-01-09 10:36 88,566 --a------ c:\windows\system32\nvapps.xml
     2008-12-19 20:33 . 2006-10-22 12:22 17,056 --a------ c:\windows\system32\nvdisp.nvu
     2008-12-19 20:32 . 2008-12-19 20:32 <DIR> d-------- C:\NVIDIA
     2008-12-19 20:32 . 2006-10-22 15:06 208,896 --a------ c:\windows\system32\NVUNINST.EXE
     2008-12-19 20:19 . 2008-12-19 20:19 <DIR> d-------- c:\program files\SystemRequirementsLab
     2008-12-19 18:55 . 2008-12-19 18:55 <DIR> d-------- c:\program files\Microsoft Silverlight
     2008-12-19 18:55 . 2007-12-20 10:43 248,448 --a------ c:\windows\system32\PROUnstl.exe
     2008-12-19 18:52 . 2008-12-19 18:52 <DIR> d-------- c:\program files\Windows Media Connect 2
     2008-12-19 18:51 . 2008-12-19 18:51 <DIR> d-------- c:\windows\system32\LogFiles
     2008-12-19 18:51 . 2008-12-19 18:51 <DIR> d-------- c:\windows\system32\drivers\UMDF
     2008-12-19 18:46 . 2008-12-19 20:34 <DIR> d-------- c:\windows\nview
     2008-12-19 18:45 . 2008-12-19 18:45 <DIR> d-------- c:\program files\CONEXANT
     2008-12-19 18:43 . 2008-12-19 18:43 <DIR> d-------- c:\windows\system32\URTTemp
     2008-12-19 17:29 . 2006-10-26 19:58 30,512 --a------ c:\windows\system32\mdimon.dll
     2008-12-19 17:28 . 2008-12-19 17:28 <DIR> d-------- c:\program files\Microsoft Works
     2008-12-19 17:24 . 2008-12-19 17:27 <DIR> d-------- c:\windows\SHELLNEW
     2008-12-19 17:23 . 2009-01-01 16:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
     2008-12-19 16:14 . 2008-04-13 13:45 26,368 --a--c--- c:\windows\system32\dllcache\usbstor.sys
     2008-12-19 15:51 . 2008-12-19 15:51 <DIR> dr-h----- C:\MSOCache
     2008-12-19 15:50 . 2008-12-19 15:59 376 --a------ c:\windows\ODBC.INI
     2008-12-19 15:43 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
     2008-12-19 15:43 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
     2008-12-18 20:51 . 2008-12-18 20:51 <DIR> d-------- c:\program files\Common Files\Adobe AIR
     2008-12-18 20:51 . 2008-12-18 20:51 <DIR> d-------- c:\program files\Common Files\Adobe
     2008-12-18 19:32 . 2008-12-18 19:32 <DIR> d-------- c:\documents and settings\Andy\Application Data\Apple Computer
     2008-12-18 19:32 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
     2008-12-18 19:32 . 2008-04-17 13:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
     2008-12-18 19:31 . 2008-12-18 19:32 <DIR> d-------- c:\program files\iTunes
     2008-12-18 19:31 . 2008-12-18 19:31 <DIR> d-------- c:\program files\iPod
     2008-12-18 19:31 . 2008-12-18 19:31 <DIR> d-------- c:\program files\Bonjour
     2008-12-18 19:31 . 2008-12-18 19:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
     2008-12-18 19:30 . 2008-12-18 19:32 <DIR> d----c--- c:\windows\system32\DRVSTORE
     2008-12-18 19:30 . 2008-12-18 19:31 <DIR> d-------- c:\program files\QuickTime
     2008-12-18 19:30 . 2008-12-18 19:30 <DIR> d-------- c:\program files\Apple Software Update
     2008-12-18 19:30 . 2008-12-18 19:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
     2008-12-18 19:29 . 2008-12-18 19:31 <DIR> d-------- c:\program files\Common Files\Apple
     2008-12-18 19:29 . 2008-12-18 19:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
     2008-12-18 17:38 . 2008-12-18 17:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec
     2008-12-18 17:11 . 2008-12-18 17:11 <DIR> dr------- c:\program files\Norton Support
     2008-12-18 14:56 .
2008-12-11 22:28 36,272 -ra------ c:\windows\system32\drivers\SymIM.sys 2008-12-18 14:44 . 2008-12-19 15:42 <DIR> d-------- c:\program files\NOS 2008-12-18 14:44 . 2008-12-19 15:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS 2008-12-18 14:17 . 2008-12-18 14:17 0 --a------ c:\windows\nsreg.dat 2008-12-18 13:52 . 2008-10-16 15:38 6,066,176 -----c--- c:\windows\system32\dllcache\ieframe.dll 2008-12-18 13:52 . 2007-04-17 04:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat 2008-12-18 13:52 . 2007-03-08 00:10 991,232 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui 2008-12-18 13:52 . 2008-10-16 15:38 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll 2008-12-18 13:52 . 2008-10-16 15:38 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll 2008-12-18 13:52 . 2008-10-16 15:38 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll 2008-12-18 13:52 . 2008-10-16 15:38 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll 2008-12-18 13:52 . 2008-10-16 15:38 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll 2008-12-18 13:52 . 2008-10-16 08:11 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe 2008-12-18 13:23 . 2008-12-18 13:23 <DIR> d-------- c:\windows\system32\scripting 2008-12-18 13:23 . 2008-12-18 13:23 <DIR> d-------- c:\windows\system32\en 2008-12-18 13:23 . 2008-12-18 13:23 <DIR> d-------- c:\windows\system32\bits 2008-12-18 13:23 . 2008-12-18 13:23 <DIR> d-------- c:\windows\l2schemas 2008-12-18 13:20 . 2008-12-18 13:23 <DIR> d-------- c:\windows\ServicePackFiles 2008-12-18 13:02 . 2004-08-03 22:29 701,440 --------- c:\windows\system32\drivers\ati2mtag.sys 2008-12-18 12:52 . 2008-06-13 06:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys 2008-12-18 12:51 . 2008-09-08 05:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys 2008-12-18 12:51 . 2008-08-14 05:04 138,496 -----c--- c:\windows\system32\dllcache\afd.sys 2008-12-18 12:50 . 
2008-10-15 20:00 1,499,136 -----c--- c:\windows\system32\dllcache\shdocvw.dll 2008-12-18 12:50 . 2008-10-16 15:38 1,160,192 -----c--- c:\windows\system32\dllcache\urlmon.dll 2008-12-18 12:50 . 2008-10-16 15:38 826,368 -----c--- c:\windows\system32\dllcache\wininet.dll 2008-12-18 12:49 . 2008-12-13 01:40 3,593,216 -----c--- c:\windows\system32\dllcache\mshtml.dll 2008-12-18 12:49 . 2008-08-14 05:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe 2008-12-18 12:49 . 2008-08-14 05:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe 2008-12-18 12:49 . 2008-08-14 04:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe 2008-12-18 12:49 . 2008-08-14 04:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe 2008-12-18 12:49 . 2008-09-15 07:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys 2008-12-18 12:49 . 2008-04-11 14:04 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll 2008-12-18 12:49 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys 2008-12-18 12:49 . 2008-05-01 09:33 331,776 -----c--- c:\windows\system32\dllcache\msadce.dll 2008-12-18 12:49 . 2008-05-08 09:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys 2008-12-18 12:48 . 2008-12-18 12:48 <DIR> d--hs---- c:\documents and settings\Andy\UserData 2008-12-18 12:48 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll 2008-12-18 12:48 . 2008-10-15 11:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll 2008-12-18 12:47 . 2007-08-10 20:46 26,488 --a------ c:\windows\system32\spupdsvc.exe 2008-12-18 12:35 . 2008-12-18 17:07 <DIR> d-------- c:\windows\system32\drivers\NIS 2008-12-18 12:35 . 2008-12-18 12:35 <DIR> d-------- c:\program files\Windows Sidebar 2008-12-18 12:35 . 2008-12-18 12:35 <DIR> d-------- c:\program files\Symantec 2008-12-18 12:35 . 2008-12-18 12:35 <DIR> d-------- c:\program files\Norton Internet Security 2008-12-18 12:35 . 
2008-12-18 13:29 <DIR> d-------- c:\program files\Common Files\Symantec Shared 2008-12-18 12:35 . 2008-12-18 12:35 124,464 --a------ c:\windows\system32\drivers\SYMEVENT.SYS 2008-12-18 12:35 . 2008-12-18 12:35 60,808 --a------ c:\windows\system32\S32EVNT1.DLL 2008-12-18 12:35 . 2008-12-18 12:35 10,635 --a------ c:\windows\system32\drivers\SYMEVENT.CAT 2008-12-18 12:35 . 2008-12-18 12:35 806 --a------ c:\windows\system32\drivers\SYMEVENT.INF 2008-12-18 12:34 . 2008-12-18 12:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Norton 2008-12-18 12:26 . 2008-12-18 12:26 <DIR> d-------- c:\program files\NortonInstaller 2008-12-18 12:26 . 2008-12-18 12:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-12-20 01:32 --------- d-----w c:\program files\Common Files\InstallShield 2008-12-13 01:56 --------- d-----w c:\program files\Hewlett-Packard 2008-12-13 01:51 --------- d--h--w c:\program files\InstallShield Installation Information 2008-12-13 01:51 --------- d-----w c:\program files\Turtle Beach 2008-12-13 01:51 --------- d-----w c:\program files\Common Files\Voyetra 2008-12-13 01:39 --------- d-----w c:\program files\Netropa 2008-12-13 01:29 --------- d-----w c:\program files\NETGEAR 2008-12-13 01:04 --------- d-----w c:\program files\microsoft frontpage 2008-11-12 21:02 29,808 ----a-w c:\windows\system32\drivers\ssfs0bbc.sys 2008-11-12 21:02 23,152 ----a-w c:\windows\system32\drivers\sshrmd.sys 2008-11-12 21:02 170,608 ----a-w c:\windows\system32\drivers\ssidrv.sys 2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll 2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll 2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll 2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll 2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll 2008-10-16 19:12 
323,608 ----a-w c:\windows\system32\wucltui.dll 2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll 2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe 2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll 2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll 2008-10-16 19:07 208,744 ----a-w c:\windows\system32\muweb.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId] @="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}" [HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}] 2008-11-13 17:04 238968 --a------ c:\program files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_10.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "DellTouch"="c:\windows\DELLMMKB.EXE" [2001-09-23 163840] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480] "nwiz"="c:\windows\system32\nwiz.exe" [2006-10-22 1622016] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016] "TraySantaCruz"="c:\windows\system32\tbctray.exe" [2002-04-03 290816] "SpySweeper"="c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2008-11-13 6273400] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-09 136600] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Smart Wizard Wireless Settings.lnk - c:\program files\NETGEAR\WG111 Configuration 
Utility\WG111CFG.exe [2008-12-12 1056864] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService] @="Service" [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-11-12 29808] R0 SymEFA;Symantec Extended File Attributes;\SystemRoot\\SystemRoot\System32\Drivers\NIS\1002000.007\SYMEFA.SYS --> \SystemRoot\\SystemRoot\System32\Drivers\NIS\1002000.007\SYMEFA.SYS [?] R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NIS\1002000.007\BHDrvx86.sys [2008-12-18 255536] R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1002000.007\cchpx86.sys [2008-12-18 362544] R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20081220.001\IDSxpx86.sys [2008-12-20 274808] R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-12-18 99376] R3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [2008-12-12 144768] R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [2008-12-12 545088] R4 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe [2008-12-18 115560] R4 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [2009-01-06 1086840] --- Other Services/Drivers In Memory --- *NewlyCreated* - JAVAQUICKSTARTERSERVICE *NewlyCreated* - PCANDIS5 . 
Contents of the 'Scheduled Tasks' folder 2009-01-03 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34] . . ------- Supplementary Scan ------- . uInternet Settings,ProxyOverride = *.local IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 Trusted Zone: *.update.microsoft.com Trusted Zone: download.windowsupdate.com Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\Norton Internet Security\Engine\16.2.0.7\CoIEPlg.dll FF - ProfilePath - c:\documents and settings\Andy\Application Data\Mozilla\Firefox\Profiles\tbxuoa66.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/ FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-01-09 12:37:12 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet
  3. Hi, I would greatly appreciate your assistance with a potential malware problem.

Quick summary: My computer has slowed to a crawl, with CPU usage at 100%. Task Manager shows that the main CPU-consuming process is “System.” In addition, when I recently pasted into MS Word 2007, I was alarmed to see that the clipboard contained perfect screen captures of every Word and Excel file that I had opened during the previous 24 hours.

Additional info: Several weeks ago, my Dell PC mysteriously began overheating and shutting down. At boot-up, the system log contained error messages that the fan and CPU temperature were out of range. I carefully cleaned some dust inside the PC and ran the hardware diagnostic utilities, which the PC passed. Next, I had an expert PC-repair technician examine the computer; he said that the fan and motherboard were fine. He recommended reinstalling XP.

Reinstalling Win XP Pro (SP3) solved the problem for about 2.5 weeks. Now, the issue has resurfaced, even when booting in safe mode. Using System Restore also has not fixed the problem. A complete scan of the PC with Norton IS 2009 and Webroot SpySweeper 6.0.2, using the latest definitions, found nothing awry. I also did a full scan using Kaspersky’s online scanner, as well as a full scan with Malwarebytes’ Anti-Malware, using the latest updates; neither program found any viruses/malware.

After the PC started to misbehave, I searched for new or recently modified files using “My Computer,” then did a print-screen and pasted the results into Word 2007. As noted above, it was then that I was alarmed to discover that the clipboard contained screen captures of all my recently opened MS Office documents, including ones that I had not copied/pasted/modified. I found a mysterious toolbar, CLView12, that had been newly placed into the Application Data\Microsoft\Office subdirectory, as well as a mystery .exe file (C:\WINDOWS\Prefetch\CLVIEW.EXE-1013077A.pf). I scanned both files, as well as my Excel macro workbook (Personal.xls), with VirusTotal’s online scanner, which detected nothing abnormal. I ran ATF Cleaner (“Select All” and “Empty Selected” actions for both Main and Firefox menus), to no avail.

The HJT log is posted below. Any help you can provide will be greatly appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:59:15 PM, on 1/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Netropa\OSD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\tbctray.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Webroot\WebrootSecurity\SSU.EXE
C:\Computer security\HijackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\IPSBHO.DLL
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll
O4 - HKLM\..\Run: [DellTouch] "C:\WINDOWS\DELLMMKB.EXE"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "C:\WINDOWS\system32\nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TraySantaCruz] "C:\WINDOWS\system32\tbctray.exe"
O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1229622580468
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/flash...ent/swflash.cab
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe

--
End of file - 6482 bytes