3 computers affected with trogan.gen

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

tomob

Thread Starter
Joined
Dec 18, 2003
Messages
214
Files on the server all appear faded and many show as exe files sysamtec end point show frequent trogan.gen infections

Below is the combofix and hijackthis logs on one of them

combofix
ComboFix 13-01-27.03 - Rob 01/27/2013 10:54:39.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1076 [GMT -5:00]
Running from: c:\documents and settings\Rob\Desktop\ComboFix.exe
AV: Norton Internet Security *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Don\g2ax_customer_downloadhelper_win32_x86.exe
c:\documents and settings\Don\GoToAssistDownloadHelper.exe
c:\documents and settings\Rob\Application Data\PriceGong
c:\documents and settings\Rob\Application Data\PriceGong\Data\1.txt
c:\documents and settings\Rob\Application Data\PriceGong\Data\10.txt
c:\documents and settings\Rob\Application Data\PriceGong\Data\11123.txt
c:\documents and settings\Rob\Application Data\PriceGong\Data\2124.txt
c:\documents and settings\Rob\Application Data\PriceGong\Data\2229.txt
c:\documents and settings\Rob\Application Data\PriceGong\Data\2994.txt
c:\documents and settings\Rob\Application Data\PriceGong\Data\300.txt
c:\documents and settings\Rob\Application Data\PriceGong\Data\592.txt
c:\documents and settings\Rob\Application Data\PriceGong\Data\6018.txt
c:\documents and settings\Rob\Application Data\PriceGong\Data\6927.txt
c:\documents and settings\Rob\Application Data\PriceGong\Data\946.txt
c:\documents and settings\Rob\Application Data\PriceGong\Data\947.txt
c:\documents and settings\Rob\Application Data\PriceGong\Data\9549.txt
c:\documents and settings\Rob\Application Data\PriceGong\Data\959.txt
c:\documents and settings\Rob\Application Data\PriceGong\Data\9880.txt
c:\documents and settings\Rob\Application Data\PriceGong\Data\a.txt
c:\documents and settings\Rob\Application Data\PriceGong\Data\b.txt
c:\documents and settings\Rob\Application Data\PriceGong\Data\c.txt
c:\documents and settings\Rob\Application Data\PriceGong\Data\d.txt
c:\documents and settings\Rob\Application Data\PriceGong\Data\e.txt
c:\documents and settings\Rob\Application Data\PriceGong\Data\f.txt
c:\documents and settings\Rob\Application Data\PriceGong\Data\g.txt
c:\documents and settings\Rob\Application Data\PriceGong\Data\h.txt
c:\documents and settings\Rob\Application Data\PriceGong\Data\i.txt
c:\documents and settings\Rob\Application Data\PriceGong\Data\j.txt
c:\documents and settings\Rob\Application Data\PriceGong\Data\k.txt
c:\documents and settings\Rob\Application Data\PriceGong\Data\l.txt
c:\documents and settings\Rob\Application Data\PriceGong\Data\m.txt
c:\documents and settings\Rob\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Rob\Application Data\PriceGong\Data\n.txt
c:\documents and settings\Rob\Application Data\PriceGong\Data\o.txt
c:\documents and settings\Rob\Application Data\PriceGong\Data\p.txt
c:\documents and settings\Rob\Application Data\PriceGong\Data\q.txt
c:\documents and settings\Rob\Application Data\PriceGong\Data\r.txt
c:\documents and settings\Rob\Application Data\PriceGong\Data\s.txt
c:\documents and settings\Rob\Application Data\PriceGong\Data\t.txt
c:\documents and settings\Rob\Application Data\PriceGong\Data\u.txt
c:\documents and settings\Rob\Application Data\PriceGong\Data\v.txt
c:\documents and settings\Rob\Application Data\PriceGong\Data\w.txt
c:\documents and settings\Rob\Application Data\PriceGong\Data\wlu.txt
c:\documents and settings\Rob\Application Data\PriceGong\Data\x.txt
c:\documents and settings\Rob\Application Data\PriceGong\Data\y.txt
c:\documents and settings\Rob\Application Data\PriceGong\Data\z.txt
c:\documents and settings\Rob\My Documents\ShopToWin
c:\windows\system32\Temp
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\regtlib.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-12-27 to 2013-01-27 )))))))))))))))))))))))))))))))
.
.
2013-01-21 19:27 . 2013-01-21 19:27 -------- d-----w- c:\documents and settings\Rob\Application Data\Malwarebytes
2013-01-21 19:26 . 2013-01-21 19:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2013-01-21 19:26 . 2013-01-21 19:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-01-21 19:26 . 2012-12-14 21:49 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-01-16 14:43 . 2013-01-25 20:26 -------- d-----w- C:\tom01162013
2013-01-10 17:03 . 2013-01-10 17:03 -------- d-----w- c:\program files\Dropbox
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-01-14 16:48 . 2012-05-07 11:25 697864 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-01-14 16:48 . 2011-05-31 10:14 74248 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-16 12:23 . 2004-08-04 04:56 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-11-13 01:25 . 2004-08-04 03:17 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-11-06 02:01 . 2009-08-19 22:07 1371648 ----a-w- c:\windows\system32\msxml6.dll
2012-11-02 02:02 . 2004-08-04 04:56 375296 ----a-w- c:\windows\system32\dpnet.dll
2012-11-01 12:17 . 2004-08-04 04:56 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-11-01 12:17 . 2004-08-04 04:56 916992 ----a-w- c:\windows\system32\wininet.dll
2012-11-01 12:17 . 2004-08-04 04:56 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-11-01 00:35 . 2004-08-04 02:59 385024 ----a-w- c:\windows\system32\html.iec
2001-12-03 21:09 . 2010-03-09 17:53 90112 ----a-w- c:\program files\internet explorer\plugins\DjVuControl.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\documents and settings\Rob\Application Data\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\documents and settings\Rob\Application Data\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\documents and settings\Rob\Application Data\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\documents and settings\Rob\Application Data\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-19 7700480]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2012-02-23 59240]
"RTHDCPL"="RTHDCPL.EXE" [2012-06-06 20065936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-10-25 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-12-12 152544]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
.
c:\documents and settings\Rob\Start Menu\Programs\Startup\
DOSPRN.lnk - c:\program files\DOSPRN\DOSprn.exe [2011-6-29 815104]
Dropbox.lnk - c:\documents and settings\Rob\Application Data\Dropbox\bin\Dropbox.exe [2013-1-4 28539232]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CardMinder Viewer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\CardMinder Viewer.lnk
backup=c:\windows\pss\CardMinder Viewer.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Conversion to PDF with ScanSnap Organizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Conversion to PDF with ScanSnap Organizer.lnk
backup=c:\windows\pss\Conversion to PDF with ScanSnap Organizer.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Driver Performer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Driver Performer.lnk
backup=c:\windows\pss\Driver Performer.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Calendar Sync.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Calendar Sync.lnk
backup=c:\windows\pss\Google Calendar Sync.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Scanner File Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Scanner File Utility.lnk
backup=c:\windows\pss\Scanner File Utility.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ScanSnap Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ScanSnap Manager.lnk
backup=c:\windows\pss\ScanSnap Manager.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Don^Start Menu^Programs^Startup^Adobe SendNow Desktop.lnk]
path=c:\documents and settings\Don\Start Menu\Programs\Startup\Adobe SendNow Desktop.lnk
backup=c:\windows\pss\Adobe SendNow Desktop.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Don^Start Menu^Programs^Startup^DOSPRN.lnk]
path=c:\documents and settings\Don\Start Menu\Programs\Startup\DOSPRN.lnk
backup=c:\windows\pss\DOSPRN.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Don^Start Menu^Programs^Startup^Dropbox.lnk]
path=c:\documents and settings\Don\Start Menu\Programs\Startup\Dropbox.lnk
backup=c:\windows\pss\Dropbox.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-12-03 07:35 946352 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Akamai NetSession Interface]
2011-12-13 04:20 3305760 ----a-w- c:\documents and settings\Don\Local Settings\Application Data\Akamai\netsession_win.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2010-11-03 22:13 64104 ----a-w- c:\windows\ALCMTR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2012-02-23 15:38 59240 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-11-28 19:13 59280 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BTSETBOOTKEY]
2003-04-15 15:48 36864 ----a-w- c:\windows\system32\BTSetBootKey.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BTUSRBDG]
2003-11-06 03:21 53248 ----a-w- c:\windows\system32\BtUsrBdg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DynSite]
2008-09-25 09:01 1342072 ----a-w- c:\program files\Noel Danjou\DynSite\DynSite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-12-12 18:57 152544 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2007-04-19 17:26 7700480 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2007-04-19 17:26 86016 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2007-04-19 17:26 1626112 ----a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PeachtreePrefetcher.exe]
2010-04-10 18:06 29480 ----a-r- c:\program files\Sage Software\Peachtree\PeachtreePrefetcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-10-25 08:12 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2012-06-06 18:00 20065936 ----a-w- c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Samsung PanelMgr]
2009-02-04 22:55 548864 -c--a-w- c:\windows\Samsung\PanelMgr\SSMMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2010-11-03 22:15 1833576 ----a-w- c:\windows\SkyTel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 16:44 248552 -c--a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2010-03-15 13:48 39408 -c--a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\SUPDSvc.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Pervasive Software\\PSQL\\bin\\w3dbsmgr.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Kyocera Mita\\FileUtility\\NsCatCom.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Documents and Settings\\Don\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Documents and Settings\\Don\\Local Settings\\Application Data\\Akamai\\netsession_win.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\File Type Assistant\\TSAssist.exe"=
"c:\\Documents and Settings\\Rob\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1583:TCP"= 1583:TCP:pervasive DBEngine
"3351:TCP"= 3351:TCP:pervasive DBEngine
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1207020.003\symds.sys [6/11/2012 5:50 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1207020.003\symefa.sys [6/11/2012 5:50 PM 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\BASHDefs\20130116.013\BHDrvx86.sys [1/15/2013 9:51 PM 997464]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1207020.003\ironx86.sys [6/11/2012 5:50 PM 136312]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/3/2004 11:56 PM 14336]
R2 LnsMtsSvc;Echelon Support Service for Microsoft Terminal Services (MTS);c:\lonworks\bin\LnsMtsSvc.exe [9/21/2007 2:40 AM 62776]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [1/21/2013 2:26 PM 398184]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/21/2013 2:26 PM 682344]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\18.7.2.3\ccsvchst.exe [6/11/2012 5:50 PM 130008]
R2 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;c:\program files\Norton PC Checkup 3.0\SymcPCCULaunchSvc.exe [9/19/2012 6:20 AM 132056]
R2 PCCUJobMgr;Common Client Job Manager Service;c:\program files\Norton PC Checkup\Engine\2.0.12.27\ccSvcHst.exe [9/15/2011 5:42 PM 126392]
R2 psqlWGE;Pervasive PSQL Workgroup Engine;c:\program files\Pervasive Software\PSQL\bin\w3dbsmgr.exe [6/6/2008 12:03 PM 435496]
R3 BTCOMM;BTCOMM;c:\windows\system32\drivers\Btcomm.sys [1/3/2011 8:50 AM 57512]
R3 BTKRNBDG;Bluetooth COM Bridge;c:\windows\system32\drivers\BtKrnBdg.sys [1/3/2011 8:50 AM 15876]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/12/2012 6:54 PM 106656]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\IPSDefs\20130124.001\IDSXpx86.sys [1/24/2013 9:36 PM 373728]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [1/21/2013 2:26 PM 21104]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [8/30/2012 2:21 PM 1691480]
S3 LdvxBroker;Echelon xDriver Connection Broker;c:\lonworks\bin\LdvxBroker.exe [9/21/2007 2:40 AM 66872]
S3 MosIrUsb;MosIrUsb.sys;c:\windows\system32\drivers\MosIrUsb.sys [4/14/2004 2:52 PM 20736]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [7/25/2010 12:44 PM 18432]
S3 Peachtree SmartPosting 2011;Peachtree SmartPosting 2011;c:\program files\Sage Software\Peachtree\SmartPostingService2011.exe [4/10/2010 1:32 PM 43816]
S3 Samsung UPD Service;Samsung UPD Service;c:\windows\system32\SUPDSvc.exe [2/12/2010 1:20 PM 127656]
S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [8/30/2012 1:46 PM 13024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-27 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-07 16:48]
.
2013-01-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 22:57]
.
2013-01-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-24 16:07]
.
2013-01-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-24 16:07]
.
2013-01-27 c:\windows\Tasks\Norton AntiVirus - Don - Full System Scan.job
- c:\program files\Norton Internet Security\Engine\18.7.2.3\navw32.exe [2012-06-11 00:01]
.
2013-01-27 c:\windows\Tasks\PC Checkup 3 Weekly Scan.job
- c:\program files\Norton PC Checkup 3.0\NLAppLauncher.exe [2012-09-19 19:14]
.
2013-01-27 c:\windows\Tasks\ProgramUpdateCheck.job
- c:\program files\File Type Assistant\tsassist.exe [2011-09-01 19:33]
.
2013-01-22 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-854245398-879983540-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
.
2013-01-22 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-854245398-879983540-839522115-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
.
2013-01-24 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-854245398-879983540-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
.
2013-01-22 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-854245398-879983540-839522115-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
TCP: DhcpNameServer = 24.92.226.11 24.92.226.12
DPF: {C60C276B-0F00-44D8-8D68-7B326A35401E} - hxxp://network.construction.com/ActiveX/FileDownloader2.cab
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
MSConfigStartUp-ApnUpdater - c:\program files\Ask.com\Updater\Updater.exe
MSConfigStartUp-DW6 - e:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
MSConfigStartUp-PfuSsSct - c:\program files\PFU\ScanSnap\PfuSsSct.exe
MSConfigStartUp-StartNowToolbarHelper - c:\program files\StartNow Toolbar\ToolbarHelper.exe
MSConfigStartUp-TkBellExe - c:\program files\Real\RealPlayer\update\realsched.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-01-27 11:02
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\18.7.2.3\diMaster.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PCCUJobMgr]
"ImagePath"="\"c:\program files\Norton PC Checkup\Engine\2.0.12.27\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files\Norton PC Checkup\Engine\2.0.12.27\diMaster.dll\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_ce5ba24.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
Completion time: 2013-01-27 11:20:34
ComboFix-quarantined-files.txt 2013-01-27 16:20
.
Pre-Run: 368,407,367,680 bytes free
Post-Run: 368,753,233,920 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - F274A34031A72896590BF4632B69E08D

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:38:40 AM, on 1/27/2013
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\LonWorks\bin\LnsMtsSvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Norton PC Checkup\Engine\2.0.12.27\ccSvcHst.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe
C:\Program Files\Kyocera Mita\FileUtility\SFUSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Kyocera Mita\FileUtility\nsCatCom.exe
C:\Program Files\Norton PC Checkup\Engine\2.0.12.27\ccSvcHst.exe
C:\Program Files\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DOSPRN\DOSprn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PFU\ScanSnap\Driver\PfuSsMon.exe
C:\Program Files\Norton PC Checkup 3.0\SymcPCCULaunchSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\18.7.2.3\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\18.7.2.3\IPS\IPSBHO.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.8313.1002\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: ChromeFrame BHO - {ECB3C477-1A0A-44BD-BB57-78F9EFE34FA7} - C:\Program Files\Google\Chrome\Application\24.0.1312.56\npchrome_frame.dll
O3 - Toolbar: Autodesk DWF - {F03966D3-8EA0-47b4-BBE0-85BFE6CBC8AC} - C:\Program Files\Autodesk\Autodesk DWF Writer\DWF Addin\DWFIEAddin.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\18.7.2.3\coIEPlg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - Startup: DOSPRN.lnk = C:\Program Files\DOSPRN\DOSprn.exe
O4 - Startup: Dropbox.lnk = C:\Documents and Settings\Rob\Application Data\Dropbox\bin\Dropbox.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {C60C276B-0F00-44D8-8D68-7B326A35401E} (Documents Downloader Control 2.0) - http://network.construction.com/ActiveX/FileDownloader2.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=724
O18 - Protocol: gcf - {9875BFAF-B04D-445E-8A69-BE36838CDE3E} - C:\Program Files\Google\Chrome\Application\24.0.1312.56\npchrome_frame.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Echelon xDriver Connection Broker (LdvxBroker) - Echelon Corporation - C:\LonWorks\bin\LdvxBroker.exe
O23 - Service: Echelon Support Service for Microsoft Terminal Services (MTS) (LnsMtsSvc) - Echelon Corporation - C:\LonWorks\bin\LnsMtsSvc.exe
O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe
O23 - Service: Norton PC Checkup Application Launcher - Symantec Corporation - C:\Program Files\Norton PC Checkup 3.0\SymcPCCULaunchSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Common Client Job Manager Service (PCCUJobMgr) - Symantec Corporation - C:\Program Files\Norton PC Checkup\Engine\2.0.12.27\ccSvcHst.exe
O23 - Service: Peachtree SmartPosting 2011 - Sage Software, Inc. - C:\Program Files\Sage Software\Peachtree\SmartPostingService2011.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Pervasive PSQL Workgroup Engine (psqlWGE) - Pervasive Software Inc. - C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe
O23 - Service: Samsung UPD Service - Samsung Electronics CO., LTD. - C:\WINDOWS\system32\SUPDSvc.exe
O23 - Service: SFUSVC - KYOCERA MITA CORPORATION - C:\Program Files\Kyocera Mita\FileUtility\SFUSVC.exe

--
End of file - 10435 bytes

I will post the others later
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Top