Hello Guys,
As with others, I have the Bamital trojan. Norton picked up the explorer infection and MBAM picked up the winlogon one. Files attached.
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4950
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
27/10/2010 13:05:39
mbam-log-2010-10-27 (13-05-39).txt
Scan type: Quick scan
Objects scanned: 139254
Time elapsed: 7 minute(s), 57 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
GMER 1.0.15.15477 - http://www.gmer.net
Rootkit scan 2010-10-27 15:21:01
Windows 5.1.2600 Service Pack 3
Running: jw5zbqq1.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\fgrcypog.sys
---- System - GMER 1.0.15 ----
SSDT 8561B050 ZwAlertResumeThread
SSDT 85620438 ZwAlertThread
SSDT 855EB740 ZwAllocateVirtualMemory
SSDT 85693050 ZwAssignProcessToJobObject
SSDT 85E20BF0 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xF5D2D210]
SSDT 855E0580 ZwCreateMutant
SSDT 855DB0A0 ZwCreateSymbolicLinkObject
SSDT 8665E700 ZwCreateThread
SSDT 85618050 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xF5D2D490]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xF5D2D9F0]
SSDT 855EB9D8 ZwDuplicateObject
SSDT 855E9FC0 ZwFreeVirtualMemory
SSDT 85695050 ZwImpersonateAnonymousToken
SSDT 85CAC050 ZwImpersonateThread
SSDT 85DD4C10 ZwLoadDriver
SSDT 866199B8 ZwMapViewOfSection
SSDT 85CAB050 ZwOpenEvent
SSDT 855EBC78 ZwOpenProcess
SSDT 85CB0050 ZwOpenProcessToken
SSDT 85694050 ZwOpenSection
SSDT 855EBB28 ZwOpenThread
SSDT 855DB6F0 ZwProtectVirtualMemory
SSDT 8561C1F0 ZwResumeThread
SSDT 85CAE910 ZwSetContextThread
SSDT 855E9B80 ZwSetInformationProcess
SSDT 85CAA050 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xF5D2DC40]
SSDT 85619050 ZwSuspendProcess
SSDT 8561D1F0 ZwSuspendThread
SSDT 8561F2F0 ZwTerminateProcess
SSDT 85699050 ZwTerminateThread
SSDT \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys ZwUnloadKey [0xF2D7E6D0]
SSDT 863BBC58 ZwUnmapViewOfSection
SSDT 855EB3B0 ZwWriteVirtualMemory
---- Kernel code sections - GMER 1.0.15 ----
.text ntoskrnl.exe!ZwYieldExecution + 3CA 804E4C24 4 Bytes JMP C3E2D1F3
? SYMDS.SYS The system cannot find the file specified. !
? SYMEFA.SYS The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\uphcleanhlp.sys The system cannot find the file specified. !
---- User code sections - GMER 1.0.15 ----
.text C:\Documents and Settings\Owner\Desktop\jw5zbqq1.exe[1020] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\Owner\Desktop\jw5zbqq1.exe[1020] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Documents and Settings\Owner\Desktop\jw5zbqq1.exe[1020] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\Owner\Desktop\jw5zbqq1.exe[1020] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Documents and Settings\Owner\Desktop\jw5zbqq1.exe[1020] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00B30001
.text C:\Documents and Settings\Owner\Desktop\jw5zbqq1.exe[1020] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0D0F5A
.text C:\Documents and Settings\Owner\Desktop\jw5zbqq1.exe[1020] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0A0F5A
.text C:\Documents and Settings\Owner\Desktop\jw5zbqq1.exe[1020] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 6 Bytes JMP 5F100F5A
.text C:\Documents and Settings\Owner\Desktop\jw5zbqq1.exe[1020] ADVAPI32.dll!CreateProcessWithLogonW 77E16005 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\Owner\Desktop\jw5zbqq1.exe[1020] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E16009 2 Bytes [05, 5F]
.text C:\Documents and Settings\Owner\Desktop\jw5zbqq1.exe[1020] ADVAPI32.dll!CreateServiceA 77E37219 6 Bytes JMP 5F190F5A
.text C:\Documents and Settings\Owner\Desktop\jw5zbqq1.exe[1020] ADVAPI32.dll!CreateServiceW 77E373B1 6 Bytes JMP 5F1C0F5A
.text C:\WINDOWS\Explorer.EXE[1536] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 02B20001
.text C:\WINDOWS\Explorer.EXE[1536] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\Explorer.EXE[1536] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\Explorer.EXE[1536] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 00B48328
.text C:\WINDOWS\Explorer.EXE[1536] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\Explorer.EXE[1536] ADVAPI32.dll!CreateProcessWithLogonW 77E16005 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1536] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E16009 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\taskswitch.exe[2128] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\taskswitch.exe[2128] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\taskswitch.exe[2128] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\taskswitch.exe[2128] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\taskswitch.exe[2128] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 009C0001
.text C:\WINDOWS\system32\taskswitch.exe[2128] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\taskswitch.exe[2128] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\taskswitch.exe[2128] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\taskswitch.exe[2128] ADVAPI32.dll!CreateProcessWithLogonW 77E16005 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\taskswitch.exe[2128] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E16009 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\taskswitch.exe[2128] ADVAPI32.dll!CreateServiceA 77E37219 6 Bytes JMP 5F190F5A
.text C:\WINDOWS\system32\taskswitch.exe[2128] ADVAPI32.dll!CreateServiceW 77E373B1 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe[2144] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe[2144] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe[2144] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe[2144] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe[2144] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00A60001
.text C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe[2144] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe[2144] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe[2144] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 6 Bytes JMP 5F100F5A
.text C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe[2144] ADVAPI32.dll!CreateProcessWithLogonW 77E16005 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe[2144] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E16009 2 Bytes [05, 5F]
.text C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe[2144] ADVAPI32.dll!CreateServiceA 77E37219 6 Bytes JMP 5F190F5A
.text C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe[2144] ADVAPI32.dll!CreateServiceW 77E373B1 6 Bytes JMP 5F1C0F5A
.text C:\WINDOWS\system32\ctfmon.exe[2160] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[2160] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\ctfmon.exe[2160] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[2160] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\ctfmon.exe[2160] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00AD0001
.text C:\WINDOWS\system32\ctfmon.exe[2160] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\ctfmon.exe[2160] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\ctfmon.exe[2160] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\ctfmon.exe[2160] ADVAPI32.dll!CreateProcessWithLogonW 77E16005 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[2160] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E16009 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\ctfmon.exe[2160] ADVAPI32.dll!CreateServiceA 77E37219 6 Bytes JMP 5F190F5A
.text C:\WINDOWS\system32\ctfmon.exe[2160] ADVAPI32.dll!CreateServiceW 77E373B1 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\Dell AIO Printer A940\dlbabmon.exe[2176] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Dell AIO Printer A940\dlbabmon.exe[2176] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Dell AIO Printer A940\dlbabmon.exe[2176] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Dell AIO Printer A940\dlbabmon.exe[2176] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Dell AIO Printer A940\dlbabmon.exe[2176] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00B80001
.text C:\Program Files\Dell AIO Printer A940\dlbabmon.exe[2176] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Dell AIO Printer A940\dlbabmon.exe[2176] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Dell AIO Printer A940\dlbabmon.exe[2176] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 6 Bytes JMP 5F100F5A
.text C:\Program Files\Dell AIO Printer A940\dlbabmon.exe[2176] ADVAPI32.dll!CreateProcessWithLogonW 77E16005 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Dell AIO Printer A940\dlbabmon.exe[2176] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E16009 2 Bytes [05, 5F]
.text C:\Program Files\Dell AIO Printer A940\dlbabmon.exe[2176] ADVAPI32.dll!CreateServiceA 77E37219 6 Bytes JMP 5F190F5A
.text C:\Program Files\Dell AIO Printer A940\dlbabmon.exe[2176] ADVAPI32.dll!CreateServiceW 77E373B1 6 Bytes JMP 5F1C0F5A
---- Devices - GMER 1.0.15 ----
Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip mdvrmng.sys
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp mdvrmng.sys
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp mdvrmng.sys
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp mdvrmng.sys
Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device Cdfs.SYS (CD-ROM File System Driver/Microsoft Corporation)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
DDS (Ver_10-10-21.02) - NTFSx86
Run by Will at 15:22:37.68 on 27/10/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.353.1033.18.1023.429 [GMT 1:00]
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe
C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\3 Mobile Broadband\3Connect\AutoUpdateSrv.exe
C:\Documents and Settings\Owner\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mURLSearchHooks: MHURLSearchHook Class: {1c4ab6a5-595f-4e86-b15f-f93cce2bbd48} - c:\program files\family toolbar\tbhelper.dll
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: MHTBPos00 Class: {0c37b053-fd68-456a-82e1-d788ee342e6f} - c:\program files\family toolbar\tbcore3.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\17.8.0.5\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\17.8.0.5\IPSBHO.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: CMySite Class: {d62ec836-bf1e-4cac-81be-fb9179835d8e} - c:\program files\family toolbar\mhxpcomi.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Family Toolbar: {fd2fd708-1f6f-4b68-b141-c5778f0c19bb} - c:\program files\family toolbar\tbcore3.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\17.8.0.5\coIEPlg.dll
TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [PeerBlock] c:\program files\peerblock\peerblock.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [Dell AIO Printer A940] "c:\program files\dell aio printer a940\dlbabmgr.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\3connect.lnk - c:\program files\3 mobile broadband\3connect\Wilog.exe
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-explorer: MaxRecentDocs = 18 (0x12)
mPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
mPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
mPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)
mPolicies-system: DisableStatusMessages = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: mhtb - {669A2A3A-F19C-452D-800D-1240299756C1} - c:\program files\family toolbar\mhxpcomi.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: {4F07DA45-8170-4859-9B5F-037EF2970034} - No File
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\xta0fo0z.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.independent.ie/business/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\xta0fo0z.default\extensions\{463f6ca5-ee3c-4be1-b7e6-7fee11953374}\platform\winnt\components\FoxyTunes.dll
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\xta0fo0z.default\extensions\{fd2fd708-1f6f-4b68-b141-c5778f0c19bb}\components\mhxpcom2.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\nokia\nokia pc suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\xta0fo0z.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\owner\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\opera\program\plugins\np_gp.dll
FF - plugin: c:\program files\opera\program\plugins\npdjvu.dll
FF - plugin: c:\program files\opera\program\plugins\npdjvu.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin2.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin3.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin4.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin5.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin6.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin7.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
============= SERVICES / DRIVERS ===============
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1108000.005\symds.sys [2010-10-19 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1108000.005\symefa.sys [2010-10-19 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\bashdefs\20101001.001\BHDrvx86.sys [2010-10-2 692272]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1108000.005\cchpx86.sys [2010-10-19 501888]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2010-1-5 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 67656]
R1 SLEE_14_DRIVER;Steganos Live Encryption Engine 14 [Driver];c:\windows\system32\drivers\sleen14.sys [2006-11-8 72480]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1108000.005\ironx86.sys [2010-10-19 116784]
R2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2010-8-27 312152]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\sitead~1\mcsacore.exe [2009-11-26 88176]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\17.8.0.5\ccsvchst.exe [2010-10-19 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-10-19 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\ipsdefs\20101015.005\IDSXpx86.sys [2010-10-13 341880]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\virusdefs\20101019.004\NAVENG.SYS [2010-10-19 86064]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\virusdefs\20101019.004\NAVEX15.SYS [2010-10-19 1371184]
S1 DumpDrv;Crash Dump Driver;c:\windows\system32\drivers\dumpdrv.sys [2009-10-19 9472]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-11-30 133104]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [2010-9-29 100736]
S3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2010-7-14 14424]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 12872]
=============== Created Last 30 ================
2010-10-26 11:45:00 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-10-26 11:39:47 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-10-25 11:26:34 509440 ----a-w- c:\windows\winlogon.exe
2010-10-19 12:07:51 361904 ----a-w- c:\windows\system32\drivers\nis\1108000.005\symtdi.sys
2010-10-19 12:07:51 339504 ----a-w- c:\windows\system32\drivers\nis\1108000.005\symtdiv.sys
2010-10-19 12:07:51 328752 ----a-r- c:\windows\system32\drivers\nis\1108000.005\symds.sys
2010-10-19 12:07:51 173104 ----a-w- c:\windows\system32\drivers\nis\1108000.005\symefa.sys
2010-10-19 12:07:50 501888 ----a-w- c:\windows\system32\drivers\nis\1108000.005\cchpx86.sys
2010-10-19 12:07:50 43696 ----a-w- c:\windows\system32\drivers\nis\1108000.005\srtspx.sys
2010-10-19 12:07:50 325680 ----a-w- c:\windows\system32\drivers\nis\1108000.005\srtsp.sys
2010-10-19 12:07:50 116784 ----a-w- c:\windows\system32\drivers\nis\1108000.005\ironx86.sys
2010-10-19 12:07:26 -------- d-----w- c:\windows\system32\drivers\nis\1108000.005
2010-10-18 22:51:33 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-10-18 22:51:33 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-10-18 22:51:33 -------- d-----w- c:\program files\Symantec
2010-10-18 22:51:33 -------- d-----w- c:\program files\common files\Symantec Shared
2010-10-18 22:50:49 -------- d-----w- c:\windows\system32\drivers\NIS
2010-10-18 22:50:44 -------- d-----w- c:\program files\Norton Internet Security
2010-10-18 22:50:43 -------- d-----w- c:\docume~1\alluse~1\applic~1\Norton
2010-10-18 21:51:17 -------- d-----w- c:\windows\Internet Logs
2010-10-18 21:45:36 -------- d-----w- c:\program files\NortonInstaller
2010-10-18 21:45:36 -------- d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2010-10-18 11:27:23 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-10-15 14:49:26 99840 ------w- c:\windows\system32\dllcache\srvsvc.dll
2010-10-15 14:42:38 218112 ------w- c:\windows\system32\dllcache\wordpad.exe
2010-10-15 14:42:37 1289216 ------w- c:\windows\system32\dllcache\ole32.dll
2010-10-15 14:32:20 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-15 14:32:20 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
2010-10-15 14:32:20 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-15 14:30:46 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2010-10-07 16:01:44 -------- d-----w- c:\program files\PopCap Games
2010-10-06 10:24:27 -------- d-----w- c:\docume~1\owner\locals~1\applic~1\Adobe
2010-10-05 11:57:15 -------- d-----w- c:\program files\iPod
2010-10-05 11:57:11 -------- d-----w- c:\program files\iTunes
2010-09-29 16:40:24 -------- d-----w- c:\program files\uTorrent
2010-09-29 16:39:24 -------- d-----w- c:\docume~1\owner\applic~1\uTorrent
2010-09-29 10:54:53 -------- d-----w- c:\docume~1\owner\applic~1\Birdstep Technology
2010-09-29 10:53:58 24448 ----a-w- c:\windows\system32\drivers\ewdcsc.sys
2010-09-29 10:53:58 112640 ----a-w- c:\windows\system32\drivers\ewusbnet.sys
2010-09-29 10:53:58 102528 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys
2010-09-29 10:53:58 100736 ----a-w- c:\windows\system32\drivers\ewusbdev.sys
2010-09-29 10:53:47 71262 ----a-w- c:\windows\Huawei ModemsUninstall.exe
2010-09-29 10:53:47 -------- d-----w- c:\program files\Huawei Modems
2010-09-29 10:53:44 10240 ----a-w- c:\windows\system32\drivers\mdvrmng.sys
2010-09-29 10:52:11 -------- d-----w- c:\program files\3 Mobile Broadband
2010-09-29 10:46:17 -------- d-----w- c:\docume~1\alluse~1\applic~1\Birdstep Technology
==================== Find3M ====================
2010-10-19 22:56:21 509440 ----a-w- c:\windows\system32\winlogon.exe
2010-09-18 11:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-08 10:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 10:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-01 11:48:34 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:38:48 1861888 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:01:06 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 06:05:07 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:43:28 590848 ----a-w- c:\windows\system32\rpcrt4.dll
============= FINISH: 15:23:52.87 ===============
Attach.txt is also zipped & attached.
Thanks in advance, and I appreciate all the help.
Cheers
Will40
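Added example (not part of Will40's post and not output of MBAM, GMER or DDS): a small Python triage script for DDS-style "Created Last 30" / "Find3M" listings. The sample lines embedded in it are copied from the log above; it flags core XP binaries that sit outside their canonical folder (the C:\WINDOWS\winlogon.exe MBAM detected, while the real one lives in system32) and reports copies of the same binary that disagree in size. The canonical-location table and the cache-folder list are hand-written assumptions for a 32-bit XP install on C:, not an authoritative list of protected files. The hash comparison is there to run on the live machine, because the two winlogon.exe copies in the log both show 509440 bytes and equal size alone does not prove equal content.

```python
"""Triage helper for DDS-style file listings.

Added example, not part of the post or of the DDS/MBAM/GMER tools. The
canonical-location table is a hand-written subset for 32-bit Windows XP on C:
and is an assumption, not an authoritative list of protected system files.
"""
import hashlib
import re
from collections import defaultdict

# One DDS listing line: date, time, size (dashes for a directory), attributes, path.
DDS_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+?)\s*$"
)

# Expected home of a few core XP binaries (assumption: illustrative subset only).
CANONICAL_DIR = {
    "winlogon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "spoolsv.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
}
# Folders where a second, legitimate copy is expected (SFC cache, service pack files).
LEGIT_CACHE_DIRS = {r"c:\windows\system32\dllcache", r"c:\windows\servicepackfiles\i386"}

# Constructed sample: lines copied from the DDS log above, not a live scan.
SAMPLE_DDS = r"""
2010-10-26 11:45:00 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-10-26 11:39:47 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-10-25 11:26:34 509440 ----a-w- c:\windows\winlogon.exe
2010-10-15 14:42:38 218112 ------w- c:\windows\system32\dllcache\wordpad.exe
2010-10-19 22:56:21 509440 ----a-w- c:\windows\system32\winlogon.exe
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
"""


def parse_dds(text):
    """Return one dict per file line; directory lines (size shown as dashes) are skipped."""
    entries = []
    for line in text.splitlines():
        m = DDS_LINE.match(line.strip())
        if not m or not m.group("size").isdigit():
            continue
        path = m.group("path").lower()
        folder, _, name = path.rpartition("\\")
        entries.append({
            "date": m.group("date"), "time": m.group("time"),
            "size": int(m.group("size")), "path": path,
            "folder": folder, "name": name,
        })
    return entries


def find_misplaced(entries):
    """Core binaries that sit outside their canonical folder and outside the SFC caches."""
    hits = []
    for e in entries:
        expected = CANONICAL_DIR.get(e["name"])
        if expected and e["folder"] != expected and e["folder"] not in LEGIT_CACHE_DIRS:
            hits.append((e["path"], expected))
    return hits


def find_size_conflicts(entries):
    """Core binaries whose copies (system32, dllcache, stray copies) disagree in size."""
    sizes = defaultdict(set)
    for e in entries:
        if e["name"] in CANONICAL_DIR:
            sizes[e["name"]].add(e["size"])
    return {name: sorted(s) for name, s in sizes.items() if len(s) > 1}


def sha256_of(path, chunk=1 << 16):
    """Stream a file through SHA-256; meant for the live machine, not for the log text."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def same_content(path_a, path_b):
    """Equal sizes (509440 bytes for both winlogon.exe copies in the log) prove
    nothing; only a digest comparison shows whether the stray copy matches."""
    return sha256_of(path_a) == sha256_of(path_b)


def triage(text):
    """Run both checks over a DDS listing and return the findings."""
    entries = parse_dds(text)
    return {"misplaced": find_misplaced(entries), "size_conflicts": find_size_conflicts(entries)}


if __name__ == "__main__":
    for path, expected in triage(SAMPLE_DDS)["misplaced"]:
        print(f"{path}: core binary outside {expected}; hash it against the system32 copy")
```

On the sample, the only finding is c:\windows\winlogon.exe (expected folder c:\windows\system32); the dllcache copy of wordpad.exe is left alone because dllcache is on the cache list. To finish the triage on the affected machine, call same_content on the stray copy and the system32 copy, and compare the system32 copy against its dllcache backup as well, since a patched file and its original typically look identical in a size-only listing.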
.text C:\Documents and Settings\Owner\Desktop\jw5zbqq1.exe[1020] ADVAPI32.dll!CreateServiceW 77E373B1 6 Bytes JMP 5F1C0F5A
.text C:\WINDOWS\Explorer.EXE[1536] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 02B20001
.text C:\WINDOWS\Explorer.EXE[1536] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\Explorer.EXE[1536] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\Explorer.EXE[1536] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 00B48328
.text C:\WINDOWS\Explorer.EXE[1536] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\Explorer.EXE[1536] ADVAPI32.dll!CreateProcessWithLogonW 77E16005 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1536] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E16009 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\taskswitch.exe[2128] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\taskswitch.exe[2128] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\taskswitch.exe[2128] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\taskswitch.exe[2128] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\taskswitch.exe[2128] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 009C0001
.text C:\WINDOWS\system32\taskswitch.exe[2128] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\taskswitch.exe[2128] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\taskswitch.exe[2128] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\taskswitch.exe[2128] ADVAPI32.dll!CreateProcessWithLogonW 77E16005 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\taskswitch.exe[2128] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E16009 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\taskswitch.exe[2128] ADVAPI32.dll!CreateServiceA 77E37219 6 Bytes JMP 5F190F5A
.text C:\WINDOWS\system32\taskswitch.exe[2128] ADVAPI32.dll!CreateServiceW 77E373B1 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe[2144] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe[2144] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe[2144] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe[2144] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe[2144] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00A60001
.text C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe[2144] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe[2144] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe[2144] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 6 Bytes JMP 5F100F5A
.text C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe[2144] ADVAPI32.dll!CreateProcessWithLogonW 77E16005 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe[2144] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E16009 2 Bytes [05, 5F]
.text C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe[2144] ADVAPI32.dll!CreateServiceA 77E37219 6 Bytes JMP 5F190F5A
.text C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe[2144] ADVAPI32.dll!CreateServiceW 77E373B1 6 Bytes JMP 5F1C0F5A
.text C:\WINDOWS\system32\ctfmon.exe[2160] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[2160] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\ctfmon.exe[2160] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[2160] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\ctfmon.exe[2160] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00AD0001
.text C:\WINDOWS\system32\ctfmon.exe[2160] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\ctfmon.exe[2160] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\ctfmon.exe[2160] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\ctfmon.exe[2160] ADVAPI32.dll!CreateProcessWithLogonW 77E16005 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[2160] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E16009 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\ctfmon.exe[2160] ADVAPI32.dll!CreateServiceA 77E37219 6 Bytes JMP 5F190F5A
.text C:\WINDOWS\system32\ctfmon.exe[2160] ADVAPI32.dll!CreateServiceW 77E373B1 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\Dell AIO Printer A940\dlbabmon.exe[2176] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Dell AIO Printer A940\dlbabmon.exe[2176] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Dell AIO Printer A940\dlbabmon.exe[2176] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Dell AIO Printer A940\dlbabmon.exe[2176] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Dell AIO Printer A940\dlbabmon.exe[2176] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00B80001
.text C:\Program Files\Dell AIO Printer A940\dlbabmon.exe[2176] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Dell AIO Printer A940\dlbabmon.exe[2176] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Dell AIO Printer A940\dlbabmon.exe[2176] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 6 Bytes JMP 5F100F5A
.text C:\Program Files\Dell AIO Printer A940\dlbabmon.exe[2176] ADVAPI32.dll!CreateProcessWithLogonW 77E16005 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Dell AIO Printer A940\dlbabmon.exe[2176] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E16009 2 Bytes [05, 5F]
.text C:\Program Files\Dell AIO Printer A940\dlbabmon.exe[2176] ADVAPI32.dll!CreateServiceA 77E37219 6 Bytes JMP 5F190F5A
.text C:\Program Files\Dell AIO Printer A940\dlbabmon.exe[2176] ADVAPI32.dll!CreateServiceW 77E373B1 6 Bytes JMP 5F1C0F5A
---- Devices - GMER 1.0.15 ----
Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip mdvrmng.sys
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp mdvrmng.sys
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp mdvrmng.sys
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp mdvrmng.sys
Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device Cdfs.SYS (CD-ROM File System Driver/Microsoft Corporation)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
DDS (Ver_10-10-21.02) - NTFSx86
Run by Will at 15:22:37.68 on 27/10/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.353.1033.18.1023.429 [GMT 1:00]
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe
C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\3 Mobile Broadband\3Connect\AutoUpdateSrv.exe
C:\Documents and Settings\Owner\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mURLSearchHooks: MHURLSearchHook Class: {1c4ab6a5-595f-4e86-b15f-f93cce2bbd48} - c:\program files\family toolbar\tbhelper.dll
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: MHTBPos00 Class: {0c37b053-fd68-456a-82e1-d788ee342e6f} - c:\program files\family toolbar\tbcore3.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\17.8.0.5\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\17.8.0.5\IPSBHO.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: CMySite Class: {d62ec836-bf1e-4cac-81be-fb9179835d8e} - c:\program files\family toolbar\mhxpcomi.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Family Toolbar: {fd2fd708-1f6f-4b68-b141-c5778f0c19bb} - c:\program files\family toolbar\tbcore3.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\17.8.0.5\coIEPlg.dll
TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [PeerBlock] c:\program files\peerblock\peerblock.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [Dell AIO Printer A940] "c:\program files\dell aio printer a940\dlbabmgr.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\3connect.lnk - c:\program files\3 mobile broadband\3connect\Wilog.exe
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-explorer: MaxRecentDocs = 18 (0x12)
mPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
mPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
mPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)
mPolicies-system: DisableStatusMessages = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: mhtb - {669A2A3A-F19C-452D-800D-1240299756C1} - c:\program files\family toolbar\mhxpcomi.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: {4F07DA45-8170-4859-9B5F-037EF2970034} - No File
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\xta0fo0z.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.independent.ie/business/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\xta0fo0z.default\extensions\{463f6ca5-ee3c-4be1-b7e6-7fee11953374}\platform\winnt\components\FoxyTunes.dll
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\xta0fo0z.default\extensions\{fd2fd708-1f6f-4b68-b141-c5778f0c19bb}\components\mhxpcom2.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\nokia\nokia pc suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\xta0fo0z.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\owner\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\opera\program\plugins\np_gp.dll
FF - plugin: c:\program files\opera\program\plugins\npdjvu.dll
FF - plugin: c:\program files\opera\program\plugins\npdjvu.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin2.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin3.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin4.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin5.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin6.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin7.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
============= SERVICES / DRIVERS ===============
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1108000.005\symds.sys [2010-10-19 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1108000.005\symefa.sys [2010-10-19 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\bashdefs\20101001.001\BHDrvx86.sys [2010-10-2 692272]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1108000.005\cchpx86.sys [2010-10-19 501888]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2010-1-5 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 67656]
R1 SLEE_14_DRIVER;Steganos Live Encryption Engine 14 [Driver];c:\windows\system32\drivers\sleen14.sys [2006-11-8 72480]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1108000.005\ironx86.sys [2010-10-19 116784]
R2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2010-8-27 312152]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\sitead~1\mcsacore.exe [2009-11-26 88176]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\17.8.0.5\ccsvchst.exe [2010-10-19 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-10-19 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\ipsdefs\20101015.005\IDSXpx86.sys [2010-10-13 341880]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\virusdefs\20101019.004\NAVENG.SYS [2010-10-19 86064]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\virusdefs\20101019.004\NAVEX15.SYS [2010-10-19 1371184]
S1 DumpDrv;Crash Dump Driver;c:\windows\system32\drivers\dumpdrv.sys [2009-10-19 9472]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-11-30 133104]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [2010-9-29 100736]
S3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2010-7-14 14424]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 12872]
=============== Created Last 30 ================
2010-10-26 11:45:00 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-10-26 11:39:47 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-10-25 11:26:34 509440 ----a-w- c:\windows\winlogon.exe
2010-10-19 12:07:51 361904 ----a-w- c:\windows\system32\drivers\nis\1108000.005\symtdi.sys
2010-10-19 12:07:51 339504 ----a-w- c:\windows\system32\drivers\nis\1108000.005\symtdiv.sys
2010-10-19 12:07:51 328752 ----a-r- c:\windows\system32\drivers\nis\1108000.005\symds.sys
2010-10-19 12:07:51 173104 ----a-w- c:\windows\system32\drivers\nis\1108000.005\symefa.sys
2010-10-19 12:07:50 501888 ----a-w- c:\windows\system32\drivers\nis\1108000.005\cchpx86.sys
2010-10-19 12:07:50 43696 ----a-w- c:\windows\system32\drivers\nis\1108000.005\srtspx.sys
2010-10-19 12:07:50 325680 ----a-w- c:\windows\system32\drivers\nis\1108000.005\srtsp.sys
2010-10-19 12:07:50 116784 ----a-w- c:\windows\system32\drivers\nis\1108000.005\ironx86.sys
2010-10-19 12:07:26 -------- d-----w- c:\windows\system32\drivers\nis\1108000.005
2010-10-18 22:51:33 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-10-18 22:51:33 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-10-18 22:51:33 -------- d-----w- c:\program files\Symantec
2010-10-18 22:51:33 -------- d-----w- c:\program files\common files\Symantec Shared
2010-10-18 22:50:49 -------- d-----w- c:\windows\system32\drivers\NIS
2010-10-18 22:50:44 -------- d-----w- c:\program files\Norton Internet Security
2010-10-18 22:50:43 -------- d-----w- c:\docume~1\alluse~1\applic~1\Norton
2010-10-18 21:51:17 -------- d-----w- c:\windows\Internet Logs
2010-10-18 21:45:36 -------- d-----w- c:\program files\NortonInstaller
2010-10-18 21:45:36 -------- d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2010-10-18 11:27:23 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-10-15 14:49:26 99840 ------w- c:\windows\system32\dllcache\srvsvc.dll
2010-10-15 14:42:38 218112 ------w- c:\windows\system32\dllcache\wordpad.exe
2010-10-15 14:42:37 1289216 ------w- c:\windows\system32\dllcache\ole32.dll
2010-10-15 14:32:20 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-15 14:32:20 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
2010-10-15 14:32:20 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-15 14:30:46 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2010-10-07 16:01:44 -------- d-----w- c:\program files\PopCap Games
2010-10-06 10:24:27 -------- d-----w- c:\docume~1\owner\locals~1\applic~1\Adobe
2010-10-05 11:57:15 -------- d-----w- c:\program files\iPod
2010-10-05 11:57:11 -------- d-----w- c:\program files\iTunes
2010-09-29 16:40:24 -------- d-----w- c:\program files\uTorrent
2010-09-29 16:39:24 -------- d-----w- c:\docume~1\owner\applic~1\uTorrent
2010-09-29 10:54:53 -------- d-----w- c:\docume~1\owner\applic~1\Birdstep Technology
2010-09-29 10:53:58 24448 ----a-w- c:\windows\system32\drivers\ewdcsc.sys
2010-09-29 10:53:58 112640 ----a-w- c:\windows\system32\drivers\ewusbnet.sys
2010-09-29 10:53:58 102528 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys
2010-09-29 10:53:58 100736 ----a-w- c:\windows\system32\drivers\ewusbdev.sys
2010-09-29 10:53:47 71262 ----a-w- c:\windows\Huawei ModemsUninstall.exe
2010-09-29 10:53:47 -------- d-----w- c:\program files\Huawei Modems
2010-09-29 10:53:44 10240 ----a-w- c:\windows\system32\drivers\mdvrmng.sys
2010-09-29 10:52:11 -------- d-----w- c:\program files\3 Mobile Broadband
2010-09-29 10:46:17 -------- d-----w- c:\docume~1\alluse~1\applic~1\Birdstep Technology
==================== Find3M ====================
2010-10-19 22:56:21 509440 ----a-w- c:\windows\system32\winlogon.exe
2010-09-18 11:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-08 10:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 10:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-01 11:48:34 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:38:48 1861888 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:01:06 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 06:05:07 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:43:28 590848 ----a-w- c:\windows\system32\rpcrt4.dll
============= FINISH: 15:23:52.87 ===============
Attach.txt is also zipped & attached.
Thanks in advance & Appreciate all the help..
Cheers
Will40