Google search redirects - Malware antivirus not picking it up

Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Posted Image

Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.

Posted Image

DO NOT RUN ComboFix unless requested to.

Posted Image

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

Posted Image

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Posted Image

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

Page 1 of 1

You cannot start a new topic
This topic is locked

Google search redirects - Malware antivirus not picking it up I do not know how to fix this alone

#1 hbianchi

New Member

Group: Members
Posts: 2
Joined: 26-October 11

Posted 26 October 2011 - 08:28 PM

I continue to get re directed during google searches. Most of the time when I click a link I get redirected to other sites. I noticed this almost 2 weeks ago.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_26
Run by Heather Bianchi at 21:16:09 on 2011-10-26
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3036.2121 [GMT -4:00]
.
AV: Trend Micro Internet Security *Disabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\DisplayLink Core Software\DisplayLinkService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKAiO2MUI.exe
C:\Program Files\TrueCrypt\TrueCrypt.exe
C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kodak\AiO\Center\EKAiOHostService.exe
C:\Program Files\Norton 360 Premier Edition\Engine\5.1.0.29\ccSvcHst.exe
C:\Program Files\Nitro PDF\Professional\NitroPDFDriverService.exe
C:\WINDOWS\system32\NLSSRV32.EXE
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Norton 360 Premier Edition\Engine\5.1.0.29\ccSvcHst.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe
C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
.
============== Pseudo HJT Report ===============
.
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360 premier edition\engine\5.1.0.29\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360 premier edition\engine\5.1.0.29\ips\IPSBHO.DLL
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360 premier edition\engine\5.1.0.29\coIEPlg.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [TrueCrypt] "c:\program files\truecrypt\TrueCrypt.exe" /q preferences /a logon
uRun: [TrueCrypt Format] "c:\program files\truecrypt\TrueCrypt Format.exe" /acsysenc
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Dell Webcam Central] "c:\program files\dell webcam\dell webcam central\WebcamDell2.exe" /mode2
mRun: [acevents] "c:\program files\actividentity\activclient\acevents.exe"
mRun: [accrdsub] "c:\program files\actividentity\activclient\accrdsub.exe"
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [EPSON Stylus C88 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O6 "USB001" /M "Stylus C88"
mRun: [Conime] %windir%\system32\conime.exe
mRun: [EKAIO2StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKAiO2MUI.exe
StartupFolder: c:\docume~1\heathe~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office14\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\activc~1.lnk - c:\program files\actividentity\activclient\acsagent.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Trusted Zone: cgifederal.com\privia
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
DPF: {819EDD4C-7EB6-4D97-B831-D68B57E7D3ED} - hxxp://stafford.gayle.schoolfusion.us/modules/calendar/wyncs-4-1-8/Wyncs.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
TCP: Interfaces\{9164AFCD-E137-411B-99CA-914E67AE2D1A} : DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: x-excid - {9D6CC632-1337-4a33-9214-2DA092E776F4} - c:\windows\downloaded program files\mimectl.dll
Handler: x-owacid - {0215258f-f0a8-49de-bf1b-0ff02eda8807} - c:\program files\microsoft\outlook web access smime client\mimectl.dll
Notify: ackpbsc - c:\program files\actividentity\activclient\ackpbsc.dll
Notify: acunlock - c:\program files\actividentity\activclient\acunlock.dll
Notify: igfxcui - igfxdev.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Authentication Packages = msv1_0 nwprovau
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\heather bianchi\application data\mozilla\firefox\profiles\aos9c3w6.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/?pc=Z128&install_date=20111011
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z128&form=ZGAADF&install_date=20111011&q=
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\all users\application

data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\coffplgn_2011_7_2_3\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\program files\mozilla firefox\extensions\{82af8dca-6de9-405d-bd5e-43525bdad38a}\components\SkypeFfComponent.dll
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Skype Click to Call: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\mozilla firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation

foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Symantec IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\documents and settings\all users\application

data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\IPSFFPlgn
FF - Ext: Norton Toolbar: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62} - c:\documents and settings\all users\application

data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\coFFPlgn_2011_7_2_3
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0501000.01d\SymDS.sys [2011-10-20 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0501000.01d\SymEFA.sys [2011-10-20 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application

data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\bashdefs\20111014.001\BHDrvx86.sys [2011-10-14 818808]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0501000.01d\Ironx86.sys [2011-10-20 136312]
R2 ac.sharedstore;ActivIdentity Shared Store Service;c:\program files\common files\actividentity\ac.sharedstore.exe [2009-6-3 207400]
R2 DisplayLinkService;DisplayLink Service;c:\program files\displaylink core software\DisplayLinkService.exe [2009-6-26 447848]
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\kodak\aio\center\EKAiOHostService.exe [2011-9-5 393648]
R2 N360;Norton 360;c:\program files\norton 360 premier edition\engine\5.1.0.29\ccSvcHst.exe [2011-10-20 130008]
R2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\nitro pdf\professional\NitroPDFDriverService.exe [2011-9-24 196928]
R2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [2011-9-24 68928]
R2 rimspci;rimspci;c:\windows\system32\drivers\rimspe86.sys [2010-7-18 45056]
R2 risdpcie;risdpcie;c:\windows\system32\drivers\risdpe86.sys [2010-7-18 48640]
R3 CtAudDrv;Provides advanced audio effects for audio devices.;c:\windows\system32\drivers\CtAudDrv.sys [2010-7-18 134144]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [2010-7-18 143968]
R3 DisplayLinkGA;DisplayLinkGA;c:\windows\system32\drivers\DisplayLinkGAport.sys [2009-6-26 20736]
R3 DisplayLinkmirror;DisplayLinkmirror;c:\windows\system32\drivers\DisplayLinkmirrorport.sys [2009-6-26 18944]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-10-20 105592]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application

data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\ipsdefs\20111025.030\IDSXpx86.sys [2011-10-25 356280]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application

data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\virusdefs\20111026.002\NAVENG.SYS [2011-10-26 86136]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application

data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\virusdefs\20111026.002\NAVEX15.SYS [2011-10-26 1576312]
R3 tmcfw;tmcfw;c:\windows\system32\drivers\TM_CFW.sys [2009-8-12 335376]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-8-17 135664]
S2 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-8-17 135664]
S3 DisplayLinkUsbPort;DisplayLink USB Device;c:\windows\system32\drivers\DisplayLinkUsbPort.sys [2010-8-20 20992]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-25 14336]
.
=============== Created Last 30 ================
.
2011-10-21 17:02:28 388096 ----a-r- c:\documents and settings\heather bianchi\application

data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-10-20 18:12:21 -------- d-----w- c:\documents and settings\heather bianchi\local settings\application data\NPE
2011-10-20 16:23:52 -------- d-----w- c:\windows\system32\drivers\n360\0501000.01D
2011-10-20 16:23:52 -------- d-----w- c:\windows\system32\drivers\N360
2011-10-20 16:23:50 -------- d-----w- c:\program files\Norton 360 Premier Edition
2011-10-20 16:17:04 -------- d-----w- c:\documents and settings\all users\application data\PCSettings
2011-10-20 00:00:15 62976 --sha-r- c:\windows\system32\rsaenhv.dll
2011-10-12 15:03:33 26432 ----a-w- c:\windows\system32\nitrolocalmon.dll
2011-10-12 15:03:33 17728 ----a-w- c:\windows\system32\nitrolocalui.dll
2011-10-12 15:03:18 -------- d-----w- c:\program files\Nitro PDF
2011-10-12 15:03:18 -------- d-----w- c:\program files\common files\Nitro PDF
2011-10-12 15:01:44 -------- d-----w- c:\documents and settings\heather bianchi\application data\Downloaded Installations
2011-10-11 02:18:49 98304 ----a-w- c:\windows\system32\redmonnt.dll
2011-10-11 02:18:41 -------- d-----w- c:\program files\FoxTabPDFConverter
2011-10-10 22:13:28 6784 -c--a-w- c:\windows\system32\dllcache\serscan.sys
2011-10-10 22:13:28 6784 ----a-w- c:\windows\system32\drivers\serscan.sys
2011-10-10 22:07:55 -------- d-----w- c:\documents and settings\heather bianchi\local settings\application data\Eastman_Kodak_Company
2011-10-10 22:06:33 -------- d-----w- c:\documents and settings\heather bianchi\local settings\application data\Eastman Kodak Company
2011-10-10 22:06:18 -------- d-----w- c:\windows\system32\kodak
2011-10-10 22:05:33 -------- d-----w- c:\program files\Kodak
2011-10-10 22:03:44 -------- d-----w- c:\documents and settings\heather bianchi\application data\Temp
2011-10-10 22:03:41 -------- d-----w- c:\documents and settings\all users\application data\Kodak
2011-10-06 15:40:34 -------- d-----w- c:\windows\system32\Adobe
2011-09-28 01:08:45 -------- d-----w- c:\documents and settings\heather bianchi\local settings\application data\Help
.
==================== Find3M ====================
.
2011-10-20 16:24:54 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-10-20 16:24:54 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-10-06 12:59:44 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-24 19:03:42 68928 ----a-w- c:\windows\system32\NLSSRV32.EXE
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:25:11 1867904 ----a-w- c:\windows\system32\win32k.sys
2011-09-02 16:37:54 59392 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\EKAiO2PPR.dll
2011-09-02 16:29:08 777728 ----a-w- c:\windows\system32\EKAiO2MON.dll
2011-09-02 16:29:08 146432 ----a-w- c:\windows\system32\EKAiO2COI05.dll
2011-08-17 21:32:17 832512 ----a-w- c:\windows\system32\wininet.dll
2011-08-17 21:32:16 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-08-17 21:32:16 1830912 ------w- c:\windows\system32\inetcpl.cpl
2011-08-17 21:32:15 17408 ----a-w- c:\windows\system32\corpol.dll
2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-17 12:22:23 389120 ----a-w- c:\windows\system32\html.iec
2011-08-12 15:52:48 10240 ----a-w- c:\windows\system32\EKaio2WiaCoInstRes.dll
2011-08-12 15:52:46 123904 ----a-w- c:\windows\system32\EKaio2WiaCoInst.dll
.
============= FINISH: 21:16:39.26 ===============

Attached File(s)

attach.txt (18.54K)
Number of downloads: 0
ark.log (12.41K)
Number of downloads: 0

#2 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,522
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 29 October 2011 - 10:02 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

Do not run any other tool untill instructed to do so!
please Do not Attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.
Do not run any other tool untill instructed to do so!

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.

Link 1

Link 2

Link 3

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

Log from Combofix
let me know of any problems you may have had
How is the computer doing now?

Gringo

I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->

<-- Don't worry every little bit helps.

#3 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,522
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 01 November 2011 - 12:47 AM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

do you still need help with this?
do you need more time?
are you having problems following my instructions?
if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

<-- Don't worry every little bit helps.

#4 hbianchi

New Member

Group: Members
Posts: 2
Joined: 26-October 11

Posted 02 November 2011 - 10:11 AM

Sorry it took me so long to get back to you. Here is the log from combofix.

ComboFix 11-11-02.01 - Heather Bianchi 11/02/2011 10:42:54.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3036.2091 [GMT -4:00]
Running from: c:\documents and settings\Heather Bianchi\Desktop\ComboFix.exe
AV: Trend Micro Internet Security *Disabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *Disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Heather Bianchi\System
c:\documents and settings\Heather Bianchi\System\win_qs8.jqx
C:\install.exe
C:\Thumbs.db
c:\windows\system32\Cache
c:\windows\system32\d3d9caps.dat
.
.
((((((((((((((((((((((((( Files Created from 2011-10-02 to 2011-11-02 )))))))))))))))))))))))))))))))
.
.
2011-10-21 17:02 . 2011-10-21 17:02 388096 ----a-r- c:\documents and settings\Heather Bianchi\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-10-20 18:12 . 2011-10-21 11:33 -------- d-----w- c:\documents and settings\Heather Bianchi\Local Settings\Application Data\NPE
2011-10-20 16:24 . 2011-10-20 16:24 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-10-20 16:24 . 2011-10-20 16:24 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-10-20 16:24 . 2011-10-20 16:38 -------- d-----w- c:\program files\Common Files\Symantec Shared
2011-10-20 16:24 . 2011-10-20 16:24 -------- d-----w- c:\program files\Symantec
2011-10-20 16:24 . 2010-08-21 03:59 106928 ----a-w- c:\windows\system32\GEARAspi.dll
2011-10-20 16:23 . 2011-10-20 16:23 -------- d-----w- c:\windows\system32\drivers\N360
2011-10-20 16:23 . 2011-10-20 16:23 -------- d-----w- c:\program files\Norton 360 Premier Edition
2011-10-20 16:17 . 2011-10-20 16:17 -------- d-----w- c:\documents and settings\All Users\Application Data\PCSettings
2011-10-20 00:00 . 2011-10-20 00:00 62976 --sha-r- c:\windows\system32\rsaenhv.dll
2011-10-12 15:15 . 2011-10-26 02:12 -------- d-----w- c:\documents and settings\Heather Bianchi\Application Data\Nitro PDF
2011-10-12 15:03 . 2011-09-24 19:01 26432 ----a-w- c:\windows\system32\nitrolocalmon.dll
2011-10-12 15:03 . 2011-09-24 19:01 17728 ----a-w- c:\windows\system32\nitrolocalui.dll
2011-10-12 15:03 . 2011-10-12 15:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Nitro PDF
2011-10-12 15:03 . 2011-10-12 15:03 -------- d-----w- c:\program files\Nitro PDF
2011-10-12 15:03 . 2011-10-12 15:03 -------- d-----w- c:\program files\Common Files\Nitro PDF
2011-10-12 15:01 . 2011-10-12 15:01 -------- d-----w- c:\documents and settings\Heather Bianchi\Application Data\Downloaded Installations
2011-10-11 23:35 . 2011-10-11 23:35 -------- d-----w- c:\documents and settings\LocalService\Application Data\Temp
2011-10-11 19:54 . 2011-10-11 19:54 -------- d-----w- c:\documents and settings\Heather Bianchi\Application Data\EPSON
2011-10-11 02:18 . 2007-08-21 17:32 98304 ----a-w- c:\windows\system32\redmonnt.dll
2011-10-11 02:18 . 2011-10-11 02:18 -------- d-----w- c:\program files\FoxTabPDFConverter
2011-10-10 22:13 . 2001-08-17 17:53 6784 -c--a-w- c:\windows\system32\dllcache\serscan.sys
2011-10-10 22:13 . 2001-08-17 17:53 6784 ----a-w- c:\windows\system32\drivers\serscan.sys
2011-10-10 22:07 . 2011-10-10 22:20 -------- d-----w- c:\documents and settings\Heather Bianchi\Local Settings\Application Data\Eastman_Kodak_Company
2011-10-10 22:06 . 2011-10-10 22:06 -------- d-----w- c:\documents and settings\Heather Bianchi\Local Settings\Application Data\Eastman Kodak Company
2011-10-10 22:06 . 2011-10-10 22:06 -------- d-----w- c:\windows\system32\kodak
2011-10-10 22:05 . 2011-10-10 22:05 -------- d-----w- c:\program files\Kodak
2011-10-10 22:03 . 2011-10-10 22:03 -------- d-----w- c:\documents and settings\Heather Bianchi\Application Data\Temp
2011-10-10 22:03 . 2011-11-02 14:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak
2011-10-06 15:40 . 2011-10-06 15:41 -------- d-----w- c:\windows\system32\Adobe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-06 12:59 . 2011-05-14 00:43 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-26 15:41 . 2008-07-30 07:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41 . 2008-04-25 16:16 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41 . 2008-04-25 16:16 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-24 19:03 . 2011-09-24 19:03 68928 ----a-w- c:\windows\system32\NLSSRV32.EXE
2011-09-09 09:12 . 2008-04-25 16:16 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:25 . 2008-04-25 16:16 1867904 ----a-w- c:\windows\system32\win32k.sys
2011-09-02 16:37 . 2011-09-02 16:37 59392 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\EKAiO2PPR.dll
2011-09-02 16:29 . 2011-09-02 16:29 777728 ----a-w- c:\windows\system32\EKAiO2MON.dll
2011-09-02 16:29 . 2011-09-02 16:29 146432 ----a-w- c:\windows\system32\EKAiO2COI05.dll
2011-08-17 21:32 . 2008-04-25 16:16 832512 ----a-w- c:\windows\system32\wininet.dll
2011-08-17 21:32 . 2008-04-25 16:16 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-08-17 21:32 . 2008-04-25 16:16 1830912 ------w- c:\windows\system32\inetcpl.cpl
2011-08-17 21:32 . 2008-04-25 16:16 17408 ----a-w- c:\windows\system32\corpol.dll
2011-08-17 13:49 . 2008-04-25 16:16 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-17 12:22 . 2008-04-25 16:16 389120 ----a-w- c:\windows\system32\html.iec
2011-08-12 15:52 . 2011-08-12 15:52 10240 ----a-w- c:\windows\system32\EKaio2WiaCoInstRes.dll
2011-08-12 15:52 . 2011-08-12 15:52 123904 ----a-w- c:\windows\system32\EKaio2WiaCoInst.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrueCrypt"="c:\program files\TrueCrypt\TrueCrypt.exe" [2010-08-17 1492944]
"TrueCrypt Format"="c:\program files\TrueCrypt\TrueCrypt Format.exe" [2010-08-17 1587152]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-03-10 233472]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]
"Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2009-06-24 409744]
"acevents"="c:\program files\ActivIdentity\ActivClient\acevents.exe" [2009-06-03 153640]
"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2009-06-03 400936]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"EPSON Stylus C88 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE" [2005-01-27 98304]
"Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]
"EKAIO2StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKAiO2MUI.exe" [2011-09-02 2717696]
.
c:\documents and settings\Heather Bianchi\Start Menu\Programs\Startup\
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2010-3-29 227712]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
ActivClient Agent.lnk - c:\program files\ActivIdentity\ActivClient\acsagent.exe [2009-6-3 130600]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]
2009-06-03 20:14 113152 ----a-w- c:\program files\ActivIdentity\ActivClient\ackpbsc.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]
2009-06-03 20:13 299520 ----a-w- c:\program files\ActivIdentity\ActivClient\acunlock.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\wowd.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\AiOHomeCenter.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\Kodak.Statistics.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\NetworkPrinterDiscovery.exe"=
"c:\\Program Files\\Kodak\\AiO\\Firmware\\KodakAiOUpdater.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kodak\\Installer\\Setup.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
"9322:TCP"= 9322:TCP:EKDiscovery
"5353:UDP"= 5353:UDP:Bonjour Port 5353
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0501000.01D\SymDS.sys [10/20/2011 12:24 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0501000.01D\SymEFA.sys [10/20/2011 12:24 PM 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\BASHDefs\20111027.001\BHDrvx86.sys [11/1/2011 4:00 PM 818808]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0501000.01D\Ironx86.sys [10/20/2011 12:24 PM 136312]
R2 ac.sharedstore;ActivIdentity Shared Store Service;c:\program files\Common Files\ActivIdentity\ac.sharedstore.exe [6/3/2009 4:16 PM 207400]
R2 DisplayLinkService;DisplayLink Service;c:\program files\DisplayLink Core Software\DisplayLinkService.exe [6/26/2009 9:20 AM 447848]
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\EKAiOHostService.exe [9/5/2011 5:00 PM 393648]
R2 N360;Norton 360;c:\program files\Norton 360 Premier Edition\Engine\5.1.0.29\ccSvcHst.exe [10/20/2011 12:23 PM 130008]
R2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\Nitro PDF\Professional\NitroPDFDriverService.exe [9/24/2011 3:03 PM 196928]
R2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [9/24/2011 3:03 PM 68928]
R2 rimspci;rimspci;c:\windows\system32\drivers\rimspe86.sys [7/18/2010 6:46 PM 45056]
R2 risdpcie;risdpcie;c:\windows\system32\drivers\risdpe86.sys [7/18/2010 6:46 PM 48640]
R3 CtAudDrv;Provides advanced audio effects for audio devices.;c:\windows\system32\drivers\CtAudDrv.sys [7/18/2010 4:20 PM 134144]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [7/18/2010 4:20 PM 143968]
R3 DisplayLinkGA;DisplayLinkGA;c:\windows\system32\drivers\DisplayLinkGAport.sys [6/26/2009 9:20 AM 20736]
R3 DisplayLinkmirror;DisplayLinkmirror;c:\windows\system32\drivers\DisplayLinkmirrorport.sys [6/26/2009 9:20 AM 18944]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [10/20/2011 4:19 PM 105592]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\IPSDefs\20111031.030\IDSXpx86.sys [11/2/2011 8:57 AM 356280]
R3 tmcfw;tmcfw;c:\windows\system32\drivers\TM_CFW.sys [8/12/2009 7:38 AM 335376]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/17/2010 12:58 PM 135664]
S2 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [8/17/2010 12:58 PM 135664]
S3 DisplayLinkUsbPort;DisplayLink USB Device;c:\windows\system32\drivers\DisplayLinkUsbPort.sys [8/20/2010 7:58 AM 20992]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 9:37 PM 4640000]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/25/2008 12:16 PM 14336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
2011-11-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-17 16:58]
.
2011-11-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-17 16:58]
.
2011-11-02 c:\windows\Tasks\User_Feed_Synchronization-{54C505CF-F5B1-4E1A-9752-C9061E7D526A}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 22:36]
.
.
------- Supplementary Scan -------
.
Trusted Zone: cgifederal.com\privia
TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
DPF: {819EDD4C-7EB6-4D97-B831-D68B57E7D3ED} - hxxp://stafford.gayle.schoolfusion.us/modules/calendar/wyncs-4-1-8/Wyncs.cab
FF - ProfilePath - c:\documents and settings\Heather Bianchi\Application Data\Mozilla\Firefox\Profiles\aos9c3w6.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/?pc=Z128&install_date=20111011
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z128&form=ZGAADF&install_date=20111011&q=
FF - prefs.js: network.proxy.type - 0
FF - Ext: Skype Click to Call: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Symantec IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\IPSFFPlgn
FF - Ext: Norton Toolbar: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62} - c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\coFFPlgn_2011_7_2_3
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
AddRemove-uCertify CISSP - c:\program files\uCertify\uninstall.exe
AddRemove-uCertify ICAP - c:\program files\uCertify\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-02 10:51
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360 Premier Edition\Engine\5.1.0.29\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360 Premier Edition\Engine\5.1.0.29\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1344)
c:\program files\ActivIdentity\ActivClient\ackpbsc.dll
c:\program files\ActivIdentity\ActivClient\aclog.dll
c:\program files\ActivIdentity\ActivClient\accrypto.dll
c:\program files\ActivIdentity\ActivClient\ACLIBEAY.dll
c:\program files\ActivIdentity\ActivClient\acevtsub.dll
c:\program files\ActivIdentity\ActivClient\asphat32.dll
c:\program files\ActivIdentity\ActivClient\acerrmes.dll
c:\program files\ActivIdentity\ActivClient\aiwinext.dll
c:\program files\ActivIdentity\ActivClient\aspcom.dll
c:\program files\ActivIdentity\ActivClient\Resources\acerrmrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\asphatrc.dll
c:\program files\ActivIdentity\ActivClient\acunlock.dll
c:\program files\ActivIdentity\ActivClient\aipingui.dll
c:\program files\ActivIdentity\ActivClient\aicext.dll
c:\program files\ActivIdentity\ActivClient\Resources\aipinguirc.dll
c:\program files\ActivIdentity\ActivClient\resources\acCobAPIrc.dll
c:\program files\ActivIdentity\ActivClient\resources\acCobAPIlrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\acunlockrc.dll
.
- - - - - - - > 'explorer.exe'(2604)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\System32\SCardSvr.exe
c:\program files\DisplayLink Core Software\DisplayLinkManager.exe
c:\program files\DisplayLink Core Software\DisplayLinkUI.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\HidFind.exe
c:\program files\DellTPad\Apntex.exe
c:\windows\system32\SearchFilterHost.exe
c:\windows\system32\SearchProtocolHost.exe
.
**************************************************************************
.
Completion time: 2011-11-02 10:56:07 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-02 14:56
.
Pre-Run: 224,487,632,896 bytes free
Post-Run: 224,427,929,600 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 5A818849A679CC53DD3504AB29B61A23

Let me know what you would like me to do next. Thanks for your help!!

#5 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,522
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 02 November 2011 - 12:38 PM

Greetings

Good That cleaned up some bad guys but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

File::
c:\windows\system32\rsaenhv.dll

Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

"information and logs"

In your next post I need the following

report from Combofix
let me know of any problems you may have had
How is the computer doing now after running the script?

Gringo

<-- Don't worry every little bit helps.

#6 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,522
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 05 November 2011 - 06:36 PM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

do you still need help with this?
do you need more time?
are you having problems following my instructions?
if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

<-- Don't worry every little bit helps.

#7 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,522
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 07 November 2011 - 11:13 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.