
backdoor.tidserv!inf virus removal


  • This topic is locked
10 replies to this topic

#1 hom136

hom136

  • Members
  • 7 posts
  • OFFLINE
  • Local time:09:38 AM

Posted 07 January 2010 - 02:39 PM

Hello,

I have Windows XP sp3 and Symantec Endpoint Protection. My problem is that backdoor.tidserv!inf keeps popping up on the auto-protect for Symantec, and it is removed when I use CCleaner for some reason, but it comes back. Also, whenever I click a Google search result, I am sometimes redirected to a bad website, and my computer has slowed down a bit during startup. Can you please help me with this problem? I have been battling this for a month now. Please reply back with what logs I need to post, but I'll go ahead now and I'll post a HJT log. Thank You Very Much. By the way, I can't load up safe mode, I have been solving my past problems with Windows Recovery Console.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:39:23 PM, on 1/7/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SavUI.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hopsurf.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigseekpro.com/hypercam/{0765C4...A-9DD6C5512C3B}
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~4\Office14\URLREDIR.DLL
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Jyothi Nandala\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res:///105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} - https://password.bellsouth.net/sdccommon/do...oad/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.0.5.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1170119888078
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: vfsp - (no CLSID) - (no file)
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: console-3.0.2 - Unknown owner - C:\Sun\WebConsole\bin\swc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Sun StorageTek™ Fault Management Service (Sun_STK_FMS) - Unknown owner - C:\Program Files\Sun\Common Array Manager\Component\fms\sbin\wrapper.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9239 bytes

Edit: Moved topic from XP to the more appropriate forum. ~ Animal

Edited by Animal, 07 January 2010 - 02:51 PM.




#2 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • OFFLINE
  • Gender:Male
  • Location:God's Country
  • Local time:08:38 AM

Posted 14 January 2010 - 11:48 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.


If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
PW

#3 hom136

hom136
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:09:38 AM

Posted 14 January 2010 - 08:06 PM

Thank You for replying!!!!

So I downloaded DDS.scr and I ran it with my A/V and internet connection off. Here is the DDS.txt.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Jyothi Nandala at 19:41:59.00 on Thu 01/14/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1416 [GMT -5:00]

AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\windows\system32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Jyothi Nandala\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.hopsurf.com
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en
mSearch Page =
mStart Page = hxxp://www.bigseekpro.com/hypercam/{0765C49D-1402-470a-B93A-9DD6C5512C3B}
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant =
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~4\office14\URLREDIR.DLL
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - No File
TB: {ECDEE021-0D17-467F-A1FF-C7A115230949} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
uRun: [Google Update] "c:\documents and settings\jyothi nandala\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 120\axcmd.exe" /automount
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - /105
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: musicmatch.com\online
Trusted Zone: wachovia.com
DPF: {01118A01-3E00-11D2-8470-0060089874ED} - hxxps://password.bellsouth.net/sdccommon/download/tgctlsr.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.0.5.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1170119888078
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\SAPHTMLP.DLL
Handler: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\SAPHTMLP.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jyothi~1\applic~1\mozilla\firefox\profiles\9mwz9wab.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\documents and settings\jyothi nandala\application data\mozilla\firefox\profiles\9mwz9wab.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\jyothi nandala\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\jyothi nandala\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\progra~1\micros~4\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~4\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: content.switch.threshold - 1000000
FF - user.js: nglayout.initialpaint.delay - 600
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [2009-1-7 20744]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2007-11-9 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2007-11-9 108392]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-10-5 10384]
R2 paldrv;paldrv;c:\windows\system32\pal_drv.sys [2007-1-3 10951]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2007-12-18 2189240]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-1-1 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100113.050\NAVENG.SYS [2010-1-14 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100113.050\NAVEX15.SYS [2010-1-14 1323568]
S2 console-3.0.2;console-3.0.2;c:\sun\webconsole\bin\swc.exe [2008-1-22 53248]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S2 Sun_STK_FMS;Sun StorageTek™ Fault Management Service;c:\program files\sun\common array manager\component\fms\sbin\wrapper.exe [2008-1-22 167936]
S3 ACGPRS;Sierra Wireless 3G Adapter;c:\windows\system32\drivers\acgprs.sys [2006-9-8 97920]
S3 ActivHidSerMini;Promethean Serial Board Driver;c:\windows\system32\drivers\activhidsermini.sys [2009-5-5 55936]
S3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\drivers\btnetBus.sys [2008-12-7 30088]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2007-5-29 23888]
S3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [2008-7-2 26248]
S3 NaiAvFilter102;NAI Anti Virus;\Device\NaiAvFilter102.sys --> \Device\NaiAvFilter102.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2009-9-26 4639136]
S3 prmvmouse;Promethean HID Mouse Service;c:\windows\system32\drivers\activmouse.sys --> c:\windows\system32\drivers\activmouse.sys [?]
S4 vsdatant;vsdatant;a --> a [?]

=============== Created Last 30 ================

2010-01-15 00:23:20 96512 ----a-w- c:\windows\system32\drivers\OLD68.tmp
2010-01-14 23:23:16 96512 ----a-w- c:\windows\system32\drivers\OLD43.tmp
2010-01-13 22:14:30 196 ----a-w- c:\windows\system32\MRT.INI
2010-01-13 22:08:03 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-08 21:47:41 20992 ----a-w- c:\windows\jestertb.dll
2010-01-06 23:54:25 0 d-----w- c:\program files\AviSynth 2.5
2010-01-06 23:28:43 0 d-----w- c:\program files\COMODO
2010-01-06 23:28:39 120 ----a-w- c:\windows\CIS_Setup_3.13.125662.579_XP_Vista_x32.INI
2010-01-05 23:01:15 81 ----a-w- C:\CTX.DAT
2010-01-05 23:01:12 0 d-----w- c:\documents and settings\jyothi nandala\Citrix
2010-01-04 01:40:48 14 ----a-w- c:\windows\SOF_LOG_.INI
2010-01-04 01:40:46 98240 ----a-w- c:\windows\system32\SDE16.DLL
2010-01-04 01:40:46 269312 ----a-w- c:\windows\system32\SDENSX32.DLL
2010-01-04 01:40:46 236976 ----a-w- c:\windows\system32\SDENSX16.DLL
2010-01-04 01:40:46 123392 ----a-w- c:\windows\system32\SDE32.DLL
2010-01-04 01:40:45 0 d-----w- C:\For Credit
2010-01-03 02:40:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-03 02:40:10 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-02 20:22:18 0 d-----w- c:\program files\Windows Media Connect 2
2010-01-01 17:10:55 91008 ----a-w- c:\windows\system32\drivers\SysPlant.sys
2010-01-01 17:10:26 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-01-01 17:10:26 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-01-01 17:10:26 136496 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-01-01 17:10:26 10652 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-01-01 04:53:42 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-01 00:26:07 0 d-----w- c:\program files\Symantec
2009-12-31 20:56:33 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-25 20:37:09 0 d-----w- c:\program files\Alcohol Soft
2009-12-25 20:26:39 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-12-25 17:03:38 0 d-----w- c:\docume~1\jyothi~1\applic~1\TortoiseSVN
2009-12-25 16:45:13 0 d-----w- c:\docume~1\jyothi~1\applic~1\Subversion
2009-12-24 17:43:46 98360 ----a-w- c:\windows\system32\bass.dll
2009-12-24 17:43:46 688128 ----a-w- c:\windows\system32\libeay32.dll
2009-12-24 17:43:46 25152 ----a-w- c:\windows\system32\bassmidi.dll
2009-12-24 17:43:46 25152 ----a-w- c:\windows\system32\bassflac.dll
2009-12-24 17:43:46 155648 ----a-w- c:\windows\system32\ssleay32.dll
2009-12-24 17:43:46 0 d-----w- c:\program files\SCAR 3.22
2009-12-24 00:27:39 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-12-24 00:27:36 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll
2009-12-23 17:06:53 0 d-----w- c:\program files\danny_kay1710
2009-12-23 15:50:32 0 d-----w- c:\program files\YouTube Downloader
2009-12-23 14:57:45 21504 ----a-w- c:\windows\system32\hidserv.dll
2009-12-23 14:57:45 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll

==================== Find3M ====================

2010-01-15 00:41:31 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-15 00:41:31 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2010-01-10 21:46:43 39 ----a-w- c:\documents and settings\jyothi nandala\jagex_runescape_preferences.dat
2010-01-10 21:44:02 69 ----a-w- c:\documents and settings\jyothi nandala\jagex_runescape_preferences2.dat
2009-12-14 22:40:08 78220 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-28 14:36:11 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-28 14:36:11 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-10-28 06:54:16 634632 ------w- c:\windows\system32\dllcache\iexplore.exe
2009-10-28 06:52:46 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys
2006-10-29 22:48:56 56 --sh--r- c:\windows\system32\380F03A057.sys
2006-10-29 22:48:58 3766 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 19:44:09.86 ===============

I have also attached Attach.txt in a ZIP file.
My problem is that a virus called backdoor.tidserv!inf keeps popping up in Symantec Endpoint Protection's auto protect. First, it infected atapi.sys. I don't know what exactly that is. Since then, files like atapi.sys.tmp and OLD68.tmp have been popping up in the auto protect. I don't know so much, but since then the computer has gotten much slower. In the midst of that, I also accidentally downloaded a VLC Media Player that wasn't from the right site, so it installed the Hotbar Spyware search engine. But I think I removed that. I'm telling just in case.
Once again, THANK YOU!!!!!!!



Edited by hom136, 14 January 2010 - 08:21 PM.
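The poster's DDS log above shows the pattern worth learning to spot in this kind of thread: a core boot driver (atapi.sys) with a brand-new modification time, the Windows File Protection copy in dllcache carrying the identical timestamp (so WFP would not restore a clean file), and .tmp files of exactly the driver's size (96512 bytes) appearing under system32\drivers. The following is an added example, not part of the thread and not code from the DDS tool: a small Python triage script that parses DDS "Created Last 30" / "Find3M" lines and flags those three indicators. The sample lines are copied from the log above; the scan time is an assumption (the DDS FINISH time converted to UTC, on the assumption that DDS prints file times in UTC, which the five-hour offset between the header and the file times suggests), and the watched-driver set holds only atapi.sys because that is the file the thread names.

```python
"""Triage helper for the file listings in a DDS log (added example, not the DDS tool's code).

It flags: a watched core driver with a fresh modification time, a dllcache copy whose
timestamp matches the live driver exactly, and .tmp files in system32\\drivers whose
size equals a watched driver's size.
"""
import re
from datetime import datetime, timedelta

# Sample input: lines copied from the thread's DDS log (Created Last 30 / Find3M sections).
SAMPLE_DDS = """\
2010-01-15 00:23:20 96512 ----a-w- c:\\windows\\system32\\drivers\\OLD68.tmp
2010-01-14 23:23:16 96512 ----a-w- c:\\windows\\system32\\drivers\\OLD43.tmp
2010-01-13 22:14:30 196 ----a-w- c:\\windows\\system32\\MRT.INI
2010-01-03 02:40:10 19160 ----a-w- c:\\windows\\system32\\drivers\\mbam.sys
2010-01-15 00:41:31 96512 ----a-w- c:\\windows\\system32\\drivers\\atapi.sys
2010-01-15 00:41:31 96512 ----a-w- c:\\windows\\system32\\dllcache\\atapi.sys
2009-10-20 16:20:16 265728 ------w- c:\\windows\\system32\\dllcache\\http.sys
"""

# Assumption: DDS FINISH time (19:44:09 local, GMT -5) expressed in UTC to match the file times.
SCAN_TIME = datetime(2010, 1, 15, 0, 44, 9)

# The driver the thread names as infected; extend this set for other core drivers you watch.
WATCHED_DRIVERS = {"atapi.sys"}
DRIVERS_DIR = "\\system32\\drivers\\"
DLLCACHE_DIR = "\\system32\\dllcache\\"

# DDS file lines: "<date> <time> <size> <8 attribute flags> <path>"; the path may contain spaces.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<size>\d+) (?P<attr>\S{8}) (?P<path>.+)$"
)


def parse_dds_lines(text):
    """Parse DDS file-listing lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "size": int(m["size"]),
            "attr": m["attr"],
            "path": m["path"].lower(),  # Windows paths are case-insensitive
        })
    return records


def basename(path):
    return path.rsplit("\\", 1)[-1]


def triage(records, scan_time, window_days=30):
    """Return (tag, path) findings for the indicators described in the docstring."""
    findings = []
    watched = {}  # driver name -> record of the live copy under system32\drivers

    # Pass 1: locate watched drivers and flag a recent modification time.
    for r in records:
        name = basename(r["path"])
        if name in WATCHED_DRIVERS and DRIVERS_DIR in r["path"]:
            watched[name] = r
            if scan_time - r["ts"] <= timedelta(days=window_days):
                findings.append(("recent-core-driver", r["path"]))

    watched_sizes = {w["size"] for w in watched.values()}

    # Pass 2: correlate the dllcache copy and any .tmp files against the watched drivers.
    for r in records:
        name = basename(r["path"])
        if name in watched and DLLCACHE_DIR in r["path"] and r["ts"] == watched[name]["ts"]:
            findings.append(("dllcache-copy-same-timestamp", r["path"]))
        if DRIVERS_DIR in r["path"] and name.endswith(".tmp"):
            tag = "tmp-size-matches-core-driver" if r["size"] in watched_sizes else "tmp-in-drivers"
            findings.append((tag, r["path"]))
    return findings


if __name__ == "__main__":
    for tag, path in triage(parse_dds_lines(SAMPLE_DDS), SCAN_TIME):
        print(f"{tag:32} {path}")
```

Run against the sample, the script reports atapi.sys as a recently modified core driver, its dllcache twin with the identical timestamp, and both OLD*.tmp files as matching the driver's size; mbam.sys, also created within the window, is not flagged because it is not a watched driver. The findings are leads for the tools the helpers ask for next (TDSSKiller, GMER), not a verdict on their own.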


#4 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:08:38 AM

Posted 16 January 2010 - 09:42 AM

Hi hom136,

Welcome to BleepingComputer HijackThis Logs and Malware Removal.
My name is sundavis, I will be helping you to deal with your Malware problems today.

Step 1

1. Go to this thread and Download TDSSKiller.zip to your Desktop.
2. Extract its contents to your desktop and drag TDSSKiller.exe on the desktop, not in the folder.
3. Start > Run and copy/paste the following bolded command into run box and hit Enter.

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

4. If TDSSKiller alerts you that the system needs to reboot, please consent.
5. When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.


Step 2
  1. If you already have Combofix, please delete that copy and download it again as it's being updated regularly.
  2. Please visit this webpage for download links, and instructions for running the tool:
    http://www.bleepingcomputer.com/combofix/how-to-use-combofix
  3. Note: ComboFix has recently been updated to include the option for installing the Recovery Console automatically. The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
    This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  4. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.
  5. Click Yes to allow Combofix to continue scanning for malware.
  6. When done, a log will be produced (or locate it in C:\ComboFix.txt). Please post that log in your next reply.
  7. Do not mouse click on Combofix while it is running. That may cause it to stall.


Step 3

Please download GMER Rootkit Scanner from Here or Here.
  1. Extract the contents of the zipped file to the desktop.
  2. Double-click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
  3. If it gives you a warning about rootkit activity and asks if you want to run a scan...click on NO.
  4. In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  5. Then click the Scan button & wait for it to finish. For more info, go to Here for your reference.
  6. Once done, click on the [Save..] button, and in the File name area type in "Gmer.txt", then copy and paste the contents in your next reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


In your next reply, please post back:

1. TDSSKiller.txt
2. ComboFix log
3. GMER log

Thanks.
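For anyone who wants to read a TDSSKiller log before posting it, the following script is an added example (not part of this post and not Kaspersky's code). It parses the verbose log that the `-l C:\TDSSKiller.txt -v` switches produce and flags the pattern TDSSKiller reports for a TDL3-infected driver: a MajorFunction table whose entries all point to one address, together with an on-disk driver file judged Infected. SAMPLE_LOG is constructed, abridged from the log format posted later in this thread; DEFAULT_HANDLER is an assumed per-system constant read off the clean disk.sys block; the function names are mine.

```python
"""Parse a verbose TDSSKiller log and surface the TDL3 hook pattern it reports.

Added example, not code from the thread or from Kaspersky. It assumes the log
was written with the "-l <file> -v" switches from step 1 and follows the line
format "HH:MM:SS:mmm <pid> <message>" used by TDSSKiller 2.2.x.
"""
import re
from collections import OrderedDict

# Constructed sample, abridged: a clean disk.sys block and an infected atapi
# block in the format of a TDSSKiller 2.2.x verbose log.
SAMPLE_LOG = r"""10:25:31:524 5980 Scanning Kernel memory ...
10:25:31:524 5980 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
10:25:31:524 5980 DetectCureTDL3: IrpHandler (0) addr: BA0EEBB0
10:25:31:524 5980 DetectCureTDL3: IrpHandler (1) addr: 804F355A
10:25:31:524 5980 DetectCureTDL3: IrpHandler (2) addr: BA0EEBB0
10:25:31:524 5980 DetectCureTDL3: IrpHandler (3) addr: BA0E8D1F
10:25:31:556 5980 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
10:25:31:571 5980 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
10:25:31:571 5980 DetectCureTDL3: IrpHandler (0) addr: 8A7F4841
10:25:31:571 5980 DetectCureTDL3: IrpHandler (1) addr: 8A7F4841
10:25:31:571 5980 DetectCureTDL3: IrpHandler (2) addr: 8A7F4841
10:25:31:571 5980 DetectCureTDL3: IrpHandler (3) addr: 8A7F4841
10:25:31:571 5980 DetectCureTDL3: All IRP handlers pointed to one addr: 8A7F4841
10:25:31:603 5980 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Infected
10:25:34:805 5980 will be cured on next reboot
10:25:34:821 5980 Memory objects infected / cured / cured on reboot: 2 / 2 / 0
10:25:34:821 5980 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
10:25:34:821 5980 File objects infected / cured / cured on reboot: 1 / 0 / 1
"""

LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s+(?P<msg>.*)$")
DRIVER_RE = re.compile(
    r"DetectCureTDL3: DRIVER_OBJECT name: (?P<obj>\S+), Driver Name: (?P<name>\S+)")
IRP_RE = re.compile(r"DetectCureTDL3: IrpHandler \((?P<idx>\d+)\) addr: (?P<addr>[0-9A-Fa-f]+)")
VERDICT_RE = re.compile(r"TDL3_FileDetect: (?P<path>.+?) - Verdict: (?P<verdict>\w+)")
RESULT_RE = re.compile(
    r"(?P<kind>Memory|Registry|File) objects infected / cured / cured on reboot: "
    r"(?P<inf>\d+) / (?P<cur>\d+) / (?P<reb>\d+)")

# In the clean disk.sys block every unimplemented MajorFunction slot shares this
# address, i.e. it is the kernel's own default handler on that build. Assumed
# per-system constant: read it off the clean drivers in your own log.
DEFAULT_HANDLER = 0x804F355A


def parse_tdsskiller_log(text):
    """Return drivers (name -> handlers/verdict), result counters and reboot flag."""
    drivers = OrderedDict()
    results = {}
    current = None
    reboot_required = False
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        d = DRIVER_RE.search(msg)
        if d:
            # \Driver\Disk gets one block per device object; merge them by name.
            current = drivers.setdefault(
                d.group("name"),
                {"object": d.group("obj"), "handlers": {}, "path": None, "verdict": None})
            continue
        i = IRP_RE.search(msg)
        if i and current is not None:
            current["handlers"][int(i.group("idx"))] = int(i.group("addr"), 16)
            continue
        v = VERDICT_RE.search(msg)
        if v and current is not None:
            current["path"], current["verdict"] = v.group("path"), v.group("verdict")
            continue
        r = RESULT_RE.search(msg)
        if r:
            results[r.group("kind")] = tuple(int(r.group(k)) for k in ("inf", "cur", "reb"))
        elif "cured on next reboot" in msg or "Reboot required" in msg:
            reboot_required = True
    return {"drivers": drivers, "results": results, "reboot_required": reboot_required}


def assess(parsed, default_handler=DEFAULT_HANDLER):
    """Flag drivers showing the TDL3 signature: a MajorFunction table collapsed
    onto a single non-default address, and/or an on-disk image judged Infected."""
    findings = []
    for name, info in parsed["drivers"].items():
        reasons = []
        addrs = set(info["handlers"].values())
        if len(info["handlers"]) > 1 and len(addrs) == 1 and default_handler not in addrs:
            reasons.append("all %d IRP handlers point to one address %08X"
                           % (len(info["handlers"]), next(iter(addrs))))
        if info["verdict"] == "Infected":
            reasons.append("on-disk image %s judged Infected" % info["path"])
        if reasons:
            findings.append((name, reasons))
    return findings


def analyze(text):
    """Parse and assess in one call; the 'findings' key lists suspect drivers."""
    parsed = parse_tdsskiller_log(text)
    parsed["findings"] = assess(parsed)
    return parsed


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for name, reasons in report["findings"]:
        print("%s: %s" % (name, "; ".join(reasons)))
    print("results:", report["results"], "reboot required:", report["reboot_required"])
```

Run it against a real C:\TDSSKiller.txt by passing the file's contents to analyze(). A "File objects ... cured on reboot" count above zero together with reboot_required means the patched driver is still on disk until the machine restarts, which is why step 4 asks you to consent to the reboot.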

#5 hom136 (Topic Starter)

Posted 16 January 2010 - 12:14 PM

Hello, and thank you for replying quickly. I'm sorry I was a bit late with the reply. The requested logs are posted below.

1.

10:25:30:759 5980 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
10:25:30:759 5980 ================================================================================
10:25:30:759 5980 SystemInfo:

10:25:30:759 5980 OS Version: 5.1.2600 ServicePack: 3.0
10:25:30:759 5980 Product type: Workstation
10:25:30:759 5980 ComputerName: OPENSOFT
10:25:30:775 5980 UserName: Jyothi Nandala
10:25:30:775 5980 Windows directory: C:\WINDOWS
10:25:30:775 5980 Processor architecture: Intel x86
10:25:30:775 5980 Number of processors: 1
10:25:30:775 5980 Page size: 0x1000
10:25:30:775 5980 Boot type: Normal boot
10:25:30:775 5980 ================================================================================
10:25:30:775 5980 UnloadDriverW: NtUnloadDriver error 2
10:25:30:775 5980 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
10:25:30:821 5980 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
10:25:30:853 5980 UtilityInit: KLMD drop and load success
10:25:30:853 5980 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
10:25:30:853 5980 UtilityInit: KLMD open success
10:25:30:853 5980 UtilityInit: Initialize success
10:25:30:853 5980
10:25:30:853 5980 Scanning Services ...
10:25:30:853 5980 CreateRegParser: Registry parser init started
10:25:30:853 5980 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
10:25:30:853 5980 CreateRegParser: DisableWow64Redirection error
10:25:30:853 5980 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
10:25:30:853 5980 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
10:25:30:853 5980 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
10:25:30:853 5980 wfopen_ex: Trying to KLMD file open
10:25:30:853 5980 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
10:25:30:853 5980 wfopen_ex: File opened ok (Flags 2)
10:25:30:853 5980 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 294D50
10:25:30:853 5980 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
10:25:30:853 5980 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
10:25:30:853 5980 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
10:25:30:853 5980 wfopen_ex: Trying to KLMD file open
10:25:30:853 5980 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
10:25:30:853 5980 wfopen_ex: File opened ok (Flags 2)
10:25:30:853 5980 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 294C40
10:25:30:853 5980 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
10:25:30:853 5980 CreateRegParser: EnableWow64Redirection error
10:25:30:853 5980 CreateRegParser: RegParser init completed
10:25:31:524 5980 GetAdvancedServicesInfo: Raw services enum returned 450 services
10:25:31:524 5980 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
10:25:31:524 5980 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
10:25:31:524 5980
10:25:31:524 5980 Scanning Kernel memory ...
10:25:31:524 5980 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
10:25:31:524 5980 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8A8D0910
10:25:31:524 5980 DetectCureTDL3: KLMD_GetDeviceObjectList returned 4 DevObjects
10:25:31:524 5980
10:25:31:524 5980 DetectCureTDL3: DEVICE_OBJECT: 8A8BCC68
10:25:31:524 5980 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A8BCC68
10:25:31:524 5980 KLMD_ReadMem: Trying to ReadMemory 0x8A8BCC68[0x38]
10:25:31:524 5980 DetectCureTDL3: DRIVER_OBJECT: 8A8D0910
10:25:31:524 5980 KLMD_ReadMem: Trying to ReadMemory 0x8A8D0910[0xA8]
10:25:31:524 5980 KLMD_ReadMem: Trying to ReadMemory 0xE102E950[0x18]
10:25:31:524 5980 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
10:25:31:524 5980 DetectCureTDL3: IrpHandler (0) addr: BA0EEBB0
10:25:31:524 5980 DetectCureTDL3: IrpHandler (1) addr: 804F355A
10:25:31:524 5980 DetectCureTDL3: IrpHandler (2) addr: BA0EEBB0
10:25:31:524 5980 DetectCureTDL3: IrpHandler (3) addr: BA0E8D1F
10:25:31:524 5980 DetectCureTDL3: IrpHandler (4) addr: BA0E8D1F
10:25:31:524 5980 DetectCureTDL3: IrpHandler (5) addr: 804F355A
10:25:31:524 5980 DetectCureTDL3: IrpHandler (6) addr: 804F355A
10:25:31:524 5980 DetectCureTDL3: IrpHandler (7) addr: 804F355A
10:25:31:524 5980 DetectCureTDL3: IrpHandler (8) addr: 804F355A
10:25:31:524 5980 DetectCureTDL3: IrpHandler (9) addr: BA0E92E2
10:25:31:524 5980 DetectCureTDL3: IrpHandler (10) addr: 804F355A
10:25:31:524 5980 DetectCureTDL3: IrpHandler (11) addr: 804F355A
10:25:31:524 5980 DetectCureTDL3: IrpHandler (12) addr: 804F355A
10:25:31:524 5980 DetectCureTDL3: IrpHandler (13) addr: 804F355A
10:25:31:524 5980 DetectCureTDL3: IrpHandler (14) addr: BA0E93BB
10:25:31:524 5980 DetectCureTDL3: IrpHandler (15) addr: BA0ECF28
10:25:31:524 5980 DetectCureTDL3: IrpHandler (16) addr: BA0E92E2
10:25:31:524 5980 DetectCureTDL3: IrpHandler (17) addr: 804F355A
10:25:31:524 5980 DetectCureTDL3: IrpHandler (18) addr: 804F355A
10:25:31:524 5980 DetectCureTDL3: IrpHandler (19) addr: 804F355A
10:25:31:524 5980 DetectCureTDL3: IrpHandler (20) addr: 804F355A
10:25:31:524 5980 DetectCureTDL3: IrpHandler (21) addr: 804F355A
10:25:31:524 5980 DetectCureTDL3: IrpHandler (22) addr: BA0EAC82
10:25:31:524 5980 DetectCureTDL3: IrpHandler (23) addr: BA0EF99E
10:25:31:524 5980 DetectCureTDL3: IrpHandler (24) addr: 804F355A
10:25:31:524 5980 DetectCureTDL3: IrpHandler (25) addr: 804F355A
10:25:31:524 5980 DetectCureTDL3: IrpHandler (26) addr: 804F355A
10:25:31:524 5980 TDL3_FileDetect: Processing driver: Disk
10:25:31:524 5980 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
10:25:31:524 5980 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
10:25:31:556 5980 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
10:25:31:556 5980
10:25:31:556 5980 DetectCureTDL3: DEVICE_OBJECT: 8A7F0C68
10:25:31:556 5980 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A7F0C68
10:25:31:556 5980 KLMD_ReadMem: Trying to ReadMemory 0x8A7F0C68[0x38]
10:25:31:556 5980 DetectCureTDL3: DRIVER_OBJECT: 8A8D0910
10:25:31:556 5980 KLMD_ReadMem: Trying to ReadMemory 0x8A8D0910[0xA8]
10:25:31:556 5980 KLMD_ReadMem: Trying to ReadMemory 0xE102E950[0x18]
10:25:31:556 5980 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
10:25:31:556 5980 DetectCureTDL3: IrpHandler (0) addr: BA0EEBB0
10:25:31:556 5980 DetectCureTDL3: IrpHandler (1) addr: 804F355A
10:25:31:556 5980 DetectCureTDL3: IrpHandler (2) addr: BA0EEBB0
10:25:31:556 5980 DetectCureTDL3: IrpHandler (3) addr: BA0E8D1F
10:25:31:556 5980 DetectCureTDL3: IrpHandler (4) addr: BA0E8D1F
10:25:31:556 5980 DetectCureTDL3: IrpHandler (5) addr: 804F355A
10:25:31:556 5980 DetectCureTDL3: IrpHandler (6) addr: 804F355A
10:25:31:556 5980 DetectCureTDL3: IrpHandler (7) addr: 804F355A
10:25:31:556 5980 DetectCureTDL3: IrpHandler (8) addr: 804F355A
10:25:31:556 5980 DetectCureTDL3: IrpHandler (9) addr: BA0E92E2
10:25:31:556 5980 DetectCureTDL3: IrpHandler (10) addr: 804F355A
10:25:31:556 5980 DetectCureTDL3: IrpHandler (11) addr: 804F355A
10:25:31:556 5980 DetectCureTDL3: IrpHandler (12) addr: 804F355A
10:25:31:556 5980 DetectCureTDL3: IrpHandler (13) addr: 804F355A
10:25:31:556 5980 DetectCureTDL3: IrpHandler (14) addr: BA0E93BB
10:25:31:556 5980 DetectCureTDL3: IrpHandler (15) addr: BA0ECF28
10:25:31:556 5980 DetectCureTDL3: IrpHandler (16) addr: BA0E92E2
10:25:31:556 5980 DetectCureTDL3: IrpHandler (17) addr: 804F355A
10:25:31:556 5980 DetectCureTDL3: IrpHandler (18) addr: 804F355A
10:25:31:556 5980 DetectCureTDL3: IrpHandler (19) addr: 804F355A
10:25:31:556 5980 DetectCureTDL3: IrpHandler (20) addr: 804F355A
10:25:31:556 5980 DetectCureTDL3: IrpHandler (21) addr: 804F355A
10:25:31:556 5980 DetectCureTDL3: IrpHandler (22) addr: BA0EAC82
10:25:31:556 5980 DetectCureTDL3: IrpHandler (23) addr: BA0EF99E
10:25:31:556 5980 DetectCureTDL3: IrpHandler (24) addr: 804F355A
10:25:31:556 5980 DetectCureTDL3: IrpHandler (25) addr: 804F355A
10:25:31:556 5980 DetectCureTDL3: IrpHandler (26) addr: 804F355A
10:25:31:556 5980 TDL3_FileDetect: Processing driver: Disk
10:25:31:556 5980 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
10:25:31:556 5980 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
10:25:31:571 5980 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
10:25:31:571 5980
10:25:31:571 5980 DetectCureTDL3: DEVICE_OBJECT: 8A8959F0
10:25:31:571 5980 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A8959F0
10:25:31:571 5980 KLMD_ReadMem: Trying to ReadMemory 0x8A8959F0[0x38]
10:25:31:571 5980 DetectCureTDL3: DRIVER_OBJECT: 8A8D0910
10:25:31:571 5980 KLMD_ReadMem: Trying to ReadMemory 0x8A8D0910[0xA8]
10:25:31:571 5980 KLMD_ReadMem: Trying to ReadMemory 0xE102E950[0x18]
10:25:31:571 5980 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
10:25:31:571 5980 DetectCureTDL3: IrpHandler (0) addr: BA0EEBB0
10:25:31:571 5980 DetectCureTDL3: IrpHandler (1) addr: 804F355A
10:25:31:571 5980 DetectCureTDL3: IrpHandler (2) addr: BA0EEBB0
10:25:31:571 5980 DetectCureTDL3: IrpHandler (3) addr: BA0E8D1F
10:25:31:571 5980 DetectCureTDL3: IrpHandler (4) addr: BA0E8D1F
10:25:31:571 5980 DetectCureTDL3: IrpHandler (5) addr: 804F355A
10:25:31:571 5980 DetectCureTDL3: IrpHandler (6) addr: 804F355A
10:25:31:571 5980 DetectCureTDL3: IrpHandler (7) addr: 804F355A
10:25:31:571 5980 DetectCureTDL3: IrpHandler (8) addr: 804F355A
10:25:31:571 5980 DetectCureTDL3: IrpHandler (9) addr: BA0E92E2
10:25:31:571 5980 DetectCureTDL3: IrpHandler (10) addr: 804F355A
10:25:31:571 5980 DetectCureTDL3: IrpHandler (11) addr: 804F355A
10:25:31:571 5980 DetectCureTDL3: IrpHandler (12) addr: 804F355A
10:25:31:571 5980 DetectCureTDL3: IrpHandler (13) addr: 804F355A
10:25:31:571 5980 DetectCureTDL3: IrpHandler (14) addr: BA0E93BB
10:25:31:571 5980 DetectCureTDL3: IrpHandler (15) addr: BA0ECF28
10:25:31:571 5980 DetectCureTDL3: IrpHandler (16) addr: BA0E92E2
10:25:31:571 5980 DetectCureTDL3: IrpHandler (17) addr: 804F355A
10:25:31:571 5980 DetectCureTDL3: IrpHandler (18) addr: 804F355A
10:25:31:571 5980 DetectCureTDL3: IrpHandler (19) addr: 804F355A
10:25:31:571 5980 DetectCureTDL3: IrpHandler (20) addr: 804F355A
10:25:31:571 5980 DetectCureTDL3: IrpHandler (21) addr: 804F355A
10:25:31:571 5980 DetectCureTDL3: IrpHandler (22) addr: BA0EAC82
10:25:31:571 5980 DetectCureTDL3: IrpHandler (23) addr: BA0EF99E
10:25:31:571 5980 DetectCureTDL3: IrpHandler (24) addr: 804F355A
10:25:31:571 5980 DetectCureTDL3: IrpHandler (25) addr: 804F355A
10:25:31:571 5980 DetectCureTDL3: IrpHandler (26) addr: 804F355A
10:25:31:571 5980 TDL3_FileDetect: Processing driver: Disk
10:25:31:571 5980 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
10:25:31:571 5980 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
10:25:31:571 5980 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
10:25:31:571 5980
10:25:31:571 5980 DetectCureTDL3: DEVICE_OBJECT: 8A898AB8
10:25:31:571 5980 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A898AB8
10:25:31:571 5980 DetectCureTDL3: DEVICE_OBJECT: 8A8D0D98
10:25:31:571 5980 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A8D0D98
10:25:31:571 5980 KLMD_ReadMem: Trying to ReadMemory 0x8A8D0D98[0x38]
10:25:31:571 5980 DetectCureTDL3: DRIVER_OBJECT: 8A8A2228
10:25:31:571 5980 KLMD_ReadMem: Trying to ReadMemory 0x8A8A2228[0xA8]
10:25:31:571 5980 KLMD_ReadMem: Trying to ReadMemory 0x8A8AC030[0x38]
10:25:31:571 5980 KLMD_ReadMem: Trying to ReadMemory 0x8A8C1030[0xA8]
10:25:31:571 5980 KLMD_ReadMem: Trying to ReadMemory 0xE18DB6F0[0x1A]
10:25:31:571 5980 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
10:25:31:571 5980 DetectCureTDL3: IrpHandler (0) addr: 8A7F4841
10:25:31:571 5980 DetectCureTDL3: IrpHandler (1) addr: 8A7F4841
10:25:31:571 5980 DetectCureTDL3: IrpHandler (2) addr: 8A7F4841
10:25:31:571 5980 DetectCureTDL3: IrpHandler (3) addr: 8A7F4841
10:25:31:571 5980 DetectCureTDL3: IrpHandler (4) addr: 8A7F4841
10:25:31:571 5980 DetectCureTDL3: IrpHandler (5) addr: 8A7F4841
10:25:31:571 5980 DetectCureTDL3: IrpHandler (6) addr: 8A7F4841
10:25:31:571 5980 DetectCureTDL3: IrpHandler (7) addr: 8A7F4841
10:25:31:571 5980 DetectCureTDL3: IrpHandler (8) addr: 8A7F4841
10:25:31:571 5980 DetectCureTDL3: IrpHandler (9) addr: 8A7F4841
10:25:31:571 5980 DetectCureTDL3: IrpHandler (10) addr: 8A7F4841
10:25:31:571 5980 DetectCureTDL3: IrpHandler (11) addr: 8A7F4841
10:25:31:571 5980 DetectCureTDL3: IrpHandler (12) addr: 8A7F4841
10:25:31:571 5980 DetectCureTDL3: IrpHandler (13) addr: 8A7F4841
10:25:31:571 5980 DetectCureTDL3: IrpHandler (14) addr: 8A7F4841
10:25:31:571 5980 DetectCureTDL3: IrpHandler (15) addr: 8A7F4841
10:25:31:571 5980 DetectCureTDL3: IrpHandler (16) addr: 8A7F4841
10:25:31:571 5980 DetectCureTDL3: IrpHandler (17) addr: 8A7F4841
10:25:31:571 5980 DetectCureTDL3: IrpHandler (18) addr: 8A7F4841
10:25:31:571 5980 DetectCureTDL3: IrpHandler (19) addr: 8A7F4841
10:25:31:571 5980 DetectCureTDL3: IrpHandler (20) addr: 8A7F4841
10:25:31:571 5980 DetectCureTDL3: IrpHandler (21) addr: 8A7F4841
10:25:31:571 5980 DetectCureTDL3: IrpHandler (22) addr: 8A7F4841
10:25:31:571 5980 DetectCureTDL3: IrpHandler (23) addr: 8A7F4841
10:25:31:571 5980 DetectCureTDL3: IrpHandler (24) addr: 8A7F4841
10:25:31:571 5980 DetectCureTDL3: IrpHandler (25) addr: 8A7F4841
10:25:31:571 5980 DetectCureTDL3: IrpHandler (26) addr: 8A7F4841
10:25:31:571 5980 DetectCureTDL3: All IRP handlers pointed to one addr: 8A7F4841
10:25:31:571 5980 KLMD_ReadMem: Trying to ReadMemory 0x8A7F4841[0x400]
10:25:31:571 5980 TDL3_IrpHookDetect: CheckParameters: 4, FFDF0308, 333, 121, 3, 109
10:25:31:571 5980 Driver "atapi" Irp handler infected by TDSS rootkit ... 10:25:31:571 5980 KLMD_WriteMem: Trying to WriteMemory 0x8A7F48BA[0xD]
10:25:31:571 5980 cured
10:25:31:571 5980 KLMD_ReadMem: Trying to ReadMemory 0x8A7F46EC[0x400]
10:25:31:571 5980 TDL3_StartIoHookDetect: CheckParameters: 9, FFDF0308, 1
10:25:31:571 5980 Driver "atapi" StartIo handler infected by TDSS rootkit ... 10:25:31:571 5980 TDL3_StartIoHookCure: Number of patches 1
10:25:31:571 5980 KLMD_WriteMem: Trying to WriteMemory 0x8A7F47F5[0x6]
10:25:31:571 5980 cured
10:25:31:571 5980 TDL3_FileDetect: Processing driver: atapi
10:25:31:571 5980 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
10:25:31:571 5980 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
10:25:31:603 5980 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Infected
10:25:31:603 5980 File C:\WINDOWS\system32\DRIVERS\atapi.sys infected by TDSS rootkit ... 10:25:31:603 5980 TDL3_FileCure: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
10:25:31:603 5980 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
10:25:31:603 5980 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\driver.cab
10:25:31:728 5980 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\sp2.cab
10:25:31:774 5980 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\sp3.cab
10:25:31:806 5980 CabinetCallback: Backup candidate found: atapi.sys:96512, extracting..
10:25:31:899 5980 CabinetCallback: File extracted successfully: C:\DOCUME~1\JYOTHI~1\LOCALS~1\Temp\bck10.tmp
10:25:31:899 5980 ValidateDriverFile: Stage 1 passed
10:25:31:915 5980 ValidateDriverFile: Stage 2 passed
10:25:32:165 5980 DigitalSignVerifyByHandle: Embedded DS result: 800B0100
10:25:34:743 5980 DigitalSignVerifyByHandle: Cat DS result: 00000000
10:25:34:743 5980 ValidateDriverFile: Stage 3 passed
10:25:34:743 5980 CabinetCallback: File validated successfully, restore information prepared
10:25:34:743 5980 FindDriverFileBackup: Backup copy found in cab-file
10:25:34:743 5980 TDL3_FileCure: Backup copy found, using it..
10:25:34:758 5980 TDL3_FileCure: Dumping cured buffer to file C:\WINDOWS\system32\drivers\tsk11.tmp
10:25:34:805 5980 TDL3_FileCure: New / Old Image paths: (system32\drivers\tsk11.tmp, system32\drivers\atapi.sys)
10:25:34:805 5980 TDL3_FileCure: KLMD jobs schedule success
10:25:34:805 5980 will be cured on next reboot
10:25:34:805 5980 UtilityBootReinit: Reboot required for cure complete..
10:25:34:805 5980 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmdb.sys) returned status 00000000
10:25:34:821 5980 UtilityBootReinit: KLMD drop success
10:25:34:821 5980 KLMD_ApplyPendList: Pending buffer(965_1614, 608) dropped successfully
10:25:34:821 5980 UtilityBootReinit: Cure on reboot scheduled successfully
10:25:34:821 5980
10:25:34:821 5980 Completed
10:25:34:821 5980
10:25:34:821 5980 Results:
10:25:34:821 5980 Memory objects infected / cured / cured on reboot: 2 / 2 / 0
10:25:34:821 5980 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
10:25:34:821 5980 File objects infected / cured / cured on reboot: 1 / 0 / 1
10:25:34:821 5980
10:25:34:821 5980 UnloadDriverW: NtUnloadDriver error 1
10:25:34:821 5980 KLMD_Unload: UnloadDriverW(klmd21) error 1
10:25:34:821 5980 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
10:25:34:821 5980 UtilityDeinit: KLMD(ARK) unloaded successfully

2.

ComboFix 10-01-15.05 - Jyothi Nandala 01/16/2010 10:46:36.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1475 [GMT -5:00]
Running from: c:\documents and settings\Jyothi Nandala\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\install.exe
c:\windows\jestertb.dll
c:\windows\kb913800.exe

.
((((((((((((((((((((((((( Files Created from 2009-12-16 to 2010-01-16 )))))))))))))))))))))))))))))))
.

2010-01-13 22:08 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-09 15:18 . 2010-01-14 00:06 -------- d-----w- c:\documents and settings\Jyothi Nandala\Application Data\vlc
2010-01-06 23:54 . 2010-01-06 23:54 -------- d-----w- c:\documents and settings\Jyothi Nandala\Local Settings\Application Data\Geckofx
2010-01-06 23:54 . 2010-01-07 00:19 -------- d-----w- c:\program files\AviSynth 2.5
2010-01-06 23:28 . 2010-01-07 00:11 -------- d-----w- c:\program files\COMODO
2010-01-05 23:01 . 2010-01-05 23:01 81 ----a-w- C:\CTX.DAT
2010-01-05 23:01 . 2010-01-05 23:01 -------- d-----w- c:\documents and settings\Jyothi Nandala\Citrix
2010-01-04 01:40 . 1997-08-01 09:00 98240 ----a-w- c:\windows\system32\SDE16.DLL
2010-01-04 01:40 . 1997-08-01 09:00 269312 ----a-w- c:\windows\system32\SDENSX32.DLL
2010-01-04 01:40 . 1997-08-01 09:00 236976 ----a-w- c:\windows\system32\SDENSX16.DLL
2010-01-04 01:40 . 1997-08-01 09:00 123392 ----a-w- c:\windows\system32\SDE32.DLL
2010-01-04 01:40 . 2010-01-04 01:43 -------- d-----w- C:\For Credit
2010-01-03 02:40 . 2009-12-30 19:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-31 17:42 . 2010-01-01 00:18 -------- d-----w- c:\documents and settings\Jyothi Nandala\Local Settings\Application Data\kopoxc
2009-12-25 20:37 . 2009-12-25 20:37 -------- d-----w- c:\documents and settings\Jyothi Nandala\Local Settings\Application Data\Conduit
2009-12-25 20:37 . 2009-12-25 20:37 -------- d-----w- c:\program files\Alcohol Soft
2009-12-25 20:26 . 2009-12-25 20:26 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-12-25 17:03 . 2009-12-25 17:03 -------- d-----w- c:\documents and settings\Jyothi Nandala\Application Data\TortoiseSVN
2009-12-25 16:45 . 2009-12-25 16:45 -------- d-----w- c:\documents and settings\Jyothi Nandala\Application Data\Subversion
2009-12-25 16:44 . 2009-12-25 20:28 -------- d-----w- c:\documents and settings\Jyothi Nandala\Local Settings\Application Data\TSVNCache
2009-12-24 17:43 . 2009-12-25 20:42 -------- d-----w- c:\program files\SCAR 3.22
2009-12-24 17:43 . 2008-10-28 19:00 98360 ----a-w- c:\windows\system32\bass.dll
2009-12-24 17:43 . 2008-10-28 18:07 25152 ----a-w- c:\windows\system32\bassmidi.dll
2009-12-24 17:43 . 2008-04-02 17:26 25152 ----a-w- c:\windows\system32\bassflac.dll
2009-12-24 17:43 . 2004-06-17 19:19 155648 ----a-w- c:\windows\system32\ssleay32.dll
2009-12-24 17:43 . 2004-06-17 19:19 688128 ----a-w- c:\windows\system32\libeay32.dll
2009-12-24 00:27 . 2008-04-14 01:11 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll
2009-12-23 17:06 . 2009-12-23 17:06 -------- d-----w- c:\program files\danny_kay1710
2009-12-23 15:50 . 2009-12-23 15:50 -------- d-----w- c:\program files\YouTube Downloader
2009-12-23 14:57 . 2008-04-14 01:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2009-12-23 14:57 . 2008-04-14 01:11 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
2009-12-21 20:24 . 2009-12-21 20:24 -------- d-----w- c:\documents and settings\Jyothi Nandala\Local Settings\Application Data\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-16 15:27 . 2004-08-04 04:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-14 00:09 . 2007-09-17 16:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-10 21:46 . 2008-12-26 22:35 39 ----a-w- c:\documents and settings\Jyothi Nandala\jagex_runescape_preferences.dat
2010-01-10 21:44 . 2009-10-25 16:42 69 ----a-w- c:\documents and settings\Jyothi Nandala\jagex_runescape_preferences2.dat
2009-12-25 17:14 . 2008-01-22 20:32 -------- d-----w- c:\program files\Sun
2009-12-25 17:13 . 2005-12-27 06:01 -------- d-----w- c:\program files\Java
2009-12-24 00:27 . 2009-12-24 00:27 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-12-14 22:40 . 2009-12-14 22:40 78220 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-10 21:48 . 2009-10-31 02:16 -------- d-----w- c:\program files\Mozilla Firefox 3.6 Beta 1
2009-12-08 01:51 . 2009-11-30 23:44 -------- d-----w- c:\program files\Kids Cam Show and Share Creativity Center
2009-12-04 15:03 . 2009-12-04 15:03 251376 ----a-w- c:\documents and settings\Jyothi Nandala\Application Data\Mozilla\plugins\npgoogletalk.dll
2009-11-30 23:44 . 2009-11-30 23:44 -------- d-----w- c:\program files\MyDSC2
2009-11-30 23:44 . 2009-11-30 23:44 -------- d-----w- c:\program files\Mars
2009-11-30 23:44 . 2009-11-30 23:44 -------- d-----w- c:\program files\JL2005C
2009-11-30 23:44 . 2009-11-30 23:44 -------- d-----w- c:\program files\JL2005B
2009-11-27 16:06 . 2009-11-27 16:06 -------- d-----w- c:\documents and settings\Jyothi Nandala\Application Data\Roxio
2009-11-27 00:16 . 2008-09-01 16:07 -------- d-----w- c:\documents and settings\Jyothi Nandala\Application Data\Apple Computer
2009-11-26 20:07 . 2009-01-18 21:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-11-26 19:43 . 2009-11-26 19:42 -------- d-----w- c:\program files\iTunes
2009-11-26 19:43 . 2009-11-26 19:42 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-11-26 19:42 . 2009-11-26 19:42 -------- d-----w- c:\program files\iPod
2009-11-26 19:42 . 2009-11-26 19:38 -------- d-----w- c:\program files\Common Files\Apple
2009-11-26 19:41 . 2009-11-26 19:41 -------- d-----w- c:\program files\Bonjour
2009-11-26 19:41 . 2009-11-26 19:40 -------- d-----w- c:\program files\QuickTime
2009-11-26 04:55 . 2009-10-13 23:21 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-11-25 22:19 . 2009-11-25 22:19 -------- d-----w- c:\documents and settings\NetworkService\Application Data\SACore
2009-11-25 22:05 . 2009-11-25 22:05 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-11-25 16:59 . 2006-03-11 18:32 -------- d-----w- c:\documents and settings\All Users\Application Data\yahoo!
2009-11-25 16:57 . 2005-12-27 06:07 -------- d-----w- c:\program files\Dell
2009-11-25 16:57 . 2005-12-27 06:17 -------- d-----w- c:\documents and settings\All Users\Application Data\GTek
2009-11-25 16:48 . 2008-01-28 15:42 -------- d-----w- c:\program files\Dell Support Center
2009-11-25 16:41 . 2009-11-07 23:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Toolbar4
2009-11-25 16:40 . 2008-02-20 14:58 -------- d-----w- c:\documents and settings\root\Application Data\AT&T
2009-11-25 16:40 . 2007-12-20 21:44 -------- d-----w- c:\documents and settings\Satwik Nandala\Application Data\AT&T
2009-11-25 16:40 . 2007-11-04 01:37 -------- d-----w- c:\documents and settings\Jyothi Nandala\Application Data\AT&T
2009-11-25 16:40 . 2007-11-03 15:19 -------- d-----w- c:\documents and settings\All Users\Application Data\AT&T
2009-11-25 16:40 . 2009-02-27 23:44 -------- d-----w- c:\program files\CA
2009-11-25 16:34 . 2006-04-14 21:49 -------- d-----w- c:\program files\BellSouth
2009-11-25 15:21 . 2005-12-27 06:23 -------- d-----w- c:\program files\Google
2009-11-25 02:57 . 2009-11-25 02:57 -------- d-----w- c:\program files\CCleaner
2009-11-25 02:19 . 2009-11-25 02:19 -------- d-----w- c:\program files\Siber Systems
2009-11-24 23:30 . 2006-03-11 23:41 100664 ----a-w- c:\documents and settings\Jyothi Nandala\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-24 19:32 . 2009-11-24 19:32 -------- d-----w- c:\program files\Microsoft Synchronization Services
2009-11-24 19:31 . 2009-11-24 19:31 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-11-24 19:22 . 2009-11-24 19:22 -------- d-----w- c:\program files\Microsoft Analysis Services
2009-11-23 14:40 . 2009-11-23 14:40 152576 ----a-w- c:\documents and settings\Jyothi Nandala\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-23 14:40 . 2009-11-23 14:40 79488 ----a-w- c:\documents and settings\Jyothi Nandala\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-21 15:51 . 2005-08-16 10:18 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-12 22:07 . 2009-11-12 22:07 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-09 23:13 . 2009-09-21 23:55 1 ----a-w- c:\documents and settings\Jyothi Nandala\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-11-05 01:09 . 2009-11-05 01:09 10134 ----a-r- c:\documents and settings\Jyothi Nandala\Application Data\Microsoft\Installer\{0E532C84-4275-41B3-9D81-D4A1A20D8EE7}\ARPPRODUCTICON.exe
2009-11-05 01:05 . 2009-11-05 01:04 12212040 ----a-w- c:\documents and settings\Jyothi Nandala\Application Data\Sony Setup\A34E95A5-C379-4746-B607-09AE7B36A102\WMFDist11-WindowsXP-x86-ENU.exe
2009-10-29 07:46 . 2005-08-16 10:18 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2005-08-16 10:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2005-08-16 10:18 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-24 17:47 . 2009-10-16 22:44 63488 ----a-w- c:\documents and settings\All Users\Application Data\Activ Software\ActivApplications\ActivFocusHook.dll
2009-10-21 05:38 . 2005-08-16 10:18 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2005-08-16 10:18 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 05:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2006-10-29 22:48 . 2006-01-06 14:56 56 --sh--r- c:\windows\system32\380F03A057.sys
2006-10-29 22:48 . 2006-10-29 22:43 3766 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}]
2009-11-04 02:12 556432 ----a-w- c:\progra~1\MICROS~4\Office14\URLREDIR.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"Google Update"="c:\documents and settings\Jyothi Nandala\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-26 135664]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2009-04-24 203928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-11-09 115560]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 22:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 16:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^OfficeSAS.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\OfficeSAS.lnk
backup=c:\windows\pss\OfficeSAS.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jyothi Nandala^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Jyothi Nandala\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jyothi Nandala^Start Menu^Programs^Startup^OneNote 2010 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Jyothi Nandala\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2010 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jyothi Nandala^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\documents and settings\Jyothi Nandala\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2007-11-09 20:15 115560 ----a-w- c:\program files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 21:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2009-12-30 19:55 1389904 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-05-27 01:06 4351216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
2007-02-21 01:18 366400 ----a-w- c:\program files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2006-09-18 23:53 214448 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Search Protection]
2009-02-23 13:05 111856 ----a-w- c:\program files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2006-09-18 23:53 185784 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 20:45 313472 ----a-w- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"vsmon"=2 (0x2)
"YahooAUService"=2 (0x2)
"SavRoam"=2 (0x2)
"RoxWatch9"=2 (0x2)
"RoxMediaDB9"=3 (0x3)
"RoxLiveShare9"=2 (0x2)
"Roxio Upnp Server 9"=2 (0x2)
"Roxio UPnP Renderer 9"=3 (0x3)
"PDEngine"=3 (0x3)
"PDAgent"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"MDM"=2 (0x2)
"LiveUpdate"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"ITMRTSVC"=2 (0x2)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"gusvc"=3 (0x3)
"GoogleDesktopManager"=3 (0x3)
"Fax"=2 (0x2)
"RPSUpdaterR"=3 (0x3)
"DSBrokerService"=3 (0x3)
"CVPND"=2 (0x2)
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\SAP\\FrontEnd\\SapGui\\saplogon.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\PurpleBean.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Documents and Settings\\Jyothi Nandala\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Jyothi Nandala\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:DCOM
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"6789:TCP"= 6789:TCP:CAM

R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [10/5/2009 4:26 PM 10384]
R2 paldrv;paldrv;c:\windows\system32\pal_drv.sys [1/3/2007 6:53 PM 10951]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [1/1/2010 12:17 PM 102448]
S0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [1/7/2009 11:39 PM 20744]
S2 console-3.0.2;console-3.0.2;c:\sun\WebConsole\bin\swc.exe [1/22/2008 3:41 PM 53248]
S2 Sun_STK_FMS;Sun StorageTek™ Fault Management Service;c:\program files\Sun\Common Array Manager\Component\fms\sbin\wrapper.exe [1/22/2008 3:42 PM 167936]
S3 ACGPRS;Sierra Wireless 3G Adapter;c:\windows\system32\drivers\acgprs.sys [9/8/2006 4:06 PM 97920]
S3 ActivHidSerMini;Promethean Serial Board Driver;c:\windows\system32\drivers\activhidsermini.sys [5/5/2009 4:25 PM 55936]
S3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\drivers\btnetBus.sys [12/7/2008 12:44 PM 30088]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [5/29/2007 1:55 PM 23888]
S3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [7/2/2008 2:58 PM 26248]
S3 NaiAvFilter102;NAI Anti Virus;\Device\NaiAvFilter102.sys --> \Device\NaiAvFilter102.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [9/26/2009 4:28 AM 4639136]
S3 prmvmouse;Promethean HID Mouse Service;c:\windows\system32\DRIVERS\activmouse.sys --> c:\windows\system32\DRIVERS\activmouse.sys [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/25/2009 3:26 PM 721904]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - KLMDB
*Deregistered* - klmdb

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2010-01-16 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 13:09]

2009-12-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-01-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2944425343-3162817394-86957142-1006Core.job
- c:\documents and settings\Jyothi Nandala\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-26 16:46]

2010-01-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2944425343-3162817394-86957142-1006UA.job
- c:\documents and settings\Jyothi Nandala\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-26 16:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.hopsurf.com
mStart Page = hxxp://www.bigseekpro.com/hypercam/{0765C49D-1402-470a-B93A-9DD6C5512C3B}
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - /105
Trusted Zone: musicmatch.com\online
Trusted Zone: wachovia.com
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
DPF: {01118A01-3E00-11D2-8470-0060089874ED} - hxxps://password.bellsouth.net/sdccommon/download/tgctlsr.cab
FF - ProfilePath - c:\documents and settings\Jyothi Nandala\Application Data\Mozilla\Firefox\Profiles\9mwz9wab.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\documents and settings\Jyothi Nandala\Application Data\Mozilla\Firefox\Profiles\9mwz9wab.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\Jyothi Nandala\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Jyothi Nandala\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\progra~1\MICROS~4\Office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\MICROS~4\Office14\NPSPWRAP.DLL
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: content.switch.threshold - 1000000
FF - user.js: nglayout.initialpaint.delay - 600
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{ECDEE021-0D17-467F-A1FF-C7A115230949} - (no file)
Notify-NavLogon - (no file)
SafeBoot-mcmscsvc
SafeBoot-MCODS
SafeBoot-Symantec Antvirus
MSConfigStartUp-Google Desktop Search - c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
MSConfigStartUp-nuqpmwya - c:\windows\system32\config\systemprofile\Local Settings\Application Data\tallmh\walasysguard.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-16 10:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"="a"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1104)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
Completion time: 2010-01-16 11:00:20
ComboFix-quarantined-files.txt 2010-01-16 16:00

Pre-Run: 4,705,550,336 bytes free
Post-Run: 9,355,575,296 bytes free

- - End Of File - - A05E24F58584C6EC1E6CFA54A47C2551

The GMER scan would always fail in the middle of scanning. I unchecked the boxes you told me to, but it still went to the blue screen of death a couple of times.
I decided it would be best if I didn't continue to run it. I'm sorry.

Again, thank you for helping me with my malware problems.

#6 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts

Posted 16 January 2010 - 02:52 PM

Hi hom136,

It seemed that you had not installed the Recovery Console while running CF. May I know the reason why? The Recovery Console is considered a valuable asset to your system. You're well advised to install it while running CF.

Please uninstall all outdated Java versions via Add/Remove Programs (Java 2 Runtime Environment, SE v1.4.2_03, Java DB 10.4.2.1) and clean the Java cache as instructed in this thread.


Step 1
  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Go to Here for your reference.
  3. Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text inside the code box below:
File::
c:\windows\system32\drivers\OLD68.tmp
c:\windows\system32\drivers\OLD43.tmp

DDS::
mSearch Page =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride =
mSearchAssistant =
TB: {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - No File
TB: {ECDEE021-0D17-467F-A1FF-C7A115230949} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
Trusted Zone: musicmatch.com\online
Trusted Zone: wachovia.com


Save this as CFScript.txt, change the "Save as type" to "All Files" and place it on your desktop.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Step 2

Let's clean some temp files. Please do the following:

Please download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.


If you use the Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Step 3


Please perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner.
  1. Please go to Kaspersky Online Scanner and perform an online antivirus scan.
  2. Click the Accept button on the "Requirements and limitations".
  3. When the Java warning "The application digital signature has been verified. Do you want to run the application" appears, click on the "Run" button.
  4. It will download and install the program and update the database.
  5. When updating the database has finished, click on Settings.
  6. Make sure all boxes are checked, then click on the Save button.
  7. Click on My Computer under the Scan menu. It will start scanning, so be patient and let it run.
  8. Once the scan is completed, click on View Scan Report.
  9. You may see a list of infected items over there. Click on Save Report As.
  10. Click "Desktop", name the file as "KAS", change the Files of type to Text file (.txt) and click on the Save button.
  11. Please post the contents in your next reply.
  12. You can refer to this animation.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset it to 100%.



Please post back the logs in your next reply.

1. Kas Online Scan Report
2. Fresh HJT log

Tell me if you have any remaining issues on your pc.

#7 hom136

hom136
  • Topic Starter

  • Members
  • 7 posts

Posted 18 January 2010 - 12:28 PM

Hello,

I ran ComboFix with the script you posted, ran HJT, and I tried to run Kaspersky Online Scanner, but many scripts were failing. It probably wasn't necessary anyway.
My computer booted up slower than normal today, but I don't know why. I probably have to run defragmentation. Below are the ComboFix and HijackThis logs.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:22:48 PM, on 1/18/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Symantec\LiveUpdate\luall.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hopsurf.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigseekpro.com/hypercam/{0765C4...A-9DD6C5512C3B}
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~4\Office14\URLREDIR.DLL
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Jyothi Nandala\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res:///105
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_17.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_17.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} - https://password.bellsouth.net/sdccommon/do...oad/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.0.5.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1170119888078
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: vfsp - (no CLSID) - (no file)
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: console-3.0.2 - Unknown owner - C:\Sun\WebConsole\bin\swc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Sun StorageTek™ Fault Management Service (Sun_STK_FMS) - Unknown owner - C:\Program Files\Sun\Common Array Manager\Component\fms\sbin\wrapper.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9631 bytes

ComboFix 10-01-16.03 - Jyothi Nandala 01/17/2010 9:22.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1457 [GMT -5:00]
Running from: c:\documents and settings\Jyothi Nandala\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jyothi Nandala\Desktop\CFScript.txt
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
"c:\windows\system32\drivers\OLD43.tmp"
"c:\windows\system32\drivers\OLD68.tmp"
.

((((((((((((((((((((((((( Files Created from 2009-12-17 to 2010-01-17 )))))))))))))))))))))))))))))))
.

2010-01-13 22:08 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-09 15:18 . 2010-01-14 00:06 -------- d-----w- c:\documents and settings\Jyothi Nandala\Application Data\vlc
2010-01-06 23:54 . 2010-01-06 23:54 -------- d-----w- c:\documents and settings\Jyothi Nandala\Local Settings\Application Data\Geckofx
2010-01-06 23:54 . 2010-01-07 00:19 -------- d-----w- c:\program files\AviSynth 2.5
2010-01-06 23:28 . 2010-01-07 00:11 -------- d-----w- c:\program files\COMODO
2010-01-05 23:01 . 2010-01-05 23:01 81 ----a-w- C:\CTX.DAT
2010-01-05 23:01 . 2010-01-05 23:01 -------- d-----w- c:\documents and settings\Jyothi Nandala\Citrix
2010-01-04 01:40 . 1997-08-01 09:00 98240 ----a-w- c:\windows\system32\SDE16.DLL
2010-01-04 01:40 . 1997-08-01 09:00 269312 ----a-w- c:\windows\system32\SDENSX32.DLL
2010-01-04 01:40 . 1997-08-01 09:00 236976 ----a-w- c:\windows\system32\SDENSX16.DLL
2010-01-04 01:40 . 1997-08-01 09:00 123392 ----a-w- c:\windows\system32\SDE32.DLL
2010-01-04 01:40 . 2010-01-04 01:43 -------- d-----w- C:\For Credit
2010-01-03 02:40 . 2009-12-30 19:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-31 17:42 . 2010-01-01 00:18 -------- d-----w- c:\documents and settings\Jyothi Nandala\Local Settings\Application Data\kopoxc
2009-12-25 20:37 . 2009-12-25 20:37 -------- d-----w- c:\documents and settings\Jyothi Nandala\Local Settings\Application Data\Conduit
2009-12-25 20:37 . 2009-12-25 20:37 -------- d-----w- c:\program files\Alcohol Soft
2009-12-25 20:26 . 2009-12-25 20:26 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-12-25 17:03 . 2009-12-25 17:03 -------- d-----w- c:\documents and settings\Jyothi Nandala\Application Data\TortoiseSVN
2009-12-25 16:45 . 2009-12-25 16:45 -------- d-----w- c:\documents and settings\Jyothi Nandala\Application Data\Subversion
2009-12-25 16:44 . 2009-12-25 20:28 -------- d-----w- c:\documents and settings\Jyothi Nandala\Local Settings\Application Data\TSVNCache
2009-12-24 17:43 . 2009-12-25 20:42 -------- d-----w- c:\program files\SCAR 3.22
2009-12-24 17:43 . 2008-10-28 19:00 98360 ----a-w- c:\windows\system32\bass.dll
2009-12-24 17:43 . 2008-10-28 18:07 25152 ----a-w- c:\windows\system32\bassmidi.dll
2009-12-24 17:43 . 2008-04-02 17:26 25152 ----a-w- c:\windows\system32\bassflac.dll
2009-12-24 17:43 . 2004-06-17 19:19 155648 ----a-w- c:\windows\system32\ssleay32.dll
2009-12-24 17:43 . 2004-06-17 19:19 688128 ----a-w- c:\windows\system32\libeay32.dll
2009-12-24 00:27 . 2008-04-14 01:11 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll
2009-12-23 17:06 . 2009-12-23 17:06 -------- d-----w- c:\program files\danny_kay1710
2009-12-23 15:50 . 2009-12-23 15:50 -------- d-----w- c:\program files\YouTube Downloader
2009-12-23 14:57 . 2008-04-14 01:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2009-12-23 14:57 . 2008-04-14 01:11 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
2009-12-21 20:24 . 2009-12-21 20:24 -------- d-----w- c:\documents and settings\Jyothi Nandala\Local Settings\Application Data\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-17 14:18 . 2008-01-22 20:32 -------- d-----w- c:\program files\Sun
2010-01-17 14:17 . 2005-12-27 06:01 -------- d-----w- c:\program files\Java
2010-01-16 15:27 . 2004-08-04 04:59 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-01-14 00:09 . 2007-09-17 16:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-10 21:46 . 2008-12-26 22:35 39 ----a-w- c:\documents and settings\Jyothi Nandala\jagex_runescape_preferences.dat
2010-01-10 21:44 . 2009-10-25 16:42 69 ----a-w- c:\documents and settings\Jyothi Nandala\jagex_runescape_preferences2.dat
2009-12-24 00:27 . 2009-12-24 00:27 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-12-14 22:40 . 2009-12-14 22:40 78220 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-10 21:48 . 2009-10-31 02:16 -------- d-----w- c:\program files\Mozilla Firefox 3.6 Beta 1
2009-12-08 01:51 . 2009-11-30 23:44 -------- d-----w- c:\program files\Kids Cam Show and Share Creativity Center
2009-12-04 15:03 . 2009-12-04 15:03 251376 ----a-w- c:\documents and settings\Jyothi Nandala\Application Data\Mozilla\plugins\npgoogletalk.dll
2009-11-30 23:44 . 2009-11-30 23:44 -------- d-----w- c:\program files\MyDSC2
2009-11-30 23:44 . 2009-11-30 23:44 -------- d-----w- c:\program files\Mars
2009-11-30 23:44 . 2009-11-30 23:44 -------- d-----w- c:\program files\JL2005C
2009-11-30 23:44 . 2009-11-30 23:44 -------- d-----w- c:\program files\JL2005B
2009-11-27 16:06 . 2009-11-27 16:06 -------- d-----w- c:\documents and settings\Jyothi Nandala\Application Data\Roxio
2009-11-27 00:16 . 2008-09-01 16:07 -------- d-----w- c:\documents and settings\Jyothi Nandala\Application Data\Apple Computer
2009-11-26 20:07 . 2009-01-18 21:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-11-26 19:43 . 2009-11-26 19:42 -------- d-----w- c:\program files\iTunes
2009-11-26 19:43 . 2009-11-26 19:42 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-11-26 19:42 . 2009-11-26 19:42 -------- d-----w- c:\program files\iPod
2009-11-26 19:42 . 2009-11-26 19:38 -------- d-----w- c:\program files\Common Files\Apple
2009-11-26 19:41 . 2009-11-26 19:41 -------- d-----w- c:\program files\Bonjour
2009-11-26 19:41 . 2009-11-26 19:40 -------- d-----w- c:\program files\QuickTime
2009-11-26 04:55 . 2009-10-13 23:21 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-11-25 22:19 . 2009-11-25 22:19 -------- d-----w- c:\documents and settings\NetworkService\Application Data\SACore
2009-11-25 22:05 . 2009-11-25 22:05 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-11-25 16:59 . 2006-03-11 18:32 -------- d-----w- c:\documents and settings\All Users\Application Data\yahoo!
2009-11-25 16:57 . 2005-12-27 06:07 -------- d-----w- c:\program files\Dell
2009-11-25 16:57 . 2005-12-27 06:17 -------- d-----w- c:\documents and settings\All Users\Application Data\GTek
2009-11-25 16:48 . 2008-01-28 15:42 -------- d-----w- c:\program files\Dell Support Center
2009-11-25 16:41 . 2009-11-07 23:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Toolbar4
2009-11-25 16:40 . 2008-02-20 14:58 -------- d-----w- c:\documents and settings\root\Application Data\AT&T
2009-11-25 16:40 . 2007-12-20 21:44 -------- d-----w- c:\documents and settings\Satwik Nandala\Application Data\AT&T
2009-11-25 16:40 . 2007-11-04 01:37 -------- d-----w- c:\documents and settings\Jyothi Nandala\Application Data\AT&T
2009-11-25 16:40 . 2007-11-03 15:19 -------- d-----w- c:\documents and settings\All Users\Application Data\AT&T
2009-11-25 16:40 . 2009-02-27 23:44 -------- d-----w- c:\program files\CA
2009-11-25 16:34 . 2006-04-14 21:49 -------- d-----w- c:\program files\BellSouth
2009-11-25 15:21 . 2005-12-27 06:23 -------- d-----w- c:\program files\Google
2009-11-25 02:57 . 2009-11-25 02:57 -------- d-----w- c:\program files\CCleaner
2009-11-25 02:19 . 2009-11-25 02:19 -------- d-----w- c:\program files\Siber Systems
2009-11-24 23:30 . 2006-03-11 23:41 100664 ----a-w- c:\documents and settings\Jyothi Nandala\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-24 19:32 . 2009-11-24 19:32 -------- d-----w- c:\program files\Microsoft Synchronization Services
2009-11-24 19:31 . 2009-11-24 19:31 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-11-24 19:22 . 2009-11-24 19:22 -------- d-----w- c:\program files\Microsoft Analysis Services
2009-11-23 14:40 . 2009-11-23 14:40 152576 ----a-w- c:\documents and settings\Jyothi Nandala\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-23 14:40 . 2009-11-23 14:40 79488 ----a-w- c:\documents and settings\Jyothi Nandala\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-21 15:51 . 2005-08-16 10:18 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-12 22:07 . 2009-11-12 22:07 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-09 23:13 . 2009-09-21 23:55 1 ----a-w- c:\documents and settings\Jyothi Nandala\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-11-05 01:09 . 2009-11-05 01:09 10134 ----a-r- c:\documents and settings\Jyothi Nandala\Application Data\Microsoft\Installer\{0E532C84-4275-41B3-9D81-D4A1A20D8EE7}\ARPPRODUCTICON.exe
2009-11-05 01:05 . 2009-11-05 01:04 12212040 ----a-w- c:\documents and settings\Jyothi Nandala\Application Data\Sony Setup\A34E95A5-C379-4746-B607-09AE7B36A102\WMFDist11-WindowsXP-x86-ENU.exe
2009-10-29 07:46 . 2005-08-16 10:18 832512 ------w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2005-08-16 10:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2005-08-16 10:18 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-24 17:47 . 2009-10-16 22:44 63488 ----a-w- c:\documents and settings\All Users\Application Data\Activ Software\ActivApplications\ActivFocusHook.dll
2009-10-21 05:38 . 2005-08-16 10:18 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2005-08-16 10:18 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 05:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2006-10-29 22:48 . 2006-01-06 14:56 56 --sh--r- c:\windows\system32\380F03A057.sys
2006-10-29 22:48 . 2006-10-29 22:43 3766 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-01-16_15.57.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-01-17 14:08 . 2010-01-17 14:08 16384 c:\windows\Temp\Perflib_Perfdata_1b0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}]
2009-11-04 02:12 556432 ----a-w- c:\progra~1\MICROS~4\Office14\URLREDIR.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"Google Update"="c:\documents and settings\Jyothi Nandala\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-26 135664]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2009-04-24 203928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-11-09 115560]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 22:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 16:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^OfficeSAS.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\OfficeSAS.lnk
backup=c:\windows\pss\OfficeSAS.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jyothi Nandala^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Jyothi Nandala\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jyothi Nandala^Start Menu^Programs^Startup^OneNote 2010 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Jyothi Nandala\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2010 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jyothi Nandala^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\documents and settings\Jyothi Nandala\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2007-11-09 20:15 115560 ----a-w- c:\program files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 21:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2009-12-30 19:55 1389904 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-05-27 01:06 4351216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
2007-02-21 01:18 366400 ----a-w- c:\program files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2006-09-18 23:53 214448 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Search Protection]
2009-02-23 13:05 111856 ----a-w- c:\program files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2006-09-18 23:53 185784 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 20:45 313472 ----a-w- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"vsmon"=2 (0x2)
"YahooAUService"=2 (0x2)
"SavRoam"=2 (0x2)
"RoxWatch9"=2 (0x2)
"RoxMediaDB9"=3 (0x3)
"RoxLiveShare9"=2 (0x2)
"Roxio Upnp Server 9"=2 (0x2)
"Roxio UPnP Renderer 9"=3 (0x3)
"PDEngine"=3 (0x3)
"PDAgent"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"MDM"=2 (0x2)
"LiveUpdate"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"ITMRTSVC"=2 (0x2)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"gusvc"=3 (0x3)
"GoogleDesktopManager"=3 (0x3)
"Fax"=2 (0x2)
"RPSUpdaterR"=3 (0x3)
"DSBrokerService"=3 (0x3)
"CVPND"=2 (0x2)
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\SAP\\FrontEnd\\SapGui\\saplogon.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\PurpleBean.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Documents and Settings\\Jyothi Nandala\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Jyothi Nandala\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:DCOM
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"6789:TCP"= 6789:TCP:CAM

R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [1/7/2009 11:39 PM 20744]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [10/5/2009 4:26 PM 10384]
R2 paldrv;paldrv;c:\windows\system32\pal_drv.sys [1/3/2007 6:53 PM 10951]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [1/1/2010 12:17 PM 102448]
S2 console-3.0.2;console-3.0.2;c:\sun\WebConsole\bin\swc.exe [1/22/2008 3:41 PM 53248]
S2 Sun_STK_FMS;Sun StorageTek™ Fault Management Service;c:\program files\Sun\Common Array Manager\Component\fms\sbin\wrapper.exe [1/22/2008 3:42 PM 167936]
S3 ACGPRS;Sierra Wireless 3G Adapter;c:\windows\system32\drivers\acgprs.sys [9/8/2006 4:06 PM 97920]
S3 ActivHidSerMini;Promethean Serial Board Driver;c:\windows\system32\drivers\activhidsermini.sys [5/5/2009 4:25 PM 55936]
S3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\drivers\btnetBus.sys [12/7/2008 12:44 PM 30088]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [5/29/2007 1:55 PM 23888]
S3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [7/2/2008 2:58 PM 26248]
S3 NaiAvFilter102;NAI Anti Virus;\Device\NaiAvFilter102.sys --> \Device\NaiAvFilter102.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [9/26/2009 4:28 AM 4639136]
S3 prmvmouse;Promethean HID Mouse Service;c:\windows\system32\DRIVERS\activmouse.sys --> c:\windows\system32\DRIVERS\activmouse.sys [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/25/2009 3:26 PM 721904]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2010-01-17 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 13:09]

2009-12-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-01-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2944425343-3162817394-86957142-1006Core.job
- c:\documents and settings\Jyothi Nandala\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-26 16:46]

2010-01-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2944425343-3162817394-86957142-1006UA.job
- c:\documents and settings\Jyothi Nandala\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-26 16:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.hopsurf.com
mStart Page = hxxp://www.bigseekpro.com/hypercam/{0765C49D-1402-470a-B93A-9DD6C5512C3B}
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - /105
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
DPF: {01118A01-3E00-11D2-8470-0060089874ED} - hxxps://password.bellsouth.net/sdccommon/download/tgctlsr.cab
FF - ProfilePath - c:\documents and settings\Jyothi Nandala\Application Data\Mozilla\Firefox\Profiles\9mwz9wab.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\documents and settings\Jyothi Nandala\Application Data\Mozilla\Firefox\Profiles\9mwz9wab.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\Jyothi Nandala\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Jyothi Nandala\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\progra~1\MICROS~4\Office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\MICROS~4\Office14\NPSPWRAP.DLL
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: content.switch.threshold - 1000000
FF - user.js: nglayout.initialpaint.delay - 600
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-17 09:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"="a"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1104)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(1524)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-01-17 09:34:10
ComboFix-quarantined-files.txt 2010-01-17 14:33
ComboFix2.txt 2010-01-16 16:00

Pre-Run: 9,350,230,016 bytes free
Post-Run: 9,309,556,736 bytes free

- - End Of File - - B34C3027BE1326CA160D0D3908AF6D04

I didn't want to install the Recovery Console because I use my Windows CD. By the way, can I defragment my hard drive, or will it change anything?
Thank you very much.




#8 sundavis

  • Malware Response Team
  • 2,708 posts

Posted 18 January 2010 - 12:49 PM

Hi hom136,



Please uninstall Viewpoint Media Player via Add/Remove Programs. Please run HijackThis! and click "Do a system scan only." Place a check next to the following entry (if present):

O18 - Protocol: vfsp - (no CLSID) - (no file)

Close all browsers and other windows except for HijackThis!, and click "Fix Checked". After that, please reboot your pc.

There is a Zone Alarm orphaned entry which may cause the system to act improperly. Let's fix it.

Step 1
  1. Close any open browsers
  2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Go to Here for your reference.
  3. Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text inside the code box below:
CODE
Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop



Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Step 2

Let's do some maintenance and hope to get your system back to working order.

Click Start>Run>Type CMD>A command prompt DOS window will open. Type/Paste ipconfig /flushdns and then press Enter to purge the DNS resolver cache.

Please proceed to do some disk cleanup, disk defragmenter, and check disk as instructed in this thread.

Please go to Start -> Control Panel, and choose Network Connections. Then right-click on your default connection, usually Local Area Connection (or Dial-up Connection if you are using Dial-up), and left-click on Properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically. Click OK twice, and restart your computer.

Open IE, select Tools > Internet Options. Select the Connections tab.
  1. If you are using LAN, click "LAN Settings" button. If you are using Dial-up or Virtual Private Network connection, select necessary connection and click "Settings" button.
  2. In the "Proxy Server" area, uncheck the check mark next to Use a proxy server for ....
  3. Click OK.
  4. Click the Advanced tab and click the Reset button.
  5. In the Reset Internet Explorer Settings dialog box, click Reset to confirm.
After that, what I'd like you to do is a hard reset of your router if you have one. Leave it on, and there should be a little pinhole in the back of the unit. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds). Then change your admin login and password; make it a strong password. You may also want to ask your ISP for help in case there are custom settings that need to be maintained.

If your Firefox can't work properly, you may try to uninstall FF completely and do a clean reinstall. You may back up your Bookmarks before proceeding. Please go to Here and Here.

Step 3

Try the following instead if still not working for Kas Online Scanner:

Please run the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  1. Turn off the real-time scanner of any existing antivirus program while performing the online scan
  2. Tick the box next to YES, I accept the Terms of Use.
  3. Click Start
  4. When asked, allow the ActiveX control to install
  5. Click Start
  6. Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  7. Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  8. Click Scan
  9. Wait for the scan to finish
  10. Use Notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt.
  11. Copy and paste that log as a reply to this topic and also let me know how things are now.
In your next reply, please post back:

1. ComboFix log
2. ESET Online Scanner report

Tell me if you have any remaining issues on your pc.

Edited by sundavis, 19 January 2010 - 09:26 AM.
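The checks sundavis makes by hand above (the orphaned vsdatant service whose ImagePath is just "a", the drivers ComboFix marks with "[?]" because their file is missing, and the CFScript Registry:: block that removes the dead key), as an added Python example that is not part of ComboFix or of any post in this thread. The sample lines it parses are copied from hom136's log above; the "user-profile autostart" heuristic is my own addition and marks items for review, not verdicts.

```python
"""Triage a ComboFix log excerpt the way the helper in this thread did by hand.

Added example for this thread, not part of ComboFix, HijackThis or any post here.
Flags drivers whose image file was not found ("path --> path [?]"), Services keys
whose ImagePath is not a path (the orphaned vsdatant entry, ImagePath "a"), and
Run entries started from a user profile (review items, not verdicts); then builds
the CFScript "Registry::" block that deletes the orphaned Services keys.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: lines copied from the ComboFix log posted earlier in the thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Google Update"="c:\documents and settings\Jyothi Nandala\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-26 135664]

R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [1/7/2009 11:39 PM 20744]
S3 NaiAvFilter102;NAI Anti Virus;\Device\NaiAvFilter102.sys --> \Device\NaiAvFilter102.sys [?]
S3 prmvmouse;Promethean HID Mouse Service;c:\windows\system32\DRIVERS\activmouse.sys --> c:\windows\system32\DRIVERS\activmouse.sys [?]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"="a"
"""

DRIVER_RE = re.compile(r"^[RS][0-4] ([^;]+);[^;]*;(.*)$")  # "S3 name;display name;path ..."
REG_KEY_RE = re.compile(r"^\[(.+)\]$")                      # "[HKEY_...]"
REG_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"(?:\s+\[.*\])?$')  # '"Name"="value" [date size]'


@dataclass
class Finding:
    category: str      # missing-image | orphaned-service | user-profile-autostart
    name: str          # service, driver or Run value name
    detail: str        # the path or value that triggered the finding
    reg_key: str = ""  # registry key the entry lives under, if known


def looks_like_image_path(value: str) -> bool:
    r"""A loadable ImagePath names a file: 'c:\...', 'system32\...', '\SystemRoot\...'
    or '%SystemRoot%\...'. A value with neither a backslash nor a %-variable, like
    the bare 'a' in this thread, is a leftover that can never start."""
    return "\\" in value or "%" in value


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = REG_KEY_RE.match(line)
        if m:  # remember which key the following "Name"="value" lines belong to
            current_key = m.group(1)
            continue
        m = DRIVER_RE.match(line)
        if m:
            name, rest = m.groups()
            # ComboFix prints "registered path --> resolved path [?]" when the
            # registered image file does not exist on disk.
            if rest.endswith("[?]"):
                findings.append(Finding("missing-image", name, rest.split(" --> ")[0]))
            continue
        m = REG_VALUE_RE.match(line)
        if not m:
            continue
        value_name, value = m.groups()
        key_lower = current_key.lower()
        if "\\services\\" in key_lower and value_name.lower() == "imagepath":
            if not looks_like_image_path(value):
                service = current_key.rsplit("\\", 1)[-1]
                findings.append(Finding("orphaned-service", service, value, current_key))
        elif key_lower.endswith("\\currentversion\\run"):
            # Autostart from a user profile rather than Program Files or the Windows
            # directory: not proof of anything, but worth a second look.
            if value.lower().startswith("c:\\documents and settings\\"):
                findings.append(Finding("user-profile-autostart", value_name, value, current_key))
    return findings


def cfscript_for(findings: List[Finding]) -> str:
    """The CFScript block used in this thread: 'Registry::' then one '[-KEY]' line
    per orphaned Services key. Missing-image drivers are reported, not deleted."""
    keys = [f.reg_key for f in findings if f.category == "orphaned-service"]
    if not keys:
        return ""
    return "Registry::\n" + "".join(f"[-{k}]\n" for k in keys)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.category:24} {f.name:18} {f.detail}")
    print(cfscript_for(found), end="")
```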


#9 hom136

  • Topic Starter
  • Members
  • 7 posts

Posted 20 January 2010 - 04:53 PM

Hello, here is the ComboFix log. I don't understand why I need to do step two, because my computer is working extremely fast. I think the virus has been cleaned.
The ESET online scanner produced no results, so I didn't post the log. Let me know if I need to do anything else.


ComboFix 10-01-16.03 - Jyothi Nandala 01/18/2010 17:23:55.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1460 [GMT -5:00]
Running from: c:\documents and settings\Jyothi Nandala\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jyothi Nandala\Desktop\CFScript.txt
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-12-18 to 2010-01-18 )))))))))))))))))))))))))))))))
.

2010-01-13 22:08 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-09 15:18 . 2010-01-14 00:06 -------- d-----w- c:\documents and settings\Jyothi Nandala\Application Data\vlc
2010-01-06 23:54 . 2010-01-06 23:54 -------- d-----w- c:\documents and settings\Jyothi Nandala\Local Settings\Application Data\Geckofx
2010-01-06 23:54 . 2010-01-07 00:19 -------- d-----w- c:\program files\AviSynth 2.5
2010-01-06 23:28 . 2010-01-07 00:11 -------- d-----w- c:\program files\COMODO
2010-01-05 23:01 . 2010-01-05 23:01 81 ----a-w- C:\CTX.DAT
2010-01-05 23:01 . 2010-01-05 23:01 -------- d-----w- c:\documents and settings\Jyothi Nandala\Citrix
2010-01-04 01:40 . 1997-08-01 09:00 98240 ----a-w- c:\windows\system32\SDE16.DLL
2010-01-04 01:40 . 1997-08-01 09:00 269312 ----a-w- c:\windows\system32\SDENSX32.DLL
2010-01-04 01:40 . 1997-08-01 09:00 236976 ----a-w- c:\windows\system32\SDENSX16.DLL
2010-01-04 01:40 . 1997-08-01 09:00 123392 ----a-w- c:\windows\system32\SDE32.DLL
2010-01-04 01:40 . 2010-01-04 01:43 -------- d-----w- C:\For Credit
2010-01-03 02:40 . 2009-12-30 19:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-31 17:42 . 2010-01-01 00:18 -------- d-----w- c:\documents and settings\Jyothi Nandala\Local Settings\Application Data\kopoxc
2009-12-25 20:37 . 2009-12-25 20:37 -------- d-----w- c:\documents and settings\Jyothi Nandala\Local Settings\Application Data\Conduit
2009-12-25 20:37 . 2009-12-25 20:37 -------- d-----w- c:\program files\Alcohol Soft
2009-12-25 20:26 . 2009-12-25 20:26 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-12-25 17:03 . 2009-12-25 17:03 -------- d-----w- c:\documents and settings\Jyothi Nandala\Application Data\TortoiseSVN
2009-12-25 16:45 . 2009-12-25 16:45 -------- d-----w- c:\documents and settings\Jyothi Nandala\Application Data\Subversion
2009-12-25 16:44 . 2009-12-25 20:28 -------- d-----w- c:\documents and settings\Jyothi Nandala\Local Settings\Application Data\TSVNCache
2009-12-24 17:43 . 2009-12-25 20:42 -------- d-----w- c:\program files\SCAR 3.22
2009-12-24 17:43 . 2008-10-28 19:00 98360 ----a-w- c:\windows\system32\bass.dll
2009-12-24 17:43 . 2008-10-28 18:07 25152 ----a-w- c:\windows\system32\bassmidi.dll
2009-12-24 17:43 . 2008-04-02 17:26 25152 ----a-w- c:\windows\system32\bassflac.dll
2009-12-24 17:43 . 2004-06-17 19:19 155648 ----a-w- c:\windows\system32\ssleay32.dll
2009-12-24 17:43 . 2004-06-17 19:19 688128 ----a-w- c:\windows\system32\libeay32.dll
2009-12-24 00:27 . 2008-04-14 01:11 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll
2009-12-23 17:06 . 2009-12-23 17:06 -------- d-----w- c:\program files\danny_kay1710
2009-12-23 15:50 . 2009-12-23 15:50 -------- d-----w- c:\program files\YouTube Downloader
2009-12-23 14:57 . 2008-04-14 01:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2009-12-23 14:57 . 2008-04-14 01:11 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
2009-12-21 20:24 . 2009-12-21 20:24 -------- d-----w- c:\documents and settings\Jyothi Nandala\Local Settings\Application Data\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-17 14:18 . 2008-01-22 20:32 -------- d-----w- c:\program files\Sun
2010-01-17 14:17 . 2005-12-27 06:01 -------- d-----w- c:\program files\Java
2010-01-16 15:27 . 2004-08-04 04:59 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-01-14 00:09 . 2007-09-17 16:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-10 21:46 . 2008-12-26 22:35 39 ----a-w- c:\documents and settings\Jyothi Nandala\jagex_runescape_preferences.dat
2010-01-10 21:44 . 2009-10-25 16:42 69 ----a-w- c:\documents and settings\Jyothi Nandala\jagex_runescape_preferences2.dat
2009-12-24 00:27 . 2009-12-24 00:27 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-12-14 22:40 . 2009-12-14 22:40 78220 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-10 21:48 . 2009-10-31 02:16 -------- d-----w- c:\program files\Mozilla Firefox 3.6 Beta 1
2009-12-08 01:51 . 2009-11-30 23:44 -------- d-----w- c:\program files\Kids Cam Show and Share Creativity Center
2009-12-04 15:03 . 2009-12-04 15:03 251376 ----a-w- c:\documents and settings\Jyothi Nandala\Application Data\Mozilla\plugins\npgoogletalk.dll
2009-11-30 23:44 . 2009-11-30 23:44 -------- d-----w- c:\program files\MyDSC2
2009-11-30 23:44 . 2009-11-30 23:44 -------- d-----w- c:\program files\Mars
2009-11-30 23:44 . 2009-11-30 23:44 -------- d-----w- c:\program files\JL2005C
2009-11-30 23:44 . 2009-11-30 23:44 -------- d-----w- c:\program files\JL2005B
2009-11-27 16:06 . 2009-11-27 16:06 -------- d-----w- c:\documents and settings\Jyothi Nandala\Application Data\Roxio
2009-11-27 00:16 . 2008-09-01 16:07 -------- d-----w- c:\documents and settings\Jyothi Nandala\Application Data\Apple Computer
2009-11-26 20:07 . 2009-01-18 21:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-11-26 19:43 . 2009-11-26 19:42 -------- d-----w- c:\program files\iTunes
2009-11-26 19:43 . 2009-11-26 19:42 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-11-26 19:42 . 2009-11-26 19:42 -------- d-----w- c:\program files\iPod
2009-11-26 19:42 . 2009-11-26 19:38 -------- d-----w- c:\program files\Common Files\Apple
2009-11-26 19:41 . 2009-11-26 19:41 -------- d-----w- c:\program files\Bonjour
2009-11-26 19:41 . 2009-11-26 19:40 -------- d-----w- c:\program files\QuickTime
2009-11-26 04:55 . 2009-10-13 23:21 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-11-25 22:19 . 2009-11-25 22:19 -------- d-----w- c:\documents and settings\NetworkService\Application Data\SACore
2009-11-25 22:05 . 2009-11-25 22:05 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-11-25 16:59 . 2006-03-11 18:32 -------- d-----w- c:\documents and settings\All Users\Application Data\yahoo!
2009-11-25 16:57 . 2005-12-27 06:07 -------- d-----w- c:\program files\Dell
2009-11-25 16:57 . 2005-12-27 06:17 -------- d-----w- c:\documents and settings\All Users\Application Data\GTek
2009-11-25 16:48 . 2008-01-28 15:42 -------- d-----w- c:\program files\Dell Support Center
2009-11-25 16:41 . 2009-11-07 23:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Toolbar4
2009-11-25 16:40 . 2008-02-20 14:58 -------- d-----w- c:\documents and settings\root\Application Data\AT&T
2009-11-25 16:40 . 2007-12-20 21:44 -------- d-----w- c:\documents and settings\Satwik Nandala\Application Data\AT&T
2009-11-25 16:40 . 2007-11-04 01:37 -------- d-----w- c:\documents and settings\Jyothi Nandala\Application Data\AT&T
2009-11-25 16:40 . 2007-11-03 15:19 -------- d-----w- c:\documents and settings\All Users\Application Data\AT&T
2009-11-25 16:40 . 2009-02-27 23:44 -------- d-----w- c:\program files\CA
2009-11-25 16:34 . 2006-04-14 21:49 -------- d-----w- c:\program files\BellSouth
2009-11-25 15:21 . 2005-12-27 06:23 -------- d-----w- c:\program files\Google
2009-11-25 02:57 . 2009-11-25 02:57 -------- d-----w- c:\program files\CCleaner
2009-11-25 02:19 . 2009-11-25 02:19 -------- d-----w- c:\program files\Siber Systems
2009-11-24 23:30 . 2006-03-11 23:41 100664 ----a-w- c:\documents and settings\Jyothi Nandala\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-24 19:32 . 2009-11-24 19:32 -------- d-----w- c:\program files\Microsoft Synchronization Services
2009-11-24 19:31 . 2009-11-24 19:31 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-11-24 19:22 . 2009-11-24 19:22 -------- d-----w- c:\program files\Microsoft Analysis Services
2009-11-23 14:40 . 2009-11-23 14:40 152576 ----a-w- c:\documents and settings\Jyothi Nandala\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-23 14:40 . 2009-11-23 14:40 79488 ----a-w- c:\documents and settings\Jyothi Nandala\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-21 15:51 . 2005-08-16 10:18 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-12 22:07 . 2009-11-12 22:07 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-09 23:13 . 2009-09-21 23:55 1 ----a-w- c:\documents and settings\Jyothi Nandala\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-11-05 01:09 . 2009-11-05 01:09 10134 ----a-r- c:\documents and settings\Jyothi Nandala\Application Data\Microsoft\Installer\{0E532C84-4275-41B3-9D81-D4A1A20D8EE7}\ARPPRODUCTICON.exe
2009-11-05 01:05 . 2009-11-05 01:04 12212040 ----a-w- c:\documents and settings\Jyothi Nandala\Application Data\Sony Setup\A34E95A5-C379-4746-B607-09AE7B36A102\WMFDist11-WindowsXP-x86-ENU.exe
2009-10-29 07:46 . 2005-08-16 10:18 832512 ------w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2005-08-16 10:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2005-08-16 10:18 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-24 17:47 . 2009-10-16 22:44 63488 ----a-w- c:\documents and settings\All Users\Application Data\Activ Software\ActivApplications\ActivFocusHook.dll
2009-10-21 05:38 . 2005-08-16 10:18 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2005-08-16 10:18 25088 ----a-w- c:\windows\system32\httpapi.dll
2006-10-29 22:48 . 2006-01-06 14:56 56 --sh--r- c:\windows\system32\380F03A057.sys
2006-10-29 22:48 . 2006-10-29 22:43 3766 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-01-16_15.57.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-01-18 22:00 . 2010-01-18 22:00 16384 c:\windows\Temp\Perflib_Perfdata_590.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}]
2009-11-04 02:12 556432 ----a-w- c:\progra~1\MICROS~4\Office14\URLREDIR.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"Google Update"="c:\documents and settings\Jyothi Nandala\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-26 135664]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2009-04-24 203928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-11-09 115560]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 22:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 16:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^OfficeSAS.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\OfficeSAS.lnk
backup=c:\windows\pss\OfficeSAS.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jyothi Nandala^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Jyothi Nandala\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jyothi Nandala^Start Menu^Programs^Startup^OneNote 2010 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Jyothi Nandala\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2010 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jyothi Nandala^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\documents and settings\Jyothi Nandala\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2007-11-09 20:15 115560 ----a-w- c:\program files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 21:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2009-12-30 19:55 1389904 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-05-27 01:06 4351216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
2007-02-21 01:18 366400 ----a-w- c:\program files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2006-09-18 23:53 214448 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Search Protection]
2009-02-23 13:05 111856 ----a-w- c:\program files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2006-09-18 23:53 185784 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 20:45 313472 ----a-w- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"vsmon"=2 (0x2)
"YahooAUService"=2 (0x2)
"SavRoam"=2 (0x2)
"RoxWatch9"=2 (0x2)
"RoxMediaDB9"=3 (0x3)
"RoxLiveShare9"=2 (0x2)
"Roxio Upnp Server 9"=2 (0x2)
"Roxio UPnP Renderer 9"=3 (0x3)
"PDEngine"=3 (0x3)
"PDAgent"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"MDM"=2 (0x2)
"LiveUpdate"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"ITMRTSVC"=2 (0x2)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"gusvc"=3 (0x3)
"GoogleDesktopManager"=3 (0x3)
"Fax"=2 (0x2)
"RPSUpdaterR"=3 (0x3)
"DSBrokerService"=3 (0x3)
"CVPND"=2 (0x2)
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\SAP\\FrontEnd\\SapGui\\saplogon.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\PurpleBean.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Documents and Settings\\Jyothi Nandala\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Jyothi Nandala\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:DCOM
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"6789:TCP"= 6789:TCP:CAM

R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [1/7/2009 11:39 PM 20744]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [10/5/2009 4:26 PM 10384]
R2 paldrv;paldrv;c:\windows\system32\pal_drv.sys [1/3/2007 6:53 PM 10951]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [1/1/2010 12:17 PM 102448]
S2 console-3.0.2;console-3.0.2;c:\sun\WebConsole\bin\swc.exe [1/22/2008 3:41 PM 53248]
S2 Sun_STK_FMS;Sun StorageTek™ Fault Management Service;c:\program files\Sun\Common Array Manager\Component\fms\sbin\wrapper.exe [1/22/2008 3:42 PM 167936]
S3 ACGPRS;Sierra Wireless 3G Adapter;c:\windows\system32\drivers\acgprs.sys [9/8/2006 4:06 PM 97920]
S3 ActivHidSerMini;Promethean Serial Board Driver;c:\windows\system32\drivers\activhidsermini.sys [5/5/2009 4:25 PM 55936]
S3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\drivers\btnetBus.sys [12/7/2008 12:44 PM 30088]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [5/29/2007 1:55 PM 23888]
S3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [7/2/2008 2:58 PM 26248]
S3 NaiAvFilter102;NAI Anti Virus;\Device\NaiAvFilter102.sys --> \Device\NaiAvFilter102.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [9/26/2009 4:28 AM 4639136]
S3 prmvmouse;Promethean HID Mouse Service;c:\windows\system32\DRIVERS\activmouse.sys --> c:\windows\system32\DRIVERS\activmouse.sys [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/25/2009 3:26 PM 721904]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2010-01-18 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 13:09]

2009-12-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-01-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2944425343-3162817394-86957142-1006Core.job
- c:\documents and settings\Jyothi Nandala\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-26 16:46]

2010-01-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2944425343-3162817394-86957142-1006UA.job
- c:\documents and settings\Jyothi Nandala\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-26 16:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.hopsurf.com
mStart Page = hxxp://www.bigseekpro.com/hypercam/{0765C49D-1402-470a-B93A-9DD6C5512C3B}
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - /105
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
DPF: {01118A01-3E00-11D2-8470-0060089874ED} - hxxps://password.bellsouth.net/sdccommon/download/tgctlsr.cab
FF - ProfilePath - c:\documents and settings\Jyothi Nandala\Application Data\Mozilla\Firefox\Profiles\9mwz9wab.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\documents and settings\Jyothi Nandala\Application Data\Mozilla\Firefox\Profiles\9mwz9wab.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\Jyothi Nandala\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Jyothi Nandala\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\progra~1\MICROS~4\Office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\MICROS~4\Office14\NPSPWRAP.DLL
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: content.switch.threshold - 1000000
FF - user.js: nglayout.initialpaint.delay - 600
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-18 17:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1100)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(3972)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-01-18 17:34:26
ComboFix-quarantined-files.txt 2010-01-18 22:34
ComboFix2.txt 2010-01-17 14:34
ComboFix3.txt 2010-01-16 16:00

Pre-Run: 9,163,968,512 bytes free
Post-Run: 9,221,087,232 bytes free

- - End Of File - - F4E4EAD6CAF50C71C486141D044371B8

Thank you.

#10 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling

Posted 20 January 2010 - 08:13 PM

Hi hom136,


Since the culprit is gone, your system appears clean now. If you have no remaining concerns on your pc, let's do some tidying up and we can send you on your way.

Step1

Click START then RUN
Now copy/paste ComboFix /Uninstall in the runbox and click OK.
Note the space between the X and the /Uninstall; it needs to be there.



This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Step2

Download OTC by OldTimer and save it to your desktop.
  1. Double click OTC and let it run
  2. Then Click the Cleanup button.
  3. You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  4. Restart your computer when prompted.

Please delete the tools and logs we have used. Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

  1. Update your antivirus programs

    Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system. You can use one of these sites to check if any updates are needed for your pc.
    Secunia Software Inspector
    F-secure Health Check

  2. Update all programs regularly - Make sure you update all the programs regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

  3. Back up your valid registry - ERUNT (Emergency Recovery Utility NT) allows you to store a complete backup of your registry and restore it if needed. Due to malware effects, a corrupt registry can prevent a system from booting. You're well advised to back up your valid registry while the system is clean now. For more info: Here and Here.


Please check out Tony Klein's article "How did I get infected in the first place?"
Read some information here on how to prevent malware.


Glad to be of help. Safe surfing!!


#11 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling

Posted 25 January 2010 - 03:01 AM

Since this issue appears resolved ... this Topic is closed.

Glad we could help.

Everyone else please begin a New Topic.



