
HTTPS Tidserv C & D - Malware/ Trojan Infection?


  • This topic is locked
17 replies to this topic

#1 taro_boy
  • Members
  • 11 posts
  • Location:Honolulu, Hawaii

Posted 11 January 2010 - 04:14 PM

Aloha Bleeping Forum Experts!

This is my first post (duh!), so please pardon me if I am out-of-line, posting in the wrong place (I don't think I am), etc.

Since last Friday, Norton Internet Security has been giving me warning windows at least once every 5 minutes saying that "a recent attempt to attack my computer has been blocked". The info Norton gives me for each attack attempt is:

Risk Name: HTTPS Tidserv C and D Domain Request
Severity: High
Attacking Computer: 212.117.174.172,443
Source Traffic: 212.117.174.172
Traffic Description: TCP, https
Application Path: \DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SVCHOST.EXE

I have never received these warnings prior to last Friday, 1/8/2010.

I'm in the trial period for UnHackMe (27 days remaining). The scan I ran on Friday showed nothing obvious other than 4 "inaccessible" files that were listed as "not found". They are:

FTSATA2.SYS
SYMDNS.SYS
SYMEFA.SYS
SYMREDRV.SYS

When I ran the scan again this morning (it is set to auto run on boot-up), I noticed that 3 new files have been added to the "not found" list. They are:

NAVENG.SYS
NAVEX15.SYS
REALSCHED.EXE

These three new "not found" files all seem to be part of my Norton Internet Security Suite; however, I found each of these files listed again later in the scan as "good". Each "good" file had the same name as the ones listed as "file not found".

To my knowledge, NIS is working fine and I was able to download updates through LiveUpdate this morning as usual.

I also have Reanimator 6 installed - it seems to have come with or been part of the UnHackMe program...? At least, I hope so. I haven't been able to find it listed anywhere as a "rogue" program.

Anyway, I'm hoping someone can help me figure out exactly what infection I have on my PC and how to (hopefully) clean it. I have HiJackThis already installed, but have not used it to run or produce a scan/ log since this infection started. The most recent regrun logfile produced by UnHackMe is attached.

Did I mention...HELP!!

Thanks in advance, oh great ones.

Aloha-
taro_boy

Attached Files




#2 m0le (Can U Dig It?)
  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 16 January 2010 - 08:44 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below I will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


And

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.

    First Location
    Second Location
    Third Location

  • Open on your desktop.
  • Click the tab.
  • Click the button.
  • Check all seven boxes:
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

m0le is a proud member of UNITE

#3 taro_boy
  • Topic Starter
  • Members
  • 11 posts
  • Location:Honolulu, Hawaii

Posted 19 January 2010 - 01:54 PM

Aloha m0le-

Thank you very much for taking the time to reply with your assistance. Please forgive my tardy response - since posting, my computer was rendered inoperable by what I assume was the result of the suspected virus(es) on my computer. I ended up having to do a system restore from the D partition on my HP computer to get it back up and running. I did NOT do the "destructive" restore, which would have performed a reformat before installing the OEM package.

My company has a support contract with Net Enterprises (local IT company), and one of their techs worked with me over three days to recover my files, back them up on a 1TB WD My Book, and reconfigure my computer back to (kind of) where it was before all the madness happened.

Since then, I have not had any Norton notifications of the HTTPS Tidserv C & D attacks, and my computer seems to be running smoothly.

Because I did not reformat, I am not 100% confident that the virus(es), rootkits, or malware is gone, although the Net Enterprises tech said it/ they "should be". We ran Malwarebytes' Anti-Malware numerous times with updated engines and found nothing. I've scanned with UnHackMe and Reanimator numerous times and found nothing. I've scanned with Norton Internet Security 2010 with updated virus definitions and found nothing.

I ran RootRepeal as you suggested and came up with the following:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/01/19 08:19
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF158D000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B5E000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xED969000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SYMDS.SYS
Image Path: SYMDS.SYS
Address: 0xF7279000 Size: 352256 File Visible: No Signed: -
Status: -

Name: SYMEFA.SYS
Image Path: SYMEFA.SYS
Address: 0xF723B000 Size: 180224 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a
Status: Locked to the Windows API!

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x85c15228

#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x85c08488

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x859d46a0

#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x85be3cf8

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x85564828

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf192e210

#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x85995988

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "<unknown>" at address 0x8596fa68

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x85ac3c68

#: 057 Function Name: NtDebugActiveProcess
Status: Hooked by "<unknown>" at address 0x85bcb6c8

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf192e490

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf192e9f0

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "<unknown>" at address 0x859a4768

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x85aeda20

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x85c0d548

#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x85bf78f0

#: 097 Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x859bc598

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x85ae1560

#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x85c063e0

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf192e7a0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x85d54938

#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x85c348e0

#: 125 Function Name: NtOpenSection
Status: Hooked by "<unknown>" at address 0x85bdde50

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x859a48b8

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "<unknown>" at address 0x85a17920

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x85c3f9d8

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x85c22338

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x859656e0

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "<unknown>" at address 0x85be2290

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf192ec40

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x85c0ece8

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x85c44d08

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x85c7d7b0

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x85c43370

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x85c268b0

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x85a7d400

Shadow SSDT
-------------------
#: 307 Function Name: NtUserAttachThreadInput
Status: Hooked by "<unknown>" at address 0x859d7050

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "<unknown>" at address 0x85a18128

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "<unknown>" at address 0x85b7f398

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "<unknown>" at address 0x85b5d498

#: 428 Function Name: NtUserGetRawInputData
Status: Hooked by "<unknown>" at address 0x85b82408

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "<unknown>" at address 0x859749c0

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "<unknown>" at address 0x8593da70

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "<unknown>" at address 0x85af88f0

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "<unknown>" at address 0x8596f960

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "<unknown>" at address 0x848574c8

==EOF==

Having no real clue as to what these findings represent, some of the descriptions are worrying. For example, #041 and #043 under SSDT, and #414 and #428 under Shadow SSDT.

I will run the DDS program as soon as I send this and (hopefully) post the results. In the meantime, can you see anything to be concerned about based on the Root Repeal log?

Thank you so very much.

- taro_boy

Attached Files


Edited by taro_boy, 19 January 2010 - 02:27 PM.
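As an added example (not code from this thread, and not part of RootRepeal), the following Python script triages a RootRepeal log in the format posted above. It reads the address ranges of the drivers in the Drivers section, then attributes every SSDT and Shadow SSDT hook to one of three classes: the Status line names the hooking module (here SYMEVENT.SYS), the hook is by "<unknown>" but its address lies inside a listed driver image, or the hook is by "<unknown>" and outside every listed image. Only the last class needs a closer look. The SAMPLE_LOG string is a constructed excerpt in the posted format; the NtExampleConstructed entry is invented so that the listed-image case is exercised. An "<unknown>" hook in pool memory is not by itself proof of a rootkit, since security products can also install hooks outside their own driver image, so the output is a cue for further checks, not a verdict.

```python
"""Triage helper for RootRepeal logs: attribute SSDT / Shadow SSDT hooks.

Added example; not code from the forum thread or from RootRepeal.
Hook classes:
  named         - the Status line names the hooking module
  listed_image  - hooked by "<unknown>", address inside a listed driver image
  unattributed  - hooked by "<unknown>", outside every listed driver image
"""
import re
from collections import Counter

# Constructed sample in the format of the posted log. The NtExampleConstructed
# hook is invented (address inside rootrepeal.sys) to exercise listed_image.
SAMPLE_LOG = """\
Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\rootrepeal.sys
Address: 0xED969000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SYMEFA.SYS
Image Path: SYMEFA.SYS
Address: 0xF723B000 Size: 180224 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x85c15228

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\\WINDOWS\\system32\\Drivers\\SYMEVENT.SYS" at address 0xf192e210

#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x85995988

Shadow SSDT
-------------------
#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "<unknown>" at address 0x85b7f398

#: 999 Function Name: NtExampleConstructed
Status: Hooked by "<unknown>" at address 0xED96A000

==EOF==
"""

DRIVER_RE = re.compile(
    r"Name: (?P<name>\S+)\nImage Path: .*\n"
    r"Address: (?P<addr>0x[0-9A-Fa-f]+) Size: (?P<size>\d+)")
HOOK_RE = re.compile(
    r'#: (?P<idx>\d+) Function Name: (?P<func>\w+)\n'
    r'Status: Hooked by "(?P<module>[^"]+)" at address (?P<addr>0x[0-9A-Fa-f]+)')
HEADING_RE = re.compile(r"^(?P<name>[A-Za-z/ ]+)\n-{5,}\n", re.M)


def _sections(text):
    """Yield (section name, body) for each heading underlined with dashes."""
    heads = list(HEADING_RE.finditer(text))
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        yield h["name"].strip(), text[h.end():end]


def parse_drivers(text):
    """Return [(name, start, end)] address ranges from the Drivers section."""
    ranges = []
    for name, body in _sections(text):
        if name == "Drivers":
            for m in DRIVER_RE.finditer(body):
                start = int(m["addr"], 16)
                ranges.append((m["name"], start, start + int(m["size"])))
    return ranges


def parse_hooks(text):
    """Return [(table, index, function, module, address)] from both SSDT tables."""
    hooks = []
    for name, body in _sections(text):
        if name in ("SSDT", "Shadow SSDT"):
            for m in HOOK_RE.finditer(body):
                hooks.append((name, int(m["idx"]), m["func"], m["module"], int(m["addr"], 16)))
    return hooks


def classify(hook, drivers):
    """Map one hook to (class, attributed module or None)."""
    _table, _idx, _func, module, addr = hook
    if module != "<unknown>":
        return "named", module.rsplit("\\", 1)[-1].upper()
    for name, start, end in drivers:
        if start <= addr < end:          # hook code lives inside a listed image
            return "listed_image", name
    return "unattributed", None


def triage(text):
    """Count attributed hooks per module and list the unattributed ones."""
    drivers = parse_drivers(text)
    report = {"named": Counter(), "listed_image": Counter(), "unattributed": []}
    for hook in parse_hooks(text):
        cls, who = classify(hook, drivers)
        if cls == "unattributed":
            report["unattributed"].append((hook[0], hook[2], hex(hook[4])))
        else:
            report[cls][who] += 1
    return report


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    print("named:", dict(rep["named"]))
    print("inside listed driver image:", dict(rep["listed_image"]))
    for table, func, addr in rep["unattributed"]:
        print(f"unattributed  {table:<12} {func:<28} {addr}")
```

To run it on the full log above, replace SAMPLE_LOG with the saved RootRepeal.txt contents; every "<unknown>" hook in the posted log falls outside the five listed driver images, so they would all land in the unattributed list, which is exactly the set a helper would want to cross-check against the installed security software.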


#4 taro_boy
  • Topic Starter
  • Members
  • 11 posts
  • Location:Honolulu, Hawaii

Posted 19 January 2010 - 02:27 PM

m0le-

I decided to hold off on running the DDS.scr program since scanning it with the VirusTotal online scanner came up with numerous "suspicious" results indicating it may be malware or a virus.

While I did read the "Information on A/V control" link you provided, having just come off of an apparent infection, I really don't want to go through it again. I know you can't do it for me, so I guess I'm just looking for some reassurance.

Edited by taro_boy, 19 January 2010 - 02:31 PM.


#5 m0le (Can U Dig It?)
  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 19 January 2010 - 03:09 PM

The best thing I can say is that DDS is developed by the same developer who wrote ComboFix.

If you know about Combofix you will know that it is the most powerful malware removal program in the world.

If you don't know it then read this

The other thing to say is that DDS is a scanner. It does nothing more than scan your PC for areas which are known to be attacked by malware. If you used the links I gave you to download it then it is 100% safe to run.

#6 taro_boy
  • Topic Starter
  • Members
  • 11 posts
  • Location:Honolulu, Hawaii

Posted 19 January 2010 - 03:53 PM

Hi m0le-

Thanks for your reply. I'm sure it's irritating to read my email when you're trying to help me. At the same time, I'm sure you understand my wanting to step cautiously as I proceed since I really don't want to go through this again.

I downloaded the file from the first link you gave me and will try running it as you recommended and will post the results as directed by the program.

Question: were you able to see anything unusual in the Root Repeal log I posted?

Thank you for your ongoing assistance.

Aloha-
taro_boy

#7 m0le (Can U Dig It?)
  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 19 January 2010 - 05:08 PM

It's not irritating at all. It's understandable. After all a stranger is helping you fix a problem with expensive equipment over a forum. Glad you're now ready to proceed.

Nothing bad showing in the RootRepeal log so that's a good start.

#8 taro_boy
  • Topic Starter
  • Members
  • 11 posts
  • Location:Honolulu, Hawaii

Posted 19 January 2010 - 05:54 PM

m0le-

Thanks for your understanding and assistance. For what it's worth, I do appreciate it.

Okay, I ran the DDS.scr program, and here's what it gave me:


DDS (Ver_09-12-01.01) - NTFSx86
Run by HP_Administrator at 12:30:52.23 on Tue 01/19/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.959.415 [GMT -10:00]

AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Engine\17.1.0.19\ccSvcHst.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Norton Internet Security\Engine\17.1.0.19\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscGui.exe
C:\Program Files\DISC\DiscUpdateMgr.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\DISC\DiscStreamHub.exe
c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\HP_Administrator.HTC-PRODMGR\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.hawaiitheatre.com/
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\17.1.0.19\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\17.1.0.19\IPSBHO.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\17.1.0.19\coIEPlg.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DriverMax_RESTART] "c:\program files\innovative solutions\drivermax\devices.exe" -RESTART
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
mRun: [DISCover] c:\program files\disc\DISCover.exe
mRun: [DiscUpdateManager] c:\program files\disc\DiscUpdateMgr.exe
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPwuSchd2.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_05\bin\npjpi150_05.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
Trusted Zone: trymedia.com
DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} - hxxps://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
LSA: Notification Packages = scecli scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~1.htc\applic~1\mozilla\firefox\profiles\vdsgg78d.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.hawaiitheatre.com/
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJPI150_05.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPOJI610.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1101000.013\SymDS.sys [2010-1-12 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1101000.013\SymEFA.sys [2010-1-12 171056]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\definitions\bashdefs\20091205.001\BHDrvx86.sys [2009-12-4 529456]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1101000.013\cchpx86.sys [2010-1-12 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1101000.013\Ironx86.sys [2010-1-12 114736]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-11-30 236368]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\17.1.0.19\ccSvcHst.exe [2010-1-12 126392]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-1-12 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\definitions\ipsdefs\20100116.002\IDSXpx86.sys [2010-1-16 329592]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-1-13 19160]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\definitions\virusdefs\20100118.039\NAVENG.SYS [2010-1-19 84912]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\definitions\virusdefs\20100118.039\NAVEX15.SYS [2010-1-19 1323568]

=============== Created Last 30 ================

2010-01-17 01:18:58 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-01-17 01:18:57 159232 ----a-w- c:\windows\system32\ptpusd.dll
2010-01-15 21:26:49 0 d-----w- c:\documents and settings\hp_administrator.htc-prodmgr\TOSHIBA
2010-01-15 21:26:39 303104 ----a-r- c:\windows\system32\eST3snm.dll
2010-01-15 20:58:38 0 ----a-w- c:\windows\ativpsrm.bin
2010-01-15 09:12:12 0 d-----w- c:\docume~1\alluse~1\applic~1\Innovative Solutions
2010-01-15 08:54:20 0 d-----w- c:\docume~1\hp_adm~1.htc\applic~1\Foxit Software
2010-01-15 08:53:29 0 d-----w- c:\program files\foxit software
2010-01-15 06:36:25 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-01-15 06:36:25 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-01-15 06:30:17 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-01-15 06:30:17 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-01-15 06:06:04 0 d-----w- c:\program files\K-Lite Codec Pack
2010-01-15 05:58:03 0 d-sh--w- c:\documents and settings\hp_administrator.htc-prodmgr\IECompatCache
2010-01-15 05:57:29 0 d-sh--w- c:\documents and settings\hp_administrator.htc-prodmgr\PrivacIE
2010-01-15 05:28:39 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-01-15 05:28:39 10368 ----a-w- c:\windows\system32\dllcache\hidusb.sys
2010-01-15 04:42:45 0 d-sh--w- c:\documents and settings\hp_administrator.htc-prodmgr\IETldCache
2010-01-15 04:28:33 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-01-15 04:28:33 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-01-15 04:28:14 92160 ------w- c:\windows\system32\dllcache\iecompat.dll
2010-01-15 02:18:19 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2010-01-15 02:18:19 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-01-15 02:18:17 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2010-01-15 02:18:17 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2010-01-15 02:18:17 1241088 ----a-w- c:\windows\system32\dllcache\ieframe.dll.mui
2010-01-15 02:18:15 11069952 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-01-15 02:18:14 445952 ----a-w- c:\windows\system32\dllcache\ieapfltr.dll
2010-01-15 02:18:13 59904 ----a-w- c:\windows\system32\dllcache\icardie.dll
2010-01-15 02:18:13 3698584 ----a-w- c:\windows\system32\dllcache\ieapfltr.dat
2010-01-14 20:34:23 3251 ----a-w- c:\windows\system32\wbem\Outlook_01ca9558f497a01e.mof
2010-01-14 20:25:40 0 d-----w- c:\windows\SHELLNEW
2010-01-14 13:31:12 0 d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-01-14 04:14:01 0 d-----w- C:\06e32448d15c97f70820e70b5538d8
2010-01-14 03:55:35 12752 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
2010-01-14 03:24:18 215920 ----a-w- c:\windows\system32\muweb.dll
2010-01-14 03:24:18 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-01-14 03:24:17 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-01-14 02:38:14 0 d-----w- c:\windows\system32\appmgmt
2010-01-14 01:51:11 0 d-----w- c:\windows\system32\scripting
2010-01-14 01:51:10 0 d-----w- c:\windows\system32\en
2010-01-14 01:51:10 0 d-----w- c:\windows\system32\bits
2010-01-14 01:41:56 153088 ----a-w- c:\windows\system32\dllcache\triedit.dll
2010-01-14 01:40:59 76800 ----a-w- c:\windows\system32\nslookup.exe
2010-01-14 01:29:18 52736 ----a-w- c:\windows\system32\SET18C.tmp
2010-01-14 01:28:59 53248 ------w- c:\windows\system32\tsgqec.dll
2010-01-14 01:27:59 4608 ----a-w- c:\windows\system32\SET30F.tmp
2010-01-14 01:26:59 8704 ----a-w- c:\windows\system32\SET42D.tmp
2010-01-14 00:54:35 0 d-----w- c:\docume~1\hp_adm~1.htc\applic~1\Malwarebytes
2010-01-14 00:54:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-14 00:54:09 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-13 20:26:19 0 d-----w- c:\docume~1\hp_adm~1.htc\applic~1\TeamViewer
2010-01-13 20:26:09 0 d-----w- c:\documents and settings\hp_administrator.htc-prodmgr\temp
2010-01-13 19:14:16 272128 ------w- c:\windows\system32\drivers\bthport.sys
2010-01-13 19:13:25 81920 ------w- c:\windows\system32\dllcache\fontsub.dll
2010-01-13 19:13:25 119808 ------w- c:\windows\system32\dllcache\t2embed.dll
2010-01-13 19:13:19 284160 ------w- c:\windows\system32\dllcache\pdh.dll
2010-01-13 19:13:18 473600 ------w- c:\windows\system32\dllcache\fastprox.dll
2010-01-13 19:13:18 453120 ------w- c:\windows\system32\dllcache\wmiprvsd.dll
2010-01-13 19:13:18 401408 ------w- c:\windows\system32\dllcache\rpcss.dll
2010-01-13 19:13:18 227840 ------w- c:\windows\system32\dllcache\wmiprvse.exe
2010-01-13 19:13:18 110592 ------w- c:\windows\system32\dllcache\services.exe
2010-01-13 19:13:17 730112 ------w- c:\windows\system32\dllcache\lsasrv.dll
2010-01-13 19:13:17 714752 ------w- c:\windows\system32\dllcache\ntdll.dll
2010-01-13 19:13:17 617472 ------w- c:\windows\system32\dllcache\advapi32.dll
2010-01-13 19:11:08 455296 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-01-13 19:11:05 333952 ------w- c:\windows\system32\dllcache\srv.sys
2010-01-13 19:11:02 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2010-01-13 19:10:34 2145280 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-01-13 19:10:32 2023936 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-01-13 19:10:31 2066048 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-01-13 19:10:03 337408 ------w- c:\windows\system32\dllcache\netapi32.dll
2010-01-13 19:09:44 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-01-13 19:09:43 215552 ------w- c:\windows\system32\dllcache\wordpad.exe
2010-01-13 02:33:29 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-13 02:31:47 0 d-----w- c:\windows\system32\PreInstall
2010-01-12 22:01:57 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-12 20:50:48 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-01-12 20:50:48 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-01-12 20:50:48 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-01-12 20:50:48 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-01-12 20:50:48 0 d-----w- c:\program files\Symantec
2010-01-12 20:49:07 0 d-----w- c:\windows\system32\drivers\NIS
2010-01-12 20:48:53 0 d-----w- c:\program files\Norton Internet Security
2010-01-12 20:40:58 0 d-----w- c:\program files\NortonInstaller
2010-01-12 20:15:48 0 d-s---w- c:\documents and settings\hp_administrator.htc-prodmgr\UserData
2010-01-12 20:13:59 0 d-----w- c:\windows\system32\SoftwareDistribution
2010-01-12 20:11:54 73728 ----a-w- c:\windows\system32\RtNicProp32.dll
2010-01-12 20:11:54 130432 ----a-w- c:\windows\system32\drivers\Rtnicxp.sys
2010-01-12 20:11:53 0 d-----w- c:\program files\Realtek
2010-01-12 19:24:17 0 d-----w- c:\docume~1\hp_adm~1.htc\applic~1\HPQ
2010-01-12 18:02:07 0 d-----w- c:\windows\RestoreSafeDeleted
2010-01-12 17:24:11 0 d-sh--r- C:\cmdcons
2010-01-12 17:21:42 1865 --sha-r- c:\windows\system32\drivers\103C_HP_CPC_EL453AA-ABA a1320n_YC_0Pavi_QCNN551_E61NAemMPC1_48_IAsterope_SHewleet-Packard_V1.0_B3.03_T051118_WXP2_L409_M960_J200_7Intel_8Pentium 4_93.06_#060907_N_Z_G10025A61_OTSSTcorp CD DVDW TS-H552L_DEPI7750.MRK
2010-01-12 17:17:32 0 d-----w- c:\docume~1\hp_adm~1.htc\applic~1\Intuit
2010-01-12 17:17:32 0 d-----w- c:\docume~1\hp_adm~1.htc\applic~1\Digital Interactive Systems Corporation
2010-01-12 15:37:20 0 d-sh--r- c:\windows\system32\dllcache
2010-01-09 05:18:52 0 d-sh--r- C:\desktop.ini
2010-01-09 05:18:52 0 d-sh--r- C:\comment.htt
2010-01-09 05:18:52 0 d-sh--r- C:\autorun.inf
2010-01-09 04:19:49 2 --shatr- c:\windows\winstart.bat
2010-01-09 04:18:53 0 d-----w- c:\program files\UnHackMe
2010-01-08 00:15:10 0 d-----w- c:\program files\TrendMicro
2009-12-24 01:53:50 0 d-----w- c:\program files\iPod
2009-12-24 01:53:26 0 d-----w- c:\program files\iTunes
2009-12-24 01:53:26 0 d-----w- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-12-24 01:47:35 0 d-----w- c:\program files\Bonjour

==================== Find3M ====================

2010-01-12 17:34:37 112954 ----a-w- c:\windows\hpoins07.dat
2010-01-05 18:00:00 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-12-12 14:15:30 178176 ----a-w- c:\windows\system32\unrar.dll
2009-11-12 03:22:13 146514 ----a-w- c:\windows\fonts\AdobeFnt07.lst
2009-10-29 07:46:51 133120 ------w- c:\windows\system32\dllcache\extmgr.dll
2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:45:38 916480 ------w- c:\windows\system32\dllcache\wininet.dll
2009-10-29 07:45:37 5940736 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-10-29 07:45:37 206848 ------w- c:\windows\system32\dllcache\occache.dll
2009-10-29 07:45:37 1208832 ------w- c:\windows\system32\dllcache\urlmon.dll
2009-10-29 07:45:35 25600 ------w- c:\windows\system32\dllcache\jsproxy.dll
2009-10-29 07:45:34 184320 ------w- c:\windows\system32\dllcache\iepeers.dll
2009-10-29 07:45:32 387584 ------w- c:\windows\system32\dllcache\iedkcs32.dll
2009-10-28 14:40:47 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe

============= FINISH: 12:31:56.82 ===============

I've also attached the zipped "Attach" file, as instructed at the conclusion of the scan.

Let me know what your all-knowing eyes see.

Glad the RootRepeal log didn't show anything. What are those functions/items I mentioned that looked worrisome?



#9 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:04:54 PM

Posted 19 January 2010 - 08:40 PM

The items are not dangerous and all except the last (just a file) are application drivers.

FastTrak
FTSATA2.SYS

Symantec
SYMDNS.SYS
SYMEFA.SYS
SYMREDRV.SYS
NAVENG.SYS
NAVEX15.SYS

RealPlayer
REALSCHED.EXE

The DDS log does show some temp files which are associated with TDSS (the tidserv in the title) so we need to see whether that is still lurking in some form.

Please download ComboFix from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

TDSS is renowned for stopping Combofix so if you are having problems running it please post back.
m0le is a proud member of UNITE
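The DDS and ComboFix logs in this thread are long file listings, and m0le's reading of them (recent entries, temp files with a naming pattern he associates with TDSS) is the kind of triage that can be scripted. The following is an added example, written for this page and not code from m0le, BleepingComputer, DDS or ComboFix. It parses the two timestamped line formats that appear in the logs above (the DDS `date time size attrs path` form and the ComboFix `date time . date time size attrs path` form) plus the bare paths in ComboFix's "Other Deletions" list, and it flags two things for a human to look at: the `_NNNNNN_.tmp.dll` files under system32 that ComboFix removes later in this thread, and hidden+system objects directly under the drive root. Both rules are "look closer" heuristics, not verdicts; the sample log lines are constructed for the example, modelled on the thread's logs.

```python
"""Triage helper for DDS / ComboFix style file listings.

Added example, not part of the BleepingComputer thread or any tool named in it.
It parses the line formats seen in the logs posted above and flags entries
for human review; a flag is a prompt to look closer, not a verdict.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# DDS "Files Created" / "Find3M" line: "YYYY-MM-DD HH:MM:SS SIZE ATTRS PATH"
DDS_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
# ComboFix line: "YYYY-MM-DD HH:MM . YYYY-MM-DD HH:MM SIZE|-------- ATTRS PATH"
CF_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) \. "
    r"\d{4}-\d{2}-\d{2} \d{2}:\d{2} (?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
# Bare path, as in ComboFix's "Other Deletions" list (no timestamp or attributes)
BARE_PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class Entry:
    date: str            # "" for bare deletion paths
    path: str
    attrs: str = ""      # e.g. "d-sh--r-": d=dir, s=system, h=hidden, a=archive, r/w
    size: Optional[int] = None


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a log line in one of the three formats, else None."""
    line = line.strip()
    m = DDS_RE.match(line) or CF_RE.match(line)
    if m:
        size = m.group("size")
        return Entry(m.group("date"), m.group("path"), m.group("attrs"),
                     int(size) if size.isdigit() else None)
    if BARE_PATH_RE.match(line):
        return Entry("", line)
    return None   # section headers, blank lines, prose


def parse_log(text: str) -> List[Entry]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


# Rule 1: "_NNNNNN_.tmp.dll" files under system32, the naming pattern that
# appears in ComboFix's "Other Deletions" list in this thread. Review only.
TMP_DLL_RE = re.compile(r"\\system32\\_\d{6}_\.tmp\.dll$", re.IGNORECASE)


def find_tmp_dlls(entries: List[Entry]) -> List[str]:
    return [e.path for e in entries if TMP_DLL_RE.search(e.path)]


# Rule 2: hidden+system objects directly under the drive root. Some legitimate
# protection tools create these too, so treat the result as a "look closer" list.
ROOT_RE = re.compile(r"^[A-Za-z]:\\[^\\]+$")


def find_hidden_system_root(entries: List[Entry]) -> List[str]:
    return [e.path for e in entries
            if ROOT_RE.match(e.path) and "s" in e.attrs and "h" in e.attrs]


def recent(entries: List[Entry], since: str) -> List[Entry]:
    """Dated entries on or after an ISO date, e.g. the day the symptoms began."""
    return [e for e in entries if e.date and e.date >= since]


# Constructed sample: a few lines in each format, modelled on the logs in
# this thread (illustrative values, not a real capture).
SAMPLE_LOG = r"""
==================== Find3M ====================
2010-01-14 01:27:59 4608 ----a-w- c:\windows\system32\SET30F.tmp
2010-01-09 05:18:52 0 d-sh--r- C:\autorun.inf
2010-01-09 04:19:49 2 --shatr- c:\windows\winstart.bat
2010-01-15 06:36 . 2009-05-19 00:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-01-13 20:26 . 2010-01-13 20:26 -------- d-----w- c:\documents and settings\HP_Administrator.HTC-PRODMGR\temp
c:\windows\system32\_008313_.tmp.dll
c:\windows\system32\_008314_.tmp.dll
c:\windows\system32\ps2.bat
"""

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print(f"{len(entries)} entries parsed")
    print("temp DLLs to review:", find_tmp_dlls(entries))
    print("hidden+system at drive root:", find_hidden_system_root(entries))
    print("entries since 2010-01-08:", len(recent(entries, "2010-01-08")))
```

Run it against a saved DDS.txt or ComboFix.txt by passing the file contents to `parse_log`; `recent(entries, "2010-01-08")` narrows the listing to the window since the Norton alerts began, which is the first thing a helper scans for by eye.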

#10 taro_boy

taro_boy
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Gender:Male
  • Location:Honolulu, Hawaii
  • Local time:11:54 AM

Posted 19 January 2010 - 11:06 PM

m0le-

Thanks again for your ongoing assistance and support.

I did as you directed and ran the comfix.exe program. Here is the log it generated:

ComboFix 10-01-19.03 - HP_Administrator 01/19/2010 17:13:20.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.959.328 [GMT -10:00]
Running from: c:\documents and settings\HP_Administrator.HTC-PRODMGR\Desktop\comfix.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Internet Explorer\SET5A6.tmp
c:\recycler\S-1-5-21-4124807930-1438922699-213152686-1008
c:\recycler\S-1-5-21-527237240-179605362-725345543-500
c:\windows\Downloaded Program Files\CpnMgr.dll
c:\windows\jestertb.dll
c:\windows\kb913800.exe
c:\windows\system32\_008313_.tmp.dll
c:\windows\system32\_008314_.tmp.dll
c:\windows\system32\_008315_.tmp.dll
c:\windows\system32\_008316_.tmp.dll
c:\windows\system32\_008323_.tmp.dll
c:\windows\system32\_008324_.tmp.dll
c:\windows\system32\_008325_.tmp.dll
c:\windows\system32\_008326_.tmp.dll
c:\windows\system32\_008328_.tmp.dll
c:\windows\system32\_008329_.tmp.dll
c:\windows\system32\_008332_.tmp.dll
c:\windows\system32\_008333_.tmp.dll
c:\windows\system32\_008335_.tmp.dll
c:\windows\system32\_008336_.tmp.dll
c:\windows\system32\_008337_.tmp.dll
c:\windows\system32\_008339_.tmp.dll
c:\windows\system32\_008341_.tmp.dll
c:\windows\system32\_008342_.tmp.dll
c:\windows\system32\_008343_.tmp.dll
c:\windows\system32\_008347_.tmp.dll
c:\windows\system32\_008348_.tmp.dll
c:\windows\system32\_008350_.tmp.dll
c:\windows\system32\_008352_.tmp.dll
c:\windows\system32\_008353_.tmp.dll
c:\windows\system32\_008355_.tmp.dll
c:\windows\system32\_008356_.tmp.dll
c:\windows\system32\_008357_.tmp.dll
c:\windows\system32\_008358_.tmp.dll
c:\windows\system32\_008359_.tmp.dll
c:\windows\system32\_008362_.tmp.dll
c:\windows\system32\_008363_.tmp.dll
c:\windows\system32\_008364_.tmp.dll
c:\windows\system32\_008365_.tmp.dll
c:\windows\system32\_008366_.tmp.dll
c:\windows\system32\_008371_.tmp.dll
c:\windows\system32\_008373_.tmp.dll
c:\windows\system32\_008374_.tmp.dll
c:\windows\system32\ps2.bat

.
((((((((((((((((((((((((( Files Created from 2009-12-20 to 2010-01-20 )))))))))))))))))))))))))))))))
.

2010-01-20 00:31 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20100119.001\Scxpx86.dll
2010-01-20 00:31 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20100119.001\IDSXpx86.sys
2010-01-20 00:31 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20100119.001\IDSxpx86.dll
2010-01-20 00:31 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20100119.001\IDSvix86.sys
2010-01-20 00:31 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20100119.001\IDSviA64.sys
2010-01-20 00:30 . 2010-01-13 00:31 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20100119.008\NAVENG.SYS
2010-01-20 00:30 . 2010-01-13 00:31 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20100119.008\EECTRL.SYS
2010-01-20 00:30 . 2010-01-13 00:31 259440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20100119.008\ECMSVR32.DLL
2010-01-20 00:30 . 2010-01-13 00:31 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20100119.008\NAVENG32.DLL
2010-01-20 00:30 . 2010-01-13 00:31 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20100119.008\NAVEX32A.DLL
2010-01-20 00:30 . 2010-01-13 00:31 1323568 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20100119.008\NAVEX15.SYS
2010-01-20 00:30 . 2010-01-13 00:31 102448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20100119.008\ERASER.SYS
2010-01-20 00:30 . 2010-01-13 00:31 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20100119.008\CCERASER.DLL
2010-01-17 01:18 . 2001-08-18 08:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-01-17 01:18 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
2010-01-16 18:35 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20100116.002\IDSvix86.sys
2010-01-16 18:35 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20100116.002\IDSXpx86.sys
2010-01-16 18:35 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20100116.002\Scxpx86.dll
2010-01-16 18:35 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20100116.002\IDSxpx86.dll
2010-01-16 18:35 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20100116.002\IDSviA64.sys
2010-01-16 04:05 . 2010-01-16 04:05 -------- d-----w- c:\documents and settings\HP_Administrator.HTC-PRODMGR\Local Settings\Application Data\iRinger
2010-01-15 21:26 . 2010-01-15 21:26 -------- d-----w- c:\documents and settings\HP_Administrator.HTC-PRODMGR\TOSHIBA
2010-01-15 21:26 . 2009-02-18 17:41 303104 ----a-r- c:\windows\system32\eST3snm.dll
2010-01-15 20:58 . 2010-01-15 20:58 0 ----a-w- c:\windows\ativpsrm.bin
2010-01-15 20:55 . 2009-07-22 04:55 442368 ----a-w- c:\windows\system32\ATIDEMGX.dll
2010-01-15 20:55 . 2009-07-22 04:44 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2010-01-15 20:55 . 2009-07-22 04:01 49664 ----a-w- c:\windows\system32\amdpcom32.dll
2010-01-15 20:55 . 2009-07-22 03:53 45056 ----a-w- c:\windows\system32\aticalrt.dll
2010-01-15 20:55 . 2009-07-22 03:52 3227648 ----a-w- c:\windows\system32\aticaldd.dll
2010-01-15 20:55 . 2009-04-28 17:08 887724 ----a-w- c:\windows\system32\ativva6x.dat
2010-01-15 20:55 . 2008-10-22 06:51 118784 ----a-w- c:\windows\system32\atibrtmon.exe
2010-01-15 20:55 . 2009-07-22 03:55 126976 ----a-w- c:\windows\system32\atiadlxx.dll
2010-01-15 20:55 . 2009-07-22 03:53 45056 ----a-w- c:\windows\system32\aticalcl.dll
2010-01-15 20:55 . 2009-07-22 03:52 290816 ----a-w- c:\windows\system32\atiok3x2.dll
2010-01-15 20:55 . 2009-04-28 17:08 3107788 ----a-w- c:\windows\system32\ativva5x.dat
2010-01-15 10:40 . 2010-01-15 10:40 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-01-15 09:12 . 2010-01-15 09:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Innovative Solutions
2010-01-15 09:06 . 2010-01-15 09:06 -------- d-----w- c:\documents and settings\HP_Administrator.HTC-PRODMGR\Local Settings\Application Data\Innovative Solutions
2010-01-15 08:54 . 2010-01-15 08:54 -------- d-----w- c:\documents and settings\HP_Administrator.HTC-PRODMGR\Application Data\Foxit Software
2010-01-15 08:53 . 2010-01-15 08:53 -------- d-----w- c:\program files\foxit software
2010-01-15 08:51 . 2010-01-15 08:51 -------- d-----w- c:\documents and settings\HP_Administrator.HTC-PRODMGR\Local Settings\Application Data\WMTools Downloaded Files
2010-01-15 06:36 . 2010-01-19 17:43 -------- d-----w- c:\documents and settings\HP_Administrator.HTC-PRODMGR\Application Data\Apple Computer
2010-01-15 06:36 . 2009-05-19 00:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-01-15 06:36 . 2008-04-17 23:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-01-15 06:30 . 2010-01-15 06:30 -------- d-----w- c:\documents and settings\HP_Administrator.HTC-PRODMGR\Local Settings\Application Data\Apple
2010-01-15 06:30 . 2010-01-15 20:55 -------- dc----w- c:\windows\system32\DRVSTORE
2010-01-15 06:30 . 2009-08-29 05:42 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-01-15 06:30 . 2009-08-29 05:42 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-01-15 06:24 . 2010-01-15 06:46 -------- d-----w- c:\documents and settings\HP_Administrator.HTC-PRODMGR\Local Settings\Application Data\Apple Computer
2010-01-15 05:58 . 2010-01-15 05:58 -------- d-sh--w- c:\documents and settings\HP_Administrator.HTC-PRODMGR\IECompatCache
2010-01-15 05:57 . 2010-01-15 05:57 -------- d-sh--w- c:\documents and settings\HP_Administrator.HTC-PRODMGR\PrivacIE
2010-01-15 05:28 . 2008-04-13 18:45 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-01-15 05:28 . 2008-04-13 18:45 10368 ----a-w- c:\windows\system32\dllcache\hidusb.sys
2010-01-15 04:42 . 2010-01-15 04:42 -------- d-sh--w- c:\documents and settings\HP_Administrator.HTC-PRODMGR\IETldCache
2010-01-15 04:28 . 2009-10-29 07:45 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-01-15 04:28 . 2009-10-29 07:45 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-01-15 04:28 . 2009-10-02 04:44 92160 ------w- c:\windows\system32\dllcache\iecompat.dll
2010-01-15 04:14 . 2010-01-15 04:14 -------- d-----w- c:\documents and settings\HP_Administrator.HTC-PRODMGR\Application Data\Media Player Classic
2010-01-15 02:18 . 2009-10-29 07:45 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2010-01-15 02:18 . 2009-10-29 07:45 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-01-15 02:18 . 2009-10-29 07:45 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2010-01-15 02:18 . 2009-10-28 14:36 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2010-01-15 02:18 . 2009-10-29 07:45 11069952 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-01-15 02:18 . 2009-03-08 14:11 445952 ----a-w- c:\windows\system32\dllcache\ieapfltr.dll
2010-01-15 02:18 . 2009-03-08 14:31 59904 ----a-w- c:\windows\system32\dllcache\icardie.dll
2010-01-15 02:18 . 2009-02-07 07:07 3698584 ----a-w- c:\windows\system32\dllcache\ieapfltr.dat
2010-01-15 02:12 . 2010-01-15 02:12 -------- d-----w- c:\documents and settings\HP_Administrator.HTC-PRODMGR\Application Data\AdobeUM
2010-01-14 20:28 . 2010-01-14 20:28 -------- d-----w- c:\program files\Microsoft.NET
2010-01-14 20:25 . 2010-01-14 20:29 -------- d-----w- c:\windows\SHELLNEW
2010-01-14 17:57 . 2010-01-14 17:57 0 ----a-w- c:\windows\nsreg.dat
2010-01-14 17:57 . 2010-01-14 17:57 -------- d-----w- c:\documents and settings\HP_Administrator.HTC-PRODMGR\Local Settings\Application Data\Mozilla
2010-01-14 13:31 . 2010-01-14 13:31 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-01-14 04:14 . 2010-01-14 13:56 -------- d-----w- C:\06e32448d15c97f70820e70b5538d8
2010-01-14 04:07 . 2010-01-14 04:07 -------- d-----w- c:\documents and settings\HP_Administrator.HTC-PRODMGR\Local Settings\Application Data\Help
2010-01-14 03:55 . 2009-12-23 00:38 12752 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
2010-01-14 03:24 . 2009-08-07 05:23 215920 ----a-w- c:\windows\system32\muweb.dll
2010-01-14 03:24 . 2009-08-07 05:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-01-14 02:53 . 2010-01-14 02:53 -------- d-----w- c:\documents and settings\HP_Administrator.HTC-PRODMGR\Local Settings\Application Data\Microsoft Help
2010-01-14 01:51 . 2010-01-15 01:02 -------- d-----w- c:\windows\system32\scripting
2010-01-14 01:51 . 2010-01-15 01:02 -------- d-----w- c:\windows\system32\en
2010-01-14 01:51 . 2010-01-15 01:02 -------- d-----w- c:\windows\system32\bits
2010-01-14 01:41 . 2009-06-21 22:04 153088 ----a-w- c:\windows\system32\dllcache\triedit.dll
2010-01-14 01:40 . 2009-09-11 14:18 136192 ----a-w- c:\windows\system32\msv1_0.dll
2010-01-14 01:28 . 2008-04-14 00:12 53248 ------w- c:\windows\system32\tsgqec.dll
2010-01-14 01:27 . 2008-04-14 00:12 33792 ------w- c:\windows\system32\mmcperf.exe
2010-01-14 01:26 . 2008-04-14 00:11 12800 ------w- c:\windows\system32\credssp.dll
2010-01-14 00:54 . 2010-01-14 00:54 -------- d-----w- c:\documents and settings\HP_Administrator.HTC-PRODMGR\Application Data\Malwarebytes
2010-01-14 00:54 . 2010-01-08 02:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-14 00:54 . 2010-01-08 02:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-13 20:26 . 2010-01-13 20:26 -------- d-----w- c:\documents and settings\HP_Administrator.HTC-PRODMGR\Application Data\TeamViewer
2010-01-13 20:26 . 2010-01-13 20:26 -------- d-----w- c:\documents and settings\HP_Administrator.HTC-PRODMGR\temp
2010-01-13 19:14 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\drivers\bthport.sys
2010-01-13 19:13 . 2009-10-15 16:28 81920 ------w- c:\windows\system32\dllcache\fontsub.dll
2010-01-13 19:13 . 2009-10-15 16:28 119808 ------w- c:\windows\system32\dllcache\t2embed.dll
2010-01-13 19:13 . 2009-03-06 14:22 284160 ------w- c:\windows\system32\dllcache\pdh.dll
2010-01-13 19:13 . 2009-02-09 12:10 473600 ------w- c:\windows\system32\dllcache\fastprox.dll
2010-01-13 19:13 . 2009-02-09 12:10 453120 ------w- c:\windows\system32\dllcache\wmiprvsd.dll
2010-01-13 19:13 . 2009-02-09 12:10 401408 ------w- c:\windows\system32\dllcache\rpcss.dll
2010-01-13 19:13 . 2009-02-06 11:11 110592 ------w- c:\windows\system32\dllcache\services.exe
2010-01-13 19:13 . 2009-02-06 10:10 227840 ------w- c:\windows\system32\dllcache\wmiprvse.exe
2010-01-13 19:13 . 2009-06-25 08:25 730112 ------w- c:\windows\system32\dllcache\lsasrv.dll
2010-01-13 19:13 . 2009-02-09 12:10 714752 ------w- c:\windows\system32\dllcache\ntdll.dll
2010-01-13 19:13 . 2009-02-09 12:10 617472 ------w- c:\windows\system32\dllcache\advapi32.dll
2010-01-13 19:11 . 2008-10-24 11:21 455296 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-01-13 19:11 . 2008-12-11 10:57 333952 ------w- c:\windows\system32\dllcache\srv.sys
2010-01-13 19:11 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2010-01-13 19:10 . 2009-08-04 15:13 2145280 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-01-13 19:10 . 2009-08-04 14:20 2023936 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-01-13 19:10 . 2009-08-04 14:20 2066048 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-01-13 19:10 . 2008-10-15 16:34 337408 ------w- c:\windows\system32\dllcache\netapi32.dll
2010-01-13 19:09 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-01-13 19:09 . 2008-04-21 12:08 215552 ------w- c:\windows\system32\dllcache\wordpad.exe
2010-01-13 02:40 . 2010-01-13 02:41 -------- d-----w- c:\documents and settings\HP_Administrator.HTC-PRODMGR\Local Settings\Application Data\Adobe
2010-01-13 02:33 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-12 22:01 . 2010-01-14 21:12 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-12 20:51 . 2009-10-29 02:31 784752 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\coFFPlgn\components\coFFPlgn.dll
2010-01-12 20:51 . 2009-10-01 09:19 164216 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\IPSFFPlgn\components\IPSFFPl.dll
2010-01-12 20:50 . 2010-01-12 20:50 -------- d-----w- c:\program files\Symantec
2010-01-12 20:50 . 2010-01-12 20:50 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-01-12 20:50 . 2010-01-12 20:50 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-01-12 20:50 . 2009-10-05 17:34 929648 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\OCS\hsplayer.dll
2010-01-12 20:50 . 2009-11-07 01:08 893296 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\CLT\cltLMSx.dll
2010-01-12 20:49 . 2010-01-12 20:49 -------- d-----w- c:\windows\system32\drivers\NIS
2010-01-12 20:48 . 2010-01-12 20:49 -------- d-----w- c:\program files\Norton Internet Security
2010-01-12 20:40 . 2010-01-12 20:40 -------- d-----w- c:\program files\NortonInstaller

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-15 20:20 . 2009-11-10 20:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-15 06:07 . 2010-01-15 06:06 -------- d-----w- c:\program files\K-Lite Codec Pack
2010-01-15 05:49 . 2005-11-25 22:38 -------- d-----w- c:\program files\Common Files\Real
2010-01-15 04:53 . 2009-11-18 23:51 -------- d-----w- c:\program files\Speccy
2010-01-15 02:30 . 2005-11-25 22:37 87984 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-15 01:56 . 2005-11-25 22:49 -------- d-----w- c:\program files\Microsoft Works
2010-01-15 01:08 . 2005-08-31 12:01 92947 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-01-15 01:07 . 2010-01-15 01:07 61440 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemutil.dll
2010-01-15 01:07 . 2010-01-15 01:07 45056 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\uninstallUI\eHelpSetup.exe
2010-01-15 01:07 . 2010-01-15 01:07 44032 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts\devcon.exe
2010-01-15 01:07 . 2010-01-15 01:07 40960 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\ScDmi.dll
2010-01-15 01:07 . 2010-01-15 01:07 341048 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\HPBasicDetection3.dll
2010-01-15 01:07 . 2010-01-15 01:07 32768 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\uploadHSC.dll
2010-01-15 01:07 . 2010-01-15 01:07 32768 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\Scom.dll
2010-01-15 01:07 . 2010-01-15 01:07 163840 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemcheck.dll
2010-01-14 02:36 . 2005-11-25 22:51 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-01-14 00:54 . 2009-11-30 23:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-12 21:51 . 2005-11-25 23:04 -------- d-----w- c:\program files\PC-Doctor 5 for Windows
2010-01-12 20:52 . 2005-11-25 23:12 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-01-12 20:50 . 2010-01-12 20:50 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-01-12 20:50 . 2010-01-12 20:50 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-01-12 20:48 . 2009-02-05 03:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-01-12 20:45 . 2005-11-25 23:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-01-12 20:32 . 2009-02-05 03:06 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-01-12 20:11 . 2005-11-25 22:20 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-12 17:34 . 2005-11-25 22:29 112954 ----a-w- c:\windows\hpoins07.dat
2010-01-12 17:21 . 2010-01-12 17:21 1865 --sha-r- c:\windows\system32\drivers\103C_HP_CPC_EL453AA-ABA a1320n_YC_0Pavi_QCNN551_E61NAemMPC1_48_IAsterope_SHewleet-Packard_V1.0_B3.03_T051118_WXP2_L409_M960_J200_7Intel_8Pentium 4_93.06_#060907_N_Z_G10025A61_OTSSTcorp CD DVDW TS-H552L_DEPI7750.MRK
2010-01-07 23:56 . 2009-12-08 02:35 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-06 22:53 . 2007-07-10 22:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-01-05 18:00 . 2010-01-15 06:06 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-12-24 01:53 . 2007-07-10 22:28 -------- d-----w- c:\program files\Common Files\Apple
2009-12-21 23:24 . 2008-10-24 03:25 -------- d-----w- c:\program files\Innovative Solutions
2009-12-12 14:15 . 2010-01-15 06:06 178176 ----a-w- c:\windows\system32\unrar.dll
2009-12-05 04:54 . 2009-12-05 04:54 529456 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20091205.001\BHDrvx86.sys
2009-12-05 04:54 . 2009-12-05 04:54 201616 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20091205.001\BHRules.dll
2009-12-05 04:54 . 2009-12-05 04:54 1405840 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20091205.001\BHEngine.dll
2009-12-05 04:54 . 2009-12-05 04:54 668720 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20091205.001\BHDrvx64.sys
2009-12-05 04:54 . 2009-12-05 04:54 610704 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20091205.001\bbRGen.dll
2009-12-04 07:00 . 2009-12-04 07:00 -------- d-----w- c:\documents and settings\All Users\Application Data\XoftSpySE
2009-11-30 23:50 . 2009-11-30 23:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-21 15:51 . 2004-08-10 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-10-29 07:45 . 2004-08-10 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-28 22:37 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\BinHub\IDSvix86.sys
2009-10-28 22:37 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\BinHub\IDSXpx86.sys
2009-10-28 22:37 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\BinHub\Scxpx86.dll
2009-10-28 22:37 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\BinHub\IDSxpx86.dll
2009-10-28 22:37 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\BinHub\IDSviA64.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DriverMax_RESTART"="c:\program files\Innovative Solutions\DriverMax\devices.exe" [2010-01-11 9068960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
"DISCover"="c:\program files\DISC\DISCover.exe" [2005-09-27 1060864]
"DiscUpdateManager"="c:\program files\DISC\DiscUpdateMgr.exe" [2005-09-27 61440]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 49152]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-01-08 429392]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1101000.013\SymDS.sys [1/12/2010 10:50 AM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1101000.013\SymEFA.sys [1/12/2010 10:50 AM 171056]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20091205.001\BHDrvx86.sys [12/4/2009 6:54 PM 529456]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1101000.013\cchpx86.sys [1/12/2010 10:50 AM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1101000.013\Ironx86.sys [1/12/2010 10:50 AM 114736]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/30/2009 1:50 PM 236368]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.1.0.19\ccSvcHst.exe [1/12/2010 10:49 AM 126392]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [1/12/2010 10:50 AM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20100119.001\IDSXpx86.sys [1/19/2010 2:31 PM 329592]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [1/13/2010 2:54 PM 19160]
.
Contents of the 'Scheduled Tasks' folder

2010-01-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 22:34]

2010-01-12 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Hewlett-Packard\SDP\HPSdpApp.exe [2005-09-09 03:23]

2010-01-20 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 04:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.hawaiitheatre.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
Trusted Zone: trymedia.com
FF - ProfilePath - c:\documents and settings\HP_Administrator.HTC-PRODMGR\Application Data\Mozilla\Firefox\Profiles\vdsgg78d.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.hawaiitheatre.com/
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJPI150_05.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPOJI610.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-19 17:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.1.0.19\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.1.0.19\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(876)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2792)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\arservice.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\ARPWRMSG.EXE
c:\windows\eHome\ehmsas.exe
c:\program files\DISC\DiscGui.exe
c:\windows\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\DISC\DiscStreamHub.exe
c:\windows\system32\HPZipm12.exe
.
**************************************************************************
.
Completion time: 2010-01-19 17:43:32 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-20 03:43

Pre-Run: 119,369,736,192 bytes free
Post-Run: 119,517,118,464 bytes free

- - End Of File - - 4782B8A19EF9AF3799A1D006C3898AD0

Of note: when I disabled Norton's virus protection and firewall, I set them both to "restore at system restart", not knowing that ComboFix would resume its process after initiating its own reboot. I caught it as my system was starting and immediately right-clicked the Norton icon to disable both again. This did not seem to affect the log generating process...at least, not that I could tell.

I did not disable the Malwarebytes' Anti-Malware program at all.

Once the system completed its reboot, I noticed a couple of odd things:

- An Internet Explorer icon was installed on my desktop; it wasn't there before.
- My default web browser was set to Internet Explorer from Firefox.

Are these actions normal?

I'm looking forward to hearing what you find in my log.
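
An added example for readers working through logs like the two in this thread; it is not code from ComboFix, from BleepingComputer or from the poster. It parses three of the ComboFix sections shown above, the "Files Created" list (created . modified size attributes path), the Run-key loading points and the R0-R3 service list, and returns the entries a log helper reads first: autostart commands with no directory (resolved through the search path at logon), plain files carrying both the hidden and system attributes, kernel drivers written inside a recent window, and boot/system-start services. The sample log is a constructed excerpt in the page's layout with the long .MRK file name shortened; the 14-day window and the use of the "Completion time:" line as the log date are assumptions, and the meaning of R/S plus the start-type digit is the ComboFix convention.

```python
"""ComboFix log triage: parse the "Files Created", Run-key and R0-R3 service
sections and list the entries a reviewer checks first (added example)."""
import re
from datetime import datetime, timedelta

# Constructed sample in the ComboFix layout shown on this page (the .MRK file
# name is shortened); not a real log.
SAMPLE_LOG = r"""
2010-01-15 10:40 . 2010-01-15 10:40 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-01-14 03:55 . 2009-12-23 00:38 12752 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
2010-01-14 00:54 . 2010-01-08 02:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-12 20:50 . 2010-01-12 20:50 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-01-12 17:21 . 2010-01-12 17:21 1865 --sha-r- c:\windows\system32\drivers\103C_HP_CPC_EL453AA-ABA.MRK
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1101000.013\SymDS.sys [1/12/2010 10:50 AM 328752]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1101000.013\cchpx86.sys [1/12/2010 10:50 AM 501888]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/30/2009 1:50 PM 236368]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [1/13/2010 2:54 PM 19160]
Completion time: 2010-01-19 17:43:32 - machine was rebooted
"""

# created . modified size attrs path ("--------" size plus a leading "d" = directory)
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
                     r"\s+(\d+|-+)\s+([-a-z]{8})\s+(.+)$")
RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s+\[\d{4}-\d{1,2}-\d{1,2} \d+\]$')  # "Name"="cmd" [date size]
SVC_RE = re.compile(r"^([RS])(\d)\s+([^;]+);[^;]*;(.+?)\s+\[[^\]]+\]$")  # R0 Name;Display;path [stamp]
COMPLETION_RE = re.compile(r"^Completion time:\s+(\d{4}-\d{2}-\d{2})")
DRIVER_DIR = r"c:\windows\system32\drivers" + "\\"

def parse_file_entries(text):
    """Files Created / Find3M lines -> dicts with timestamps, attributes and path."""
    out = []
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            created, modified, size, attrs, path = m.groups()
            out.append({"created": datetime.strptime(created, "%Y-%m-%d %H:%M"),
                        "modified": datetime.strptime(modified, "%Y-%m-%d %H:%M"),
                        "size": None if size.startswith("-") else int(size),
                        "is_dir": attrs[0] == "d", "hidden": "h" in attrs,
                        "system": "s" in attrs, "path": path})
    return out

def parse_run_entries(text):
    """Values under any [...\Run] key -> dicts with key, value name and command."""
    out, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = RUN_RE.match(line)
        if m and key and key.lower().endswith("\\run"):
            out.append({"key": key, "name": m.group(1), "command": m.group(2)})
    return out

def parse_services(text):
    """R0-R3 / S0-S3 lines -> dicts with running flag, start type, name, image path."""
    out = []
    for line in text.splitlines():
        m = SVC_RE.match(line.strip())
        if m:
            out.append({"running": m.group(1) == "R", "start_type": int(m.group(2)),
                        "name": m.group(3), "path": m.group(4)})
    return out

def triage(text, log_date=None, recent_days=14):
    """Four review lists. log_date ("yyyy-mm-dd") defaults to the log's own
    "Completion time:" line; the 14-day window is an assumption."""
    if log_date is None:
        found = [m for m in (COMPLETION_RE.match(ln.strip()) for ln in text.splitlines()) if m]
        if not found:
            raise ValueError("no Completion time line in log; pass log_date")
        log_date = found[0].group(1)
    cutoff = datetime.strptime(log_date, "%Y-%m-%d") - timedelta(days=recent_days)
    files, runs, svcs = parse_file_entries(text), parse_run_entries(text), parse_services(text)
    return {
        # No directory in the command: it is resolved through the search path at
        # logon, so a same-named file earlier on that path would run instead.
        "unqualified_autostarts": [r["name"] for r in runs if "\\" not in r["command"]],
        # hidden+system on a plain file keeps it out of a default Explorer view.
        "hidden_system_files": [f["path"] for f in files
                                if f["hidden"] and f["system"] and not f["is_dir"]],
        # Kernel drivers written inside the window: where a TDSS-class rootkit
        # component would show up if the scan saw it at all.
        "recent_drivers": [f["path"] for f in files
                           if f["path"].lower().startswith(DRIVER_DIR)
                           and f["path"].lower().endswith(".sys") and f["created"] >= cutoff],
        # Boot (0) and system (1) start services load before the user logs on
        # and before most security software; check each image path.
        "early_start_services": [(s["name"], s["path"]) for s in svcs if s["start_type"] <= 1],
    }

if __name__ == "__main__":
    for section, hits in triage(SAMPLE_LOG).items():
        print(section, hits)
```

Run it as a script to print the four lists for the constructed sample, or pass the text of a saved ComboFix log to `triage()`. On the logs in this thread the unqualified-command check fires on the "AlwaysReady Power Message APP" entry (ARPWRMSG.EXE with no path, which the running-process list resolves to c:\windows\ARPWRMSG.EXE) and the hidden+system check fires on the HP .MRK marker file under system32\drivers; both are entries to confirm against the vendor's documentation, not verdicts, and the Norton drivers installed on 1/12/2010 are the expected hits for the recent-driver and early-start lists.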

#11 taro_boy (Topic Starter, Members, 11 posts, Honolulu, Hawaii)

Posted 20 January 2010 - 12:02 AM

Hey m0le-

No, I don't think you're a computer guru that never sleeps. It's only 7:01 pm here in Hawaii.

Just wanted to ask if you think I should run ComboFix again after making sure Norton remains disabled through the built-in Windows reboot process...? I want to make sure you have an accurate log to review.

Seeing as how the program ran without any issues (i.e. TDSS didn't interfere with the scan process) and was able to produce a log, am I safe to assume that everything ran properly and thoroughly?

I'm still curious about the Internet Explorer icon that was installed on my desktop and why IE8 was changed to my default web browser when I had it set to Firefox prior to running ComboFix.

Thanks again, and see you tomorrow.

#12 taro_boy (Topic Starter, Members, 11 posts, Honolulu, Hawaii)

Posted 20 January 2010 - 01:32 PM

Good Morning m0le-

So, my paranoia got the best of me. I ran ComboFix again this morning, making sure that Norton Internet Security, Windows Defender, and Malwarebytes' Anti-Malware were all turned off until I manually turned them back on. Once again, the scan seemed to run smoothly. At the conclusion of the scan process and upon the program-initiated reboot, the Internet Explorer icon was back on my desktop and IE was again set as my default web browser. Since this is consistent with the first run, I'm assuming this is part of the process. No biggie.

Here are the results from the second "clean" scan:

ComboFix 10-01-19.08 - HP_Administrator 01/20/2010 7:52.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.959.346 [GMT -10:00]
Running from: c:\documents and settings\HP_Administrator.HTC-PRODMGR\Desktop\comfix.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((( Files Created from 2009-12-20 to 2010-01-20 )))))))))))))))))))))))))))))))
.

2010-01-20 17:27 . 2010-01-13 00:31 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20100119.051\NAVENG.SYS
2010-01-20 17:27 . 2010-01-13 00:31 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20100119.051\NAVENG32.DLL
2010-01-20 17:27 . 2010-01-13 00:31 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20100119.051\NAVEX32A.DLL
2010-01-20 17:27 . 2010-01-13 00:31 1323568 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20100119.051\NAVEX15.SYS
2010-01-20 17:27 . 2010-01-13 00:31 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20100119.051\EECTRL.SYS
2010-01-20 17:27 . 2010-01-13 00:31 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20100119.051\CCERASER.DLL
2010-01-20 17:27 . 2010-01-13 00:31 259440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20100119.051\ECMSVR32.DLL
2010-01-20 17:27 . 2010-01-13 00:31 102448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20100119.051\ERASER.SYS
2010-01-20 00:31 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20100119.001\Scxpx86.dll
2010-01-20 00:31 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20100119.001\IDSXpx86.sys
2010-01-20 00:31 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20100119.001\IDSxpx86.dll
2010-01-20 00:31 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20100119.001\IDSvix86.sys
2010-01-20 00:31 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20100119.001\IDSviA64.sys
2010-01-17 01:18 . 2001-08-18 08:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-01-17 01:18 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
2010-01-16 18:35 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20100116.002\IDSvix86.sys
2010-01-16 18:35 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20100116.002\IDSXpx86.sys
2010-01-16 18:35 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20100116.002\Scxpx86.dll
2010-01-16 18:35 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20100116.002\IDSxpx86.dll
2010-01-16 18:35 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20100116.002\IDSviA64.sys
2010-01-16 04:05 . 2010-01-16 04:05 -------- d-----w- c:\documents and settings\HP_Administrator.HTC-PRODMGR\Local Settings\Application Data\iRinger
2010-01-15 21:26 . 2010-01-15 21:26 -------- d-----w- c:\documents and settings\HP_Administrator.HTC-PRODMGR\TOSHIBA
2010-01-15 21:26 . 2009-02-18 17:41 303104 ----a-r- c:\windows\system32\eST3snm.dll
2010-01-15 20:58 . 2010-01-15 20:58 0 ----a-w- c:\windows\ativpsrm.bin
2010-01-15 20:55 . 2009-07-22 04:55 442368 ----a-w- c:\windows\system32\ATIDEMGX.dll
2010-01-15 20:55 . 2009-07-22 04:44 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2010-01-15 20:55 . 2009-07-22 04:01 49664 ----a-w- c:\windows\system32\amdpcom32.dll
2010-01-15 20:55 . 2009-07-22 03:53 45056 ----a-w- c:\windows\system32\aticalrt.dll
2010-01-15 20:55 . 2009-07-22 03:52 3227648 ----a-w- c:\windows\system32\aticaldd.dll
2010-01-15 20:55 . 2009-04-28 17:08 887724 ----a-w- c:\windows\system32\ativva6x.dat
2010-01-15 20:55 . 2008-10-22 06:51 118784 ----a-w- c:\windows\system32\atibrtmon.exe
2010-01-15 20:55 . 2009-07-22 03:55 126976 ----a-w- c:\windows\system32\atiadlxx.dll
2010-01-15 20:55 . 2009-07-22 03:53 45056 ----a-w- c:\windows\system32\aticalcl.dll
2010-01-15 20:55 . 2009-07-22 03:52 290816 ----a-w- c:\windows\system32\atiok3x2.dll
2010-01-15 20:55 . 2009-04-28 17:08 3107788 ----a-w- c:\windows\system32\ativva5x.dat
2010-01-15 10:40 . 2010-01-15 10:40 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-01-15 09:12 . 2010-01-15 09:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Innovative Solutions
2010-01-15 09:06 . 2010-01-15 09:06 -------- d-----w- c:\documents and settings\HP_Administrator.HTC-PRODMGR\Local Settings\Application Data\Innovative Solutions
2010-01-15 08:54 . 2010-01-15 08:54 -------- d-----w- c:\documents and settings\HP_Administrator.HTC-PRODMGR\Application Data\Foxit Software
2010-01-15 08:53 . 2010-01-15 08:53 -------- d-----w- c:\program files\foxit software
2010-01-15 08:51 . 2010-01-15 08:51 -------- d-----w- c:\documents and settings\HP_Administrator.HTC-PRODMGR\Local Settings\Application Data\WMTools Downloaded Files
2010-01-15 06:36 . 2010-01-19 17:43 -------- d-----w- c:\documents and settings\HP_Administrator.HTC-PRODMGR\Application Data\Apple Computer
2010-01-15 06:36 . 2009-05-19 00:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-01-15 06:36 . 2008-04-17 23:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-01-15 06:30 . 2010-01-15 06:30 -------- d-----w- c:\documents and settings\HP_Administrator.HTC-PRODMGR\Local Settings\Application Data\Apple
2010-01-15 06:30 . 2010-01-15 20:55 -------- dc----w- c:\windows\system32\DRVSTORE
2010-01-15 06:30 . 2009-08-29 05:42 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-01-15 06:30 . 2009-08-29 05:42 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-01-15 06:24 . 2010-01-15 06:46 -------- d-----w- c:\documents and settings\HP_Administrator.HTC-PRODMGR\Local Settings\Application Data\Apple Computer
2010-01-15 05:58 . 2010-01-15 05:58 -------- d-sh--w- c:\documents and settings\HP_Administrator.HTC-PRODMGR\IECompatCache
2010-01-15 05:57 . 2010-01-15 05:57 -------- d-sh--w- c:\documents and settings\HP_Administrator.HTC-PRODMGR\PrivacIE
2010-01-15 05:28 . 2008-04-13 18:45 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-01-15 05:28 . 2008-04-13 18:45 10368 ----a-w- c:\windows\system32\dllcache\hidusb.sys
2010-01-15 04:42 . 2010-01-15 04:42 -------- d-sh--w- c:\documents and settings\HP_Administrator.HTC-PRODMGR\IETldCache
2010-01-15 04:28 . 2009-10-29 07:45 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-01-15 04:28 . 2009-10-29 07:45 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-01-15 04:28 . 2009-10-02 04:44 92160 ------w- c:\windows\system32\dllcache\iecompat.dll
2010-01-15 04:14 . 2010-01-15 04:14 -------- d-----w- c:\documents and settings\HP_Administrator.HTC-PRODMGR\Application Data\Media Player Classic
2010-01-15 02:18 . 2009-10-29 07:45 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2010-01-15 02:18 . 2009-10-29 07:45 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-01-15 02:18 . 2009-10-29 07:45 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2010-01-15 02:18 . 2009-10-28 14:36 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2010-01-15 02:18 . 2009-10-29 07:45 11069952 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-01-15 02:18 . 2009-03-08 14:11 445952 ----a-w- c:\windows\system32\dllcache\ieapfltr.dll
2010-01-15 02:18 . 2009-03-08 14:31 59904 ----a-w- c:\windows\system32\dllcache\icardie.dll
2010-01-15 02:18 . 2009-02-07 07:07 3698584 ----a-w- c:\windows\system32\dllcache\ieapfltr.dat
2010-01-15 02:12 . 2010-01-15 02:12 -------- d-----w- c:\documents and settings\HP_Administrator.HTC-PRODMGR\Application Data\AdobeUM
2010-01-14 20:28 . 2010-01-14 20:28 -------- d-----w- c:\program files\Microsoft.NET
2010-01-14 20:25 . 2010-01-14 20:29 -------- d-----w- c:\windows\SHELLNEW
2010-01-14 17:57 . 2010-01-14 17:57 0 ----a-w- c:\windows\nsreg.dat
2010-01-14 17:57 . 2010-01-14 17:57 -------- d-----w- c:\documents and settings\HP_Administrator.HTC-PRODMGR\Local Settings\Application Data\Mozilla
2010-01-14 13:31 . 2010-01-14 13:31 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-01-14 04:14 . 2010-01-14 13:56 -------- d-----w- C:\06e32448d15c97f70820e70b5538d8
2010-01-14 04:07 . 2010-01-14 04:07 -------- d-----w- c:\documents and settings\HP_Administrator.HTC-PRODMGR\Local Settings\Application Data\Help
2010-01-14 03:55 . 2009-12-23 00:38 12752 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
2010-01-14 03:24 . 2009-08-07 05:23 215920 ----a-w- c:\windows\system32\muweb.dll
2010-01-14 03:24 . 2009-08-07 05:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-01-14 02:53 . 2010-01-14 02:53 -------- d-----w- c:\documents and settings\HP_Administrator.HTC-PRODMGR\Local Settings\Application Data\Microsoft Help
2010-01-14 01:51 . 2010-01-15 01:02 -------- d-----w- c:\windows\system32\scripting
2010-01-14 01:51 . 2010-01-15 01:02 -------- d-----w- c:\windows\system32\en
2010-01-14 01:51 . 2010-01-15 01:02 -------- d-----w- c:\windows\system32\bits
2010-01-14 01:41 . 2009-06-21 22:04 153088 ----a-w- c:\windows\system32\dllcache\triedit.dll
2010-01-14 01:40 . 2009-09-11 14:18 136192 ----a-w- c:\windows\system32\msv1_0.dll
2010-01-14 01:28 . 2008-04-14 00:12 53248 ------w- c:\windows\system32\tsgqec.dll
2010-01-14 01:27 . 2008-04-14 00:12 33792 ------w- c:\windows\system32\mmcperf.exe
2010-01-14 01:26 . 2008-04-14 00:11 12800 ------w- c:\windows\system32\credssp.dll
2010-01-14 00:54 . 2010-01-14 00:54 -------- d-----w- c:\documents and settings\HP_Administrator.HTC-PRODMGR\Application Data\Malwarebytes
2010-01-14 00:54 . 2010-01-08 02:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-14 00:54 . 2010-01-08 02:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-13 20:26 . 2010-01-13 20:26 -------- d-----w- c:\documents and settings\HP_Administrator.HTC-PRODMGR\Application Data\TeamViewer
2010-01-13 20:26 . 2010-01-13 20:26 -------- d-----w- c:\documents and settings\HP_Administrator.HTC-PRODMGR\temp
2010-01-13 19:14 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\drivers\bthport.sys
2010-01-13 19:13 . 2009-10-15 16:28 81920 ------w- c:\windows\system32\dllcache\fontsub.dll
2010-01-13 19:13 . 2009-10-15 16:28 119808 ------w- c:\windows\system32\dllcache\t2embed.dll
2010-01-13 19:13 . 2009-03-06 14:22 284160 ------w- c:\windows\system32\dllcache\pdh.dll
2010-01-13 19:13 . 2009-02-09 12:10 473600 ------w- c:\windows\system32\dllcache\fastprox.dll
2010-01-13 19:13 . 2009-02-09 12:10 453120 ------w- c:\windows\system32\dllcache\wmiprvsd.dll
2010-01-13 19:13 . 2009-02-09 12:10 401408 ------w- c:\windows\system32\dllcache\rpcss.dll
2010-01-13 19:13 . 2009-02-06 11:11 110592 ------w- c:\windows\system32\dllcache\services.exe
2010-01-13 19:13 . 2009-02-06 10:10 227840 ------w- c:\windows\system32\dllcache\wmiprvse.exe
2010-01-13 19:13 . 2009-06-25 08:25 730112 ------w- c:\windows\system32\dllcache\lsasrv.dll
2010-01-13 19:13 . 2009-02-09 12:10 714752 ------w- c:\windows\system32\dllcache\ntdll.dll
2010-01-13 19:13 . 2009-02-09 12:10 617472 ------w- c:\windows\system32\dllcache\advapi32.dll
2010-01-13 19:11 . 2008-10-24 11:21 455296 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-01-13 19:11 . 2008-12-11 10:57 333952 ------w- c:\windows\system32\dllcache\srv.sys
2010-01-13 19:11 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2010-01-13 19:10 . 2009-08-04 15:13 2145280 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-01-13 19:10 . 2009-08-04 14:20 2023936 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-01-13 19:10 . 2009-08-04 14:20 2066048 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-01-13 19:10 . 2008-10-15 16:34 337408 ------w- c:\windows\system32\dllcache\netapi32.dll
2010-01-13 19:09 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-01-13 19:09 . 2008-04-21 12:08 215552 ------w- c:\windows\system32\dllcache\wordpad.exe
2010-01-13 02:40 . 2010-01-13 02:41 -------- d-----w- c:\documents and settings\HP_Administrator.HTC-PRODMGR\Local Settings\Application Data\Adobe
2010-01-13 02:33 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-12 22:01 . 2010-01-14 21:12 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-12 20:51 . 2009-10-29 02:31 784752 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\coFFPlgn\components\coFFPlgn.dll
2010-01-12 20:51 . 2009-10-01 09:19 164216 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\IPSFFPlgn\components\IPSFFPl.dll
2010-01-12 20:50 . 2010-01-12 20:50 -------- d-----w- c:\program files\Symantec
2010-01-12 20:50 . 2010-01-12 20:50 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-01-12 20:50 . 2010-01-12 20:50 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-01-12 20:50 . 2009-10-05 17:34 929648 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\OCS\hsplayer.dll
2010-01-12 20:50 . 2009-11-07 01:08 893296 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\CLT\cltLMSx.dll
2010-01-12 20:49 . 2010-01-12 20:49 -------- d-----w- c:\windows\system32\drivers\NIS
2010-01-12 20:48 . 2010-01-12 20:49 -------- d-----w- c:\program files\Norton Internet Security
2010-01-12 20:40 . 2010-01-12 20:40 -------- d-----w- c:\program files\NortonInstaller

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-15 20:20 . 2009-11-10 20:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-15 06:07 . 2010-01-15 06:06 -------- d-----w- c:\program files\K-Lite Codec Pack
2010-01-15 05:49 . 2005-11-25 22:38 -------- d-----w- c:\program files\Common Files\Real
2010-01-15 04:53 . 2009-11-18 23:51 -------- d-----w- c:\program files\Speccy
2010-01-15 02:30 . 2005-11-25 22:37 87984 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-15 01:56 . 2005-11-25 22:49 -------- d-----w- c:\program files\Microsoft Works
2010-01-15 01:08 . 2005-08-31 12:01 92947 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-01-15 01:07 . 2010-01-15 01:07 61440 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemutil.dll
2010-01-15 01:07 . 2010-01-15 01:07 45056 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\uninstallUI\eHelpSetup.exe
2010-01-15 01:07 . 2010-01-15 01:07 44032 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts\devcon.exe
2010-01-15 01:07 . 2010-01-15 01:07 40960 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\ScDmi.dll
2010-01-15 01:07 . 2010-01-15 01:07 341048 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\HPBasicDetection3.dll
2010-01-15 01:07 . 2010-01-15 01:07 32768 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\uploadHSC.dll
2010-01-15 01:07 . 2010-01-15 01:07 32768 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\Scom.dll
2010-01-15 01:07 . 2010-01-15 01:07 163840 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemcheck.dll
2010-01-14 02:36 . 2005-11-25 22:51 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-01-14 00:54 . 2009-11-30 23:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-12 21:51 . 2005-11-25 23:04 -------- d-----w- c:\program files\PC-Doctor 5 for Windows
2010-01-12 20:52 . 2005-11-25 23:12 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-01-12 20:50 . 2010-01-12 20:50 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-01-12 20:50 . 2010-01-12 20:50 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-01-12 20:48 . 2009-02-05 03:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-01-12 20:45 . 2005-11-25 23:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-01-12 20:32 . 2009-02-05 03:06 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-01-12 20:11 . 2005-11-25 22:20 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-12 17:34 . 2005-11-25 22:29 112954 ----a-w- c:\windows\hpoins07.dat
2010-01-12 17:21 . 2010-01-12 17:21 1865 --sha-r- c:\windows\system32\drivers\103C_HP_CPC_EL453AA-ABA a1320n_YC_0Pavi_QCNN551_E61NAemMPC1_48_IAsterope_SHewleet-Packard_V1.0_B3.03_T051118_WXP2_L409_M960_J200_7Intel_8Pentium 4_93.06_#060907_N_Z_G10025A61_OTSSTcorp CD DVDW TS-H552L_DEPI7750.MRK
2010-01-07 23:56 . 2009-12-08 02:35 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-06 22:53 . 2007-07-10 22:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-01-05 18:00 . 2010-01-15 06:06 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-12-24 01:53 . 2007-07-10 22:28 -------- d-----w- c:\program files\Common Files\Apple
2009-12-21 23:24 . 2008-10-24 03:25 -------- d-----w- c:\program files\Innovative Solutions
2009-12-12 14:15 . 2010-01-15 06:06 178176 ----a-w- c:\windows\system32\unrar.dll
2009-12-05 04:54 . 2009-12-05 04:54 529456 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20091205.001\BHDrvx86.sys
2009-12-05 04:54 . 2009-12-05 04:54 201616 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20091205.001\BHRules.dll
2009-12-05 04:54 . 2009-12-05 04:54 1405840 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20091205.001\BHEngine.dll
2009-12-05 04:54 . 2009-12-05 04:54 668720 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20091205.001\BHDrvx64.sys
2009-12-05 04:54 . 2009-12-05 04:54 610704 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20091205.001\bbRGen.dll
2009-12-04 07:00 . 2009-12-04 07:00 -------- d-----w- c:\documents and settings\All Users\Application Data\XoftSpySE
2009-11-30 23:50 . 2009-11-30 23:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-21 15:51 . 2004-08-10 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-10-29 07:45 . 2004-08-10 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-10-28 22:37 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\BinHub\IDSvix86.sys
2009-10-28 22:37 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\BinHub\IDSXpx86.sys
2009-10-28 22:37 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\BinHub\Scxpx86.dll
2009-10-28 22:37 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\BinHub\IDSxpx86.dll
2009-10-28 22:37 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\BinHub\IDSviA64.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DriverMax_RESTART"="c:\program files\Innovative Solutions\DriverMax\devices.exe" [2010-01-11 9068960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
"DISCover"="c:\program files\DISC\DISCover.exe" [2005-09-27 1060864]
"DiscUpdateManager"="c:\program files\DISC\DiscUpdateMgr.exe" [2005-09-27 61440]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 49152]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-01-08 429392]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1101000.013\SymDS.sys [1/12/2010 10:50 AM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1101000.013\SymEFA.sys [1/12/2010 10:50 AM 171056]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20091205.001\BHDrvx86.sys [12/4/2009 6:54 PM 529456]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1101000.013\cchpx86.sys [1/12/2010 10:50 AM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1101000.013\Ironx86.sys [1/12/2010 10:50 AM 114736]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/30/2009 1:50 PM 236368]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.1.0.19\ccSvcHst.exe [1/12/2010 10:49 AM 126392]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [1/12/2010 10:50 AM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20100119.001\IDSXpx86.sys [1/19/2010 2:31 PM 329592]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [1/13/2010 2:54 PM 19160]
.
Contents of the 'Scheduled Tasks' folder

2010-01-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 22:34]

2010-01-12 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Hewlett-Packard\SDP\HPSdpApp.exe [2005-09-09 03:23]

2010-01-20 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 04:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.hawaiitheatre.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
Trusted Zone: trymedia.com
FF - ProfilePath - c:\documents and settings\HP_Administrator.HTC-PRODMGR\Application Data\Mozilla\Firefox\Profiles\vdsgg78d.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.hawaiitheatre.com/
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJPI150_05.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPOJI610.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-20 08:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.1.0.19\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.1.0.19\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(872)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1996)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-01-20 08:05:14
ComboFix-quarantined-files.txt 2010-01-20 18:05
ComboFix2.txt 2010-01-20 03:43

Pre-Run: 119,418,335,232 bytes free
Post-Run: 119,379,795,968 bytes free

- - End Of File - - 5EC4890E1A0B309C73523FAFF791D548

Hope this helps. Looking forward to hearing back from you when you have the time.

As always, thanks again for your continued efforts and assistance.
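To make a long ComboFix log like the one above easier to review, here is an added example (not from this thread or from ComboFix) that pulls the "Reg Loading Points" Run values and the R0-R3 driver/service lines into records and flags the XP firewall policy setting. The sample log text is constructed to match the format posted above; the regexes and field names are the example's own assumptions about that format.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the ComboFix log format posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1101000.013\SymDS.sys [1/12/2010 10:50 AM 328752]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/30/2009 1:50 PM 236368]
"""

@dataclass
class Autostart:
    source: str       # registry key the value sits under, or service start type (R0..R3)
    name: str
    path: str
    size: Optional[int]
    bare_name: bool   # True when the entry names a file with no directory (resolved via PATH)

# "Name"="path" [date size]   -- Run-key value as ComboFix prints it (assumed format)
RUN_RE = re.compile(r'^"([^"]+)"="([^"]+)"\s+\[(\S+)\s+(\d+)\]$')
# R0 Name;Description;path [date time size]   -- driver/service line (assumed format)
SVC_RE = re.compile(r'^(R[0-3]|S[0-4])\s+([^;]+);([^;]*);(.+?)\s+\[(.+?)\s+(\d+)\]$')

def parse_autostarts(text: str) -> List[Autostart]:
    """Walk a ComboFix log and return Run-key values plus driver/service entries."""
    entries, current_key = [], None
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]          # remember which registry key we are under
            continue
        m = RUN_RE.match(line)
        if m and current_key:
            name, path, _date, size = m.groups()
            entries.append(Autostart(current_key, name, path, int(size), "\\" not in path))
            continue
        m = SVC_RE.match(line)
        if m:
            start, name, _desc, path, _date, size = m.groups()
            entries.append(Autostart(start, name, path, int(size), "\\" not in path))
    return entries

def firewall_disabled(text: str) -> bool:
    """True when the log shows the Windows Firewall standard profile turned off."""
    return bool(re.search(r'^"EnableFirewall"=\s*0\b', text, re.M))
```

Entries with `bare_name` set (such as the ARPWRMSG.EXE value on this machine) are worth a second look, since the file is located by PATH search rather than an explicit directory; `firewall_disabled` is expected to be true when a third-party firewall such as Norton's has taken over.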

#13 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:04:54 PM

Posted 20 January 2010 - 07:47 PM

taro_boy,

There was no need to run Combofix again - and it could have killed your system.

Nothing was picked up on that run as the program ran fine.

Combofix does reset some settings to the default so that may be what has happened there. As you found it, nothing to worry about.


Let's just do an online scan

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
Thanks
m0le is a proud member of UNITE

#14 taro_boy

taro_boy
  • Topic Starter

  • Members
  • 11 posts
  • Gender:Male
  • Location:Honolulu, Hawaii
  • Local time:11:54 AM

Posted 21 January 2010 - 02:31 PM

Good Morning m0le-

Thanks for your ongoing assistance with my computer.

I ran the ESET Online Scanner (3 hours, 43 minutes to complete a scan of 116025 files); the program came back with having found no threats. It did not give me an option of exporting any text to a file, which I assume is because there was nothing found. I took a screenshot of the scan results if you need to see it.

Are there any other steps you'd like me to follow before declaring my post-virus/malware infection recovery a success?

#15 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:04:54 PM

Posted 21 January 2010 - 04:20 PM

That's what I was expecting....

You're clean. Good stuff!

Let's do some clearing up

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    (For Vista/Windows 7 please click Start -> All Programs -> Accessories -> Run)
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between "Combofix" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.


Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click the icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
------------------------------------------------------------------------------------------------------------------------

Here's some advice on how you can keep your PC clean


Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version, or the Pro version for a 15 day trial period.

Installing this or another recommended program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis, just as you would with antivirus software.


Finally, here's a treasure trove of antivirus, antimalware and antispyware resources


That's it taro_boy, happy surfing!

Cheers.

m0le
m0le is a proud member of UNITE
