
# Found 200+ virus/trojans/spyware etc... and counting

11 replies to this topic

### #1 mmiley86

mmiley86

• Members
• 8 posts
• OFFLINE
• Local time:04:53 AM

Posted 09 February 2010 - 02:42 PM

Hello all and I would first like to thank everyone for taking the time to look over my problem. The current desktop that I am having problems with was lent out to someone I knew for several months (6+). After receiving it back it didn't take me long to realize that it was heavily infected with all kinds of nasty stuff. With that said I would like to tell you the anti-virus protection I have on my computer.

Norton 360 -- fully up to date; however, it is forced to shut down a lot. Although I can get it to do scans, in normal and safe mode, it picks up nothing. Virus most likely has it blocked or whatever.

Microsoft Malicious Software Removal Tool - Jan. 2010 -- This was my bread and butter; this program found 150+ infections on my computer after its scan took place, at which point I thought everything would be alright. I was wrong.

• Malwarebytes' Anti-Malware
• SUPERAntiSpyware
• Spybot - Search & Destroy

These are all the other programs I have downloaded and used, each picking up different infections that the others hadn't.

I believe the biggest threat still around is something to do with one of the internet's "buy my anti-virus removal program" sites. While surfing the web, rather than the link I chose, something involving this my-pc-security.com comes up.

Thanks again and I hope the information that I have provided helps you out the best I can.

HiJackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:40:55, on 2/9/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NETGEAR\WNDA3100v2\WifiSvc.exe
C:\Program Files\Common Files\AOL\1135029836\ee\AOLSoftware.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\NETGEAR\WNDA3100v2\WNDA3100v2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.8.0.41\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.8.0.41\IPSBHO.DLL
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.8.0.41\coIEPlg.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1135029836\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKLM\..\Policies\Explorer\Run: [] 
O4 - Global Startup: NETGEAR WNDA3100v2 Smart Wizard.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo...sreqlab_nvd.cab
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.8.0.41\coIEPlg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: WSWNDA3100 - Unknown owner - C:\Program Files\NETGEAR\WNDA3100v2\WifiSvc.exe

--
End of file - 5886 bytes

I'd just like to add that I usually don't get rerouted to a bad website if I manually type in an address or use a favorite; it happens a lot, however, when I use a search engine such as Google and click, or open in a new tab, one of their links. Thanks again so much!

Merged posts. ~ OB

Edited by Orange Blossom, 09 February 2010 - 07:01 PM.
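Added example (not from this thread, and not HijackThis's own code): a small Python triage pass over HijackThis-style log lines like the ones posted above. It surfaces the entry types a helper tends to look at first: O2/O3/O9 objects whose file is gone, O23 services with a missing binary or no publisher, O1 hosts overrides other than the stock localhost entries, and O4 autostarts that are unnamed or launch from a temp or profile directory. The sample log is constructed; a few lines mirror entries from the post, the `updater` autostart and the `.invalid` hostname are placeholders, and the thresholds are my assumptions. A hit only means "look closer", not "infected".

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in the HijackThis v2 line format; a few entries mirror
# the post above, the rest (updater, .invalid host, Example BHO) are placeholders.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O1 - Hosts: ::1 localhost
O1 - Hosts: 127.0.0.1 www.example-security-vendor.invalid
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Example BHO - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\example.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Policies\Explorer\Run: []
O4 - HKCU\..\Run: [updater] C:\DOCUME~1\user\LOCALS~1\Temp\upd.exe
O23 - Service: Example Service (ExSvc) - Example Corp - C:\Program Files\Example\exsvc.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
"""

# "O23 - <body>", "R0 - <body>", "F2 - <body>" ...
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
LOOPBACK = {"127.0.0.1", "::1"}
# Assumed markers for "launched from a temp or per-user profile directory".
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\", "\\local settings\\",
                "\\application data\\", "\\applic~1\\")


@dataclass(frozen=True)
class Finding:
    section: str
    reasons: Tuple[str, ...]
    line: str


def _reasons_for(section: str, body: str) -> List[str]:
    """Heuristic reasons why one log entry deserves a human look (assumed rules)."""
    reasons = []
    if "(no file)" in body:
        reasons.append("registered object points at a file that no longer exists")
    if "(file missing)" in body:
        reasons.append("service binary missing on disk")
    if section == "O23" and "Unknown owner" in body:
        reasons.append("service binary carries no publisher in its version info")
    if section == "O1":
        m = HOSTS_RE.match(body)
        if m and not (m.group("ip") in LOOPBACK and m.group("host") == "localhost"):
            reasons.append(f"hosts file overrides {m.group('host')} -> {m.group('ip')}")
    if section == "O4":
        m = RUN_RE.search(body)
        if m:
            if m.group("name") == "":
                reasons.append("unnamed autostart value")
            if any(t in m.group("cmd").lower() for t in TEMP_MARKERS):
                reasons.append("autostart launches from a temp or profile directory")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Return the entries worth reviewing, in log order, with the reasons for each."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, "Running processes:" paths, blank lines
        reasons = _reasons_for(m.group("section"), m.group("body"))
        if reasons:
            findings.append(Finding(m.group("section"), tuple(reasons), line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {'; '.join(f.reasons)}\n    {f.line}")
```

On the sample above the script reports five entries (the hosts override, the BHO with no file, the unnamed Policies\Explorer\Run value, the Temp autostart, and the RoxLiveShare9 service with both a missing binary and no publisher); the stock Norton and NVIDIA entries pass through untouched, which is the point of a triage pass rather than a verdict.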

### #2 mmiley86

mmiley86
• Topic Starter

• Members
• 8 posts
• OFFLINE
• Local time:04:53 AM

Posted 10 February 2010 - 03:48 PM

===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level, attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us wants someone to assist you who is not familiar with your issue and attempt to fix it.

That is why I have made an edit to your last post, instead of a reply. Please do not post multiple times here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take several days, up to two weeks perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

Thank you for understanding.

Orange Blossom ~ forum moderator

Edited by Orange Blossom, 10 February 2010 - 10:22 PM.

### #3 Blind Faith

Blind Faith

• Malware Response Team
• 4,101 posts
• OFFLINE
• Gender:Female
• Local time:12:53 PM

Posted 11 February 2010 - 04:08 PM

Hello and welcome to Bleeping Computer!

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
• Double click on the DDS icon, allow it to run.
• A small box will open, with an explanation about the tool. No input is needed; the scan is running.
• Notepad will open with the results.
• Follow the instructions that pop up for posting the results.
• Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log

Elle
Can you hear it? It's all around!

Do you remember?
Can you forgive?

If I haven't replied in 48 hours, please feel free to send me a PM.

### #4 mmiley86

mmiley86
• Topic Starter

• Members
• 8 posts
• OFFLINE
• Local time:04:53 AM

Posted 14 February 2010 - 11:42 PM

Sorry, now I feel bad for the slow response. I thought I had subscribed to the post to receive e-mails about posts, but I guess I messed that up. Well, here is what you asked for. Thanks a lot!!!!!

DDS (Ver_09-12-01.01) - NTFSx86
Run by matt at 20:45:31.81 on Sun 02/14/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.421 [GMT -5:00]

AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NETGEAR\WNDA3100v2\WNDA3100v2.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\NETGEAR\WNDA3100v2\WifiSvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [BitTorrent] "c:\program files\bittorrent\bittorrent.exe" --force_start_minimized
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mExplorerRun: [<NO NAME>] 1 (0x1)
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wnda3100v2\WNDA3100v2.exe
uPolicies-explorer: DisallowRun = 0 (0x0)
uPolicies-explorer: HideClock = 0 (0x0)
dPolicies-explorer: DisallowRun = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\3.8.0.41\CoIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\matt\applic~1\mozilla\firefox\profiles\pvyspo5s.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-2-8 64288]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308000.029\SymEFA.sys [2010-2-3 310320]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-2-10 11608]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0308000.029\BHDrvx86.sys [2010-2-3 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0308000.029\cchpx86.sys [2010-2-3 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100204.001\IDSXpx86.sys [2010-2-6 329592]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-2-10 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-2-10 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-2-10 56816]
R2 WSWNDA3100;WSWNDA3100;c:\program files\netgear\wnda3100v2\WifiSvc.exe [2010-2-3 278528]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-2-3 102448]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100211.002\NAVENG.SYS [2010-2-11 84912]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100211.002\NAVEX15.SYS [2010-2-11 1324720]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]
S2 N360;Norton 360;c:\program files\norton 360\engine\3.8.0.41\ccSvcHst.exe [2010-2-3 117640]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 34064]
S3 USBFVNETR;NETGEAR MA101 USB Adapter;c:\windows\system32\drivers\ma101rndxp.sys [2005-12-17 76160]

=============== Created Last 30 ================

2010-02-10 23:05:40 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-02-10 23:05:33 0 d-----w- c:\program files\Avira
2010-02-10 23:05:33 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-02-09 19:12:03 0 d-sh--w- c:\documents and settings\matt\PrivacIE
2010-02-09 19:06:59 0 d-----w- c:\program files\TrendMicro
2010-02-09 18:05:00 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-02-09 18:04:23 0 d-----w- c:\program files\SUPERAntiSpyware
2010-02-09 18:04:23 0 d-----w- c:\docume~1\matt\applic~1\SUPERAntiSpyware.com
2010-02-09 05:17:52 0 d-sh--w- c:\documents and settings\matt\IETldCache
2010-02-09 05:10:16 69120 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-02-09 05:08:16 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-02-09 05:08:12 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-02-09 05:08:12 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-02-09 05:08:11 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-02-09 05:08:10 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-02-09 05:08:10 11070464 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-02-09 05:05:31 0 dc-h--w- c:\windows\ie8
2010-02-09 04:49:09 0 d-----w- c:\docume~1\alluse~1\applic~1\UAB
2010-02-09 04:49:07 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Drivers HeadQuarters
2010-02-09 04:47:13 0 d-----w- c:\program files\PC Drivers HeadQuarters
2010-02-08 22:57:42 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-02-08 20:14:04 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-02-08 20:03:46 0 d-----w- C:\ProgramData
2010-02-08 19:45:12 0 d-----w- c:\docume~1\matt\applic~1\Malwarebytes
2010-02-08 19:45:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-08 19:45:01 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-08 19:45:01 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-08 19:45:01 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-02-08 19:44:18 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-02-08 06:22:19 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-02-08 06:22:19 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-02-06 20:39:45 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2010-02-06 20:39:45 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2010-02-03 19:52:58 0 d-----w- c:\program files\SystemRequirementsLab
2010-02-03 19:34:14 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys
2010-02-03 19:33:59 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-02-03 19:33:59 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-02-03 19:33:59 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-02-03 19:33:59 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-02-03 19:33:58 0 d-----w- c:\program files\Symantec
2010-02-03 19:32:32 0 d-----w- c:\windows\system32\drivers\N360
2010-02-03 19:32:24 0 d-----w- c:\program files\Norton 360
2010-02-03 19:22:35 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton
2010-02-03 19:19:26 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-02-03 18:53:44 0 d-----w- c:\program files\NortonInstaller
2010-02-03 18:53:44 0 d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2010-02-03 18:43:59 0 d-----w- c:\documents and settings\all users\Symantec Temporary Files
2010-02-03 17:50:26 632576 ----a-w- c:\windows\system32\drivers\bcmwlhigh5.sys
2010-02-03 17:50:11 499712 ----a-w- c:\windows\system32\msvcec1d.rra
2010-02-03 17:50:11 348160 ----a-w- c:\windows\system32\msvcecf7.rra
2010-02-03 17:50:11 196608 ----a-w- c:\windows\system32\wps_api.dll
2010-02-03 17:50:03 89088 ----a-w- c:\windows\system32\ATL7d0b5.rra
2010-02-03 17:49:56 0 d-----w- c:\program files\NETGEAR

==================== Find3M ====================

2010-02-03 22:30:48 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-02-03 19:33:38 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-02-03 19:33:21 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27:51 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43:50 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-11-27 17:11:44 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:11:44 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 16:07:35 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07:35 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07:34 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07:34 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:07:34 11264 ----a-w- c:\windows\system32\msrle32.dll

============= FINISH: 20:47:12.31 ===============

### #5 sempai

sempai

noypi

• Malware Response Team
• 5,288 posts
• OFFLINE
• Gender:Male
• Location:3 stars and a sun
• Local time:05:53 PM

Posted 15 February 2010 - 08:11 AM

Hello my name is Sempai and welcome to Bleeping Computer.
*We apologize for the delay. Forums have been busy.

* Please stay with me until I declare that your computer is clean as most users don't reply anymore once they found out that their computer is running smoothly, but absence of symptoms does not mean that a computer is free from infection.

*It is important not to make any further changes or run any other tools unless instructed to. This may hinder the cleaning process of your machine.

*You must reply within 5 days otherwise this topic will be closed.

1. I do not recommend that you have more than one anti virus product installed and running on your computer at a time (Norton and Avira).
The reason for this is that if both products have their automatic (real-time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either Norton or Avira.

Important note: It is important to run the removal tool after you uninstall the AV that you wish to remove.
Avira removal tool --> HERE
Norton removal tool --> HERE

2. Your log(s) show that you are using so called peer-to-peer or file-sharing programmes (in your case bittorrent).
These programmes allow users to share files, as the name(s) suggest. In today's world cyber crime has grown to an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous amount of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

• Temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
• Close any open windows, including this one.
• Double click on ComboFix.exe & follow the prompts.
• As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
• If you did not have it installed, you will see the prompt below. Choose YES.

• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

*If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

• Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

• Click on Yes, to continue scanning for malware.
• When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please do NOT mouse-click ComboFix's window while it's running, because it may cause it to stall.

Warning!
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper. *** If you are not the topic starter, DO NOT run this tool, as it could cause irreversible damage to your computer.

If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support; post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators)
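Added example, not from this thread and not part of DDS: the "one real-time scanner at a time" point in step 1 above can be checked mechanically from the product lines at the top of a DDS log (the `AV:` / `FW:` lines, which DDS builds from the Windows Security Center registrations). The Python below parses those lines and reports every anti-virus product whose on-access scanning is enabled; more than one such product is the conflict sempai describes. The sample header is constructed from the lines in the earlier DDS post; the regex and the "enabled but not disabled" test are my assumptions about the line format.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample header, using the product lines from the DDS log posted earlier.
SAMPLE_HEADER = """\
DDS (Ver_09-12-01.01) - NTFSx86
AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
"""

# Assumed line shape:  KIND: <product name> *<state>* [(Updated|Outdated)] {GUID}
PRODUCT_RE = re.compile(
    r"^(?P<kind>AV|AS|FW):\s+(?P<name>.+?)\s+\*(?P<state>[^*]+)\*"
    r"(?:\s+\((?P<freshness>[^)]+)\))?\s*(?P<guid>\{[0-9A-Fa-f-]+\})\s*$"
)


@dataclass(frozen=True)
class Product:
    kind: str            # AV, AS (anti-spyware) or FW
    name: str
    enabled: bool        # real-time / on-access protection switched on
    updated: Optional[bool]  # None when the line carries no freshness flag (FW lines)
    guid: str


def parse_products(header_text: str) -> List[Product]:
    """Parse the Security Center product lines out of a DDS header."""
    products = []
    for line in header_text.splitlines():
        m = PRODUCT_RE.match(line.strip())
        if not m:
            continue
        state = m.group("state").lower()
        # "disabled" also contains "enabled", so test the negative form first.
        enabled = "disabled" not in state and "enabled" in state
        fresh = m.group("freshness")
        updated = None if fresh is None else fresh.lower() == "updated"
        products.append(Product(m.group("kind"), m.group("name"),
                                enabled, updated, m.group("guid")))
    return products


def realtime_av_conflict(products: List[Product]) -> List[str]:
    """Names of AV products with on-access scanning enabled.
    A list longer than one is the two-resident-scanners conflict."""
    return [p.name for p in products if p.kind == "AV" and p.enabled]


if __name__ == "__main__":
    active = realtime_av_conflict(parse_products(SAMPLE_HEADER))
    if len(active) > 1:
        print("conflict: more than one on-access scanner enabled ->", ", ".join(active))
    else:
        print("ok:", active)
```

Run against the sample it reports both Norton 360 and AntiVir Desktop as active; against the later ComboFix header, where Norton shows `*On-access scanning disabled*`, the same code correctly reports no active scanner, which is the state ComboFix expects while it runs rather than a permanent fix.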

### #6 mmiley86

mmiley86
• Topic Starter

• Members
• 8 posts
• OFFLINE
• Local time:04:53 AM

Posted 15 February 2010 - 01:39 PM

I was confused with the step involving the removal of one of my anti-virus programs. I removed Avira but wasn't sure if I should then use the Avira link you posted or the Norton 360 link. So, just to be clear, I still have Norton 360 on my computer. And on a side note, after using ComboFix my "Netgear WNDA3100v2 Smart Wizard" does not work. It is the program I use to connect to wireless; ATM I am using the Windows default service. THANKS again!

ComboFix 10-02-12.01 - matt 02/15/2010 12:53:26.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.455 [GMT -5:00]
AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\CyberDefender
c:\program files\CyberDefender\cdinstx.exe
c:\program files\WinPCap
c:\program files\WinPCap\daemon_mgm.exe
c:\program files\WinPCap\INSTALL.LOG
c:\program files\WinPCap\NetMonInstaller.exe
c:\program files\WinPCap\npf_mgm.exe
c:\program files\WinPCap\rpcapd.exe
c:\program files\WinPCap\Uninstall.exe
c:\windows\system32\2973195295.dat
c:\windows\system32\drivers\npf.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\Packet.dll
c:\windows\system32\Process.exe
c:\windows\system32\SIntf16.dll
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
c:\windows\system32\WS2Fix.exe

Infected copy of c:\windows\system32\ws2_32.dll was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\ws2_32.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_NPF

((((((((((((((((((((((((( Files Created from 2010-01-15 to 2010-02-15 )))))))))))))))))))))))))))))))
.

2010-02-10 23:05 . 2010-02-11 23:07 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-02-10 03:07 . 2010-02-10 03:07 -------- d-----w- c:\documents and settings\matt\Local Settings\Application Data\Rawr
2010-02-09 19:12 . 2010-02-09 19:12 -------- d-sh--w- c:\documents and settings\matt\PrivacIE
2010-02-09 19:06 . 2010-02-09 19:06 -------- d-----w- c:\program files\TrendMicro
2010-02-09 18:13 . 2010-02-09 18:13 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-02-09 18:05 . 2010-02-09 18:05 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-02-09 18:04 . 2010-02-09 18:04 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-02-09 18:04 . 2010-02-09 18:04 -------- d-----w- c:\documents and settings\matt\Application Data\SUPERAntiSpyware.com
2010-02-09 05:50 . 2010-02-09 05:50 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-02-09 05:20 . 2010-02-09 05:20 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-02-09 05:17 . 2010-02-09 05:17 -------- d-sh--w- c:\documents and settings\matt\IETldCache
2010-02-09 05:10 . 2009-12-11 08:38 69120 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-02-09 05:09 . 2010-02-09 05:09 -------- d-----w- c:\windows\ie8updates
2010-02-09 05:08 . 2009-12-21 19:14 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-02-09 05:08 . 2009-12-21 19:14 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-02-09 05:08 . 2009-12-21 19:14 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-02-09 05:08 . 2009-12-21 19:14 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-02-09 05:08 . 2009-12-21 19:14 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-02-09 05:08 . 2009-12-21 19:14 11070464 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-02-09 05:05 . 2010-02-09 05:07 -------- dc-h--w- c:\windows\ie8
2010-02-09 04:49 . 2010-02-09 04:49 -------- d-----w- c:\documents and settings\All Users\Application Data\UAB
2010-02-09 04:49 . 2010-02-09 04:49 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2010-02-09 04:48 . 2010-02-09 04:48 -------- d-----w- c:\documents and settings\matt\Local Settings\Application Data\PC_Drivers_Headquarters
2010-02-09 04:47 . 2010-02-09 04:47 -------- d-----w- c:\program files\PC Drivers HeadQuarters
2010-02-08 22:57 . 2010-02-08 20:22 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-02-08 20:14 . 2009-12-02 13:19 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-02-08 20:03 . 2010-02-08 20:03 -------- d-----w- C:\ProgramData
2010-02-08 20:02 . 2010-02-08 20:02 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-02-08 19:45 . 2010-02-08 19:45 -------- d-----w- c:\documents and settings\matt\Application Data\Malwarebytes
2010-02-08 19:45 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-08 19:45 . 2010-02-08 19:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-08 19:45 . 2010-02-08 19:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-08 19:45 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-08 19:44 . 2010-02-08 20:09 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-02-08 06:22 . 2010-02-08 17:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-08 06:22 . 2010-02-08 06:24 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-08 06:08 . 2010-02-08 06:08 -------- d-----w- c:\documents and settings\matt\Local Settings\Application Data\Symantec
2010-02-06 20:39 . 2008-04-13 19:45 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2010-02-06 20:39 . 2008-04-13 19:45 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2010-02-03 22:37 . 2010-02-03 22:37 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA
2010-02-03 22:30 . 2010-02-03 22:30 -------- d--h--r- c:\documents and settings\matt\Application Data\SecuROM
2010-02-03 22:26 . 2010-02-03 22:26 -------- d-----w- c:\documents and settings\matt\Local Settings\Application Data\Downloaded Installations
2010-02-03 19:52 . 2010-02-03 19:52 -------- d-----w- c:\program files\SystemRequirementsLab
2010-02-03 19:34 . 2010-02-03 19:33 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys
2010-02-03 19:33 . 2010-02-03 19:33 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-02-03 19:33 . 2010-02-03 19:33 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-02-03 19:33 . 2010-02-03 19:34 -------- d-----w- c:\program files\Symantec
2010-02-03 19:32 . 2010-02-08 06:14 -------- d-----w- c:\windows\system32\drivers\N360
2010-02-03 19:32 . 2010-02-03 19:32 -------- d-----w- c:\program files\Norton 360
2010-02-03 19:32 . 2010-02-03 19:32 -------- d-----w- c:\program files\Windows Sidebar
2010-02-03 19:22 . 2010-02-03 19:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-02-03 19:19 . 2010-02-03 19:19 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-02-03 18:53 . 2010-02-03 19:32 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-02-03 18:53 . 2010-02-03 18:53 -------- d-----w- c:\program files\NortonInstaller
2010-02-03 18:43 . 2010-02-03 18:44 -------- d-----w- c:\documents and settings\All Users\Symantec Temporary Files
2010-02-03 17:50 . 2009-05-05 17:00 632576 ----a-w- c:\windows\system32\drivers\bcmwlhigh5.sys
2010-02-03 17:50 . 2008-11-14 22:35 196608 ----a-w- c:\windows\system32\wps_api.dll
2010-02-03 17:49 . 2010-02-03 17:49 -------- d-----w- c:\program files\NETGEAR
2010-02-03 17:48 . 2010-02-03 17:48 -------- d-----w- c:\documents and settings\matt\Application Data\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-15 18:04 . 2005-12-28 02:57 -------- d-----w- c:\program files\Steam
2010-02-09 20:07 . 2009-07-24 01:58 -------- d-----w- c:\program files\Trash
2010-02-09 19:07 . 2010-02-09 19:07 388096 ----a-r- c:\documents and settings\matt\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-02-09 18:53 . 2010-02-09 18:14 117760 ----a-w- c:\documents and settings\matt\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-09 18:14 . 2010-02-09 18:14 52224 ----a-w- c:\documents and settings\matt\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-09 18:03 . 2006-03-08 15:50 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-09 03:31 . 2006-02-15 18:34 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2010-02-09 00:36 . 2009-07-26 14:58 -------- d-----w- c:\documents and settings\matt\Application Data\Trash
2010-02-08 23:37 . 2005-12-17 08:58 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-08 20:23 . 2010-02-08 20:23 327000 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2010-02-08 20:14 . 2009-06-30 23:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-02-08 20:00 . 2010-02-08 20:03 38784 ----a-w- c:\documents and settings\matt\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-08 20:00 . 2010-02-08 20:02 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-07 02:15 . 2009-09-13 17:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-02-03 22:37 . 2006-01-17 13:41 35648 ----a-w- c:\documents and settings\matt\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-03 22:30 . 2006-09-11 17:42 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-02-03 19:55 . 2009-09-13 17:49 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-02-03 19:36 . 2009-09-23 21:54 -------- d-----w- c:\program files\World of Warcraft
2010-02-03 19:33 . 2010-02-03 19:33 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-02-03 19:33 . 2010-02-03 19:33 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-02-03 19:33 . 2006-09-19 20:44 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-02-03 19:33 . 2010-02-03 19:33 1291104 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\SyKnAppS.dll
2010-02-03 19:33 . 2010-02-03 19:33 136840 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\patch25.dll
2010-02-03 19:33 . 2010-02-15 18:03 165240 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
2010-02-03 19:33 . 2006-10-03 23:47 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2010-02-03 19:33 . 2010-02-03 19:37 554352 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
2010-02-03 19:33 . 2010-02-03 19:33 771440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\CLT\cltLMSx.dll
2010-02-03 17:43 . 2009-06-23 20:43 -------- d-----w- c:\program files\Microsoft Silverlight
2010-02-03 09:26 . 2010-02-15 17:48 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100215.002\NAVENG32.DLL
2010-02-03 09:26 . 2010-02-15 17:48 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100215.002\NAVEX32A.DLL
2010-02-03 09:26 . 2010-02-15 17:48 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100215.002\EECTRL.SYS
2010-02-03 09:26 . 2010-02-15 17:48 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100215.002\CCERASER.DLL
2010-02-03 09:26 . 2010-02-15 17:48 259440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100215.002\ECMSVR32.DLL
2010-02-03 09:26 . 2010-02-15 17:48 102448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100215.002\ERASER.SYS
2010-02-03 09:00 . 2010-02-15 17:48 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100215.002\NAVENG.SYS
2010-02-03 09:00 . 2010-02-15 17:48 1324720 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100215.002\NAVEX15.SYS
2010-01-11 22:00 . 2010-01-11 22:00 -------- d-----w- c:\program files\MSBuild
2010-01-11 22:00 . 2010-01-11 22:00 -------- d-----w- c:\program files\Reference Assemblies
2009-12-31 16:50 . 2003-07-16 20:46 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2005-10-21 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2005-11-27 07:18 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2003-07-16 20:26 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27 . 2003-07-16 20:39 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2002-08-29 01:04 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-07 14:10 . 2010-02-08 20:09 2953352 -c--a-w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}\Ad-AwareInstallation.exe
2009-12-04 18:22 . 2003-07-16 20:34 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:11 . 2005-12-18 23:53 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:11 . 2005-08-30 14:14 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 16:07 . 2003-07-16 20:36 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2003-07-16 20:36 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07 . 2003-07-16 20:24 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2001-08-17 22:36 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-21 15:51 . 2003-07-16 20:23 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-05 2002160]
"Steam"="c:\program files\Steam\Steam.exe" [2010-02-10 1217808]
"NvMediaCenter"="c:\windows\system32\NVMCTRAY.DLL" [2003-10-06 49152]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
"nwiz"="nwiz.exe" [2003-10-06 741376]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2003-10-06 49152]

NETGEAR WNDA3100v2 Smart Wizard.lnk - c:\program files\NETGEAR\WNDA3100v2\WNDA3100v2.exe [2010-2-3 3272704]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"DisallowRun"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ 'autocheck autochk *'\0lsdelete

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\World of Warcraft\\Repair.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Steam\\SteamApps\\cmiley\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/8/2010 3:14 PM 64288]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SymEFA.sys [2/3/2010 9:46 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0308000.029\BHDrvx86.sys [2/3/2010 9:46 PM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0308000.029\cchpx86.sys [2/3/2010 9:46 PM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100210.001\IDSXpx86.sys [2/15/2010 12:48 PM 329592]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe [2/3/2010 9:44 PM 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/3/2010 4:26 AM 102448]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]
S3 USBFVNETR;NETGEAR MA101 USB Adapter;c:\windows\system32\drivers\ma101rndxp.sys [12/17/2005 3:58 AM 76160]
.
Contents of the 'Scheduled Tasks' folder

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\matt\Application Data\Mozilla\Firefox\Profiles\pvyspo5s.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)
WebBrowser-{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - (no file)
HKCU-Run-BitTorrent - c:\program files\BitTorrent\bittorrent.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-15 13:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PSSdk23]
"ImagePath"="\??\c:\windows\system32\Drivers\PsSdk23.drv"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

"datasecu"=hex:62,fb,54,88,3b,0c,de,26,25,77,f0,45,bf,c3,86,6e,af,69,14,68,e5,
82,18,04,58,09,cd,05,86,c5,94,31,d5,59,4b,35,02,ed,5c,fd,86,6a,df,72,64,29,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1452)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2016)
c:\windows\system32\WININET.dll
c:\windows\system32\nView.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\windows\System32\wbem\unsecapp.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2010-02-15 13:18:11 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-15 18:18

Pre-Run: 15,773,057,024 bytes free
Post-Run: 15,751,237,632 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 37AEF5475E237485F4DBED11A8CD944A

### #7 sempai

sempai

noypi

• Malware Response Team
• 5,288 posts
• OFFLINE
•
• Gender:Male
• Location:3 stars and a sun
• Local time:05:53 PM

Posted 16 February 2010 - 09:29 AM

Hi,

Since you removed Avira, please download and run its removal tool using the provided link. With regard to the Netgear WNDA3100 problem, is it possible for you to reinstall its software? Please follow the instructions below.

• The scan may take some time to finish, so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

2. I'd like us to scan your machine with ESET OnlineScan
1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
2. Click the button.
3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
   2. Double click on the icon on your desktop.
4. Check
5. Click the button.
6. Accept any security warnings from your browser.
7. Check
8. Push the Start button.
10. When the scan completes, push
11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
12. Push the button.
13. Push

3. Also please post a new DDS log for me. Thanks

~Semp

Edit - typos

Edited by sempai, 16 February 2010 - 09:34 AM.

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support; post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators)

### #8 mmiley86

mmiley86
• Topic Starter

• Members
• 8 posts
• OFFLINE
•
• Local time:04:53 AM

Posted 17 February 2010 - 02:40 PM

Malwarebytes' Anti-Malware 1.44
Database version: 3748
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/17/2010 8:00:11 AM
mbam-log-2010-02-17 (08-00-11).txt

Scan type: Full Scan (C:\|)
Objects scanned: 179650
Time elapsed: 2 hour(s), 4 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

DDS (Ver_09-12-01.01) - NTFSx86
Run by matt at 14:36:22.50 on Wed 02/17/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.449 [GMT -5:00]

AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\NETGEAR\WNDA3100v2\WNDA3100v2.exe
C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\3.8.0.41\IPSBHO.DLL
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wnda3100v2\WNDA3100v2.exe
dPolicies-explorer: DisallowRun = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\3.8.0.41\CoIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\matt\applic~1\mozilla\firefox\profiles\pvyspo5s.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-2-8 64288]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308000.029\SymEFA.sys [2010-2-3 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0308000.029\BHDrvx86.sys [2010-2-3 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0308000.029\cchpx86.sys [2010-2-3 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100210.001\IDSXpx86.sys [2010-2-15 329592]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
R2 N360;Norton 360;c:\program files\norton 360\engine\3.8.0.41\ccSvcHst.exe [2010-2-3 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-2-3 102448]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100217.005\NAVENG.SYS [2010-2-17 84912]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100217.005\NAVEX15.SYS [2010-2-17 1324720]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]
S2 WSWNDA3100;WSWNDA3100;c:\program files\netgear\wnda3100v2\WifiSvc.exe [2010-2-3 278528]
S3 USBFVNETR;NETGEAR MA101 USB Adapter;c:\windows\system32\drivers\ma101rndxp.sys [2005-12-17 76160]

=============== Created Last 30 ================

2010-02-17 13:55:22 43528 ------w- c:\windows\system32\drivers\PxHelp20.sys
2010-02-17 13:55:21 9464 ------w- c:\windows\system32\drivers\cdralw2k.sys
2010-02-17 13:55:21 9336 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2010-02-17 13:55:21 120056 ------w- c:\windows\system32\pxcpyi64.exe

### #9 sempai

sempai

noypi

• Malware Response Team
• 5,288 posts
• OFFLINE
• Gender:Male
• Location:3 stars and a sun
• Local time:05:53 PM

Posted 18 February 2010 - 08:30 AM

Hi,

One of the service pack files (ws2_32.dll) was infected and deleted, and we will replace it with a clean copy. Please do the following:

1. Click on the Start button, then click on Run...
2. In the empty "Open:" box provided, type cmd and press Enter.
This will launch a Command Prompt window (looks like DOS).

3. Copy the entire Bold text below to the clipboard by highlighting all of it and pressing Ctrl+C (or after highlighting, right-click and select Copy).
copy c:\windows\$NtServicePackUninstall$\ws2_32.dll C:\WINDOWS\ServicePackFiles\i386\ /y

4. In the Command Prompt window, paste the copied text by right-clicking and selecting Paste.
5. Press Enter.
When successful, you should get this message within the Command Prompt: "1 file(s) copied".

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support; post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators)

### #10 mmiley86

mmiley86
• Topic Starter

• Members
• 8 posts
• OFFLINE
• Local time:04:53 AM

Posted 18 February 2010 - 05:34 PM

Hey Semp and friends, thank you so much; everything SEEMS to be in good working order. However, this weekend I will be away, and I do plan on posting late Sunday night or Monday afternoon to give you guys a final assessment.

Again I would just like to say thank you to everyone who took the time to help me out, it is much appreciated!!!!!!!

### #11 sempai

sempai

noypi

• Malware Response Team
• 5,288 posts
• OFFLINE
• Gender:Male
• Location:3 stars and a sun
• Local time:05:53 PM

Posted 18 February 2010 - 05:38 PM

Hi,

1. Uninstall Combofix
• The following will implement some cleanup procedures as well as reset System Restore points:
• Click Start > Run and copy/paste the following bolded text into the Run box and click OK:
ComboFix /Uninstall

2. TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.
• Open the file and close any other windows.
• It will close all programs itself when run; make sure to let it run uninterrupted.
• Click the Start button to begin the process. The program should not take long to finish its job.
• Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.
Note: TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

3. Your log is clean. Please take the time to read below to secure your machine and take the necessary steps to keep it clean.
Visit Microsoft's Windows Update Site Frequently
It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Install SpywareBlaster
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware

How to prevent Malware: by miekiemoes
How to increase PC speed: by miekiemoes

With regards,
Semp

Edited by sempai, 18 February 2010 - 05:45 PM.


### #12 sempai

sempai

noypi

• Malware Response Team
• 5,288 posts
• OFFLINE
• Gender:Male
• Location:3 stars and a sun
• Local time:05:53 PM

Posted 19 February 2010 - 07:35 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

Everyone else please begin a New Topic.

~Semp

