
Repeated Malware infections, Trouble removing Vista Guardian


67 replies to this topic

#31 Mom2four (Topic Starter)

Posted 11 March 2010 - 02:17 PM

I got it to move past setting a system restore point. Now it says it's scanning. I went about it in a slightly unorthodox manner. The ComboFix saved to my desktop was not working, nor could I get anything to show up in Taskmgr. That, and the CF icon on the desktop has the Windows security icon attached to it, and so do the OTL and MBAM icons for that matter. It made me suspicious, so I dug out the flash drive I was using the other day which had CF on it, no security icon attached, and tried running it from there. It's now on stage 5, which makes me think there is something preventing CF from running off the desktop. I will post the CF scan as soon as it is done.


#32 Mom2four (Topic Starter)

Posted 11 March 2010 - 02:37 PM

Here is the CF log. As CF completed, my desktop is clear of all icons and there are no Windows prompts. Should I restart?


ComboFix 10-03-11.02 - John Cornelisen 03/11/2010 13:13:02.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2045.961 [GMT -6:00]
Running from: K:\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
/wow section - STAGE 1

/wow section - STAGE 41


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\data\Data\Users\Lesley\AP\_DESKTOP.INI
c:\data\Data\Users\Lesley\User Manual\_DESKTOP.INI
c:\data\Data\Users\Lesley\Win98 Driver\_DESKTOP.INI
c:\programdata\Microsoft\Windows\Start Menu\Programs\Security Tool.lnk
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\Downloaded Program Files\CpnMgr.dll
c:\windows\jestertb.dll
J:\AUTORUN.INF
j:\data\Data\Users\Lesley\AP\_DESKTOP.INI
j:\data\Data\Users\Lesley\User Manual\_DESKTOP.INI
j:\data\Data\Users\Lesley\Win98 Driver\_DESKTOP.INI

.
((((((((((((((((((((((((( Files Created from 2010-02-11 to 2010-03-11 )))))))))))))))))))))))))))))))
.

2010-03-11 19:27 . 2010-03-11 19:28 -------- d-----w- c:\users\John Cornelisen\AppData\Local\temp
2010-03-11 19:27 . 2010-03-11 19:27 -------- d-----w- c:\users\little ones\AppData\Local\temp
2010-03-11 19:27 . 2010-03-11 19:27 -------- d-----w- c:\users\Lesley Cornelisen\AppData\Local\temp
2010-03-11 19:27 . 2010-03-11 19:27 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-03-11 19:27 . 2010-03-11 19:27 -------- d-----w- c:\users\cscontrol\AppData\Local\temp
2010-03-11 19:27 . 2010-03-11 19:27 -------- d-----w- c:\users\boys\AppData\Local\temp
2010-03-11 19:27 . 2010-03-11 19:27 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2010-03-11 19:11 . 2010-03-11 19:11 -------- d-----w- C:\32788R22FWJFW
2010-03-11 17:27 . 2010-02-03 09:00 84912 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100311.002\NAVENG.SYS
2010-03-11 17:27 . 2010-02-03 09:00 1324720 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100311.002\NAVEX15.SYS
2010-03-11 17:27 . 2010-01-27 01:43 177520 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100311.002\NAVENG32.DLL
2010-03-11 17:27 . 2010-01-27 01:43 1647984 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100311.002\NAVEX32A.DLL
2010-03-11 17:27 . 2010-01-27 01:43 371248 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100311.002\EECTRL.SYS
2010-03-11 17:27 . 2010-01-27 01:43 2747440 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100311.002\CCERASER.DLL
2010-03-11 17:27 . 2010-01-27 01:43 259440 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100311.002\ECMSVR32.DLL
2010-03-11 17:27 . 2010-01-27 01:43 102448 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100311.002\ERASER.SYS
2010-03-10 22:46 . 2010-03-10 22:46 5115824 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-10 22:46 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-10 22:46 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-10 20:12 . 2009-10-28 22:37 343088 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100310.001\IDSvix86.sys
2010-03-10 20:12 . 2009-10-28 22:37 329592 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100310.001\IDSXpx86.sys
2010-03-10 20:12 . 2009-10-28 22:37 811896 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100310.001\Scxpx86.dll
2010-03-10 20:12 . 2009-10-28 22:37 488312 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100310.001\IDSxpx86.dll
2010-03-10 20:12 . 2009-10-28 22:37 466992 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100310.001\IDSviA64.sys
2010-03-10 05:27 . 2010-03-10 05:27 -------- d-----w- c:\program files\ESET
2010-03-10 03:17 . 2010-02-12 23:41 558448 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
2010-03-09 06:17 . 2010-03-09 06:17 -------- d-----w- c:\program files\Microsoft
2010-03-09 06:17 . 2010-03-09 06:17 -------- d-----w- c:\program files\Microsoft Silverlight
2010-03-09 05:46 . 2010-03-09 05:46 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-09 03:33 . 2010-03-10 23:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-09 02:11 . 2010-03-09 02:11 55184 ----a-w- c:\windows\system32\PxSecure.dll
2010-03-09 02:11 . 2010-03-09 02:11 50504 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-03-09 02:11 . 2010-03-09 02:11 30280 ----a-w- c:\windows\system32\drivers\pxscan.sys
2010-03-09 02:11 . 2010-03-11 17:30 -------- d-----w- c:\programdata\PrevxCSI
2010-03-09 02:11 . 2010-03-09 02:11 24368 ----a-w- c:\windows\system32\drivers\pxkbf.sys
2010-03-09 02:11 . 2010-03-09 02:11 -------- d-----w- c:\program files\Prevx
2010-03-08 23:25 . 2009-10-28 22:37 343088 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100305.002\IDSvix86.sys
2010-03-08 23:25 . 2009-10-28 22:37 329592 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100305.002\IDSXpx86.sys
2010-03-08 23:25 . 2009-10-28 22:37 811896 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100305.002\Scxpx86.dll
2010-03-08 23:25 . 2009-10-28 22:37 488312 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100305.002\IDSxpx86.dll
2010-03-08 23:25 . 2009-10-28 22:37 466992 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100305.002\IDSviA64.sys
2010-03-08 23:09 . 2010-03-08 23:09 -------- d-----w- c:\users\little ones\AppData\Local\Symantec
2010-03-08 22:30 . 2010-03-08 22:30 -------- d-----w- c:\users\little ones\AppData\Roaming\Malwarebytes
2010-03-08 13:02 . 2010-03-08 13:02 552 ----a-w- c:\users\little ones\AppData\Local\d3d8caps.dat
2010-03-08 13:01 . 2010-03-08 13:01 680 ----a-w- c:\users\little ones\AppData\Local\d3d9caps.dat
2010-03-07 17:47 . 2010-03-07 17:47 93056 ----a-w- C:\fwlyapow.sys
2010-03-07 13:59 . 2010-03-07 13:59 -------- d-----r- c:\program files\Norton Support
2010-03-05 11:58 . 2010-03-05 11:58 20829680 ----a-w- c:\users\John Cornelisen\AppData\Roaming\Real\Update\setup3.10\rp\RealPlayerSPGold.exe
2010-03-05 11:58 . 2010-03-05 11:58 8405312 ----a-w- c:\users\John Cornelisen\AppData\Roaming\Real\Update\setup3.10\gtb\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
2010-03-05 11:57 . 2010-03-05 11:57 149000 ----a-w- c:\users\John Cornelisen\AppData\Roaming\Real\Update\setup3.10\chr_helper\LaunchHelper.exe
2010-03-05 11:57 . 2010-03-05 11:57 10309448 ----a-w- c:\users\John Cornelisen\AppData\Roaming\Real\Update\setup3.10\chr\ChromeInstaller.exe
2010-03-05 11:57 . 2010-03-05 11:57 283280 ----a-w- c:\users\John Cornelisen\AppData\Roaming\Real\Update\setup3.10\carb\CarboniteSetupLiteRealPreinstaller.exe
2010-03-05 11:57 . 2010-03-05 11:57 181768 ----a-w- c:\users\John Cornelisen\AppData\Roaming\Real\Update\setup3.10\carb\LaunchHelper.exe
2010-03-05 11:57 . 2010-03-05 11:57 79368 ----a-w- c:\users\John Cornelisen\AppData\Roaming\Real\Update\setup3.10\RUP\vista.exe
2010-03-05 11:57 . 2010-03-05 11:57 64000 ----a-w- c:\users\John Cornelisen\AppData\Roaming\Real\Update\setup3.10\RUP\inst_config\gcapi_dll.dll
2010-03-05 11:57 . 2010-03-05 11:57 52288 ----a-w- c:\users\John Cornelisen\AppData\Roaming\Real\Update\setup3.10\RUP\inst_config\gtapi.dll
2010-03-05 11:57 . 2010-03-05 11:57 50688 ----a-w- c:\users\John Cornelisen\AppData\Roaming\Real\Update\setup3.10\RUP\inst_config\fftbapi.dll
2010-03-05 11:57 . 2010-03-05 11:57 49152 ----a-w- c:\users\John Cornelisen\AppData\Roaming\Real\Update\setup3.10\RUP\inst_config\CarboniteCompatibility.dll
2010-03-05 11:57 . 2010-03-05 11:57 118784 ----a-w- c:\users\John Cornelisen\AppData\Roaming\Real\Update\setup3.10\RUP\inst_config\compat.dll
2010-03-05 06:33 . 2010-03-05 06:33 125952 ----a-w- c:\programdata\ParetoLogic\UUS2\Temp\Update.exe
2010-03-05 03:57 . 2010-03-05 03:57 439816 ----a-w- c:\users\John Cornelisen\AppData\Roaming\Real\Update\setup3.10\setup.exe
2010-03-05 03:56 . 2010-03-06 09:15 -------- d-----w- c:\users\John Cornelisen\AppData\Roaming\DriverCure
2010-03-05 03:55 . 2010-03-07 14:13 -------- d-----w- c:\programdata\DriverCure
2010-03-05 03:55 . 2010-03-05 03:55 -------- d-----w- c:\programdata\ParetoLogic
2010-02-28 23:22 . 2010-02-28 23:22 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\IsolatedStorage
2010-02-25 20:07 . 2009-10-28 22:37 811896 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\Scxpx86.dll
2010-02-25 20:07 . 2009-10-28 22:37 343088 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\IDSvix86.sys
2010-02-25 20:07 . 2009-10-28 22:37 329592 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\IDSXpx86.sys
2010-02-25 20:07 . 2009-10-28 22:37 488312 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\IDSxpx86.dll
2010-02-25 20:07 . 2009-10-28 22:37 466992 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\IDSviA64.sys
2010-02-24 02:01 . 2010-02-24 02:01 -------- d-----w- c:\users\boys\AppData\Local\Yahoo
2010-02-23 22:35 . 2010-01-23 09:44 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-23 22:34 . 2010-01-25 12:48 472576 ----a-w- c:\windows\system32\secproc_isv.dll
2010-02-23 22:34 . 2010-01-25 12:48 472064 ----a-w- c:\windows\system32\secproc.dll
2010-02-23 22:34 . 2010-01-25 08:35 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-02-23 22:34 . 2010-01-25 08:35 523776 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-02-23 22:34 . 2010-01-25 08:34 511488 ----a-w- c:\windows\system32\RMActivate.exe
2010-02-23 22:34 . 2010-01-25 08:34 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-02-23 22:34 . 2010-01-25 12:48 151040 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-02-23 22:34 . 2010-01-25 12:48 151040 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-02-23 22:34 . 2010-01-25 12:45 329216 ----a-w- c:\windows\system32\msdrm.dll
2010-02-23 01:41 . 2010-02-23 01:41 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Google
2010-02-22 02:30 . 2010-02-22 02:31 -------- d-----w- c:\program files\Common Files\Apple
2010-02-22 02:25 . 2010-02-22 02:25 -------- d-----w- c:\users\boys\AppData\Local\Apple
2010-02-13 20:46 . 2010-02-13 20:46 -------- d-----w- c:\program files\Common Files\Scanner
2010-02-13 20:46 . 2010-02-13 20:48 -------- d-----w- c:\program files\CA Yahoo! Anti-Spy
2010-02-11 22:15 . 2010-02-11 22:15 -------- d-----w- c:\programdata\Office Genuine Advantage
2010-02-10 21:01 . 2009-12-08 20:52 3597912 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-10 21:01 . 2009-12-08 20:52 3546200 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-10 21:01 . 2009-12-11 12:07 301568 ----a-w- c:\windows\system32\drivers\srv.sys
2010-02-10 21:01 . 2009-12-11 12:07 98304 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-02-10 21:01 . 2009-12-08 20:52 897624 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-02-10 21:00 . 2009-12-28 12:35 1314816 ----a-w- c:\windows\system32\quartz.dll
2010-02-10 21:00 . 2009-12-28 12:35 11776 ----a-w- c:\windows\system32\tsbyuv.dll
2010-02-10 21:00 . 2009-12-28 12:32 22528 ----a-w- c:\windows\system32\msyuv.dll
2010-02-10 21:00 . 2009-12-28 12:32 31744 ----a-w- c:\windows\system32\msvidc32.dll
2010-02-10 21:00 . 2009-12-28 12:32 13312 ----a-w- c:\windows\system32\msrle32.dll
2010-02-10 21:00 . 2009-12-28 12:31 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2010-02-10 21:00 . 2009-12-28 12:32 123904 ----a-w- c:\windows\system32\msvfw32.dll
2010-02-10 21:00 . 2009-12-28 12:31 82944 ----a-w- c:\windows\system32\mciavi32.dll
2010-02-10 21:00 . 2009-12-28 12:28 65024 ----a-w- c:\windows\system32\avicap32.dll
2010-02-10 21:00 . 2009-12-28 12:28 91136 ----a-w- c:\windows\system32\avifil32.dll
2010-02-10 21:00 . 2009-12-04 16:12 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-02-10 21:00 . 2009-12-04 16:12 105472 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-10 12:32 . 2010-03-08 13:00 680 ----a-w- c:\users\John Cornelisen\AppData\Local\d3d9caps.dat
2010-02-10 12:11 . 2010-02-10 12:11 -------- d-----w- c:\users\John Cornelisen\AppData\Local\Symantec

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-10 06:36 . 2009-12-02 20:22 -------- d-----w- c:\program files\PlaySushi
2010-03-09 05:47 . 2007-01-03 16:08 -------- d-----w- c:\program files\Common Files\Java
2010-03-09 05:45 . 2007-01-03 16:08 -------- d-----w- c:\program files\Java
2010-03-08 13:01 . 2008-02-29 22:31 140888 ----a-w- c:\users\little ones\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-07 15:01 . 2007-01-03 16:23 -------- d-----w- c:\program files\Google
2010-03-07 14:13 . 2010-02-05 22:54 -------- d-----w- c:\program files\Panda Security
2010-03-07 14:13 . 2007-01-27 16:41 -------- d-----w- c:\users\John Cornelisen\AppData\Roaming\Juniper Networks
2010-03-05 05:05 . 2010-01-01 19:16 -------- d-----w- c:\program files\123Movies2PSP 2009
2010-03-01 14:27 . 2010-02-06 02:14 423464 ----a-w- c:\users\John Cornelisen\AppData\Roaming\E-centives\BSTIEPrintCtl1.dll
2010-03-01 14:12 . 2010-02-06 02:14 443944 ----a-w- c:\users\John Cornelisen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\E-centives\UninstallCouponActivator.exe
2010-02-28 23:06 . 2007-02-15 18:44 -------- d-----w- c:\program files\TurboTax
2010-02-25 02:25 . 2007-04-11 23:20 140888 ----a-w- c:\users\John Cornelisen\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-24 15:16 . 2009-10-03 06:14 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 02:26 . 2008-06-18 15:48 -------- d-----w- c:\users\boys\AppData\Roaming\Symantec
2010-02-22 03:59 . 2008-06-18 14:35 -------- d-----w- c:\users\John Cornelisen\AppData\Roaming\Symantec
2010-02-22 02:47 . 2007-04-09 01:38 -------- d-----w- c:\programdata\Microsoft Help
2010-02-11 09:26 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-02-07 10:24 . 2010-01-19 10:03 439816 ----a-w- c:\users\John Cornelisen\AppData\Roaming\Real\Update\setup3.09\setup.exe
2010-02-07 10:24 . 2009-11-19 10:02 439816 ----a-w- c:\users\John Cornelisen\AppData\Roaming\Real\Update\recsetup\setup.exe
2010-02-07 10:24 . 2009-11-19 10:02 118784 ----a-w- c:\users\John Cornelisen\AppData\Roaming\Real\Update\recsetup\install.dll
2010-02-06 02:14 . 2010-02-06 02:14 -------- d-----w- c:\users\John Cornelisen\AppData\Roaming\E-centives
2010-02-06 00:03 . 2010-02-06 00:03 -------- d-----w- c:\users\John Cornelisen\AppData\Roaming\Malwarebytes
2010-02-06 00:03 . 2010-02-06 00:03 -------- d-----w- c:\programdata\Malwarebytes
2010-01-30 18:43 . 2008-11-26 21:01 -------- d-----w- c:\program files\Coupons
2010-01-27 19:39 . 2007-01-03 16:20 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-01-27 19:34 . 2010-01-27 19:20 -------- d-----w- c:\programdata\Norton
2010-01-27 19:33 . 2010-01-27 19:32 -------- d-----w- c:\program files\Symantec
2010-01-27 19:32 . 2010-01-27 19:33 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-01-27 19:32 . 2010-01-27 19:33 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-01-27 19:32 . 2010-01-27 19:33 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-01-27 19:32 . 2010-01-27 19:33 25648 ----a-r- c:\windows\system32\drivers\SymIMV.sys
2010-01-27 19:32 . 2010-01-27 19:33 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-01-27 19:32 . 2010-01-27 19:32 1291104 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\SyKnAppS.dll
2010-01-27 19:32 . 2010-01-27 19:32 136840 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\patch25.dll
2010-01-27 19:32 . 2010-01-27 19:33 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2010-01-27 19:32 . 2010-01-27 19:32 771440 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\CLT\cltLMSx.dll
2010-01-27 19:32 . 2010-01-27 19:31 -------- d-----w- c:\program files\Norton 360
2010-01-27 19:31 . 2010-01-27 19:19 -------- d-----w- c:\programdata\NortonInstaller
2010-01-27 19:28 . 2008-06-18 14:42 -------- d-----w- c:\programdata\Symantec
2010-01-27 19:21 . 2010-01-27 19:21 -------- d-----w- c:\programdata\PCSettings
2010-01-27 19:19 . 2010-01-27 19:19 -------- d-----w- c:\program files\NortonInstaller
2010-01-27 19:19 . 2010-01-27 19:17 82952744 ----a-w- c:\programdata\Symantec Temporary Files\N360S300EN.exe
2010-01-27 19:17 . 2008-06-18 14:31 -------- d-----w- c:\programdata\Symantec Temporary Files
2010-01-27 18:19 . 2007-01-18 03:30 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-27 18:19 . 2007-01-18 03:30 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-01-25 19:35 . 2009-01-22 18:07 -------- d-----w- c:\program files\Quicken
2010-01-25 19:33 . 2010-01-25 19:33 6725632 ----a-w- c:\programdata\Intuit\Quicken\Inet\Common\patch\Update\181625-18178.dll
2010-01-25 19:31 . 2010-01-25 19:31 2904064 ----a-w- c:\programdata\Intuit\Quicken\Inet\Common\patch\Update\18154-181625.dll
2010-01-25 19:31 . 2010-01-25 19:31 1536000 ----a-w- c:\programdata\Intuit\Quicken\Inet\Common\patch\Update\181414-18154.dll
2010-01-25 19:31 . 2009-01-22 18:10 245760 ----a-w- c:\programdata\Intuit\Quicken\Inet\Common\patch\Update\QWPATCH.EXE
2010-01-02 06:38 . 2010-02-22 02:45 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-02-22 02:45 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32 . 2010-02-22 02:45 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57 . 2010-02-22 02:45 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2007-01-05 20:20 . 2007-01-05 20:20 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
2006-11-02 12:34 . 2006-11-02 12:34 397312 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.0.6000.16386_none_ef216b8c52ca2227\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-09-26 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-01-08 185896]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMIDI"="MIDIDEF.EXE" [2007-03-05 28672]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
forteManager.lnk - c:\program files\LG Soft India\forteManager\bin\Monitor.exe [2009-11-29 1687552]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
NaturalColorLoad.lnk - c:\program files\SEC\Natural Color\NaturalColorLoad.exe [2007-1-7 155715]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=""
"FirewallOverride"=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-23 135664]
R3 LGDDCDevice;LGDDCDevice;c:\program files\LG Soft India\forteManager\bin\I2CDriver.sys [2008-12-12 14336]
R3 LGII2CDevice;LGII2CDevice;c:\program files\LG Soft India\forteManager\bin\PII2CDriver.sys [2008-12-12 18432]
R3 OlyUsbCam;OLYMPUS USB Camera;c:\windows\system32\DRIVERS\OlyUsbCam.sys [2007-01-12 21952]
R3 SNL320XP;SONIX MULTIMEDIA USB DEVICE DRIVER;c:\windows\system32\DRIVERS\9kdUSBXP.sys [2006-12-28 16000]
R3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2006-11-02 987648]
R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS [2006-11-02 251904]
S0 amacpi;Microsoft Away Mode System;c:\windows\system32\DRIVERS\null.sys [2008-01-19 4608]
S0 pxscan;pxscan;c:\windows\System32\drivers\pxscan.sys [2010-03-09 30280]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SYMEFA.SYS [2010-01-27 310320]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\Drivers\N360\0308000.029\BHDrvx86.sys [2010-01-27 259632]
S1 ccHP;Symantec Hash Provider;c:\windows\System32\Drivers\N360\0308000.029\ccHPx86.sys [2010-01-27 482432]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20100310.001\IDSvix86.sys [2009-10-28 343088]
S2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [2010-03-09 6300592]
S2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\Memeo\AutoBackup\MemeoBackgroundService.exe [2008-11-07 25824]
S2 N360;Norton 360;c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe [2010-01-27 117640]
S2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [2010-03-09 50504]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-01-27 102448]
S3 IntelDH;IntelDH Driver;c:\windows\system32\Drivers\IntelDH.sys [2007-04-12 5504]
S3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [2010-03-09 24368]
S3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\Drivers\N360\0308000.029\SYMNDISV.SYS [2010-01-27 48688]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - HP_PORT_RESOLVER
*NewlyCreated* - KLMD21
*Deregistered* - HP Port Resolver
*Deregistered* - klmd21

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder

2010-03-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-23 01:41]

2010-03-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-23 01:41]

2010-03-11 c:\windows\Tasks\User_Feed_Synchronization-{49FDB5C0-6CFA-4CB2-A424-DFC6F3D68E67}.job
- c:\windows\system32\msfeedssync.exe [2010-02-22 04:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://m.www.yahoo.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Trusted Zone: intuit.com\ttlc
DPF: {00140000-B1BA-11CE-ABC6-F5B2E79D9E3F} - file:///E:/LTOCX14N.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D0523BB4-21E7-11DD-9AB7-415B56D89593} - (no file)
AddRemove-Playsushi - c:\program files\PlaySushi\psuninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-11 13:28
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DRM\clsid\{3da165b6-cc41-11d2-bdc6-00c04f79ec6b}\ProgID]
@Denied: (A) (Everyone)
@="{CB7435BA-CF76-403B-93DF-BE847070A327}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DRM\clsid\{3da165b6-cc41-11d2-bdc6-00c04f79ec6b}\Version]
@Denied: (A) (Everyone)
@="{CB7435BA-CF76-403B-93DF-BE847070A327}"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-03-11 13:33:08
ComboFix-quarantined-files.txt 2010-03-11 19:33

Pre-Run: 124,292,194,304 bytes free
Post-Run: 124,258,004,992 bytes free

- - End Of File - - 30B681BF7E44A9BABE3B762F3AE7C368


#33 thewall (Malware Response Team)

Posted 11 March 2010 - 02:49 PM

Yes, reboot and let me know if they come back. They should.
If I have helped you then please consider donating so I can continue the fight against malware.
All donations go directly to the helper.

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you.

#34 Mom2four (Topic Starter)

Posted 11 March 2010 - 03:29 PM

Actually I didn't need to reboot; I just did Ctrl+Alt+Del and then logged back into my user. I can restart if needed, but all is back up on the desktop without restarting.


Next?

#35 thewall (Malware Response Team)

Posted 11 March 2010 - 03:45 PM

Good news there. By the way, that was good thinking on how you went about running CF.

Question: It looks like K: is your flash drive. What is the J: drive?

The reason I ask is that you can look at the deletions in the ComboFix log and see there were infections on it, just like on the C: drive, and I am wondering what the drive is.


I also need you to upload a file for me to check. Most sites say it is OK and part of Prevx, but Prevx says it's a rootkit, and since you stated you had some issues with similar files in post #3 I want to take a look.

  • Submit file sample
  • Open to the Submission Channel.
  • Under Link to topic where this file was requested, input: http://www.bleepingcomputer.com/forums/topic300947-30.html
  • Click Browse and select the c:\windows\system32\drivers\pxkbf.sys
  • Under the comments section, say that thewall asked for the submission.
  • Then select Send File to send it
  • After that you should get a confirmation if it was uploaded successfully.
Let me know when you have uploaded the log.





#36 Mom2four (Topic Starter)

Posted 11 March 2010 - 04:00 PM

I have sent the submission as you requested. The K drive was the flash drive; we have a D-Link multi USB port hooked up, and the J drive is an external hard drive used to back up the system and pictures, for the most part.

#37 thewall (Malware Response Team)

Posted 11 March 2010 - 04:32 PM

The file checked out OK. Seems you had some infected files on your external drive which were the same as the ones on your C: drive.

There is something we need to script out which is showing up. Let's do this and then give me an overview of how your computer is running now.



Special ComboFix script made for this computer only

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs, including TeaTimer if you have it, so they do not interfere with the running of ComboFix. Instructions for doing so are located here.

3. Open notepad and copy/paste the text in the quotebox below into it:

    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    uInternet Settings,ProxyOverride =


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.




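As an added example (not code from the thread, from ComboFix or from thewall), the Python below does mechanically what thewall did by reading the log: it groups the Other Deletions entries by drive letter, which is how he spotted that the external J: drive was hit as well as C:, and it flags a browser proxy pointed back at the local machine, the entry his CFScript clears. The log excerpt is constructed from lines quoted earlier in the thread; the section-header patterns and the root autorun.inf check are my assumptions about the format, not something the thread states.

```python
"""Added triage helper for a ComboFix log (not part of ComboFix or of this thread).
Reproduces two checks the helper made by eye: which drives the "Other Deletions" section
touched (the external J: as well as C:), and whether the Supplementary Scan shows the
browser proxied through the local machine, the entry the CFScript clears.
"""
import re
from collections import defaultdict

# Constructed excerpt of the thread's log: just enough lines to exercise both checks.
SAMPLE_LOG = r"""((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\programdata\Microsoft\Windows\Start Menu\Programs\Security Tool.lnk
c:\windows\jestertb.dll
J:\AUTORUN.INF
j:\data\Data\Users\Lesley\AP\_DESKTOP.INI
.
------- Supplementary Scan -------
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
"""

# Assumed header shapes, taken from the log above: "((( Name )))" and "------- Name -------".
PAREN_HEADER_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")
DASH_HEADER_RE = re.compile(r"^-{3,}\s*(.+?)\s*-{3,}$")
DRIVE_PATH_RE = re.compile(r"^([A-Za-z]):\\(.*)$")
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(.+)$")

def split_sections(log_text):
    """Map each section name to its non-empty body lines; a lone '.' is a separator."""
    sections = defaultdict(list)
    current = "header"
    for raw in log_text.splitlines():
        line = raw.strip()
        m = PAREN_HEADER_RE.match(line) or DASH_HEADER_RE.match(line)
        if m:
            current = m.group(1)
        elif line and line != ".":
            sections[current].append(line)
    return sections

def deletions_by_drive(sections):
    """Group deleted paths by upper-cased drive letter (the log mixes 'c:' and 'J:')."""
    by_drive = defaultdict(list)
    for line in sections.get("Other Deletions", []):
        m = DRIVE_PATH_RE.match(line)
        if m:
            by_drive[m.group(1).upper()].append(m.group(2))
    return dict(by_drive)

def non_system_drive_findings(by_drive, system_drive="C"):
    """Deletions on drives other than the system drive (external media in this thread),
    noting a root-level autorun.inf, the file that lets an infection ride along on USB media."""
    findings = []
    for drive, paths in sorted(by_drive.items()):
        if drive != system_drive:
            findings.append({"drive": drive, "deleted": len(paths),
                             "root_autorun_inf": any(p.lower() == "autorun.inf" for p in paths)})
    return findings

def parse_proxy_server(value):
    """Parse a WinINet ProxyServer string: 'host:port' for all protocols, or
    'proto=host:port;proto=host:port'. Returns {proto: (host, port)}."""
    proxies = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        proto, hostport = part.split("=", 1) if "=" in part else ("all", part)
        host, sep, port = hostport.rpartition(":")
        if not sep:
            host, port = hostport, ""
        proxies[proto.lower()] = (host, port)
    return proxies

def loopback_proxy_findings(sections):
    """Proxy entries that send the browser back to this machine: legitimate only when software
    the user knows about listens there, otherwise whatever owns that port sees every web request."""
    findings = []
    for line in sections.get("Supplementary Scan", []):
        m = PROXY_RE.match(line)
        if not m:
            continue
        for proto, (host, port) in parse_proxy_server(m.group(1)).items():
            if host.lower() == "localhost" or host.startswith("127."):
                findings.append({"proto": proto, "host": host, "port": port, "line": line})
    return findings

def triage(log_text):
    """Run both checks and return a plain dict a helper could quote in a reply."""
    sections = split_sections(log_text)
    by_drive = deletions_by_drive(sections)
    return {"drives_with_deletions": sorted(by_drive),
            "non_system_drives": non_system_drive_findings(by_drive),
            "loopback_proxy": loopback_proxy_findings(sections)}
```

triage(SAMPLE_LOG) reports deletions on C: and J:, with J: including a root autorun.inf, and one loopback proxy entry (http, 127.0.0.1, port 5555).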

#38 Mom2four

Mom2four
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:04:17 PM

Posted 11 March 2010 - 06:04 PM

It took me multiple attempts to get it to run, and I needed to download a new CF because the one I used before, which was on my flash drive, had the Windows security shield embedded on the CF icon.

I would not be surprised if the external drive is infected with something. I also suspect there is something linked up with the Windows updater. But here is the log from the new run. I am also going to attach a copy of my desktop screen so you can have a visual about what I am seeing.


ComboFix 10-03-11.02 - John Cornelisen 03/11/2010 16:35:02.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2045.865 [GMT -6:00]
Running from: K:\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
/wow section - STAGE 1


((((((((((((((((((((((((( Files Created from 2010-02-11 to 2010-03-11 )))))))))))))))))))))))))))))))
.

2010-03-11 22:44 . 2010-03-11 22:44 -------- d-----w- c:\users\John Cornelisen\AppData\Local\temp
2010-03-11 22:44 . 2010-03-11 22:44 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2010-03-11 22:44 . 2010-03-11 22:44 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-03-11 22:44 . 2010-03-11 22:44 -------- d-----w- c:\users\little ones\AppData\Local\temp
2010-03-11 22:44 . 2010-03-11 22:44 -------- d-----w- c:\users\Lesley Cornelisen\AppData\Local\temp
2010-03-11 22:44 . 2010-03-11 22:44 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-03-11 22:44 . 2010-03-11 22:44 -------- d-----w- c:\users\cscontrol\AppData\Local\temp
2010-03-11 22:44 . 2010-03-11 22:44 -------- d-----w- c:\users\boys\AppData\Local\temp
2010-03-11 22:44 . 2010-03-11 22:44 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2010-03-11 22:33 . 2010-03-11 22:34 -------- d-----w- C:\32788R22FWJFW
2010-03-11 17:27 . 2010-02-03 09:00 84912 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100311.002\NAVENG.SYS
2010-03-11 17:27 . 2010-02-03 09:00 1324720 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100311.002\NAVEX15.SYS
2010-03-11 17:27 . 2010-01-27 01:43 177520 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100311.002\NAVENG32.DLL
2010-03-11 17:27 . 2010-01-27 01:43 1647984 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100311.002\NAVEX32A.DLL
2010-03-11 17:27 . 2010-01-27 01:43 371248 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100311.002\EECTRL.SYS
2010-03-11 17:27 . 2010-01-27 01:43 2747440 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100311.002\CCERASER.DLL
2010-03-11 17:27 . 2010-01-27 01:43 259440 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100311.002\ECMSVR32.DLL
2010-03-11 17:27 . 2010-01-27 01:43 102448 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100311.002\ERASER.SYS
2010-03-10 22:46 . 2010-03-10 22:46 5115824 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-10 22:46 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-10 22:46 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-10 20:12 . 2009-10-28 22:37 343088 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100310.001\IDSvix86.sys
2010-03-10 20:12 . 2009-10-28 22:37 329592 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100310.001\IDSXpx86.sys
2010-03-10 20:12 . 2009-10-28 22:37 811896 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100310.001\Scxpx86.dll
2010-03-10 20:12 . 2009-10-28 22:37 488312 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100310.001\IDSxpx86.dll
2010-03-10 20:12 . 2009-10-28 22:37 466992 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100310.001\IDSviA64.sys
2010-03-10 05:27 . 2010-03-10 05:27 -------- d-----w- c:\program files\ESET
2010-03-10 03:17 . 2010-02-12 23:41 558448 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
2010-03-09 06:17 . 2010-03-09 06:17 -------- d-----w- c:\program files\Microsoft
2010-03-09 06:17 . 2010-03-09 06:17 -------- d-----w- c:\program files\Microsoft Silverlight
2010-03-09 05:46 . 2010-03-09 05:46 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-09 03:33 . 2010-03-10 23:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-09 02:11 . 2010-03-09 02:11 55184 ----a-w- c:\windows\system32\PxSecure.dll
2010-03-09 02:11 . 2010-03-09 02:11 50504 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-03-09 02:11 . 2010-03-09 02:11 30280 ----a-w- c:\windows\system32\drivers\pxscan.sys
2010-03-09 02:11 . 2010-03-11 21:01 -------- d-----w- c:\programdata\PrevxCSI
2010-03-09 02:11 . 2010-03-09 02:11 24368 ----a-w- c:\windows\system32\drivers\pxkbf.sys
2010-03-09 02:11 . 2010-03-09 02:11 -------- d-----w- c:\program files\Prevx
2010-03-08 23:25 . 2009-10-28 22:37 343088 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100305.002\IDSvix86.sys
2010-03-08 23:25 . 2009-10-28 22:37 329592 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100305.002\IDSXpx86.sys
2010-03-08 23:25 . 2009-10-28 22:37 811896 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100305.002\Scxpx86.dll
2010-03-08 23:25 . 2009-10-28 22:37 488312 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100305.002\IDSxpx86.dll
2010-03-08 23:25 . 2009-10-28 22:37 466992 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100305.002\IDSviA64.sys
2010-03-08 23:09 . 2010-03-08 23:09 -------- d-----w- c:\users\little ones\AppData\Local\Symantec
2010-03-08 22:30 . 2010-03-08 22:30 -------- d-----w- c:\users\little ones\AppData\Roaming\Malwarebytes
2010-03-08 13:02 . 2010-03-08 13:02 552 ----a-w- c:\users\little ones\AppData\Local\d3d8caps.dat
2010-03-08 13:01 . 2010-03-08 13:01 680 ----a-w- c:\users\little ones\AppData\Local\d3d9caps.dat
2010-03-07 17:47 . 2010-03-07 17:47 93056 ----a-w- C:\fwlyapow.sys
2010-03-07 13:59 . 2010-03-07 13:59 -------- d-----r- c:\program files\Norton Support
2010-03-05 11:58 . 2010-03-05 11:58 20829680 ----a-w- c:\users\John Cornelisen\AppData\Roaming\Real\Update\setup3.10\rp\RealPlayerSPGold.exe
2010-03-05 11:58 . 2010-03-05 11:58 8405312 ----a-w- c:\users\John Cornelisen\AppData\Roaming\Real\Update\setup3.10\gtb\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
2010-03-05 11:57 . 2010-03-05 11:57 149000 ----a-w- c:\users\John Cornelisen\AppData\Roaming\Real\Update\setup3.10\chr_helper\LaunchHelper.exe
2010-03-05 11:57 . 2010-03-05 11:57 10309448 ----a-w- c:\users\John Cornelisen\AppData\Roaming\Real\Update\setup3.10\chr\ChromeInstaller.exe
2010-03-05 11:57 . 2010-03-05 11:57 283280 ----a-w- c:\users\John Cornelisen\AppData\Roaming\Real\Update\setup3.10\carb\CarboniteSetupLiteRealPreinstaller.exe
2010-03-05 11:57 . 2010-03-05 11:57 181768 ----a-w- c:\users\John Cornelisen\AppData\Roaming\Real\Update\setup3.10\carb\LaunchHelper.exe
2010-03-05 11:57 . 2010-03-05 11:57 79368 ----a-w- c:\users\John Cornelisen\AppData\Roaming\Real\Update\setup3.10\RUP\vista.exe
2010-03-05 11:57 . 2010-03-05 11:57 64000 ----a-w- c:\users\John Cornelisen\AppData\Roaming\Real\Update\setup3.10\RUP\inst_config\gcapi_dll.dll
2010-03-05 11:57 . 2010-03-05 11:57 52288 ----a-w- c:\users\John Cornelisen\AppData\Roaming\Real\Update\setup3.10\RUP\inst_config\gtapi.dll
2010-03-05 11:57 . 2010-03-05 11:57 50688 ----a-w- c:\users\John Cornelisen\AppData\Roaming\Real\Update\setup3.10\RUP\inst_config\fftbapi.dll
2010-03-05 11:57 . 2010-03-05 11:57 49152 ----a-w- c:\users\John Cornelisen\AppData\Roaming\Real\Update\setup3.10\RUP\inst_config\CarboniteCompatibility.dll
2010-03-05 11:57 . 2010-03-05 11:57 118784 ----a-w- c:\users\John Cornelisen\AppData\Roaming\Real\Update\setup3.10\RUP\inst_config\compat.dll
2010-03-05 06:33 . 2010-03-05 06:33 125952 ----a-w- c:\programdata\ParetoLogic\UUS2\Temp\Update.exe
2010-03-05 03:57 . 2010-03-05 03:57 439816 ----a-w- c:\users\John Cornelisen\AppData\Roaming\Real\Update\setup3.10\setup.exe
2010-03-05 03:56 . 2010-03-06 09:15 -------- d-----w- c:\users\John Cornelisen\AppData\Roaming\DriverCure
2010-03-05 03:55 . 2010-03-07 14:13 -------- d-----w- c:\programdata\DriverCure
2010-03-05 03:55 . 2010-03-05 03:55 -------- d-----w- c:\programdata\ParetoLogic
2010-02-28 23:22 . 2010-02-28 23:22 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\IsolatedStorage
2010-02-25 20:07 . 2009-10-28 22:37 811896 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\Scxpx86.dll
2010-02-25 20:07 . 2009-10-28 22:37 343088 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\IDSvix86.sys
2010-02-25 20:07 . 2009-10-28 22:37 329592 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\IDSXpx86.sys
2010-02-25 20:07 . 2009-10-28 22:37 488312 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\IDSxpx86.dll
2010-02-25 20:07 . 2009-10-28 22:37 466992 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\IDSviA64.sys
2010-02-24 02:01 . 2010-02-24 02:01 -------- d-----w- c:\users\boys\AppData\Local\Yahoo
2010-02-23 22:35 . 2010-01-23 09:44 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-23 22:34 . 2010-01-25 12:48 472576 ----a-w- c:\windows\system32\secproc_isv.dll
2010-02-23 22:34 . 2010-01-25 12:48 472064 ----a-w- c:\windows\system32\secproc.dll
2010-02-23 22:34 . 2010-01-25 08:35 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-02-23 22:34 . 2010-01-25 08:35 523776 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-02-23 22:34 . 2010-01-25 08:34 511488 ----a-w- c:\windows\system32\RMActivate.exe
2010-02-23 22:34 . 2010-01-25 08:34 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-02-23 22:34 . 2010-01-25 12:48 151040 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-02-23 22:34 . 2010-01-25 12:48 151040 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-02-23 22:34 . 2010-01-25 12:45 329216 ----a-w- c:\windows\system32\msdrm.dll
2010-02-23 01:41 . 2010-02-23 01:41 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Google
2010-02-22 02:30 . 2010-02-22 02:31 -------- d-----w- c:\program files\Common Files\Apple
2010-02-22 02:25 . 2010-02-22 02:25 -------- d-----w- c:\users\boys\AppData\Local\Apple
2010-02-13 20:46 . 2010-02-13 20:46 -------- d-----w- c:\program files\Common Files\Scanner
2010-02-13 20:46 . 2010-02-13 20:48 -------- d-----w- c:\program files\CA Yahoo! Anti-Spy
2010-02-11 22:15 . 2010-02-11 22:15 -------- d-----w- c:\programdata\Office Genuine Advantage
2010-02-10 21:01 . 2009-12-08 20:52 3597912 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-10 21:01 . 2009-12-08 20:52 3546200 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-10 21:01 . 2009-12-11 12:07 301568 ----a-w- c:\windows\system32\drivers\srv.sys
2010-02-10 21:01 . 2009-12-11 12:07 98304 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-02-10 21:01 . 2009-12-08 20:52 897624 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-02-10 21:00 . 2009-12-28 12:35 1314816 ----a-w- c:\windows\system32\quartz.dll
2010-02-10 21:00 . 2009-12-28 12:35 11776 ----a-w- c:\windows\system32\tsbyuv.dll
2010-02-10 21:00 . 2009-12-28 12:32 22528 ----a-w- c:\windows\system32\msyuv.dll
2010-02-10 21:00 . 2009-12-28 12:32 31744 ----a-w- c:\windows\system32\msvidc32.dll
2010-02-10 21:00 . 2009-12-28 12:32 13312 ----a-w- c:\windows\system32\msrle32.dll
2010-02-10 21:00 . 2009-12-28 12:31 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2010-02-10 21:00 . 2009-12-28 12:32 123904 ----a-w- c:\windows\system32\msvfw32.dll
2010-02-10 21:00 . 2009-12-28 12:31 82944 ----a-w- c:\windows\system32\mciavi32.dll
2010-02-10 21:00 . 2009-12-28 12:28 65024 ----a-w- c:\windows\system32\avicap32.dll
2010-02-10 21:00 . 2009-12-28 12:28 91136 ----a-w- c:\windows\system32\avifil32.dll
2010-02-10 21:00 . 2009-12-04 16:12 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-02-10 21:00 . 2009-12-04 16:12 105472 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-10 12:32 . 2010-03-08 13:00 680 ----a-w- c:\users\John Cornelisen\AppData\Local\d3d9caps.dat
2010-02-10 12:11 . 2010-02-10 12:11 -------- d-----w- c:\users\John Cornelisen\AppData\Local\Symantec

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-10 06:36 . 2009-12-02 20:22 -------- d-----w- c:\program files\PlaySushi
2010-03-09 05:47 . 2007-01-03 16:08 -------- d-----w- c:\program files\Common Files\Java
2010-03-09 05:45 . 2007-01-03 16:08 -------- d-----w- c:\program files\Java
2010-03-08 13:01 . 2008-02-29 22:31 140888 ----a-w- c:\users\little ones\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-07 15:01 . 2007-01-03 16:23 -------- d-----w- c:\program files\Google
2010-03-07 14:13 . 2010-02-05 22:54 -------- d-----w- c:\program files\Panda Security
2010-03-07 14:13 . 2007-01-27 16:41 -------- d-----w- c:\users\John Cornelisen\AppData\Roaming\Juniper Networks
2010-03-05 05:05 . 2010-01-01 19:16 -------- d-----w- c:\program files\123Movies2PSP 2009
2010-03-01 14:27 . 2010-02-06 02:14 423464 ----a-w- c:\users\John Cornelisen\AppData\Roaming\E-centives\BSTIEPrintCtl1.dll
2010-03-01 14:12 . 2010-02-06 02:14 443944 ----a-w- c:\users\John Cornelisen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\E-centives\UninstallCouponActivator.exe
2010-02-28 23:06 . 2007-02-15 18:44 -------- d-----w- c:\program files\TurboTax
2010-02-25 02:25 . 2007-04-11 23:20 140888 ----a-w- c:\users\John Cornelisen\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-24 15:16 . 2009-10-03 06:14 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 02:26 . 2008-06-18 15:48 -------- d-----w- c:\users\boys\AppData\Roaming\Symantec
2010-02-22 03:59 . 2008-06-18 14:35 -------- d-----w- c:\users\John Cornelisen\AppData\Roaming\Symantec
2010-02-22 02:47 . 2007-04-09 01:38 -------- d-----w- c:\programdata\Microsoft Help
2010-02-11 09:26 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-02-07 10:24 . 2010-01-19 10:03 439816 ----a-w- c:\users\John Cornelisen\AppData\Roaming\Real\Update\setup3.09\setup.exe
2010-02-07 10:24 . 2009-11-19 10:02 439816 ----a-w- c:\users\John Cornelisen\AppData\Roaming\Real\Update\recsetup\setup.exe
2010-02-07 10:24 . 2009-11-19 10:02 118784 ----a-w- c:\users\John Cornelisen\AppData\Roaming\Real\Update\recsetup\install.dll
2010-02-06 02:14 . 2010-02-06 02:14 -------- d-----w- c:\users\John Cornelisen\AppData\Roaming\E-centives
2010-02-06 00:03 . 2010-02-06 00:03 -------- d-----w- c:\users\John Cornelisen\AppData\Roaming\Malwarebytes
2010-02-06 00:03 . 2010-02-06 00:03 -------- d-----w- c:\programdata\Malwarebytes
2010-01-30 18:43 . 2008-11-26 21:01 -------- d-----w- c:\program files\Coupons
2010-01-27 19:39 . 2007-01-03 16:20 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-01-27 19:34 . 2010-01-27 19:20 -------- d-----w- c:\programdata\Norton
2010-01-27 19:33 . 2010-01-27 19:32 -------- d-----w- c:\program files\Symantec
2010-01-27 19:32 . 2010-01-27 19:33 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-01-27 19:32 . 2010-01-27 19:33 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-01-27 19:32 . 2010-01-27 19:33 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-01-27 19:32 . 2010-01-27 19:33 25648 ----a-r- c:\windows\system32\drivers\SymIMV.sys
2010-01-27 19:32 . 2010-01-27 19:33 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-01-27 19:32 . 2010-01-27 19:32 1291104 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\SyKnAppS.dll
2010-01-27 19:32 . 2010-01-27 19:32 136840 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\patch25.dll
2010-01-27 19:32 . 2010-01-27 19:33 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2010-01-27 19:32 . 2010-01-27 19:32 771440 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\CLT\cltLMSx.dll
2010-01-27 19:32 . 2010-01-27 19:31 -------- d-----w- c:\program files\Norton 360
2010-01-27 19:31 . 2010-01-27 19:19 -------- d-----w- c:\programdata\NortonInstaller
2010-01-27 19:28 . 2008-06-18 14:42 -------- d-----w- c:\programdata\Symantec
2010-01-27 19:21 . 2010-01-27 19:21 -------- d-----w- c:\programdata\PCSettings
2010-01-27 19:19 . 2010-01-27 19:19 -------- d-----w- c:\program files\NortonInstaller
2010-01-27 19:19 . 2010-01-27 19:17 82952744 ----a-w- c:\programdata\Symantec Temporary Files\N360S300EN.exe
2010-01-27 19:17 . 2008-06-18 14:31 -------- d-----w- c:\programdata\Symantec Temporary Files
2010-01-27 18:19 . 2007-01-18 03:30 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-27 18:19 . 2007-01-18 03:30 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-01-25 19:35 . 2009-01-22 18:07 -------- d-----w- c:\program files\Quicken
2010-01-25 19:33 . 2010-01-25 19:33 6725632 ----a-w- c:\programdata\Intuit\Quicken\Inet\Common\patch\Update\181625-18178.dll
2010-01-25 19:31 . 2010-01-25 19:31 2904064 ----a-w- c:\programdata\Intuit\Quicken\Inet\Common\patch\Update\18154-181625.dll
2010-01-25 19:31 . 2010-01-25 19:31 1536000 ----a-w- c:\programdata\Intuit\Quicken\Inet\Common\patch\Update\181414-18154.dll
2010-01-25 19:31 . 2009-01-22 18:10 245760 ----a-w- c:\programdata\Intuit\Quicken\Inet\Common\patch\Update\QWPATCH.EXE
2010-01-02 06:38 . 2010-02-22 02:45 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-02-22 02:45 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32 . 2010-02-22 02:45 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57 . 2010-02-22 02:45 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2007-01-05 20:20 . 2007-01-05 20:20 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
2006-11-02 12:34 . 2006-11-02 12:34 397312 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.0.6000.16386_none_ef216b8c52ca2227\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-09-26 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-01-08 185896]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMIDI"="MIDIDEF.EXE" [2007-03-05 28672]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
forteManager.lnk - c:\program files\LG Soft India\forteManager\bin\Monitor.exe [2009-11-29 1687552]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
NaturalColorLoad.lnk - c:\program files\SEC\Natural Color\NaturalColorLoad.exe [2007-1-7 155715]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=""
"FirewallOverride"=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-23 135664]
R3 LGDDCDevice;LGDDCDevice;c:\program files\LG Soft India\forteManager\bin\I2CDriver.sys [2008-12-12 14336]
R3 LGII2CDevice;LGII2CDevice;c:\program files\LG Soft India\forteManager\bin\PII2CDriver.sys [2008-12-12 18432]
R3 OlyUsbCam;OLYMPUS USB Camera;c:\windows\system32\DRIVERS\OlyUsbCam.sys [2007-01-12 21952]
R3 SNL320XP;SONIX MULTIMEDIA USB DEVICE DRIVER;c:\windows\system32\DRIVERS\9kdUSBXP.sys [2006-12-28 16000]
R3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2006-11-02 987648]
R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS [2006-11-02 251904]
S0 amacpi;Microsoft Away Mode System;c:\windows\system32\DRIVERS\null.sys [2008-01-19 4608]
S0 pxscan;pxscan;c:\windows\System32\drivers\pxscan.sys [2010-03-09 30280]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SYMEFA.SYS [2010-01-27 310320]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\Drivers\N360\0308000.029\BHDrvx86.sys [2010-01-27 259632]
S1 ccHP;Symantec Hash Provider;c:\windows\System32\Drivers\N360\0308000.029\ccHPx86.sys [2010-01-27 482432]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20100310.001\IDSvix86.sys [2009-10-28 343088]
S2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [2010-03-09 6300592]
S2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\Memeo\AutoBackup\MemeoBackgroundService.exe [2008-11-07 25824]
S2 N360;Norton 360;c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe [2010-01-27 117640]
S2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [2010-03-09 50504]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-01-27 102448]
S3 IntelDH;IntelDH Driver;c:\windows\system32\Drivers\IntelDH.sys [2007-04-12 5504]
S3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [2010-03-09 24368]
S3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\Drivers\N360\0308000.029\SYMNDISV.SYS [2010-01-27 48688]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - HP_PORT_RESOLVER
*NewlyCreated* - KLMD21
*Deregistered* - HP Port Resolver
*Deregistered* - klmd21

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder

2010-03-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-23 01:41]

2010-03-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-23 01:41]

2010-03-11 c:\windows\Tasks\User_Feed_Synchronization-{49FDB5C0-6CFA-4CB2-A424-DFC6F3D68E67}.job
- c:\windows\system32\msfeedssync.exe [2010-02-22 04:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://m.www.yahoo.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Trusted Zone: intuit.com\ttlc
DPF: {00140000-B1BA-11CE-ABC6-F5B2E79D9E3F} - file:///E:/LTOCX14N.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-11 16:44
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DRM\clsid\{3da165b6-cc41-11d2-bdc6-00c04f79ec6b}\ProgID]
@Denied: (A) (Everyone)
@="{CB7435BA-CF76-403B-93DF-BE847070A327}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DRM\clsid\{3da165b6-cc41-11d2-bdc6-00c04f79ec6b}\Version]
@Denied: (A) (Everyone)
@="{CB7435BA-CF76-403B-93DF-BE847070A327}"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(7056)
c:\windows\System32\SyncCenter.dll
.
Completion time: 2010-03-11 16:48:24
ComboFix-quarantined-files.txt 2010-03-11 22:48
ComboFix2.txt 2010-03-11 19:33

Pre-Run: 124,306,407,424 bytes free
Post-Run: 124,251,848,704 bytes free

- - End Of File - - B72E7980BA1A33B2861B44EB7D953842

Attached Files


Edited by Mom2four, 11 March 2010 - 06:17 PM.


#39 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:06:17 PM

Posted 11 March 2010 - 08:39 PM

It appears our script didn't work. Did you save it to your flash drive and try dragging it into CF from there?

#40 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:06:17 PM

Posted 11 March 2010 - 10:32 PM

Just in case you try running CF again, I would like you to try the instructions below for disabling Windows Defender. It's not that I don't believe you did it before, but it concerns me that the CF log is still showing it as enabled.


Windows Defender

Please disable your Windows Defender Real-time Protection
  • Launch Windows Defender, right click on the System Tray icon, select Open.
  • Click on Tools>Options.
  • Scroll down and uncheck "Use real-time protection (recommended)".
  • Scroll down further, and uncheck "Use Windows Defender"
  • After you uncheck these, click on the Save button, approve the UAC prompt, and close Windows Defender.


#41 Mom2four

Mom2four
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:04:17 PM

Posted 11 March 2010 - 11:37 PM

I did drag the script into CF and opened it all from the flash drive. The directions you listed for disabling Windows Defender are what I have done, as well as for Norton's anti-virus and spyware and Prevx. The only thing left up was the firewall. I also disabled User Account Control before running the CF. I can get a clean drive and try it all again.

#42 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:06:17 PM

Posted 12 March 2010 - 12:15 AM

As I stated, I wasn't doubting what you said, but for some reason it is still showing as being enabled, so I needed to check. We know something is interfering with it and I am trying to figure out what it can be.

Maybe you can try once more to load it onto your Desktop and run it from there. When you do, put the following script in; the added directive may help us:


QUOTE
KillAll::
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>

Edited by thewall, 12 March 2010 - 12:16 AM.

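The CFScript given in posts #37 and #42 tells ComboFix to remove the per-user WinINet proxy entry that keeps showing up in the log's Supplementary Scan section as "uInternet Settings,ProxyServer = http=127.0.0.1:5555", which is how a rogue anti-virus such as Vista Guardian routes every Internet Explorer page load through itself. As an added example that is not part of the thread and not ComboFix's own code, the PowerShell below audits the same registry values for every loaded user hive (the current user and the other profiles listed in the log), checks whether anything is currently listening on the loopback port the proxy points at, and clears the entries when run with -Fix. It assumes an elevated PowerShell session on the affected machine and that no local filtering proxy was installed on purpose; the function name Test-ProxyHijack is chosen here and is not a built-in cmdlet.

```powershell
# Added example, not from the thread: audit (and with -Fix, clear) the
# per-user WinINet proxy values that ComboFix reports as
# "uInternet Settings,ProxyServer = http=127.0.0.1:5555".
# Assumes an elevated session; Test-ProxyHijack is a name chosen for this example.

param([switch]$Fix)

function Test-ProxyHijack {
    param([string]$Path, [switch]$Fix)
    if (-not (Test-Path $Path)) { return $false }
    $p = Get-ItemProperty -Path $Path

    Write-Host "`n$Path"
    Write-Host "  ProxyEnable   : $($p.ProxyEnable)"
    Write-Host "  ProxyServer   : $($p.ProxyServer)"
    Write-Host "  ProxyOverride : $($p.ProxyOverride)"
    Write-Host "  AutoConfigURL : $($p.AutoConfigURL)"

    $suspicious = $false

    # A proxy on the loopback adapter is only legitimate if a local filtering
    # proxy was installed deliberately; rogue AV uses it to intercept every page.
    # ProxyServer may be "host:port" or "http=host:port;https=host:port".
    if ($p.ProxyServer -and $p.ProxyServer -match '(^|=|;)(127\.0\.0\.1|localhost):(\d+)') {
        $port = [int]$Matches[3]
        Write-Warning "  loopback proxy configured on port $port"
        # Is a process bound to that port right now? (-o adds the owning PID)
        $listeners = netstat -ano -p tcp |
            Select-String "127\.0\.0\.1:$port\s+\S+\s+LISTENING\s+(\d+)"
        if ($listeners) {
            $listeners | ForEach-Object { Write-Warning "  listener: $($_.Line.Trim())" }
        } else {
            Write-Warning "  nothing listening now; browsing fails until the value is removed"
        }
        $suspicious = $true
    }
    # A PAC URL achieves the same hijack without ProxyServer being set at all.
    if ($p.AutoConfigURL) {
        Write-Warning "  AutoConfigURL set: $($p.AutoConfigURL)"
        $suspicious = $true
    }

    if ($suspicious -and $Fix) {
        foreach ($name in 'ProxyServer', 'ProxyOverride', 'AutoConfigURL') {
            Remove-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue
        }
        Set-ItemProperty -Path $Path -Name ProxyEnable -Value 0 -Type DWord
        Write-Host "  cleared."
    }
    return $suspicious
}

# Every loaded user hive under HKEY_USERS (accounts that have logged on since
# boot); this covers the current user plus the other profiles on the machine.
$sub   = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$hives = Get-ChildItem Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' }

$hits = 0
foreach ($h in $hives) {
    if (Test-ProxyHijack -Path "Registry::HKEY_USERS\$($h.PSChildName)\$sub" -Fix:$Fix) { $hits++ }
}
Write-Host "`n$hits user hive(s) with suspicious proxy settings."
```

Run it once without -Fix to see which profiles carry the entry and whether a process is still bound to the port (the PID at the end of the netstat line tells you which one); run it again with -Fix only after the process behind the port has been dealt with, otherwise the malware simply writes the value back, which is consistent with the proxy line reappearing in the second ComboFix log above.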

#43 Mom2four

Mom2four
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:04:17 PM

Posted 12 March 2010 - 01:12 PM

I attempted to load the script in the CF file on the desktop but received an error.

!!ALERT!! It is NOT SAFE to continue!

The contents of ComboFix package has been compromised.
Please download a fresh copy from:

www.bleepingcomputer..

Note: you may be infected with file patching virus 'Virut'


I am going to find a new flash drive and download a new CF onto it and try to run it with the new script.



#44 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:06:17 PM

Posted 12 March 2010 - 01:34 PM

If you haven't done so yet just hold up. I have another way of doing this. Let me know if you haven't tried to run it yet.

#45 Mom2four

Mom2four
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:04:17 PM

Posted 12 March 2010 - 01:38 PM

Nope have not yet. I will wait for your instructions



