Norton 360 Blocking HTTP Tidserv Request and other attacks


  • This topic is locked
18 replies to this topic

#1 Bobski7

  • Members
  • 9 posts

Posted 18 March 2010 - 08:12 AM

I seem to be part of an ever-growing community of people with this problem.

Description of Problem:

I can't recall an action that triggered this problem, but last week I started to receive messages from Norton 360 such as "An intrusion attempt by (various) was blocked. Application path \Device\HardDisk Volume1\windows\system32\SVCHOST.exe". The threats associated with these messages include:

HTTP Tidserv Request
HTTPS Tidserv Request

In addition, I've had some Trojans that have been quarantined, with notification that the risk has been Fully Removed. Yesterday I started to get the following reports from Norton (detected by SONAR):

"miua.tmp.exe modified your system configuration", followed by a second entry that miua.tmp.exe has been Quarantined with the risk Fully Removed. Note that I also got similar messages with names like "miu9.tmp.exe" and "miu11.tmp.exe".

In addition, I've also received a few (perhaps 3 or 4) messages over the last week of "Congratulations you have won...". Two of these messages referred to the website I was visiting at the time, e.g. Optimum Online.

I also noticed a slowing down of my internet sessions which I guess can be attributed to a number of things.

Finally, I have run scans with Norton 360 and SpyBot and did not find anything.

Here is my DDS.txt:


DDS (Ver_10-03-17.01) - NTFSx86
Run by HP_Administrator at 21:13:24.07 on Wed 03/17/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.332 [GMT -4:00]

AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\TiVo\Desktop\TiVoServer.exe
C:\Program Files\TiVo\Desktop\TiVoTransfer.exe
C:\Program Files\TiVo\Desktop\TiVoNotify.exe
C:\Program Files\TiVo\Desktop\Plus\TranscodingService.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Internet Explorer Plugin: {3f7df0a5-ee85-4f8d-bf0d-9a6579e54f66} - zzir.dll
BHO: Internet Explorer Plugin: {51771a02-f117-4917-a014-02db9095f856} - uaihv27.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\3.8.0.41\IPSBHO.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [TivoServer] c:\program files\tivo\desktop\TiVoServer.exe /service /registry /auto:TivoServer
uRun: [TivoTransfer] c:\program files\tivo\desktop\TiVoTransfer.exe
uRun: [TivoNotify] c:\program files\tivo\desktop\TiVoNotify.exe /service /registry /auto:TivoNotify
uRun: [TranscodingService] c:\program files\tivo\desktop\plus\\TranscodingService.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [nwiz] nwiz.exe /install
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\hp_adm~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\hp_adm~1\startm~1\programs\startup\norton~1.lnk - c:\program files\common files\symantec shared\npc\2.0\uiStub2.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
Trusted Zone: trymedia.com
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {428A9DEF-F057-402B-9F2D-A5887F4544ED} - hxxp://download.microsoft.com/download/f/0/2/f02b515c-7076-4cee-bc08-fd6fea594578/VirtualEarth3D.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\3.8.0.41\CoIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {11522865-037B-4E24-99D6-B43A3782302F} - rundll32 uaihv27.dll,laspi
mASetup: {1DFC0CB0-CE09-4E94-BD01-91C2E9D2A7CA} - rundll32 zzir.dll,laspi
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308000.029\SymEFA.sys [2010-2-2 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0308000.029\BHDrvx86.sys [2010-2-2 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0308000.029\cchpx86.sys [2010-2-2 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100312.001\IDSXpx86.sys [2010-3-15 329592]
R2 BCMNTIO;BCMNTIO;c:\progra~1\checkit\diagno~1\BCMNTIO.sys [2007-2-16 3744]
R2 MAPMEM;MAPMEM;c:\progra~1\checkit\diagno~1\MAPMEM.sys [2007-2-16 3904]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 N360;Norton 360;c:\program files\norton 360\engine\3.8.0.41\ccSvcHst.exe [2010-2-2 117640]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-11-13 92008]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-11-16 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-26 102448]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100316.003\NAVENG.SYS [2010-3-16 84912]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100316.003\NAVEX15.SYS [2010-3-16 1324720]
S3 CyUsbNT;Cypress Manufacturing Driver;c:\windows\system32\drivers\CyUsbNT.sys [2005-2-16 28800]
S3 EraserUtilDrvI7;EraserUtilDrvI7;\??\c:\program files\common files\symantec shared\eengine\eraserutildrvi7.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilDrvI7.sys [?]
S4 TivoBeacon2;TiVo Beacon Service;c:\program files\tivo\desktop\TiVoBeacon.exe [2009-11-2 1098968]

=============== Created Last 30 ================

2010-03-18 01:06:18 0 ----a-w- c:\documents and settings\hp_administrator\defogger_reenable
2010-03-15 16:11:29 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-10 11:27:24 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-03-05 17:31:24 47104 ----a-w- c:\windows\system32\zzir.dll
2010-03-05 17:23:46 73216 ----a-w- c:\windows\system32\klgd.bmp
2010-03-05 17:23:46 47104 ----a-w- c:\windows\system32\oxia7.dll
2010-03-05 17:23:46 14652 ----a-w- c:\windows\system32\srgzl
2010-03-05 14:42:31 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-03 04:38:34 73216 ----a-w- c:\windows\system32\infkc.bmp
2010-03-03 04:38:34 47104 ----a-w- c:\windows\system32\uaihv27.dll
2010-03-03 04:38:34 14773 ----a-w- c:\windows\system32\tyr
2010-03-01 00:31:48 0 d-----w- C:\Temp
2010-03-01 00:00:37 98816 ----a-w- c:\windows\sed.exe
2010-03-01 00:00:37 77312 ----a-w- c:\windows\MBR.exe
2010-03-01 00:00:37 261632 ----a-w- c:\windows\PEV.exe
2010-03-01 00:00:37 161792 ----a-w- c:\windows\SWREG.exe

==================== Find3M ====================

2010-01-26 02:03:21 120680 ----a-w- c:\docume~1\hp_adm~1\applic~1\GDIPFONTCACHEV1.DAT
2010-01-05 01:44:51 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys
2009-12-21 13:19:18 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2006-11-22 18:17:31 565248 --sha-w- c:\program files\ehthumbs.db
2006-05-07 17:47:03 251 ----a-w- c:\program files\wt3d.ini
2006-09-02 03:09:36 22 --sha-w- c:\windows\sminst\HPCD.sys
2008-09-04 12:34:58 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090420080905\index.dat

============= FINISH: 21:14:55.96 ===============
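The DDS report above is what the responders read by eye: two BHOs registered by bare filename (zzir.dll, uaihv27.dll), matching Active Setup entries that load the same DLLs through rundll32, both DLLs appearing in system32 in the "Created Last 30" section, and a hosts-file entry pointing a security site at loopback. The following Python script is an added example, not part of this thread and not a DDS or ComboFix tool; it parses a constructed sample made of a handful of those lines and reports why each item stands out. The line shapes it assumes (BHO:, mASetup:, Hosts:, and the Created Last 30 format) are inferred from the report above rather than from DDS documentation.

```python
import re
from collections import defaultdict

# Constructed sample input: a few lines copied from the DDS report in the
# first post (BHO, mASetup, Hosts and "Created Last 30" entries), not the
# full log. The section header format is assumed from that report.
SAMPLE_DDS = r"""
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Internet Explorer Plugin: {3f7df0a5-ee85-4f8d-bf0d-9a6579e54f66} - zzir.dll
BHO: Internet Explorer Plugin: {51771a02-f117-4917-a014-02db9095f856} - uaihv27.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll
mASetup: {11522865-037B-4E24-99D6-B43A3782302F} - rundll32 uaihv27.dll,laspi
mASetup: {1DFC0CB0-CE09-4E94-BD01-91C2E9D2A7CA} - rundll32 zzir.dll,laspi
Hosts: 127.0.0.1 www.spywareinfo.com

=============== Created Last 30 ================

2010-03-05 17:31:24 47104 ----a-w- c:\windows\system32\zzir.dll
2010-03-05 17:23:46 47104 ----a-w- c:\windows\system32\oxia7.dll
2010-03-05 14:42:31 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-03 04:38:34 47104 ----a-w- c:\windows\system32\uaihv27.dll

==================== Find3M ====================
"""

BHO_RE = re.compile(r"^BHO: (?P<name>.*?): \{(?P<clsid>[0-9a-fA-F-]+)\} - (?P<path>.+)$")
ASETUP_RE = re.compile(r"^mASetup: \{(?P<clsid>[0-9a-fA-F-]+)\} - (?P<cmd>.+)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+) (?P<host>\S+)$")
CREATED_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<size>\d+) (?P<attr>\S+) (?P<path>.+)$")
HEADER_RE = re.compile(r"^=+ (?P<title>.+?) =+$")


def basename(path):
    """Last component of a Windows path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_dds(text):
    """Split a DDS report into the record types this triage looks at."""
    bhos, asetups, hosts, created = [], [], [], []
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        h = HEADER_RE.match(line)
        if h:
            section = h.group("title").strip()
            continue
        if section and section.startswith("Created Last"):
            m = CREATED_RE.match(line)
            if m:
                created.append(m.groupdict())
            continue
        for regex, bucket in ((BHO_RE, bhos), (ASETUP_RE, asetups), (HOSTS_RE, hosts)):
            m = regex.match(line)
            if m:
                bucket.append(m.groupdict())
                break
    return bhos, asetups, hosts, created


def triage(text):
    """Return {subject: [reasons]} for entries worth a second look."""
    bhos, asetups, hosts, created = parse_dds(text)
    findings = defaultdict(list)

    # DLLs that showed up in system32 within the report's 30-day window.
    recent_sys32 = {}
    for c in created:
        p = c["path"].lower()
        if "\\windows\\system32\\" in p and p.endswith(".dll"):
            recent_sys32[basename(p)] = c["ts"]

    for b in bhos:
        name = basename(b["path"])
        if "\\" not in b["path"]:
            findings[name].append("BHO registered by bare filename (resolved via the DLL search path, not a fixed install location)")
        if name in recent_sys32:
            findings[name].append(f"BHO DLL appeared in system32 on {recent_sys32[name]} (Created Last 30)")

    bho_names = {basename(b["path"]) for b in bhos}
    for a in asetups:
        m = re.match(r"rundll32(?:\.exe)?\s+(\S+?)(?:,(\S+))?$", a["cmd"], re.I)
        if not m:
            continue
        dll, export = basename(m.group(1)), m.group(2)
        if dll in bho_names or dll in recent_sys32:
            findings[dll].append(f"Active Setup {a['clsid']} also loads it via rundll32 (export {export}): a second persistence path for the same DLL")

    for h in hosts:
        if h["ip"].startswith("127.") and h["host"].lower() != "localhost":
            findings[h["host"].lower()].append(f"hosts file maps {h['host']} to loopback, blocking access to that site")
    return dict(findings)


if __name__ == "__main__":
    for subject, reasons in sorted(triage(SAMPLE_DDS).items()):
        print(subject)
        for reason in reasons:
            print("   -", reason)
```

The script deliberately stays with correlation rather than signatures: none of the three checks needs to know the DLL names in advance, which is the point when the names are random per infection. Running it on the sample flags exactly zzir.dll and uaihv27.dll (three reasons each) and the hosts entry, and leaves the Adobe and Symantec BHOs alone.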
#2 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 18 March 2010 - 10:30 AM

Hello.

It appears you're infected with the TDL3 infection.

Unfortunately, one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you wish to continue, please follow the instructions below...

Download and Run Combofix

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page for instructions on doing so.

Please include the C:\ComboFix.txt in your next reply for further review.

Then we will proceed from there. Any problems, please let me know.
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

#3 Bobski7

  • Topic Starter
  • Members
  • 9 posts

Posted 18 March 2010 - 02:36 PM

Thank you Extremeboy,

I may decide to re-install, but for now I have run ComboFix. I see that a number of items were deleted. Here is the log:

ComboFix 10-03-17.07 - HP_Administrator 03/18/2010 15:07:25.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.635 [GMT -4:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Adobe\sp.DLL
c:\windows\system32\ide.txt
c:\windows\system32\lrg.txt
c:\windows\system32\qks.txt
c:\windows\system32\xef.txt
K:\Autorun.inf

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SPService


((((((((((((((((((((((((( Files Created from 2010-02-18 to 2010-03-18 )))))))))))))))))))))))))))))))
.

2010-03-16 02:00 . 2010-03-16 02:00 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-03-15 16:11 . 2010-03-16 20:57 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-10 11:27 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-03-05 17:31 . 2010-03-05 17:31 47104 ----a-w- c:\windows\system32\zzir.dll
2010-03-05 17:23 . 2010-03-05 17:23 47104 ----a-w- c:\windows\system32\oxia7.dll
2010-03-05 14:42 . 2009-12-17 22:14 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-03 04:38 . 2010-03-03 04:38 47104 ----a-w- c:\windows\system32\uaihv27.dll
2010-03-01 00:31 . 2010-03-01 00:31 -------- d-----w- C:\Temp
2010-02-21 07:19 . 2010-02-21 07:19 -------- d-----w- c:\documents and settings\HelpAssistant\viewone
2010-02-21 07:19 . 2010-02-21 07:19 -------- d-----w- c:\documents and settings\HelpAssistant\UserData
2010-02-21 07:19 . 2010-02-21 07:19 -------- d-----w- c:\documents and settings\HelpAssistant\RVI
2010-02-21 07:18 . 2010-02-21 07:18 -------- d-----w- c:\documents and settings\HelpAssistant\PrivacIE
2010-02-21 07:04 . 2010-02-21 07:04 -------- d-----w- c:\documents and settings\HelpAssistant\Library
2010-02-21 07:04 . 2010-02-21 07:04 -------- d-----w- c:\documents and settings\HelpAssistant\InstallAnywhere
2010-02-21 07:04 . 2010-02-21 07:04 -------- d-----w- c:\documents and settings\HelpAssistant\IETldCache
2010-02-21 07:04 . 2010-02-21 07:04 -------- d-----w- c:\documents and settings\HelpAssistant\IECompatCache
2010-02-20 21:33 . 2010-02-20 21:33 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
2010-02-20 19:49 . 2010-02-20 19:49 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-02-20 15:17 . 2010-02-20 15:19 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-12 01:00 . 2010-03-05 00:50 439816 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Real\Update\setup3.10\setup.exe
2010-03-05 21:09 . 2009-05-15 05:13 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-03-05 14:45 . 2010-03-05 14:45 503808 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-60b7ad4f-n\msvcp71.dll
2010-03-05 14:45 . 2010-03-05 14:45 499712 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-60b7ad4f-n\jmc.dll
2010-03-05 14:45 . 2010-03-05 14:45 348160 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-60b7ad4f-n\msvcr71.dll
2010-03-05 14:45 . 2010-03-05 14:45 61440 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4fd224da-n\decora-sse.dll
2010-03-05 14:45 . 2010-03-05 14:45 12800 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4fd224da-n\decora-d3d.dll
2010-03-05 14:45 . 2006-02-20 22:50 -------- d-----w- c:\program files\Common Files\Java
2010-03-05 14:45 . 2006-02-20 22:50 -------- d-----w- c:\program files\Java
2010-03-05 14:41 . 2010-03-05 14:41 152576 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-03-05 14:41 . 2010-03-05 14:41 79488 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-21 06:49 . 2007-11-21 04:57 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-02-20 18:33 . 2009-08-23 12:10 -------- d-----w- c:\program files\Symantec
2010-02-19 13:02 . 2010-01-03 18:52 -------- d-----w- c:\program files\Bonjour
2010-02-19 05:09 . 2006-02-20 23:20 -------- d-----w- c:\program files\MSN Encarta Standard
2010-02-12 22:41 . 2010-03-18 19:15 558448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
2010-02-03 09:00 . 2010-03-18 11:53 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100317.051\NAVENG.SYS
2010-02-03 09:00 . 2010-03-18 11:53 1324720 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100317.051\NAVEX15.SYS
2010-01-20 10:49 . 2009-03-21 00:41 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-05 01:44 . 2003-02-21 12:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-01-05 01:41 . 2010-01-05 01:41 402952 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Real\RealPlayer\setup\AU_setup11.exe
2009-12-31 16:50 . 2004-08-09 21:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-29 21:33 . 2006-02-20 23:20 120680 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-25 11:51 . 2009-12-25 11:51 292878 ----a-r- c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{A212E6C2-20F7-4A8E-BD8E-DC3EE7483FA2}\ARPPRODUCTICON.exe
2009-12-21 19:14 . 2004-08-09 21:00 916480 ------w- c:\windows\system32\wininet.dll
2006-11-22 18:17 . 2006-11-22 18:17 565248 --sha-w- c:\program files\ehthumbs.db
2006-05-07 17:47 . 2006-05-07 17:47 251 ----a-w- c:\program files\wt3d.ini
2006-09-02 03:09 . 2006-09-02 03:09 22 --sha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3F7DF0A5-EE85-4F8D-BF0D-9A6579E54F66}]
2010-03-05 17:31 47104 ----a-w- c:\windows\system32\zzir.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
"TivoServer"="c:\program files\TiVo\Desktop\TiVoServer.exe" [2009-11-02 2195160]
"TivoTransfer"="c:\program files\TiVo\Desktop\TiVoTransfer.exe" [2009-11-02 604888]
"TivoNotify"="c:\program files\TiVo\Desktop\TiVoNotify.exe" [2009-11-02 430808]
"TranscodingService"="c:\program files\TiVo\Desktop\Plus\\TranscodingService.exe" [2009-11-02 856280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2006-05-10 1519616]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2008-10-24 206112]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2008-10-24 79136]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-10 7311360]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-25 16855552]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-05-10 86016]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-07-08 236016]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-01-05 198160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-2-20 27136]

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\HP Rhapsody\\rhapsody.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3187:TCP"= 3187:TCP:Services
"3389:TCP"= 3389:TCP:*:Disabled:Remote Desktop

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SymEFA.sys [2/2/2010 4:58 AM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0308000.029\BHDrvx86.sys [2/2/2010 4:58 AM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0308000.029\cchpx86.sys [2/2/2010 4:58 AM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100312.001\IDSXpx86.sys [3/15/2010 2:34 AM 329592]
R2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [2/16/2007 11:58 PM 3744]
R2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [2/16/2007 11:58 PM 3904]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe [2/2/2010 4:58 AM 117640]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [11/13/2009 7:31 AM 92008]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [11/16/2008 3:27 PM 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/26/2009 4:00 AM 102448]
S3 CyUsbNT;Cypress Manufacturing Driver;c:\windows\system32\drivers\CyUsbNT.sys [2/16/2005 8:43 AM 28800]
S3 EraserUtilDrvI7;EraserUtilDrvI7;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI7.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI7.sys [?]
S4 TivoBeacon2;TiVo Beacon Service;c:\program files\TiVo\Desktop\TiVoBeacon.exe [11/2/2009 2:17 PM 1098968]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{11522865-037B-4E24-99D6-B43A3782302F}]
2010-03-03 04:38 47104 ----a-w- c:\windows\system32\uaihv27.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{1DFC0CB0-CE09-4E94-BD01-91C2E9D2A7CA}]
2010-03-05 17:31 47104 ----a-w- c:\windows\system32\zzir.dll
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
Trusted Zone: trymedia.com
.
- - - - ORPHANS REMOVED - - - -

BHO-{51771A02-F117-4917-A014-02DB9095F856} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-18 15:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2812758596-1037099363-3728107167-1008\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3324)
c:\windows\system32\WININET.dll
c:\windows\system32\nview.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\progra~1\WINDOW~1\wmpband.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\arservice.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\RTHDCPL.EXE
c:\program files\TiVo\Desktop\Plus\TranscodingService.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\system32\dllhost.exe
c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
c:\program files\HP\HP Software Update\HPWuSchd2.exe
c:\program files\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe
c:\program files\TomTom HOME 2\TomTomHOMERunner.exe
.
**************************************************************************
.
Completion time: 2010-03-18 15:21:59 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-18 19:21
ComboFix2.txt 2010-03-01 00:23

Pre-Run: 196,284,997,632 bytes free
Post-Run: 196,277,805,056 bytes free

- - End Of File - - B35B6265127D07DCEC1FF2838C239B62

One question: is my risk less if I do not store passwords on the PC? For example, if I use online banking and have to enter my ID and password each time, am I just as vulnerable?

#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:01:56 PM

Posted 19 March 2010 - 11:36 AM

Combofix fixed the infected file and removed a few more bad entries.

QUOTE
One question: is my risk less if I do not store passwords on the PC? For example, if I use online banking and have to enter my ID and password each time, am I just as vulnerable?

You're just as vulnerable, as you entered them during the time the infection was active.

Let's get a Malwarebytes scan + a new DDS scan.

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#5 Bobski7

Bobski7
  • Topic Starter

  • Members
  • 9 posts
  • Local time:01:56 PM

Posted 19 March 2010 - 01:28 PM

Extremeboy,

Thanks again. The PC is working fine and I am not getting the messages from Norton 360 (Intrusion Blocked etc.). On a full system scan done after I ran ComboFix, Norton did come back with a notice of "Tidser!inf", said that I had to clear it manually, and reported it was found at C:\qoobox\quarantine\C\windows\system32\drivers\atapi.vir

Do I need to do anything regarding the Norton message?

Here is the Malwarebytes:

Malwarebytes' Anti-Malware 1.44
Database version: 3885
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/19/2010 2:05:19 PM
mbam-log-2010-03-19 (14-05-19).txt

Scan type: Quick Scan
Objects scanned: 146337
Time elapsed: 5 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

DDS logs are attached.

Let me know what's next.

Thanks again


#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:01:56 PM

Posted 19 March 2010 - 02:06 PM

Hello again.

QUOTE
Do I need to do anything regarding the Norton message?

No, that's what Combofix quarantined. It will be gone once we uninstall it when we're done. ;)

Remove these older versions of Java by uninstalling them through Add/Remove.

J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 5
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ SE Runtime Environment 6 Update 1


Let's perform an online scan.

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires that the Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner page.
  • Click on the button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the button, if you made any changes.
  • Now under the Scan section on the left:

    Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,
Extremeboy

#7 Bobski7

Bobski7
  • Topic Starter

  • Members
  • 9 posts
  • Local time:01:56 PM

Posted 20 March 2010 - 02:13 AM

Hi Again,


Removed the old Java and did the Kaspersky scan (5 hours to scan). Here is the K Report (can't believe all this stuff is still hanging around):

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Saturday, March 20, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, March 19, 2010 22:35:33
Records in database: 3818787
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
K:\
L:\

Scan statistics:
Objects scanned: 180558
Threats found: 14
Infected objects found: 31
Suspicious objects found: 0
Scan duration: 05:14:51


File name / Threat / Threats count
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\0\18dc9740-6e6bfea2 Infected: Trojan-Downloader.Java.Agent.ap 3
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\21\30672ad5-50e757bf Infected: Trojan-Downloader.Java.Agent.ax 3
C:\hp\recovery\wizard\fscommand\AppRecoveryLink_ret.exe Infected: Trojan-Spy.Win32.Agent.beaf 1
C:\hp\recovery\wizard\fscommand\CDLogic_ret.exe Infected: Trojan-Spy.Win32.Agent.bdzz 1
C:\hp\recovery\wizard\fscommand\CreatorLink_ret.exe Infected: Trojan-Spy.Win32.Agent.beaf 1
C:\hp\recovery\wizard\fscommand\RecordnowLink_ret.exe Infected: Trojan-Spy.Win32.Agent.beaf 1
C:\hp\recovery\wizard\fscommand\RestoreLink_ret.exe Infected: Trojan-Spy.Win32.Agent.beaf 1
C:\hp\recovery\wizard\fscommand\RTCDLink_ret.exe Infected: Trojan-Spy.Win32.Agent.beaf 1
C:\hp\recovery\wizard\fscommand\RunLink_ret.exe Infected: Trojan-Spy.Win32.Agent.beaf 1
C:\hp\recovery\wizard\fscommand\SysRecoveryLink_ret.exe Infected: Trojan-Spy.Win32.Agent.beaf 1
C:\hp\recovery\wizard\fscommand\WizardLink_ret.exe Infected: Trojan-Spy.Win32.Agent.beaf 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Infected: Rootkit.Win32.Tdss.ai 1
C:\WINDOWS\system32\oxia7.dll Infected: Trojan.Win32.Agent2.cpnq 1
C:\WINDOWS\system32\uaihv27.dll Infected: Trojan.Win32.Agent2.cpnp 1
C:\WINDOWS\system32\zzir.dll Infected: Trojan.Win32.Agent2.cpnq 1
C:\WINDOWS\Web\Wallpaper\welcome\AWhelper.dll Infected: not-a-virus:AdWare.Win32.WebHancer.x 1
K:\Retrospect Backup\Backup copy of Drive C ©\Documents and Settings\rmc\Local Settings\Application Data\Microsoft\Outlook\archive.pst Infected: Virus.MSWord.Marker.cx 3
K:\Retrospect Backup\Backup copy of Drive C ©\Documents and Settings\rmc\Local Settings\Application Data\Microsoft\Outlook\outlook.ost Infected: Email-Worm.Win32.Bagle.ai 1
K:\Retrospect Backup\Backup copy of Drive C ©\Documents and Settings\rmc\Local Settings\Application Data\Microsoft\Sept Outlook\Outlook\2001.pst Infected: Virus.MSWord.Ethan 1
K:\Retrospect Backup\Backup copy of Drive C ©\Documents and Settings\rmc\Local Settings\Application Data\Microsoft\Sept Outlook\Outlook\archive.pst Infected: Virus.MSWord.Marker.cx 3
K:\Move to New PC\My Documents\BS226.exe Infected: not-a-virus:AdWare.Win32.NewDotNet 1
K:\Move to New PC\My Documents\BS226.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bg 1
K:\Move to New PC\My Documents\BS226.exe Infected: not-a-virus:AdWare.Win32.SaveNow.au 1

Selected area has been scanned.

Note that during this process I have the System Restore turned off and have not turned off my PC. When should I turn System Restore back on?

The DDS and Attach logs are attached

The PC seems to be working fine including no warnings from Norton.

Ok, what's next??

Regards

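The Kaspersky report above mixes four very different kinds of hit: files ComboFix already moved into its quarantine (C:\Qoobox\Quarantine), copies sitting on backup drives (K:), adware flagged "not-a-virus", and malware still live under C:\WINDOWS\system32. The following Python script is an added example, not part of the thread or of any Kaspersky or ComboFix tooling; it parses the "File name / Threat / Threats count" lines, sorts each detection into one of those buckets and counts threat families, so a helper can see at a glance what actually needs removal versus what is already neutralised. The sample input is constructed from a subset of the report's own lines.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample: a subset of the Kaspersky Online Scanner 7.0 report posted
# above, in its "File name / Threat / Threats count" format.
SAMPLE_REPORT = r"""
File name / Threat / Threats count
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\0\18dc9740-6e6bfea2 Infected: Trojan-Downloader.Java.Agent.ap 3
C:\hp\recovery\wizard\fscommand\CDLogic_ret.exe Infected: Trojan-Spy.Win32.Agent.bdzz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Infected: Rootkit.Win32.Tdss.ai 1
C:\WINDOWS\system32\oxia7.dll Infected: Trojan.Win32.Agent2.cpnq 1
C:\WINDOWS\system32\zzir.dll Infected: Trojan.Win32.Agent2.cpnq 1
C:\WINDOWS\Web\Wallpaper\welcome\AWhelper.dll Infected: not-a-virus:AdWare.Win32.WebHancer.x 1
K:\Retrospect Backup\Documents and Settings\rmc\Local Settings\Application Data\Microsoft\Outlook\outlook.ost Infected: Email-Worm.Win32.Bagle.ai 1
K:\Move to New PC\My Documents\BS226.exe Infected: not-a-virus:AdWare.Win32.NewDotNet 1
K:\Move to New PC\My Documents\BS226.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bg 1

Selected area has been scanned.
"""

# One detection line: "<drive>:\<path> Infected: <threat name> <count>".
# The path is matched lazily so embedded spaces are kept; " Infected: " is the delimiter.
LINE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?) Infected: (?P<threat>\S+) (?P<count>\d+)$")

# ComboFix's quarantine folder, as named in the thread (compared case-insensitively).
QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\"


@dataclass(frozen=True)
class Detection:
    path: str
    threat: str
    count: int


def parse_report(text):
    """Extract Detection records; header, footer and blank lines are ignored."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found.append(Detection(m["path"], m["threat"], int(m["count"])))
    return found


def classify(det):
    """Bucket a detection by what it means for the running system."""
    p = det.path.lower()
    if p.startswith(QUARANTINE_PREFIX):
        return "quarantined"     # already neutralised by ComboFix; no live copy on disk
    if not p.startswith("c:\\"):
        return "offline_media"   # backup/removable drive: nothing executing, clean up at leisure
    if det.threat.startswith("not-a-virus:"):
        return "riskware"        # adware/PUP on the system drive: remove, but not a compromise
    return "live"                # malware on the system drive: priority for removal and sampling


def triage(text):
    """Group detections into the four buckets above."""
    buckets = defaultdict(list)
    for det in parse_report(text):
        buckets[classify(det)].append(det)
    return dict(buckets)


def family(threat):
    """'not-a-virus:AdWare.Win32.WebHancer.x' -> 'AdWare.Win32' (type and platform)."""
    name = threat.split(":", 1)[-1]
    return ".".join(name.split(".")[:2])


def families(text):
    """Count detections per threat family across the whole report."""
    return Counter(family(det.threat) for det in parse_report(text))


def live_paths(text):
    """Paths that still need action on the system drive, sorted for a removal list."""
    return sorted(det.path for det in triage(text).get("live", []))


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_REPORT).items():
        print(f"{bucket}: {len(items)}")
        for det in items:
            print(f"    {det.threat:45} {det.path}")
    print(dict(families(SAMPLE_REPORT)))
```

Run against a full report, the "live" bucket is the list a helper would feed into a removal script, while the "quarantined" bucket explains hits like atapi.sys.vir that look alarming but are already disarmed.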

#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:01:56 PM

Posted 20 March 2010 - 12:13 PM

Hello.

QUOTE
Removed the old Java and did the Kaspersky scan (5 hours to scan). Here is the K Report (can't believe all this stuff is still hanging around):

No worries, some of them are okay, but thanks for that log; now we need to deal with those and the accompanying entries. I would like to collect those samples.

I do see a few "backup" files that you probably backed up that were detected as bad. I will let you deal with those and delete them. Note that they are considered "not-a-virus", but I would still remove them if not needed/used.

Please continue with the following.

Run ComboFix with CFScript

We will run ComboFix again. This time it will be slightly different from the initial run.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    CODE
    http://www.bleepingcomputer.com/forums/t/303337/norton-360-blocking-http-tidserv-request-and-other-attacks/
    Collect::[68]
    C:\WINDOWS\system32\oxia7.dll
    C:\WINDOWS\system32\uaihv27.dll
    C:\WINDOWS\system32\zzir.dll
    C:\WINDOWS\Web\Wallpaper\welcome\AWhelper.dll
    c:\windows\system32\infkc.bmp
    c:\windows\system32\uaihv27.dll
    c:\windows\system32\tyr
    c:\windows\system32\zzir.dll
    c:\windows\system32\klgd.bmp
    c:\windows\system32\oxia7.dll
    c:\windows\system32\srgzl
    File::
    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\0\18dc9740-6e6bfea2
    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\21\30672ad5-50e757bf
    Registry::
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3f7df0a5-ee85-4f8d-bf0d-9a6579e54f66}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{51771A02-F117-4917-A014-02DB9095F856}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{1DFC0CB0-CE09-4E94-BD01-91C2E9D2A7CA}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{11522865-037B-4E24-99D6-B43A3782302F}]
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
  • Referring to the picture above, drag CFScript into ComboFix.exe.
  • When finished, it shall produce a log for you at "C:\ComboFix.txt"
  • Please post the contents of the Combofix log in your next reply.

Upload Samples by ComboFix

When Combofix finishes running, the ComboFix log will open along with a message box. With the above script, ComboFix captured some files to submit for analysis.
  • Important: Ensure you are connected to the internet before clicking OK on the message box.
  • A blue-screen would appear auto-uploading the zipped file I requested.
  • After the uploading is done you should see a message near the bottom saying "Upload was Succesfull".

**NOTE**
=================
  • IF for some reason Combofix fails to upload anything please do the following:
  • Go to Start >> My Computer > C:\
  • Then Navigate to the C:\Qoobox\Quarantine folder.
  • Find the archive zip file called "[68]-Submit_Date_Time.zip"
  • Simply go to This Channel and upload the submit.zip archive file to me.
  • Follow the instructions on that page to copy/paste/send the requested file.


Let me know how it goes and if the upload went successfully or not in your next reply.


QUOTE
Note that during this process I have the System Restore turned off and have not turned off my PC. When should I turn System Restore back on?

Why? Please turn it on now.

Post the Combofix log once done.

Thanks.

With Regards,
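The CFScript above is a plain-text directive file with a thread URL on its first line and `Name::` sections: the post and the resulting ComboFix log show `Collect::[68]` naming files to zip for submission (the `[68]` reappears in the `[68]-Submit_Date_Time.zip` archive name), `File::` naming files to delete, and `Registry::` holding regedit-style `[-key]` lines for keys to delete. The Python below is an added example, written for this page and not part of ComboFix or the thread: a small parser plus a linter that catches the mistakes that creep into hand-typed scripts, namely duplicate paths (the posted script lists oxia7.dll, uaihv27.dll and zzir.dll twice with different letter case, which is harmless but noisy), relative paths, and registry lines missing the `[-...]` delete syntax. The sample input is constructed from the posted script.

```python
import re
from collections import OrderedDict

# Constructed sample: the CFScript posted above, with two of its four Registry:: lines.
SAMPLE_CFSCRIPT = r"""
http://www.bleepingcomputer.com/forums/t/303337/norton-360-blocking-http-tidserv-request-and-other-attacks/
Collect::[68]
C:\WINDOWS\system32\oxia7.dll
C:\WINDOWS\system32\uaihv27.dll
C:\WINDOWS\system32\zzir.dll
C:\WINDOWS\Web\Wallpaper\welcome\AWhelper.dll
c:\windows\system32\infkc.bmp
c:\windows\system32\uaihv27.dll
c:\windows\system32\tyr
c:\windows\system32\zzir.dll
c:\windows\system32\klgd.bmp
c:\windows\system32\oxia7.dll
c:\windows\system32\srgzl
File::
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\0\18dc9740-6e6bfea2
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\21\30672ad5-50e757bf
Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3f7df0a5-ee85-4f8d-bf0d-9a6579e54f66}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{1DFC0CB0-CE09-4E94-BD01-91C2E9D2A7CA}]
"""

# "Collect::[68]" -> name=Collect, arg=68; "File::" -> name=File, no arg.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z]+)::(?:\[(?P<arg>[^\]]*)\])?$")
# Absolute Windows path: drive letter, colon, backslash.
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")
# regedit-style delete directive: [-HKEY_...\subkey]
REG_DELETE_RE = re.compile(r"^\[-HKEY_[A-Z_]+\\.+\]$")


def parse_cfscript(text):
    """Split a CFScript into its header URL, section arguments and section bodies."""
    url = None
    args = {}
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m["name"]
            sections.setdefault(current, [])
            if m["arg"] is not None:
                args[current] = m["arg"]
            continue
        if current is None:
            # Before the first section only the thread URL is expected.
            if line.lower().startswith("http"):
                url = line
            continue
        sections[current].append(line)
    return {"url": url, "args": args, "sections": sections}


def lint_cfscript(text):
    """Return human-readable findings about a script before it is handed to a user."""
    script = parse_cfscript(text)
    findings = []
    if script["url"] is None:
        findings.append("no thread URL on the first line")
    for name in ("Collect", "File"):
        seen = set()
        for path in script["sections"].get(name, []):
            if not ABS_PATH_RE.match(path):
                findings.append(f"{name}:: relative or malformed path: {path}")
            key = path.lower()          # Windows paths are case-insensitive
            if key in seen:
                findings.append(f"{name}:: duplicate entry (case-insensitive): {path}")
            seen.add(key)
    for entry in script["sections"].get("Registry", []):
        if not REG_DELETE_RE.match(entry):
            findings.append(f"Registry:: expected [-HKEY_...\\key] delete syntax, got: {entry}")
    return findings


if __name__ == "__main__":
    parsed = parse_cfscript(SAMPLE_CFSCRIPT)
    for name, body in parsed["sections"].items():
        print(f"{name}:: {len(body)} entries (arg={parsed['args'].get(name)})")
    for finding in lint_cfscript(SAMPLE_CFSCRIPT):
        print("WARN", finding)
```

Against the posted script the linter reports exactly the three case-variant duplicates and nothing else, which matches the ComboFix log that followed: each file was zipped and deleted once.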

#9 Bobski7

Bobski7
  • Topic Starter

  • Members
  • 9 posts
  • Local time:01:56 PM

Posted 20 March 2010 - 02:02 PM

Hi Again,

The upload was successful.

Here is the Combofix log post:

ComboFix 10-03-19.08 - HP_Administrator 03/20/2010 14:39:43.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.355 [GMT -4:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt
AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

FILE ::
"c:\documents and settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\0\18dc9740-6e6bfea2"
"c:\documents and settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\21\30672ad5-50e757bf"

file zipped: c:\windows\system32\infkc.bmp
file zipped: c:\windows\system32\klgd.bmp
file zipped: c:\windows\system32\oxia7.dll
file zipped: c:\windows\system32\srgzl
file zipped: c:\windows\system32\tyr
file zipped: c:\windows\system32\uaihv27.dll
file zipped: c:\windows\system32\zzir.dll
file zipped: c:\windows\Web\Wallpaper\welcome\AWhelper.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\0\18dc9740-6e6bfea2
c:\documents and settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\21\30672ad5-50e757bf
c:\windows\system32\ide.txt
c:\windows\system32\infkc.bmp
c:\windows\system32\klgd.bmp
c:\windows\system32\lrg.txt
c:\windows\system32\oxia7.dll
c:\windows\system32\qks.txt
c:\windows\system32\srgzl
c:\windows\system32\tyr
c:\windows\system32\uaihv27.dll
c:\windows\system32\xef.txt
c:\windows\system32\zzir.dll
c:\windows\Web\Wallpaper\welcome\AWhelper.dll

.
((((((((((((((((((((((((( Files Created from 2010-02-20 to 2010-03-20 )))))))))))))))))))))))))))))))
.

2010-03-20 06:49 . 2010-02-03 09:00 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100319.041\NAVENG.SYS
2010-03-20 06:49 . 2010-02-03 09:00 1324720 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100319.041\NAVEX15.SYS
2010-03-20 06:49 . 2009-08-25 08:00 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100319.041\NAVENG32.DLL
2010-03-20 06:49 . 2009-08-25 08:00 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100319.041\NAVEX32A.DLL
2010-03-20 06:49 . 2009-12-09 09:00 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100319.041\CCERASER.DLL
2010-03-20 06:49 . 2009-09-22 08:00 259440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100319.041\ECMSVR32.DLL
2010-03-20 06:49 . 2009-08-26 08:00 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100319.041\EECTRL.SYS
2010-03-20 06:49 . 2009-08-26 08:00 102448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100319.041\ERASER.SYS
2010-03-19 17:41 . 2010-03-19 17:41 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2010-03-19 17:41 . 2010-01-07 20:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-19 17:41 . 2010-03-19 17:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-19 17:41 . 2010-01-07 20:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-19 17:41 . 2010-03-19 17:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-19 13:21 . 2010-03-19 13:21 20841968 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Real\Update\setup3.10\rp\RealPlayerSPGold.exe
2010-03-19 13:21 . 2010-03-19 13:21 8405312 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Real\Update\setup3.10\gtb\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
2010-03-19 13:20 . 2010-03-19 13:20 149000 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Real\Update\setup3.10\chr_helper\LaunchHelper.exe
2010-03-19 13:20 . 2010-03-19 13:20 10309448 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Real\Update\setup3.10\chr\ChromeInstaller.exe
2010-03-19 13:20 . 2010-03-19 13:20 283280 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Real\Update\setup3.10\carb\CarboniteSetupLiteRealPreinstaller.exe
2010-03-19 13:20 . 2010-03-19 13:20 181768 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Real\Update\setup3.10\carb\LaunchHelper.exe
2010-03-19 13:20 . 2010-03-19 13:20 79368 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Real\Update\setup3.10\RUP\vista.exe
2010-03-19 13:20 . 2010-03-19 13:20 64000 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Real\Update\setup3.10\RUP\inst_config\gcapi_dll.dll
2010-03-19 13:20 . 2010-03-19 13:20 52288 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Real\Update\setup3.10\RUP\inst_config\gtapi.dll
2010-03-19 13:20 . 2010-03-19 13:20 50688 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Real\Update\setup3.10\RUP\inst_config\fftbapi.dll
2010-03-19 13:20 . 2010-03-19 13:20 49152 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Real\Update\setup3.10\RUP\inst_config\CarboniteCompatibility.dll
2010-03-19 13:20 . 2010-03-19 13:20 118784 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Real\Update\setup3.10\RUP\inst_config\compat.dll
2010-03-18 19:15 . 2010-02-12 22:41 558448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
2010-03-16 02:00 . 2010-03-16 02:00 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-03-15 16:11 . 2010-03-16 20:57 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-15 06:34 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100312.001\IDSvix86.sys
2010-03-15 06:34 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100312.001\IDSXpx86.sys
2010-03-15 06:34 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100312.001\Scxpx86.dll
2010-03-15 06:34 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100312.001\IDSxpx86.dll
2010-03-15 06:34 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100312.001\IDSviA64.sys
2010-03-11 03:32 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100310.001\IDSvix86.sys
2010-03-11 03:32 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100310.001\IDSXpx86.sys
2010-03-11 03:32 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100310.001\Scxpx86.dll
2010-03-11 03:32 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100310.001\IDSxpx86.dll
2010-03-11 03:32 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100310.001\IDSviA64.sys
2010-03-10 11:27 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-03-09 01:21 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100305.002\IDSvix86.sys
2010-03-09 01:21 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100305.002\IDSXpx86.sys
2010-03-09 01:21 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100305.002\Scxpx86.dll
2010-03-09 01:21 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100305.002\IDSxpx86.dll
2010-03-09 01:21 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100305.002\IDSviA64.sys
2010-03-05 14:45 . 2010-03-05 14:45 503808 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-60b7ad4f-n\msvcp71.dll
2010-03-05 14:45 . 2010-03-05 14:45 499712 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-60b7ad4f-n\jmc.dll
2010-03-05 14:45 . 2010-03-05 14:45 348160 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-60b7ad4f-n\msvcr71.dll
2010-03-05 14:45 . 2010-03-05 14:45 61440 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4fd224da-n\decora-sse.dll
2010-03-05 14:45 . 2010-03-05 14:45 12800 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4fd224da-n\decora-d3d.dll
2010-03-05 14:42 . 2009-12-17 22:14 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-05 14:41 . 2010-03-05 14:41 152576 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-03-05 14:41 . 2010-03-05 14:41 79488 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-03-05 00:50 . 2010-03-20 00:11 439816 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Real\Update\setup3.10\setup.exe
2010-03-01 00:31 . 2010-03-01 00:31 -------- d-----w- C:\Temp
2010-02-21 07:19 . 2010-02-21 07:19 -------- d-----w- c:\documents and settings\HelpAssistant\viewone
2010-02-21 07:19 . 2010-02-21 07:19 -------- d-----w- c:\documents and settings\HelpAssistant\UserData
2010-02-21 07:19 . 2010-02-21 07:19 -------- d-----w- c:\documents and settings\HelpAssistant\RVI
2010-02-21 07:18 . 2010-02-21 07:18 -------- d-----w- c:\documents and settings\HelpAssistant\PrivacIE
2010-02-21 07:04 . 2010-02-21 07:04 -------- d-----w- c:\documents and settings\HelpAssistant\Library
2010-02-21 07:04 . 2010-02-21 07:04 -------- d-----w- c:\documents and settings\HelpAssistant\InstallAnywhere
2010-02-21 07:04 . 2010-02-21 07:04 -------- d-----w- c:\documents and settings\HelpAssistant\IETldCache
2010-02-21 07:04 . 2010-02-21 07:04 -------- d-----w- c:\documents and settings\HelpAssistant\IECompatCache
2010-02-20 21:33 . 2010-02-20 21:33 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
2010-02-20 19:49 . 2010-02-20 19:49 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-02-20 15:17 . 2010-02-20 15:19 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-02-19 22:27 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\IDSvix86.sys
2010-02-19 22:27 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\IDSXpx86.sys
2010-02-19 22:27 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\Scxpx86.dll
2010-02-19 22:27 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\IDSxpx86.dll
2010-02-19 22:27 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\IDSviA64.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-20 18:36 . 2009-05-15 05:13 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-03-20 00:21 . 2006-02-20 22:50 -------- d-----w- c:\program files\Common Files\Java
2010-03-05 14:45 . 2006-02-20 22:50 -------- d-----w- c:\program files\Java
2010-02-21 06:49 . 2007-11-21 04:57 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-02-20 18:33 . 2009-08-23 12:10 -------- d-----w- c:\program files\Symantec
2010-02-19 13:02 . 2010-01-03 18:52 -------- d-----w- c:\program files\Bonjour
2010-02-19 05:09 . 2006-02-20 23:20 -------- d-----w- c:\program files\MSN Encarta Standard
2010-01-20 10:49 . 2009-03-21 00:41 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-05 01:44 . 2003-02-21 12:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-01-05 01:41 . 2010-01-05 01:41 402952 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Real\RealPlayer\setup\AU_setup11.exe
2009-12-31 16:50 . 2004-08-09 21:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-29 21:33 . 2006-02-20 23:20 120680 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-25 11:51 . 2009-12-25 11:51 292878 ----a-r- c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{A212E6C2-20F7-4A8E-BD8E-DC3EE7483FA2}\ARPPRODUCTICON.exe
2009-12-21 19:14 . 2004-08-09 21:00 916480 ------w- c:\windows\system32\wininet.dll
2006-11-22 18:17 . 2006-11-22 18:17 565248 --sha-w- c:\program files\ehthumbs.db
2006-05-07 17:47 . 2006-05-07 17:47 251 ----a-w- c:\program files\wt3d.ini
2006-09-02 03:09 . 2006-09-02 03:09 22 --sha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-03-01_00.16.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-18 19:17 . 2010-03-18 19:17 16384 c:\windows\Temp\Perflib_Perfdata_1dc.dat
+ 2010-03-18 19:15 . 2010-03-18 19:15 16384 c:\windows\Temp\Perflib_Perfdata_158.dat
- 2005-08-30 21:07 . 2009-12-10 17:49 71936 c:\windows\system32\perfc009.dat
+ 2005-08-30 21:07 . 2010-03-16 12:46 71936 c:\windows\system32\perfc009.dat
+ 2010-03-19 13:58 . 2010-03-19 13:58 84507 c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
- 2008-05-29 01:27 . 2010-02-13 17:15 84507 c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2004-08-09 21:00 . 2008-04-13 18:40 96512 c:\windows\system32\dllcache\atapi.sys
+ 2005-08-30 21:02 . 2010-03-06 07:05 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-08-30 21:02 . 2009-05-15 05:13 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-08-30 13:51 . 2009-05-15 05:13 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-08-30 13:51 . 2010-03-06 07:05 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-08-20 18:43 . 2010-02-10 08:02 90112 c:\windows\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
+ 2006-08-20 18:43 . 2010-03-10 11:39 90112 c:\windows\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
+ 2006-08-20 18:43 . 2010-03-10 11:39 45056 c:\windows\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
- 2006-08-20 18:43 . 2010-02-10 08:02 45056 c:\windows\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
+ 2006-08-20 18:43 . 2010-03-10 11:39 22528 c:\windows\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
- 2006-08-20 18:43 . 2010-02-10 08:02 22528 c:\windows\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
+ 2006-08-20 18:43 . 2010-03-10 11:39 30720 c:\windows\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\pptico.exe
- 2006-08-20 18:43 . 2010-02-10 08:02 30720 c:\windows\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\pptico.exe
+ 2006-08-20 18:43 . 2010-03-10 11:39 16384 c:\windows\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
- 2006-08-20 18:43 . 2010-02-10 08:02 16384 c:\windows\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
- 2006-08-20 18:43 . 2010-02-10 08:02 34304 c:\windows\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\misc.exe
+ 2006-08-20 18:43 . 2010-03-10 11:39 34304 c:\windows\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\misc.exe
- 2009-11-11 00:43 . 2009-11-11 00:43 38240 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
+ 2010-03-10 11:44 . 2010-03-10 11:44 38240 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
+ 2006-08-20 18:43 . 2010-03-10 11:39 3584 c:\windows\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
- 2006-08-20 18:43 . 2010-02-10 08:02 3584 c:\windows\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
- 2006-08-20 18:43 . 2010-02-10 08:02 8192 c:\windows\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
+ 2006-08-20 18:43 . 2010-03-10 11:39 8192 c:\windows\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
- 2006-08-20 18:43 . 2010-02-10 08:02 2560 c:\windows\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2006-08-20 18:43 . 2010-03-10 11:39 2560 c:\windows\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2005-08-30 21:07 . 2010-03-16 12:46 442796 c:\windows\system32\perfh009.dat
- 2005-08-30 21:07 . 2009-12-10 17:49 442796 c:\windows\system32\perfh009.dat
+ 2010-03-05 14:45 . 2009-12-17 22:14 153376 c:\windows\system32\javaws.exe
+ 2010-03-05 14:45 . 2009-12-17 22:14 145184 c:\windows\system32\javaw.exe
+ 2010-03-05 14:45 . 2009-12-17 22:14 145184 c:\windows\system32\java.exe
+ 2009-05-05 04:42 . 2010-03-18 19:17 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2009-05-05 04:42 . 2010-02-28 16:22 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2010-03-05 14:45 . 2010-03-05 14:45 180224 c:\windows\Installer\7dbbb62.msi
+ 2010-03-05 14:41 . 2010-03-05 14:41 537600 c:\windows\Installer\7dbbb52.msi
+ 2006-08-20 18:43 . 2010-03-10 11:39 114688 c:\windows\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\outicon.exe
- 2006-08-20 18:43 . 2010-02-10 08:02 114688 c:\windows\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\outicon.exe
+ 2006-08-20 18:43 . 2010-03-10 11:39 167936 c:\windows\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\accicons.exe
- 2006-08-20 18:43 . 2010-02-10 08:02 167936 c:\windows\Installer\{91110409-6000-11D3-8CFE-0050048383C9}\accicons.exe
+ 2010-02-21 06:00 . 2010-02-21 06:00 8480768 c:\windows\Installer\3b2b01.msp
+ 2006-08-20 05:30 . 2010-03-02 05:30 31648712 c:\windows\system32\MRT.exe
+ 2009-11-21 04:46 . 2009-11-21 04:46 11524608 c:\windows\Installer\3b2b20.msp
+ 2010-01-28 11:17 . 2010-01-28 11:17 17510400 c:\windows\Installer\3b2b16.msp
+ 2009-04-03 22:46 . 2009-04-03 22:46 17314688 c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6425\MSO.DLL
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
"TivoServer"="c:\program files\TiVo\Desktop\TiVoServer.exe" [2009-11-02 2195160]
"TivoTransfer"="c:\program files\TiVo\Desktop\TiVoTransfer.exe" [2009-11-02 604888]
"TivoNotify"="c:\program files\TiVo\Desktop\TiVoNotify.exe" [2009-11-02 430808]
"TranscodingService"="c:\program files\TiVo\Desktop\Plus\\TranscodingService.exe" [2009-11-02 856280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2006-05-10 1519616]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2008-10-24 206112]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2008-10-24 79136]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-10 7311360]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-25 16855552]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-05-10 86016]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-07-08 236016]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-01-05 198160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-2-20 27136]

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\HP Rhapsody\\rhapsody.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3187:TCP"= 3187:TCP:Services
"3389:TCP"= 3389:TCP:*:Disabled:Remote Desktop

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SymEFA.sys [2/2/2010 4:58 AM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0308000.029\BHDrvx86.sys [2/2/2010 4:58 AM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0308000.029\cchpx86.sys [2/2/2010 4:58 AM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100312.001\IDSXpx86.sys [3/15/2010 2:34 AM 329592]
R2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [2/16/2007 11:58 PM 3744]
R2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [2/16/2007 11:58 PM 3904]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe [2/2/2010 4:58 AM 117640]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [11/13/2009 7:31 AM 92008]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [11/16/2008 3:27 PM 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/26/2009 4:00 AM 102448]
S3 CyUsbNT;Cypress Manufacturing Driver;c:\windows\system32\drivers\CyUsbNT.sys [2/16/2005 8:43 AM 28800]
S3 EraserUtilDrvI7;EraserUtilDrvI7;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI7.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI7.sys [?]
S4 TivoBeacon2;TiVo Beacon Service;c:\program files\TiVo\Desktop\TiVoBeacon.exe [11/2/2009 2:17 PM 1098968]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GETPLUSHELPER

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
Trusted Zone: trymedia.com
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-20 14:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2812758596-1037099363-3728107167-1007\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-2812758596-1037099363-3728107167-1008\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-2812758596-1037099363-3728107167-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a1,a3,6b,13,63,c4,ea,45,9c,97,38,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a1,a3,6b,13,63,c4,ea,45,9c,97,38,\
.
Completion time: 2010-03-20 14:49:25
ComboFix-quarantined-files.txt 2010-03-20 18:49
ComboFix2.txt 2010-03-18 19:22
ComboFix3.txt 2010-03-01 00:23

Pre-Run: 196,693,786,624 bytes free
Post-Run: 196,752,044,032 bytes free

- - End Of File - - 2CE863F38BE320FAA9B5651B23AA9650
Upload was successful


Ok, what is next?

Regards

#10 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 20 March 2010 - 02:11 PM

That's good.

Please follow/read the steps below to remove the tools we used and for some more information.


Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.

Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

System a bit slow? Try StartupLite

You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.

If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.


Congratulations! You now appear clean!

Now that you are clean, please follow and read some of the prevention tips below.

Preventing Infections in the Future


Please also have a look at the following links, giving some advice and Tips to protect yourself against malware and reduce the potential for re-infection:

Some of the main things you should consider to perform/read are:
  • Disabling Autorun/Play on Flash-Drive/Removable Drives
  • Avoid gaming sites, underground web pages, pirated software sites, and Peer to Peer Programs
  • Keep Windows updated by going to Windows Update
  • Updating Non-Microsoft Programs
  • Keeping security software updated

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help and thank you for choosing Bleeping Computer as your malware removal source.
Don't forget to tell your friends about us and good luck


If you have no more questions, comments or problems please tell us, so we can close off the topic.

Thanks

With Regards,
Extremeboy

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#11 Bobski7

  • Topic Starter
  • Members
  • 9 posts

Posted 28 March 2010 - 10:00 PM

Hi Extremeboy

I see that I did not confirm that all was ok. Actually the original problems were cleared, but just this evening Norton 360 detected and quarantined a Trojan.Gen. Should I be doing something with that?

Thanks again for your help

#12 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 29 March 2010 - 07:00 PM

Let me know what entry it quarantined, if possible post a log or screenshot of what it detected.

#13 Bobski7

  • Topic Starter
  • Members
  • 9 posts

Posted 30 March 2010 - 12:29 AM

There were a few detections within minutes of each other. Here is what was detected and displayed under risk detail.

C:\documents and settings\hp_administrator\local settings\temp\miu9.tmp.exe

HKey_Local_Machine\SYSTEM\Control Set002\Services\SP Service->Image Path

C:\documents and settings\hp_administrator\local settings\temp\miu7.tmp.exe

C:\documents and settings\all users\application data\adobe.dll_

C:\documents and settings\hp_administrator\local settings\temp\miua.tmp.exe

C:\documents and settings\all users\application data\adobe.dll

#14 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 30 March 2010 - 03:10 PM

Hello again.

Once they are quarantined are they still being detected and you're being alerted from that?

#15 Bobski7

  • Topic Starter
  • Members
  • 9 posts

Posted 30 March 2010 - 04:01 PM

Hi,

No, once quarantined they have not been detected and I have not received any alerts.