
backdoor.tidserv!inf file name atapi.sys


  • This topic is locked
11 replies to this topic

#1 hannadock

  • Members
  • 8 posts

Posted 31 March 2010 - 08:48 AM





DDS (Ver_10-03-17.01) - NTFSx86
Run by D800 at 8:09:58.81 on Wed 03/31/2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.462 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\DOCUME~1\D800\LOCALS~1\Temp\Uxx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Uqulob.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\D800\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.weightwatchers.com/plan/jnl/index_week.aspx?date=3/2/2010&viewDay=true
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_04\bin\ssv.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [YVIBBBHA8C] c:\docume~1\d800\locals~1\temp\Uxx.exe
mRun: [CARPService] carpserv.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [\\D3X8N021\EPSON Stylus CX3800 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatiaca.exe /p37 "\\d3x8n021\EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Communicator] "c:\program files\microsoft office communicator\communicator.exe" /fromrunkey
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_04\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~2\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~2\INetRepl.dll
Trusted Zone: x10.com\www.gate
DPF: {001000AF-2DEF-0202-10B6-DC5BA692C858} - hxxp://www.x10.com/support/netinfo/X10NetTest.cab
DPF: {001000AF-2DEF-0206-10B6-DC5BA692C858} - hxxp://www.gate.x10.com/control/xvidnx.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} - hxxp://i.dell.com/images/global/js/scanner/SysProExe.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1216963974306
DPF: {64CD313F-F079-4D93-959F-4D28B5519449} - hxxp://www.worldwinner.com/games/v56/jeopardy/jeopardy.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1216963962068
DPF: {74E4A24D-5224-4F05-8A41-99445E0FC22B} - hxxp://aolsvc.aol.com/onlinegames/free-trial-mind-medley/gamehouseplayer.cab
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://aolsvc.aol.com/onlinegames/luxor/mjolauncher.cab
DPF: {87587503-20F0-4FF5-8DA3-0107C4C03FDC} - hxxp://downloads.comcast.net/videomail/vmLauncher.cab
DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} - hxxp://picture.vzw.com/activex/VerizonWirelessUploadControl.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} - hxxp://www.worldwinner.com/games/v57/wof/wof.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} - hxxp://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D7208880-9B7A-43E1-AABB-8C888A5704F9} - hxxp://71.203.213.83:1024/NetCamPlayerWeb11gv2.cab
DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} - hxxp://webgames.d.tmsrv.com/c=6b394d37d9f41253937c225b25391e7b/aff=t_03cm_wg/p/release/tikgames/wg_shapo_gold/shapo_gold/shapo.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://aolsvc.aol.com/onlinegames/bejeweled2/popcaploader_v10.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://access.utk.edu/dana-cached/setup/JuniperSetupSP1.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://access.utk.edu/dana-cached/sc/JuniperSetupClient.cab
TCP: NameServer = 93.188.165.131,93.188.161.132
TCP: {7EA08353-3BC8-490B-BB55-63882405F6F2} = 93.188.165.131,93.188.161.132
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\d800\applic~1\mozilla\firefox\profiles\eeym3708.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.motors.ebay.com/|http://knoxville.craigslist.org/|http://www.ebay.com/|http://www.google.com/|http://www.pullapart.com/inventory/Main.aspx
FF - plugin: c:\documents and settings\all users\application data\zylom\zylomgamesplayer\npzylomgamesplayer.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 4095
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 1000000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 1000000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 1000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-12-19 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-12-19 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-3-7 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-3-7 169632]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-3-17 1799408]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-28 102448]
R3 GTICARD;GTICARD;c:\windows\system32\drivers\gticard.sys [2003-2-14 59328]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100329.002\naveng.sys [2010-3-30 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100329.002\navex15.sys [2010-3-30 1324720]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys --> c:\windows\system32\drivers\motccgp.sys [?]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys --> c:\windows\system32\drivers\motccgpfl.sys [?]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-3-17 115952]
S3 SWNC8U56;Sierra Wireless MUX NDIS Driver (UMTS56);c:\windows\system32\drivers\swnc8u56.sys [2009-8-8 101248]
S3 SWUMX56;Sierra Wireless USB MUX Driver (UMTS56);c:\windows\system32\drivers\swumx56.sys [2009-8-8 73856]

=============== Created Last 30 ================

2010-03-31 12:08:48 0 ----a-w- c:\documents and settings\d800\defogger_reenable
2010-03-30 23:52:05 0 d-----w- c:\documents and settings\d800\Bluetooth Software
2010-03-30 23:47:48 47272 ----a-w- c:\windows\system32\drivers\btwusb.sys
2010-03-30 23:47:47 89896 ----a-w- c:\windows\system32\drivers\btwsecfl.sys
2010-03-30 23:47:45 57384 ----a-w- c:\windows\system32\drivers\btwhid.sys
2010-03-30 23:47:44 156392 ----a-w- c:\windows\system32\drivers\btwdndis.sys
2010-03-30 23:47:43 106557 ----a-w- c:\windows\system32\btw_ci.dll
2010-03-30 23:47:42 37160 ----a-w- c:\windows\system32\drivers\btport.sys
2010-03-30 23:47:41 990632 ----a-w- c:\windows\system32\drivers\btkrnl.sys
2010-03-30 23:47:39 534440 ----a-w- c:\windows\system32\drivers\btaudio.sys
2010-03-30 23:47:11 0 d-----w- c:\program files\WIDCOMM
2010-03-30 23:44:31 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-03-30 23:44:31 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-03-30 22:33:37 169472 ----a-w- c:\windows\Uqulob.exe
2010-03-30 22:20:05 169472 ----a-w- c:\windows\Uquloa.exe
2010-03-10 17:17:09 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

==================== Find3M ====================

2010-03-29 09:49:51 11242 ----a-w- c:\windows\system32\nvModes.dat

============= FINISH: 8:10:31.55 ===============




Symantec found a virus called backdoor.tidserv!inf, file name atapi.sys. Said it partially removed or left alone. Hasn't popped up in a while. Need help. Running Win XP Professional on Dell D800. Also would like some idea as to how I may have gotten this.
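The DDS log above already shows the pattern a TDSS/TDL3 infection tends to leave behind: Symantec's on-access scanning reports as disabled, a user Run key with a random name (YVIBBBHA8C) launches an executable from the user's Temp folder, two executables of identical size (Uquloa.exe and Uqulob.exe) were dropped straight into C:\WINDOWS thirteen minutes apart, the adapter's DNS servers are hard-coded to two public addresses, and EnableLUA is forced to 0 under machine policy (a Vista UAC setting, so its presence on an XP machine is itself odd). The script below is an added example, not part of the thread and not something DDS or Symantec produce: it scans DDS output for those indicators. Its sample input is a subset of lines copied from the log above; the heuristics (the Windows-root allowlist, the public-resolver allowlist and the random-name pattern) are this example's own assumptions, so treat a hit as something to check, not as a verdict.

```python
"""Triage DDS log output for TDSS-style persistence and tampering indicators.

Added example, not code from the thread or from DDS. The allowlists and the
random-name pattern are assumptions of this example.
"""
import ipaddress
import re

# Constructed input: a subset of lines copied from the DDS log posted above.
SAMPLE_DDS = r"""
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\D800\LOCALS~1\Temp\Uxx.exe
C:\WINDOWS\Uqulob.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [YVIBBBHA8C] c:\docume~1\d800\locals~1\temp\Uxx.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mPolicies-system: EnableLUA = 0 (0x0)
TCP: NameServer = 93.188.165.131,93.188.161.132
2010-03-30 22:33:37 169472 ----a-w- c:\windows\Uqulob.exe
2010-03-30 22:20:05 169472 ----a-w- c:\windows\Uquloa.exe
"""

# Executables that legitimately live directly in %WINDIR% (subset; assumption).
WINDIR_ALLOW = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe",
                "winhlp32.exe", "taskman.exe", "twunk_16.exe", "twunk_32.exe"}
# Public resolvers a user might have configured on purpose (subset; assumption).
RESOLVER_ALLOW = {"8.8.8.8", "8.8.4.4", "208.67.222.222", "208.67.220.220"}

RE_RUN = re.compile(r"^[um]Run:\s+\[([^\]]+)\]\s+(.*)$")
RE_TEMP_EXE = re.compile(r"\\temp\\[^\\\s\"]+\.exe\b", re.I)
RE_WINDIR_EXE = re.compile(r"^c:\\windows\\([^\\]+\.exe)$", re.I)
RE_POLICY = re.compile(r"^mPolicies-system:\s+EnableLUA\s*=\s*0\b")
RE_DNS = re.compile(r"^TCP:\s+(?:NameServer|\{[0-9A-Fa-f-]+\})\s*=\s*([\d.,\s]+)$")
RE_CREATED = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+\S+\s+(c:\\windows\\[^\\]+\.exe)$", re.I)
# Heuristic: all-caps alphanumeric, 8+ chars, at least one digit (e.g. YVIBBBHA8C).
RE_RANDOM_NAME = re.compile(r"(?=.*\d)[A-Z0-9]{8,}")


def suspicious_resolver(ip_text):
    """Public DNS server that is neither LAN/router/AD (private, link-local,
    loopback) nor on the known-resolver allowlist."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    if ip.is_private or ip.is_link_local or ip.is_loopback:
        return False
    return ip_text not in RESOLVER_ALLOW


def triage(dds_text):
    """Return (tag, evidence) findings for one DDS log."""
    findings = []
    created_by_size = {}   # file size -> executables dropped in C:\WINDOWS root
    seen_dns = set()
    for raw in dds_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("av:") and "disabled" in line.lower():
            findings.append(("av_disabled", line))
        elif RE_POLICY.match(line):
            findings.append(("uac_policy_off", line))
        elif (m := RE_RUN.match(line)):
            name, target = m.groups()
            if RE_TEMP_EXE.search(target):
                findings.append(("autorun_from_temp", line))
            if RE_RANDOM_NAME.fullmatch(name):
                findings.append(("autorun_random_name", line))
        elif (m := RE_DNS.match(line)):
            for ip in re.split(r"[,\s]+", m.group(1).strip()):
                if ip and ip not in seen_dns and suspicious_resolver(ip):
                    seen_dns.add(ip)
                    findings.append(("dns_changed", ip))
        elif (m := RE_CREATED.match(line)):
            created_by_size.setdefault(m.group(2), []).append(m.group(3).lower())
        elif RE_TEMP_EXE.search(line):
            findings.append(("process_from_temp", line))
        elif (m := RE_WINDIR_EXE.match(line)):
            if m.group(1).lower() not in WINDIR_ALLOW:
                findings.append(("process_in_windir_root", line))
    # Same-size executables dropped into the Windows root: sequential re-drops.
    for size, paths in created_by_size.items():
        if len(paths) > 1:
            findings.append(("same_size_drops_in_windir", f"{size} bytes: " + ", ".join(paths)))
    return findings


if __name__ == "__main__":
    for tag, evidence in triage(SAMPLE_DDS):
        print(f"{tag:28} {evidence}")
```

Run it against a full DDS.txt with `triage(open("DDS.txt").read())`; the "Created Last 30" and "Running Processes" sections are the ones that carry the drop and Temp-execution evidence, the "Pseudo HJT Report" section the Run keys, DNS servers and policy values.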


#2 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,512 posts

Posted 31 March 2010 - 07:29 PM

Hello hannadock,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.

QUOTE
Also would like some idea as to how I may have gotten this.

There are many ways. Could have been infected through email, a bad website, or file sharing programs. Those are the main ways; however, there are many others.

1.
Download and Run RKill
    Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply

2.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running, because it may cause it to stall.

3.
Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

c:\windows\Uqulob.exe
c:\windows\Uquloa.exe

Please post back the results of the scan in your next post.

Things to include in your next reply:
Rkill log
Combofix.txt
Jotti results
How is your machine running now?

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/


" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-
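Before uploading anything to Jotti or VirusTotal, hash the files locally. A hash lookup needs no upload, and byte-identical digests tell you whether Uquloa.exe and Uqulob.exe (same size, dropped about thirteen minutes apart) are one payload re-dropped under a new name. The same routine compares a driver with its dllcache copy, which is the obvious check for the atapi.sys detection; the caveat is that a TDL3-style rootkit intercepts disk reads of the driver it infected while Windows is running and hands back the original bytes, so a clean-looking hash taken from the live system proves nothing. Do that comparison from an offline boot, such as the Recovery Console that ComboFix installs in step 2 above, or a boot CD. The script below is an added example, not code from the thread or from RKill, ComboFix, Jotti or VirusTotal; the VirusTotal lookup URL format is an assumption, and the files it hashes are constructed stand-ins written to a temporary directory.

```python
"""Hash suspect files locally, group byte-identical copies, and compare a
driver with its dllcache backup.

Added example for the Jotti / VirusTotal step; not code from the thread or
from any tool named in it. The lookup URL format is an assumption.
"""
import hashlib
import os
import tempfile


def hash_file(path, algorithms=("md5", "sha1", "sha256")):
    """Stream the file once and feed every requested digest."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def group_identical(paths):
    """Map SHA-256 -> paths. A group with more than one path is one payload
    under several names (the Uquloa.exe / Uqulob.exe pattern)."""
    groups = {}
    for path in paths:
        digest = hash_file(path, ("sha256",))["sha256"]
        groups.setdefault(digest, []).append(path)
    return groups


def lookup_url(sha256):
    """Look the hash up instead of uploading the sample. Assumption:
    VirusTotal's /gui/file/<sha256> page; written defanged (hxxps) the way
    the logs in this thread write URLs."""
    return f"hxxps://www.virustotal.com/gui/file/{sha256}"


def driver_matches_backup(driver_path, dllcache_path):
    """True when the driver and its dllcache copy are byte-identical.
    Caveat: a TDL3-style rootkit filters reads of the infected driver while
    Windows is running, so only an offline comparison is trustworthy."""
    return (hash_file(driver_path, ("sha256",))["sha256"]
            == hash_file(dllcache_path, ("sha256",))["sha256"])


def demo():
    """Constructed stand-in files: names follow the thread, contents are fake."""
    workdir = tempfile.mkdtemp(prefix="triage_")
    files = {
        "Uquloa.exe": b"abc",                                    # two identical "drops"
        "Uqulob.exe": b"abc",
        os.path.join("drivers", "atapi.sys"): b"driver image, modified",
        os.path.join("dllcache", "atapi.sys"): b"driver image, original",
    }
    paths = {}
    for rel, content in files.items():
        full = os.path.join(workdir, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
        paths[rel] = full
    return {
        "paths": paths,
        "groups": group_identical([paths["Uquloa.exe"], paths["Uqulob.exe"]]),
        "driver_ok": driver_matches_backup(paths[os.path.join("drivers", "atapi.sys")],
                                           paths[os.path.join("dllcache", "atapi.sys")]),
    }


if __name__ == "__main__":
    result = demo()
    for digest, members in result["groups"].items():
        print(f"{len(members)} file(s) share {digest}: {lookup_url(digest)}")
        for member in members:
            print("   ", member, hash_file(member))
    print("atapi.sys matches dllcache copy:", result["driver_ok"])
```

On the real machine, point `group_identical` at the two C:\WINDOWS\Uqulo*.exe files and the Temp\Uxx.exe that RKill killed, and post the digests alongside the Jotti results; a helper can then tell whether the three are one sample or three.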


#3 hannadock

  • Topic Starter
  • Members
  • 8 posts

Posted 01 April 2010 - 07:44 AM

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as D800 on 04/01/2010 at 7:48:59.


Processes terminated by Rkill or while it was running:


C:\DOCUME~1\D800\LOCALS~1\Temp\Uxx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\D800\Desktop\rkill.pif


Rkill completed on 04/01/2010 at 7:49:02.


ComboFix 10-03-29.04 - D800 04/01/2010 7:59.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.499 [GMT -4:00]
Running from: c:\documents and settings\D800\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
* Created a new restore point
.
ADS - WINDOWS: deleted 24 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
c:\program files\Adware Pro
c:\program files\Adware Pro\AdWare Pro Setup Log.txt
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\system32\drivers\etc\lmhosts
c:\windows\system32\MSVolume.dll
c:\windows\system32\spool\prtprocs\w32x86\00000140.tmp
c:\windows\system32\spool\prtprocs\w32x86\00003a6c.tmp
c:\windows\system32\spool\prtprocs\w32x86\00006a2c.tmp
c:\windows\system32\uninstall.exe
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
c:\windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job

.
((((((((((((((((((((((((( Files Created from 2010-03-01 to 2010-04-01 )))))))))))))))))))))))))))))))
.

2010-04-01 11:55 . 2010-04-01 11:55 -------- d-----w- c:\windows\LastGood
2010-03-30 23:52 . 2010-03-30 23:52 -------- d-----w- c:\documents and settings\D800\Bluetooth Software
2010-03-30 23:47 . 2008-03-27 17:18 47272 ----a-w- c:\windows\system32\drivers\btwusb.sys
2010-03-30 23:47 . 2008-03-27 10:17 89896 ----a-w- c:\windows\system32\drivers\btwsecfl.sys
2010-03-30 23:47 . 2008-03-10 18:18 57384 ----a-w- c:\windows\system32\drivers\btwhid.sys
2010-03-30 23:47 . 2007-09-20 11:59 156392 ----a-w- c:\windows\system32\drivers\btwdndis.sys
2010-03-30 23:47 . 2007-09-20 11:59 106557 ----a-w- c:\windows\system32\btw_ci.dll
2010-03-30 23:47 . 2008-02-04 17:57 37160 ----a-w- c:\windows\system32\drivers\btport.sys
2010-03-30 23:47 . 2008-04-15 11:14 990632 ----a-w- c:\windows\system32\drivers\btkrnl.sys
2010-03-30 23:47 . 2008-04-15 11:13 534440 ----a-w- c:\windows\system32\drivers\btaudio.sys
2010-03-30 23:47 . 2010-03-30 23:47 -------- d-----w- c:\program files\WIDCOMM
2010-03-30 23:44 . 2008-04-13 15:39 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-03-30 23:44 . 2008-04-13 15:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-03-30 22:33 . 2010-03-30 22:23 169472 ----a-w- c:\windows\Uqulob.exe
2010-03-30 22:20 . 2010-03-30 22:19 169472 ----a-w- c:\windows\Uquloa.exe
2010-03-10 17:17 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-01 11:42 . 2008-07-25 04:55 -------- d-----w- c:\program files\Symantec AntiVirus
2010-03-31 01:32 . 2009-12-27 19:48 -------- d-----w- c:\program files\Glary Utilities
2010-03-29 09:49 . 2008-07-24 18:08 11242 ----a-w- c:\windows\system32\nvModes.dat
2010-03-25 22:52 . 2008-08-09 14:46 -------- d-----w- c:\documents and settings\D800\Application Data\ZoomBrowser EX
2010-03-25 22:52 . 2008-08-09 14:46 -------- d-----w- c:\documents and settings\D800\Application Data\CameraWindowDC
2010-03-15 22:23 . 2008-08-08 00:10 1 ----a-w- c:\documents and settings\D800\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2010-03-15 22:23 . 2008-08-08 00:09 -------- d-----w- c:\documents and settings\D800\Application Data\OpenOffice.org2
2010-03-13 20:18 . 2008-08-08 00:25 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-27 18:20 . 2010-02-27 18:20 -------- d-----w- c:\documents and settings\All Users\Application Data\MumboJumbo
2010-02-27 15:19 . 2010-02-27 15:19 -------- d-----w- c:\documents and settings\All Users\Application Data\GameHouse
2010-02-21 16:48 . 2010-02-21 16:47 -------- d-----w- c:\documents and settings\D800\Application Data\Thunderbird
2008-10-14 23:35 . 2008-10-14 23:35 0 --sha-w- c:\windows\SA6FFCDDA.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CARPService"="carpserv.exe" [2002-10-17 4608]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2002-08-23 143360]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-26 4632576]
"nwiz"="nwiz.exe" [2004-10-26 921600]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2003-01-31 364544]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-03-17 124656]
"\\D3X8N021\EPSON Stylus CX3800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE" [2005-02-08 98304]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2009-12-12 5114208]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Pinpoint 8 Desktop Weather.lnk]
backup=c:\windows\pss\Pinpoint 8 Desktop Weather.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^D800^Start Menu^Programs^Startup^Pinpoint 8 Desktop Weather.lnk]
path=c:\documents and settings\D800\Start Menu\Programs\Startup\Pinpoint 8 Desktop Weather.lnk
backup=c:\windows\pss\Pinpoint 8 Desktop Weather.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced SystemCare 3
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 20:57 948672 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 06:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater6]
2009-01-08 12:36 2521464 ----a-w- c:\program files\Common Files\Adobe\Updater6\Adobe_Updater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Communicator]
2009-12-12 05:56 5114208 ----a-w- c:\program files\Microsoft Office Communicator\communicator.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-12-10 03:29 49152 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" /fromrunkey

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Linksys Driver\\WAP11v28 Setup Wizard 083003\\setup.exe"=
"c:\\Program Files\\Common Files\\Pinpoint 8 Desktop Weather\\TrueWeather.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Canon\\DV Messenger\\DV Messenger.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/28/2009 9:23 PM 102448]
R3 GTICARD;GTICARD;c:\windows\system32\drivers\gticard.sys [2/14/2003 6:03 PM 59328]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys --> c:\windows\system32\DRIVERS\motccgp.sys [?]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys --> c:\windows\system32\DRIVERS\motccgpfl.sys [?]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/17/2006 9:34 AM 115952]
S3 SWNC8U56;Sierra Wireless MUX NDIS Driver (UMTS56);c:\windows\system32\drivers\swnc8u56.sys [8/8/2009 3:23 PM 101248]
S3 SWUMX56;Sierra Wireless USB MUX Driver (UMTS56);c:\windows\system32\drivers\swumx56.sys [8/8/2009 3:22 PM 73856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-04-01 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2009-12-27 17:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.weightwatchers.com/plan/jnl/index_week.aspx?date=3/2/2010&viewDay=true
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: x10.com\www.gate
DPF: {001000AF-2DEF-0202-10B6-DC5BA692C858} - hxxp://www.x10.com/support/netinfo/X10NetTest.cab
DPF: {74E4A24D-5224-4F05-8A41-99445E0FC22B} - hxxp://aolsvc.aol.com/onlinegames/free-trial-mind-medley/gamehouseplayer.cab
DPF: {D7208880-9B7A-43E1-AABB-8C888A5704F9} - hxxp://71.203.213.83:1024/NetCamPlayerWeb11gv2.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://access.utk.edu/dana-cached/sc/JuniperSetupClient.cab
FF - ProfilePath - c:\documents and settings\D800\Application Data\Mozilla\Firefox\Profiles\eeym3708.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.motors.ebay.com/|http://knoxville.craigslist.org/|http://www.ebay.com/|http://www.google.com/|http://www.pullapart.com/inventory/Main.aspx
FF - plugin: c:\documents and settings\All Users\Application Data\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 4095
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 1000000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 1000000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 1000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
MSConfigStartUp-YVIBBBHA8C - c:\docume~1\D800\LOCALS~1\Temp\Uxx.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-01 08:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(520)
c:\windows\System32\BCMLogon.dll
.
Completion time: 2010-04-01 08:09:02
ComboFix-quarantined-files.txt 2010-04-01 12:08

Pre-Run: 33,955,586,048 bytes free
Post-Run: 34,548,969,472 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - F3C2B266EF3F2EAFAFE75D5ABFDB313F


I could find a report from Jotti to post but it showed 6 out of 20

win32:malware-gen
TR/Dldr.reos.KF.981
Trojan.downloader1.4210
win32:malware-gen
win32/trojandownloader.fakealert.AQI
mal/fakeAV-CO

Thanks


As of 6:19 pm 04/01/10 EST it's still there.

Edited by hannadock, 01 April 2010 - 05:19 PM.


#4 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 01 April 2010 - 07:18 PM

Hello,

Believe it or not we have made progress, but have more work to do.

1.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

CODE
Rootkit::
c:\windows\Uqulob.exe
c:\windows\Uquloa.exe

Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"NameServer"=-
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7EA08353-3BC8-490B-BB55-63882405F6F2}]

DDS::
DPF: {001000AF-2DEF-0202-10B6-DC5BA692C858} - hxxp://www.x10.com/support/netinfo/X10NetTest.cab
DPF: {74E4A24D-5224-4F05-8A41-99445E0FC22B} - hxxp://aolsvc.aol.com/onlinegames/free-trial-mind-medley/gamehouseplayer.cab
DPF: {D7208880-9B7A-43E1-AABB-8C888A5704F9} - hxxp://71.203.213.83:1024/NetCamPlayerWeb11gv2.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://access.utk.edu/dana-cached/sc/JuniperSetupClient.cab


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

2.
Please download Malwarebytes Anti-Malware (v1.45) and save it to your desktop. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

3.
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    CODE
    :filefind
    atapi.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Things to include in your next reply:
Combofix.txt
MBAM log
Systemlook.txt
A new DDS log
No need for Attach.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!
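The SystemLook ":filefind atapi.sys" step in the post above lists every copy of the driver with its size and MD5. The reason a helper asks for that is to compare the copy Windows actually loads (system32\drivers) against the pristine copies Windows keeps (ServicePackFiles, dllcache): if the live file has the same size as the reference copy but a different hash, a version difference cannot explain it and the file needs a closer look. The script below is an added example, not code from the post, from SystemLook or from ComboFix. It parses output in the ":filefind" line format and applies exactly that comparison. The first three sample lines are copied from the SystemLook.txt posted later in this thread; the fourth line is constructed to stand in for the live driver and carries an all-zero placeholder hash, not a real indicator. The function names and the path markers used to tell live copies from reference copies are this example's own assumptions.

```python
import re
from typing import Any, Dict, List, Tuple

# Sample ":filefind" output. The first three file lines are copied from the
# SystemLook.txt posted in this thread; the fourth line is CONSTRUCTED to stand
# in for the live driver and carries a placeholder hash, not a real one.
SAMPLE_LOG = r"""
Searching for "atapi.sys"
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [06:47 25/07/2008] [05:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [12:07 01/04/2010] [15:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [18:40 13/04/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys --a--- 96512 bytes [15:40 13/04/2008] [15:40 13/04/2008] 00000000000000000000000000000000
"""

# One SystemLook file line: path, attribute flags, size, [modified] [created], MD5.
FILEFIND_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?\.sys)\s+"
    r"(?P<attrs>[-a-z]{6})\s+"
    r"(?P<size>\d+) bytes\s+"
    r"\[(?P<modified>[^\]]+)\]\s+\[(?P<created>[^\]]+)\]\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s*$"
)

# Where Windows keeps the copy it actually loads, and where it keeps pristine
# copies it restores from. These markers are an assumption of this example and
# are matched case-insensitively against the path.
LIVE_MARKER = "\\system32\\drivers\\"
REFERENCE_MARKERS = ("\\servicepackfiles\\", "\\dllcache\\")


def parse_filefind(log: str) -> List[Dict[str, Any]]:
    """Turn the file lines of a :filefind section into dicts; other lines are skipped."""
    entries: List[Dict[str, Any]] = []
    for raw in log.splitlines():
        m = FILEFIND_RE.match(raw.strip())
        if not m:
            continue
        entries.append({
            "path": m.group("path"),
            "attrs": m.group("attrs"),
            "size": int(m.group("size")),
            "modified": m.group("modified"),
            "created": m.group("created"),
            "md5": m.group("md5").upper(),
        })
    return entries


def split_live_and_reference(entries: List[Dict[str, Any]]) -> Tuple[List[Dict[str, Any]], List[Dict[str, Any]]]:
    """Separate the loaded driver copy from the OS-supplied reference copies."""
    live = [e for e in entries if LIVE_MARKER in e["path"].lower()]
    refs = [e for e in entries
            if any(mk in e["path"].lower() for mk in REFERENCE_MARKERS)]
    return live, refs


def assess_driver_copies(entries: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Compare each live copy against the reference copies.

    Verdict per live copy:
      "matches reference"          - hash equals a reference copy's hash
      "MISMATCH at identical size" - same byte size as a reference copy but a
                                     different hash; a version change cannot
                                     explain that, so the file deserves a look
      "no reference of this size"  - nothing comparable to check against
    """
    live, refs = split_live_and_reference(entries)
    ref_hashes = {r["md5"] for r in refs}
    ref_sizes = {r["size"] for r in refs}
    findings = []
    for e in live:
        if e["md5"] in ref_hashes:
            status = "matches reference"
        elif e["size"] in ref_sizes:
            status = "MISMATCH at identical size"
        else:
            status = "no reference of this size"
        findings.append({"path": e["path"], "md5": e["md5"], "status": status})
    return {
        "reference_hashes": sorted(ref_hashes),
        "live_copies": findings,
        "suspicious": [f["path"] for f in findings if f["status"].startswith("MISMATCH")],
    }


def report(log: str) -> str:
    """Human-readable summary of the comparison, suitable for pasting into a reply."""
    verdict = assess_driver_copies(parse_filefind(log))
    lines = ["reference MD5s: " + ", ".join(verdict["reference_hashes"])]
    for f in verdict["live_copies"]:
        lines.append(f'{f["status"]:28} {f["md5"]}  {f["path"]}')
    if not verdict["live_copies"]:
        lines.append("no live driver copy found in the log")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

The ERDNT\cache and $NtServicePackUninstall$ copies are deliberately not used as references: the first is a backup ComboFix made during this thread, and the second is the older pre-Service-Pack file, which legitimately has a different size and hash. Only the copies Windows itself installed at the current service-pack level are a fair baseline, and a hash that matches none of them while the size is unchanged is the result a helper is looking for when they ask for this log.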


#5 hannadock
  • Topic Starter
  • Members
  • 8 posts

Posted 02 April 2010 - 09:42 AM

ComboFix 10-03-29.04 - D800 04/02/2010 9:42.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.423 [GMT -4:00]
Running from: c:\documents and settings\D800\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\D800\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((( Files Created from 2010-03-02 to 2010-04-02 )))))))))))))))))))))))))))))))
.

2010-03-30 23:52 . 2010-03-30 23:52 -------- d-----w- c:\documents and settings\D800\Bluetooth Software
2010-03-30 23:47 . 2008-03-27 17:18 47272 ----a-w- c:\windows\system32\drivers\btwusb.sys
2010-03-30 23:47 . 2008-03-27 10:17 89896 ----a-w- c:\windows\system32\drivers\btwsecfl.sys
2010-03-30 23:47 . 2008-03-10 18:18 57384 ----a-w- c:\windows\system32\drivers\btwhid.sys
2010-03-30 23:47 . 2007-09-20 11:59 156392 ----a-w- c:\windows\system32\drivers\btwdndis.sys
2010-03-30 23:47 . 2007-09-20 11:59 106557 ----a-w- c:\windows\system32\btw_ci.dll
2010-03-30 23:47 . 2008-02-04 17:57 37160 ----a-w- c:\windows\system32\drivers\btport.sys
2010-03-30 23:47 . 2008-04-15 11:14 990632 ----a-w- c:\windows\system32\drivers\btkrnl.sys
2010-03-30 23:47 . 2008-04-15 11:13 534440 ----a-w- c:\windows\system32\drivers\btaudio.sys
2010-03-30 23:47 . 2010-03-30 23:47 -------- d-----w- c:\program files\WIDCOMM
2010-03-30 23:44 . 2008-04-13 15:39 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-03-30 23:44 . 2008-04-13 15:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-03-10 17:17 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-10 04:33 . 2010-03-10 04:33 1025024 -c----w- c:\windows\system32\dllcache\browseui.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-02 13:52 . 2008-07-25 04:55 -------- d-----w- c:\program files\Symantec AntiVirus
2010-03-31 01:32 . 2009-12-27 19:48 -------- d-----w- c:\program files\Glary Utilities
2010-03-29 09:49 . 2008-07-24 18:08 11242 ----a-w- c:\windows\system32\nvModes.dat
2010-03-25 22:52 . 2008-08-09 14:46 -------- d-----w- c:\documents and settings\D800\Application Data\ZoomBrowser EX
2010-03-25 22:52 . 2008-08-09 14:46 -------- d-----w- c:\documents and settings\D800\Application Data\CameraWindowDC
2010-03-15 22:23 . 2008-08-08 00:10 1 ----a-w- c:\documents and settings\D800\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2010-03-15 22:23 . 2008-08-08 00:09 -------- d-----w- c:\documents and settings\D800\Application Data\OpenOffice.org2
2010-03-13 20:18 . 2008-08-08 00:25 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-27 18:20 . 2010-02-27 18:20 -------- d-----w- c:\documents and settings\All Users\Application Data\MumboJumbo
2010-02-27 15:19 . 2010-02-27 15:19 -------- d-----w- c:\documents and settings\All Users\Application Data\GameHouse
2010-02-26 05:43 . 2006-03-04 03:33 667136 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 05:43 . 2004-08-04 10:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-21 16:48 . 2010-02-21 16:47 -------- d-----w- c:\documents and settings\D800\Application Data\Thunderbird
2008-10-14 23:35 . 2008-10-14 23:35 0 --sha-w- c:\windows\SA6FFCDDA.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CARPService"="carpserv.exe" [2002-10-17 4608]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2002-08-23 143360]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-26 4632576]
"nwiz"="nwiz.exe" [2004-10-26 921600]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2003-01-31 364544]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-03-17 124656]
"\\D3X8N021\EPSON Stylus CX3800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE" [2005-02-08 98304]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2009-12-12 5114208]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Pinpoint 8 Desktop Weather.lnk]
backup=c:\windows\pss\Pinpoint 8 Desktop Weather.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^D800^Start Menu^Programs^Startup^Pinpoint 8 Desktop Weather.lnk]
path=c:\documents and settings\D800\Start Menu\Programs\Startup\Pinpoint 8 Desktop Weather.lnk
backup=c:\windows\pss\Pinpoint 8 Desktop Weather.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 20:57 948672 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 06:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater6]
2009-01-08 12:36 2521464 ----a-w- c:\program files\Common Files\Adobe\Updater6\Adobe_Updater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Communicator]
2009-12-12 05:56 5114208 ----a-w- c:\program files\Microsoft Office Communicator\communicator.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-12-10 03:29 49152 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" /fromrunkey

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Linksys Driver\\WAP11v28 Setup Wizard 083003\\setup.exe"=
"c:\\Program Files\\Common Files\\Pinpoint 8 Desktop Weather\\TrueWeather.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Canon\\DV Messenger\\DV Messenger.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/28/2009 9:23 PM 102448]
R3 GTICARD;GTICARD;c:\windows\system32\drivers\gticard.sys [2/14/2003 6:03 PM 59328]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys --> c:\windows\system32\DRIVERS\motccgp.sys [?]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys --> c:\windows\system32\DRIVERS\motccgpfl.sys [?]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/17/2006 9:34 AM 115952]
S3 SWNC8U56;Sierra Wireless MUX NDIS Driver (UMTS56);c:\windows\system32\drivers\swnc8u56.sys [8/8/2009 3:23 PM 101248]
S3 SWUMX56;Sierra Wireless USB MUX Driver (UMTS56);c:\windows\system32\drivers\swumx56.sys [8/8/2009 3:22 PM 73856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-04-02 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2009-12-27 17:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.weightwatchers.com/plan/jnl/index_week.aspx?date=3/2/2010&viewDay=true
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: x10.com\www.gate
FF - ProfilePath - c:\documents and settings\D800\Application Data\Mozilla\Firefox\Profiles\eeym3708.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.motors.ebay.com/|http://knoxville.craigslist.org/|http://www.ebay.com/|http://www.google.com/|http://www.pullapart.com/inventory/Main.aspx
FF - plugin: c:\documents and settings\All Users\Application Data\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 4095
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 1000000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 1000000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 1000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-02 09:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(780)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(2156)
c:\windows\system32\nview.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\System32\wltrysvc.exe
c:\windows\System32\bcmwltry.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\carpserv.exe
c:\windows\system32\rundll32.exe
c:\program files\Apoint\Apntex.exe
c:\program files\Microsoft ActiveSync\wcescomm.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\MICROS~2\rapimgr.exe
c:\program files\Symantec AntiVirus\DoScan.exe
.
**************************************************************************
.
Completion time: 2010-04-02 09:57:24 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-02 13:57
ComboFix2.txt 2010-04-01 12:09

Pre-Run: 34,549,125,120 bytes free
Post-Run: 34,511,478,784 bytes free

- - End Of File - - 77BD65110B4C83A86AE38DD0AB80AADC



Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3946

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

4/2/2010 10:17:17 AM
mbam-log-2010-04-02 (10-17-17).txt

Scan type: Quick scan
Objects scanned: 108389
Time elapsed: 8 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 10:23 on 02/04/2010 by D800 (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.sys"
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [06:47 25/07/2008] [05:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [12:07 01/04/2010] [15:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [18:40 13/04/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\dllcache\atapi.sys --a--c 96512 bytes [10:00 04/08/2004] [15:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys ------ 96512 bytes [10:00 04/08/2004] [15:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys --a--- 95360 bytes [17:58 24/07/2008] [10:00 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

-=End Of File=-


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 7/24/2008 1:50:27 PM
System Uptime: 4/2/2010 9:49:20 AM (1 hours ago)

Motherboard: Dell Computer Corporation | |
Processor: Intel® Pentium® M processor 1600MHz | Microprocessor | 1594/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 56 GiB total, 32.184 GiB free.
D: is CDROM ()
E: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\49698614A4FC000
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\49698614A4FC000
Service: NIC1394

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Dell TrueMobile 1300 WLAN Mini-PCI Card
Device ID: PCI\VEN_14E4&DEV_4320&SUBSYS_00011028&REV_02\4&39A85202&0&18F0
Manufacturer: Broadcom
Name: Dell TrueMobile 1300 WLAN Mini-PCI Card
PNP Device ID: PCI\VEN_14E4&DEV_4320&SUBSYS_00011028&REV_02\4&39A85202&0&18F0
Service: BCM43XX

==== System Restore Points ===================

RP452: 1/2/2010 4:15:37 PM - System Checkpoint
RP453: 1/3/2010 4:44:06 PM - System Checkpoint
RP454: 1/4/2010 6:21:36 PM - System Checkpoint
RP455: 1/6/2010 7:26:14 AM - System Checkpoint
RP456: 1/7/2010 7:47:34 AM - System Checkpoint
RP457: 1/8/2010 9:52:01 AM - System Checkpoint
RP458: 1/10/2010 1:19:08 PM - System Checkpoint
RP459: 1/12/2010 7:22:15 PM - System Checkpoint
RP460: 1/12/2010 8:35:07 PM - Software Distribution Service 3.0
RP461: 1/14/2010 8:08:09 AM - System Checkpoint
RP462: 1/15/2010 9:29:01 AM - System Checkpoint
RP463: 1/16/2010 9:41:42 AM - System Checkpoint
RP464: 1/17/2010 9:59:29 AM - System Checkpoint
RP465: 1/18/2010 10:09:11 AM - System Checkpoint
RP466: 1/20/2010 8:32:23 AM - System Checkpoint
RP467: 1/21/2010 9:39:40 AM - System Checkpoint
RP468: 1/22/2010 10:01:19 AM - System Checkpoint
RP469: 1/23/2010 3:00:21 AM - Software Distribution Service 3.0
RP470: 1/24/2010 11:22:29 AM - System Checkpoint
RP471: 1/26/2010 9:31:02 AM - System Checkpoint
RP472: 1/27/2010 9:10:36 AM - Software Distribution Service 3.0
RP473: 1/28/2010 1:06:49 PM - System Checkpoint
RP474: 1/30/2010 11:39:08 AM - System Checkpoint
RP475: 1/31/2010 12:49:33 PM - System Checkpoint
RP476: 2/1/2010 4:22:59 PM - System Checkpoint
RP477: 2/2/2010 7:21:57 PM - System Checkpoint
RP478: 2/3/2010 7:49:12 PM - System Checkpoint
RP479: 2/5/2010 7:40:30 AM - System Checkpoint
RP480: 2/6/2010 8:38:13 AM - System Checkpoint
RP481: 2/7/2010 9:10:44 AM - System Checkpoint
RP482: 2/8/2010 9:51:21 AM - System Checkpoint
RP483: 2/9/2010 11:14:00 AM - System Checkpoint
RP484: 2/10/2010 3:00:18 AM - Software Distribution Service 3.0
RP485: 2/11/2010 3:24:59 AM - System Checkpoint
RP486: 2/12/2010 5:37:34 AM - System Checkpoint
RP487: 2/13/2010 7:18:53 AM - System Checkpoint
RP488: 2/14/2010 4:29:09 PM - System Checkpoint
RP489: 2/15/2010 5:36:58 PM - System Checkpoint
RP490: 2/16/2010 6:33:39 PM - System Checkpoint
RP491: 2/17/2010 6:42:50 PM - System Checkpoint
RP492: 2/18/2010 7:36:54 PM - System Checkpoint
RP493: 2/20/2010 8:12:16 AM - System Checkpoint
RP494: 2/21/2010 9:50:40 AM - System Checkpoint
RP495: 2/22/2010 11:04:23 AM - System Checkpoint
RP496: 2/23/2010 11:32:59 AM - System Checkpoint
RP497: 2/24/2010 3:00:17 AM - Software Distribution Service 3.0
RP498: 2/25/2010 3:32:59 AM - System Checkpoint
RP499: 2/26/2010 4:32:58 AM - System Checkpoint
RP500: 2/27/2010 11:07:54 AM - System Checkpoint
RP501: 2/28/2010 11:12:31 AM - System Checkpoint
RP502: 3/1/2010 11:24:17 AM - System Checkpoint
RP503: 3/2/2010 5:56:41 PM - System Checkpoint
RP504: 3/3/2010 6:31:59 PM - System Checkpoint
RP505: 3/4/2010 7:43:18 PM - System Checkpoint
RP506: 3/6/2010 7:30:19 AM - System Checkpoint
RP507: 3/7/2010 8:33:24 AM - System Checkpoint
RP508: 3/8/2010 6:21:33 PM - System Checkpoint
RP509: 3/9/2010 7:18:51 PM - System Checkpoint
RP510: 3/10/2010 6:11:53 PM - Software Distribution Service 3.0
RP511: 3/11/2010 6:31:15 PM - System Checkpoint
RP512: 3/12/2010 7:12:56 PM - System Checkpoint
RP513: 3/13/2010 10:40:58 PM - System Checkpoint
RP514: 3/15/2010 7:59:15 AM - System Checkpoint
RP515: 3/16/2010 6:02:35 PM - System Checkpoint
RP516: 3/17/2010 6:39:16 PM - System Checkpoint
RP517: 3/18/2010 8:42:47 PM - System Checkpoint
RP518: 3/20/2010 8:05:26 AM - System Checkpoint
RP519: 3/21/2010 8:47:41 AM - System Checkpoint
RP520: 3/22/2010 10:06:34 AM - System Checkpoint
RP521: 3/23/2010 10:08:29 AM - System Checkpoint
RP522: 3/24/2010 10:41:33 AM - System Checkpoint
RP523: 3/25/2010 11:28:02 AM - System Checkpoint
RP524: 3/29/2010 7:02:35 AM - System Checkpoint
RP525: 3/30/2010 7:35:46 AM - System Checkpoint
RP526: 3/30/2010 7:47:09 PM - Installed WIDCOMM Bluetooth Software
RP527: 4/1/2010 7:51:25 AM - ComboFix created restore point
RP528: 4/1/2010 4:32:23 PM - Software Distribution Service 3.0

==== Installed Programs ======================

3DGreetings Personal Edition
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Media Player
Adobe Reader 9.3.1
ALPS Touch Pad Driver
Apple Software Update
AVI/MPG Screensaver
B57Inst
Broadcom Driver Installer
CalorieKing Nutrition and Exercise Manager (remove only)
Canon Camera Access Library
Canon Camera Support Core Library
Canon G.726 WMP-Decoder
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC
Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
Canon Utilities EOS Utility
Canon Utilities MyCamera
Canon Utilities MyCamera DC
Canon Utilities PhotoStitch
Canon Utilities RemoteCapture Task for ZoomBrowser EX
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
CardBus
Comcast Rhapsody
Conexant D480 MDC V.92 Modem
Critical Update for Windows Media Player 11 (KB959772)
Dell ResourceCD
Dell Wireless WLAN Card
DrawPlus 3.0
Driver Installer
DTC Library version 2.0
DV Network Software
E-Text Reader IGT
Garmin USB Drivers
Garmin WebUpdater
getPlus® for Adobe
Glary Registry Repair 3.2.0.828
Glary Utilities 2.21.0.863
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Java™ 6 Update 4
Juniper Networks Setup Client
LiveUpdate 3.0 (Symantec Corporation)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft ActiveSync
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Office Communicator 2007 R2
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Web Publishing Wizard 1.52
Mozilla Firefox (3.6.2)
Nokia Connectivity Adapter Cable DKU-5
NVIDIA Drivers
OpenOffice.org 2.4
PCI 7510 CardBus Controller with SmartCard and Software
Photo Organizer
Pinpoint 8 Desktop Weather
PowerDVD 5.7
QuickSet
QuickTime
SAPI 5.1 Text-to-Speech
Security Update for CAPICOM (KB931906)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
SigmaTel AC97 Audio Drivers
Sonic DLA
Sonic RecordNow! Plus
Sonic Update Manager
Symantec AntiVirus
Terminal Server Client
The Print Shop
The Print Shop Photo Pro
The Real Yellow Pages v5.1.1
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
Update for Windows XP (KB978207)
Update for Windows XP (KB980182)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Walmart MP3 Music Downloads
Web Games Player Plugin
WebFldrs XP
WIDCOMM Bluetooth Software
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows XP Service Pack 3

==== Event Viewer Messages From Past Week ========

4/2/2010 10:02:41 AM, error: Dhcp [1002] - The IP address lease 192.168.254.4 for the Network Card with network address 000D56EBDAC4 has been denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).
4/1/2010 7:59:05 AM, error: Service Control Manager [7034] - The WLTRYSVC service terminated unexpectedly. It has done this 1 time(s).
4/1/2010 7:49:01 AM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
3/30/2010 9:20:15 PM, information: Windows File Protection [64004] - The protected system file atapi.sys could not be restored to its original, valid version. The file version of the bad file is unknown The specific error code is 0x00000000 [The operation completed successfully. ].
3/30/2010 9:20:15 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file atapi.sys. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.
3/30/2010 8:10:18 PM, error: PlugPlayManager [12] - The device 'SAMSUNG CDRW/DVD SN-324B' (IDE\CdRomSAMSUNG_CDRW/DVD_SN-324B________________U102____\5&18c802ac&0&0.0.0) disappeared from the system without first being prepared for removal.
3/30/2010 7:09:31 PM, error: Dhcp [1002] - The IP address lease 192.168.2.2 for the Network Card with network address 00904BB361DE has been denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).
3/30/2010 6:34:47 PM, information: Windows File Protection [64004] - The protected system file atapi.sys could not be restored to its original, valid version. The file version of the bad file is unknown The specific error code is 0x000003e3 [The I/O operation has been aborted because of either a thread exit or an application request. ].
3/30/2010 6:34:03 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Lbd
3/30/2010 6:33:38 PM, error: Service Control Manager [7000] - The MCSTRM service failed to start due to the following error: The system cannot find the file specified.
3/29/2010 6:14:08 AM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer D2SS8Q51 that believes that it is the master browser for the domain on transport NetBT_Tcpip_{7EA08353-3BC8-490B-. The master browser is stopping or an election is being forced.

==== End Of File ===========================


I reran the DDS log again.

The sucker is still there. This time it is showing file name A0067665.sys instead of atapi.sys with a partial removal.

Edited by hannadock, 02 April 2010 - 11:34 AM.


#6 fireman4it


    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:09:12 PM

Posted 02 April 2010 - 11:46 PM

Hello,
QUOTE
The sucker is still there. This time it is showing file name A0067665.sys instead of atapi.sys with a partial removal.

That file is a quarantine or system restore file; it is harmless. We will deal with these once we know the machine is clean.

How is your machine running? Any redirects or signs of malware?

QUOTE
I reran the DDS log again.

You have posted the attach.txt. Can you please post the DDS log?

Things to include in your next reply:
Answer to my above questions
Your DDS log


"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!


#7 hannadock

  • Topic Starter


Posted 03 April 2010 - 10:26 AM


DDS (Ver_10-03-17.01) - NTFSx86
Run by D800 at 11:23:01.47 on Sat 04/03/2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.380 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\D800\My Documents\Downloads\dds(3).scr
C:\Program Files\Symantec AntiVirus\DWHWIZRD.EXE

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.weightwatchers.com/plan/jnl/index_week.aspx?date=3/2/2010&viewDay=true
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_04\bin\ssv.dll
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
mRun: [CARPService] carpserv.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [\\D3X8N021\EPSON Stylus CX3800 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatiaca.exe /p37 "\\d3x8n021\EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Communicator] "c:\program files\microsoft office communicator\communicator.exe" /fromrunkey
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_04\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~2\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~2\INetRepl.dll
Trusted Zone: x10.com\www.gate
DPF: {001000AF-2DEF-0206-10B6-DC5BA692C858} - hxxp://www.gate.x10.com/control/xvidnx.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} - hxxp://i.dell.com/images/global/js/scanner/SysProExe.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1216963974306
DPF: {64CD313F-F079-4D93-959F-4D28B5519449} - hxxp://www.worldwinner.com/games/v56/jeopardy/jeopardy.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1216963962068
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://aolsvc.aol.com/onlinegames/luxor/mjolauncher.cab
DPF: {87587503-20F0-4FF5-8DA3-0107C4C03FDC} - hxxp://downloads.comcast.net/videomail/vmLauncher.cab
DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} - hxxp://picture.vzw.com/activex/VerizonWirelessUploadControl.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} - hxxp://www.worldwinner.com/games/v57/wof/wof.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} - hxxp://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} - hxxp://webgames.d.tmsrv.com/c=6b394d37d9f41253937c225b25391e7b/aff=t_03cm_wg/p/release/tikgames/wg_shapo_gold/shapo_gold/shapo.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://access.utk.edu/dana-cached/setup/JuniperSetupSP1.cab
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\d800\applic~1\mozilla\firefox\profiles\eeym3708.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.motors.ebay.com/|http://knoxville.craigslist.org/|http://www.ebay.com/|http://www.google.com/|http://www.pullapart.com/inventory/Main.aspx
FF - plugin: c:\documents and settings\all users\application data\zylom\zylomgamesplayer\npzylomgamesplayer.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 4095
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 1000000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 1000000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 1000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-12-19 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-12-19 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-3-7 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-3-7 169632]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-3-17 1799408]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-28 102448]
R3 GTICARD;GTICARD;c:\windows\system32\drivers\gticard.sys [2003-2-14 59328]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100331.005\naveng.sys [2010-4-1 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100331.005\navex15.sys [2010-4-1 1324720]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys --> c:\windows\system32\drivers\motccgp.sys [?]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys --> c:\windows\system32\drivers\motccgpfl.sys [?]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-3-17 115952]
S3 SWNC8U56;Sierra Wireless MUX NDIS Driver (UMTS56);c:\windows\system32\drivers\swnc8u56.sys [2009-8-8 101248]
S3 SWUMX56;Sierra Wireless USB MUX Driver (UMTS56);c:\windows\system32\drivers\swumx56.sys [2009-8-8 73856]

=============== Created Last 30 ================

2010-04-02 14:07:30 0 d-----w- c:\docume~1\d800\applic~1\Malwarebytes
2010-04-02 14:07:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-02 14:07:08 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-02 14:07:08 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-02 14:07:08 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-01 11:54:20 0 d-sha-r- C:\cmdcons
2010-04-01 11:51:01 98816 ----a-w- c:\windows\sed.exe
2010-04-01 11:51:01 77312 ----a-w- c:\windows\MBR.exe
2010-04-01 11:51:01 261632 ----a-w- c:\windows\PEV.exe
2010-04-01 11:51:01 161792 ----a-w- c:\windows\SWREG.exe
2010-03-31 12:08:48 0 ----a-w- c:\documents and settings\d800\defogger_reenable
2010-03-30 23:52:05 0 d-----w- c:\documents and settings\d800\Bluetooth Software
2010-03-30 23:47:48 47272 ----a-w- c:\windows\system32\drivers\btwusb.sys
2010-03-30 23:47:47 89896 ----a-w- c:\windows\system32\drivers\btwsecfl.sys
2010-03-30 23:47:45 57384 ----a-w- c:\windows\system32\drivers\btwhid.sys
2010-03-30 23:47:44 156392 ----a-w- c:\windows\system32\drivers\btwdndis.sys
2010-03-30 23:47:43 106557 ----a-w- c:\windows\system32\btw_ci.dll
2010-03-30 23:47:42 37160 ----a-w- c:\windows\system32\drivers\btport.sys
2010-03-30 23:47:41 990632 ----a-w- c:\windows\system32\drivers\btkrnl.sys
2010-03-30 23:47:39 534440 ----a-w- c:\windows\system32\drivers\btaudio.sys
2010-03-30 23:47:11 0 d-----w- c:\program files\WIDCOMM
2010-03-30 23:44:31 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-03-30 23:44:31 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-03-10 17:17:09 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-10 04:33:38 1025024 -c----w- c:\windows\system32\dllcache\browseui.dll

==================== Find3M ====================

2010-03-29 09:49:51 11242 ----a-w- c:\windows\system32\nvModes.dat
2010-02-26 05:43:57 667136 ------w- c:\windows\system32\wininet.dll
2010-02-26 05:43:54 81920 ----a-w- c:\windows\system32\ieencode.dll

============= FINISH: 11:24:07.05 ===============




Seems to be running OK, except Symantec keeps popping up with that alert several times a day.

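The SERVICES / DRIVERS block of the DDS log above is worth reading mechanically rather than by eye: DDS prints a driver whose binary cannot be found as `path --> path [?]`, and the start-type digit after the R/S tells you whether the driver loads at boot (0) or system start (1), i.e. before any user-mode antivirus gets a look in, which is the ring a rootkit living in a patched atapi.sys occupies. The parser below is an added example, not part of this thread or of the DDS tool. It assumes the line format `<R|S><start-type> name;display;path [date size]` as seen above; the sample input is five lines copied from the posted log, and the "early loader" grouping of start types 0 and 1 is my own label.

```python
"""Parse the SERVICES / DRIVERS block of a DDS log and flag entries worth a closer look.

Added example for the thread above; it is not part of DDS. Assumed line format:
    <R|S><start type> name;display;path [date size]
with a missing binary printed by DDS as:
    <R|S><start type> name;display;path --> path [?]
"""
import re

START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}

# R = running, S = stopped, digit = Windows service start type
_ENTRY = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<rest>.+?)\s*\[(?P<meta>[^\]]*)\]\s*$"
)

# Constructed sample: five lines copied from the DDS log posted above.
SAMPLE_LOG = r"""
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-12-19 337592]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-3-7 192160]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100331.005\naveng.sys [2010-4-1 84912]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys --> c:\windows\system32\drivers\motccgp.sys [?]
"""


def parse_dds_services(text):
    """Return one dict per service/driver line; lines that do not match the format are skipped."""
    entries = []
    for raw in text.splitlines():
        m = _ENTRY.match(raw.strip())
        if not m:
            continue
        path = m.group("rest")
        missing = " --> " in path
        if missing:
            # DDS shows "<ImagePath as registered> --> <resolved path> [?]" when the file is absent
            path = path.split(" --> ", 1)[1]
        date = size = None
        if not missing:
            parts = m.group("meta").split()
            if len(parts) == 2 and parts[1].isdigit():
                date, size = parts[0], int(parts[1])
        entries.append({
            "name": m.group("name"),
            "display": m.group("display"),
            "running": m.group("state") == "R",
            "start_type": START_TYPES[int(m.group("start"))],
            "path": path,
            "missing": missing,
            "date": date,
            "size": size,
        })
    return entries


def orphaned_services(entries):
    """Names of services/drivers whose ImagePath points at a file DDS could not find."""
    return [e["name"] for e in entries if e["missing"]]


def early_loaders(entries):
    """Names of boot-start and system-start drivers: they load before any user-mode AV."""
    return [e["name"] for e in entries if e["start_type"] in ("boot", "system")]


def report(text):
    """One line per entry, with missing binaries called out; returned rather than printed."""
    rows = []
    for e in parse_dds_services(text):
        state = "running" if e["running"] else "stopped"
        flag = "  <-- FILE NOT FOUND" if e["missing"] else ""
        rows.append(f"{e['name']:<10} {e['start_type']:<8} {state:<8} {e['path']}{flag}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
    entries = parse_dds_services(SAMPLE_LOG)
    print("orphaned:", orphaned_services(entries))
    print("early loaders:", early_loaders(entries))
```

An orphaned ImagePath is usually a leftover registry entry from an uninstalled product (the BitDefender QuickScan later in this thread lists the same three files as missing), but a driver whose file a kernel rootkit hides from user-mode tools would show up in exactly the same way, so treat the list as a starting point for verification, not a verdict.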

#8 fireman4it
    Bleepin' Fireman

  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:09:12 PM

Posted 03 April 2010 - 12:08 PM

Hello,

Let's reset your system restore, empty your temp files and uninstall ComboFix, and see if that doesn't stop the alerts.
If Norton keeps popping up after all this, please note the file's location and the type of infection. Are the alerts happening while you're surfing the net or when your system is idle?

1.
Uninstall Combofix
  • Make sure that Combofix.exe that you downloaded is on your Desktop but Do not run it!
    o *If it is not on your Desktop, the below will not work.
  • Click on Start, then Run....
  • Now copy & paste the green bolded text in the run-box and click OK.

    ComboFix /Uninstall



    (Notice the space between the "x" and "/". It needs to be there.)
    Windows Vista users: Press the Windows Key + R to bring the Run... Command and then from there you can add in the Combofix /Uninstall


  • Please advise if this step is missed for any reason as it performs some important actions:
    "This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.
    It also makes a clean Restore Point and flushes all the old restore points in order to prevent possible reinfection from an old one through System Restore."

2.
Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

3.
Please download ATF Cleaner by Atribune. (This program is for XP and Windows 2000 only)
    Double-click ATF-Cleaner.exe to run the program.
    Under Main "Select Files to Delete" choose: Select All.
    Click the Empty Selected button.
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

4.
I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
Note for Vista Users: ESET is compatible, but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

You can refer to this short video by: neomage
**Note**
To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

5.
Please run a BitDefender Online Scan
  • Click I Agree to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click Click here to scan to begin the scan.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on Click here to export the scan results.
  • Save the report to your desktop so you can post it in your next reply.

Things to include in your next reply:
Eset log
BitDefender log
A new DDS log
How is your machine running now? Norton still popping up with alerts?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!


#9 hannadock
  • Topic Starter
  • Members
  • 8 posts
  • Local time:10:12 PM

Posted 03 April 2010 - 03:08 PM

C:\Documents and Settings\D800\My Documents\Downloads\RegistryEasy.exe Win32/Adware.RegistryEasy application deleted - quarantined

QuickScan Beta 32-bit v0.9.9.15
-------------------------------

Scan date: Sat Apr 03 15:58:17 2010
Machine ID: 2C0E961C



No infection found.
---------------------



Processes
---------
<unsigned> Canon Camera Access Library 8 1776 C:\Program Files\Canon\CAL\CALMAIN.exe
<unsigned> Dell Wireless WLAN Card Wireless Networ 1764 C:\WINDOWS\System32\bcmwltry.exe
<unsigned> Dell Wireless WLAN Card Wireless Networ 2548 C:\WINDOWS\system32\WLTRAY.exe
<unsigned> Drive Letter Access Component 2432 C:\WINDOWS\system32\dla\tfswctrl.exe
<unsigned> EPSON Status Monitor 3 2460 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE
<unsigned> QuickSet Application 2424 C:\Program Files\Dell\QuickSet\quickset.exe
<unsigned> wltrysvc.exe 1528 C:\WINDOWS\System32\wltrysvc.exe

<verified> Alps Pointing-device Driver 2380 C:\Program Files\Apoint\Apoint.exe
<verified> Alps Pointing-device Driver for Windows 2948 C:\Program Files\Apoint\Apntex.exe
<verified> Bluetooth Software 1220 C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
<verified> Client and Host Security Platform 2440 C:\Program Files\Common Files\Symantec Shared\ccApp.exe
<verified> Client and Host Security Platform 1820 C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
<verified> Client and Host Security Platform 1676 C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
<verified> Conexant carpserv 2364 C:\WINDOWS\system32\carpserv.exe
<verified> Firefox 2088 C:\Program Files\Mozilla Firefox\firefox.exe
<verified> Microsoft ActiveSync 3144 C:\Program Files\Microsoft ActiveSync\rapimgr.exe
<verified> Microsoft ActiveSync 2908 C:\Program Files\Microsoft ActiveSync\wcescomm.exe
<verified> Microsoft® Windows® Operating System 1648 C:\WINDOWS\Explorer.EXE
<verified> Microsoft® Windows® Operating System 1544 C:\WINDOWS\System32\alg.exe
<verified> Microsoft® Windows® Operating System 692 C:\WINDOWS\system32\csrss.exe
<verified> Microsoft® Windows® Operating System 772 C:\WINDOWS\system32\lsass.exe
<verified> Microsoft® Windows® Operating System 2804 C:\WINDOWS\system32\rundll32.exe
<verified> Microsoft® Windows® Operating System 984 C:\WINDOWS\System32\SCardSvr.exe
<verified> Microsoft® Windows® Operating System 760 C:\WINDOWS\system32\services.exe
<verified> Microsoft® Windows® Operating System 644 C:\WINDOWS\System32\smss.exe
<verified> Microsoft® Windows® Operating System 2036 C:\WINDOWS\system32\spoolsv.exe
<verified> Microsoft® Windows® Operating System 1380 C:\WINDOWS\system32\svchost.exe
<verified> Microsoft® Windows® Operating System 1248 C:\WINDOWS\system32\svchost.exe
<verified> Microsoft® Windows® Operating System 1156 C:\WINDOWS\System32\svchost.exe
<verified> Microsoft® Windows® Operating System 1060 C:\WINDOWS\system32\svchost.exe
<verified> Microsoft® Windows® Operating System 976 C:\WINDOWS\system32\svchost.exe
<verified> Microsoft® Windows® Operating System 596 C:\WINDOWS\system32\svchost.exe
<verified> Microsoft® Windows® Operating System 444 C:\WINDOWS\system32\svchost.exe
<verified> Microsoft® Windows® Operating System 1408 C:\WINDOWS\system32\svchost.exe
<verified> Microsoft® Windows® Operating System 716 C:\WINDOWS\system32\winlogon.exe
<verified> Microsoft® Windows® Operating System 3752 C:\WINDOWS\system32\wscntfy.exe
<verified> NVIDIA Driver Helper Service, Version 6 400 C:\WINDOWS\system32\nvsvc32.exe
<verified> SPBBC 1916 C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
<verified> Symantec AntiVirus 516 C:\Program Files\Symantec AntiVirus\DefWatch.exe
<verified> Symantec AntiVirus 3152 C:\Program Files\Symantec AntiVirus\DoScan.exe
<verified> Symantec AntiVirus 1404 C:\Program Files\Symantec AntiVirus\Rtvscan.exe
<verified> Symantec AntiVirus 2448 C:\Program Files\Symantec AntiVirus\VPTray.exe


Network activity
----------------
Process firefox.exe (2088) connected on port 80 (HTTP) - yi-in-f138.1e100.net
Process firefox.exe (2088) connected on port 80 (HTTP) - a184-51-229-115.deploy.akamaitechnologies.com
Process firefox.exe (2088) connected on port 80 (HTTP) - 207.138.234.128
Process firefox.exe (2088) connected on port 80 (HTTP) - CRL.VERISIGN.NET

Process svchost.exe (1060) listens on ports: 135 (RPC)
Process rapimgr.exe (3144) listens on ports: 990 (FTP over SSL)


Autoruns and critical files
---------------------------
<unsigned> Dell Wireless WLAN Card Wireless Networ C:\WINDOWS\system32\WLTRAY.exe
<unsigned> Drive Letter Access Component C:\WINDOWS\system32\dla\tfswctrl.exe
<unsigned> EPSON Status Monitor 3 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE
<unsigned> NVIDIA nView Wizard, Version 67.42 C:\WINDOWS\system32\nwiz.exe
<unsigned> QuickSet Application C:\Program Files\Dell\QuickSet\quickset.exe
<unsigned> QuickTime C:\Program Files\QuickTime\qttask.exe
<unsigned> Sonic Update Manager C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

<verified> Alps Pointing-device Driver C:\Program Files\Apoint\Apoint.exe
<verified> Client and Host Security Platform C:\Program Files\Common Files\Symantec Shared\ccApp.exe
<verified> Conexant carpserv C:\WINDOWS\system32\carpserv.exe
<verified> Glary Utilities C:\Program Files\Glary Utilities\initialize.exe
<verified> Microsoft ActiveSync C:\Program Files\Microsoft ActiveSync\wcescomm.exe
<verified> Microsoft Genuine Advantage C:\WINDOWS\system32\WgaLogon.dll
<verified> Microsoft Office Communicator 2007 R2 C:\Program Files\Microsoft Office Communicator\communicator.exe
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\browseui.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\crypt32.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\cryptnet.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\cscdll.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\dimsntfy.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\logonui.exe
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\sclgntfy.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\shell32.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\stobject.dll
<verified> Microsoft® Windows® Operating System c:\windows\system32\userinit.exe
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\webcheck.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\wlnotify.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\WPDShServiceObj.dll
<verified> NVIDIA Compatible Windows 2000 Display C:\WINDOWS\system32\NvCpl.dll
<verified> Symantec AntiVirus C:\Program Files\Symantec AntiVirus\VPTray.exe
<verified> Symantec AntiVirus C:\WINDOWS\system32\NavLogon.dll


Browser plugins
---------------
<unsigned> Drive Letter Access Component c:\windows\system32\dla\tfswshx.dll
<unsigned> GameHouseGame Dynamic Link Library C:\WINDOWS\Downloaded Program Files\ghgamesplayer.dll
<unsigned> LightSurfUploadControl Module C:\WINDOWS\Downloaded Program Files\VerizonWirelessUploadControl.dll
<unsigned> MJOLauncher Module C:\WINDOWS\Downloaded Program Files\mjolauncher.dll
<unsigned> QuickTime Plug-in 7.5 (861) C:\Program Files\Internet Explorer\plugins\npqtplugin.dll
<unsigned> QuickTime Plug-in 7.5 (861) C:\Program Files\Internet Explorer\plugins\npqtplugin2.dll
<unsigned> QuickTime Plug-in 7.5 (861) C:\Program Files\Internet Explorer\plugins\npqtplugin3.dll
<unsigned> QuickTime Plug-in 7.5 (861) C:\Program Files\Internet Explorer\plugins\npqtplugin4.dll
<unsigned> QuickTime Plug-in 7.5 (861) C:\Program Files\Internet Explorer\plugins\npqtplugin5.dll
<unsigned> QuickTime Plug-in 7.5 (861) C:\Program Files\Internet Explorer\plugins\npqtplugin6.dll
<unsigned> QuickTime Plug-in 7.5 (861) C:\Program Files\Internet Explorer\plugins\npqtplugin7.dll
<unsigned> QuickTime Plug-in 7.5 (861) C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
<unsigned> QuickTime Plug-in 7.5 (861) C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
<unsigned> QuickTime Plug-in 7.5 (861) C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
<unsigned> QuickTime Plug-in 7.5 (861) C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
<unsigned> QuickTime Plug-in 7.5 (861) C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
<unsigned> QuickTime Plug-in 7.5 (861) C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
<unsigned> QuickTime Plug-in 7.5 (861) C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
<unsigned> Snapfish Activia C:\WINDOWS\Downloaded Program Files\SnapfishActivia1000.ocx
<unsigned> TikGames' Online Game Control C:\WINDOWS\Downloaded Program Files\gpcontrol.dll
<unsigned> X10NetTest C:\WINDOWS\Downloaded Program Files\X10NetTest.dll
<unsigned> Zylom Plugin C:\Documents and Settings\All Users\Application Data\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
<unsigned> Zylom Plugin C:\Program Files\Mozilla Firefox\plugins\npzylomgamesplayer.dll

<verified> AcroIEHelperShim Library c:\program files\common files\adobe\acrobat\activex\acroiehelpershim.dll
<verified> Adobe Acrobat C:\Program Files\Internet Explorer\plugins\nppdf32.dll
<verified> Adobe Acrobat C:\Program Files\Mozilla Firefox\plugins\nppdf32.dll
<verified> Adobe® Flash® Player ActiveX C:\WINDOWS\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe
<verified> BitDefender QuickScan C:\Documents and Settings\D800\Application Data\Mozilla\Firefox\Profiles\eeym3708.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
<verified> BitDefender QuickScan C:\Documents and Settings\D800\Application Data\Mozilla\Firefox\Profiles\eeym3708.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
<verified> Family Feud C:\WINDOWS\Downloaded Program Files\familyfeud.ocx
<verified> Games C:\WINDOWS\Downloaded Program Files\wwlaunch.ocx
<verified> Java™ Platform SE 6 U4 c:\program files\java\jre1.6.0_04\bin\ssv.dll
<verified> Jeopardy C:\WINDOWS\Downloaded Program Files\jeopardy.ocx
<verified> JuniperExt.exe C:\WINDOWS\Downloaded Program Files\JuniperExt.exe
<verified> JuniperSetupClientATL ActiveX Control M C:\WINDOWS\Downloaded Program Files\JuniperSetup.ocx
<verified> JuniperSetupClientATL ActiveX Control M C:\WINDOWS\Downloaded Program Files\JuniperSetupClient.ocx
<verified> Messenger C:\Program Files\Messenger\msmsgs.exe
<verified> Microsoft® Windows Media Player Firefox C:\Program Files\Mozilla Firefox\plugins\np-mswmp.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\mswsock.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\rsvpsp.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\shdocvw.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\winrnr.dll
<verified> Mozilla Default Plug-in C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
<verified> NPSWF32.dll C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
<verified> Wheel Of Fortune C:\WINDOWS\Downloaded Program Files\wof.ocx
<verified> Windows Presentation Foundation c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll


Missing files
-------------
File not found: system32\DRIVERS\Lbd.sys
referenced in: HKLM\System\ControlSet001\services\Lbd\"ImagePath"

File not found: system32\DRIVERS\motccgp.sys
referenced in: HKLM\System\ControlSet001\services\motccgp\"ImagePath"

File not found: system32\DRIVERS\motccgpfl.sys
referenced in: HKLM\System\ControlSet001\services\motccgpfl\"ImagePath"


Scan
----
<unsigned> MD5: fc5866f7793af2cbcd425cc4b8d32a9e C:\Documents and Settings\All Users\Application Data\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
<unsigned> MD5: 8ef654045e518ac00e52e7a1e2d3ad70 C:\Program Files\Canon\CAL\CALMAIN.exe
<unsigned> MD5: 52b80c30225de81d7ac989dfe7311877 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
<unsigned> MD5: a2eca78dc5b436a7cd66a98e2a360b4a C:\Program Files\Dell\QuickSet\dadkeyb.dll
<unsigned> MD5: 7443ab66e4c178a9d73395bf9efb6427 C:\Program Files\Dell\QuickSet\quickset.exe
<unsigned> MD5: 27f9e0201d27d1c6472285de35898ca1 C:\Program Files\Internet Explorer\plugins\npqtplugin.dll
<unsigned> MD5: 27f9e0201d27d1c6472285de35898ca1 C:\Program Files\Internet Explorer\plugins\npqtplugin2.dll
<unsigned> MD5: 27f9e0201d27d1c6472285de35898ca1 C:\Program Files\Internet Explorer\plugins\npqtplugin3.dll
<unsigned> MD5: 27f9e0201d27d1c6472285de35898ca1 C:\Program Files\Internet Explorer\plugins\npqtplugin4.dll
<unsigned> MD5: 27f9e0201d27d1c6472285de35898ca1 C:\Program Files\Internet Explorer\plugins\npqtplugin5.dll
<unsigned> MD5: 27f9e0201d27d1c6472285de35898ca1 C:\Program Files\Internet Explorer\plugins\npqtplugin6.dll
<unsigned> MD5: 27f9e0201d27d1c6472285de35898ca1 C:\Program Files\Internet Explorer\plugins\npqtplugin7.dll
<unsigned> MD5: 26b018758226a5dc06de45496c394d40 C:\Program Files\Mozilla Firefox\freebl3.dll
<unsigned> MD5: 9dfb30f203999a3ae0f258a33fa598f9 C:\Program Files\Mozilla Firefox\nssdbm3.dll
<unsigned> MD5: 27f9e0201d27d1c6472285de35898ca1 C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
<unsigned> MD5: 27f9e0201d27d1c6472285de35898ca1 C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
<unsigned> MD5: 27f9e0201d27d1c6472285de35898ca1 C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
<unsigned> MD5: 27f9e0201d27d1c6472285de35898ca1 C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
<unsigned> MD5: 27f9e0201d27d1c6472285de35898ca1 C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
<unsigned> MD5: 27f9e0201d27d1c6472285de35898ca1 C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
<unsigned> MD5: 27f9e0201d27d1c6472285de35898ca1 C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
<unsigned> MD5: fc5866f7793af2cbcd425cc4b8d32a9e C:\Program Files\Mozilla Firefox\plugins\npzylomgamesplayer.dll
<unsigned> MD5: 1fd6c03c0001a5e1eaf61596c2502f0c C:\Program Files\Mozilla Firefox\softokn3.dll
<unsigned> MD5: f34eb5d4f145ed5fe50033ca3a41ed24 C:\Program Files\QuickTime\qttask.exe
<unsigned> MD5: 4b6c008a17d64a10aadf1163cb3aa1ef C:\WINDOWS\Downloaded Program Files\ghgamesplayer.dll
<unsigned> MD5: 35bd60db11e72fbd930a5cde6335f51c C:\WINDOWS\Downloaded Program Files\gpcontrol.dll
<unsigned> MD5: 026e1291e47ae30ebb1d3427b09567aa C:\WINDOWS\Downloaded Program Files\mjolauncher.dll
<unsigned> MD5: f5c79c45f1adf877dc3afdff3565ae7b C:\WINDOWS\Downloaded Program Files\SnapfishActivia1000.ocx
<unsigned> MD5: 4d3867165ceb57e4f707c5ac7e253d05 C:\WINDOWS\Downloaded Program Files\VerizonWirelessUploadControl.dll
<unsigned> MD5: dbfefeeda839903ccf5d56635353eb93 C:\WINDOWS\Downloaded Program Files\X10NetTest.dll
<unsigned> MD5: 8f2097e8b174f38178570c611464935f C:\WINDOWS\system32\atl71.dll
<unsigned> MD5: 6e000ec0096a2a1cf4a31b7393a29ae1 C:\WINDOWS\system32\bcm1xsup.dll
<unsigned> MD5: ee56f213182841bbf333d4ea3db481ef C:\WINDOWS\system32\BCMLogon.dll
<unsigned> MD5: 4df537a09034434ea9481b88ab1d3c25 C:\WINDOWS\system32\bcmwlpkt.dll
<unsigned> MD5: 3118a7345a5c28e8d5c6be7a90aea0a6 C:\WINDOWS\System32\bcmwltry.exe
<unsigned> MD5: 2e230d110d9257bfb3964f6561719da8 C:\WINDOWS\system32\BMAPI.dll
<unsigned> MD5: 2876962da6e83fb265ba40fea951ebd5 C:\WINDOWS\system32\bthcrp.dll
<unsigned> MD5: eb31009c634ed9c712f8fcde6620f2c0 C:\WINDOWS\system32\BTNCopy.dll
<unsigned> MD5: 1d265cd2fb1673a0873bf8cec19ddc7f C:\WINDOWS\system32\dla\tfsnboio.sys
<unsigned> MD5: 62e4901295e0467cac78e5b4b131ae5c C:\WINDOWS\system32\dla\tfsncofs.sys
<unsigned> MD5: a2f380f9252ab3464c859adf91eead9c C:\WINDOWS\system32\dla\tfsndrct.sys
<unsigned> MD5: eee79bbefe9c6a2a3ce6c8753cfea950 C:\WINDOWS\system32\dla\tfsndres.sys
<unsigned> MD5: 9d644eb11fec9487450c4cfcd63a5df4 C:\WINDOWS\system32\dla\tfsnifs.sys
<unsigned> MD5: e656af05c67edb7c0e9230a5df71ed1b C:\WINDOWS\system32\dla\tfsnopio.sys
<unsigned> MD5: 64fccb9cce703ca507dffc3cebf6b2cb C:\WINDOWS\system32\dla\tfsnpool.sys
<unsigned> MD5: 48bc9d8ab4e4b9bff70fb18e55cec3d6 C:\WINDOWS\system32\dla\tfsnudf.sys
<unsigned> MD5: 79f60822224256b49bfc855da8d651d5 C:\WINDOWS\system32\dla\tfsnudfa.sys
<unsigned> MD5: 14c215962679fa00f5869291cbca14f8 C:\WINDOWS\system32\dla\tfswcres.dll
<unsigned> MD5: 790490f273b0e3bcf05dc3c308abcc0b C:\WINDOWS\system32\dla\tfswctrl.exe
<unsigned> MD5: 14eff6496cf0e873f8f7cd930b135cf9 c:\windows\system32\dla\tfswshx.dll
<unsigned> MD5: 84853b3fd012251690570e9e7e43343f C:\WINDOWS\system32\drivers\cercsr6.sys
<unsigned> MD5: b15f9e526ba511a48b1b1b8537815740 C:\WINDOWS\system32\drivers\drvmcdb.sys
<unsigned> MD5: fa4670cae95ae2bb857c68e535661145 C:\WINDOWS\system32\drivers\DRVNDDM.sys
<unsigned> MD5: 53d5f1278d9edb21689bbbcecc09108d C:\WINDOWS\system32\DRIVERS\omci.sys
<unsigned> MD5: 6c1618a07b49e3873582b6449e744088 C:\WINDOWS\system32\drivers\pfc.sys
<unsigned> MD5: 30cbae0a34359f1cd19d1576245149ed C:\WINDOWS\System32\Drivers\PxHelp20.sys
<unsigned> MD5: d7968049be0adbb6a57cee3960320911 C:\WINDOWS\system32\drivers\sscdbhk5.sys
<unsigned> MD5: c3ffd65abfb6441e7606cf74f1155273 C:\WINDOWS\system32\drivers\SSRTLN.sys
<unsigned> MD5: f35a584e947a5b401feb0fe01db4a0d7 C:\WINDOWS\system32\mfc71.dll
<unsigned> MD5: 561fa2abb31dfa8fab762145f81667c2 C:\WINDOWS\system32\msvcp71.dll
<unsigned> MD5: 86f1895ae8c5e8b17d99ece768a70732 C:\WINDOWS\system32\msvcr71.dll
<unsigned> MD5: 0c0c7b1ff49e16a644662ffdd2c67e1d C:\WINDOWS\system32\nview.dll
<unsigned> MD5: 2d0e2ae1f0e5beb542ea5e10d630faca C:\WINDOWS\system32\nvshell.dll
<unsigned> MD5: 0bd6973f95cf3b90dc0cec8a16e2a482 C:\WINDOWS\system32\nwiz.exe
<unsigned> MD5: da36286390b4955b0279180e69694963 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE
<unsigned> MD5: f52302769ecaacfcc45a01fc6ee82288 C:\WINDOWS\system32\tfswapi.dll
<unsigned> MD5: 1a1a97fe827354b239cd7d98e6a17c00 C:\WINDOWS\system32\wbtapi.dll
<unsigned> MD5: 5d879252567c1b4b9714197448791ab0 C:\WINDOWS\system32\WidcommSdk.dll
<unsigned> MD5: 234c29a211817b5c69c2e4c4c4f71750 C:\WINDOWS\system32\WLTRAY.exe
<unsigned> MD5: 6c2981657e2d424518de66c786eee672 C:\WINDOWS\system32\wltrynt.dll
<unsigned> MD5: 8e12adcd26a2ac8006e52b74463e9dd1 C:\WINDOWS\System32\wltrysvc.exe


No file uploaded.

Scan finished - communication took 4 sec
Total traffic - 0.06 MB sent, 2.99 KB recvd
Scanned 1072 files and modules - 113 seconds


DDS (Ver_10-03-17.01) - NTFSx86
Run by D800 at 16:02:56.17 on Sat 04/03/2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.394 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\D800\My Documents\Downloads\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.weightwatchers.com/plan/jnl/index_week.aspx?date=3/2/2010&viewDay=true
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_04\bin\ssv.dll
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
mRun: [CARPService] carpserv.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [\\D3X8N021\EPSON Stylus CX3800 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatiaca.exe /p37 "\\d3x8n021\EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Communicator] "c:\program files\microsoft office communicator\communicator.exe" /fromrunkey
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_04\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~2\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~2\INetRepl.dll
Trusted Zone: x10.com\www.gate
DPF: {001000AF-2DEF-0206-10B6-DC5BA692C858} - hxxp://www.gate.x10.com/control/xvidnx.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} - hxxp://i.dell.com/images/global/js/scanner/SysProExe.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1216963974306
DPF: {64CD313F-F079-4D93-959F-4D28B5519449} - hxxp://www.worldwinner.com/games/v56/jeopardy/jeopardy.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1216963962068
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://aolsvc.aol.com/onlinegames/luxor/mjolauncher.cab
DPF: {87587503-20F0-4FF5-8DA3-0107C4C03FDC} - hxxp://downloads.comcast.net/videomail/vmLauncher.cab
DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} - hxxp://picture.vzw.com/activex/VerizonWirelessUploadControl.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} - hxxp://www.worldwinner.com/games/v57/wof/wof.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} - hxxp://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} - hxxp://webgames.d.tmsrv.com/c=6b394d37d9f41253937c225b25391e7b/aff=t_03cm_wg/p/release/tikgames/wg_shapo_gold/shapo_gold/shapo.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://access.utk.edu/dana-cached/setup/JuniperSetupSP1.cab
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\d800\applic~1\mozilla\firefox\profiles\eeym3708.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.motors.ebay.com/|http://knoxville.craigslist.org/|http://www.ebay.com/|http://www.google.com/|http://www.pullapart.com/inventory/Main.aspx
FF - component: c:\documents and settings\d800\application data\mozilla\firefox\profiles\eeym3708.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: c:\documents and settings\all users\application data\zylom\zylomgamesplayer\npzylomgamesplayer.dll
FF - plugin: c:\documents and settings\d800\application data\mozilla\firefox\profiles\eeym3708.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 4095
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 1000000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 1000000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 1000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-12-19 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-12-19 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-3-7 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-3-7 169632]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-3-17 1799408]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-28 102448]
R3 GTICARD;GTICARD;c:\windows\system32\drivers\gticard.sys [2003-2-14 59328]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100402.004\naveng.sys [2010-4-3 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100402.004\navex15.sys [2010-4-3 1324720]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys --> c:\windows\system32\drivers\motccgp.sys [?]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys --> c:\windows\system32\drivers\motccgpfl.sys [?]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-3-17 115952]
S3 SWNC8U56;Sierra Wireless MUX NDIS Driver (UMTS56);c:\windows\system32\drivers\swnc8u56.sys [2009-8-8 101248]
S3 SWUMX56;Sierra Wireless USB MUX Driver (UMTS56);c:\windows\system32\drivers\swumx56.sys [2009-8-8 73856]

=============== Created Last 30 ================

2010-04-03 19:58:08 0 d-----w- c:\docume~1\d800\applic~1\QuickScan
2010-04-03 18:19:03 0 d-----w- c:\program files\ESET
2010-04-02 14:07:30 0 d-----w- c:\docume~1\d800\applic~1\Malwarebytes
2010-04-02 14:07:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-02 14:07:08 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-02 14:07:08 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-02 14:07:08 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-01 11:54:20 0 d-sha-r- C:\cmdcons
2010-03-31 12:08:48 0 ----a-w- c:\documents and settings\d800\defogger_reenable
2010-03-30 23:52:05 0 d-----w- c:\documents and settings\d800\Bluetooth Software
2010-03-30 23:47:48 47272 ----a-w- c:\windows\system32\drivers\btwusb.sys
2010-03-30 23:47:47 89896 ----a-w- c:\windows\system32\drivers\btwsecfl.sys
2010-03-30 23:47:45 57384 ----a-w- c:\windows\system32\drivers\btwhid.sys
2010-03-30 23:47:44 156392 ----a-w- c:\windows\system32\drivers\btwdndis.sys
2010-03-30 23:47:43 106557 ----a-w- c:\windows\system32\btw_ci.dll
2010-03-30 23:47:42 37160 ----a-w- c:\windows\system32\drivers\btport.sys
2010-03-30 23:47:41 990632 ----a-w- c:\windows\system32\drivers\btkrnl.sys
2010-03-30 23:47:39 534440 ----a-w- c:\windows\system32\drivers\btaudio.sys
2010-03-30 23:47:11 0 d-----w- c:\program files\WIDCOMM
2010-03-30 23:44:31 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-03-30 23:44:31 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-03-10 17:17:09 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-10 04:33:38 1025024 -c----w- c:\windows\system32\dllcache\browseui.dll

==================== Find3M ====================

2010-03-29 09:49:51 11242 ----a-w- c:\windows\system32\nvModes.dat
2010-02-26 05:43:57 667136 ------w- c:\windows\system32\wininet.dll
2010-02-26 05:43:54 81920 ----a-w- c:\windows\system32\ieencode.dll

============= FINISH: 16:03:22.99 ===============


It seems to be running ok. No Symantec notifications. It seems to happen when idle.

#10 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:09:12 PM

Posted 03 April 2010 - 04:31 PM

Congratulations, your log is clean!

For a nice list of freeware programmes in all categories, please have a look at this thread with freeware products that are regarded as useful by the users of this forum: Commonly Used Freeware Replacements.
Please also have a look at the following links, giving some advice and suggestions for preventing future infections:

Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
I recommend you regularly visit the Windows Update Site, you were lagging behind on a few of them!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • By updating your machine, you have one less headache!
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish, you can also use automatic updates. This is a good thing to have if you want to be up-to-date all the time, but can also be a bit of an annoyance due to its handling and the sizes of the updates. If you wish to turn on automatic updates then you will find here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
  • If you do not want to have automatic updates turned on, or are on dial-up, you can always download updates separately at: http://windowsupdate.microsoft.com.
It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Another recommendation is to download HostsMan. It safeguards you with a regularly updated Hosts-file that blocks dangerous sites from opening. This adds another bit of safety while surfing the Internet. For installation and setting up, follow these steps:
  1. Double-click the Downloaded installer and install the tool to a location of your choice
  2. Via the Startmenu, navigate to HostsMan and run the program.
    1. Click "Hosts" in the menu
    2. Click "Manage Updates" in the submenu
    3. Out of the three, select at least one of the three (I have MVPS Host as my main one)
    4. Click "Add Update." After that you will only need to click on the following button to retrieve updates:
  3. Click the X to exit the program.
  4. Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet

Glad I was able to help and if there any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!

"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!


#11 hannadock

hannadock
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:10:12 PM

Posted 03 April 2010 - 05:04 PM

Thanks for all the help

#12 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:09:12 PM

Posted 03 April 2010 - 06:36 PM

No problem glad I could help!

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send a Private Message to any one of the moderating team members or myself. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.

