Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Attack being blocked by Norton Internet Security whenever I use a search engine

  • This topic is locked This topic is locked
6 replies to this topic

#1 farakahn


  • Members
  • 3 posts
  • Local time:08:57 PM

Posted 30 May 2010 - 07:41 PM

Hello All,

I am having an issue when I start to use the internet, especially if I use any sort of search engine. If I try a search on google as soon as I enter the search my Norton Internet Security pops up a warning stating, "A recent attempt to attack your computer was blocked". I look at the info on it and the risk name is: HTTP Tidserv Request, and the attacking computer, most of the time, is: m01n83kjf7.com. Sometimes the attacking computer is: j00k877x.cc. Even after I close the browser if I leave the internet connected there are still random attacks being blocked. This happens consistently while I am connected. I am almost to the point where I am going to wipe the computer clean and start from scratch. Please help before I lose it! I have included the DDS log in the post and have attached the attach log and GMER log as attachments. Thank you so much for your help.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Vicki at 22:25:08.25 on Sat 05/29/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1222 [GMT -7:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Norton Internet Security\Engine\\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Norton Internet Security\Engine\\ccSvcHst.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Norton Internet Security\Engine\\MCUI32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Vicki\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.toshiba.com/search
mStart Page = hxxp://search.myheritage.com
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\\IPSBHO.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: STOPzilla Browser Helper Object: {e3215f20-3212-11d6-9f8b-00d0b743919d} - c:\program files\stopzilla!\SZIEBHO.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\\coIEPlg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - No File
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [CeEPOWER] c:\program files\toshiba\power management\CePMTray.exe
mRun: [CeEKEY] c:\program files\toshiba\e-key\CeEKey.exe
mRun: [TPNF] c:\program files\toshiba\touchpad\TPTray.exe
mRun: [ezShieldProtector for Px] c:\windows\system32\ezSP_Px.exe
mRun: [VX6000] c:\windows\vVX6000.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRunOnce: [Uninstall Adobe Download Manager] "c:\windows\system32\rundll32.exe" "c:\program files\nos\bin\getPlus_Helper.dll",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1noarp
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\trojan~1.lnk - c:\program files\trojan guarder\Trojan Guarder.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://www.geni.com/ImageUploader5.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1242423575874
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\vicki\applic~1\mozilla\firefox\profiles\ec9elwv9.default\
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\documents and settings\vicki\local settings\application data\google\update\\npGoogleOneClick8.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [2004-5-5 10112]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-5-29 64288]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-5-15 218592]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1107000.00c\symds.sys [2010-5-24 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1107000.00c\symefa.sys [2010-5-24 173104]
R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [2009-12-7 61328]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [2010-2-24 173328]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\definitions\bashdefs\20100429.001\BHDrvx86.sys [2010-4-29 537136]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1107000.00c\cchpx86.sys [2010-5-24 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1107000.00c\ironx86.sys [2010-5-24 116784]
R1 SymSMR100;SMR Utility Service;c:\windows\system32\drivers\SymSMR100.SYS [2010-5-29 58416]
R2 BsUDF;B.H.A UDF Filesystem;c:\windows\system32\drivers\BsUDF.sys [2004-5-5 395008]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1314704]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\\ccsvchst.exe [2010-5-24 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-25 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\definitions\ipsdefs\20100520.001\IDSXpx86.sys [2009-10-28 329592]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\definitions\virusdefs\20100529.006\NAVENG.SYS [2010-5-29 85552]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\definitions\virusdefs\20100529.006\NAVEX15.SYS [2010-5-29 1347504]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [2009-12-7 61328]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2009-12-25 18560]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\9a.tmp --> c:\windows\system32\9A.tmp [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-5-15 366840]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-5-15 1142224]
S3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [2010-1-29 2074480]
S4 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-5-15 112592]

=============== Created Last 30 ================

2010-05-30 05:13:21 0 ----a-w- c:\documents and settings\vicki\defogger_reenable
2010-05-30 04:42:12 0 ----a-w- c:\windows\system32\drivers\SymSMR100.dat
2010-05-30 04:42:10 58416 ----a-w- c:\windows\system32\drivers\SymSMR100.SYS
2010-05-30 03:41:48 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-05-30 03:41:43 110 ---ha-w- C:\aaw7boot.cmd
2010-05-29 19:23:51 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-05-29 19:23:44 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-29 19:09:18 0 d-----w- c:\program files\Trojan Guarder
2010-05-29 19:08:26 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-05-29 19:07:29 0 d-----w- c:\program files\Lavasoft
2010-05-29 18:51:15 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-05-29 18:51:15 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-05-25 17:37:19 124688 ----a-w- c:\windows\system32\MSWinSck.ocx
2010-05-25 17:37:16 212240 ----a-w- c:\windows\system32\RichTx32.ocx
2010-05-25 17:37:11 614400 ----a-w- c:\windows\system32\ExButton.dll
2010-05-25 17:37:11 602112 ----a-w- c:\windows\system32\ExMenu.dll
2010-05-25 17:37:11 516096 ----a-w- c:\windows\system32\ExTab.dll
2010-05-25 17:37:11 307200 ----a-w- c:\windows\system32\ExPMenu.dll
2010-05-25 17:37:11 1753088 ----a-w- c:\windows\system32\ExGrid.dll
2010-05-25 17:37:10 356352 ----a-w- c:\windows\system32\eSellerateEngine.dll
2010-05-25 17:37:10 118784 ----a-w- c:\windows\system32\eWebControl.dll
2010-05-25 17:37:10 0 d-----w- c:\program files\common files\eSellerate
2010-05-25 17:37:09 368912 ----a-w- c:\windows\system32\vbar332.dll
2010-05-25 17:37:08 140288 ----a-w- c:\windows\system32\COMDLG32.OCX
2010-05-25 17:37:07 0 d-----w- c:\program files\AnswersThatWork
2010-05-25 17:13:05 47408 ----a-r- c:\windows\system32\drivers\SymIM.sys
2010-05-24 01:12:48 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-05-24 01:09:49 0 d-----r- c:\program files\Skype
2010-05-24 00:36:51 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-05-24 00:36:51 215920 ----a-w- c:\windows\system32\muweb.dll
2010-05-24 00:36:51 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-05-24 00:36:28 0 d-----w- c:\program files\Yahoo!
2010-05-24 00:21:19 0 d-----w- c:\documents and settings\vicki\Tracing
2010-05-24 00:17:01 0 d-----w- c:\program files\Microsoft
2010-05-24 00:16:34 0 d-----w- c:\program files\Windows Live SkyDrive
2010-05-24 00:07:08 0 d-----w- c:\program files\common files\Windows Live
2010-05-23 23:55:23 0 d-----w- c:\program files\Microsoft LifeCam
2010-05-23 23:54:46 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2010-05-23 23:54:42 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2010-05-23 23:54:18 0 d-----w- c:\windows\Logs
2010-05-23 23:39:17 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2010-05-23 23:39:17 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2010-05-23 23:38:44 53760 -c--a-w- c:\windows\system32\dllcache\vfwwdm32.dll
2010-05-23 23:38:44 53760 ----a-w- c:\windows\system32\vfwwdm32.dll
2010-05-17 14:12:27 0 d-----w- c:\docume~1\vicki\applic~1\Malwarebytes
2010-05-17 14:11:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-17 14:11:30 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-17 14:11:30 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-17 14:11:29 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-17 07:38:49 0 d-----w- c:\program files\Sophos
2010-05-17 03:21:58 16384 ---ha-w- C:\SZKGFS.dat
2010-05-17 03:20:58 0 d-----w- c:\docume~1\alluse~1\applic~1\SITEguard
2010-05-17 03:19:35 0 d-----w- c:\program files\STOPzilla!
2010-05-17 03:19:33 0 d-----w- c:\program files\common files\iS3
2010-05-17 03:19:32 0 d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2010-05-16 05:58:47 767952 ----a-w- c:\windows\BDTSupport.dll
2010-05-16 05:58:43 882 ----a-w- c:\windows\RegSDImport.xml
2010-05-16 05:58:42 879 ----a-w- c:\windows\RegISSImport.xml
2010-05-16 05:58:42 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-05-16 05:58:42 131 ----a-w- c:\windows\IDB.zip
2010-05-16 05:58:40 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-05-16 05:58:40 1152444 ----a-w- c:\windows\UDB.zip
2010-05-16 05:58:39 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-05-16 05:47:14 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2010-05-16 05:47:14 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-05-16 05:46:08 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-05-16 05:46:08 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-05-16 05:46:08 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-05-16 05:46:08 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-05-16 05:45:14 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2010-05-16 05:45:14 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-05-16 05:44:11 0 d-----w- c:\program files\Spyware Doctor
2010-05-16 05:44:11 0 d-----w- c:\program files\common files\PC Tools
2010-05-16 05:44:11 0 d-----w- c:\docume~1\vicki\applic~1\PC Tools
2010-05-16 05:44:11 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools

==================== Find3M ====================

2010-04-17 05:12:18 48464 ----a-w- c:\windows\system32\sirenacm.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-06 01:16:42 17408 ----a-r- c:\windows\system32\SZIO5.dll
2010-03-06 01:14:16 442368 ----a-r- c:\windows\system32\SZBase5.dll
2010-03-06 01:13:44 540672 ----a-r- c:\windows\system32\SZComp5.dll

============= FINISH: 22:27:17.18 ===============

Attached Files

BC AdBot (Login to Remove)


#2 etavares


    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:11:57 PM

Posted 02 June 2010 - 06:49 PM

Hello, farakahn.
My name is etavares and I will be helping you with this log.

Here are some guidelines to ensure we are able to get your machine back under your control.
  • Please do not run any unsupervised scans, fixes, etc. We can work against each other and end up in a worse place.
  • Please subscribe to this topic if you have not already done so. Please check back just in case, as the email system can fail at times.
  • Just because your machine is running better does not mean it is completely cleaned. Please wait for the 'all clear' from me to say when we are done.
  • Please reply within 3 days to be fair to other people asking for help.
  • When in doubt, please stop and ask first. There's no harm in asking questions!

Backdoor Warning
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.

Next, please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop as farakahnCF.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on farakahnCF.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators

#3 farakahn

  • Topic Starter

  • Members
  • 3 posts
  • Local time:08:57 PM

Posted 06 June 2010 - 01:27 PM

Thank you for the advice. I am in the process of wiping out the computer and reloading the OS. I plan on putting the newest version of Norton 360 on the computer. Is there any other programs you would suggest I use to help prevent this from happening again? I also plan on using Google Chrome as my browser since I have heard it is less likely then Internet Explorer to allow Malware. Is this true? Thanks again for your help.

#4 etavares


    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:11:57 PM

Posted 06 June 2010 - 07:12 PM

Hello, farakahn.

I've put some 'light' reformatting reading at the bottom of this. Please make sure you reformat, and not just reinstall Windows.

A general security suite should include one (and ONLY one!) from each of the following categories:
  1. Antivirus
  2. Antispyware
  3. Firewall

Norton 360 should cover all three categories. You may want to scan with MBAM once every week or two, but not have it active otherwise.

The general rule of thumb with browsers is that the most popular ones (e.g. IE) gets most of the malware targeted at its exploits since they get the biggest prize for the same effort. But, no browser is 100% safe. For that matter, neither is any antivirus. New threats are constantly emerging. Chrome is a good choice. I prefer Firefox, but both are very good choices.

Here's a good article on how to reformat:
When Should I Format, How Should I Reinstall

Also, to protect yourself against malware and reduce your chance of reinfection in the future, I strongly recommend to have a look at following links (giving some advice and tips):

If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators

#5 farakahn

  • Topic Starter

  • Members
  • 3 posts
  • Local time:08:57 PM

Posted 07 June 2010 - 01:14 AM

Thanks again for the advice. I am re-formating the hard drive first and then re-installing windows. I will be using MBAM on a more consistent basis for sure. I appreciate your time, and no offense, I hope we never have to chat again!


#6 etavares


    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:11:57 PM

Posted 07 June 2010 - 06:34 PM

no problem...I hope your post count stays at 3..at least in this forum!

If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators

#7 etavares


    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:11:57 PM

Posted 14 June 2010 - 04:27 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. smile.gif

If you are the topic starter, and need this topic reopened, please contact me via PM with the address of this thread.

Everyone else please begin a new topic.

If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users