HTTP Tidserv Request


  • This topic is locked
16 replies to this topic

#1 DrEvil

  • Members
  • 9 posts

Posted 31 May 2010 - 02:35 PM

Problem:
Every time I do a search using google, yahoo, etc. my Norton blocks an intrusion attempt by HTTP Tidserv Request or HTTP Tidserv Request 2. I am also prevented from shutting down/restarting windows.

Attempted Fixes:
I've run a Norton full system scan both in and out of safe mode, as well as Malwarebytes; they each removed some files, but the infection still remains. I have turned off System Restore and run the Disk Cleanup tool in Windows. The scans, using either program (even in safe mode), now come up clean; however, I'm still receiving messages from Norton.


DDS Report:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Jason at 2:07:22.53 on Sun 05/30/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2497 [GMT -4:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Norton Internet Security\Engine\17.7.0.12\MCUI32.EXE
C:\Documents and Settings\Jason\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
uSearch Page = hxxp://www.google.com/hws/sb/dell-inc/en/side.html?channel=us
uSearch Bar = hxxp://www.google.com/hws/sb/dell-inc/en/side.html?channel=us
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-inc/en/side.html?channel=us
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\17.7.0.12\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\17.7.0.12\IPSBHO.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\17.7.0.12\coIEPlg.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: musicmatch.com\online
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} - hxxp://i.dell.com/images/global/js/scanner/SysProExe.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jason\applic~1\mozilla\firefox\profiles\4m5uodjr.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.6.0.32\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.6.0.32\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1107000.00c\symds.sys [2010-5-29 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1107000.00c\symefa.sys [2010-5-29 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.6.0.32\definitions\bashdefs\20100429.001\BHDrvx86.sys [2010-5-29 537136]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1107000.00c\cchpx86.sys [2010-5-29 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1107000.00c\ironx86.sys [2010-5-29 116784]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\17.7.0.12\ccsvchst.exe [2010-5-29 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-29 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.6.0.32\definitions\ipsdefs\20100520.001\IDSXpx86.sys [2009-10-28 329592]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.6.0.32\definitions\virusdefs\20100529.006\NAVENG.SYS [2010-5-29 85552]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.6.0.32\definitions\virusdefs\20100529.006\NAVEX15.SYS [2010-5-29 1347504]
S3 yeddef;YEDDEF driver;c:\windows\system32\drivers\yeddef.sys --> c:\windows\system32\drivers\yeddef.sys [?]
S4 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2008-10-28 156968]

=============== Created Last 30 ================

2030-06-16 07:07:16 0 ----a-w- c:\windows\KGOleSrv.INI
2030-06-16 07:05:44 0 d-----w- c:\docume~1\jason\applic~1\Synergy Software
2030-06-16 07:05:01 0 d-----w- c:\program files\KaleidaGraph 4.0 Demo
2010-05-30 06:03:59 0 ----a-w- c:\documents and settings\jason\defogger_reenable
2010-05-30 03:09:10 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-29 20:21:05 0 d-----w- c:\program files\Norton Internet Security
2010-05-29 20:17:59 0 d-----w- c:\docume~1\alluse~1\applic~1\PCSettings
2010-05-25 20:23:04 0 d-----w- c:\docume~1\jason\applic~1\Malwarebytes
2010-05-25 20:22:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-25 20:22:05 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-25 20:22:04 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-25 20:22:04 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-25 20:15:19 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-05-25 19:42:02 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-21 16:29:36 1071 ----a-w- c:\windows\AWMODEM.INF
2010-05-04 00:46:58 130 ----a-w- c:\documents and settings\jason\webct_upload_applet.properties
2010-05-01 22:38:03 48884 ---ha-w- c:\windows\system32\mlfcache.dat

==================== Find3M ====================

2010-05-29 20:22:05 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-05-29 20:22:05 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-05-29 20:22:05 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-05-29 20:22:05 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-05-23 21:22:12 77335 ----a-w- c:\windows\War3Unin.dat
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll
2007-05-29 20:31:34 1996288 ----a-w- c:\program files\Theory chart.doc
2007-01-24 21:55:07 251 ----a-w- c:\program files\wt3d.ini
2009-07-01 03:53:44 88 --sh--r- c:\windows\system32\D1484E1279.sys
2009-07-01 03:53:46 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
2008-09-13 03:41:47 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091220080913\index.dat

============= FINISH: 2:08:57.96 ===============


#2 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 02 June 2010 - 03:04 PM

Hi,

My name is Extremeboy (or EB for short), and I will be helping you with your log. I apologize for the delay.

If you still require assistance, we would like to see the current condition of your system, so please post a new set of DDS logs as well as a GMER log, and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log or GMER log, please refer to this page, steps #6, #7 and #8, for further instructions on downloading and running DDS & GMER. If you have any problems when running the tools or are unable to produce a report for any reason, just let me know in your next reply.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-GMER log
-Description of any remaining problems you may still have.


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 DrEvil

  • Topic Starter
  • Members
  • 9 posts

Posted 03 June 2010 - 02:03 PM

Hi EB,

Thanks for replying and thanks for the help! I am currently out of town for work and unable to access my machine at home. I won't be back until 6/6 (about 3 days from today, 6/3). I will run and post the logs ASAP.

I have one quick question. I noticed something weird when I ran GMER (had to run it a couple of times because the computer locked up and had to redo the scan). If I run the GMER without opening firefox, the firefox files do not appear in the log. However, if I open firefox, then run the scan, GMER picks up the files posted in the log above.

Therefore, should I open firefox so the scan will pick up those files? I'm obviously not an expert, but those files it found seem suspicious.

Again, thank you very much for your help! And I apologize for the delay in running the scans.

- Jason

#4 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 03 June 2010 - 04:27 PM

No problem. That's fine, thanks for letting me know.

Leave Firefox closed when you have the time to run GMER once more; we'll look into that once I see the logs.

Thanks.

#5 DrEvil

  • Topic Starter
  • Members
  • 9 posts

Posted 06 June 2010 - 08:44 PM

The remaining problem is that any time I use a search engine to search the web, I get a message from my AV program (Norton Internet Sec. 2010) that an intrusion attempt was blocked, Risk Name: HTTP Tidserv Request; sometimes it's Tidserv Request 2.

DDS Log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Jason at 17:35:01.59 on Sun 06/06/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2785 [GMT -4:00]

AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Jason\Desktop\Defogger.exe
C:\Documents and Settings\Jason\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
uSearch Page = hxxp://www.google.com/hws/sb/dell-inc/en/side.html?channel=us
uSearch Bar = hxxp://www.google.com/hws/sb/dell-inc/en/side.html?channel=us
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-inc/en/side.html?channel=us
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\17.7.0.12\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\17.7.0.12\IPSBHO.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\17.7.0.12\coIEPlg.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: musicmatch.com\online
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} - hxxp://i.dell.com/images/global/js/scanner/SysProExe.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jason\applic~1\mozilla\firefox\profiles\4m5uodjr.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.6.0.32\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.6.0.32\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1107000.00c\symds.sys [2010-5-29 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1107000.00c\symefa.sys [2010-5-29 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.6.0.32\definitions\bashdefs\20100429.001\BHDrvx86.sys [2010-5-29 537136]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1107000.00c\cchpx86.sys [2010-5-29 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1107000.00c\ironx86.sys [2010-5-29 116784]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\17.7.0.12\ccsvchst.exe [2010-5-29 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-29 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.6.0.32\definitions\ipsdefs\20100520.001\IDSXpx86.sys [2009-10-28 329592]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.6.0.32\definitions\virusdefs\20100531.003\NAVENG.SYS [2010-5-31 85552]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.6.0.32\definitions\virusdefs\20100531.003\NAVEX15.SYS [2010-5-31 1347504]
S3 yeddef;YEDDEF driver;c:\windows\system32\drivers\yeddef.sys --> c:\windows\system32\drivers\yeddef.sys [?]
S4 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2008-10-28 156968]

=============== Created Last 30 ================

2030-06-16 07:07:16 0 ----a-w- c:\windows\KGOleSrv.INI
2030-06-16 07:05:44 0 d-----w- c:\docume~1\jason\applic~1\Synergy Software
2030-06-16 07:05:01 0 d-----w- c:\program files\KaleidaGraph 4.0 Demo
2010-06-06 21:33:54 0 ----a-w- c:\documents and settings\jason\defogger_reenable
2010-06-01 02:26:55 0 d-----w- c:\docume~1\jason\applic~1\Tific
2010-06-01 02:26:41 47408 ----a-r- c:\windows\system32\drivers\SymIM.sys
2010-05-30 03:09:10 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-29 20:21:05 0 d-----w- c:\program files\Norton Internet Security
2010-05-29 20:17:59 0 d-----w- c:\docume~1\alluse~1\applic~1\PCSettings
2010-05-25 20:23:04 0 d-----w- c:\docume~1\jason\applic~1\Malwarebytes
2010-05-25 20:22:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-25 20:22:05 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-25 20:22:04 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-25 20:22:04 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-25 20:15:19 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-05-25 19:42:02 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-21 16:29:36 1071 ----a-w- c:\windows\AWMODEM.INF

==================== Find3M ====================

2010-05-29 20:22:05 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-05-29 20:22:05 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-05-29 20:22:05 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-05-29 20:22:05 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-05-23 21:22:12 77335 ----a-w- c:\windows\War3Unin.dat
2010-05-01 22:38:03 48884 ---ha-w- c:\windows\system32\mlfcache.dat
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll
2007-05-29 20:31:34 1996288 ----a-w- c:\program files\Theory chart.doc
2007-01-24 21:55:07 251 ----a-w- c:\program files\wt3d.ini
2009-07-01 03:53:44 88 --sh--r- c:\windows\system32\D1484E1279.sys
2009-07-01 03:53:46 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
2008-09-13 03:41:47 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091220080913\index.dat

============= FINISH: 17:36:57.59 ===============


GMER Log (Attached as ark):

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-06 21:29:43
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Jason\LOCALS~1\Temp\awryqaoc.sys


---- System - GMER 1.0.15 ----

SSDT 8AF913F8 ZwAlertResumeThread
SSDT 8AF90990 ZwAlertThread
SSDT 8AFA58E0 ZwAllocateVirtualMemory
SSDT 8AEAC110 ZwAssignProcessToJobObject
SSDT 8AD67820 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xA7153210]
SSDT 8AFB1438 ZwCreateMutant
SSDT 8AF901E0 ZwCreateSymbolicLinkObject
SSDT 8AC2D350 ZwCreateThread
SSDT 8AF8A790 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xA7153490]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA71539F0]
SSDT 8AF87C18 ZwDuplicateObject
SSDT 8B0DF260 ZwFreeVirtualMemory
SSDT 8AFB1528 ZwImpersonateAnonymousToken
SSDT 8AF91318 ZwImpersonateThread
SSDT 8ACEFA58 ZwLoadDriver
SSDT 8ADE4BA8 ZwMapViewOfSection
SSDT 8AFC88F0 ZwOpenEvent
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwOpenKey [0xA71537A0]
SSDT 8B141350 ZwOpenProcess
SSDT 8AFA59B0 ZwOpenProcessToken
SSDT 8AFB6F10 ZwOpenSection
SSDT 8B141260 ZwOpenThread
SSDT 8AF902D0 ZwProtectVirtualMemory
SSDT 8AF9ED20 ZwResumeThread
SSDT 8AFA54E8 ZwSetContextThread
SSDT 8AFA55C8 ZwSetInformationProcess
SSDT 8AFC6F48 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xA7153C40]
SSDT 8AFB6FD0 ZwSuspendProcess
SSDT 8AF9EE00 ZwSuspendThread
SSDT 8AFC5428 ZwTerminateProcess
SSDT 8AFA5218 ZwTerminateThread
SSDT 8AEF30A8 ZwUnmapViewOfSection
SSDT 8B0DF330 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2F24 805047C0 4 Bytes CALL 16DB4219
? SYMDS.SYS The system cannot find the file specified. !
? SYMEFA.SYS The system cannot find the file specified. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB5C7D360, 0x3CEED5, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1460] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0099000A
.text C:\WINDOWS\System32\svchost.exe[1460] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009A000A
.text C:\WINDOWS\System32\svchost.exe[1460] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0098000C
.text C:\WINDOWS\System32\svchost.exe[1460] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 0270000A
.text C:\WINDOWS\Explorer.EXE[1956] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B6000A
.text C:\WINDOWS\Explorer.EXE[1956] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C0000A
.text C:\WINDOWS\Explorer.EXE[1956] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B5000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \FileSystem\Fastfat \Fat A47EDD20
Device \FileSystem\Fastfat \Fat A4805631

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.15 ----

Attached Files



#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:33 AM

Posted 07 June 2010 - 07:41 PM

Hello again,

Do you have a log to post on what your Norton detected?

Then, let's start with Combofix...

Download and Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2

Please refer to this page for full instructions on how to run ComboFix.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.
Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#7 DrEvil

DrEvil
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:12:33 AM

Posted 07 June 2010 - 10:28 PM

Here's a log of what Norton has been blocking; I set it off with spaces and bold to make it easier to spot. I've attached a recent activity log as well. I censored it somewhat to cut out a lot of redundant activity. I set off what I thought was the interesting activity with spaces to make it easier to spot. I also attached the MalwareBytes log of the infected files it quarantined (all subsequent scans are clean). Unfortunately, Norton does not have a log of the infected files it quarantined. I deleted the files it quarantined, which, I guess, also deleted the log.

I'll run combofix and post the log in the next reply.

Category: Intrusion Prevention
Date & Time,Risk,Activity,Status,Recommended Action,Category,Risk Name,Attacking Computer,Attacker URL,Destination Address,Source Address,Traffic Description
6/7/2010 10:35 PM,Info,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention,,,,,,
6/7/2010 10:35 PM,Info,Intrusion Prevention Engine version: 4.6.0.26 Definitions Set version: 20100528.003,Detected,No Action Required,Intrusion Prevention,,,,,,
6/7/2010 10:35 PM,Info,Intrusion Prevention is monitoring 1541 signatures. Driver version: 9.2.0.98,Detected,No Action Required,Intrusion Prevention,,,,,,
6/7/2010 6:17 PM,Info,Intrusion Prevention Engine version: 4.6.0.26 Definitions Set version: 20100528.003,Detected,No Action Required,Intrusion Prevention,,,,,,
6/7/2010 6:17 PM,Info,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention,,,,,,
6/7/2010 6:17 PM,Info,Intrusion Prevention is monitoring 1541 signatures. Driver version: 9.2.0.98,Detected,No Action Required,Intrusion Prevention,,,,,,
6/7/2010 11:26 AM,Info,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention,,,,,,
6/7/2010 11:26 AM,Info,Intrusion Prevention Engine version: 4.6.0.26 Definitions Set version: 20100528.003,Detected,No Action Required,Intrusion Prevention,,,,,,
6/7/2010 11:26 AM,Info,Intrusion Prevention is monitoring 1541 signatures. Driver version: 9.2.0.98,Detected,No Action Required,Intrusion Prevention,,,,,,

6/6/2010 9:38 PM,High,An intrusion attempt by 85.12.46.159 was blocked.,Blocked,No Action Required,,HTTP Tidserv Request,"85.12.46.159, 80","7gafd33ja90a.com/xkp1RSXp7a6YvGU5dmVyPTMuNyZiaWQ9MjRhZGY4MjItNzZmNy00NDgxLWIzMGItZmYxYjQwZjg2ODdmJmFpZD0yMDA4NiZzaWQ9MSZyZD0yNS41LjIwMTAmZW5nPXNlYXJjaC55YWhvby5jb20mcT0=15x","192.168.1.7, 1148",85.12.46.159,"TCP, www-http"
6/6/2010 9:37 PM,High,An intrusion attempt by 91.212.226.178 was blocked.,Blocked,No Action Required,,HTTP Tidserv Request,"91.212.226.178, 80","30xc1cjh91.com/okU0QZpd7C3YnoS3dmVyPTMuNyZiaWQ9MjRhZGY4MjItNzZmNy00NDgxLWIzMGItZmYxYjQwZjg2ODdmJmFpZD0yMDA4NiZzaWQ9MSZyZD0yNS41LjIwMTAmZW5nPXd3dy5nb29nbGUuY29tJnE9aGk=06x","192.168.1.7, 1126",91.212.226.178,"TCP, www-http"
6/6/2010 9:37 PM,High,An intrusion attempt by 85.12.46.159 was blocked.,Blocked,No Action Required,,HTTP Tidserv Request,"85.12.46.159, 80","7gafd33ja90a.com/okU0QZpd7C3YnoS3dmVyPTMuNyZiaWQ9MjRhZGY4MjItNzZmNy00NDgxLWIzMGItZmYxYjQwZjg2ODdmJmFpZD0yMDA4NiZzaWQ9MSZyZD0yNS41LjIwMTAmZW5nPXd3dy5nb29nbGUuY29tJnE9aGk=06x","192.168.1.7, 1122",85.12.46.159,"TCP, www-http"

6/6/2010 9:35 PM,Info,Intrusion Prevention Engine version: 4.6.0.26 Definitions Set version: 20100528.003,Detected,No Action Required,Intrusion Prevention,,,,,,
6/6/2010 9:35 PM,Info,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention,,,,,,
6/6/2010 9:35 PM,Info,Intrusion Prevention is monitoring 1541 signatures. Driver version: 9.2.0.98,Detected,No Action Required,Intrusion Prevention,,,,,,
6/6/2010 9:33 PM,Info,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention,,,,,,
6/6/2010 9:33 PM,Info,Intrusion Prevention is monitoring 1555 signatures. Driver version: 9.1.2.5,Detected,No Action Required,Intrusion Prevention,,,,,,
6/6/2010 9:33 PM,Info,Intrusion Prevention Engine version: 4.5.0.67 Definitions Set version: 20100520.001,Detected,No Action Required,Intrusion Prevention,,,,,,
6/6/2010 5:32 PM,Info,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention,,,,,,
6/6/2010 5:32 PM,Info,Intrusion Prevention is monitoring 1555 signatures. Driver version: 9.1.2.5,Detected,No Action Required,Intrusion Prevention,,,,,,
6/6/2010 5:32 PM,Info,Intrusion Prevention Engine version: 4.5.0.67 Definitions Set version: 20100520.001,Detected,No Action Required,Intrusion Prevention,,,,,,
6/2/2010 12:14 PM,Info,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention,,,,,,
6/2/2010 12:14 PM,Info,Intrusion Prevention Engine version: 4.5.0.67 Definitions Set version: 20100520.001,Detected,No Action Required,Intrusion Prevention,,,,,,
6/2/2010 12:14 PM,Info,Intrusion Prevention is monitoring 1555 signatures. Driver version: 9.1.2.5,Detected,No Action Required,Intrusion Prevention,,,,,,
6/1/2010 9:06 PM,Info,Intrusion Prevention Engine version: 4.5.0.67 Definitions Set version: 20100520.001,Detected,No Action Required,Intrusion Prevention,,,,,,
6/1/2010 9:06 PM,Info,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention,,,,,,
6/1/2010 9:06 PM,Info,Intrusion Prevention is monitoring 1555 signatures. Driver version: 9.1.2.5,Detected,No Action Required,Intrusion Prevention,,,,,,
5/31/2010 10:29 PM,Info,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention,,,,,,
5/31/2010 10:29 PM,Info,Intrusion Prevention is monitoring 1555 signatures. Driver version: 9.1.2.5,Detected,No Action Required,Intrusion Prevention,,,,,,
5/31/2010 10:29 PM,Info,Intrusion Prevention Engine version: 4.5.0.67 Definitions Set version: 20100520.001,Detected,No Action Required,Intrusion Prevention,,,,,,
5/31/2010 10:20 PM,Info,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention,,,,,,
5/31/2010 10:20 PM,Info,Intrusion Prevention is monitoring 1555 signatures. Driver version: 9.1.2.5,Detected,No Action Required,Intrusion Prevention,,,,,,
5/31/2010 10:20 PM,Info,Intrusion Prevention Engine version: 4.5.0.67 Definitions Set version: 20100520.001,Detected,No Action Required,Intrusion Prevention,,,,,,
5/31/2010 5:10 PM,Info,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention,,,,,,
5/31/2010 5:10 PM,Info,Intrusion Prevention is monitoring 1555 signatures. Driver version: 9.1.2.5,Detected,No Action Required,Intrusion Prevention,,,,,,
5/31/2010 5:10 PM,Info,Intrusion Prevention Engine version: 4.5.0.67 Definitions Set version: 20100520.001,Detected,No Action Required,Intrusion Prevention,,,,,,

5/31/2010 3:22 PM,High,An intrusion attempt by 85.12.46.159 was blocked.,Blocked,No Action Required,,HTTP Tidserv Request,"85.12.46.159, 80","7gafd33ja90a.com/ozX3RiCe5c4juwO5dmVyPTMuNyZiaWQ9MjRhZGY4MjItNzZmNy00NDgxLWIzMGItZmYxYjQwZjg2ODdmJmFpZD0yMDA4NiZzaWQ9MSZyZD0yNS41LjIwMTAmZW5nPXd3dy5nb29nbGUuY29tJnE9aGk=26k","192.168.1.7, 1057",85.12.46.159,"TCP, www-http"

5/31/2010 3:21 PM,Info,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention,,,,,,
5/31/2010 3:21 PM,Info,Intrusion Prevention is monitoring 1555 signatures. Driver version: 9.1.2.5,Detected,No Action Required,Intrusion Prevention,,,,,,
5/31/2010 3:21 PM,Info,Intrusion Prevention Engine version: 4.5.0.67 Definitions Set version: 20100520.001,Detected,No Action Required,Intrusion Prevention,,,,,,

5/31/2010 11:25 AM,High,An intrusion attempt by 91.212.226.178 was blocked.,Blocked,No Action Required,,HTTP Tidserv Request,"91.212.226.178, 80","30xc1cjh91.com/IaW1uwce653q7ac1dmVyPTMuNyZiaWQ9MjRhZGY4MjItNzZmNy00NDgxLWIzMGItZmYxYjQwZjg2ODdmJmFpZD0yMDA4NiZzaWQ9MSZyZD0yNS41LjIwMTAmZW5nPXd3dy5nb29nbGUuY29tJnE9aGk=26h","192.168.1.7, 1093",91.212.226.178,"TCP, www-http"
5/31/2010 11:25 AM,High,An intrusion attempt by 85.12.46.159 was blocked.,Blocked,No Action Required,,HTTP Tidserv Request,"85.12.46.159, 80","7gafd33ja90a.com/IaW1uwce653q7ac1dmVyPTMuNyZiaWQ9MjRhZGY4MjItNzZmNy00NDgxLWIzMGItZmYxYjQwZjg2ODdmJmFpZD0yMDA4NiZzaWQ9MSZyZD0yNS41LjIwMTAmZW5nPXd3dy5nb29nbGUuY29tJnE9aGk=26h","192.168.1.7, 1088",85.12.46.159,"TCP, www-http"

5/31/2010 11:23 AM,Info,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention,,,,,,
5/31/2010 11:23 AM,Info,Intrusion Prevention is monitoring 1555 signatures. Driver version: 9.1.2.5,Detected,No Action Required,Intrusion Prevention,,,,,,
5/31/2010 11:23 AM,Info,Intrusion Prevention Engine version: 4.5.0.67 Definitions Set version: 20100520.001,Detected,No Action Required,Intrusion Prevention,,,,,,
5/31/2010 5:31 AM,High,An intrusion attempt by 85.12.46.159 was blocked.,Blocked,No Action Required,,HTTP Tidserv Request,"85.12.46.159, 80","m01n83kjf7.com/3aD3gvKL5Z5Jx9C1dmVyPTMuNyZiaWQ9MjRhZGY4MjItNzZmNy00NDgxLWIzMGItZmYxYjQwZjg2ODdmJmFpZD0yMDA4NiZzaWQ9MSZyZD0yNS41LjIwMTAmZW5nPXd3dy5nb29nbGUuY29tJnE9Z28=17x","192.168.1.7, 1072",85.12.46.159,"TCP, www-http"
5/31/2010 5:31 AM,High,An intrusion attempt by 85.12.46.159 was blocked.,Blocked,No Action Required,,HTTP Tidserv Request,"85.12.46.159, 80","7gafd33ja90a.com/3aD3gvKL5Z5Jx9C1dmVyPTMuNyZiaWQ9MjRhZGY4MjItNzZmNy00NDgxLWIzMGItZmYxYjQwZjg2ODdmJmFpZD0yMDA4NiZzaWQ9MSZyZD0yNS41LjIwMTAmZW5nPXd3dy5nb29nbGUuY29tJnE9Z28=17x","192.168.1.7, 1066",85.12.46.159,"TCP, www-http"

5/31/2010 5:29 AM,Info,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention,,,,,,
5/31/2010 5:29 AM,Info,Intrusion Prevention is monitoring 1555 signatures. Driver version: 9.1.2.5,Detected,No Action Required,Intrusion Prevention,,,,,,
5/31/2010 5:29 AM,Info,Intrusion Prevention Engine version: 4.5.0.67 Definitions Set version: 20100520.001,Detected,No Action Required,Intrusion Prevention,,,,,,
5/31/2010 5:20 AM,Info,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention,,,,,,
5/31/2010 5:20 AM,Info,Intrusion Prevention is monitoring 1555 signatures. Driver version: 9.1.2.5,Detected,No Action Required,Intrusion Prevention,,,,,,
5/31/2010 5:20 AM,Info,Intrusion Prevention Engine version: 4.5.0.67 Definitions Set version: 20100520.001,Detected,No Action Required,Intrusion Prevention,,,,,,
5/31/2010 1:40 AM,Info,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention,,,,,,
5/31/2010 1:40 AM,Info,Intrusion Prevention is monitoring 1555 signatures. Driver version: 9.1.2.5,Detected,No Action Required,Intrusion Prevention,,,,,,
5/31/2010 1:40 AM,Info,Intrusion Prevention Engine version: 4.5.0.67 Definitions Set version: 20100520.001,Detected,No Action Required,Intrusion Prevention,,,,,,

5/31/2010 1:29 AM,High,An intrusion attempt by 85.12.46.159 was blocked.,Blocked,No Action Required,,HTTP Tidserv Request,"85.12.46.159, 80","7gafd33ja90a.com/BKK1JbuL5I4XwNO6dmVyPTMuNyZiaWQ9MjRhZGY4MjItNzZmNy00NDgxLWIzMGItZmYxYjQwZjg2ODdmJmFpZD0yMDA4NiZzaWQ9MSZyZD0yNS41LjIwMTAmZW5nPXd3dy5nb29nbGUuY29tJnE9aGk=06k","192.168.1.7, 1102",85.12.46.159,"TCP, www-http"

5/31/2010 1:27 AM,Info,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention,,,,,,
5/31/2010 1:27 AM,Info,Intrusion Prevention is monitoring 1555 signatures. Driver version: 9.1.2.5,Detected,No Action Required,Intrusion Prevention,,,,,,
5/31/2010 1:27 AM,Info,Intrusion Prevention Engine version: 4.5.0.67 Definitions Set version: 20100520.001,Detected,No Action Required,Intrusion Prevention,,,,,,
5/31/2010 1:20 AM,Info,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention,,,,,,
5/31/2010 1:20 AM,Info,Intrusion Prevention is monitoring 1555 signatures. Driver version: 9.1.2.5,Detected,No Action Required,Intrusion Prevention,,,,,,
5/31/2010 1:20 AM,Info,Intrusion Prevention Engine version: 4.5.0.67 Definitions Set version: 20100520.001,Detected,No Action Required,Intrusion Prevention,,,,,,

5/30/2010 2:02 PM,High,An intrusion attempt by 85.12.46.159 was blocked.,Blocked,No Action Required,,HTTP Tidserv Request,"85.12.46.159, 80","7gafd33ja90a.com/gKK1ua7E7e5qZSO4dmVyPTMuNyZiaWQ9MjRhZGY4MjItNzZmNy00NDgxLWIzMGItZmYxYjQwZjg2ODdmJmFpZD0yMDA4NiZzaWQ9MSZyZD0yNS41LjIwMTAmZW5nPXd3dy5nb29nbGUuY29tJnE9aGk=15h","192.168.1.7, 1137",85.12.46.159,"TCP, www-http"

5/30/2010 1:57 PM,Info,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention,,,,,,
5/30/2010 1:57 PM,Info,Intrusion Prevention is monitoring 1555 signatures. Driver version: 9.1.2.5,Detected,No Action Required,Intrusion Prevention,,,,,,
5/30/2010 1:57 PM,Info,Intrusion Prevention Engine version: 4.5.0.67 Definitions Set version: 20100520.001,Detected,No Action Required,Intrusion Prevention,,,,,,
5/30/2010 4:07 AM,Info,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention,,,,,,
5/30/2010 4:07 AM,Info,Intrusion Prevention is monitoring 1555 signatures. Driver version: 9.1.2.5,Detected,No Action Required,Intrusion Prevention,,,,,,
5/30/2010 4:07 AM,Info,Intrusion Prevention Engine version: 4.5.0.67 Definitions Set version: 20100520.001,Detected,No Action Required,Intrusion Prevention,,,,,,
5/30/2010 3:09 AM,Info,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention,,,,,,
5/30/2010 3:09 AM,Info,Intrusion Prevention is monitoring 1555 signatures. Driver version: 9.1.2.5,Detected,No Action Required,Intrusion Prevention,,,,,,
5/30/2010 3:09 AM,Info,Intrusion Prevention Engine version: 4.5.0.67 Definitions Set version: 20100520.001,Detected,No Action Required,Intrusion Prevention,,,,,,

5/30/2010 2:03 AM,High,An intrusion attempt by 202.157.171.207 was blocked.,Blocked,No Action Required,,HTTPS Tidserv Request 2,"202.157.171.207, 443",,"192.168.1.7, 2060",202.157.171.207,"TCP, https"
5/30/2010 12:10 AM,High,An intrusion attempt by 85.12.46.159 was blocked.,Blocked,No Action Required,,HTTP Tidserv Request,"85.12.46.159, 80","7gafd33ja90a.com/kKy0CNCe5d5qmkU3dmVyPTMuNyZiaWQ9MjRhZGY4MjItNzZmNy00NDgxLWIzMGItZmYxYjQwZjg2ODdmJmFpZD0yMDA4NiZzaWQ9MSZyZD0yNS41LjIwMTAmZW5nPXd3dy5nb29nbGUuY29tJnE9aHR0cCt0aWRzZXJ2K3JlcXVlc3Q=25g","192.168.1.7, 1494",85.12.46.159,"TCP, www-http"
5/30/2010 12:09 AM,High,An intrusion attempt by 85.12.46.159 was blocked.,Blocked,No Action Required,,HTTP Tidserv Request,"85.12.46.159, 80","m01n83kjf7.com/3Aq2ocIP7r6MgOC7dmVyPTMuNyZiaWQ9MjRhZGY4MjItNzZmNy00NDgxLWIzMGItZmYxYjQwZjg2ODdmJmFpZD0yMDA4NiZzaWQ9MSZyZD0yNS41LjIwMTAmZW5nPXd3dy5nb29nbGUuY29tJnE9aGk=06k","192.168.1.7, 1492",85.12.46.159,"TCP, www-http"
5/30/2010 12:09 AM,High,An intrusion attempt by 85.12.46.159 was blocked.,Blocked,No Action Required,,HTTP Tidserv Request,"85.12.46.159, 80","7gafd33ja90a.com/3Aq2ocIP7r6MgOC7dmVyPTMuNyZiaWQ9MjRhZGY4MjItNzZmNy00NDgxLWIzMGItZmYxYjQwZjg2ODdmJmFpZD0yMDA4NiZzaWQ9MSZyZD0yNS41LjIwMTAmZW5nPXd3dy5nb29nbGUuY29tJnE9aGk=06k","192.168.1.7, 1485",85.12.46.159,"TCP, www-http"

5/29/2010 11:58 PM,Info,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention,,,,,,
5/29/2010 11:58 PM,Info,Intrusion Prevention Engine version: 4.5.0.67 Definitions Set version: 20100520.001,Detected,No Action Required,Intrusion Prevention,,,,,,
5/29/2010 11:58 PM,Info,Intrusion Prevention is monitoring 1555 signatures. Driver version: 9.1.2.5,Detected,No Action Required,Intrusion Prevention,,,,,,
5/29/2010 8:39 PM,Info,Intrusion Prevention is monitoring 1555 signatures. Driver version: 9.1.2.5,Detected,No Action Required,Intrusion Prevention,,,,,,
5/29/2010 8:39 PM,Info,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention,,,,,,
5/29/2010 8:39 PM,Info,Intrusion Prevention Engine version: 4.5.0.67 Definitions Set version: 20100520.001,Detected,No Action Required,Intrusion Prevention,,,,,,

5/29/2010 8:35 PM,High,An intrusion attempt by 91.212.226.130 was blocked.,Blocked,No Action Required,,HTTP Tidserv Request,"91.212.226.130, 80","j00k877x.cc/iAo0wVrd7E4Yfco3dmVyPTMuNyZiaWQ9MjRhZGY4MjItNzZmNy00NDgxLWIzMGItZmYxYjQwZjg2ODdmJmFpZD0yMDA4NiZzaWQ9MSZyZD0yNS41LjIwMTAmZW5nPXd3dy5nb29nbGUuY29tJnE9dGVzdA==05x","192.168.1.7, 1129",91.212.226.130,"TCP, www-http"
5/29/2010 8:35 PM,High,An intrusion attempt by 85.12.46.159 was blocked.,Blocked,No Action Required,,HTTP Tidserv Request,"85.12.46.159, 80","7gafd33ja90a.com/iAo0wVrd7E4Yfco3dmVyPTMuNyZiaWQ9MjRhZGY4MjItNzZmNy00NDgxLWIzMGItZmYxYjQwZjg2ODdmJmFpZD0yMDA4NiZzaWQ9MSZyZD0yNS41LjIwMTAmZW5nPXd3dy5nb29nbGUuY29tJnE9dGVzdA==05x","192.168.1.7, 1124",85.12.46.159,"TCP, www-http"

5/29/2010 4:28 PM,Info,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention,,,,,,
5/29/2010 4:28 PM,Info,Intrusion Prevention is monitoring 1555 signatures. Driver version: 9.1.2.5,Detected,No Action Required,Intrusion Prevention,,,,,,
5/29/2010 4:28 PM,Info,Intrusion Prevention Engine version: 4.5.0.67 Definitions Set version: 20100520.001,Detected,No Action Required,Intrusion Prevention,,,,,,
5/29/2010 4:24 PM,Info,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention,,,,,,
5/29/2010 4:24 PM,Info,Intrusion Prevention Engine version: 4.5.0.67 Definitions Set version: 20100520.001,Detected,No Action Required,Intrusion Prevention,,,,,,
5/29/2010 4:24 PM,Info,Intrusion Prevention is monitoring 1555 signatures. Driver version: 9.1.2.5,Detected,No Action Required,Intrusion Prevention,,,,,,
5/29/2010 4:22 PM,Info,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention,,,,,,
5/29/2010 4:22 PM,Info,Intrusion Prevention is monitoring 1501 signatures. Driver version: 9.1.2.5,Detected,No Action Required,Intrusion Prevention,,,,,,
5/29/2010 4:22 PM,Info,Intrusion Prevention Engine version: 4.5.0.67 Definitions Set version: 20091105.001,Detected,No Action Required,Intrusion Prevention,,,,,,


Attached Files
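The Norton Intrusion Prevention export above is a CSV with a "Category:" banner line and double-quoted "ip, port" fields. As an added example (not part of the thread, and not Symantec's own tooling), the Python below parses that layout, drops the engine start-up rows, and summarizes the blocked events by signature and attacking host; the sample rows are constructed, with documentation-range addresses and placeholder hostnames rather than the indicators from the thread.

```python
"""Triage helper for a Norton Internet Security 'Intrusion Prevention' CSV export.

Added example for this thread, not Symantec's tooling and not code posted by
either participant. Assumes the column layout of the export's header row
(Date & Time, Risk, Activity, Status, ..., Traffic Description) and that fields
containing commas, such as "85.12.46.159, 80", are double-quoted.
"""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample in the export's layout. Addresses are from documentation
# ranges and the hostnames are placeholders, not indicators from the thread.
SAMPLE_EXPORT = """\
Category: Intrusion Prevention
Date & Time,Risk,Activity,Status,Recommended Action,Category,Risk Name,Attacking Computer,Attacker URL,Destination Address,Source Address,Traffic Description
6/7/2010 10:35 PM,Info,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention,,,,,,
6/6/2010 9:38 PM,High,An intrusion attempt by 203.0.113.10 was blocked.,Blocked,No Action Required,,HTTP Tidserv Request,"203.0.113.10, 80","beacon-a.invalid/tok1","192.168.1.7, 1148",203.0.113.10,"TCP, www-http"
6/6/2010 9:37 PM,High,An intrusion attempt by 198.51.100.7 was blocked.,Blocked,No Action Required,,HTTP Tidserv Request,"198.51.100.7, 80","beacon-b.invalid/tok2","192.168.1.7, 1126",198.51.100.7,"TCP, www-http"
5/30/2010 2:03 AM,High,An intrusion attempt by 192.0.2.44 was blocked.,Blocked,No Action Required,,HTTPS Tidserv Request 2,"192.0.2.44, 443",,"192.168.1.7, 2060",192.0.2.44,"TCP, https"
5/31/2010 3:22 PM,High,An intrusion attempt by 203.0.113.10 was blocked.,Blocked,No Action Required,,HTTP Tidserv Request,"203.0.113.10, 80","beacon-a.invalid/tok3","192.168.1.7, 1057",203.0.113.10,"TCP, www-http"
"""

DATE_FORMAT = "%m/%d/%Y %I:%M %p"  # e.g. "6/6/2010 9:38 PM"


def parse_endpoint(field: str) -> Tuple[Optional[str], Optional[int]]:
    """Split an "ip, port" field into (ip, port); an empty field gives (None, None)."""
    field = field.strip()
    if not field:
        return None, None
    ip, _, port = field.partition(",")
    port = port.strip()
    return ip.strip(), (int(port) if port.isdigit() else None)


def parse_export(text: str) -> List[Dict]:
    """Parse the export into one dict per row, dropping the 'Category:' banner
    and blank lines so csv.DictReader sees the header row first."""
    lines = [ln for ln in text.splitlines()
             if ln.strip() and not ln.startswith("Category:")]
    rows = []
    for row in csv.DictReader(io.StringIO("\n".join(lines))):
        row["timestamp"] = datetime.strptime(row["Date & Time"], DATE_FORMAT)
        row["attacker_ip"], row["attacker_port"] = parse_endpoint(row["Attacking Computer"])
        # In this export "Destination Address" holds the local machine's endpoint.
        row["local_ip"], row["local_port"] = parse_endpoint(row["Destination Address"])
        url = row["Attacker URL"].strip()
        # The URL is logged without a scheme, so the host is everything before "/".
        row["attacker_host"] = url.split("/", 1)[0] if url else None
        rows.append(row)
    return rows


def blocked_intrusions(rows: List[Dict]) -> List[Dict]:
    """Keep only blocked High-risk events; engine start/definition rows are noise."""
    return [r for r in rows if r["Risk"] == "High" and r["Status"] == "Blocked"]


def summarize(events: List[Dict]) -> Dict:
    """Aggregate blocked events by signature and attacking IP, with the hosts
    each IP was contacted under and the time span the events cover."""
    hosts: Dict[str, set] = defaultdict(set)
    for ev in events:
        if ev["attacker_ip"] and ev["attacker_host"]:
            hosts[ev["attacker_ip"]].add(ev["attacker_host"])
    attackers = Counter(ev["attacker_ip"] for ev in events)
    return {
        "events": len(events),
        "signatures": Counter(ev["Risk Name"] for ev in events),
        "attackers": attackers,
        "hosts_by_attacker": {ip: sorted(hosts[ip]) for ip in attackers},
        "first_seen": min(ev["timestamp"] for ev in events) if events else None,
        "last_seen": max(ev["timestamp"] for ev in events) if events else None,
    }


def format_report(summary: Dict) -> str:
    """Render the summary as a short text report for a forum post or ticket."""
    out = [f"{summary['events']} blocked intrusion events "
           f"({summary['first_seen']} to {summary['last_seen']})"]
    for name, n in summary["signatures"].most_common():
        out.append(f"  signature {name!r}: {n}")
    for ip, n in summary["attackers"].most_common():
        hosts = ", ".join(summary["hosts_by_attacker"][ip]) or "(no URL logged)"
        out.append(f"  attacker {ip}: {n} event(s), hosts: {hosts}")
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(summarize(blocked_intrusions(parse_export(SAMPLE_EXPORT)))))
```

Run it against a real export by reading the file into a string and passing it to parse_export; the same attacker IP showing up under several hostnames, as in the thread's log, is the pattern worth calling out in the report.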



#8 DrEvil

DrEvil
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:12:33 AM

Posted 08 June 2010 - 12:43 AM

Hi again!

I ran Combofix, followed the instructions exactly as listed. However, it seems to have frozen.

I only clicked an "OK" dialog box to confirm a restart, it restarted, and combofix started to scan again. I assume the scan completed (left the room to avoid any temptation to touch anything) and my screen shows

The blue combofix box which says
"Preparing log report"
"Please do not run any other programs"
There is no cursor in the combofix box.

I can see my desktop wallpaper in the background, but there are no icons. There is also no bottom bar. The mouse seems to work, I can move the cursor, but haven't tried to click anything. I also have not tried keyboard.

Not sure what to do next. As of posting, it's been this way for approximately 1.5 hours.

Update: I've tried CTRL+ALT+DEL to bring up the task manager - nothing; also tried closing ComboFix - nothing. Looks like I need to do a hard restart.

Edited by DrEvil, 08 June 2010 - 04:19 PM.


#9 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:33 AM

Posted 09 June 2010 - 06:00 PM

Try running ComboFix in Safe Mode...

How to Boot into Safe Mode

I suggest you read over the instructions on how to boot into Safe Mode and then print these instructions out or save them in Notepad because you won't have access to this page while in Safe Mode.

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded, begin tapping the F8 key until the boot menu appears.
  • Use your arrow keys to navigate and highlight Safe Mode.
  • Hit Enter.
  • You will now be asked to choose your operating system. Again, use the arrow keys to select Microsoft Windows XP.
  • Hit Enter.
Your computer will proceed to boot into Safe Mode. During the boot process, you may see random code go past your screen. Simply wait for it to pass. Your computer should boot as usual, except with Safe Mode written in the corners of your screen. Your screen may also appear to be a different size because the video drivers are not loaded properly in Safe Mode.

After the boot, you will be asked whether you wish to use system restore, or to continue to Safe Mode. Select OK to choose Safe mode.


Additional instructions on booting into Safe Mode can be found here

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#10 DrEvil

DrEvil
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:12:33 AM

Posted 09 June 2010 - 08:00 PM

Thanks, ComboFix ran fine, although it didn't seem to find anything. I think it may have run successfully the first time, but froze before it could create a log.
In addition, the warnings from Norton have disappeared when using a web search engine.

ComboFix log is pasted below. A new GMER log is attached as ark.txt.


Combofix log:

ComboFix 10-06-07.03 - Jason 06/08/2010 22:09:35.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2852 [GMT -4:00]
Running from: c:\documents and settings\Jason\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

.
((((((((((((((((((((((((( Files Created from 2010-05-09 to 2010-06-09 )))))))))))))))))))))))))))))))
.

2030-06-16 07:05 . 2030-06-16 07:05 -------- d-----w- c:\documents and settings\Jason\Application Data\Synergy Software
2030-06-16 07:05 . 2008-06-18 13:15 -------- d-----w- c:\program files\KaleidaGraph 4.0 Demo
2010-06-01 02:26 . 2010-06-01 02:26 -------- d-----w- c:\documents and settings\Jason\Application Data\Tific
2010-06-01 02:26 . 2010-05-06 04:01 47408 ----a-r- c:\windows\system32\drivers\SymIM.sys
2010-05-30 03:09 . 2010-05-30 03:09 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-29 20:26 . 2010-05-06 04:01 361904 ----a-w- c:\windows\system32\drivers\symtdi.sys
2010-05-29 20:26 . 2010-04-22 03:02 173104 ----a-w- c:\windows\system32\drivers\symefa.sys
2010-05-29 20:26 . 2010-04-22 02:29 43696 ----a-w- c:\windows\system32\drivers\srtspx.sys
2010-05-29 20:26 . 2010-02-04 01:40 328752 ----a-r- c:\windows\system32\drivers\symds.sys
2010-05-29 20:26 . 2010-04-29 05:03 116784 ----a-w- c:\windows\system32\drivers\ironx86.sys
2010-05-29 20:26 . 2010-02-26 00:22 501888 ----a-w- c:\windows\system32\drivers\cchpx86.sys
2010-05-29 20:21 . 2010-05-29 20:21 -------- d-----w- c:\program files\Norton Internet Security
2010-05-29 20:21 . 2010-05-29 20:21 -------- d-----w- c:\program files\Windows Sidebar
2010-05-29 20:17 . 2010-05-29 20:17 -------- d-----w- c:\documents and settings\All Users\Application Data\PCSettings
2010-05-25 20:23 . 2010-05-25 20:23 -------- d-----w- c:\documents and settings\Jason\Application Data\Malwarebytes
2010-05-25 20:22 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-25 20:22 . 2010-05-25 20:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-25 20:22 . 2010-05-25 20:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-25 20:22 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-25 20:12 . 2010-05-25 20:12 -------- d-----w- c:\program files\Common Files\Java
2010-05-25 19:42 . 2010-05-25 19:42 61440 ----a-w- c:\documents and settings\Jason\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-4480cbac-n\decora-sse.dll
2010-05-25 19:42 . 2010-05-25 19:42 503808 ----a-w- c:\documents and settings\Jason\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2a9b968f-n\msvcp71.dll
2010-05-25 19:42 . 2010-05-25 19:42 499712 ----a-w- c:\documents and settings\Jason\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2a9b968f-n\jmc.dll
2010-05-25 19:42 . 2010-05-25 19:42 348160 ----a-w- c:\documents and settings\Jason\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2a9b968f-n\msvcr71.dll
2010-05-25 19:42 . 2010-05-25 19:42 12800 ----a-w- c:\documents and settings\Jason\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-4480cbac-n\decora-d3d.dll
2010-05-25 19:42 . 2010-05-25 20:14 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-24 21:30 . 2010-05-24 21:30 -------- d-----w- c:\documents and settings\Jason\Local Settings\Application Data\DOSBox
2010-05-18 06:41 . 2010-05-18 06:42 38784 ----a-w- c:\documents and settings\Jason\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-05-18 06:41 . 2010-05-18 06:42 -------- d-----w- c:\program files\Common Files\Adobe AIR

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-29 20:30 . 2009-06-09 01:11 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-05-29 20:22 . 2009-06-09 01:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-05-29 20:22 . 2009-06-09 01:11 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-05-29 20:22 . 2009-06-09 01:11 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-05-29 20:22 . 2009-06-09 01:11 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-05-29 20:22 . 2009-06-09 01:11 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-05-29 20:22 . 2009-06-09 01:11 -------- d-----w- c:\program files\Symantec
2010-05-29 20:17 . 2009-06-09 01:07 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-05-25 22:29 . 2006-06-02 04:49 -------- d-----w- c:\program files\Bethesda Softworks
2010-05-25 20:14 . 2006-05-30 15:20 -------- d-----w- c:\program files\Java
2010-05-24 07:29 . 2007-08-11 23:01 -------- d-----w- c:\program files\Warcraft III
2010-05-23 21:22 . 2007-08-11 23:05 77335 ----a-w- c:\windows\War3Unin.dat
2010-05-23 13:31 . 2006-06-12 00:48 -------- d-----w- c:\program files\World of Warcraft
2010-05-18 23:52 . 2008-07-03 03:15 -------- d-----w- c:\program files\Diablo II
2010-05-18 06:42 . 2009-07-07 17:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts
2010-05-14 21:40 . 2008-09-07 21:39 -------- d-----w- c:\documents and settings\Jason\Application Data\SPORE
2010-05-01 22:38 . 2010-05-01 22:38 48884 ---ha-w- c:\windows\system32\mlfcache.dat
2007-05-29 20:31 . 2007-05-29 20:31 1996288 ----a-w- c:\program files\Theory chart.doc
2007-01-24 21:55 . 2007-01-24 21:55 251 ----a-w- c:\program files\wt3d.ini
2009-07-01 03:53 . 2006-07-15 15:14 88 --sh--r- c:\windows\system32\D1484E1279.sys
2009-07-01 03:53 . 2006-07-15 15:14 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"nwiz"="nwiz.exe" [2009-02-18 1657376]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-5-30 24576]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jason^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]
path=c:\documents and settings\Jason\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
backup=c:\windows\pss\Logitech . Product Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2008-08-13 22:32 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
2006-09-21 10:20 127036 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2006-05-03 07:12 98304 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-10-09 23:57 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
2006-02-22 23:00 49152 ----a-w- c:\dell\E-Center\GTB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-06-10 14:44 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-06-10 14:44 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 21:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2009-05-08 14:35 2780432 ----a-w- c:\program files\Logitech\Logitech WebCam Software\LWS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxMenuMgr]
2008-10-28 20:42 181544 ----a-w- c:\program files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-01-26 20:31 2144088 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 20:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MskService"=2 (0x2)
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McDetect.exe"=2 (0x2)
"iPod Service"=3 (0x3)
"Apple Mobile Device"=3 (0x3)
"Bonjour Service"=2 (0x2)
"aawservice"=2 (0x2)
"MBackMonitor"=2 (0x2)
"UpdateCenterService"=2 (0x2)
"sprtsvc_dellsupportcenter"=2 (0x2)
"LVPrcSrv"=2 (0x2)
"FreeAgentGoNext Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\Repair.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.4.6314-to-2.0.5.6320-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.5.6320-enUS-downloader.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1107000.00C\symds.sys [5/29/2010 4:26 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1107000.00C\symefa.sys [5/29/2010 4:26 PM 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.6.0.32\Definitions\BASHDefs\20100429.001\BHDrvx86.sys [5/29/2010 4:24 PM 537136]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1107000.00C\cchpx86.sys [5/29/2010 4:26 PM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1107000.00C\ironx86.sys [5/29/2010 4:26 PM 116784]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.7.0.12\ccsvchst.exe [5/29/2010 4:26 PM 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/29/2010 4:24 PM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.6.0.32\Definitions\IPSDefs\20100528.003\IDSXpx86.sys [5/28/2010 3:33 PM 331640]
S3 yeddef;YEDDEF driver;c:\windows\system32\Drivers\yeddef.sys --> c:\windows\system32\Drivers\yeddef.sys [?]
S4 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [10/28/2008 4:42 PM 156968]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\Jason\Application Data\Mozilla\Firefox\Profiles\4m5uodjr.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.6.0.32\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.6.0.32\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-AppleSyncNotifier - c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
MSConfigStartUp-EmailScan - c:\program files\mcafee.com\antivirus\mcvsescn.exe
MSConfigStartUp-EPSON Stylus CX4800 Series - c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE
MSConfigStartUp-McAfee Backup - c:\program files\McAfee\MBK\McAfeeDataBackup.exe
MSConfigStartUp-MCAgentExe - c:\progra~1\mcafee.com\agent\mcagent.exe
MSConfigStartUp-MCUpdateExe - c:\progra~1\mcafee.com\agent\mcupdate.exe
MSConfigStartUp-MPFExe - c:\program files\mcafee.com\personal firewall\MPfTray.exe
MSConfigStartUp-MSKAGENTEXE - c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe
MSConfigStartUp-MSKDetectorExe - c:\program files\McAfee\SpamKiller\MSKDetct.exe
MSConfigStartUp-OASClnt - c:\program files\mcafee.com\antivirus\oasclnt.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.6.0_03\bin\jusched.exe
MSConfigStartUp-Windows Defender - c:\program files\Windows Defender\MSASCui.exe
AddRemove-AOLAntivirus - c:\program files\mcafee.com\antivirus\uninst.exe
AddRemove-FreeUndelete - j:\program files\FreeUndelete\GLF3FF.exe
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-08 22:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.7.0.12\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3990702668-1057175237-675285069-1005\Software\SecuROM\License information*]
"datasecu"=hex:2d,ab,39,f3,6c,a1,cd,fb,d1,0a,78,6f,d8,20,c7,30,dc,6d,de,c6,6c,
7d,93,7d,20,91,de,38,d2,20,5a,86,eb,60,6a,6c,e9,b2,0d,c1,f7,54,85,59,6a,e2,\
"rkeysecu"=hex:64,b6,bd,e1,3e,80,9e,c4,40,b4,90,83,87,8e,33,49
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1044)
c:\windows\system32\iphlpapi.dll
.
Completion time: 2010-06-08 22:18:46
ComboFix-quarantined-files.txt 2010-06-09 02:18

Pre-Run: 78,389,788,672 bytes free
Post-Run: 78,348,443,648 bytes free

- - End Of File - - 3E617DA5FC33BB2E854364D0C910E4A9

Attached Files

  • ark.txt (9.05KB)
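As an added illustration, not part of this thread and not code from DDS, ComboFix or any other tool named here, the following Python script shows the kind of first-pass triage a responder can automate over a DDS log like the one above: it parses the `R*`/`S*` service lines and the firewall policy section into structured records and flags the two things worth a second look in this log, a service whose image file DDS could not find and a disabled Windows Firewall. It assumes the DDS conventions that the leading letter is the service state (R running, S stopped), the digit is the Windows start type (0 boot, 1 system, 2 automatic, 3 on demand, 4 disabled), and that `[?]` is printed in place of the file's date and size when the file is absent; the sample log embedded in the script is constructed for the example and only mirrors the format of the log above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the DDS log format: a firewall policy section followed
# by service entries.  Assembled for this example, not taken from a live system.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1107000.00C\symds.sys [5/29/2010 4:26 PM 328752]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1107000.00C\cchpx86.sys [5/29/2010 4:26 PM 501888]
S3 yeddef;YEDDEF driver;c:\windows\system32\Drivers\yeddef.sys --> c:\windows\system32\Drivers\yeddef.sys [?]
S4 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [10/28/2008 4:42 PM 156968]
"""

# DDS convention (assumed): letter = current state (R running, S stopped),
# digit = Windows start type.
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "demand", "4": "disabled"}

# <state><start> <name>;<description>;<path ...> [<date time size> | ?]
SERVICE_RE = re.compile(r"^([RS])([0-4])\s+([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]$")
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(\d+)')


@dataclass
class ServiceEntry:
    name: str
    description: str
    path: str
    running: bool
    start_type: str
    size: Optional[int]      # None when DDS printed "[?]"
    file_missing: bool       # True when DDS could not find the image file


def parse_services(text: str) -> List[ServiceEntry]:
    """Parse DDS R*/S* service lines into structured entries."""
    entries = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        state, start, name, desc, path_part, stamp = m.groups()
        # "registered path --> resolved path": keep the resolved one
        path = path_part.split(" --> ")[-1].strip()
        missing = stamp.strip() == "?"
        size = None if missing else int(stamp.split()[-1])
        entries.append(ServiceEntry(name.strip(), desc.strip(), path,
                                    state == "R", START_TYPES[start],
                                    size, missing))
    return entries


def firewall_enabled(text: str) -> Optional[bool]:
    """EnableFirewall value of the standard profile, or None if not in the log."""
    for line in text.splitlines():
        m = FIREWALL_RE.match(line.strip())
        if m:
            return m.group(1) != "0"
    return None


def triage(text: str) -> List[str]:
    """Return human-readable findings that deserve a closer look."""
    findings = []
    if firewall_enabled(text) is False:
        findings.append("Windows Firewall is disabled in the standard profile")
    for e in parse_services(text):
        if e.file_missing:
            findings.append(f"service {e.name} ({e.start_type} start) points at "
                            f"a file DDS could not find: {e.path}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("-", finding)
```

A missing image file is not by itself proof of infection (an uninstalled driver often leaves a stale service key), but it is exactly the kind of entry a helper will ask about, and a disabled host firewall is worth restoring once the machine is clean.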


#11 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 10 June 2010 - 02:45 PM

That's good.

Let's continue with another scan followed by another scan of your system.

Download and Run ATFCleaner

Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are receiving help.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
If you use Firefox browser also...
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser also...
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Download and run OTL
  1. Download OTL by OldTimer and save it to your desktop.
  2. Double click on the icon on your desktop. If you are using Vista, please right-click and select run as administrator
  3. Click the "Scan All Users" checkbox.
  4. Push the button.
  5. It will now begin to scan, please be patient while it scans.
  6. Two reports will open once it's done.
  7. Please copy and paste them in your next reply:
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized


Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. (Please note: Kaspersky requires Java Runtime Environment (JRE) to be installed before scanning for malware, as ActiveX is no longer being used.)

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner page.
  • Click on the button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the button, if you made any changes.
  • Now under the Scan section on the left:
    Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#12 DrEvil

  • Topic Starter
  • Members
  • 9 posts

Posted 10 June 2010 - 09:34 PM

The Kaspersky d/l is taking quite a while to d/l all the updates (been several hours). I'll let it d/l overnight and run the scan in the morning. In the meantime, I thought I'd give a small update as it seems Norton finally did its job. It ran an idle time scan and found something:

Category: Unresolved Security Risks
Date & Time,Risk,Activity,Status,Recommended Action
6/10/2010 9:10 PM,High,isapnp.sys.vir (Backdoor.Tidserv!inf) detected by Virus scanner,Manual Removal Required,Review risk details on Symantec Web site.

Although the file location is in c:\Qoobox\quarantine\c\windows\system32\drivers\isapnp.sys.vir
Not sure if that's a result from combofix? I did find it amusing that Norton's recommended action was: Get help

Note that Norton found the problem AFTER the OTL logs were created, so I'm not sure if I need to start back at running combofix again?

Here are the logs from OTL:


OTL logfile created on: 6/10/2010 4:41:59 PM - Run 1
OTL by OldTimer - Version 3.2.6.0 Folder = C:\Documents and Settings\Jason\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 84.00% Memory free
5.00 Gb Paging File | 5.00 Gb Available in Paging File | 94.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 144.31 Gb Total Space | 72.36 Gb Free Space | 50.14% Space Free | Partition Type: NTFS
Drive D: | 4.18 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: JASONSDESKTOP
Current User Name: Jason
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/06/10 16:38:13 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jason\Desktop\OTL.exe
PRC - [2010/02/25 20:21:50 | 000,126,392 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Internet Security\Engine\17.7.0.12\ccsvchst.exe
PRC - [2009/01/06 15:52:02 | 000,174,624 | ---- | M] (NVIDIA) -- C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/03/22 18:20:44 | 000,339,968 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe
PRC - [2003/10/29 03:06:00 | 000,024,576 | R--- | M] (BVRP Software) -- C:\Program Files\Digital Line Detect\DLG.exe


========== Modules (SafeList) ==========

MOD - [2010/06/10 16:38:13 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jason\Desktop\OTL.exe
MOD - [2010/05/14 01:35:01 | 000,415,088 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Internet Security\Engine\17.7.0.12\asoehook.dll
MOD - [2009/07/12 03:02:02 | 000,653,120 | R--- | M] (Microsoft Corporation) -- C:\Program Files\Norton Internet Security\Engine\17.7.0.12\microsoft.vc90.crt\msvcr90.dll
MOD - [2009/07/12 03:02:00 | 000,569,664 | R--- | M] (Microsoft Corporation) -- C:\Program Files\Norton Internet Security\Engine\17.7.0.12\microsoft.vc90.crt\msvcp90.dll
MOD - [2009/02/18 14:44:00 | 001,507,328 | ---- | M] () -- C:\WINDOWS\system32\nview.dll
MOD - [2009/02/18 14:44:00 | 000,081,920 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvwddi.dll
MOD - [2008/04/13 20:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2010/02/25 20:21:50 | 000,126,392 | R--- | M] (Symantec Corporation) [Unknown | Running] -- C:\Program Files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe -- (NIS)
SRV - [2009/04/30 16:01:10 | 000,154,136 | ---- | M] (Logitech Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe -- (LVPrcSrv)
SRV - [2009/01/07 16:20:18 | 000,121,376 | ---- | M] (NVIDIA) [Disabled | Stopped] -- C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe -- (UpdateCenterService)
SRV - [2009/01/06 15:52:02 | 000,174,624 | ---- | M] (NVIDIA) [Auto | Running] -- C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe -- (nTuneService)
SRV - [2008/10/28 16:42:30 | 000,156,968 | ---- | M] (Seagate Technology LLC) [Disabled | Stopped] -- C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe -- (FreeAgentGoNext Service)
SRV - [2008/08/13 18:32:40 | 000,201,968 | ---- | M] (SupportSoft, Inc.) [Disabled | Stopped] -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_dellsupportcenter) SupportSoft Sprocket Service (dellsupportcenter)
SRV - [2008/04/13 20:12:02 | 000,105,472 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\p2pgasvc.dll -- (p2pgasvc)


========== Driver Services (SafeList) ==========

DRV - [2010/05/29 16:24:08 | 001,347,504 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.6.0.32\Definitions\VirusDefs\20100609.022\NAVEX15.SYS -- (NAVEX15)
DRV - [2010/05/29 16:24:08 | 000,085,552 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.6.0.32\Definitions\VirusDefs\20100609.022\NAVENG.SYS -- (NAVENG)
DRV - [2010/05/29 16:24:07 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2010/05/29 16:24:07 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2010/05/29 16:22:05 | 000,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2010/05/28 15:33:19 | 000,331,640 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.6.0.32\Definitions\IPSDefs\20100604.004\IDSXpx86.sys -- (IDSxpx86)
DRV - [2010/05/06 00:01:59 | 000,361,904 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\NIS\1107000.00C\SYMTDI.SYS -- (SYMTDI)
DRV - [2010/05/06 00:01:43 | 000,047,408 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SymIM.sys -- (SymIMMP)
DRV - [2010/05/06 00:01:43 | 000,047,408 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SymIM.sys -- (SymIM)
DRV - [2010/04/29 13:44:04 | 000,537,136 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.6.0.32\Definitions\BASHDefs\20100429.001\BHDrvx86.sys -- (BHDrvx86)
DRV - [2010/04/29 01:03:51 | 000,116,784 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NIS\1107000.00C\Ironx86.SYS -- (SymIRON)
DRV - [2010/04/21 23:02:20 | 000,173,104 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\NIS\1107000.00C\SYMEFA.SYS -- (SymEFA)
DRV - [2010/04/21 22:29:50 | 000,325,680 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\WINDOWS\System32\Drivers\NIS\1107000.00C\SRTSP.SYS -- (SRTSP)
DRV - [2010/04/21 22:29:50 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NIS\1107000.00C\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV - [2010/02/25 20:22:57 | 000,501,888 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NIS\1107000.00C\ccHPx86.sys -- (ccHP)
DRV - [2010/02/11 08:02:15 | 000,226,880 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tcpip6.sys -- (Tcpip6)
DRV - [2010/02/03 21:40:47 | 000,328,752 | R--- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\NIS\1107000.00C\SYMDS.SYS -- (SymDS)
DRV - [2009/04/30 22:02:00 | 008,055,584 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2009/04/30 19:03:28 | 000,023,832 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvuvcflt.sys -- (FilterService)
DRV - [2009/04/30 19:03:06 | 006,754,712 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvuvc.sys -- (LVUVC) QuickCam Orbit/Sphere AF(UVC)
DRV - [2009/04/30 19:01:46 | 000,066,456 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvselsus.sys -- (lvselsus)
DRV - [2009/04/30 19:01:34 | 000,265,496 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvrs.sys -- (LVRS)
DRV - [2009/04/30 16:00:12 | 000,025,624 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LVPr2Mon.sys -- (LVPr2Mon)
DRV - [2009/01/07 16:20:16 | 000,036,896 | ---- | M] (NVIDIA Corp.) [Kernel | Auto | Running] -- C:\WINDOWS\nvflash.sys -- (NVR0FLASHDev)
DRV - [2009/01/06 15:51:58 | 000,036,640 | ---- | M] (NVIDIA Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\nvoclock.sys -- (NVR0Dev)
DRV - [2008/07/26 11:26:22 | 000,041,752 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LVUSBSta.sys -- (LVUSBSta)
DRV - [2008/04/13 14:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 14:36:39 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/13 14:36:39 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2008/04/13 12:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2006/09/21 06:20:00 | 000,094,460 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2006/09/21 06:20:00 | 000,088,476 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2006/09/21 06:20:00 | 000,087,004 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2006/09/21 06:20:00 | 000,026,044 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2006/09/21 06:20:00 | 000,015,068 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2006/09/21 06:20:00 | 000,006,364 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2006/09/21 06:20:00 | 000,002,496 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResN.SYS -- (DLADResN)
DRV - [2006/08/18 04:30:00 | 000,089,456 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB)
DRV - [2006/05/30 11:28:47 | 000,008,552 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\asctrm.sys -- (ASCTRM)
DRV - [2006/03/17 09:35:24 | 000,005,660 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2006/03/17 09:34:46 | 000,022,684 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS -- (DLARTL_N)
DRV - [2006/03/17 06:20:00 | 000,040,544 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS -- (DRVNDDM)
DRV - [2005/11/16 16:36:00 | 001,047,816 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2003/11/17 16:59:20 | 000,212,224 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2003/11/17 16:58:02 | 000,680,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2003/11/17 16:56:26 | 001,042,432 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2001/08/17 14:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 14:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 14:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 14:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 14:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 13:57:38 | 000,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA)
DRV - [2001/08/17 13:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 13:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 13:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 13:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 13:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 13:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 13:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 13:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 13:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 13:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&cl...&channel=us
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = http://www.google.com/ig/dell?hl=en&cl...&channel=us


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/dell?hl=en&cl...&channel=us
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/dell?hl=en&cl...&channel=us
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3990702668-1057175237-675285069-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig/dell?hl=en&cl...&channel=us
IE - HKU\S-1-5-21-3990702668-1057175237-675285069-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3990702668-1057175237-675285069-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {BBDA0591-3099-440a-AA10-41764D9DB4DB}:2.0
FF - prefs.js..extensions.enabledItems: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62}:4.6


FF - HKLM\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.6.0.32\IPSFFPlgn\ [2010/05/29 16:30:03 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.6.0.32\coFFPlgn\ [2010/05/29 16:22:25 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/14 15:55:23 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/05/25 18:23:16 | 000,000,000 | ---D | M]

[2008/06/22 03:34:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jason\Application Data\Mozilla\Extensions
[2010/06/09 21:01:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jason\Application Data\Mozilla\Firefox\Profiles\4m5uodjr.default\extensions
[2009/07/30 23:50:05 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Jason\Application Data\Mozilla\Firefox\Profiles\4m5uodjr.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/06/09 21:01:22 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/05/25 16:15:22 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/05/25 16:14:50 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2010/06/07 23:58:09 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\DLA\DLASHX_W.DLL (Sonic Solutions)
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\17.7.0.12\coieplg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\17.7.0.12\ipsbho.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\17.7.0.12\coieplg.dll (Symantec Corporation)
O3 - HKU\S-1-5-21-3990702668-1057175237-675285069-1005\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3990702668-1057175237-675285069-1005\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3990702668-1057175237-675285069-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-3990702668-1057175237-675285069-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-3990702668-1057175237-675285069-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000006 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: musicmatch.com ([online] https in Trusted sites)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} http://support.dell.com/systemprofiler/SysPro.CAB (SysProWmi Class)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/templates/ieawsdc.cab (Microsoft Office Template and Media Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} http://i.dell.com/images/global/js/scanner/SysProExe.cab (Scanner.SysScanner)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/get/flash...ent/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Jason\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/08/16 04:43:04 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2005/11/21 13:26:21 | 000,000,057 | R--- | M] () - D:\autorun.inf -- [ UDF ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2030/06/16 03:05:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jason\Application Data\Synergy Software
[2030/06/16 03:05:01 | 000,000,000 | ---D | C] -- C:\Program Files\KaleidaGraph 4.0 Demo
[2010/06/10 16:38:11 | 000,572,416 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Jason\Desktop\OTL.exe
[2010/06/10 16:37:45 | 000,050,688 | ---- | C] (Atribune.org) -- C:\Documents and Settings\Jason\Desktop\ATF-Cleaner.exe
[2010/06/09 20:52:32 | 000,743,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iedvtool.dll
[2010/06/08 22:29:35 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/06/07 23:43:15 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/06/07 23:40:02 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/06/07 23:40:02 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/06/07 23:40:02 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/06/07 23:40:02 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/06/07 23:39:34 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/06/07 23:39:03 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/05/31 22:26:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jason\Application Data\Tific
[2010/05/31 22:26:41 | 000,047,408 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SymIM.sys
[2010/05/30 02:15:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jason\Desktop\GMER
[2010/05/30 02:15:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jason\My Documents\New Folder
[2010/05/29 16:26:22 | 000,361,904 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\symtdi.sys
[2010/05/29 16:26:22 | 000,328,752 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\symds.sys
[2010/05/29 16:26:22 | 000,173,104 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\symefa.sys
[2010/05/29 16:26:22 | 000,043,696 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\srtspx.sys
[2010/05/29 16:26:21 | 000,501,888 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\cchpx86.sys
[2010/05/29 16:26:21 | 000,116,784 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\ironx86.sys
[2010/05/29 16:22:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jason\My Documents\Symantec
[2010/05/29 16:21:05 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Sidebar
[2010/05/29 16:21:05 | 000,000,000 | ---D | C] -- C:\Program Files\Norton Internet Security
[2010/05/29 16:17:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PCSettings
[2010/05/29 16:05:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\Norton
[2010/05/29 16:04:35 | 000,407,944 | ---- | C] (Symantec Corporation) -- C:\Documents and Settings\Jason\Desktop\NISDownloader.exe
[2010/05/25 16:23:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jason\Application Data\Malwarebytes
[2010/05/25 16:22:06 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/05/25 16:22:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/05/25 16:22:04 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/05/25 16:22:04 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/05/25 16:15:19 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/05/25 16:15:18 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/05/25 16:15:18 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/05/25 16:15:18 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/05/25 16:12:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/05/25 16:12:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/05/25 16:12:09 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/05/25 16:04:05 | 006,153,352 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Jason\Desktop\mbam-setup-1.46.exe
[2010/05/25 15:42:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/05/25 15:42:02 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/05/24 17:30:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jason\Local Settings\Application Data\DOSBox
[2010/05/21 12:28:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jason\My Documents\Fax
[2010/05/18 02:41:05 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\Documents and Settings\Jason\Desktop\*.tmp files -> C:\Documents and Settings\Jason\Desktop\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2030/06/16 03:07:16 | 000,000,000 | ---- | M] () -- C:\WINDOWS\KGOleSrv.INI
[2010/06/10 16:38:13 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jason\Desktop\OTL.exe
[2010/06/10 16:37:46 | 000,050,688 | ---- | M] (Atribune.org) -- C:\Documents and Settings\Jason\Desktop\ATF-Cleaner.exe
[2010/06/10 16:36:37 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/06/10 16:36:04 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/06/10 16:35:59 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/06/10 16:35:56 | 3487,715,328 | -HS- | M] () -- C:\hiberfil.sys
[2010/06/10 13:38:30 | 008,126,464 | -H-- | M] () -- C:\Documents and Settings\Jason\NTUSER.DAT
[2010/06/10 13:38:26 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Jason\ntuser.ini
[2010/06/10 13:38:07 | 000,000,023 | ---- | M] () -- C:\WINDOWS\BlendSettings.ini
[2010/06/10 03:55:22 | 000,229,592 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/06/10 03:18:14 | 000,666,814 | ---- | M] () -- C:\WINDOWS\System32\drivers\NIS\1107000.00C\Cat.DB
[2010/06/10 03:18:02 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/06/10 03:06:04 | 000,503,304 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/06/10 03:06:04 | 000,442,466 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/06/10 03:06:04 | 000,071,732 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/06/09 14:16:00 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Jason\defogger_reenable
[2010/06/09 04:33:00 | 003,929,298 | -H-- | M] () -- C:\Documents and Settings\Jason\Local Settings\Application Data\IconCache.db
[2010/06/08 22:16:14 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/06/07 23:58:09 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/06/07 23:43:23 | 000,000,279 | RHS- | M] () -- C:\boot.ini
[2010/06/07 23:29:24 | 003,704,271 | R--- | M] () -- C:\Documents and Settings\Jason\Desktop\ComboFix.exe
[2010/05/30 02:04:41 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Jason\Desktop\dds.scr
[2010/05/30 02:03:20 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Jason\Desktop\Defogger.exe
[2010/05/29 23:09:10 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/05/29 16:28:09 | 000,001,973 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Norton Internet Security.LNK
[2010/05/29 16:22:05 | 000,124,976 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2010/05/29 16:22:05 | 000,060,808 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2010/05/29 16:22:05 | 000,007,443 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2010/05/29 16:22:05 | 000,000,805 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2010/05/29 16:20:32 | 000,000,775 | ---- | M] () -- C:\Documents and Settings\Jason\Desktop\Norton Installation Files.lnk
[2010/05/29 16:04:35 | 000,407,944 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\Jason\Desktop\NISDownloader.exe
[2010/05/25 16:22:09 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/25 16:14:49 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/05/25 16:14:49 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/05/25 16:14:48 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/05/25 16:14:48 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/05/25 16:14:48 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/05/25 16:03:48 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Jason\Desktop\mbam-setup-1.46.exe
[2010/05/23 17:22:12 | 000,077,335 | ---- | M] () -- C:\WINDOWS\War3Unin.dat
[2010/05/23 09:31:08 | 000,000,799 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\World of Warcraft.lnk
[2010/05/21 12:30:16 | 000,210,092 | ---- | M] () -- C:\Documents and Settings\Jason\Desktop\transcript 2042.pdf
[2010/05/21 12:29:36 | 000,001,071 | ---- | M] () -- C:\WINDOWS\AWMODEM.INF
[2010/05/21 12:25:29 | 000,211,807 | ---- | M] () -- C:\Documents and Settings\Jason\Desktop\transcript 1041.pdf
[2010/05/18 02:42:04 | 000,001,907 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\EA Download Manager.lnk
[2010/05/14 02:32:01 | 000,000,172 | ---- | M] () -- C:\WINDOWS\System32\drivers\NIS\1107000.00C\isolate.ini
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\Documents and Settings\Jason\Desktop\*.tmp files -> C:\Documents and Settings\Jason\Desktop\*.tmp -> ]

========== Files Created - No Company Name ==========

[2030/06/16 03:07:16 | 000,000,000 | ---- | C] () -- C:\WINDOWS\KGOleSrv.INI
[2010/06/09 14:16:00 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Jason\defogger_reenable
[2010/06/07 23:43:22 | 000,000,209 | ---- | C] () -- C:\Boot.bak
[2010/06/07 23:43:17 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/06/07 23:40:02 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/06/07 23:40:02 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/06/07 23:40:02 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/06/07 23:40:02 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/06/07 23:40:02 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/06/07 23:29:22 | 003,704,271 | R--- | C] () -- C:\Documents and Settings\Jason\Desktop\ComboFix.exe
[2010/05/30 02:04:41 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Jason\Desktop\dds.scr
[2010/05/30 02:03:18 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Jason\Desktop\Defogger.exe
[2010/05/29 23:58:23 | 3487,715,328 | -HS- | C] () -- C:\hiberfil.sys
[2010/05/29 23:09:10 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/05/29 16:21:58 | 000,001,973 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Norton Internet Security.LNK
[2010/05/29 16:05:12 | 000,000,775 | ---- | C] () -- C:\Documents and Settings\Jason\Desktop\Norton Installation Files.lnk
[2010/05/25 16:22:09 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/21 12:30:16 | 000,210,092 | ---- | C] () -- C:\Documents and Settings\Jason\Desktop\transcript 2042.pdf
[2010/05/21 12:29:36 | 000,001,071 | ---- | C] () -- C:\WINDOWS\AWMODEM.INF
[2010/05/21 12:25:29 | 000,211,807 | ---- | C] () -- C:\Documents and Settings\Jason\Desktop\transcript 1041.pdf
[2010/05/18 02:42:04 | 000,001,907 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\EA Download Manager.lnk
[2009/06/21 05:00:20 | 000,082,289 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2009/05/08 10:13:04 | 000,013,584 | ---- | C] () -- C:\WINDOWS\System32\drivers\iKeyLFT2.dll
[2009/05/01 00:31:06 | 001,507,328 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2009/05/01 00:31:06 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2009/04/30 16:00:12 | 000,025,624 | ---- | C] () -- C:\WINDOWS\System32\drivers\LVPr2Mon.sys
[2009/02/18 14:44:00 | 001,724,416 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2009/02/18 14:44:00 | 001,101,824 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2008/12/21 14:31:54 | 000,876,544 | ---- | C] () -- C:\WINDOWS\System32\TEACico2.dll
[2008/11/22 02:47:35 | 000,000,262 | ---- | C] () -- C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2008/01/18 22:56:25 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2007/01/23 09:57:26 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2006/11/15 17:01:35 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2006/11/15 16:36:58 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2006/10/21 22:51:19 | 000,000,028 | ---- | C] () -- C:\WINDOWS\atid.ini
[2006/09/23 21:53:47 | 000,000,164 | ---- | C] () -- C:\WINDOWS\System32\psyswin32.dll
[2006/07/22 01:34:15 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/07/15 11:14:11 | 000,003,350 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2006/07/15 11:14:11 | 000,000,088 | RHS- | C] () -- C:\WINDOWS\System32\D1484E1279.sys
[2006/06/02 05:40:47 | 000,000,023 | ---- | C] () -- C:\WINDOWS\BlendSettings.ini
[2006/06/02 00:32:23 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2006/05/30 11:42:39 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/05/30 11:36:00 | 000,000,710 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/05/30 11:03:24 | 000,000,392 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2006/05/18 10:56:21 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/05/18 10:56:20 | 000,573,440 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2005/11/10 08:56:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005/08/16 04:37:24 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2005/08/05 14:01:54 | 000,235,008 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
< End of report >

OTL Extras logfile created on: 6/10/2010 4:41:59 PM - Run 1
OTL by OldTimer - Version 3.2.6.0 Folder = C:\Documents and Settings\Jason\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 84.00% Memory free
5.00 Gb Paging File | 5.00 Gb Available in Paging File | 94.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 144.31 Gb Total Space | 72.36 Gb Free Space | 50.14% Space Free | Partition Type: NTFS
Drive D: | 4.18 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: JASONSDESKTOP
Current User Name: Jason
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

[HKEY_USERS\S-1-5-21-3990702668-1057175237-675285069-1005\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"3587:TCP" = 3587:TCP:*:Enabled:Windows Peer-to-Peer Grouping
"3540:UDP" = 3540:UDP:*:Enabled:Peer Name Resolution Protocol (PNRP)
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"3587:TCP" = 3587:TCP:*:Enabled:Windows Peer-to-Peer Grouping
"3540:UDP" = 3540:UDP:*:Enabled:Peer Name Resolution Protocol (PNRP)
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- File not found
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL -- File not found

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\World of Warcraft\BackgroundDownloader.exe" = C:\Program Files\World of Warcraft\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"C:\Program Files\World of Warcraft\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe" = C:\Program Files\World of Warcraft\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"C:\Program Files\World of Warcraft\Repair.exe" = C:\Program Files\World of Warcraft\Repair.exe:*:Enabled:Blizzard Repair Utility -- (Blizzard Entertainment, Inc.)
"C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe" = C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe:*:Enabled:Sid Meier's Civilization 4 -- (Firaxis Games)
"C:\Program Files\World of Warcraft\WoW-2.0.3-enUS-downloader.exe" = C:\Program Files\World of Warcraft\WoW-2.0.3-enUS-downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"C:\Program Files\World of Warcraft\WoW-2.0.4.6314-to-2.0.5.6320-enUS-downloader.exe" = C:\Program Files\World of Warcraft\WoW-2.0.4.6314-to-2.0.5.6320-enUS-downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"C:\Program Files\World of Warcraft\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe" = C:\Program Files\World of Warcraft\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"C:\Program Files\World of Warcraft\WoW-2.0.3.6299-to-2.0.5.6320-enUS-downloader.exe" = C:\Program Files\World of Warcraft\WoW-2.0.3.6299-to-2.0.5.6320-enUS-downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"C:\Program Files\Ventrilo\Ventrilo.exe" = C:\Program Files\Ventrilo\Ventrilo.exe:*:Enabled:Ventrilo.exe -- ()
"C:\Program Files\BitTorrent\bittorrent.exe" = C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent -- (BitTorrent, Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{075473F5-846A-448B-BCB3-104AA1760205}" = Roxio RecordNow Data
"{0DD140D3-9563-481E-AA75-BA457CBDAEF2}" = PC Inspector File Recovery
"{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Roxio DLA
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{21657574-BD54-48A2-9450-EB03B2C7FC29}" = Roxio MyDVD LE
"{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}" = Skype™ 4.0
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java™ 6 Update 20
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35CB6715-41F8-4F99-8881-6FC75BF054B0}" = Oblivion
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{43CAC9A1-1993-4F65-9096-7C9AFC2BBF54}" = Dell CinePlayer
"{4667B940-BB01-428B-986E-A0CC46497BF7}" = ELIcon
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{53735ECE-E461-4FD0-B742-23A352436D3A}" = Logitech Updater
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{5B6BE547-21E2-49CA-B2E2-6A5F470593B1}" = Sonic Activation Module
"{629F65FB-7F3C-4D66-A1C0-20722744B7B6}" = Star Wars® Knights of the Old Republic® II: The Sith Lords™
"{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}" = AOLIcon
"{63CEA2E4-4FE7-4F2C-B388-C1313D24157C}" = SPORE™ Galactic Adventures
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6D5FCA42-1486-4E32-AFE8-1B7E2AA59D33}" = Digital Content Portal
"{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer
"{6EECB283-E65F-40EF-86D3-D51BF02A8D43}" = Microsoft Office Converter Pack
"{6F69C969-2942-4E7B-B594-75B37664B8BA}" = NVIDIA System Update
"{71883667-71F2-48A1-AB72-28D518D8AC4A}" = Seagate Manager Installer
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{7C7F30F4-94E7-4AA8-8941-90C4A80C68BF}" = NVIDIA Performance
"{83F793B5-8BBF-42FD-A8A6-868CB3E2AAEA}" = Intel® PROSet for Wired Connections
"{84F1DE76-C48C-4281-87A0-CC9548D1E7F9}" = Rhapsody Player Engine
"{85D3CC30-8859-481A-9654-FD9B74310BEF}" = Musicmatch® Jukebox
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90260409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Web Components
"{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage
"{9941F0AA-B903-4AF4-A055-83A9815CC011}" = Sonic Encoders
"{9DF0196F-B6B8-4C3A-8790-DE42AA530101}" = SPORE™
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{A683A2C0-821C-486F-858C-FA634DB5E864}" = EducateU
"{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}" = iTunes
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Roxio RecordNow Audio
"{AC76BA86-7AD7-1033-7B44-A71000000002}" = Adobe Reader 7.1.0
"{AC96671C-2001-432C-9826-5266D84EF1DC}" = Logitech Webcam Software
"{AF19F291-F22F-4798-9662-525305AE9E48}" = WordPerfect Office 12
"{B0DF58A2-40DF-4465-AA56-38623EC9938C}" = Documentation & Support Launcher
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Roxio RecordNow Copy
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B4E03835-FB8B-458A-A1FB-8CDE5424BE66}" = Sid Meier's Civilization 4
"{B6884A07-0305-47AE-9969-8F26FADC17DE}" = Games, Music, & Photos Launcher
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{C07F8D75-7A8D-400E-A8F9-A3F396B49BB1}" = SPORE™ Creepy & Cute Parts Pack
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CE6DEE87-1C87-42ED-A108-7369BFE9076F}" = 32 bit Windows Card Reader Driver
"{CFBCE791-2D53-4FCE-B3FB-D6E01F4112E8}" = Sid Meier's Civilization 4
"{D2988E9B-C73F-422C-AD4B-A66EBE257120}" = MCU
"{D5A9DA4B-E4F9-FB49-017D-769FC540F1F0}" = EA Download Manager UI
"{DF6A589A-7A1A-430C-9FF2-A0BDB42669DC}" = Search Assist
"{E3BFEE55-39E2-4BE0-B966-89FE583822C1}" = Dell Support Center (Support Software)
"{E51B4CD9-A0A6-4324-B26A-31B3F2DE26CE}" = Black and White
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{E9CFBE78-ED91-4FCF-9E6F-210E477E527D}" = NVIDIA System Monitor
"{EF7E931D-DC84-471B-8DB6-A83358095474}" = EA Download Manager
"12133444-BF36-4d4e-B7FB-A3424C645DE4" = GemMaster Mystic
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player
"B3EE3001-DC24-4cd1-8743-5692C716659F" = Otto
"BitTorrent" = BitTorrent
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1" = Conexant D850 56K V.9x DFVc Modem
"com.ea.Vault.919CACB699904AC5D41B606703500DD39747C02D.1" = EA Download Manager UI
"Dell Digital Jukebox Driver" = Dell Digital Jukebox Driver
"Diablo II" = Diablo II
"DivX Content Uploader" = DivX Content Uploader
"doPDF 6 printer_is1" = doPDF 6.3 printer
"DVD Photo Slideshow Professional" = DVD Photo Slideshow Pro 7.50
"EA Download Manager" = EA Download Manager
"EmeraldQFE2" = Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
"EPSON Printer and Utilities" = EPSON Printer Software
"EPSON Scanner" = EPSON Scan
"ESPNMotion" = ESPNMotion
"Expstudio Audio Editor FREE" = Expstudio Audio Editor FREE
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{6F69C969-2942-4E7B-B594-75B37664B8BA}" = NVIDIA System Update
"InstallShield_{71883667-71F2-48A1-AB72-28D518D8AC4A}" = Seagate Manager Installer
"InstallShield_{7C7F30F4-94E7-4AA8-8941-90C4A80C68BF}" = NVIDIA Performance
"InstallShield_{E9CFBE78-ED91-4FCF-9E6F-210E477E527D}" = NVIDIA System Monitor
"lvdrivers_12.0" = Logitech Webcam Software Driver Package
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.5.9)" = Mozilla Firefox (3.5.9)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NIS" = Norton Internet Security
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"PROSet" = Intel® PRO Network Connections Drivers
"RealPlayer 6.0" = RealPlayer Basic
"StreetPlugin" = Learn2 Player (Uninstall Only)
"Switch" = Switch Uninstall
"SystemRequirementsLab" = System Requirements Lab
"ViewpointMediaPlayer" = Viewpoint Media Player
"Warcraft II BNE" = Warcraft II BNE
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"World of Warcraft" = World of Warcraft
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-3990702668-1057175237-675285069-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Warcraft III" = Warcraft III: All Products

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 6/10/2010 1:47:08 AM | Computer Name = JASONSDESKTOP | Source = Application Error | ID = 1000
Description = Faulting application oblivion.exe, version 1.2.0.416, faulting module
l3codecx.ax, version 1.6.0.51, fault address 0x000017de.

Error - 6/10/2010 2:10:38 AM | Computer Name = JASONSDESKTOP | Source = Application Error | ID = 1000
Description = Faulting application oblivion.exe, version 1.2.0.416, faulting module
l3codecx.ax, version 1.6.0.51, fault address 0x000017de.

Error - 6/10/2010 2:28:27 AM | Computer Name = JASONSDESKTOP | Source = Application Error | ID = 1000
Description = Faulting application oblivion.exe, version 1.2.0.416, faulting module
l3codecx.ax, version 1.6.0.51, fault address 0x000017de.

Error - 6/10/2010 2:50:09 AM | Computer Name = JASONSDESKTOP | Source = Application Error | ID = 1000
Description = Faulting application oblivion.exe, version 1.2.0.416, faulting module
l3codecx.ax, version 1.6.0.51, fault address 0x000017de.

Error - 6/10/2010 3:00:35 AM | Computer Name = JASONSDESKTOP | Source = Application Error | ID = 1000
Description = Faulting application oblivion.exe, version 1.2.0.416, faulting module
l3codecx.ax, version 1.6.0.51, fault address 0x000017de.

Error - 6/10/2010 4:17:39 AM | Computer Name = JASONSDESKTOP | Source = Application Error | ID = 1000
Description = Faulting application oblivion.exe, version 1.2.0.416, faulting module
l3codecx.ax, version 1.6.0.51, fault address 0x000017de.

Error - 6/10/2010 4:25:39 AM | Computer Name = JASONSDESKTOP | Source = Application Error | ID = 1000
Description = Faulting application oblivion.exe, version 1.2.0.416, faulting module
l3codecx.ax, version 1.6.0.51, fault address 0x000017de.

Error - 6/10/2010 12:55:10 PM | Computer Name = JASONSDESKTOP | Source = Application Error | ID = 1000
Description = Faulting application oblivion.exe, version 1.2.0.416, faulting module
l3codecx.ax, version 1.6.0.51, fault address 0x000017de.

Error - 6/10/2010 1:06:28 PM | Computer Name = JASONSDESKTOP | Source = Application Error | ID = 1000
Description = Faulting application oblivion.exe, version 1.2.0.416, faulting module
l3codecx.ax, version 1.6.0.51, fault address 0x000017de.

Error - 6/10/2010 1:24:04 PM | Computer Name = JASONSDESKTOP | Source = Application Error | ID = 1000
Description = Faulting application oblivion.exe, version 1.2.0.416, faulting module
l3codecx.ax, version 1.6.0.51, fault address 0x000017de.

[ System Events ]
Error - 6/6/2010 9:33:40 PM | Computer Name = JASONSDESKTOP | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 6/7/2010 11:25:55 AM | Computer Name = JASONSDESKTOP | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 6/7/2010 11:25:55 AM | Computer Name = JASONSDESKTOP | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 6/7/2010 6:17:06 PM | Computer Name = JASONSDESKTOP | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 6/7/2010 6:17:06 PM | Computer Name = JASONSDESKTOP | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 6/7/2010 10:35:50 PM | Computer Name = JASONSDESKTOP | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 6/7/2010 10:35:50 PM | Computer Name = JASONSDESKTOP | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 6/7/2010 11:11:24 PM | Computer Name = JASONSDESKTOP | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 6/7/2010 11:11:24 PM | Computer Name = JASONSDESKTOP | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 6/8/2010 10:08:41 PM | Computer Name = JASONSDESKTOP | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.


< End of report >



#13 DrEvil

DrEvil
  • Topic Starter

  • Members
  • 9 posts

Posted 11 June 2010 - 02:08 AM

Kaspersky Report:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, June 11, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, June 11, 2010 01:30:41
Records in database: 4254216
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\

Scan statistics:
Objects scanned: 126786
Threats found: 3
Infected objects found: 3
Suspicious objects found: 0
Scan duration: 02:37:48


File name / Threat / Threats count
C:\Documents and Settings\Jason\Application Data\Sun\Java\Deployment\cache\6.0\42\58c5086a-70d18810 Infected: Exploit.Java.Agent.a 1
C:\Documents and Settings\Jason\Application Data\Sun\Java\Deployment\cache\6.0\42\58c5086a-70d18810 Infected: Exploit.Java.CVE-2009-3867.a 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\isapnp.sys.vir Infected: Rootkit.Win32.TDSS.ap 1

Selected area has been scanned.


#14 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 14 June 2010 - 07:11 PM

Hello.

I apologize for the delay, and to the others I am helping as well; I was sick recently and had some other personal work that had to be done. Sorry.

Let's continue here...

QUOTE
Not sure if that's a result from combofix? I did find it amusing that Norton's recommended action was: Get help

Yes, that's part of what we already disinfected. It's under quarantine. NO need to worry about that.

Why run Combofix again? Please do not run it again, it is not needed.

How's your computer running now? Logs are looking clean.

Just clear your Java caches...

Download and Run ATFCleaner

Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are receiving help.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
If you use Firefox browser also...
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser also...
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.


Kind Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

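The Kaspersky report a few posts up lists three detections, and the reply above points out that the TDSS hit sits in ComboFix's quarantine rather than live on disk, while the other two are Java deployment-cache entries that clearing the cache removes. As an added example (not code from this thread, from Kaspersky, or from BleepingComputer), here is a small Python triage script that parses detection lines in the scanner's "path Infected: threat count" format and separates findings inside a tool quarantine folder or the Java cache from anything still live. The marker strings, the `Finding` class and the classification rule are assumptions for illustration; the sample lines are constructed from the report shown in the thread.

```python
"""Triage a Kaspersky Online Scanner detection list (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the three detection lines from the report above,
# in the scanner's "path Infected: threat count" format.
SAMPLE_REPORT = """\
File name / Threat / Threats count
C:\\Documents and Settings\\Jason\\Application Data\\Sun\\Java\\Deployment\\cache\\6.0\\42\\58c5086a-70d18810 Infected: Exploit.Java.Agent.a 1
C:\\Documents and Settings\\Jason\\Application Data\\Sun\\Java\\Deployment\\cache\\6.0\\42\\58c5086a-70d18810 Infected: Exploit.Java.CVE-2009-3867.a 1
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\Drivers\\isapnp.sys.vir Infected: Rootkit.Win32.TDSS.ap 1

Selected area has been scanned.
"""

# Assumed marker substrings (lower-cased, matched anywhere in the path):
# ComboFix keeps neutralised files under C:\Qoobox\Quarantine, and the Java
# deployment cache only holds downloaded applets/JARs, so both are "not live".
QUARANTINE_MARKERS = ("\\qoobox\\quarantine\\",)
CACHE_MARKERS = ("\\sun\\java\\deployment\\cache\\",)

# One detection line: <path> Infected: <threat name> <count>
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")


@dataclass(frozen=True)
class Finding:
    path: str
    threat: str
    count: int
    status: str  # "quarantined", "cache" or "live"


def classify(path: str) -> str:
    """Decide whether a detected path is already neutralised or still live."""
    p = path.lower()
    if any(m in p for m in QUARANTINE_MARKERS):
        return "quarantined"
    if any(m in p for m in CACHE_MARKERS):
        return "cache"
    return "live"


def parse_report(text: str) -> List[Finding]:
    """Extract Finding records from the report; non-detection lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        findings.append(
            Finding(m["path"], m["threat"], int(m["count"]), classify(m["path"]))
        )
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Threat counts per status; a non-zero 'live' count is what needs follow-up."""
    by_status = {"quarantined": 0, "cache": 0, "live": 0}
    for f in findings:
        by_status[f.status] += f.count
    return by_status


def live_findings(findings: List[Finding]) -> List[Finding]:
    """Only the detections that are neither quarantined nor cache entries."""
    return [f for f in findings if f.status == "live"]


if __name__ == "__main__":
    fs = parse_report(SAMPLE_REPORT)
    for f in fs:
        print(f"{f.status:11} {f.threat:32} {f.path}")
    print(summarize(fs))
    print("live detections:", len(live_findings(fs)))
```

On the thread's report the script reports one quarantined hit, two cache hits and no live detections, which is the same conclusion the reply reaches by hand; on a report with a driver path outside any quarantine folder, the same line would be flagged as live.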
#15 DrEvil

DrEvil
  • Topic Starter

  • Members
  • 9 posts

Posted 14 June 2010 - 09:41 PM

Thanks for taking the time to help me. I know y'all do this in your spare time, so no need to apologize for the delay.

Computer is running fine!

Ran ATF Cleaner as you instructed. Is there any way to delete the quarantined file so it stops showing up on scans?

Thanks again for the help



