Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HTTPS Tidserv Request 2 Infection


  • This topic is locked This topic is locked
18 replies to this topic

#1 Tenny3

Tenny3

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:38 PM

Posted 07 June 2010 - 05:41 AM

I would greatly appreciate any assistance in removing this virus. Also, does it pose any threat to my security at present i.e. should I change all passwords, etc?

I got the Blue Screen when running GMER with the message PFN_LIST_CORRUPT.

Following is the dds.txt and the attachement file is attached.

DS (Ver_10-03-17.01) - NTFSx86
Run by Joe at 19:17:48.33 on Sun 06/06/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1048 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\stacsv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Joe\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig?hl=en&source=mpes
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
uInternet Connection Wizard,ShellNext = hxxp://support.dell.com/support/topics/global.aspx/support/dsn/document?c=us&l=en&s=gen&docid=359495
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: H - No File
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: ?S - No File
BHO: @?S - No File
BHO: {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\4.2.0.12\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\4.2.0.12\IPSBHO.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: ?S - No File
BHO: S - No File
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\4.2.0.12\coIEPlg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [SigmatelSysTrayApp] "c:\program files\sigmatel\c-major audio\wdm\stsystra.exe"
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35.exe" /scan:boot
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: intuit.com\ttlc
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} - hxxp://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_4.cab
DPF: {531C8059-ED3C-481E-B46C-558CF2862F6B} - hxxp://imgweb.charlestoncounty.org/AppNet/activex/OBXWebSelect.cab
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1253883700031
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D53C7B6F-E402-4AD9-A4A7-4ED69437300F} - hxxp://imgweb.charlestoncounty.org/AppNet/activex/OBXWebViewer.cab
DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} - hxxp://h30155.www3.hp.com/ediags/hpfix/aio/en/check/qdiagh.cab?326
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\intuit\quickbooks 2010\HelpAsyncPluggableProtocol.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: GoToAssist - c:\program files\citrix\gotoassist\480\G2AWinLogon.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0402000.00c\symds.sys [2010-6-5 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0402000.00c\symefa.sys [2010-6-5 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\bashdefs\20100429.001\BHDrvx86.sys [2010-4-29 537136]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0402000.00c\cchpx86.sys [2010-6-5 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0402000.00c\ironx86.sys [2010-6-5 116784]
R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\4.2.0.12\ccsvchst.exe [2010-6-5 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-6-5 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\ipsdefs\20100528.003\IDSXpx86.sys [2010-5-28 331640]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20100606.003\NAVENG.SYS [2010-6-6 85552]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20100606.003\NAVEX15.SYS [2010-6-6 1347504]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-10 135664]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2006-8-29 30192]
S3 SCR3XX2K;SCR3xx USB SmartCardReader;c:\windows\system32\drivers\SCR3XX2K.sys [2010-1-6 57856]

=============== Created Last 30 ================

2010-06-06 23:14:15 0 ----a-w- c:\documents and settings\joe\defogger_reenable
2010-06-06 14:49:42 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-06-06 14:48:54 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-06-06 14:48:51 0 d-----w- c:\program files\Hitman Pro 3.5
2010-06-05 15:35:26 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-06-05 15:35:26 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-06-05 15:35:26 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-06-05 15:35:26 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-06-05 15:35:26 0 d-----w- c:\program files\Symantec
2010-06-05 15:33:41 0 d-----w- c:\program files\Norton Security Suite
2010-06-05 14:51:30 0 d-----w- c:\windows\system32\wbem\Repository
2010-06-04 17:31:43 0 d-----w- c:\docume~1\joe\applic~1\Malwarebytes
2010-06-04 17:11:44 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-04 17:11:43 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-25 18:02:01 1054 ----a-w- C:\SentriLockCardUtil.err
2010-05-25 17:48:25 0 d-----w- c:\docume~1\joe\applic~1\SentriLock
2010-05-25 17:47:25 0 d-----w- c:\program files\SentrilockCardUtility
2010-05-25 17:43:12 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-05-25 17:43:12 0 d-----w- c:\docume~1\alluse~1\applic~1\SentriLock
2010-05-13 20:23:10 0 d-----w- c:\docume~1\alluse~1\applic~1\Nuance
2010-05-13 20:21:24 95 ----a-w- c:\windows\QBChanUtil_Trigger.ini
2010-05-13 20:21:23 0 d-----w- c:\docume~1\alluse~1\applic~1\SQL Anywhere 11
2010-05-13 20:21:19 0 d-----w- c:\docume~1\alluse~1\applic~1\COMMON FILES
2010-05-13 19:46:31 0 d-----w- c:\program files\Akamai
2010-05-13 17:08:54 4194304 ----a-w- c:\windows\system32\cdintf400.dll
2010-05-10 20:44:39 0 d-----w- c:\windows\system32\drivers\N360
2010-05-10 20:44:31 0 d-----w- c:\program files\Norton 360(2)
2010-05-10 17:38:16 0 d-----w- c:\docume~1\alluse~1\applic~1\PCSettings
2010-05-10 17:34:32 0 d-----w- c:\program files\NortonInstaller
2010-05-10 17:34:32 0 d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2010-05-10 12:14:24 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton

==================== Find3M ====================

2010-06-06 21:25:38 54275 ----a-w- c:\windows\system32\nvModes.dat
2010-06-04 20:27:23 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll
2007-06-07 02:42:48 1494 ----a-w- c:\program files\19865333.vcs
2007-04-04 18:44:32 1837280 ----a-w- c:\program files\snpvw.exe
2006-09-14 21:31:51 88 --sh--r- c:\windows\system32\82AA460BA0.sys
2006-09-14 21:31:52 3974 --sha-w- c:\windows\system32\KGyGaAvL.sys
2008-09-09 16:59:27 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090920080910\index.dat

============= FINISH: 19:20:17.15 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:11:38 AM

Posted 10 June 2010 - 06:39 AM

Hello and welcome to Bleeping Computer. smile.gif

*Please Subscribe to this Thread to get immediate notification of replies. See HERE

*It is important not to make any further changes or run any other tools/updates unless instructed to. This may hinder the cleaning process of your machine.

*Please be patient, all Bleeping Computer helpers are volunteers and have lives outside this forum.

*You must reply within 5 days otherwise this topic will be closed.



===============================


Please run GMER in safe mode.
How to boot in safe mode => http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/


Double click GMER.exe and if you are asked if you want to allow gmer.sys driver to load, please allow it to do so.
  • If it gives you a warning about rootkit activity and asks if you want to run scan, please click on NO.
  • In the right panel you will see several boxes that have been checked. Unchecked the following checkboxes:
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Now click on the Scan button and wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in ark.txt and save it to your desktop.
  • Post the contents of that report when you reply.

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 Tenny3

Tenny3
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:38 PM

Posted 10 June 2010 - 11:56 AM

Thanks for your reply, Sempei. Scan has been running for a fewl hours now after one memory dump, so hopefully it will finish properly. I will post it as soon as it completes.

#4 Tenny3

Tenny3
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:38 PM

Posted 10 June 2010 - 02:03 PM

I have finished the scan, but due to the low resolution in safe mode I cannot see the "save" button - is there a keystroke that will get me there?

#5 Tenny3

Tenny3
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:38 PM

Posted 10 June 2010 - 10:12 PM

Finally got gmer to run. Following is the result:

MER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-10 23:07:37
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Joe\LOCALS~1\Temp\kwryifob.sys


---- Kernel code sections - GMER 1.0.15 ----

? SYMDS.SYS The system cannot find the file specified. !
? SYMEFA.SYS The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device B9BEBD20
Device B9C03631

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


#6 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:11:38 AM

Posted 11 June 2010 - 04:54 AM

Hi,

Viewpoint Warning:
I see you have Viewpoint installed...
Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This will change from what we know in 2006 read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player




=====================================



Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.
Link 1
Link 2

  • It's important to temporary disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:
  1. Leave your computer alone while ComboFix is running.
  2. ComboFix will restart your computer if malware is found; allow it to do so.
  3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  4. Please do not mouseclick combofix's window while its running because it may call it to stall.
  5. ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.


~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#7 Tenny3

Tenny3
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:38 PM

Posted 11 June 2010 - 10:21 AM

Thanks again - following is the combofix log:
ComboFix 10-06-10.04 - Joe 06/11/2010 10:11:18.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1215 [GMT -4:00]
Running from: c:\documents and settings\Joe\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\david\g2mdlhlpx.exe
c:\documents and settings\david\GoToAssistDownloadHelper.exe
c:\windows\system32\bszip.dll
c:\windows\system32\Data
c:\windows\system32\raddrv.dll
c:\windows\system32\st325602.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_USBAAPL


((((((((((((((((((((((((( Files Created from 2010-05-11 to 2010-06-11 )))))))))))))))))))))))))))))))
.

2010-06-11 13:37 . 2010-06-11 13:38 -------- d-----w- C:\32788R22FWJFW
2010-06-11 13:36 . 2010-06-11 13:36 -------- d-----w- c:\documents and settings\Joe\Application Data\Tific
2010-06-06 14:49 . 2010-06-08 11:00 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-06-06 14:48 . 2010-06-06 21:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-06-06 14:48 . 2010-06-06 14:48 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-06-05 15:35 . 2010-06-05 15:35 -------- d-----w- c:\program files\Symantec
2010-06-05 15:35 . 2010-06-05 15:35 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-06-05 15:35 . 2010-06-05 15:35 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-06-05 15:33 . 2010-06-05 15:33 -------- d-----w- c:\program files\Norton Security Suite
2010-06-05 14:51 . 2010-06-05 14:51 -------- d-----w- c:\windows\system32\wbem\Repository
2010-06-04 17:31 . 2010-06-04 17:31 -------- d-----w- c:\documents and settings\Joe\Application Data\Malwarebytes
2010-06-04 17:15 . 2010-06-04 17:15 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-06-04 17:11 . 2010-06-04 17:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-04 17:11 . 2010-06-05 14:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-25 17:48 . 2010-05-25 17:48 -------- d-----w- c:\documents and settings\Joe\Application Data\SentriLock
2010-05-25 17:47 . 2010-05-25 17:47 -------- d-----w- c:\program files\SentrilockCardUtility
2010-05-25 17:43 . 2010-05-25 17:43 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-25 17:43 . 2010-05-25 17:43 -------- d-----w- c:\documents and settings\All Users\Application Data\SentriLock
2010-05-17 16:03 . 2010-05-17 16:03 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Intuit
2010-05-13 20:23 . 2010-05-13 20:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Nuance
2010-05-13 20:21 . 2010-05-14 11:21 -------- d-----w- c:\documents and settings\All Users\Application Data\SQL Anywhere 11
2010-05-13 20:21 . 2010-05-13 20:21 -------- d-----w- c:\documents and settings\All Users\Application Data\COMMON FILES
2010-05-13 19:46 . 2010-05-13 19:54 -------- d-----w- c:\documents and settings\Joe\Application Data\Download Manager
2010-05-13 19:46 . 2010-05-13 19:46 -------- d-----w- c:\program files\Akamai
2010-05-13 17:08 . 2009-06-22 13:14 4194304 ----a-w- c:\windows\system32\cdintf400.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-11 13:19 . 2006-08-29 16:06 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-06-11 11:49 . 2006-08-29 16:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-06-08 19:07 . 2006-08-29 15:41 54194 ----a-w- c:\windows\system32\nvModes.dat
2010-06-08 10:52 . 2008-10-15 17:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-06-07 15:20 . 2009-09-24 21:11 -------- d-----w- c:\documents and settings\Joe\Application Data\Apple Computer
2010-06-06 14:12 . 2009-12-23 12:11 420592 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-06-05 15:57 . 2006-09-06 21:26 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-06-05 15:35 . 2010-06-05 15:35 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-06-05 15:35 . 2010-06-05 15:35 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-06-05 15:21 . 2006-09-06 21:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-06-05 15:20 . 2009-09-24 21:16 -------- d-----w- c:\documents and settings\Joe\Application Data\Symantec
2010-06-05 15:16 . 2010-05-10 12:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-05-28 16:43 . 2008-01-17 23:36 256 ----a-w- c:\windows\system32\pool.bin
2010-05-17 16:03 . 2006-08-29 16:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit
2010-05-15 09:54 . 2006-08-29 16:22 -------- d-----w- c:\program files\Google
2010-05-13 20:31 . 2006-08-29 16:14 -------- d-----w- c:\program files\Common Files\Intuit
2010-05-13 20:23 . 2006-08-29 16:13 -------- d-----w- c:\program files\Intuit
2010-05-13 17:20 . 2008-01-03 21:27 -------- d-----w- c:\program files\Quicken
2010-05-13 07:10 . 2009-09-25 11:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-12 12:42 . 2010-05-10 17:34 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-05-12 12:39 . 2010-05-10 20:44 -------- d-----w- c:\program files\Norton 360(2)
2010-05-10 17:39 . 2010-05-10 17:39 -------- d-----w- c:\documents and settings\Joe\Application Data\ScanSoft
2010-05-10 17:38 . 2010-05-10 17:38 -------- d-----w- c:\documents and settings\All Users\Application Data\PCSettings
2010-05-10 17:34 . 2010-05-10 17:34 -------- d-----w- c:\program files\NortonInstaller
2007-06-07 02:42 . 2007-06-07 02:42 1494 ----a-w- c:\program files\19865333.vcs
2007-04-04 18:44 . 2007-04-04 18:40 1837280 ----a-w- c:\program files\snpvw.exe
2010-02-13 15:36 . 2009-09-28 17:32 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2006-09-14 21:31 . 2006-09-08 15:58 88 --sh--r- c:\windows\system32\82AA460BA0.sys
2006-09-14 21:31 . 2006-09-08 15:58 3974 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 24576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-06-22 1384448]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-02-13 30192]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-22 7557120]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2010-3-24 1154848]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2007-12-17 02:12 10792 ----a-w- c:\program files\Citrix\GoToAssist\480\g2awinlogon.dll
path=
backup=

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^david^Start Menu^Programs^Startup^Desktop Manager.lnk]
backup=c:\windows\pss\Desktop Manager.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCameraAssistant
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideo[inspector]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AndreaVC]
2006-02-16 14:20 1118208 ------w- c:\program files\Creative\VoiceCenter\AndreaVC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
2009-11-20 03:29 623960 ----a-w- c:\program files\Common Files\Research in Motion\Auto Update\RIMAutoUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]
2006-11-07 23:03 65536 ------w- c:\program files\Brother\ControlCenter3\BrCtrCen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector U]
2005-12-27 16:23 110592 ------w- c:\program files\Creative\MediaSource5\CTDetctu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
2006-06-02 16:05 1032192 ----a-w- c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 15:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2008-08-13 22:32 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
2005-09-08 10:20 122940 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-11-15 14:24 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
2007-03-15 22:16 454784 ----a-w- c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2010-02-13 15:36 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HitmanPro35]
2010-06-06 14:47 5937984 ----a-w- c:\program files\Hitman Pro 3.5\HitmanPro35.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2004-05-12 19:18 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-12-11 01:52 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpcmpmgr]
2004-05-12 19:18 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2006-07-07 23:15 600896 ----a-w- c:\program files\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Intuit SyncManager]
2010-01-27 01:04 1337608 ----a-w- c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2008-10-24 14:14 206112 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2008-10-24 14:14 206112 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2008-10-24 14:14 79136 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-11-20 18:20 290088 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
2007-02-08 06:12 488984 ----a-w- c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2007-02-08 06:13 774168 ----a-w- c:\program files\Logitech\QuickCam10\QuickCam10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MBMon]
2006-06-29 04:12 1355042 ----a-w- c:\windows\system32\CTMBHA.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
2003-09-10 07:24 20480 ------w- c:\program files\NetWaiting\netwaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetct]
2005-07-13 00:05 1117184 ----a-w- c:\program files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
2005-07-13 00:05 1117184 ----a-w- c:\program files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-03-22 00:03 7557120 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVHotkey]
2006-03-22 00:03 73728 ----a-w- c:\windows\system32\nvhotkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2006-03-22 00:03 1519616 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2007-01-30 01:12 30248 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPort11reminder]
2007-02-01 17:46 255528 ----a-w- c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-11-04 15:30 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2006-08-29 16:13 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2009-07-08 17:31 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefaultMIDI]
2004-12-22 09:40 24576 ----a-w- c:\windows\MIDIDEF.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2007-05-10 15:22 405504 ----a-w- c:\program files\Sigmatel\C-Major Audio\WDM\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-10-25 13:03 210472 ----a-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-03-14 07:43 83608 ----a-w- c:\program files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-10-15 17:21 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
2008-04-14 00:12 143360 ----a-w- c:\windows\system32\mobsync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoiceCenter]
2006-02-16 14:20 1118208 ------w- c:\program files\Creative\VoiceCenter\AndreaVC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"FLEXnet Licensing Service"=3 (0x3)
"DSBrokerService"=3 (0x3)
"dmserver"=3 (0x3)
"dmadmin"=3 (0x3)
"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\support\\bin\\RosettaStoneLtdServices.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2010\\QBDBMgrN.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"<NO NAME>"=

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0402000.00C\symds.sys [6/5/2010 2:46 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0402000.00C\symefa.sys [6/5/2010 2:46 PM 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20100429.001\BHDrvx86.sys [4/29/2010 1:44 PM 537136]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0402000.00C\cchpx86.sys [6/5/2010 2:46 PM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0402000.00C\ironx86.sys [6/5/2010 2:46 PM 116784]
R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\4.2.0.12\ccsvchst.exe [6/5/2010 2:43 PM 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/9/2010 8:54 PM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20100604.004\IDSXpx86.sys [6/8/2010 6:34 PM 331640]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/10/2010 10:25 PM 135664]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [8/29/2006 12:22 PM 30192]
S3 SCR3XX2K;SCR3xx USB SmartCardReader;c:\windows\system32\drivers\SCR3XX2K.sys [1/6/2010 11:19 PM 57856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-06-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-11 02:24]

2010-06-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-11 02:24]

2010-06-11 c:\windows\Tasks\{F897AA24-BDC3-11D1-B85B-00C04FB93981}_TERMINALS_david.job
- c:\windows\system32\mobsync.exe [2004-08-11 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?hl=en&amp;source=mpes
uInternet Connection Wizard,ShellNext = hxxp://support.dell.com/support/topics/global.aspx/support/dsn/document?c=us&l=en&s=gen&docid=359495
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: intuit.com\ttlc
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll
DPF: {531C8059-ED3C-481E-B46C-558CF2862F6B} - hxxp://imgweb.charlestoncounty.org/AppNet/activex/OBXWebSelect.cab
DPF: {D53C7B6F-E402-4AD9-A4A7-4ED69437300F} - hxxp://imgweb.charlestoncounty.org/AppNet/activex/OBXWebViewer.cab
FF - ProfilePath - c:\documents and settings\Joe\Application Data\Mozilla\Firefox\Profiles\oj21d870.default\
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - (no file)
BHO-{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - (no file)
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
MSConfigStartUp-Zune Launcher - c:\program files\Zune\ZuneLauncher.exe
MSConfigStartUp-ZuneLauncher - c:\program files\Zune\ZuneLauncher.exe
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-11 10:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A298EC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecf28
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\atapi -> atapi.sys @ 0xb9f11852
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\4.2.0.12\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1112)
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToAssist\480\G2AWinLogon.dll

- - - - - - - > 'lsass.exe'(1172)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2480)
c:\windows\system32\WININET.dll
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\stacsv.exe
.
**************************************************************************
.
Completion time: 2010-06-11 10:51:42 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-11 14:51

Pre-Run: 30,539,919,360 bytes free
Post-Run: 31,319,326,720 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 343BCB27FC6FA5353374DE563E33A374


#8 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:11:38 AM

Posted 12 June 2010 - 01:32 AM

Hi,

Please do the following:


1. Please download DeFogger to your desktop.
Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.




2. We need to execute a ComboFix script. (Tutorials on how to disable your anti virus and anti malware programs can be found HERE.)
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the code box below into it:

CODE
File::
c:\windows\system32\drivers\lvuvc.hs

DirLook::
C:\32788R22FWJFW

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000000

DDS::
uURLSearchHooks: H - No File
BHO: ?S - No File
BHO: @?S - No File
BHO: ?S - No File
BHO: S - No File


4. Save this as CFScript.txt, in the same location as ComboFix.exe




5. Refering to the picture above, drag CFScript into ComboFix.exe

6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#9 Tenny3

Tenny3
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:38 PM

Posted 12 June 2010 - 05:06 AM

ComboFix 10-06-10.04 - Joe 06/12/2010 5:40.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1590 [GMT -4:00]
Running from: c:\documents and settings\Joe\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Joe\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\tcpip.sys was found and disinfected
Restored copy from - Kitty had a snack tongue.gif
.
((((((((((((((((((((((((( Files Created from 2010-05-12 to 2010-06-12 )))))))))))))))))))))))))))))))
.

2010-06-11 13:36 . 2010-06-11 13:36 -------- d-----w- c:\documents and settings\Joe\Application Data\Tific
2010-06-10 07:02 . 2010-06-10 07:02 44832 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\qbpatch.exe
2010-06-06 14:49 . 2010-06-08 11:00 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-06-06 14:48 . 2010-06-06 21:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-06-06 14:48 . 2010-06-06 14:48 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-06-05 18:46 . 2010-05-06 04:01 361904 ----a-w- c:\windows\system32\drivers\symtdi.sys
2010-06-05 18:46 . 2010-04-22 03:02 173104 ----a-w- c:\windows\system32\drivers\symefa.sys
2010-06-05 18:46 . 2009-10-15 03:50 328752 ----a-r- c:\windows\system32\drivers\symds.sys
2010-06-05 18:46 . 2010-04-22 02:29 43696 ----a-w- c:\windows\system32\drivers\srtspx.sys
2010-06-05 18:46 . 2010-04-29 05:03 116784 ----a-w- c:\windows\system32\drivers\ironx86.sys
2010-06-05 18:46 . 2010-02-26 00:22 501888 ----a-w- c:\windows\system32\drivers\cchpx86.sys
2010-06-05 15:35 . 2010-06-05 15:35 -------- d-----w- c:\program files\Symantec
2010-06-05 15:35 . 2010-06-05 15:35 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-06-05 15:35 . 2010-06-05 15:35 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-06-05 15:33 . 2010-06-05 15:33 -------- d-----w- c:\program files\Norton Security Suite
2010-06-05 14:51 . 2010-06-05 14:51 -------- d-----w- c:\windows\system32\wbem\Repository
2010-06-04 17:31 . 2010-06-04 17:31 -------- d-----w- c:\documents and settings\Joe\Application Data\Malwarebytes
2010-06-04 17:15 . 2010-06-04 17:15 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-06-04 17:11 . 2010-06-04 17:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-04 17:11 . 2010-06-05 14:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-25 17:48 . 2010-05-25 17:48 -------- d-----w- c:\documents and settings\Joe\Application Data\SentriLock
2010-05-25 17:47 . 2010-05-25 17:47 -------- d-----w- c:\program files\SentrilockCardUtility
2010-05-25 17:43 . 2010-05-25 17:43 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-25 17:43 . 2010-05-25 17:43 -------- d-----w- c:\documents and settings\All Users\Application Data\SentriLock
2010-05-17 16:03 . 2010-05-17 16:03 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Intuit
2010-05-14 13:45 . 2010-06-10 07:02 975136 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\qbpatch2.exe
2010-05-14 13:45 . 2010-05-14 13:44 348160 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\msvcr71.dll
2010-05-14 13:45 . 2010-05-14 13:44 499712 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\msvcp71.dll
2010-05-14 11:21 . 2010-06-06 12:55 3182 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\qbbackup.sys
2010-05-13 20:23 . 2010-05-13 20:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Nuance
2010-05-13 20:21 . 2010-05-14 11:21 -------- d-----w- c:\documents and settings\All Users\Application Data\SQL Anywhere 11
2010-05-13 20:21 . 2010-05-13 20:21 -------- d-----w- c:\documents and settings\All Users\Application Data\COMMON FILES
2010-05-13 19:46 . 2010-05-13 19:54 -------- d-----w- c:\documents and settings\Joe\Application Data\Download Manager
2010-05-13 19:46 . 2010-05-13 19:46 -------- d-----w- c:\program files\Akamai
2010-05-13 17:16 . 2010-05-13 17:16 5487616 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\19188-191916.dll
2010-05-13 17:15 . 2010-05-13 17:15 5686272 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\19153-191714.dll
2010-05-13 17:15 . 2010-05-13 17:15 2776576 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191429-19153.dll
2010-05-13 17:14 . 2010-05-13 17:14 7032320 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191222-191319.dll
2010-05-13 17:14 . 2010-05-13 17:14 7410688 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191319-191429.dll
2010-05-13 17:14 . 2010-05-13 17:14 6301696 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191127-191222.dll
2010-05-13 17:12 . 2010-05-13 17:12 2844160 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191714-19188.dll
2010-05-13 17:11 . 2010-05-13 17:11 243048 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\QWPATCH.EXE
2010-05-13 17:11 . 2010-05-13 17:11 230752 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\patchw32.dll
2010-05-13 17:11 . 2010-05-13 17:11 956 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\rebase.cmd
2010-05-13 17:08 . 2009-06-22 13:14 4194304 ----a-w- c:\windows\system32\cdintf400.dll
2010-05-13 17:08 . 2010-02-17 17:35 26472 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Sku\RPM\Custom\billmind.exe
2010-05-13 17:08 . 2010-02-17 17:35 26472 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Sku\Hab\Custom\billmind.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-12 09:09 . 2006-08-29 16:06 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-06-11 11:49 . 2006-08-29 16:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-06-08 19:07 . 2006-08-29 15:41 54194 ----a-w- c:\windows\system32\nvModes.dat
2010-06-08 10:52 . 2008-10-15 17:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-06-07 15:20 . 2009-09-24 21:11 -------- d-----w- c:\documents and settings\Joe\Application Data\Apple Computer
2010-06-06 14:12 . 2009-12-23 12:11 420592 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-06-05 15:57 . 2006-09-06 21:26 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-06-05 15:35 . 2010-06-05 15:35 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-06-05 15:35 . 2010-06-05 15:35 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-06-05 15:21 . 2006-09-06 21:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-06-05 15:20 . 2009-09-24 21:16 -------- d-----w- c:\documents and settings\Joe\Application Data\Symantec
2010-06-05 15:16 . 2010-05-10 12:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-05-28 16:43 . 2008-01-17 23:36 256 ----a-w- c:\windows\system32\pool.bin
2010-05-17 16:03 . 2006-08-29 16:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit
2010-05-15 09:54 . 2006-08-29 16:22 -------- d-----w- c:\program files\Google
2010-05-13 20:31 . 2006-08-29 16:14 -------- d-----w- c:\program files\Common Files\Intuit
2010-05-13 20:23 . 2006-08-29 16:13 -------- d-----w- c:\program files\Intuit
2010-05-13 17:20 . 2008-01-03 21:27 -------- d-----w- c:\program files\Quicken
2010-05-13 07:10 . 2009-09-25 11:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-12 12:42 . 2010-05-10 17:34 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-05-12 12:39 . 2010-05-10 20:44 -------- d-----w- c:\program files\Norton 360(2)
2010-05-10 17:39 . 2010-05-10 17:39 -------- d-----w- c:\documents and settings\Joe\Application Data\ScanSoft
2010-05-10 17:38 . 2010-05-10 17:38 -------- d-----w- c:\documents and settings\All Users\Application Data\PCSettings
2010-05-10 17:34 . 2010-05-10 17:34 -------- d-----w- c:\program files\NortonInstaller
2007-06-07 02:42 . 2007-06-07 02:42 1494 ----a-w- c:\program files\19865333.vcs
2007-04-04 18:44 . 2007-04-04 18:40 1837280 ----a-w- c:\program files\snpvw.exe
2010-02-13 15:36 . 2009-09-28 17:32 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2006-09-14 21:31 . 2006-09-08 15:58 88 --sh--r- c:\windows\system32\82AA460BA0.sys
2006-09-14 21:31 . 2006-09-08 15:58 3974 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 24576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-06-22 1384448]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-02-13 30192]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-22 7557120]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2010-3-24 1154848]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2007-12-17 02:12 10792 ----a-w- c:\program files\Citrix\GoToAssist\480\g2awinlogon.dll
path=
backup=

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^david^Start Menu^Programs^Startup^Desktop Manager.lnk]
backup=c:\windows\pss\Desktop Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AndreaVC]
2006-02-16 14:20 1118208 ------w- c:\program files\Creative\VoiceCenter\AndreaVC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
2009-11-20 03:29 623960 ----a-w- c:\program files\Common Files\Research in Motion\Auto Update\RIMAutoUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]
2006-11-07 23:03 65536 ------w- c:\program files\Brother\ControlCenter3\BrCtrCen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector U]
2005-12-27 16:23 110592 ------w- c:\program files\Creative\MediaSource5\CTDetctu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
2006-06-02 16:05 1032192 ----a-w- c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 15:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2008-08-13 22:32 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
2005-09-08 10:20 122940 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-11-15 14:24 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
2007-03-15 22:16 454784 ----a-w- c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2010-02-13 15:36 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HitmanPro35]
2010-06-06 14:47 5937984 ----a-w- c:\program files\Hitman Pro 3.5\HitmanPro35.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2004-05-12 19:18 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-12-11 01:52 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpcmpmgr]
2004-05-12 19:18 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2006-07-07 23:15 600896 ----a-w- c:\program files\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Intuit SyncManager]
2010-01-27 01:04 1337608 ----a-w- c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2008-10-24 14:14 206112 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2008-10-24 14:14 206112 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2008-10-24 14:14 79136 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-11-20 18:20 290088 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
2007-02-08 06:12 488984 ----a-w- c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2007-02-08 06:13 774168 ----a-w- c:\program files\Logitech\QuickCam10\QuickCam10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MBMon]
2006-06-29 04:12 1355042 ----a-w- c:\windows\system32\CTMBHA.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
2003-09-10 07:24 20480 ------w- c:\program files\NetWaiting\netwaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetct]
2005-07-13 00:05 1117184 ----a-w- c:\program files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
2005-07-13 00:05 1117184 ----a-w- c:\program files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-03-22 00:03 7557120 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVHotkey]
2006-03-22 00:03 73728 ----a-w- c:\windows\system32\nvhotkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2006-03-22 00:03 1519616 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2007-01-30 01:12 30248 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPort11reminder]
2007-02-01 17:46 255528 ----a-w- c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-11-04 15:30 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2006-08-29 16:13 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2009-07-08 17:31 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefaultMIDI]
2004-12-22 09:40 24576 ----a-w- c:\windows\MIDIDEF.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2007-05-10 15:22 405504 ----a-w- c:\program files\Sigmatel\C-Major Audio\WDM\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-10-25 13:03 210472 ----a-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-03-14 07:43 83608 ----a-w- c:\program files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-10-15 17:21 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
2008-04-14 00:12 143360 ----a-w- c:\windows\system32\mobsync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoiceCenter]
2006-02-16 14:20 1118208 ------w- c:\program files\Creative\VoiceCenter\AndreaVC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"FLEXnet Licensing Service"=3 (0x3)
"DSBrokerService"=3 (0x3)
"dmserver"=3 (0x3)
"dmadmin"=3 (0x3)
"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\support\\bin\\RosettaStoneLtdServices.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2010\\QBDBMgrN.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"<NO NAME>"=

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0402000.00C\symds.sys [6/5/2010 2:46 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0402000.00C\symefa.sys [6/5/2010 2:46 PM 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20100429.001\BHDrvx86.sys [4/29/2010 1:44 PM 537136]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0402000.00C\cchpx86.sys [6/5/2010 2:46 PM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0402000.00C\ironx86.sys [6/5/2010 2:46 PM 116784]
R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\4.2.0.12\ccsvchst.exe [6/5/2010 2:43 PM 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/9/2010 8:54 PM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20100604.004\IDSXpx86.sys [6/8/2010 6:34 PM 331640]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/10/2010 10:25 PM 135664]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [8/29/2006 12:22 PM 30192]
S3 SCR3XX2K;SCR3xx USB SmartCardReader;c:\windows\system32\drivers\SCR3XX2K.sys [1/6/2010 11:19 PM 57856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-06-12 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-01 13:11]

2010-06-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-11 02:24]

2010-06-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-11 02:24]

2010-06-11 c:\windows\Tasks\{F897AA24-BDC3-11D1-B85B-00C04FB93981}_TERMINALS_david.job
- c:\windows\system32\mobsync.exe [2004-08-11 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?hl=en&amp;source=mpes
uInternet Connection Wizard,ShellNext = hxxp://support.dell.com/support/topics/global.aspx/support/dsn/document?c=us&l=en&s=gen&docid=359495
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: intuit.com\ttlc
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll
DPF: {531C8059-ED3C-481E-B46C-558CF2862F6B} - hxxp://imgweb.charlestoncounty.org/AppNet/activex/OBXWebSelect.cab
DPF: {D53C7B6F-E402-4AD9-A4A7-4ED69437300F} - hxxp://imgweb.charlestoncounty.org/AppNet/activex/OBXWebViewer.cab
FF - ProfilePath - c:\documents and settings\Joe\Application Data\Mozilla\Firefox\Profiles\oj21d870.default\
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn\components\IPSFFPl.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-12 05:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

*

*************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\4.2.0.12\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1092)
c:\program files\Citrix\GoToAssist\480\G2AWinLogon.dll
.
Completion time: 2010-06-12 06:00:24
ComboFix-quarantined-files.txt 2010-06-12 10:00
ComboFix2.txt 2010-06-11 14:51

Pre-Run: 31,275,687,936 bytes free
Post-Run: 31,260,835,840 bytes free

- - End Of File - - F159C53F1EDAC5FC5E5D9E7C084AB7D4


#10 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:11:38 AM

Posted 12 June 2010 - 05:57 AM

Hi,

How's the computer running now?


===============================


1. Another ComboFix script please.

We need to execute a ComboFix script. (Tutorials on how to disable your anti virus and anti malware programs can be found HERE.)
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the code box below into it:

CODE
KillAll::

Rootkit::
c:\windows\system32\drivers\lvuvc.hs

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000000


4. Save this as CFScript.txt, in the same location as ComboFix.exe




5. Refering to the picture above, drag CFScript into ComboFix.exe

6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.




2. I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push



~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#11 Tenny3

Tenny3
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:38 PM

Posted 14 June 2010 - 05:48 AM

Sorry for the delay - I thought I had posted this already. Following are the logs from the combofix and eset scans:

omboFix 10-06-10.04 - Joe 06/12/2010 7:32.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1513 [GMT -4:00]
Running from: c:\documents and settings\Joe\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Joe\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2010-05-12 to 2010-06-12 )))))))))))))))))))))))))))))))
.

2010-06-11 13:36 . 2010-06-11 13:36 -------- d-----w- c:\documents and settings\Joe\Application Data\Tific
2010-06-06 14:49 . 2010-06-08 11:00 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-06-06 14:48 . 2010-06-06 21:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-06-06 14:48 . 2010-06-06 14:48 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-06-05 18:46 . 2010-05-06 04:01 361904 ----a-w- c:\windows\system32\drivers\symtdi.sys
2010-06-05 18:46 . 2010-04-22 03:02 173104 ----a-w- c:\windows\system32\drivers\symefa.sys
2010-06-05 18:46 . 2009-10-15 03:50 328752 ----a-r- c:\windows\system32\drivers\symds.sys
2010-06-05 18:46 . 2010-04-22 02:29 43696 ----a-w- c:\windows\system32\drivers\srtspx.sys
2010-06-05 18:46 . 2010-04-29 05:03 116784 ----a-w- c:\windows\system32\drivers\ironx86.sys
2010-06-05 18:46 . 2010-02-26 00:22 501888 ----a-w- c:\windows\system32\drivers\cchpx86.sys
2010-06-05 15:35 . 2010-06-05 15:35 -------- d-----w- c:\program files\Symantec
2010-06-05 15:35 . 2010-06-05 15:35 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-06-05 15:35 . 2010-06-05 15:35 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-06-05 15:33 . 2010-06-05 15:33 -------- d-----w- c:\program files\Norton Security Suite
2010-06-05 14:51 . 2010-06-05 14:51 -------- d-----w- c:\windows\system32\wbem\Repository
2010-06-04 17:31 . 2010-06-04 17:31 -------- d-----w- c:\documents and settings\Joe\Application Data\Malwarebytes
2010-06-04 17:15 . 2010-06-04 17:15 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-06-04 17:11 . 2010-06-04 17:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-04 17:11 . 2010-06-05 14:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-25 17:48 . 2010-05-25 17:48 -------- d-----w- c:\documents and settings\Joe\Application Data\SentriLock
2010-05-25 17:47 . 2010-05-25 17:47 -------- d-----w- c:\program files\SentrilockCardUtility
2010-05-25 17:43 . 2010-05-25 17:43 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-25 17:43 . 2010-05-25 17:43 -------- d-----w- c:\documents and settings\All Users\Application Data\SentriLock
2010-05-17 16:03 . 2010-05-17 16:03 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Intuit
2010-05-13 20:23 . 2010-05-13 20:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Nuance
2010-05-13 20:21 . 2010-05-14 11:21 -------- d-----w- c:\documents and settings\All Users\Application Data\SQL Anywhere 11
2010-05-13 20:21 . 2010-05-13 20:21 -------- d-----w- c:\documents and settings\All Users\Application Data\COMMON FILES
2010-05-13 19:46 . 2010-05-13 19:54 -------- d-----w- c:\documents and settings\Joe\Application Data\Download Manager
2010-05-13 19:46 . 2010-05-13 19:46 -------- d-----w- c:\program files\Akamai
2010-05-13 17:08 . 2009-06-22 13:14 4194304 ----a-w- c:\windows\system32\cdintf400.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-11 11:49 . 2006-08-29 16:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-06-10 07:02 . 2010-06-10 07:02 44832 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\qbpatch.exe
2010-06-10 07:02 . 2010-05-14 13:45 975136 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\qbpatch2.exe
2010-06-08 19:07 . 2006-08-29 15:41 54194 ----a-w- c:\windows\system32\nvModes.dat
2010-06-08 10:52 . 2008-10-15 17:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-06-07 15:20 . 2009-09-24 21:11 -------- d-----w- c:\documents and settings\Joe\Application Data\Apple Computer
2010-06-06 14:12 . 2009-12-23 12:11 420592 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-06-06 12:55 . 2010-05-14 11:21 3182 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\qbbackup.sys
2010-06-05 15:57 . 2006-09-06 21:26 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-06-05 15:35 . 2010-06-05 15:35 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-06-05 15:35 . 2010-06-05 15:35 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-06-05 15:21 . 2006-09-06 21:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-06-05 15:20 . 2009-09-24 21:16 -------- d-----w- c:\documents and settings\Joe\Application Data\Symantec
2010-06-05 15:16 . 2010-05-10 12:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-05-28 16:43 . 2008-01-17 23:36 256 ----a-w- c:\windows\system32\pool.bin
2010-05-17 16:03 . 2006-08-29 16:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit
2010-05-15 09:54 . 2006-08-29 16:22 -------- d-----w- c:\program files\Google
2010-05-14 13:44 . 2010-05-14 13:45 348160 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\msvcr71.dll
2010-05-14 13:44 . 2010-05-14 13:45 499712 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\msvcp71.dll
2010-05-13 20:31 . 2006-08-29 16:14 -------- d-----w- c:\program files\Common Files\Intuit
2010-05-13 20:23 . 2006-08-29 16:13 -------- d-----w- c:\program files\Intuit
2010-05-13 17:20 . 2008-01-03 21:27 -------- d-----w- c:\program files\Quicken
2010-05-13 17:16 . 2010-05-13 17:16 5487616 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\19188-191916.dll
2010-05-13 17:15 . 2010-05-13 17:15 5686272 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\19153-191714.dll
2010-05-13 17:15 . 2010-05-13 17:15 2776576 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191429-19153.dll
2010-05-13 17:14 . 2010-05-13 17:14 7032320 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191222-191319.dll
2010-05-13 17:14 . 2010-05-13 17:14 7410688 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191319-191429.dll
2010-05-13 17:14 . 2010-05-13 17:14 6301696 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191127-191222.dll
2010-05-13 17:12 . 2010-05-13 17:12 2844160 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191714-19188.dll
2010-05-13 17:11 . 2010-05-13 17:11 243048 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\QWPATCH.EXE
2010-05-13 17:11 . 2010-05-13 17:11 230752 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\patchw32.dll
2010-05-13 17:11 . 2010-05-13 17:11 956 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\rebase.cmd
2010-05-13 07:10 . 2009-09-25 11:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-12 12:42 . 2010-05-10 17:34 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-05-12 12:39 . 2010-05-10 20:44 -------- d-----w- c:\program files\Norton 360(2)
2010-05-10 17:39 . 2010-05-10 17:39 -------- d-----w- c:\documents and settings\Joe\Application Data\ScanSoft
2010-05-10 17:38 . 2010-05-10 17:38 -------- d-----w- c:\documents and settings\All Users\Application Data\PCSettings
2010-05-10 17:34 . 2010-05-10 17:34 -------- d-----w- c:\program files\NortonInstaller
2007-06-07 02:42 . 2007-06-07 02:42 1494 ----a-w- c:\program files\19865333.vcs
2007-04-04 18:44 . 2007-04-04 18:40 1837280 ----a-w- c:\program files\snpvw.exe
2010-02-13 15:36 . 2009-09-28 17:32 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2006-09-14 21:31 . 2006-09-08 15:58 88 --sh--r- c:\windows\system32\82AA460BA0.sys
2006-09-14 21:31 . 2006-09-08 15:58 3974 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 24576]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-15 39408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-06-22 1384448]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-02-13 30192]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-22 7557120]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2010-3-24 1154848]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2007-12-17 02:12 10792 ----a-w- c:\program files\Citrix\GoToAssist\480\g2awinlogon.dll
path=
backup=

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^david^Start Menu^Programs^Startup^Desktop Manager.lnk]
backup=c:\windows\pss\Desktop Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AndreaVC]
2006-02-16 14:20 1118208 ------w- c:\program files\Creative\VoiceCenter\AndreaVC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
2009-11-20 03:29 623960 ----a-w- c:\program files\Common Files\Research in Motion\Auto Update\RIMAutoUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]
2006-11-07 23:03 65536 ------w- c:\program files\Brother\ControlCenter3\BrCtrCen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector U]
2005-12-27 16:23 110592 ------w- c:\program files\Creative\MediaSource5\CTDetctu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
2006-06-02 16:05 1032192 ----a-w- c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 15:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2008-08-13 22:32 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
2005-09-08 10:20 122940 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-11-15 14:24 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
2007-03-15 22:16 454784 ----a-w- c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2010-02-13 15:36 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HitmanPro35]
2010-06-06 14:47 5937984 ----a-w- c:\program files\Hitman Pro 3.5\HitmanPro35.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2004-05-12 19:18 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-12-11 01:52 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpcmpmgr]
2004-05-12 19:18 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2006-07-07 23:15 600896 ----a-w- c:\program files\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Intuit SyncManager]
2010-01-27 01:04 1337608 ----a-w- c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2008-10-24 14:14 206112 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2008-10-24 14:14 206112 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2008-10-24 14:14 79136 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-11-20 18:20 290088 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
2007-02-08 06:12 488984 ----a-w- c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2007-02-08 06:13 774168 ----a-w- c:\program files\Logitech\QuickCam10\QuickCam10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MBMon]
2006-06-29 04:12 1355042 ----a-w- c:\windows\system32\CTMBHA.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
2003-09-10 07:24 20480 ------w- c:\program files\NetWaiting\netwaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetct]
2005-07-13 00:05 1117184 ----a-w- c:\program files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
2005-07-13 00:05 1117184 ----a-w- c:\program files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-03-22 00:03 7557120 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVHotkey]
2006-03-22 00:03 73728 ----a-w- c:\windows\system32\nvhotkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2006-03-22 00:03 1519616 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2007-01-30 01:12 30248 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPort11reminder]
2007-02-01 17:46 255528 ----a-w- c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-11-04 15:30 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2006-08-29 16:13 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2009-07-08 17:31 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefaultMIDI]
2004-12-22 09:40 24576 ----a-w- c:\windows\MIDIDEF.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2007-05-10 15:22 405504 ----a-w- c:\program files\Sigmatel\C-Major Audio\WDM\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-10-25 13:03 210472 ----a-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-03-14 07:43 83608 ----a-w- c:\program files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-10-15 17:21 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
2008-04-14 00:12 143360 ----a-w- c:\windows\system32\mobsync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoiceCenter]
2006-02-16 14:20 1118208 ------w- c:\program files\Creative\VoiceCenter\AndreaVC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"FLEXnet Licensing Service"=3 (0x3)
"DSBrokerService"=3 (0x3)
"dmserver"=3 (0x3)
"dmadmin"=3 (0x3)
"aawservice"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\support\\bin\\RosettaStoneLtdServices.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2010\\QBDBMgrN.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"<NO NAME>"=

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0402000.00C\symds.sys [6/5/2010 2:46 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0402000.00C\symefa.sys [6/5/2010 2:46 PM 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20100429.001\BHDrvx86.sys [4/29/2010 1:44 PM 537136]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0402000.00C\cchpx86.sys [6/5/2010 2:46 PM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0402000.00C\ironx86.sys [6/5/2010 2:46 PM 116784]
R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\4.2.0.12\ccsvchst.exe [6/5/2010 2:43 PM 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/9/2010 8:54 PM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20100604.004\IDSXpx86.sys [6/8/2010 6:34 PM 331640]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/10/2010 10:25 PM 135664]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [8/29/2006 12:22 PM 30192]
S3 SCR3XX2K;SCR3xx USB SmartCardReader;c:\windows\system32\drivers\SCR3XX2K.sys [1/6/2010 11:19 PM 57856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-06-12 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-01 13:11]

2010-06-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-11 02:24]

2010-06-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-11 02:24]

2010-06-12 c:\windows\Tasks\{F897AA24-BDC3-11D1-B85B-00C04FB93981}_TERMINALS_david.job
- c:\windows\system32\mobsync.exe [2004-08-11 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?hl=en&source=mpes
uInternet Connection Wizard,ShellNext = hxxp://support.dell.com/support/topics/global.aspx/support/dsn/document?c=us&l=en&s=gen&docid=359495
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: intuit.com\ttlc
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll
DPF: {531C8059-ED3C-481E-B46C-558CF2862F6B} - hxxp://imgweb.charlestoncounty.org/AppNet/activex/OBXWebSelect.cab
DPF: {D53C7B6F-E402-4AD9-A4A7-4ED69437300F} - hxxp://imgweb.charlestoncounty.org/AppNet/activex/OBXWebViewer.cab
FF - ProfilePath - c:\documents and settings\Joe\Application Data\Mozilla\Firefox\Profiles\oj21d870.default\
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn\components\IPSFFPl.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-12 07:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\4.2.0.12\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1112)
c:\program files\Citrix\GoToAssist\480\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(7136)
c:\windows\system32\WININET.dll
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\stacsv.exe
.
**************************************************************************
.
Completion time: 2010-06-12 08:03:01 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-12 12:02
ComboFix2.txt 2010-06-12 10:00
ComboFix3.txt 2010-06-11 14:51

Pre-Run: 31,285,972,992 bytes free
Post-Run: 31,247,126,528 bytes free

- - End Of File - - A05C1DAE20F1214F922ED52AAA9F5302

ESET:

C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\tcpip.sys.vir Win32/Olmarik.ZC trojan cleaned - quarantined


#12 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:11:38 AM

Posted 14 June 2010 - 07:52 AM

Hi Tenny3,

Everything looks good. How's the computer running now?


================================


Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 20 (JDK or JRE)...allows end-users to run Java applications".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586-p.exe to install the newest version.



================================



Please run another DDS scan and post the latest DDS report for my final review. thumbup2.gif


~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#13 Tenny3

Tenny3
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:38 PM

Posted 14 June 2010 - 11:31 AM

Running much better. I greatly appreciate your help and will be making a donation. I'm still having typical problems such as Outlook crashing, but no indication of virus and related symptoms. following is dds.txt and I am attaching attach.txt in cas you want to look at that.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Joe at 12:19:19.07 on Mon 06/14/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1345 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\stacsv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Documents and Settings\Joe\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
uInternet Connection Wizard,ShellNext = hxxp://support.dell.com/support/topics/global.aspx/support/dsn/document?c=us&l=en&s=gen&docid=359495
BHO: ?S - No File
BHO: @?S - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\4.2.0.12\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\4.2.0.12\IPSBHO.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: ?S - No File
BHO: S - No File
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\4.2.0.12\coIEPlg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SigmatelSysTrayApp] "c:\program files\sigmatel\c-major audio\wdm\stsystra.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: intuit.com\ttlc
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} - hxxp://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_4.cab
DPF: {531C8059-ED3C-481E-B46C-558CF2862F6B} - hxxp://imgweb.charlestoncounty.org/AppNet/activex/OBXWebSelect.cab
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1253883700031
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D53C7B6F-E402-4AD9-A4A7-4ED69437300F} - hxxp://imgweb.charlestoncounty.org/AppNet/activex/OBXWebViewer.cab
DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} - hxxp://h30155.www3.hp.com/ediags/hpfix/aio/en/check/qdiagh.cab?326
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\intuit\quickbooks 2010\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: GoToAssist - c:\program files\citrix\gotoassist\480\G2AWinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\joe\applic~1\mozilla\firefox\profiles\oj21d870.default\
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0402000.00c\symds.sys [2010-6-5 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0402000.00c\symefa.sys [2010-6-5 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\bashdefs\20100429.001\BHDrvx86.sys [2010-4-29 537136]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0402000.00c\cchpx86.sys [2010-6-5 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0402000.00c\ironx86.sys [2010-6-5 116784]
R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\4.2.0.12\ccsvchst.exe [2010-6-5 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-6-9 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\ipsdefs\20100604.004\IDSXpx86.sys [2010-6-8 331640]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20100613.018\NAVENG.SYS [2010-6-13 85552]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20100613.018\NAVEX15.SYS [2010-6-13 1347504]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-10 135664]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2006-8-29 30192]
S3 SCR3XX2K;SCR3xx USB SmartCardReader;c:\windows\system32\drivers\SCR3XX2K.sys [2010-1-6 57856]

=============== Created Last 30 ================

2010-06-14 15:28:35 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-06-14 13:43:54 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-12 14:36:38 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-12 12:09:08 0 d-----w- c:\program files\ESET
2010-06-11 13:56:01 0 d-sha-r- C:\cmdcons
2010-06-11 13:39:07 98816 ----a-w- c:\windows\sed.exe
2010-06-11 13:39:07 77312 ----a-w- c:\windows\MBR.exe
2010-06-11 13:39:07 256512 ----a-w- c:\windows\PEV.exe
2010-06-11 13:39:07 161792 ----a-w- c:\windows\SWREG.exe
2010-06-11 13:36:11 0 d-----w- c:\docume~1\joe\applic~1\Tific
2010-06-06 23:14:15 0 ----a-w- c:\documents and settings\joe\defogger_reenable
2010-06-06 14:49:42 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-06-06 14:48:54 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-06-06 14:48:51 0 d-----w- c:\program files\Hitman Pro 3.5
2010-06-05 18:46:21 361904 ----a-w- c:\windows\system32\drivers\symtdi.sys
2010-06-05 18:46:18 173104 ----a-w- c:\windows\system32\drivers\symefa.sys
2010-06-05 18:46:17 328752 ----a-r- c:\windows\system32\drivers\symds.sys
2010-06-05 18:46:15 43696 ----a-w- c:\windows\system32\drivers\srtspx.sys
2010-06-05 18:46:05 116784 ----a-w- c:\windows\system32\drivers\ironx86.sys
2010-06-05 18:46:03 501888 ----a-w- c:\windows\system32\drivers\cchpx86.sys
2010-06-05 15:35:26 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-06-05 15:35:26 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-06-05 15:35:26 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-06-05 15:35:26 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-06-05 15:35:26 0 d-----w- c:\program files\Symantec
2010-06-05 15:33:41 0 d-----w- c:\program files\Norton Security Suite
2010-06-05 14:51:30 0 d-----w- c:\windows\system32\wbem\Repository
2010-06-04 17:31:43 0 d-----w- c:\docume~1\joe\applic~1\Malwarebytes
2010-06-04 17:11:44 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-04 17:11:43 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-25 18:02:01 1054 ----a-w- C:\SentriLockCardUtil.err
2010-05-25 17:48:25 0 d-----w- c:\docume~1\joe\applic~1\SentriLock
2010-05-25 17:47:25 0 d-----w- c:\program files\SentrilockCardUtility
2010-05-25 17:43:12 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-05-25 17:43:12 0 d-----w- c:\docume~1\alluse~1\applic~1\SentriLock

==================== Find3M ====================

2010-06-08 19:07:32 54194 ----a-w- c:\windows\system32\nvModes.dat
2010-05-05 13:30:57 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\dllcache\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-20 05:30:08 285696 ------w- c:\windows\system32\dllcache\atmfd.dll
2010-04-06 08:52:46 2462720 ----a-w- c:\windows\system32\dllcache\WMVCore.dll
2007-06-07 02:42:48 1494 ----a-w- c:\program files\19865333.vcs
2007-04-04 18:44:32 1837280 ----a-w- c:\program files\snpvw.exe
2006-09-14 21:31:51 88 --sh--r- c:\windows\system32\82AA460BA0.sys
2006-09-14 21:31:52 3974 --sha-w- c:\windows\system32\KGyGaAvL.sys
2008-09-09 16:59:27 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090920080910\index.dat

============= FINISH: 12:20:37.15 ===============

Attached Files



#14 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:11:38 AM

Posted 15 June 2010 - 08:41 AM

Hi,

Thanks for the donation.

Do you receive any error message when Outlook is crashing?


============================


Log is clean, just need to remove a few orphans.
  1. Please run your Spybot - Search & Destroy
  2. Click on Mode tab and choose Advanced Mode and click Yes.
  3. Go to Tools and click BHO
  4. Please remove entries with no File, no CLSID entry or no Name.


============================


Please run another DDS scan, no need to attach Attach.txt. Thanks for your patience.



~Semp

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#15 Tenny3

Tenny3
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:38 PM

Posted 15 June 2010 - 10:39 AM

Semp-

Below is the dds log.

Outlook usually just locks up and I get the MS Office message that Outlook has encountered an error. I have been having these issues since I upgraded to 2007.

Thanks again for all your help. clapping.gif

Joe



DDS (Ver_10-03-17.01) - NTFSx86
Run by Joe at 11:30:40.34 on Tue 06/15/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1217 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\stacsv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
C:\Program Files\Common Files\Microsoft Shared\office12\offlb.exe
C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
C:\Documents and Settings\Joe\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
uInternet Connection Wizard,ShellNext = hxxp://support.dell.com/support/topics/global.aspx/support/dsn/document?c=us&l=en&s=gen&docid=359495
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\4.2.0.12\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\4.2.0.12\IPSBHO.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\4.2.0.12\coIEPlg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SigmatelSysTrayApp] "c:\program files\sigmatel\c-major audio\wdm\stsystra.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: intuit.com\ttlc
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} - hxxp://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_4.cab
DPF: {531C8059-ED3C-481E-B46C-558CF2862F6B} - hxxp://imgweb.charlestoncounty.org/AppNet/activex/OBXWebSelect.cab
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1253883700031
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D53C7B6F-E402-4AD9-A4A7-4ED69437300F} - hxxp://imgweb.charlestoncounty.org/AppNet/activex/OBXWebViewer.cab
DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} - hxxp://h30155.www3.hp.com/ediags/hpfix/aio/en/check/qdiagh.cab?326
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\intuit\quickbooks 2010\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: GoToAssist - c:\program files\citrix\gotoassist\480\G2AWinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\joe\applic~1\mozilla\firefox\profiles\oj21d870.default\
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0402000.00c\symds.sys [2010-6-5 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0402000.00c\symefa.sys [2010-6-5 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\bashdefs\20100522.001\BHDrvx86.sys [2010-5-22 691248]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0402000.00c\cchpx86.sys [2010-6-5 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0402000.00c\ironx86.sys [2010-6-5 116784]
R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\4.2.0.12\ccsvchst.exe [2010-6-5 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-6-9 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\ipsdefs\20100604.004\IDSXpx86.sys [2010-6-8 331640]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20100614.040\NAVENG.SYS [2010-6-15 85552]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20100614.040\NAVEX15.SYS [2010-6-15 1347504]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-10 135664]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2006-8-29 30192]
S3 SCR3XX2K;SCR3xx USB SmartCardReader;c:\windows\system32\drivers\SCR3XX2K.sys [2010-1-6 57856]

=============== Created Last 30 ================

2010-06-14 15:28:35 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-06-14 13:43:54 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-12 14:36:38 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-12 12:09:08 0 d-----w- c:\program files\ESET
2010-06-11 13:56:01 0 d-sha-r- C:\cmdcons
2010-06-11 13:39:07 98816 ----a-w- c:\windows\sed.exe
2010-06-11 13:39:07 77312 ----a-w- c:\windows\MBR.exe
2010-06-11 13:39:07 256512 ----a-w- c:\windows\PEV.exe
2010-06-11 13:39:07 161792 ----a-w- c:\windows\SWREG.exe
2010-06-11 13:36:11 0 d-----w- c:\docume~1\joe\applic~1\Tific
2010-06-06 23:14:15 0 ----a-w- c:\documents and settings\joe\defogger_reenable
2010-06-06 14:49:42 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-06-06 14:48:54 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-06-06 14:48:51 0 d-----w- c:\program files\Hitman Pro 3.5
2010-06-05 18:46:21 361904 ----a-w- c:\windows\system32\drivers\symtdi.sys
2010-06-05 18:46:18 173104 ----a-w- c:\windows\system32\drivers\symefa.sys
2010-06-05 18:46:17 328752 ----a-r- c:\windows\system32\drivers\symds.sys
2010-06-05 18:46:15 43696 ----a-w- c:\windows\system32\drivers\srtspx.sys
2010-06-05 18:46:05 116784 ----a-w- c:\windows\system32\drivers\ironx86.sys
2010-06-05 18:46:03 501888 ----a-w- c:\windows\system32\drivers\cchpx86.sys
2010-06-05 15:35:26 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-06-05 15:35:26 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-06-05 15:35:26 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-06-05 15:35:26 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-06-05 15:35:26 0 d-----w- c:\program files\Symantec
2010-06-05 15:33:41 0 d-----w- c:\program files\Norton Security Suite
2010-06-05 14:51:30 0 d-----w- c:\windows\system32\wbem\Repository
2010-06-04 17:31:43 0 d-----w- c:\docume~1\joe\applic~1\Malwarebytes
2010-06-04 17:11:44 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-04 17:11:43 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-25 18:02:01 1054 ----a-w- C:\SentriLockCardUtil.err
2010-05-25 17:48:25 0 d-----w- c:\docume~1\joe\applic~1\SentriLock
2010-05-25 17:47:25 0 d-----w- c:\program files\SentrilockCardUtility
2010-05-25 17:43:12 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-05-25 17:43:12 0 d-----w- c:\docume~1\alluse~1\applic~1\SentriLock

==================== Find3M ====================

2010-06-08 19:07:32 54194 ----a-w- c:\windows\system32\nvModes.dat
2010-05-05 13:30:57 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\dllcache\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-20 05:30:08 285696 ------w- c:\windows\system32\dllcache\atmfd.dll
2010-04-06 08:52:46 2462720 ----a-w- c:\windows\system32\dllcache\WMVCore.dll
2007-06-07 02:42:48 1494 ----a-w- c:\program files\19865333.vcs
2007-04-04 18:44:32 1837280 ----a-w- c:\program files\snpvw.exe
2006-09-14 21:31:51 88 --sh--r- c:\windows\system32\82AA460BA0.sys
2006-09-14 21:31:52 3974 --sha-w- c:\windows\system32\KGyGaAvL.sys
2008-09-09 16:59:27 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090920080910\index.dat

============= FINISH: 11:31:57.78 ===============




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users