
Help w/backdoor.tieserv!inf


  • This topic is locked
41 replies to this topic

#1 shldvebghtaMAC

shldvebghtaMAC

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:02:58 PM

Posted 08 June 2010 - 07:10 PM

SPELLED MY ISSUE WRONG. IT SHOULD SPELL/READ: backdoor.tidserv!inf



So I have been manually cleaning my registry with no issues, but I am still having redirecting issues with my IE web browser. I have read all the posts on bc but still need help. Today while installing a new version of Norton it popped up saying I have a Backdoor.tieserv!inf virus, but did not give any options on how to clean it.

I have done the hijackthis, combofix, otl, you name it, and still whatever is on my computer is still present and obviously hiding somewhere.

Combofix allegedly deleted contaminated files but still I'm having redirecting issues.

Please help!

My last resort is going to be to reformat my drive, which I'm trying to leave as my really last option. Malware bytes claims there is nothing on my computer but that's not true.

Also I deleted this file several times, but then today after I downloaded an updated version of Norton it's now back: rundll32.exe "C:\WINDOWS\ohexaxetetedapes.dll",Startup

It's back in my startup file after I deleted it last night from msconfig.

thx in advance.

Here is my HijackThis log. I still do not know how to read this log; can someone please explain to me what to look for? I have an IT background but not in viruses.

The highlighted file I have deleted in the registry under safe mode several times but it keeps coming back! It's not on my other computer that is running XP, so I'm thinking it's only part of the culprit.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:23:45 PM, on 6/8/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17023)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Targus BT Mouse\MulMouse.exe
C:\Program Files\Targus BT Mouse\osd.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Norton Security Suite\Engine\4.0.0.127\ccSvcHst.exe
C:\Program Files\Norton Security Suite\Engine\4.0.0.127\ccSvcHst.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Security Suite\Engine\4.0.0.127\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Security Suite\Engine\4.0.0.127\IPSBHO.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\4.0.0.127\coIEPlg.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Lwerubix] rundll32.exe "C:\WINDOWS\ohexaxetetedapes.dll",Startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Targus BT Mouse.lnk = C:\Program Files\Targus BT Mouse\MulMouse.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6796.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://chill.comcast.net/Gameshell/GameHos...ronGameHost.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Unknown owner - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton Security Suite (N360) - Symantec Corporation - C:\Program Files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe

--
End of file - 8210 bytes

Merged posts and move to log forum. ~ OB

Edited by shldvebghtaMAC, 08 June 2010 - 09:18 PM.
Moved from Virus, Trojan, Spyware, and Malware Removal Logs ~BP
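The first post asks what to look for in a HijackThis log. As an added example for this thread (not code from the poster, the helpers, or Trend Micro HijackThis), here is a small Python triage script for the O4 autostart lines. The two heuristics are my assumptions, chosen because they match the `[Lwerubix]` entry in the posted log: a payload that sits directly in C:\WINDOWS rather than in a program or system directory, and rundll32.exe loading a DLL from outside System32 or Program Files. The sample lines are copied from the posted log with the backslashes restored.

```python
"""Triage helper for HijackThis O4 autostart lines.

Added example for this thread; it is not part of HijackThis. The
heuristics below are assumptions: a payload that sits directly in the
Windows root, or rundll32.exe loading a DLL from outside System32 and
Program Files, is unusual for legitimate software and worth a closer look.
"""
import ntpath
import re
from dataclasses import dataclass, field

# Constructed sample: O4 lines copied from the posted HijackThis log (backslashes restored).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Lwerubix] rundll32.exe "C:\WINDOWS\ohexaxetetedapes.dll",Startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Targus BT Mouse.lnk = C:\Program Files\Targus BT Mouse\MulMouse.exe
"""

# Shape of a Run-key line: "O4 - HKLM\..\Run: [Name] command line"
O4_RUN = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$"
)
QUOTED = re.compile(r'"([^"]+)"')

WINDOWS_ROOT = "c:\\windows"
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\program files\\")


@dataclass
class Autostart:
    hive: str
    key: str
    name: str
    command: str
    launcher: str   # program actually started by the Run key
    payload: str    # what really runs: the DLL for rundll32, the launcher itself otherwise
    reasons: list = field(default_factory=list)


def split_command(cmd: str):
    """Return (launcher, payload) for a Run-key command line."""
    cmd = cmd.strip()
    if not cmd:
        return "", ""
    m = QUOTED.match(cmd)
    launcher = m.group(1) if m else cmd.split()[0]
    rest = (cmd[m.end():] if m else cmd[len(launcher):]).strip()
    if ntpath.basename(launcher).lower() == "rundll32.exe":
        # rundll32 takes "<dll>,<entry point>"; the DLL may or may not be quoted
        q = QUOTED.match(rest)
        if q:
            return launcher, q.group(1)
        parts = rest.split(",")[0].split()
        return launcher, parts[0] if parts else ""
    return launcher, launcher


def in_windows_root(path: str) -> bool:
    """True when the file lives directly in the Windows root, not a subdirectory."""
    return ntpath.dirname(path).lower().rstrip("\\") == WINDOWS_ROOT


def triage(log: str):
    """Parse every O4 Run-key line and attach the reasons it looks suspicious."""
    entries = []
    for line in log.splitlines():
        m = O4_RUN.match(line.strip())
        if not m:
            continue  # Global Startup and other O4 forms are out of scope here
        launcher, payload = split_command(m["cmd"])
        entry = Autostart(m["hive"], m["key"], m["name"], m["cmd"], launcher, payload)
        if in_windows_root(payload):
            entry.reasons.append("payload sits directly in the Windows root directory")
        if (ntpath.basename(launcher).lower() == "rundll32.exe"
                and not payload.lower().startswith(TRUSTED_PREFIXES)):
            entry.reasons.append("rundll32 loads a DLL from outside System32/Program Files")
        entries.append(entry)
    return entries


def flagged(log: str):
    """Only the entries that tripped at least one heuristic."""
    return [e for e in triage(log) if e.reasons]


if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f"{e.hive}\\..\\{e.key} [{e.name}] -> {e.payload}")
        for r in e.reasons:
            print("   -", r)
```

Run against the sample, only the `Lwerubix` entry is reported, with both reasons. The point for a reader of these logs is that the value name in brackets is arbitrary; it is the launcher and the real payload path that tell you whether an entry belongs to an installed product.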



#2 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:09:58 PM

Posted 12 June 2010 - 10:05 AM

Hi,

ComboFix shouldn't be run without the supervision of a trained helper. Post back the c:\ComboFix.txt log from your earlier running attempt.

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic.

  • Microsoft Windows Insider MVP 2016-2017

    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    Provided malware removal related instructions are meant to be used in the corresponding user's case only. If you have similar symptoms, please create your own topic instead of following instructions given to someone else.


    #3 shldvebghtaMAC

    shldvebghtaMAC
    • Topic Starter

    • Members
    • 27 posts
    • OFFLINE
    •  
    • Local time:02:58 PM

    Posted 17 June 2010 - 07:27 PM

    Thx for responding. I had no issues running combofix; I'm normally pretty good with removing things, but this is just an issue bigger than I can handle.

    combofix log:

    ComboFix 10-06-17.02 - Tatiana 06/17/2010 20:36:05.2.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.129 [GMT -4:00]
    Running from: c:\documents and settings\Tatiana\Desktop\Combo-Fix.exe
    AV: Norton Security Suite *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
    FW: Norton Security Suite *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\win.com

    .
    ((((((((((((((((((((((((( Files Created from 2010-05-18 to 2010-06-18 )))))))))))))))))))))))))))))))
    .

    2010-06-13 05:44 . 2010-06-13 05:44 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
    2010-06-09 00:22 . 2010-06-09 00:22 388096 ----a-r- c:\documents and settings\Tatiana\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-06-08 09:44 . 2010-06-08 09:44 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2010-06-08 09:44 . 2010-06-08 09:44 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2010-06-08 09:44 . 2010-06-08 09:44 -------- d-----w- c:\program files\Symantec
    2010-06-08 09:43 . 2010-06-10 01:10 -------- d-----w- c:\windows\system32\drivers\N360
    2010-06-08 09:43 . 2010-06-08 09:43 -------- d-----w- c:\program files\Norton Security Suite
    2010-06-08 09:43 . 2010-06-08 09:43 -------- d-----w- c:\program files\NortonInstaller
    2010-06-08 09:30 . 2010-06-08 09:30 -------- d-----w- c:\documents and settings\Tatiana\Application Data\Tific
    2010-06-08 07:12 . 2010-06-08 07:12 -------- d-----w- c:\documents and settings\Tatiana\Local Settings\Application Data\Symantec
    2010-06-07 11:15 . 2010-06-07 11:15 -------- d-----w- c:\windows\system32\CatRoot_bak
    2010-06-07 10:36 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2010-06-07 10:17 . 2010-06-07 10:25 -------- d-----w- c:\documents and settings\Tatiana\.SunDownloadManager
    2010-06-07 07:16 . 2010-06-07 07:16 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-06-06 08:41 . 2007-01-18 12:00 3968 ----a-w- c:\windows\system32\drivers\AvgArCln.sys
    2010-06-06 05:56 . 2010-06-06 05:56 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
    2010-06-03 08:27 . 2010-06-04 02:56 -------- d-----w- c:\documents and settings\Tatiana\Local Settings\Application Data\bxrxyhxba
    2010-06-02 10:14 . 2010-06-15 05:42 0 ----a-w- c:\windows\Fnozolacihir.bin
    2010-06-02 10:14 . 2010-06-15 05:42 120 ----a-w- c:\windows\Hkakobuhuwon.dat
    2010-06-02 10:14 . 2010-06-02 10:14 -------- d-----w- c:\documents and settings\Tatiana\Local Settings\Application Data\{B8E12E11-1520-49F1-BE2C-47A17A5BDE1F}
    2010-05-25 03:47 . 2007-12-03 16:36 25600 ----a-w- c:\windows\system32\TwcToolInstDll.dll
    2010-05-22 05:33 . 2010-05-22 05:33 -------- d-sh--w- c:\documents and settings\Tatiana\IECompatCache

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-06-14 07:57 . 2010-04-06 01:55 -------- d-----w- c:\program files\trademanager
    2010-06-08 09:52 . 2006-09-07 12:36 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2010-06-08 09:44 . 2010-06-08 09:44 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
    2010-06-08 09:44 . 2010-06-08 09:44 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
    2010-06-08 09:43 . 2010-03-12 02:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
    2010-06-08 09:34 . 2010-01-28 03:48 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
    2010-06-07 10:37 . 2006-09-07 11:25 -------- d-----w- c:\program files\Common Files\Java
    2010-06-07 10:36 . 2010-06-07 10:36 0 ----a-w- c:\windows\system32\REN92.tmp
    2010-06-07 10:36 . 2010-06-07 10:36 0 ----a-w- c:\windows\system32\REN91.tmp
    2010-06-07 10:36 . 2010-06-07 10:36 0 ----a-w- c:\windows\system32\REN90.tmp
    2010-06-07 10:36 . 2006-09-07 11:25 -------- d-----w- c:\program files\Java
    2010-06-07 06:39 . 2006-11-02 00:10 1324 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-06-05 22:21 . 2009-09-12 01:52 -------- d-----w- c:\documents and settings\Tatiana\Application Data\SUPERAntiSpyware.com
    2010-06-05 21:58 . 2009-09-12 01:52 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-06-05 06:11 . 2007-03-16 02:43 -------- d-----w- c:\program files\EphPod
    2010-06-04 13:41 . 2007-09-06 00:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
    2010-06-04 13:41 . 2006-09-07 13:09 -------- d-----w- c:\program files\Yahoo!
    2010-06-04 05:27 . 2009-09-11 17:32 -------- d-----w- c:\program files\CCleaner
    2010-06-02 19:28 . 2006-09-07 13:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
    2010-05-25 03:47 . 2006-12-16 17:35 -------- d-----w- c:\program files\The Weather Channel Toolbar
    2010-05-17 18:54 . 2006-09-14 07:59 88632 -c--a-w- c:\documents and settings\Tatiana\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-05-12 15:21 . 2009-10-03 05:49 221568 ------w- c:\windows\system32\MpSigStub.exe
    2007-01-10 15:18 . 2007-01-10 15:10 88 -csh--r- c:\windows\system32\6C86248E10.sys
    2007-01-10 15:18 . 2007-01-10 15:10 2828 -csha-w- c:\windows\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-06-08_07.25.48 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-06-15 06:27 . 2010-06-15 06:27 16384 c:\windows\temp\Perflib_Perfdata_7f0.dat
    - 2010-03-12 02:22 . 2010-03-12 02:20 26600 c:\windows\system32\DRVSTORE\GEARAspiWD_3B7AACF0636A2C042EB7AD2AFF76D37B27BDD28C\x86\GEARAspiWDM.sys
    + 2010-03-12 02:22 . 2009-05-18 22:17 26600 c:\windows\system32\DRVSTORE\GEARAspiWD_3B7AACF0636A2C042EB7AD2AFF76D37B27BDD28C\x86\GEARAspiWDM.sys
    + 2010-06-08 11:48 . 2010-04-22 02:29 43696 c:\windows\system32\drivers\N360\0402000.00C\srtspx.sys
    + 2008-01-29 16:01 . 2009-05-18 22:17 26600 c:\windows\system32\drivers\GEARAspiWDM.sys
    - 2008-01-29 16:01 . 2010-03-12 02:20 26600 c:\windows\system32\drivers\GEARAspiWDM.sys
    + 2008-01-29 16:02 . 2008-04-17 21:12 107368 c:\windows\system32\GEARAspi.dll
    - 2008-01-29 16:02 . 2010-03-12 02:19 107368 c:\windows\system32\GEARAspi.dll
    - 2010-03-12 02:22 . 2010-03-12 02:19 107368 c:\windows\system32\DRVSTORE\GEARAspiWD_3B7AACF0636A2C042EB7AD2AFF76D37B27BDD28C\x86\GEARAspi.dll
    + 2010-03-12 02:22 . 2008-04-17 21:12 107368 c:\windows\system32\DRVSTORE\GEARAspiWD_3B7AACF0636A2C042EB7AD2AFF76D37B27BDD28C\x86\GEARAspi.dll
    + 2010-06-08 11:48 . 2010-05-06 04:01 339504 c:\windows\system32\drivers\N360\0402000.00C\symtdiv.sys
    + 2010-06-08 11:48 . 2010-05-06 04:01 361904 c:\windows\system32\drivers\N360\0402000.00C\symtdi.sys
    + 2010-06-08 11:48 . 2010-04-22 03:02 173104 c:\windows\system32\drivers\N360\0402000.00C\symefa.sys
    + 2010-06-08 11:48 . 2009-10-15 03:50 328752 c:\windows\system32\drivers\N360\0402000.00C\symds.sys
    + 2010-06-08 11:48 . 2010-04-22 02:29 325680 c:\windows\system32\drivers\N360\0402000.00C\srtsp.sys
    + 2010-06-08 11:48 . 2010-04-29 05:03 116784 c:\windows\system32\drivers\N360\0402000.00C\ironx86.sys
    + 2010-06-08 11:48 . 2010-02-26 00:22 501888 c:\windows\system32\drivers\N360\0402000.00C\cchpx86.sys
    + 2010-06-09 00:22 . 2010-06-09 00:22 1094656 c:\windows\Installer\32629af.msi
    + 2009-09-11 01:08 . 2010-05-28 16:37 32472008 c:\windows\system32\MRT.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-23 39264]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-5-12 581693]
    Targus BT Mouse.lnk - c:\program files\Targus BT Mouse\MulMouse.exe [2007-1-23 253952]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoSetActiveDesktop"= 1 (0x1)
    "NoActiveDesktopChanges"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]
    2008-04-24 17:25 202560 -c--a-w- c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
    2006-06-23 11:07 61952 ----a-w- c:\windows\system32\CHDAudPropShortcut.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2007-05-08 20:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
    2006-05-04 05:58 458752 ----a-w- c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
    2006-03-23 12:13 77824 ----a-w- c:\windows\system32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
    2006-03-23 12:17 118784 ----a-w- c:\windows\system32\igfxpers.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
    2006-03-23 12:17 94208 ----a-w- c:\windows\system32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    2005-08-11 23:30 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    2005-08-11 23:30 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
    2006-06-19 18:33 163840 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
    2006-07-12 04:55 102400 ----a-w- c:\program files\HP\QuickPlay\QPService.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-02-18 15:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
    2006-06-17 05:22 794713 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
    2006-10-19 01:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
    ipseoute REG_SZ c:\windows\system32\fsutsfc.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\WINDOWS\\system32\\igfxtray.exe"=
    "c:\\WINDOWS\\system32\\mmc.exe"=
    "c:\\Program Files\\trademanager\\AliIM.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0402000.00C\symds.sys [6/8/2010 7:48 AM 328752]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0402000.00C\symefa.sys [6/8/2010 7:48 AM 173104]
    R0 tffsport;M-Systems DiskOnChip 2000;c:\windows\system32\drivers\tffsport.sys [7/3/2008 11:08 PM 149376]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20100522.001\BHDrvx86.sys [6/14/2010 1:05 PM 691248]
    R1 BtFltr;WayTechUSBFilterDriver;c:\windows\system32\drivers\BtFltr.sys [1/23/2007 8:14 PM 13849]
    R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0402000.00C\cchpx86.sys [6/8/2010 7:48 AM 501888]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0402000.00C\ironx86.sys [6/8/2010 7:48 AM 116784]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/9/2010 2:08 PM 102448]
    R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20100617.001\IDSXpx86.sys [6/17/2010 3:07 PM 331640]
    S2 pciinfo;HP Pci Information;\??\c:\docume~1\Tatiana\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys --> c:\docume~1\Tatiana\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys [?]
    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [7/26/2007 12:08 AM 17920]
    S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [7/26/2007 12:08 AM 7680]
    S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [7/26/2007 12:08 AM 42112]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
    2010-03-11 12:38 124928 ----a-w- c:\windows\system32\advpack.dll
    .
    Contents of the 'Scheduled Tasks' folder

    2010-06-17 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.comcast.net/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uDefault_Search_URL = hxxp://www.google.com/ie
    mStart Page = hxxp://www.comcast.net/
    mWindow Title = Windows Internet Explorer provided by Comcast
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    IE: Open with WordPerfect - c:\program files\WordPerfect Office X3\Programs\WPLauncher.hta
    IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
    .
    .
    ------- File Associations -------
    .
    .txt=
    .
    - - - - ORPHANS REMOVED - - - -

    MSConfigStartUp-Lwerubix - c:\windows\ohexaxetetedapes.dll



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-06-17 20:53
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
    "ImagePath"="\"c:\program files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\4.2.0.12\diMaster.dll\" /prefetch:1"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-4079528211-208685911-2209668213-1006\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    @DACL=(02 0000)
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    @DACL=(02 0000)
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    @DACL=(02 0000)
    "Installed"="1"
    .
    Completion time: 2010-06-17 20:59:39
    ComboFix-quarantined-files.txt 2010-06-18 00:59
    ComboFix2.txt 2010-06-08 07:30

    Pre-Run: 8,386,613,248 bytes free
    Post-Run: 8,588,062,720 bytes free

    - - End Of File - - 1C65972838600FE1C3EA1FADED9699B8

    Edited by shldvebghtaMAC, 17 June 2010 - 08:03 PM.
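The ComboFix "Reg Loading Points" section in this post shows more than Run keys: an AppCertDlls entry (`ipseoute REG_SZ c:\windows\system32\fsutsfc.dll`), a Security Center `AntiVirusOverride`, a `DisableMonitoring` flag and `EnableFirewall`= 0. As an added example for this thread (not ComboFix code and not from any poster), here is a Python audit that parses that REGEDIT4-style dump and reports the settings a defender checks first. The sample is constructed from the lines in the posted log; which values count as weakening the machine is my assumption, and the AppCertDlls note relies on the documented fact that DLLs listed there are loaded into every process that calls CreateProcess.

```python
"""Audit of a ComboFix 'Reg Loading Points' section.

Added example for this thread; not ComboFix code. It parses the
REGEDIT4-style dump and reports settings a defender checks first:
AppCertDlls entries, Security Center overrides, disabled product
monitoring, the firewall policy and active port exceptions. Which
values count as weakening is an assumption of this example.
"""
import re
from collections import OrderedDict

# Constructed sample: sections copied from the posted ComboFix log.
SAMPLE = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
ipseoute REG_SZ c:\windows\system32\fsutsfc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"""

SECTION = re.compile(r"^\[(?P<key>.+)\]$")
VALUE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*(?P<data>.*)$')


def parse_loading_points(text: str):
    """Map each [key] to a list of (value name, data). ComboFix's unquoted
    lines (AppCertDlls entries, service lines) are kept with name None."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = SECTION.match(line)
        if m:
            current = m["key"]
            sections[current] = []
            continue
        if current is None:
            continue
        m = VALUE.match(line)
        sections[current].append((m["name"], m["data"]) if m else (None, line))
    return sections


def numeric(data: str):
    """Decode 'dword:00000001' and ComboFix's '0 (0x0)' forms; None otherwise."""
    m = re.match(r"dword:([0-9a-fA-F]{8})$", data)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)\s*\(0x[0-9a-fA-F]+\)$", data)
    if m:
        return int(m.group(1))
    return None


def audit(text: str):
    """Return (kind, key, item, note) tuples for settings worth a second look."""
    findings = []
    for key, values in parse_loading_points(text).items():
        k = key.lower()
        if k.endswith("\\appcertdlls"):
            for name, data in values:
                path = data.split()[-1] if name is None else data
                findings.append(("appcertdlls", key, path,
                                 "loaded into every process that calls CreateProcess"))
        elif k.endswith("\\security center"):
            for name, data in values:
                if name and name.lower().endswith("override") and numeric(data) == 1:
                    findings.append(("security-center-override", key, name,
                                     "Security Center alerts for this protection suppressed"))
        elif "\\security center\\monitoring\\" in k:
            for name, data in values:
                if name and name.lower() == "disablemonitoring" and numeric(data) == 1:
                    findings.append(("monitoring-disabled", key, name,
                                     "product monitoring off; often set by the product itself, confirm"))
        elif k.endswith("\\firewallpolicy\\standardprofile"):
            for name, data in values:
                if name and name.lower() == "enablefirewall" and numeric(data) == 0:
                    findings.append(("firewall-off", key, name,
                                     "Windows Firewall disabled for the standard profile"))
        elif k.endswith("\\globallyopenports\\list"):
            for name, data in values:
                fields = data.split(":")
                if len(fields) >= 4 and fields[3].lower() != "disabled":
                    findings.append(("open-port", key, name, "port exception is active"))
    return findings


if __name__ == "__main__":
    for kind, key, item, note in audit(SAMPLE):
        print(f"[{kind}] {key}\n    {item}: {note}")
```

On the sample this yields four findings and leaves the 3389 exception alone because it is marked Disabled. The AppCertDlls hit is the one to chase: a DLL registered there is mapped into new processes system-wide, which is exactly the kind of loader that can recreate a deleted Run entry after every reboot.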


    #4 shldvebghtaMAC

    shldvebghtaMAC
    • Topic Starter

    • Members
    • 27 posts
    • OFFLINE
    •  
    • Local time:02:58 PM

    Posted 17 June 2010 - 08:05 PM

    Also, a few days ago Windows Defender came up with this file name being the problem, which I already knew from experience. Problem is the file won't go away even with me logging on under admin and manually editing the registry (I know how to edit the registry properly), but still the file keeps reloading somehow. And I cannot figure out how it's reloading, even with my CS background.

    problem file c:\windows\ohexaxetetedapes.dll also runs in partnership with a file named: Lwerubix

    dds log coming in a few mins.

    #5 shldvebghtaMAC

    shldvebghtaMAC
    • Topic Starter

    • Members
    • 27 posts
    • OFFLINE
    •  
    • Local time:02:58 PM

    Posted 17 June 2010 - 10:53 PM

    Ok, dds wouldn't open, but somehow it scanned my computer; a few hrs later a log popped up. Weird.

    here is the dds log:


    DDS (Ver_10-03-17.01) - NTFSx86
    Run by at 23:37:46.01 on Thu 06/17/2010
    Internet Explorer: 7.0.5730.11
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.93 [GMT -4:00]

    AV: Norton Security Suite *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
    FW: Norton Security Suite *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe
    C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Program Files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\DOCUME~1\Tatiana\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.comcast.net/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uDefault_Search_URL = hxxp://www.google.com/ie
    mStart Page = hxxp://www.comcast.net/
    mWindow Title = Windows Internet Explorer provided by Comcast
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
    BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
    BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\4.2.0.12\coIEPlg.dll
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\4.2.0.12\IPSBHO.DLL
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn3\YTSingleInstance.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
    TB: The Weather Channel Toolbar: {2e5e800e-6ac0-411e-940a-369530a35e43} - c:\windows\system32\TwcToolbarIe7.dll
    TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\4.2.0.12\coIEPlg.dll
    TB: {981FE6A8-260C-4930-960F-C3BC82746CB0} - No File
    TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File
    mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\targus~1.lnk - c:\program files\targus bt mouse\MulMouse.exe
    dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
    dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
    IE: Open with WordPerfect - c:\program files\wordperfect office x3\programs\WPLauncher.hta
    IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBC}
    IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
    DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6796.cab
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://chill.comcast.net/Gameshell/GameHost/1.0/OberonGameHost.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
    mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

    ============= SERVICES / DRIVERS ===============

    R0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys [2007-1-31 5632]
    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0402000.00c\symds.sys [2010-6-8 328752]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0402000.00c\symefa.sys [2010-6-8 173104]
    R0 tffsport;M-Systems DiskOnChip 2000;c:\windows\system32\drivers\tffsport.sys [2008-7-3 149376]
    R1 AvgArCln;Avg Anti-Rootkit Clean Driver;c:\windows\system32\drivers\AvgArCln.sys [2010-6-6 3968]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\bashdefs\20100522.001\BHDrvx86.sys [2010-6-14 691248]
    R1 BtFltr;WayTechUSBFilterDriver;c:\windows\system32\drivers\BtFltr.sys [2007-1-23 13849]
    R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0402000.00c\cchpx86.sys [2010-6-8 501888]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0402000.00c\ironx86.sys [2010-6-8 116784]
    R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\4.2.0.12\ccsvchst.exe [2010-6-8 126392]
    R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-6-9 102448]
    R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\ipsdefs\20100617.001\IDSXpx86.sys [2010-6-17 331640]
    R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20100617.018\NAVENG.SYS [2010-6-17 85552]
    R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20100617.018\NAVEX15.SYS [2010-6-17 1347504]
    S2 pciinfo;HP Pci Information;\??\c:\docume~1\tatiana\locals~1\temp\hpispz\hpdom\pciinfo.sys --> c:\docume~1\tatiana\locals~1\temp\hpispz\hpdom\pciinfo.sys [?]
    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2007-7-26 17920]
    S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2007-7-26 7680]
    S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2007-7-26 42112]

    ============== File Associations ===============

    .txt=

    =============== Created Last 30 ================

    2010-06-08 09:44:24 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
    2010-06-08 09:44:24 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
    2010-06-08 09:44:24 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2010-06-08 09:44:24 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2010-06-08 09:44:22 0 d-----w- c:\program files\Symantec
    2010-06-08 09:43:38 0 d-----w- c:\windows\system32\drivers\N360
    2010-06-08 09:43:35 0 d-----w- c:\program files\Norton Security Suite
    2010-06-08 09:43:26 0 d-----w- c:\program files\NortonInstaller
    2010-06-08 09:30:36 0 d-----w- c:\docume~1\tatiana\applic~1\Tific
    2010-06-07 13:07:39 0 dcsha-r- C:\cmdcons
    2010-06-07 12:02:09 98816 ----a-w- c:\windows\sed.exe
    2010-06-07 12:02:09 77312 ----a-w- c:\windows\MBR.exe
    2010-06-07 12:02:09 256512 ----a-w- c:\windows\PEV.exe
    2010-06-07 12:02:09 161792 ----a-w- c:\windows\SWREG.exe
    2010-06-07 11:15:04 0 d-----w- c:\windows\system32\CatRoot_bak
    2010-06-07 10:36:39 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2010-06-07 10:36:39 0 ----a-w- c:\windows\system32\REN92.tmp
    2010-06-07 10:36:39 0 ----a-w- c:\windows\system32\REN91.tmp
    2010-06-07 10:36:39 0 ----a-w- c:\windows\system32\REN90.tmp
    2010-06-07 10:17:53 0 d-----w- c:\documents and settings\tatiana\.SunDownloadManager
    2010-06-07 07:16:57 0 d-----w- c:\windows\system32\wbem\Repository
    2010-06-06 08:41:03 3968 ----a-w- c:\windows\system32\drivers\AvgArCln.sys
    2010-06-05 04:35:31 0 ----a-w- c:\documents and settings\tatiana\tasklist
    2010-06-02 10:14:21 0 ----a-w- c:\windows\Fnozolacihir.bin
    2010-06-02 10:14:20 120 ----a-w- c:\windows\Hkakobuhuwon.dat
    2010-05-25 03:47:53 25600 ----a-w- c:\windows\system32\TwcToolInstDll.dll
    2010-05-22 05:33:21 0 d-sh--w- c:\documents and settings\tatiana\IECompatCache

    ==================== Find3M ====================

    2010-05-12 15:21:16 221568 ------w- c:\windows\system32\MpSigStub.exe
    2007-01-10 15:18:13 88 -csh--r- c:\windows\system32\6C86248E10.sys
    2007-01-10 15:18:13 2828 -csha-w- c:\windows\system32\KGyGaAvL.sys
    2008-11-15 20:25:22 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008111520081116\index.dat

    ============= FINISH: 23:39:08.65 ===============


    #6 shldvebghtaMAC

    shldvebghtaMAC
    • Topic Starter

    • Members
    • 27 posts
    • OFFLINE
    • Local time:02:58 PM

    Posted 17 June 2010 - 10:54 PM

    I don't have any way to zip the attach file.

    #7 Blade81

    Blade81

      Bleepin' Rocker


    • Malware Response Team
    • 6,465 posts
    • OFFLINE
    • Gender:Male
    • Location:Finland
    • Local time:09:58 PM

    Posted 17 June 2010 - 11:36 PM

    QUOTE(shldvebghtaMAC @ Jun 18 2010, 06:54 AM)
    I don't have any way to zip the attach file.

    Please copy paste attach.txt contents like you did with dds.txt.

    Microsoft Windows Insider MVP 2016-2017

    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


    #8 shldvebghtaMAC

    shldvebghtaMAC
    • Topic Starter

    • Members
    • 27 posts
    • OFFLINE
    • Local time:02:58 PM

    Posted 18 June 2010 - 12:52 AM

    Ok on the attach file it said don't post attach as a zip.

    here it is:



    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 9/14/2006 3:58:16 AM
    System Uptime: 6/15/2010 2:25:28 AM (70 hours ago)

    Motherboard: Wistron | | 30B2
    Processor: Intel® Celeron® M CPU 420 @ 1.60GHz | U1 | 1595/667mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 27 GiB total, 7.997 GiB free.
    D: is FIXED (FAT32) - 10 GiB total, 1.488 GiB free.
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {95C7A0A0-3094-11D7-A202-00508B9D7D5A}
    Description: HP Integrated Module with Bluetooth 2.0 Wireless Technology
    Device ID: USB\VID_03F0&PID_171D\5&18FE068B&0&2
    Manufacturer: WIDCOMM
    Name: HP Integrated Module with Bluetooth 2.0 Wireless Technology
    PNP Device ID: USB\VID_03F0&PID_171D\5&18FE068B&0&2
    Service: BTWUSB

    Class GUID: {4D36E970-E325-11CE-BFC1-08002BE10318}
    Description: M-Systems DiskOnChip 2000
    Device ID: ROOT\MTD\0000
    Manufacturer: M-Systems Flash Disk Pioneers
    Name: M-Systems DiskOnChip 2000
    PNP Device ID: ROOT\MTD\0000
    Service: tffsport

    Class GUID: {4D36E977-E325-11CE-BFC1-08002BE10318}
    Description: Cirrus Logic PCIC compatible PCMCIA controller
    Device ID: ROOT\PCMCIA\0000
    Manufacturer: Cirrus Logic
    Name: Cirrus Logic PCIC compatible PCMCIA controller
    PNP Device ID: ROOT\PCMCIA\0000
    Service: pcmcia

    ==== System Restore Points ===================

    RP1267: 5/21/2010 1:55:00 AM - Software Distribution Service 3.0
    RP1268: 5/22/2010 5:51:38 AM - System Checkpoint
    RP1269: 5/23/2010 6:31:30 AM - System Checkpoint
    RP1270: 5/24/2010 8:06:51 AM - System Checkpoint
    RP1271: 5/24/2010 11:47:21 PM - Installed Microsoft Visual C++ 2005 Redistributable
    RP1272: 5/25/2010 1:55:10 AM - Software Distribution Service 3.0
    RP1273: 5/26/2010 6:59:29 AM - System Checkpoint
    RP1274: 5/27/2010 7:53:56 AM - System Checkpoint
    RP1275: 5/28/2010 2:12:35 AM - Software Distribution Service 3.0
    RP1276: 5/29/2010 4:45:30 AM - System Checkpoint
    RP1277: 5/29/2010 5:47:31 AM - Software Distribution Service 3.0
    RP1278: 5/30/2010 6:25:06 AM - System Checkpoint
    RP1279: 5/31/2010 6:55:29 AM - System Checkpoint
    RP1280: 6/1/2010 2:08:04 AM - Software Distribution Service 3.0
    RP1281: 6/2/2010 3:29:32 AM - System Checkpoint
    RP1282: 6/2/2010 4:16:56 PM - Windows Defender Checkpoint
    RP1283: 6/3/2010 11:13:38 PM - System Checkpoint
    RP1284: 6/4/2010 2:16:39 AM - Software Distribution Service 3.0
    RP1285: 6/5/2010 12:53:39 AM - Installed Tweakui Powertoy for Windows XP
    RP1286: 6/5/2010 2:12:25 AM - Removed Tweakui Powertoy for Windows XP
    RP1287: 6/6/2010 3:16:21 AM - june6,2010
    RP1288: 6/6/2010 3:31:52 AM - Restore Operation
    RP1289: 6/6/2010 9:24:20 PM - Norton 360 Registry Clean
    RP1290: 6/6/2010 11:29:12 PM - registry
    RP1291: 6/7/2010 2:33:02 AM - Restore Operation
    RP1292: 6/7/2010 3:16:00 AM - Restore Operation
    RP1293: 6/7/2010 5:12:30 AM - registry
    RP1294: 6/7/2010 6:33:06 AM - Removed Java™ 6 Update 11
    RP1295: 6/7/2010 6:34:58 AM - Removed Java™ SE Runtime Environment 6
    RP1296: 6/7/2010 6:36:22 AM - Installed Java™ 6 Update 20
    RP1297: 6/8/2010 3:58:01 AM - Software Distribution Service 3.0
    RP1298: 6/8/2010 4:43:45 AM - Removed SampleTestInstall
    RP1299: 6/8/2010 5:49:41 AM - June8
    RP1300: 6/8/2010 8:17:52 PM - Installed HiJackThis
    RP1301: 6/8/2010 8:20:53 PM - Removed HiJackThis
    RP1302: 6/8/2010 8:22:15 PM - Installed HiJackThis
    RP1303: 6/9/2010 9:39:33 PM - System Checkpoint
    RP1304: 6/10/2010 10:05:23 PM - System Checkpoint
    RP1305: 6/11/2010 1:47:19 AM - Software Distribution Service 3.0
    RP1306: 6/12/2010 6:22:11 AM - System Checkpoint
    RP1307: 6/13/2010 7:12:40 AM - System Checkpoint
    RP1308: 6/14/2010 8:12:46 AM - System Checkpoint
    RP1309: 6/15/2010 1:45:44 AM - Software Distribution Service 3.0
    RP1310: 6/15/2010 2:20:36 AM - Windows Defender Checkpoint
    RP1311: 6/16/2010 5:06:49 AM - System Checkpoint
    RP1312: 6/17/2010 5:23:40 AM - System Checkpoint

    ==== Installed Programs ======================

    Adobe Color Common Settings
    Adobe Flash Player 10 ActiveX
    Adobe Reader 7.1.0
    Adobe Setup
    Adobe Shockwave Player
    Apple Mobile Device Support
    AutoUpdate
    AVG Anti-Rootkit Free
    BufferChm
    CCleaner
    Comcast High-Speed Internet Install Wizard
    Compatibility Pack for the 2007 Office system
    Conexant HD Audio
    CP_AtenaShokunin1Config
    CP_CalendarTemplates1
    cp_LightScribeConfig
    cp_OnlineProjectsConfig
    CP_Package_Basic1
    CP_Package_Variety1
    CP_Package_Variety2
    CP_Package_Variety3
    CP_Panorama1Config
    cp_PosterPrintConfig
    cp_UpdateProjectsConfig
    CueTour
    Desktop Doctor
    Destinations
    DeviceManagementQFolder
    DivX
    FullDPAppQFolder
    HDAUDIO Soft Data Fax Modem with SmartCP
    HiJackThis
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows XP (KB954550-v5)
    HP Help and Support
    HP Imaging Device Functions 6.0
    HP Integrated Module with Bluetooth wireless technology
    HP Photosmart Premier Software 6.0
    HP Quick Launch Buttons 6.10 A2
    HP QuickPlay 2.3
    HP Update
    HP User Guides 0027
    HP Wireless Assistant 2.00 G2
    HpSdpAppCoreApp
    InstantShareDevices
    Intel® Graphics Media Accelerator Driver
    Intel® PRO Network Connections Drivers
    iTunes
    Java Auto Updater
    LightScribe 1.4.97.1
    Macromedia Flash Player 8
    Macromedia Shockwave Player
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB953297)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Professional Edition 2003
    Microsoft Office Project Professional 2003
    Microsoft Office Standard Edition 2003
    Microsoft Office Visio Professional 2003
    Microsoft Office Word 2003 Step by Step
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Works
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    muvee autoProducer 5.0
    NetWaiting
    Norton Security Suite
    oDesk MiniCam 2.0.55
    oDesk ScreenSnap 2.0.70
    oDesk Team 2.0.84
    Office 2003 Trial Assistant
    OpenOffice.org Installer 1.0
    OptionalContentQFolder
    PANTECH PC Card Software
    PhotoGallery
    QuickTime
    RandMap
    Security Update for CAPICOM (KB931906)
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Internet Explorer 7 (KB929969)
    Security Update for Windows Internet Explorer 7 (KB933566)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Internet Explorer 7 (KB974455)
    Security Update for Windows Internet Explorer 7 (KB976325)
    Security Update for Windows Internet Explorer 7 (KB978207)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB923689)
    SkinsHP1
    Sonic Audio Module
    Sonic Copy Module
    Sonic Data Module
    Sonic Express Labeler
    Sonic MyDVD Plus
    Sonic Update Manager
    Sonic_PrimoSDK
    Synaptics Pointing Device Driver
    Targus BT Mouse 1.00
    The Weather Channel Toolbar
    TourSetup
    TradeManager 2009
    Unload
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 7 (KB976749)
    Update for Windows Internet Explorer 7 (KB980182)
    Update Manager
    WebFldrs XP
    Windows Defender
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Live Mail
    Windows Live OneCare safety scanner
    Windows Live Sign-in Assistant
    Windows Media Connect
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    Wireless Home Network Setup
    Yahoo! Browser Services
    Yahoo! Internet Mail
    Yahoo! Toolbar

    ==== Event Viewer Messages From Past Week ========

    6/17/2010 8:58:21 PM, error: Service Control Manager [7016] - The BrSplService service has reported an invalid current state 0.
    6/17/2010 8:35:27 PM, error: Service Control Manager [7000] - The Windows Media Player Network Sharing Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    6/17/2010 8:35:26 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows Media Player Network Sharing Service service to connect.
    6/17/2010 8:34:55 PM, error: Service Control Manager [7031] - The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
    6/15/2010 2:26:20 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Pcmcia
    6/15/2010 2:26:17 AM, error: Service Control Manager [7002] - The BrPar service depends on the Parallel arbitrator group and no member of this group started.
    6/15/2010 2:26:17 AM, error: Service Control Manager [7000] - The HP Pci Information service failed to start due to the following error: The system cannot find the path specified.
    6/15/2010 2:26:17 AM, error: Service Control Manager [7000] - The Apple Mobile Device service failed to start due to the following error: The system cannot find the file specified.
    6/15/2010 2:20:47 AM, error: WinDefend [1008] - Windows Defender has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=370...threatid=147238 Scan ID: {089BB210-62C6-4E60-A579-89948DFC6885} Scan Type: AntiMalware User: TATI\Tatiana Name: Trojan:Win32/Hiloti.gen!D ID: 147238 Severity: Severe Category: Trojan Path: Action: Remove Error Code: 0x80508022 Error description: To finish removing spyware and other potentially unwanted software, restart the computer.
    6/14/2010 1:27:28 PM, error: iaStor [9] - The device, \Device\Ide\iaStor0, did not respond within the timeout period.

    ==== End Of File ===========================



    #9 shldvebghtaMAC

    shldvebghtaMAC
    • Topic Starter

    • Members
    • 27 posts
    • OFFLINE
    • Local time:02:58 PM

    Posted 18 June 2010 - 12:57 AM

    Windows Defender calls it Hiloti, while my Norton refers to it as tidserv.
    I guess either way they are a nightmare.
    It's interesting to see in the Event Viewer that so many actions have failed to start or work properly.



    #10 Blade81

    Blade81

      Bleepin' Rocker


    • Malware Response Team
    • 6,465 posts
    • OFFLINE
    • Gender:Male
    • Location:Finland
    • Local time:09:58 PM

    Posted 18 June 2010 - 11:57 AM

    Hi again,


    Open notepad and copy/paste the text in the quotebox below into it:

    CODE
    http://www.bleepingcomputer.com/forums/t/322779/help-wbackdoortieservinf/
    Collect::
    c:\windows\system32\fsutsfc.dll
    Folder::
    c:\documents and settings\Tatiana\Local Settings\Application Data\bxrxyhxba
    File::
    c:\windows\Fnozolacihir.bin
    c:\windows\Hkakobuhuwon.dat
    Registry::
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
    "ipseoute"=-
    DDS::
    TB: {981FE6A8-260C-4930-960F-C3BC82746CB0} - No File
    TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File



    Save this as
    CFScript

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.



    Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe.
    Then post the resultant log.


    Uninstall old Adobe Reader versions and get the latest one (both 9.3 and update 9.3.2) here, or get Foxit Reader here. Make sure you don't install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here.

    Uninstall your current Adobe shockwave player & Macromedia Shockwave Player and get the fresh one here if needed.


    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    If you use Firefox:
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    If you use Opera:
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.


    Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.


    Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log. Do you still see the alert (does it tell bad item location)?


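    The items the CFScript above targets (the two toolbar entries listed as "No File" and the two files dropped directly into c:\windows) and the Defender detection that the attach.txt log records can be pulled out of a DDS log mechanically rather than by eye. The script below is an added example written for this page; it is not a DDS, ComboFix or BleepingComputer tool. It runs over a constructed sample built from lines of the logs posted in this thread. The rule that flags .bin/.dat files created directly under c:\windows is an assumption of the example, chosen because it matches the two files named in the script, not a rule DDS itself applies.

```python
import re

# Constructed sample: a handful of lines copied from the dds.txt and attach.txt
# logs posted in this thread, with the section banners DDS puts between them.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\4.2.0.12\coIEPlg.dll
TB: {981FE6A8-260C-4930-960F-C3BC82746CB0} - No File
TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide

=============== Created Last 30 ================

2010-06-08 09:44:24 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-06-07 12:02:09 77312 ----a-w- c:\windows\MBR.exe
2010-06-02 10:14:21 0 ----a-w- c:\windows\Fnozolacihir.bin
2010-06-02 10:14:20 120 ----a-w- c:\windows\Hkakobuhuwon.dat
2010-05-22 05:33:21 0 d-sh--w- c:\documents and settings\tatiana\IECompatCache

==== Event Viewer Messages From Past Week ========

6/15/2010 2:20:47 AM, error: WinDefend [1008] - Windows Defender has encountered an error when taking action on spyware or other potentially unwanted software. Scan Type: AntiMalware User: TATI\Tatiana Name: Trojan:Win32/Hiloti.gen!D ID: 147238 Severity: Severe Category: Trojan Path: Action: Remove Error Code: 0x80508022

==== End Of File ===========================
"""

BANNER_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# date time size attributes path, as DDS prints "Created Last 30" entries
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+) (\S+) (.+)$")


def split_sections(text):
    """Map each '=== Title ===' banner to the non-empty lines that follow it."""
    sections, current = {}, None
    for line in text.splitlines():
        m = BANNER_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line.strip())
    return sections


def orphaned_toolbars(sections):
    """TB:/BHO: entries whose DLL is gone ('- No File'): leftover registrations to remove."""
    found = []
    for line in sections.get("Pseudo HJT Report", []):
        if line.startswith(("TB:", "BHO:")) and line.endswith("- No File"):
            guid = re.search(r"\{[0-9A-Fa-f-]{36}\}", line)
            found.append(guid.group(0) if guid else line)
    return found


def suspicious_new_files(sections):
    """Files (not folders) created directly in c:\windows with a .bin/.dat name.
    Assumed heuristic: legitimate installers rarely drop data files into the
    Windows root, so such entries deserve a look."""
    hits = []
    for line in sections.get("Created Last 30", []):
        m = CREATED_RE.match(line)
        if not m:
            continue
        date, _time, size, attrs, path = m.groups()
        if attrs.startswith("d"):
            continue  # directory entry
        low = path.lower()
        if not re.fullmatch(r"c:\\windows\\[^\\]+", low):
            continue  # only the Windows root itself, not system32 etc.
        if low.endswith((".bin", ".dat")):
            hits.append((date, int(size), path))
    return hits


def defender_detections(sections):
    """Threat names reported in Windows Defender (WinDefend) event-log lines."""
    names = []
    for line in sections.get("Event Viewer Messages From Past Week", []):
        if "WinDefend" not in line:
            continue
        m = re.search(r"\bName: (\S+)", line)
        if m:
            names.append(m.group(1))
    return names


def triage(log_text):
    """Run all three checks and return one dict a helper could paste into a reply."""
    sections = split_sections(log_text)
    return {
        "orphaned_toolbars": orphaned_toolbars(sections),
        "suspicious_new_files": suspicious_new_files(sections),
        "defender_detections": defender_detections(sections),
    }


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(key)
        for item in items:
            print("   ", item)
```

    On the sample this reports the same two toolbar GUIDs, the same two files and the same Hiloti detection that the thread discusses; on a real dds.txt and attach.txt you would feed the concatenated files to `triage()` and still review each hit by hand before writing a removal script.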

    #11 shldvebghtaMAC

    shldvebghtaMAC
    • Topic Starter

    • Members
    • 27 posts
    • OFFLINE
    • Local time:02:58 PM

    Posted 18 June 2010 - 04:36 PM

    Before I copy/paste anything can you please explain to me what this is supposed to do?

    I notice in red it says "not responsible for any damage I may have caused." I haven't caused any damage; I just want that out there. I know on help sites everyone that posts an issue is sometimes automatically assumed to be a novice, but that's not the case.

    I've never destroyed a computer; I've always successfully put them together from scratch, software and hardware. So I just need to know what this will do before I do it.

    I like to know what I'm doing and why. If you don't want to post the answer here you can PM me.

    Thanks

    #12 shldvebghtaMAC

    shldvebghtaMAC
    • Topic Starter

    • Members
    • 27 posts
    • OFFLINE
    • Local time:02:58 PM

    Posted 19 June 2010 - 01:28 AM

    waiting for response.............................to my above questions ^^

    #13 Blade81

    Blade81

      Bleepin' Rocker


    • Malware Response Team
    • 6,465 posts
    • OFFLINE
    • Gender:Male
    • Location:Finland
    • Local time:09:58 PM

    Posted 19 June 2010 - 01:49 AM

    Hi,

    I won't go into details with the cleaning steps listed there in my previous post. All those are 99% safe (I don't like giving a 100% guarantee to anything). If you don't want to follow them, then just tell me and we can close the topic.



    #14 shldvebghtaMAC

    shldvebghtaMAC
    • Topic Starter

    • Members
    • 27 posts
    • OFFLINE
    • Local time:02:58 PM

    Posted 19 June 2010 - 01:54 AM

    QUOTE(Blade81 @ Jun 19 2010, 02:49 AM)
    Hi,

    I won't go into details with the cleaning steps listed there in my previous post. All those are 99% safe (I don't like giving a 100% guarantee to anything). If you don't want to follow them, then just tell me and we can close the topic.



    Close the topic for what?

    I just want to know why to take the above step you're mentioning. I don't see what the problem is. I have waited several weeks for help on here; threatening to close the thread is really not nice at all.

    No one said I don't want to follow anything; you're making it as if it's wrong for me to ask a question.

    #15 Blade81

    Blade81

      Bleepin' Rocker


    • Malware Response Team
    • 6,465 posts
    • OFFLINE
    • Gender:Male
    • Location:Finland
    • Local time:09:58 PM

    Posted 19 June 2010 - 02:08 AM

    QUOTE
    I just want to know why to take the above step your mentioning. I don't see what the problem is.

    With ComboFix script we're cleaning some infection related things that other tools you've run didn't catch.
