Tidserve requests and google redirect


This topic is locked
13 replies to this topic

#1 mmilligan

Posted 09 June 2010 - 12:13 PM

Hi - first off I have to say I am amazed you all do this without pay. I've been reading many, many posts about this problem and am just stunned at the help you give. I thank you in advance!


Ok - I have a Netbook w/no CD, but defogged anyway, 'cause you never know...

Ran DDS, got the 2 logs.

Had problems with GMER:

#1 - First time it ran, it locked up. Couldn't even CTRL-ALT-DEL. Had to turn off the netbook and turn it on again. I had the DLink wireless USB unconnected - so no internet connection.

#2 - Second time it ran, I looked away - next thing I know it's restarted the PC. After everything reloaded there was no GMER log window - no ability to save log. So I re-started GMER. Again, I had the DLink wireless USB unconnected - so no internet connection...

#3 - It locked up again. Same steps as #1. I had the DLink wireless USB unconnected - so no internet connection.

#4 - This time I put the DLink USB wireless in, restarted, re-ran GMER. It ran for a looooong time - it was actually scanning - I could see all the files it was scanning in the app's window. Went to bed (seriously it was from probably 1am to at least 6am, then I just fell asleep.) When I woke up, PC had restarted again - with no ability to save a GMER log. All that for nothing. So I decided to just contact you and get the ball rolling. I did make sure to have the right things unchecked/checked in GMER each time.

Issues - having problems with repeated attacks from TIDSERVE - seems to be 1 and 2. Maybe 3, also? And occasionally I do have the wacky google redirect which is always so fun. And on top of that, IE also seems to want to open/load its own instances on its own every now and again.

Never any problems unless I have IE open - that is, I have to be actively browsing. I have not, to my knowledge, had an intrusion attempt without being on Internet Explorer. I would also like to know if Norton is actually really blocking this, or if my PC is actually being attacked.

Seems to be a LOT of people reporting this lately - has someone developed a "super" Tidserve?

I should mention that I've run:

Spybot, Spy Sweeper, and Spyware Doctor, which all only found the odd cookie or advertising junk.

Also did a complete Norton Antivirus scan - clean except for another cookie/ad type thing.

Registry Mechanic (from the makers of Spyware Doctor) - had many issues - 5 could not be resolved. Reran it - still just those 5 uncleanable ones.

Malwarebytes' Anti-Malware, CLEAN

SuperAntiSpyware, CLEAN.

Microsoft's Security Essentials (which will NOT let me update it - times out, I think, then gives me a popup window.) Based on the definitions it comes with (since it won't let me update them) it says I am CLEAN.

And AVG's antirootkit...ran it 3-4 times, but on the 1st "deep" search, it DID find 2 rootkits within Norton's Application Data folder - in the new virus definition subfolders. I took a chance and deleted them. And no change.

FYI, I spend the better part of the first 5 minutes of every PC restart ending TSRs in the task window. If for some reason you need me to redo my logs with all that running, let me know.

EDIT - ADDED - I should also add I cannot get onto Microsoft's Windows Update site or its Backup for XP site. Neither IE nor Firefox will let me access them.

DDS is inline, Attach.txt uploaded. Sorry, no Ark.txt since GMER wouldn't play along. THANK you in advance for your help!!

Here's my DDS log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Mel at 23:29:10.68 on Tue 06/08/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1295 [GMT -4:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\EPSON\eEBAPI\eEBSVC.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
C:\Program Files\AirPort\APAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Documents and Settings\Mel\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: agihelper.AGUtils: {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - No File
BHO: agihelper.AGUtils: {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: PCTools Site Guard: {5c8b2a36-3db1-42a4-a3cb-d426709bbfeb} - c:\progra~1\spywar~1\tools\iesdsg.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\16.8.0.41\coIEPlg.dll
BHO: SafeOnline BHO: {69d72956-317c-44bd-b369-8e44d4ef9801} - c:\windows\system32\PxSecure.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\16.8.0.41\IPSBHO.DLL
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - No File
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - Google Toolbar Notifier BHO
BHO: PCTools Browser Monitor: {b56a7d7d-6927-48c8-a975-17df180c71ac} - c:\progra~1\spywar~1\tools\iesdpb.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - Google Dictionary Compression sdch
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.8.0.41\coIEPlg.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [Zinio DLM] "c:\program files\zinio\ZinioReader.exe" /autostart
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [EPSON Stylus Photo R1800] "c:\windows\system32\spool\drivers\w32x86\3\e_fati9la.exe" /fu "c:\windows\temp\E_S5B1.tmp" /EF "HKCU"
uRun: [Spyware Doctor] "c:\program files\spyware doctor\swdoctor.exe" /Q
uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [SpybotSD TeaTimer] "c:\program files\spybot - search & destroy\TeaTimer.exe"
uRun: [SUPERAntiSpyware] "c:\program files\superantispyware\SUPERAntiSpyware.exe"
mRun: [SynTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe"
mRun: [SUPBackGround] "c:\program files\samsung\samsung update plus\SUPBackGround.exe"
mRun: [Bluetooth Connection Assistant] LBTWIZ.EXE -silent
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [<NO NAME>]
mRun: [DMHotKey] "c:\program files\samsung\easy display manager\DMLoader.exe"
mRun: [ANIWZCS2Service] "c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe"
mRun: [D-Link D-Link RangeBooster N DWA-140] "c:\program files\d-link\d-link rangebooster n dwa-140\AirNCFG.exe"
mRun: [IgfxTray] "c:\windows\system32\igfxtray.exe"
mRun: [HotKeysCmds] "c:\windows\system32\hkcmd.exe"
mRun: [Persistence] "c:\windows\system32\igfxpers.exe"
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [Nikon Transfer Monitor] "c:\program files\common files\nikon\monitor\NkMonitor.exe"
mRun: [KernelFaultCheck] "%systemroot%\system32\dumprep" 0 -k
mRun: [Kernel and Hardware Abstraction Layer] "KHALMNPR.EXE"
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AirPort Base Station Agent] "c:\program files\airport\APAgent.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [SpySweeper] "c:\program files\webroot\webrootsecurity\SpySweeperUI.exe" /startintray
dRun: [Spyware Doctor]
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\webshots.lnk - c:\program files\webshots\3.1.5.7617\Launcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\yahoo!\widgets\YahooWidgets.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\webshots.lnk - c:\program files\webshots\3.1.5.7617\Launcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\yahoo!\widgets\YahooWidgets.exe
uPolicies-explorer: NoLogoff = 00000000
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - {A1EDC4A1-940F-48E0-8DFD-E38F1D501021} - c:\progra~1\spywar~1\tools\iesdpb.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {106E49CF-797A-11D2-81A2-00E02C015623} - hxxp://www.alternatiff.com/install-ie/alttiff.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} - hxxp://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1233281160093
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {89242969-422B-46BF-B0D5-6A7B7DC4D0E0} - file:///C:/Documents%20and%20Settings/Mel/Desktop/NASFinder-050809/html/nafcom.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp3.dll
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\engine\16.8.0.41\CoIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
Notify: MCPClient - c:\program files\common files\stardock\mcpstub.dll
Notify: WBSrv - c:\progra~1\stardock\object~1\window~1\wbsrv.dll
SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - c:\progra~1\common~1\stardock\mcpcore.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: IconPackager Repair - {1799460C-0BC8-4865-B9DF-4A36CD703FF0} - c:\program files\stardock\object desktop\iconpackager\iprepair.dll
SSODL: gusayokuz - {6acaa1ad-0287-428e-b43f-f28559b224e7} -
SSODL: suradefom - {e1ae29ac-60c1-4500-a6b8-a8ecad98e6ec} -
SSODL: nibefewuv - {229f6dd6-0d40-4867-a00f-b2fa520bc6b9} -
SSODL: hifufihor - {3f90613e-26b2-455c-8873-07757ec035a9} -
SSODL: dibudohaf - {69bd97c3-d0af-4c7a-b082-e6663fcb3238} -
SSODL: nihomugok - {ad97b6c5-fa1e-40fc-803a-17ce952bc55e} -
STS: {6acaa1ad-0287-428e-b43f-f28559b224e7}: kupuhivus
STS: {e1ae29ac-60c1-4500-a6b8-a8ecad98e6ec}: kupuhivus
STS: {229f6dd6-0d40-4867-a00f-b2fa520bc6b9}: gahurihor
STS: {3f90613e-26b2-455c-8873-07757ec035a9}: gahurihor
STS: {69bd97c3-d0af-4c7a-b082-e6663fcb3238}: gahurihor
STS: {ad97b6c5-fa1e-40fc-803a-17ce952bc55e}: gahurihor
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli sujujosa.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mel\applic~1\mozilla\firefox\profiles\2gve4s6c.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\documents and settings\mel\application data\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJPI150.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPOJI610.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys [2007-1-31 5632]
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2009-12-31 30320]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-11-6 29808]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1008000.029\SymEFA.sys [2010-2-2 310320]
R1 AvgArCln;Avg Anti-Rootkit Clean Driver;c:\windows\system32\drivers\AvgArCln.sys [2010-6-8 3968]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1008000.029\BHDrvx86.sys [2010-2-2 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1008000.029\cchpx86.sys [2010-2-2 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100604.004\IDSXpx86.sys [2010-6-8 331640]
R1 ikhfile;File Security Kernel Anti-Spyware Driver;c:\windows\system32\drivers\ikhfile.sys [2009-3-29 30592]
R1 ikhlayer;Kernel Anti-Spyware Driver;c:\windows\system32\drivers\ikhlayer.sys [2009-3-29 51072]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 149040]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [2008-10-28 4300]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-10-12 54752]
R2 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\engine\16.8.0.41\ccSvcHst.exe [2010-2-2 117640]
R2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [2009-12-31 61624]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2009-1-30 1251720]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\webrootsecurity\SpySweeper.exe [2009-11-6 4048240]
R3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [2008-1-14 30208]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-27 102448]
R3 JakNDis;Jaksta Service;c:\windows\system32\drivers\JakNDis.sys [2008-8-4 26656]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100608.032\NAVENG.SYS [2010-6-8 85552]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100608.032\NAVEX15.SYS [2010-6-8 1347504]
R3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [2009-12-31 24400]
R3 rt2870;D-Link dnetr28u USB Extensible Wireless LAN Card Driver;c:\windows\system32\drivers\Drt2870.sys [2009-8-3 724736]
R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [2008-10-28 238464]
S2 AGCoreService;AG Core Services;c:\program files\agi\core\4.2.0.10753\AGCoreService.exe [2010-6-1 20480]
S2 CSIScanner;CSIScanner;c:\program files\prevx\prevx.exe [2009-12-31 6377352]
S2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2009-5-24 1373480]
S2 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2010-1-29 1201640]
S3 ADDMEM;ADDMEM;\??\c:\docume~1\mel\locals~1\temp\__samsung_update\addmem.sys --> c:\docume~1\mel\locals~1\temp\__samsung_update\ADDMEM.SYS [?]
S3 DlinkUDSMBus;DlinkUDSMBus;c:\windows\system32\drivers\dlinkudsmbus.sys --> c:\windows\system32\drivers\DlinkUDSMBus.sys [?]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 SUEPD;SUE NDIS Protocol Driver;c:\windows\system32\drivers\SUE_PD.sys [2006-10-30 19840]

=============== Created Last 30 ================

2010-06-09 01:23:43 0 ----a-w- c:\documents and settings\mel\defogger_reenable
2010-06-08 13:07:30 0 d-----w- c:\program files\Microsoft Security Essentials
2010-06-08 11:30:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-06-08 11:30:09 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-08 09:36:37 921 ----a-w- c:\windows\win.tmp
2010-06-08 09:36:37 231 ----a-w- c:\windows\system.tmp
2010-06-08 06:02:05 3968 ----a-w- c:\windows\system32\drivers\AvgArCln.sys
2010-06-08 06:01:54 0 d-----w- c:\docume~1\mel\applic~1\SUPERAntiSpyware.com
2010-06-08 06:01:54 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-06-08 06:01:27 0 d-----w- c:\program files\SUPERAntiSpyware
2010-06-08 01:25:58 0 d-----w- c:\docume~1\mel\applic~1\Malwarebytes
2010-06-08 01:25:50 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-08 01:25:49 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-08 01:25:49 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-08 01:25:49 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-16 01:10:34 0 d-----w- c:\program files\Keepsake Countdown

==================== Find3M ====================

2010-06-07 18:32:51 61952 ----a-w- c:\windows\system32\PxSecure.dll
2010-06-07 18:32:50 61624 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-06-07 18:32:50 30320 ----a-w- c:\windows\system32\drivers\pxscan.sys
2010-06-07 18:32:50 24400 ----a-w- c:\windows\system32\drivers\pxkbf.sys
2010-04-08 17:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 17:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
2009-11-06 23:15:23 217073 --sha-r- c:\windows\meta4.exe
2005-07-14 16:31:20 27648 --sha-r- c:\windows\system32\AVSredirect.dll
2005-06-26 19:32:28 616448 --sha-r- c:\windows\system32\cygwin1.dll
2005-06-22 02:37:42 45568 --sha-r- c:\windows\system32\cygz.dll
2006-05-03 10:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2004-01-25 04:00:00 70656 --sha-r- c:\windows\system32\i420vfw.dll
2007-02-21 11:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-02-04 19:26:34 151040 --sh--w- c:\windows\system32\VistaUltm.dll
2005-02-28 17:16:22 240128 --sha-r- c:\windows\system32\x.264.exe
2004-01-25 04:00:00 70656 --sha-r- c:\windows\system32\yv12vfw.dll

============= FINISH: 23:33:05.40 ===============

Edited by mmilligan, 09 June 2010 - 12:25 PM.



#2 Farbar

Posted 13 June 2010 - 03:54 PM

Hi mmilligan,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes.
  1. Please update me on the current condition of your computer. Do you still have redirection problem? If yes please proceed with the next steps.

  2. Run GMER, uncheck all boxes except the box next to Sections (C drive should remain checked), click Scan.
    When it has finished, press Save to save the log and post it in your reply. It will not take more than a minute.

  3. Run GMER, uncheck all boxes except the box next to Registry (C drive should remain checked), click Scan.
    When it has finished, press Save to save the log and post it in your reply. It will not take more than a minute.

  4. Please download MBR.EXE by GMER. Save the file in your Windows directory (C:\Windows).

    Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:

    CODE
    @echo off
    REM remove any log left by an earlier run so only fresh output is shown
    if exist mbr.log del mbr.log
    REM run GMER's MBR checker (saved in C:\Windows, so it is on the PATH); it writes mbr.log next to this batch file
    mbr.exe -t
    REM one ping with a 1-second timeout is a crude pause so mbr.exe can finish writing the log
    ping 1.1.1.1 -n 1 -w 1000 >nul
    REM open the log in Notepad
    start mbr.log

    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: look.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate look.bat on the desktop. It should look like this:
    • Double-click to run it.
    • A notepad opens, copy and paste the content (log.txt) to your reply.




#3 mmilligan

Posted 13 June 2010 - 10:38 PM

Hi - yes I am still experiencing all the problems I mentioned.

I ran GMER like you said, and saved the sections log. That was not quite a minute to run, but close.

The registry log I had problems getting.

GMER is not taking a minute to run it - more like several hours. First time I ran it, it hung and I had to do a cold reboot. Second time, I gave up after more than 2 hours. This can't be right, especially if you are saying it will take only a minute. That's quite a disparity in time frames...a minute vs. several hours.

Figuring you wanted me to do the steps you gave me in order, I did not download MBR or create/run the bat file yet.

I would like to see what you have to say about GMER taking so long to run the registry scan. Let me know what you would like me to do. Is there any way of getting it that won't take all night?

I fear that I'm going to end up with the same problem running GMER as the first time - it'll take more than all night and then restart the PC automatically, without giving an opportunity to save the log file.

Please advise.

GMER sections log attached.

Thanks -

Melissa


#4 Farbar

Posted 14 June 2010 - 12:50 AM

Hi Melissa,

GMER can't run to completion on some systems and this is known to us. For the same reason I wanted you to do two scans independently instead of simultaneously to get at least the Sections log.

If neither of them had run I would have needed mbr.exe, and now we don't need that either.
  1. Download http://download.bleepingcomputer.com/farbar/TDLfix.exe and save it to your desktop.
    • Disable real-time protection of your security software and make sure it will not run at startup after reboot. They may otherwise interfere with the tool. (Information on A/V control HERE)
    • Close all the open windows.
    • Double-click TDLfix.exe to run the tool, a command window opens.
    • Type (or copy the following and right-click to paste) in the command window and press Enter:

      pci
    • The application will restart the computer immediately and run after the restart.
    • Tell me if the computer rebooted and ran to completion.


  2. Tell me if the issue is resolved.


#5 mmilligan

mmilligan
  • Topic Starter

  • Members
  • 7 posts

Posted 14 June 2010 - 01:28 PM

Hey there -

thanks!

Ok - some info:

#1 - after I wrote you last night, telling you I couldn't get GMER to finish scanning the registry, I decided to try GMER registry scan in safe mode. It found nothing. Then I restarted in normal mode and ran it again, let it go all night, and it also found nothing. So no registry changes in GMER in safe or normal mode.

#2 - I followed your latest instructions and ran TDLfix and it seemed to do the trick. So my PCI driver was corrupted, changed, hijacked (what's the term?)

#3 - I tried going to the microsoft update website (which, if you recall, I could not before) and it's working.

#4 - Hibernation is working.

#5 - Browser redirects - not happening.

#6 - Tidserve attempts - non-existent.

So - all in all - I'd say everything is back up and running as it should be!!

PS - Would you be so kind as to let me know what the problem was? PCI.sys was hijacked or changed? I'd like to make a note of it for future reference. If you could be specific, I'd appreciate it. Was it a virus? How do you think it happened, how did I get it? What can I do in the future to prevent it?

Thank you VERY VERY much!


PS - I'm now going offline to change every password I have. :::sigh:::

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 14 June 2010 - 02:21 PM

Great, and you are most welcome.

Let's finish up the job first.
  1. We need to repair a security related registry item altered by the malware. Open Notepad (Start > Run and type in Notepad); make sure Word Wrap under the Format menu is not selected.
    Copy and paste the text in the code box into it.

    CODE
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "Notification Packages"=hex(7):73,63,65,63,6C,69,00,00

    • Save the file to the desktop as regfix.reg
    • Make sure the Save as type field says All files.
    • Locate regfix.reg on the desktop and double-click on it and confirm.
    • A window pops up asking if you are sure to add the file to the registry. Click Yes.
    • You get another window popup saying that regfix.reg successfully added to the registry.

    Note: You have to turn off any registry protector software you have in order for the changes to take place.

  2. Run TDLfix, type del and press Enter. This will delete the quarantined infected file and mbr.exe. Delete the tool from your desktop.

  3. This is a small application you may want to keep and use to keep the computer clean.
    Download CCleaner from here http://www.ccleaner.com/
    • Run the installer to install the application.
    • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
    • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
    • Click Run Cleaner.
    • Close CCleaner.

  4. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "JDK 6 Update 20 (JDK or JRE)".
    • Click the Download JRE button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.

  5. Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


  6. Please run DDS and post a fresh DDS.txt to your reply. No need for the Attach.txt

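As an added illustration (not Farbar's tool or any code from the thread), this Python snippet decodes the hex(7) REG_MULTI_SZ value from the regfix above and shows how a defender would check an LSA "Notification Packages" list for entries that should not be there. The allowlist and the tampered sample value are constructed assumptions, not taken from the thread.

```python
"""Decode/encode a REG_MULTI_SZ 'Notification Packages' value as written in a
REGEDIT4 .reg file (hex(7):...) and flag unexpected LSA notification packages.
Added example, not part of the thread."""
import re

# A REGEDIT4 hex(7) value is a REG_MULTI_SZ: NUL-terminated strings followed by
# one extra NUL. Long values may be wrapped with a trailing backslash.
HEX7_RE = re.compile(r'^\s*"(?P<name>[^"]+)"=hex\(7\):(?P<body>[0-9A-Fa-f,\\\s]+)', re.M)

# Constructed allowlist (assumption): scecli is the stock package on XP; rassfm
# shows up on some server / RAS installs. Anything else is loaded into LSASS and
# deserves a look.
EXPECTED_PACKAGES = {"scecli", "rassfm"}


def decode_hex7(body: str) -> list[str]:
    """Turn '73,63,65,63,6C,69,00,00' into ['scecli']."""
    cleaned = body.replace("\\", "").replace("\n", "").replace("\r", "").replace(" ", "")
    data = bytes(int(b, 16) for b in cleaned.split(",") if b)
    # Split on NUL; the terminating double NUL yields empty strings, dropped here.
    return [s.decode("latin-1") for s in data.split(b"\x00") if s]


def encode_hex7(packages: list[str]) -> str:
    """Inverse of decode_hex7: the comma-separated hex form used in .reg files."""
    data = b"".join(p.encode("latin-1") + b"\x00" for p in packages) + b"\x00"
    return ",".join(f"{b:02X}" for b in data)


def parse_notification_packages(reg_text: str) -> list[str]:
    """Find the 'Notification Packages' line in a .reg fragment and decode it."""
    for m in HEX7_RE.finditer(reg_text):
        if m.group("name") == "Notification Packages":
            return decode_hex7(m.group("body"))
    raise ValueError("no Notification Packages value found")


def unexpected_packages(packages: list[str]) -> list[str]:
    """Entries not on the allowlist; a non-empty result is worth investigating."""
    return [p for p in packages if p.lower() not in EXPECTED_PACKAGES]


# The fix exactly as posted in the thread.
REGFIX = '''REGEDIT4

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa]
"Notification Packages"=hex(7):73,63,65,63,6C,69,00,00
'''

# Constructed sample of a tampered value: scecli plus a bogus extra package name.
TAMPERED = '''REGEDIT4

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa]
"Notification Packages"=hex(7):73,63,65,63,6C,69,00,62,6F,67,75,73,00,00
'''

if __name__ == "__main__":
    print(parse_notification_packages(REGFIX))                          # ['scecli']
    print(unexpected_packages(parse_notification_packages(TAMPERED)))   # ['bogus']
    print(encode_hex7(["scecli"]))                                      # 73,63,65,63,6C,69,00,00
```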

#7 mmilligan

mmilligan
  • Topic Starter

  • Members
  • 7 posts

Posted 14 June 2010 - 04:18 PM

Hey there

Ok, did all as requested.

Malwarebytes' Anti-Malware did not find any problems. Log pasted below, anyway.

DDS attached, also.

How do I look now?

Thanks again!

-----

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4198

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/14/2010 5:06:48 PM
mbam-log-2010-06-14 (17-06-48).txt

Scan type: Quick scan
Objects scanned: 128472
Time elapsed: 15 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Attached Files: DDS.txt (24.94KB)


#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 14 June 2010 - 04:27 PM

There are many orphans and leftovers.
  1. You have the program Spybot S&D (Teatimer option) running on your machine. We need to disable TeaTimer so it does not interfere with the fixes we are about to do. This will only take a few seconds.
    1. First disable TeaTimer:
      • Run Spybot-S&D
      • Go to the Mode menu, and make sure Advanced Mode is selected
      • On the left hand side, choose Tools -> Resident
      • Uncheck Resident TeaTimer and OK any prompts
      • Restart your computer.
      Instruction is also here: How to disable TeaTimer during HijackThis Cleanup
      Note: If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
    2. Then download ResetTeaTimer.exe to your desktop.
      • Doubleclick ResetTeaTimer.exe and let it run.
    Note: The Teatimer should be kept disabled until I give you the clean sign.

  2. Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with the tool. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    • You will get a warning about the not trusted download sites for ComboFix, click Yes.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.


#9 mmilligan

mmilligan
  • Topic Starter

  • Members
  • 7 posts

Posted 14 June 2010 - 08:50 PM

Hello again, and thank you for working on this!

Here's the combofix log.


ComboFix 10-06-14.02 - Mel 06/14/2010 21:08:58.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1452 [GMT -4:00]
Running from: c:\documents and settings\Mel\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Mel\System
c:\documents and settings\Mel\System\win_qs8.jqx
c:\windows\SEC
c:\windows\SEC\DelMt.cmd
c:\windows\SEC\JRE150.exe
c:\windows\SEC\Marker.exe
c:\windows\SEC\MEMIO.sys
c:\windows\SEC\MEMIO.vxd
c:\windows\SEC\MP10ENG.exe
c:\windows\SEC\Region.vbs
c:\windows\SEC\SECINSTALL.EXE
c:\windows\SEC\SECINSTALL.INI
c:\windows\SEC\StartMem.exe

.
((((((((((((((((((((((((( Files Created from 2010-05-15 to 2010-06-15 )))))))))))))))))))))))))))))))
.

2010-06-14 20:44 . 2010-06-14 20:44 -------- d-----w- c:\program files\Common Files\Java
2010-06-14 20:23 . 2010-06-14 20:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-06-14 20:23 . 2010-06-14 20:23 -------- d-----w- c:\documents and settings\Mel\Application Data\Yahoo!
2010-06-14 20:23 . 2010-06-14 20:24 -------- d-----w- c:\program files\CCleaner
2010-06-14 19:25 . 2010-05-21 18:14 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-06-14 18:40 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-14 18:04 . 2010-06-14 18:04 -------- d-----w- C:\backup
2010-06-13 23:27 . 2010-06-13 23:27 -------- d-----w- C:\WTablet
2010-06-11 17:43 . 2010-06-11 17:43 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2010-06-11 02:14 . 2010-06-11 02:14 71680 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-06-11 02:14 . 2010-06-11 02:37 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-06-10 05:08 . 2010-06-10 05:08 -------- d-----w- c:\program files\Common Files\PC Tools
2010-06-08 19:08 . 2010-06-08 19:08 -------- d-----w- c:\documents and settings\Mel\Local Settings\Application Data\PCHealth
2010-06-08 19:08 . 2010-06-08 19:08 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2010-06-08 11:30 . 2010-06-08 11:30 12800 ----a-w- c:\documents and settings\Mel\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-513b673f-n\decora-d3d.dll
2010-06-08 11:30 . 2010-06-08 11:30 61440 ----a-w- c:\documents and settings\Mel\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-513b673f-n\decora-sse.dll
2010-06-08 11:30 . 2010-06-08 11:30 503808 ----a-w- c:\documents and settings\Mel\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-144a703e-n\msvcp71.dll
2010-06-08 11:30 . 2010-06-08 11:30 499712 ----a-w- c:\documents and settings\Mel\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-144a703e-n\jmc.dll
2010-06-08 11:30 . 2010-06-08 11:30 348160 ----a-w- c:\documents and settings\Mel\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-144a703e-n\msvcr71.dll
2010-06-08 11:30 . 2010-06-14 20:49 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-08 06:02 . 2010-06-08 06:02 63488 ----a-w- c:\documents and settings\Mel\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-06-08 06:02 . 2010-06-08 06:02 52224 ----a-w- c:\documents and settings\Mel\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-08 06:02 . 2010-06-08 06:02 117760 ----a-w- c:\documents and settings\Mel\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-08 06:02 . 2007-01-18 12:00 3968 ----a-w- c:\windows\system32\drivers\AvgArCln.sys
2010-06-08 06:01 . 2010-06-08 06:01 -------- d-----w- c:\documents and settings\Mel\Application Data\SUPERAntiSpyware.com
2010-06-08 06:01 . 2010-06-08 06:01 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-06-08 06:01 . 2010-06-08 06:01 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-06-08 01:25 . 2010-06-08 01:25 -------- d-----w- c:\documents and settings\Mel\Application Data\Malwarebytes
2010-06-08 01:25 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-08 01:25 . 2010-06-08 01:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-08 01:25 . 2010-06-08 01:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-08 01:25 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-15 00:42 . 2009-01-30 03:44 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-06-15 00:33 . 2009-12-31 10:39 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI
2010-06-15 00:30 . 2009-12-31 21:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-14 20:49 . 2008-10-29 01:59 -------- d-----w- c:\program files\Java
2010-06-14 20:39 . 2009-05-24 19:08 -------- d-----w- c:\documents and settings\Mel\Application Data\WTablet
2010-06-14 20:23 . 2009-01-30 04:15 -------- d-----w- c:\program files\Yahoo!
2010-06-14 19:54 . 2009-01-30 03:34 -------- d-----w- c:\program files\Google
2010-06-14 18:47 . 2010-06-08 09:36 921 ----a-w- c:\windows\win.tmp
2010-06-14 18:41 . 2009-02-13 03:19 -------- d-----w- c:\program files\Microsoft
2010-06-13 02:34 . 2009-03-26 23:53 -------- d-----w- c:\program files\Big Kahuna Reef 2
2010-06-11 02:18 . 2008-10-29 02:05 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-11 02:15 . 2009-06-01 14:29 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-06-09 17:19 . 2009-01-30 00:49 -------- d-----w- c:\program files\Eastsea Outlook Backup
2010-06-08 23:02 . 2009-02-11 00:01 -------- d-----w- c:\documents and settings\NetworkService\Application Data\agi
2010-06-08 23:02 . 2009-02-06 10:05 -------- d-----w- c:\program files\Apple Software Update
2010-06-07 18:32 . 2009-12-31 10:39 61952 ----a-w- c:\windows\system32\PxSecure.dll
2010-06-07 18:32 . 2009-12-31 10:39 61624 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-06-07 18:32 . 2009-12-31 10:39 30320 ----a-w- c:\windows\system32\drivers\pxscan.sys
2010-06-07 18:32 . 2009-12-31 10:39 24400 ----a-w- c:\windows\system32\drivers\pxkbf.sys
2010-06-07 18:32 . 2009-12-31 10:39 -------- d-----w- c:\program files\Prevx
2010-06-07 18:32 . 2010-01-13 20:33 934832 ----a-w- c:\documents and settings\All Users\Application Data\PrevxCSI\~PrevxCSIUpdate.exe
2010-06-07 18:17 . 2009-01-30 02:37 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-02 01:08 . 2009-02-02 23:47 -------- d-----w- c:\documents and settings\Mel\Application Data\agi
2010-06-02 00:52 . 2009-02-02 23:49 -------- d-----w- c:\program files\Webshots
2010-06-02 00:52 . 2009-02-02 23:46 -------- d-----w- c:\program files\AGI
2010-05-23 03:47 . 2009-10-17 20:33 60 ----a-w- c:\windows\popcinfot.dat
2010-05-23 03:47 . 2009-10-17 20:33 134 ---h--w- c:\windows\popcreg.dat
2010-05-16 01:10 . 2010-05-16 01:10 -------- d-----w- c:\program files\Keepsake Countdown
2010-05-06 10:41 . 2008-10-28 22:06 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 23:41 . 2010-05-04 23:39 -------- d-----w- c:\program files\iTunes
2010-05-04 23:39 . 2010-05-04 23:39 -------- d-----w- c:\program files\iPod
2010-05-04 23:39 . 2009-02-06 10:04 -------- d-----w- c:\program files\Common Files\Apple
2010-05-04 23:27 . 2009-02-06 10:20 -------- d-----w- c:\program files\Bonjour
2010-05-04 23:26 . 2010-05-04 23:26 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-05-03 22:13 . 2009-03-29 22:56 -------- d-----w- c:\program files\Spyware Doctor
2010-05-02 05:22 . 2008-10-28 22:06 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 03:32 . 2010-04-29 03:32 -------- d-----w- c:\program files\Phoenix Technologies
2010-04-27 23:33 . 2009-05-06 14:05 -------- d-----w- c:\documents and settings\Mel\Application Data\Move Networks
2010-04-20 05:30 . 2008-10-28 22:05 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-08 17:20 . 2010-04-08 17:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 17:20 . 2010-04-08 17:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2009-11-06 23:15 . 2005-05-13 21:12 217073 --sha-r- c:\windows\meta4.exe
2005-07-14 16:31 . 2005-07-14 16:31 27648 --sha-r- c:\windows\system32\AVSredirect.dll
2005-06-26 19:32 . 2005-06-26 19:32 616448 --sha-r- c:\windows\system32\cygwin1.dll
2005-06-22 02:37 . 2005-06-22 02:37 45568 --sha-r- c:\windows\system32\cygz.dll
2006-05-03 10:06 . 2009-11-06 23:14 163328 --sh--r- c:\windows\system32\flvDX.dll
2004-01-25 04:00 . 2004-01-25 04:00 70656 --sha-r- c:\windows\system32\i420vfw.dll
2007-02-21 11:47 . 2009-11-06 23:14 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-02-04 19:26 . 2009-11-06 23:14 151040 --sh--w- c:\windows\system32\VistaUltm.dll
2005-02-28 17:16 . 2005-02-28 17:16 240128 --sha-r- c:\windows\system32\x.264.exe
2004-01-25 04:00 . 2004-01-25 04:00 70656 --sha-r- c:\windows\system32\yv12vfw.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0BC6E3FA-78EF-4886-842C-5A1258C4455A}"= "mscoree.dll" [2008-07-25 282112]

[HKEY_CLASSES_ROOT\clsid\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
[HKEY_CLASSES_ROOT\agihelper.AGUtils]
[HKEY_CLASSES_ROOT\TypeLib\{647B16D8-AD7B-4983-82D7-82A270FC9E6D}]
[HKEY_CLASSES_ROOT\agcutils.AGSearchHook]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
2008-07-25 16:16 282112 ----a-w- c:\windows\system32\mscoree.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zinio DLM"="c:\program files\Zinio\ZinioReader.exe" [2008-10-29 2699334]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-09 68856]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-05-18 2397424]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2010-04-08 3233752]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bluetooth Connection Assistant"="LBTWIZ.EXE -silent" [X]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-28 1044480]
"SUPBackGround"="c:\program files\Samsung\Samsung Update Plus\SUPBackGround.exe" [2010-04-20 300912]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"DMHotKey"="c:\program files\Samsung\Easy Display Manager\DMLoader.exe" [2006-12-27 466944]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"D-Link D-Link RangeBooster N DWA-140"="c:\program files\D-Link\D-Link RangeBooster N DWA-140\AirNCFG.exe" [2007-08-20 1671168]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-18 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-18 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-18 137752]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-01-08 451896]
"Nikon Transfer Monitor"="c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2008-12-16 479232]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"AirPort Base Station Agent"="c:\program files\AirPort\APAgent.exe" [2009-11-11 771360]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Gloss Burgundy Clock.lnk - c:\program files\Stardock\DesktopGadgets\Gloss Burgundy Clock\Gloss Burgundy Clock.exe [2009-6-27 828664]
Gloss Burgundy Weather.lnk - c:\program files\Stardock\DesktopGadgets\Gloss Burgundy Weather\Gloss Burgundy Weather.exe [2009-6-27 713728]
IconPackager.lnk - c:\program files\Stardock\Object Desktop\IconPackager\IconPackager.exe [2008-9-23 984480]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-4-1 568176]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-3-6 813584]
Webshots.lnk - c:\program files\Webshots\3.1.5.7617\Launcher.exe [2010-6-1 157088]
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2008-3-18 4742184]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"= 00000000

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 17:28 72208 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
2005-01-31 19:13 49152 ----a-w- c:\program files\Common Files\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2010-02-03 21:11 172336 ----a-w- c:\progra~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\AirPort\\APAgent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:UDP"= 5353:UDP:Bonjour
"9303:UDP"= 9303:UDP:SharePort Network USB Utility UDP Port
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"67:UDP"= 67:UDP:DHCP Discovery Service

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [12/31/2009 6:39 AM 30320]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [11/6/2009 1:00 PM 29808]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1008000.029\SymEFA.sys [2/2/2010 4:20 AM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NIS\1008000.029\BHDrvx86.sys [2/2/2010 4:20 AM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1008000.029\cchpx86.sys [2/2/2010 4:19 AM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100604.004\IDSXpx86.sys [6/8/2010 7:17 PM 331640]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [10/28/2008 10:00 PM 4300]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe [2/2/2010 4:19 AM 117640]
R2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [12/31/2009 6:39 AM 61624]
R3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [1/14/2008 11:01 PM 30208]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/27/2010 9:23 PM 102448]
R3 JakNDis;Jaksta Service;c:\windows\system32\drivers\JakNDis.sys [8/4/2008 9:34 AM 26656]
R3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [12/31/2009 6:39 AM 24400]
R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [10/28/2008 10:04 PM 238464]
S2 AGCoreService;AG Core Services;c:\program files\AGI\core\4.2.0.10753\AGCoreService.exe [6/1/2010 8:50 PM 20480]
S2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [12/31/2009 6:39 AM 6377352]
S2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [6/10/2010 1:08 AM 632792]
S2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [5/24/2009 3:07 PM 1373480]
S2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [1/29/2010 7:53 PM 1201640]
S3 ADDMEM;ADDMEM;\??\c:\docume~1\Mel\LOCALS~1\Temp\__Samsung_Update\ADDMEM.SYS --> c:\docume~1\Mel\LOCALS~1\Temp\__Samsung_Update\ADDMEM.SYS [?]
S3 DlinkUDSMBus;DlinkUDSMBus;c:\windows\system32\Drivers\DlinkUDSMBus.sys --> c:\windows\system32\Drivers\DlinkUDSMBus.sys [?]
S3 SUEPD;SUE NDIS Protocol Driver;c:\windows\system32\drivers\SUE_PD.sys [10/30/2006 6:29 PM 19840]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - JAVAQUICKSTARTERSERVICE
*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder

2010-06-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-06-11 c:\windows\Tasks\Norton Security Scan for Mel.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.7.0.52\Nss.exe [2009-12-11 04:04]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
DPF: {89242969-422B-46BF-B0D5-6A7B7DC4D0E0} - file:///C:/Documents%20and%20Settings/Mel/Desktop/NASFinder-050809/html/nafcom.cab
FF - ProfilePath - c:\documents and settings\Mel\Application Data\Mozilla\Firefox\Profiles\2gve4s6c.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\documents and settings\Mel\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-Spyware Doctor - (no file)
SharedTaskScheduler-{6acaa1ad-0287-428e-b43f-f28559b224e7} - (no file)
SharedTaskScheduler-{e1ae29ac-60c1-4500-a6b8-a8ecad98e6ec} - (no file)
SharedTaskScheduler-{229f6dd6-0d40-4867-a00f-b2fa520bc6b9} - (no file)
SharedTaskScheduler-{3f90613e-26b2-455c-8873-07757ec035a9} - (no file)
SharedTaskScheduler-{69bd97c3-d0af-4c7a-b082-e6663fcb3238} - (no file)
SharedTaskScheduler-{ad97b6c5-fa1e-40fc-803a-17ce952bc55e} - (no file)
SSODL-gusayokuz-{6acaa1ad-0287-428e-b43f-f28559b224e7} - (no file)
SSODL-suradefom-{e1ae29ac-60c1-4500-a6b8-a8ecad98e6ec} - (no file)
SSODL-nibefewuv-{229f6dd6-0d40-4867-a00f-b2fa520bc6b9} - (no file)
SSODL-hifufihor-{3f90613e-26b2-455c-8873-07757ec035a9} - (no file)
SSODL-dibudohaf-{69bd97c3-d0af-4c7a-b082-e6663fcb3238} - (no file)
SSODL-nihomugok-{ad97b6c5-fa1e-40fc-803a-17ce952bc55e} - (no file)



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.8.0.41\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\mchInjDrv]
"ImagePath"="\??\c:\windows\TEMP\mc21.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3913947399-528437137-2292011657-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
@SACL=
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1800)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\Common Files\Stardock\mcpstub.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
c:\progra~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
.
Completion time: 2010-06-14 21:40:11
ComboFix-quarantined-files.txt 2010-06-15 01:40

Pre-Run: 214,649,802,752 bytes free
Post-Run: 214,628,352,000 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 16C0E809593BD1F67408A9B7A85FE3F7


#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:09 PM

Posted 15 June 2010 - 03:22 AM

We are almost there. In the next post we round off.

Close any open browsers.

Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

CODE
RegLock::
[HKEY_USERS\S-1-5-21-3913947399-528437137-2292011657-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:0
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:0
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:0
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001
SkipFix::


Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you ("C:\ComboFix.txt"). Please copy and paste the log into your reply.

Note:
Do not mouse-click ComboFix's window while it is running; that may cause it to stall.

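An added example, not part of Farbar's post and not ComboFix's own code: a small Python checker that reads the Registry:: section of a CFScript like the one above and compares the values it asks for against a REGEDIT4-style export of the machine's current state. This is the check you would run after the fix to confirm the Security Center monitoring and firewall values actually changed. The export text is constructed for the example, and the expansion of ComboFix's `HKLM\~\` shorthand to `HKLM\SYSTEM\CurrentControlSet\` is an assumption made here from how the key is written in the script and logs.

```python
import re

# ComboFix writes HKLM\SYSTEM\CurrentControlSet\ as "HKLM\~\" (an assumption made
# for this example, based on how the key appears in the script and logs above).
KEY_ABBREV = (
    ("hklm\\~\\", "hkey_local_machine\\system\\currentcontrolset\\"),
    ("hklm\\", "hkey_local_machine\\"),
)
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{1,8})$')
STRING_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<val>.*)"$')


def normalize_key(key: str) -> str:
    """Lower-case a key path and expand ComboFix's HKLM shorthand."""
    key = key.lower()
    for short, full in KEY_ABBREV:
        if key.startswith(short):
            return full + key[len(short):]
    return key


def parse_reg_values(text: str) -> dict:
    """Parse [key] / "name"=dword:... / "name"="..." lines into {key: {name: value}}.

    Accepts either a bare REGEDIT4-style export or a CFScript; for a CFScript only
    the lines under the Registry:: directive are read (RegLock:: etc. are skipped).
    """
    lines = [l.strip() for l in text.splitlines()]
    has_directives = any(l.endswith("::") for l in lines)
    active = not has_directives      # a plain export is read from the first line
    current = None
    result: dict = {}
    for line in lines:
        if line.endswith("::"):      # directive header such as Registry:: or SkipFix::
            active = line == "Registry::"
            current = None
            continue
        if not active or not line or line.startswith("REGEDIT"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = normalize_key(m["key"])
            result.setdefault(current, {})
            continue
        if current is None:
            continue
        m = DWORD_RE.match(line)
        if m:                        # dword:0 and dword:00000001 are both valid spellings
            result[current][m["name"].lower()] = int(m["hex"], 16)
            continue
        m = STRING_RE.match(line)
        if m:
            result[current][m["name"].lower()] = m["val"]
    return result


def find_drift(expected: dict, actual: dict) -> list:
    """Values the script asked for that the export does not show (got=None if absent)."""
    drift = []
    for key, values in expected.items():
        have = actual.get(key, {})
        for name, want in values.items():
            got = have.get(name)
            if got != want:
                drift.append((key, name, want, got))
    return drift


# The CFScript from the post above, verbatim.
CFSCRIPT = r"""RegLock::
[HKEY_USERS\S-1-5-21-3913947399-528437137-2292011657-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:0
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:0
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:0
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001
SkipFix::
"""

# Constructed REGEDIT4-style export for the example: two of the four values did not
# take (firewall monitoring still disabled, firewall itself still off).
ACTUAL_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000000
"""

if __name__ == "__main__":
    for key, name, want, got in find_drift(parse_reg_values(CFSCRIPT), parse_reg_values(ACTUAL_EXPORT)):
        print(f"DRIFT {key}\\{name}: wanted {want!r}, found {got!r}")
```

On a live XP box the export text would come from `reg export` of the keys in question; the parser is shared between the script and the export so the two sides are compared after the same normalisation.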

#11 mmilligan

mmilligan
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:11:09 AM

Posted 15 June 2010 - 11:40 AM

Hello again and thanks for continuing to help me with this.

I had a couple of issues when running this last fix, but I *think* it worked. You tell me, when you look at the log.

The problems I had were

1 - when first running the script, it gave me an error dialog box about not being able to run PEV. Unfortunately, I clicked OK before getting a screen capture.

2 - then combo fix just stalled. So I tried to close it in task manager, but it wouldn't let me. I saw that PEV was still running so I closed that and combofix also closed.

3 - I then disabled my wireless connection and shut down Norton AV and IS.

4 - reran combofix. Got the dialog box again - but this time I got a screen capture (attached). I also clicked on CANCEL instead of OK and it continued to run and complete. So the log is enclosed below.

Let me know what you think...

Thanks

-----------------

ComboFix 10-06-14.03 - Mel 06/15/2010 12:22:39.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1289 [GMT -4:00]
Running from: c:\documents and settings\Mel\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mel\Desktop\CFScript.txt
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2010-05-15 to 2010-06-15 )))))))))))))))))))))))))))))))
.

2010-06-14 20:44 . 2010-06-14 20:44 -------- d-----w- c:\program files\Common Files\Java
2010-06-14 20:23 . 2010-06-14 20:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-06-14 20:23 . 2010-06-14 20:23 -------- d-----w- c:\documents and settings\Mel\Application Data\Yahoo!
2010-06-14 20:23 . 2010-06-14 20:24 -------- d-----w- c:\program files\CCleaner
2010-06-14 19:25 . 2010-05-21 18:14 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-06-14 18:40 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-14 18:04 . 2010-06-14 18:04 -------- d-----w- C:\backup
2010-06-13 23:27 . 2010-06-13 23:27 -------- d-----w- C:\WTablet
2010-06-11 17:43 . 2010-06-11 17:43 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2010-06-11 02:14 . 2010-06-11 02:14 71680 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-06-11 02:14 . 2010-06-11 02:37 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-06-10 05:08 . 2010-06-10 05:08 -------- d-----w- c:\program files\Common Files\PC Tools
2010-06-08 19:08 . 2010-06-08 19:08 -------- d-----w- c:\documents and settings\Mel\Local Settings\Application Data\PCHealth
2010-06-08 19:08 . 2010-06-08 19:08 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2010-06-08 11:30 . 2010-06-08 11:30 12800 ----a-w- c:\documents and settings\Mel\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-513b673f-n\decora-d3d.dll
2010-06-08 11:30 . 2010-06-08 11:30 61440 ----a-w- c:\documents and settings\Mel\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-513b673f-n\decora-sse.dll
2010-06-08 11:30 . 2010-06-08 11:30 503808 ----a-w- c:\documents and settings\Mel\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-144a703e-n\msvcp71.dll
2010-06-08 11:30 . 2010-06-08 11:30 499712 ----a-w- c:\documents and settings\Mel\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-144a703e-n\jmc.dll
2010-06-08 11:30 . 2010-06-08 11:30 348160 ----a-w- c:\documents and settings\Mel\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-144a703e-n\msvcr71.dll
2010-06-08 11:30 . 2010-06-14 20:49 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-08 06:02 . 2010-06-08 06:02 63488 ----a-w- c:\documents and settings\Mel\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-06-08 06:02 . 2010-06-08 06:02 52224 ----a-w- c:\documents and settings\Mel\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-08 06:02 . 2010-06-08 06:02 117760 ----a-w- c:\documents and settings\Mel\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-08 06:02 . 2007-01-18 12:00 3968 ----a-w- c:\windows\system32\drivers\AvgArCln.sys
2010-06-08 06:01 . 2010-06-08 06:01 -------- d-----w- c:\documents and settings\Mel\Application Data\SUPERAntiSpyware.com
2010-06-08 06:01 . 2010-06-08 06:01 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-06-08 06:01 . 2010-06-08 06:01 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-06-08 01:25 . 2010-06-08 01:25 -------- d-----w- c:\documents and settings\Mel\Application Data\Malwarebytes
2010-06-08 01:25 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-08 01:25 . 2010-06-08 01:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-08 01:25 . 2010-06-08 01:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-08 01:25 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-15 00:42 . 2009-01-30 03:44 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-06-15 00:33 . 2009-12-31 10:39 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI
2010-06-15 00:30 . 2009-12-31 21:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-14 20:49 . 2008-10-29 01:59 -------- d-----w- c:\program files\Java
2010-06-14 20:39 . 2009-05-24 19:08 -------- d-----w- c:\documents and settings\Mel\Application Data\WTablet
2010-06-14 20:23 . 2009-01-30 04:15 -------- d-----w- c:\program files\Yahoo!
2010-06-14 19:54 . 2009-01-30 03:34 -------- d-----w- c:\program files\Google
2010-06-14 18:47 . 2010-06-08 09:36 921 ----a-w- c:\windows\win.tmp
2010-06-14 18:41 . 2009-02-13 03:19 -------- d-----w- c:\program files\Microsoft
2010-06-13 02:34 . 2009-03-26 23:53 -------- d-----w- c:\program files\Big Kahuna Reef 2
2010-06-11 02:18 . 2008-10-29 02:05 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-11 02:15 . 2009-06-01 14:29 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-06-09 17:19 . 2009-01-30 00:49 -------- d-----w- c:\program files\Eastsea Outlook Backup
2010-06-08 23:02 . 2009-02-11 00:01 -------- d-----w- c:\documents and settings\NetworkService\Application Data\agi
2010-06-08 23:02 . 2009-02-06 10:05 -------- d-----w- c:\program files\Apple Software Update
2010-06-07 18:32 . 2009-12-31 10:39 61952 ----a-w- c:\windows\system32\PxSecure.dll
2010-06-07 18:32 . 2009-12-31 10:39 61624 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-06-07 18:32 . 2009-12-31 10:39 30320 ----a-w- c:\windows\system32\drivers\pxscan.sys
2010-06-07 18:32 . 2009-12-31 10:39 24400 ----a-w- c:\windows\system32\drivers\pxkbf.sys
2010-06-07 18:32 . 2009-12-31 10:39 -------- d-----w- c:\program files\Prevx
2010-06-07 18:32 . 2010-01-13 20:33 934832 ----a-w- c:\documents and settings\All Users\Application Data\PrevxCSI\~PrevxCSIUpdate.exe
2010-06-07 18:17 . 2009-01-30 02:37 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-02 01:08 . 2009-02-02 23:47 -------- d-----w- c:\documents and settings\Mel\Application Data\agi
2010-06-02 00:52 . 2009-02-02 23:49 -------- d-----w- c:\program files\Webshots
2010-06-02 00:52 . 2009-02-02 23:46 -------- d-----w- c:\program files\AGI
2010-05-23 03:47 . 2009-10-17 20:33 60 ----a-w- c:\windows\popcinfot.dat
2010-05-23 03:47 . 2009-10-17 20:33 134 ---h--w- c:\windows\popcreg.dat
2010-05-16 01:10 . 2010-05-16 01:10 -------- d-----w- c:\program files\Keepsake Countdown
2010-05-06 10:41 . 2008-10-28 22:06 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 23:41 . 2010-05-04 23:39 -------- d-----w- c:\program files\iTunes
2010-05-04 23:39 . 2010-05-04 23:39 -------- d-----w- c:\program files\iPod
2010-05-04 23:39 . 2009-02-06 10:04 -------- d-----w- c:\program files\Common Files\Apple
2010-05-04 23:27 . 2009-02-06 10:20 -------- d-----w- c:\program files\Bonjour
2010-05-04 23:26 . 2010-05-04 23:26 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-05-03 22:13 . 2009-03-29 22:56 -------- d-----w- c:\program files\Spyware Doctor
2010-05-02 05:22 . 2008-10-28 22:06 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 03:32 . 2010-04-29 03:32 -------- d-----w- c:\program files\Phoenix Technologies
2010-04-27 23:33 . 2009-05-06 14:05 -------- d-----w- c:\documents and settings\Mel\Application Data\Move Networks
2010-04-20 05:30 . 2008-10-28 22:05 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-08 17:20 . 2010-04-08 17:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 17:20 . 2010-04-08 17:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2009-11-06 23:15 . 2005-05-13 21:12 217073 --sha-r- c:\windows\meta4.exe
2005-07-14 16:31 . 2005-07-14 16:31 27648 --sha-r- c:\windows\system32\AVSredirect.dll
2005-06-26 19:32 . 2005-06-26 19:32 616448 --sha-r- c:\windows\system32\cygwin1.dll
2005-06-22 02:37 . 2005-06-22 02:37 45568 --sha-r- c:\windows\system32\cygz.dll
2006-05-03 10:06 . 2009-11-06 23:14 163328 --sh--r- c:\windows\system32\flvDX.dll
2004-01-25 04:00 . 2004-01-25 04:00 70656 --sha-r- c:\windows\system32\i420vfw.dll
2007-02-21 11:47 . 2009-11-06 23:14 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-02-04 19:26 . 2009-11-06 23:14 151040 --sh--w- c:\windows\system32\VistaUltm.dll
2005-02-28 17:16 . 2005-02-28 17:16 240128 --sha-r- c:\windows\system32\x.264.exe
2004-01-25 04:00 . 2004-01-25 04:00 70656 --sha-r- c:\windows\system32\yv12vfw.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0BC6E3FA-78EF-4886-842C-5A1258C4455A}"= "mscoree.dll" [2008-07-25 282112]

[HKEY_CLASSES_ROOT\clsid\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
[HKEY_CLASSES_ROOT\agihelper.AGUtils]
[HKEY_CLASSES_ROOT\TypeLib\{647B16D8-AD7B-4983-82D7-82A270FC9E6D}]
[HKEY_CLASSES_ROOT\agcutils.AGSearchHook]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
2008-07-25 16:16 282112 ----a-w- c:\windows\system32\mscoree.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zinio DLM"="c:\program files\Zinio\ZinioReader.exe" [2008-10-29 2699334]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-09 68856]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-05-18 2397424]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2010-04-08 3233752]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bluetooth Connection Assistant"="LBTWIZ.EXE -silent" [X]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-28 1044480]
"SUPBackGround"="c:\program files\Samsung\Samsung Update Plus\SUPBackGround.exe" [2010-04-20 300912]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"DMHotKey"="c:\program files\Samsung\Easy Display Manager\DMLoader.exe" [2006-12-27 466944]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"D-Link D-Link RangeBooster N DWA-140"="c:\program files\D-Link\D-Link RangeBooster N DWA-140\AirNCFG.exe" [2007-08-20 1671168]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-18 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-18 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-18 137752]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-01-08 451896]
"Nikon Transfer Monitor"="c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2008-12-16 479232]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"AirPort Base Station Agent"="c:\program files\AirPort\APAgent.exe" [2009-11-11 771360]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Gloss Burgundy Clock.lnk - c:\program files\Stardock\DesktopGadgets\Gloss Burgundy Clock\Gloss Burgundy Clock.exe [2009-6-27 828664]
Gloss Burgundy Weather.lnk - c:\program files\Stardock\DesktopGadgets\Gloss Burgundy Weather\Gloss Burgundy Weather.exe [2009-6-27 713728]
IconPackager.lnk - c:\program files\Stardock\Object Desktop\IconPackager\IconPackager.exe [2008-9-23 984480]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-4-1 568176]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-3-6 813584]
Webshots.lnk - c:\program files\Webshots\3.1.5.7617\Launcher.exe [2010-6-1 157088]
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2008-3-18 4742184]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"= 00000000

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 17:28 72208 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
2005-01-31 19:13 49152 ----a-w- c:\program files\Common Files\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2010-02-03 21:11 172336 ----a-w- c:\progra~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\AirPort\\APAgent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:UDP"= 5353:UDP:Bonjour
"9303:UDP"= 9303:UDP:SharePort Network USB Utility UDP Port
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"67:UDP"= 67:UDP:DHCP Discovery Service

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [12/31/2009 6:39 AM 30320]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [11/6/2009 1:00 PM 29808]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1008000.029\SymEFA.sys [2/2/2010 4:20 AM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NIS\1008000.029\BHDrvx86.sys [2/2/2010 4:20 AM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1008000.029\cchpx86.sys [2/2/2010 4:19 AM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100604.004\IDSXpx86.sys [6/8/2010 7:17 PM 331640]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [10/28/2008 10:00 PM 4300]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe [2/2/2010 4:19 AM 117640]
R2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [12/31/2009 6:39 AM 61624]
R3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [1/14/2008 11:01 PM 30208]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/27/2010 9:23 PM 102448]
R3 JakNDis;Jaksta Service;c:\windows\system32\drivers\JakNDis.sys [8/4/2008 9:34 AM 26656]
R3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [12/31/2009 6:39 AM 24400]
R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [10/28/2008 10:04 PM 238464]
S2 AGCoreService;AG Core Services;c:\program files\AGI\core\4.2.0.10753\AGCoreService.exe [6/1/2010 8:50 PM 20480]
S2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [12/31/2009 6:39 AM 6377352]
S2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [6/10/2010 1:08 AM 632792]
S2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [5/24/2009 3:07 PM 1373480]
S2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [1/29/2010 7:53 PM 1201640]
S3 ADDMEM;ADDMEM;\??\c:\docume~1\Mel\LOCALS~1\Temp\__Samsung_Update\ADDMEM.SYS --> c:\docume~1\Mel\LOCALS~1\Temp\__Samsung_Update\ADDMEM.SYS [?]
S3 DlinkUDSMBus;DlinkUDSMBus;c:\windows\system32\Drivers\DlinkUDSMBus.sys --> c:\windows\system32\Drivers\DlinkUDSMBus.sys [?]
S3 SUEPD;SUE NDIS Protocol Driver;c:\windows\system32\drivers\SUE_PD.sys [10/30/2006 6:29 PM 19840]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - JAVAQUICKSTARTERSERVICE
*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder

2010-06-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-06-11 c:\windows\Tasks\Norton Security Scan for Mel.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.7.0.52\Nss.exe [2009-12-11 04:04]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
DPF: {89242969-422B-46BF-B0D5-6A7B7DC4D0E0} - file:///C:/Documents%20and%20Settings/Mel/Desktop/NASFinder-050809/html/nafcom.cab
FF - ProfilePath - c:\documents and settings\Mel\Application Data\Mozilla\Firefox\Profiles\2gve4s6c.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-15 12:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.8.0.41\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\mchInjDrv]
"ImagePath"="\??\c:\windows\TEMP\mc21.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1800)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\Common Files\Stardock\mcpstub.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
c:\progra~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll

- - - - - - - > 'explorer.exe'(29332)
c:\windows\system32\WININET.dll
c:\windows\system32\addressbar.dll
c:\windows\system32\ieframe.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
c:\progra~1\Google\GGTASK~1.DLL
c:\progra~1\COMMON~1\Stardock\mcpcore.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Stardock\Object Desktop\IconPackager\iprepair.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-06-15 12:34:25
ComboFix-quarantined-files.txt 2010-06-15 16:34
ComboFix2.txt 2010-06-15 01:40

Pre-Run: 214,606,245,888 bytes free
Post-Run: 214,609,408,000 bytes free

- - End Of File - - 0B77EC682FA556E857BF44EE5BC00E13

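The two ComboFix logs in this thread show the kinds of entries a helper reads for: load points that now point at nothing (the SSODL and SharedTaskScheduler orphans), a service whose ImagePath sits under c:\windows\TEMP, system+hidden files under c:\windows, and catchme's hidden-file count. Below is an added example, not part of the thread and not ComboFix's own code, in Python that applies those four heuristics to log text. The sample lines are constructed for the example and modelled on the entries above; a hit is a lead to verify by hand, not an attribution to any malware family.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str     # short category name
    detail: str   # the log entry that triggered it


# "SSODL-name-{guid} - (no file)", "SharedTaskScheduler-{guid} - (no file)",
# "HKU-Default-Run-Name - (no file)": a load point whose target is already gone.
ORPHAN_RE = re.compile(
    r"^(?P<point>SSODL|SharedTaskScheduler|HK\w+-\w+-Run)-(?P<name>.+?) - \(no file\)$")
# ComboFix prints a service key and its ImagePath value as a pair of lines.
SERVICE_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\System\\[^\]]*\\Services\\(?P<svc>[^\]\\]+)\]$")
IMAGE_PATH_RE = re.compile(r'^"ImagePath"="(?P<path>.*)"$')
# "2005-06-26 19:32 . 2005-06-26 19:32 616448 --sha-r- c:\windows\system32\cygwin1.dll"
# (directory rows print "--------" instead of a size and are skipped by \d+).
FILE_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+\d+\s+"
    r"(?P<attr>[-a-z]{8})\s+(?P<path>.+)$")
HIDDEN_COUNT_RE = re.compile(r"^hidden files: (?P<n>\d+)$")


def triage(log_text: str) -> list:
    """Return one Finding per heuristic hit, in log order."""
    findings = []
    current_service = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ORPHAN_RE.match(line)
        if m:
            findings.append(Finding("orphan_load_point", f"{m['point']}: {m['name']}"))
            continue
        m = SERVICE_KEY_RE.match(line)
        if m:
            current_service = m["svc"]
            continue
        m = IMAGE_PATH_RE.match(line)
        if m and current_service:
            # A service or driver loading from a temp directory is worth a look.
            if "\\temp\\" in m["path"].lower():
                findings.append(Finding("service_in_temp", f"{current_service} -> {m['path']}"))
            current_service = None
            continue
        m = FILE_RE.match(line)
        if m:
            attr, path = m["attr"], m["path"].lower()
            # system (s) + hidden (h) attributes on a file under c:\windows
            if "s" in attr and "h" in attr and path.startswith("c:\\windows\\"):
                findings.append(Finding("hidden_system_file", m["path"]))
            continue
        m = HIDDEN_COUNT_RE.match(line)
        if m and int(m["n"]) > 0:
            findings.append(Finding("catchme_hidden_files", f"{m['n']} hidden file(s)"))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per kind, e.g. {'orphan_load_point': 4, ...}."""
    counts: dict = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample in ComboFix's own line formats, modelled on the logs above.
SAMPLE_LOG = r"""
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-Spyware Doctor - (no file)
SharedTaskScheduler-{6acaa1ad-0287-428e-b43f-f28559b224e7} - (no file)
SSODL-gusayokuz-{6acaa1ad-0287-428e-b43f-f28559b224e7} - (no file)
SSODL-suradefom-{e1ae29ac-60c1-4500-a6b8-a8ecad98e6ec} - (no file)

scan completed successfully
hidden files: 0

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Norton Internet Security]
"ImagePath"="c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe /s Norton Internet Security"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\mchInjDrv]
"ImagePath"="\??\c:\windows\TEMP\mc21.tmp"

2005-06-26 19:32 . 2005-06-26 19:32 616448 --sha-r- c:\windows\system32\cygwin1.dll
2010-05-06 10:41 . 2008-10-28 22:06 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-14 20:44 . 2010-06-14 20:44 -------- d-----w- c:\program files\Common Files\Java
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:22} {f.detail}")
```

Running it over a full ComboFix.txt works the same way; the orphan and ImagePath checks are what turn a wall of log text into the handful of lines a helper actually acts on, while the system+hidden rule deliberately over-reports (codec packs and some vendors mark files that way) and is there to prompt a hash lookup, not a deletion.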

#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:09 PM

Posted 15 June 2010 - 01:35 PM

You are very welcome.

Thanks for the detailed feedback and well done.

The error had no effect on the working of the tool and everything looks good.
  1. It is important to uninstall ComboFix.

    Go to Start => Run => copy and paste the next command in the field, then hit Enter:

    ComboFix /Uninstall

    This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

    It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through System Restore.

  2. Delete any tool or log we used from your computer.


Recommendations:
  1. I recommend using Site Advisor for safe surfing. It is a free extension both for Internet Explorer and Firefox. When you search a site it gives you an indication of how safe a site is.

  2. I recommend installing this small application for safe surfing: Javacool's SpywareBlaster
    SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings, and that will protect you from running and downloading known malicious programs.
    • Download and install it.
    • Update it manually by clicking on Updates in the left pane and then Check for Updates.
    • Then enable all the protections by clicking on Protection Status in the left pane. Then click on Enable All Protection.
    • The free version doesn't have an automatic update. Update it once every two or three weeks and enable all protection again.

********

You asked about the nature of the infection and how did you get it.

I can't say how you got it. Many users get infected when using p2p programs, a bad download, visiting a bad site, opening an email with an infected attachment, etc.

It looks like your computer was once heavily infected, but the main infection now was a TDL/TDSS rootkit infection.
These are some readings about TDL/TDSS:
Tdss rootkit silently owns the net
BackDoor.Tdss.565 and its modifications (aka TDL3)
detection of TDL3 rootkit
[Rootkit] TDL3 – “Why so serious? Let’s put a smile..”
Tidserv and MS10-015


Happy Surfing, mmilligan.

#13 mmilligan

mmilligan
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:11:09 AM

Posted 15 June 2010 - 07:23 PM

Hi Farbar and thanks - it's been a pleasure having you on my side!

Thank you also for the info. I do already have Norton's SiteAdvisor installed on both IE and Firefox. I'm sure I stupidly ventured onto an unsafe site once - and once is all it takes. Never again.

Yes, I did have a trojan of some sort about 6 months ago and Prevx took care of that.

Thanks also for the links - I will take a look at those asap.

Hope you got my donation thru Paypal - and again, THANK YOU!!

Best -

Melissa (aka mmilligan).

#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:09 PM

Posted 15 June 2010 - 07:31 PM

You are most welcome and thank you for the donation, which I indeed received. Also thanks for your kind words.

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.



