
Http Tideserv Request..in my computer?!!?


  • This topic is locked
26 replies to this topic

#1 blueprint (Members, 15 posts)

Posted 14 June 2010 - 03:33 AM

Hello, I'm new to this place. I was advised by a friend to come here to this forum for help with my problem. Just recently I've been getting frequent pop ups from my Norton anti virus that a computer threat has been blocked. I ran a full system scan with my Norton anti virus and that was able to take away a few things but I consistently still get the pop ups. The risk name is "Http Tideserv Request". I even called Norton for assistance and they even told me to run the Norton Power Eraser from their website. It showed no detected viruses. I also ran Malwarebytes and that just took off a few things but nothing too big. I really believe I have some sort of Malware or virus in my computer even though the Norton assistant suggested I didn't have any. I would truly appreciate some sort of resolution for my problem...many thanks!!!!!


DDS (Ver_10-03-17.01) - NTFSx86
Run by Luis at 21:19:59.27 on Sun 06/13/2010
Internet Explorer: 8.0.6001.18928
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1982.617 [GMT -10:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\atashost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10e.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Mail\WinMail.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Norton Internet Security\Engine\17.7.0.12\MCUI32.EXE
C:\Program Files\Norton Internet Security\Engine\17.7.0.12\MCUI32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\Luis\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn4\yt.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn4\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\17.7.0.12\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\17.7.0.12\IPSBHO.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn4\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn4\yt.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\17.7.0.12\coIEPlg.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [Aim6]
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\users\luis\appdata\roaming\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Trusted Zone: wedisk.co.kr
Trusted Zone: wedisk.net
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} - hxxps://h20364.www2.hp.com/CSMWeb/Customer/cabs/HPISDataManager.CAB
DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/VistaMSNPUplden-us.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {7513B187-5954-4C64-ABF4-E652FE899F24} - hxxp://global.wedisk.co.kr/app/WeDisk.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1107000.00c\symds.sys [2010-6-8 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1107000.00c\symefa.sys [2010-6-8 173104]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\bashdefs\20100429.001\BHDrvx86.sys [2010-4-29 537136]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1107000.00c\cchpx86.sys [2010-6-8 501888]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\ipsdefs\20100604.004\IDSvix86.sys [2010-6-8 344112]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1107000.00c\ironx86.sys [2010-6-8 116784]
R1 SymSMR100;SMR Utility Service;c:\windows\system32\drivers\SymSMR100.SYS [2010-6-13 58928]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nis\1107000.00c\symtdiv.sys [2010-6-8 339504]
R2 atashost;WebEx Service Host for Support Center;c:\windows\system32\atashost.exe [2010-2-8 20376]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\17.7.0.12\ccsvchst.exe [2010-6-8 126392]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-1-3 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-6-8 102448]
R3 R5U870FLx86;R5U870 UVC Lower Filter ;c:\windows\system32\drivers\R5U870FLx86.sys [2006-12-18 73472]
R3 R5U870FUx86;R5U870 UVC Upper Filter ;c:\windows\system32\drivers\R5U870FUx86.sys [2006-12-18 43904]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-23 21504]
S3 rcmirror;rcmirror;c:\windows\system32\drivers\rcmirror.sys [2007-12-14 5120]

=============== Created Last 30 ================

2010-06-14 07:15:27 0 ----a-w- c:\users\luis\defogger_reenable
2010-06-14 06:27:40 0 d-----w- c:\users\luis\appdata\roaming\Malwarebytes
2010-06-14 06:27:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-14 06:27:04 0 d-----w- c:\programdata\Malwarebytes
2010-06-14 06:27:03 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-14 06:27:00 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-14 05:36:09 58928 ----a-w- c:\windows\system32\drivers\SymSMR100.SYS
2010-06-14 05:36:09 0 ----a-w- c:\windows\system32\drivers\SymSMR100.dat
2010-06-11 00:19:57 2037248 ----a-w- c:\windows\system32\win32k.sys
2010-06-08 13:59:48 2048 ----a-w- c:\windows\system32\tzres.dll

==================== Find3M ====================

2010-06-13 03:44:38 41520 ----a-w- c:\programdata\nvModes.dat
2010-05-26 17:06:41 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:47:41 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-22 00:14:28 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-04 05:59:21 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 05:55:42 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-05-04 05:55:42 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-05-04 04:31:05 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-05-01 02:42:39 51200 ----a-w- c:\windows\inf\infpub.dat
2010-05-01 02:42:39 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-04-08 23:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 23:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-04-05 17:01:01 67072 ----a-w- c:\windows\system32\asycfilt.dll
2010-04-03 06:34:02 86016 ----a-w- c:\windows\inf\infstor.dat
2009-11-12 06:21:15 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-09-24 10:08:56 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-12-21 11:01:25 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\temp\cookies\index.dat
2009-12-21 11:01:25 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\temp\history\history.ie5\index.dat
2009-12-21 11:01:25 32768 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\temp\temporary internet files\content.ie5\index.dat
2010-01-22 19:46:39 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-10-30 01:40:42 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2008-03-03 21:59:00 22 --sha-w- c:\windows\sminst\HPCD.sys
2009-10-22 10:33:55 245760 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat

============= FINISH: 21:23:39.03 ===============


#2 Farbar (Security Developer, 21,708 posts, The Netherlands)

Posted 19 June 2010 - 04:22 AM

Hi blueprint,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum and apologies for the delay. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

If the issue is not resolved please update me on the current condition of your computer.

#3 blueprint (Topic Starter)

Posted 19 June 2010 - 04:52 AM

Farbar,

Thank you so much for helping me out! I was really getting worried about my computer. Unfortunately my computer still experiences the same problems with continuous pop ups from Norton that there has been an attack on my computer which has been blocked. It usually comes up when I'm on Explorer. I do agree with your previous post. Thanks again for your help =)

#4 Farbar (Security Developer, 21,708 posts, The Netherlands)

Posted 19 June 2010 - 04:57 AM

  1. Download the GMER Rootkit Scanner exe file from here and save it to your desktop.
    Run GMER, uncheck all boxes except the box next to Sections (C drive should remain checked), click Scan.
    When it has finished, press Save to save the log and post it in your reply. It will not take more than a minute.

  2. Please download MBR.EXE by GMER. Save the file in your Windows directory (C:\Windows).

    Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:

    CODE
    @ECHO OFF
    REM Remove any log left over from an earlier run
    if exist mbr.log del mbr.log
    REM Run GMER's mbr.exe (saved in C:\Windows, which is on the PATH); it writes its output to mbr.log
    mbr.exe -t
    REM Short pause (about 1.5 s) so the log is completely written before it is opened
    ping 1.1.1.1 -n 1 -w 1500 >nul
    REM Open the log in the default viewer (Notepad)
    start mbr.log

    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: look.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate look.bat on the desktop. It should look like this:
    • Right-click to run it as administrator.
    • A notepad opens, copy and paste the content (log.txt) to your reply.


#5 blueprint (Topic Starter)

Posted 19 June 2010 - 09:52 AM

Farbar,

This is what has happened so far. I was able to download the GMER program but when I tried running it, I was sent to the blue screen. I then ran my computer in safe mode and was able to effectively run the program. I then went back to normal mode where I was prompted to update my Adobe Flash Player. I did not update it. This is my sticking point right now...I sound stupid, so my apologies in advance. I tried downloading the MBR program and saving it to my (C:\WINDOWS) and I get this pop up that says:

"You don't have permission to save in this location. Contact the administrator to obtain permission. Would you like to save it in the Luis folder instead? Yes, No"

Is there a way for me to override it or obtain permission? Or do I save it in the Luis folder instead? Thanks.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-19 03:55:25
Windows 6.0.6002 Service Pack 2
Running: q871rhnh.exe; Driver: C:\Users\Luis\AppData\Local\Temp\pxldapoc.sys


---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\Windows\System32\drivers\mountmgr.sys entry point in ".rsrc" section [0x82720014]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[900] ntdll.dll!NtProtectVirtualMemory 77DB4D34 5 Bytes JMP 001E000A
.text C:\Windows\system32\svchost.exe[900] ntdll.dll!NtWriteVirtualMemory 77DB5674 5 Bytes JMP 001F000A
.text C:\Windows\system32\svchost.exe[900] ntdll.dll!KiUserExceptionDispatcher 77DB5DC8 5 Bytes JMP 001D000A
.text C:\Windows\system32\svchost.exe[900] ole32.dll!CoCreateInstance 77A19EA6 5 Bytes JMP 0089000A
.text C:\Windows\Explorer.EXE[1216] ntdll.dll!NtProtectVirtualMemory 77DB4D34 5 Bytes JMP 004A000A
.text C:\Windows\Explorer.EXE[1216] ntdll.dll!NtWriteVirtualMemory 77DB5674 5 Bytes JMP 0170000A
.text C:\Windows\Explorer.EXE[1216] ntdll.dll!KiUserExceptionDispatcher 77DB5DC8 5 Bytes JMP 0049000A

---- Files - GMER 1.0.15 ----

File C:\Windows\System32\drivers\mountmgr.sys suspicious modification

---- EOF - GMER 1.0.15 ----

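The GMER log above shows the pattern a defender looks for when a kernel-level rootkit is suspected: 5-byte JMP hooks in svchost.exe and Explorer.EXE whose targets (001E000A, 0089000A, ...) GMER cannot attribute to any loaded module, next to a "suspicious modification" of mountmgr.sys. Later in the thread the same scan is rerun to confirm the rootkit is gone, and the difference to look for is whether each inline hook still lands in unbacked memory or now resolves into a module such as IEFRAME.dll. The Python script below is an added example, not a BleepingComputer, Farbar or GMER tool: it parses the "User code sections" and "Files" lines of a GMER log, classifies each hook, and compares a before and after log. The two log texts are constructed samples modelled on the output posted in this thread, and the severity labels and the `remaining_high` comparison are heuristics of my own, not GMER's.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, modelled on the GMER "User code sections" and "Files"
# output posted in this thread (not a verbatim copy of either log).
BEFORE_LOG = r"""
---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[900] ntdll.dll!NtProtectVirtualMemory 77DB4D34 5 Bytes JMP 001E000A
.text C:\Windows\system32\svchost.exe[900] ole32.dll!CoCreateInstance 77A19EA6 5 Bytes JMP 0089000A
.text C:\Windows\Explorer.EXE[1216] ntdll.dll!NtWriteVirtualMemory 77DB5674 5 Bytes JMP 0170000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4900] USER32.dll!CreateWindowExW 76971305 5 Bytes JMP 6BEFDB1C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4984] ntdll.dll!RtlEncodeSystemPointer + 873 76DF938B 4 Bytes JMP 073B003A
.text C:\Program Files\Internet Explorer\iexplore.exe[4984] ntdll.dll!LdrLoadDll 76DF9390 5 Bytes [EB, F9, 90, 90, 90] {JMP 0xfffffffffffffffb; NOP ; NOP ; NOP }

---- Files - GMER 1.0.15 ----

File C:\Windows\System32\drivers\mountmgr.sys suspicious modification
"""

# Constructed "after cleanup" sample: only hooks that resolve into IEFRAME.dll remain.
AFTER_LOG = r"""
---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[5120] USER32.dll!CreateWindowExW 76971305 5 Bytes JMP 6BEFDB1C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5120] USER32.dll!DialogBoxParamW 769910B0 5 Bytes JMP 6BE254C5 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
"""

# One GMER user-mode hook line: .text <process>[<pid>] <module>!<function>[ + off] <addr> <n> Bytes <detail>
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<mod>[^\s!]+)!(?P<func>\S+)(?:\s+\+\s+[0-9A-Fa-f]+)?\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes\s+(?P<rest>.*)$"
)
# Detail of a JMP hook: target address, optionally followed by the module GMER resolved it to.
JMP_RE = re.compile(r"^JMP\s+(?P<target>[0-9A-Fa-f]+)(?:\s+(?P<backing>\S.*?))?\s*$")
FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+suspicious modification$")


@dataclass
class Hook:
    process: str
    pid: int
    symbol: str             # module!function that was patched
    kind: str               # "jmp" or "patch"
    target: Optional[str]   # JMP destination, if any
    backing: Optional[str]  # module GMER resolved the destination to, if any
    severity: str           # "high", "medium" or "low" (heuristic, see _classify)
    reason: str


def _classify(m: "re.Match") -> Hook:
    base = dict(process=m.group("proc"), pid=int(m.group("pid")),
                symbol=f"{m.group('mod')}!{m.group('func')}")
    j = JMP_RE.match(m.group("rest"))
    if j is None:
        # Raw byte patch (e.g. the short JMP + NOPs on LdrLoadDll): no attribution, check by hand.
        return Hook(**base, kind="patch", target=None, backing=None, severity="medium",
                    reason="inline byte patch without module attribution")
    if j.group("backing") is None:
        # GMER could not map the destination to any loaded module: code running from
        # unbacked memory is the hallmark of injected code and needs a closer look.
        return Hook(**base, kind="jmp", target=j.group("target"), backing=None, severity="high",
                    reason="JMP into memory not backed by a loaded module")
    return Hook(**base, kind="jmp", target=j.group("target"), backing=j.group("backing"),
                severity="low", reason="JMP resolves into a loaded module (typical in-process hook)")


def parse_gmer(text: str) -> Tuple[List[Hook], List[str]]:
    """Return (user-mode hooks, files flagged 'suspicious modification') from a GMER log."""
    hooks, files = [], []
    for line in text.splitlines():
        line = line.strip()
        m = HOOK_RE.match(line)
        if m:
            hooks.append(_classify(m))
            continue
        f = FILE_RE.match(line)
        if f:
            files.append(f.group("path"))
    return hooks, files


def triage(text: str) -> dict:
    """Summarise one log: hook counts by severity, processes carrying unbacked hooks, flagged files."""
    hooks, files = parse_gmer(text)
    counts = {s: sum(1 for h in hooks if h.severity == s) for s in ("high", "medium", "low")}
    injected = sorted({f"{h.process}[{h.pid}]" for h in hooks if h.severity == "high"})
    return {"hooks": len(hooks), **counts, "injected_processes": injected, "suspicious_files": files}


def remaining_high(before: str, after: str) -> List[str]:
    """Unbacked hooks present in both logs, keyed on process path and symbol (PIDs change across reboots)."""
    def keys(text):
        return {f"{h.process} {h.symbol}" for h in parse_gmer(text)[0] if h.severity == "high"}
    return sorted(keys(before) & keys(after))


if __name__ == "__main__":
    for name, log in (("before", BEFORE_LOG), ("after", AFTER_LOG)):
        print(name, triage(log))
    print("still hooked:", remaining_high(BEFORE_LOG, AFTER_LOG))
```

On the constructed samples the "before" log yields four high-severity hooks across svchost.exe, Explorer.EXE and one iexplore.exe instance plus the flagged mountmgr.sys, while the "after" log has only low-severity hooks into IEFRAME.dll and nothing in common with the first, which is what a clean rescan should look like. A JMP that resolves into a signed module is not proof of legitimacy, and an unbacked one is not proof of infection, so the labels rank what to examine first rather than replace a manual review of the log.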

#6 Farbar (Security Developer, 21,708 posts, The Netherlands)

Posted 19 June 2010 - 10:07 AM

Well done and thanks for the detailed feedback.

No need for the other log.

Download http://download.bleepingcomputer.com/farbar/TDLfix.exe and save it to your desktop.
  • Disable real-time protection of your security software and make sure it will not run at startup after reboot. They may otherwise interfere with the tool. (Information on A/V control HERE)
  • Close all the open windows.
  • Right-click TDLfix.exe and run the tool as administrator, a command window opens.
  • Type (or copy the following and right-click to paste) in the command window and press Enter:

    mountmgr

  • The application shall restart the computer immediately and run after the restart.
  • Tell me if the computer rebooted and the tool ran to completion.


#7 blueprint (Topic Starter)

Posted 19 June 2010 - 10:29 AM

Farbar,

I downloaded the program and it restarted my computer. However, my computer took a while to load back up. I don't know if this is normal or not. But when I was able to see my desktop, the program had the following in its blue box: "This window will close shortly", then underneath it said "Access denied" multiple times. Then the small blue window disappeared. Was the program supposed to do that?

#8 Farbar (Security Developer, 21,708 posts, The Netherlands)

Posted 19 June 2010 - 10:39 AM

Those access denied messages are unusual.

Are you logging in to Windows with an account with administrator privileges?
Did you run the tool as administrator?
Did you disable Norton so that it does not run at start up?

Reboot your computer once.
Please download mbr.exe from the link given in previous post. This time save it in the same place as TDLFix.exe.
Run TDLFix.exe as administrator, type mbr and press Enter. Post the log please.

#9 blueprint (Topic Starter)

Posted 19 June 2010 - 11:08 AM

Farbar,

1. I honestly don't know if I'm running an account with special privileges. How do I find that out?
2. Yes, I did run the tool as administrator. I right-clicked the icon and clicked on run as administrator, then I typed the code key in the blue box that pops up.
3. Yes, I did disable Norton. I disabled the anti virus auto protect and set it to enable after 5 hrs, and I disabled the smart firewall and set it to enable after 5 hours.

I rebooted my computer as instructed and when I reached my desktop screen the TDLfix blue box came on again and did the "This window will close shortly", then access denied.
I downloaded the MBR program and saved it on my desktop exactly where the TDLfix program is saved. I once again right-clicked the TDLfix program and clicked on run as administrator. I then typed "mbr" in the blue box and then I got a rectangular box that says "Windows cannot find "mbr.log" Make sure you type the name correctly and then try again."

I'm so sorry if this is making your job harder =(

#10 Farbar (Security Developer, 21,708 posts, The Netherlands)

Posted 19 June 2010 - 11:17 AM

Thanks for the feedback blueprint, no need to apologize. You have done well. Can you run GMER again with the same settings? It will give us the log we need to confirm if the rootkit is gone.

#11 blueprint (Topic Starter)

Posted 19 June 2010 - 11:22 AM

Farbar,

I ran GMER; here is the log. I hope you can confirm that it's gone.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-19 06:20:41
Windows 6.0.6002 Service Pack 2
Running: q871rhnh.exe; Driver: C:\Users\Luis\AppData\Local\Temp\pxldapoc.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 13D 820B48A0 4 Bytes [E0, 18, C3, 86]
.text ntkrnlpa.exe!KeSetEvent + 37D 820B4AE0 4 Bytes [50, 11, C3, 86]
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8C406340, 0x3FA057, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[4900] USER32.dll!CreateWindowExW 76971305 5 Bytes JMP 6BEFDB1C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4900] USER32.dll!DialogBoxParamW 769910B0 5 Bytes JMP 6BE254C5 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4900] USER32.dll!DialogBoxIndirectParamW 76992EF5 5 Bytes JMP 6BFF480F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4900] USER32.dll!DialogBoxParamA 769A8152 5 Bytes JMP 6BFF47AC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4900] USER32.dll!DialogBoxIndirectParamA 769A847D 5 Bytes JMP 6BFF4872 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4900] USER32.dll!MessageBoxIndirectA 769BD4D9 5 Bytes JMP 6BFF4741 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4900] USER32.dll!MessageBoxIndirectW 769BD5D3 5 Bytes JMP 6BFF46D6 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4900] USER32.dll!MessageBoxExA 769BD639 5 Bytes JMP 6BFF4674 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4900] USER32.dll!MessageBoxExW 769BD65D 5 Bytes JMP 6BFF4612 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4984] ntdll.dll!RtlEncodeSystemPointer + 873 76DF938B 4 Bytes JMP 073B003A
.text C:\Program Files\Internet Explorer\iexplore.exe[4984] ntdll.dll!LdrLoadDll 76DF9390 5 Bytes [EB, F9, 90, 90, 90] {JMP 0xfffffffffffffffb; NOP ; NOP ; NOP }
.text C:\Program Files\Internet Explorer\iexplore.exe[4984] USER32.dll!CreateDialogParamW 769672A2 5 Bytes JMP 6BEFDEA8 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4984] USER32.dll!GetAsyncKeyState 7696863C 5 Bytes JMP 6BE18EFF C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4984] USER32.dll!SetWindowsHookExW 769687AD 5 Bytes JMP 6BEF9AC9 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4984] USER32.dll!CallNextHookEx 76968E3B 5 Bytes JMP 6BEED0ED C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4984] USER32.dll!UnhookWindowsHookEx 769698DB 5 Bytes JMP 6BE6467C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4984] USER32.dll!EnableWindow 7696CD8B 5 Bytes JMP 6BEFDD35 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4984] USER32.dll!CreateWindowExW 76971305 5 Bytes JMP 6BEFDB1C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4984] USER32.dll!GetKeyState 76978CB1 5 Bytes JMP 6BEFD2E3 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4984] USER32.dll!IsDialogMessageW 76980745 5 Bytes JMP 6BE259D7 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4984] USER32.dll!CreateDialogParamA 769817AA 5 Bytes JMP 6BFF547B C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4984] USER32.dll!IsDialogMessage 76981847 5 Bytes JMP 6BFF4D17 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4984] USER32.dll!CreateDialogIndirectParamA 769826F1 5 Bytes JMP 6BFF54B2 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4984] USER32.dll!CreateDialogIndirectParamW 76989A62 5 Bytes JMP 6BFF54E9 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4984] USER32.dll!SetKeyboardState 76990987 5 Bytes JMP 6BFF5086 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4984] USER32.dll!DialogBoxParamW 769910B0 5 Bytes JMP 6BE254C5 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4984] USER32.dll!DialogBoxIndirectParamW 76992EF5 5 Bytes JMP 6BFF480F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4984] USER32.dll!SendInput 76992F75 5 Bytes JMP 6BFF5C43 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4984] USER32.dll!EndDialog 7699326E 5 Bytes JMP 6BE27E7E C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4984] USER32.dll!SetCursorPos 769A6FB2 5 Bytes JMP 6BFF5C97 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4984] USER32.dll!DialogBoxParamA 769A8152 5 Bytes JMP 6BFF47AC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4984] USER32.dll!DialogBoxIndirectParamA 769A847D 5 Bytes JMP 6BFF4872 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4984] USER32.dll!MessageBoxIndirectA 769BD4D9 5 Bytes JMP 6BFF4741 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4984] USER32.dll!MessageBoxIndirectW 769BD5D3 5 Bytes JMP 6BFF46D6 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4984] USER32.dll!MessageBoxExA 769BD639 5 Bytes JMP 6BFF4674 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4984] USER32.dll!MessageBoxExW 769BD65D 5 Bytes JMP 6BFF4612 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4984] USER32.dll!keybd_event 769BD972 5 Bytes JMP 6BFF5FC7 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4984] SHELL32.dll!SHRestricted + D95 75D28988 4 Bytes [4D, 30, 53, 6A] {DEC EBP; XOR [EBX+0x6a], DL}
.text C:\Program Files\Internet Explorer\iexplore.exe[4984] SHELL32.dll!SHRestricted + D9D 75D28990 8 Bytes [57, 2F, 53, 6A, 9C, 5B, 52, ...]
.text C:\Program Files\Internet Explorer\iexplore.exe[4984] ole32.dll!OleLoadFromStream 75811E12 5 Bytes JMP 6BFF4B77 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4984] ole32.dll!CoGetTreatAsClass + D2F 7582FAB7 7 Bytes JMP 073B01A9
.text C:\Program Files\Internet Explorer\iexplore.exe[4984] ole32.dll!CoCreateInstance 75849EA6 5 Bytes JMP 6BEFDB78 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4984] ole32.dll!CoCreateInstance + 3E 75849EE4 7 Bytes JMP 073B00F3

---- EOF - GMER 1.0.15 ----
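The GMER user-mode hook lines in the log above follow a fixed layout, and the first thing a reviewer checks is whether each JMP destination is attributed to a module on disk. The Python below is an added example, not part of the original post and not GMER's own code: it parses lines in that layout (the sample lines are copied from the log above) and returns the hooks whose target GMER printed with no module path, counting the rest per destination module. A missing attribution is only a prompt to look closer, not a verdict: the IEFRAME.dll hooks on USER32 and ole32 are Internet Explorer's own, and a target in memory that no module claims may belong to any injected component, benign or not. The regex, the function names and the `<unattributed>` label are my own.

```python
import re
from typing import Dict, List, Optional

# Sample input: lines copied from the GMER log above (user-mode .text hooks inside iexplore.exe).
SAMPLE_LINES = [
    r".text C:\Program Files\Internet Explorer\iexplore.exe[4984] USER32.dll!CallNextHookEx 76968E3B 5 Bytes JMP 6BEED0ED C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)",
    r".text C:\Program Files\Internet Explorer\iexplore.exe[4984] SHELL32.dll!SHRestricted + D95 75D28988 4 Bytes [4D, 30, 53, 6A] {DEC EBP; XOR [EBX+0x6a], DL}",
    r".text C:\Program Files\Internet Explorer\iexplore.exe[4984] ole32.dll!CoGetTreatAsClass + D2F 7582FAB7 7 Bytes JMP 073B01A9",
    r".text C:\Program Files\Internet Explorer\iexplore.exe[4984] ole32.dll!CoCreateInstance 75849EA6 5 Bytes JMP 6BEFDB78 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)",
    r".text C:\Program Files\Internet Explorer\iexplore.exe[4984] ole32.dll!CoCreateInstance + 3E 75849EE4 7 Bytes JMP 073B00F3",
]

# Layout of a GMER JMP hook line (this regex is my own, written from the lines above):
#   .text <process>[<pid>] <module>!<export>[ + <offset>] <address> <n> Bytes JMP <target>[ <dest module> (<description>)]
HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<function>\S+)(?:\s+\+\s+(?P<offset>[0-9A-Fa-f]+))?\s+"
    r"(?P<address>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)"
    r"(?:\s+(?P<dest_module>.+?)\s+\((?P<dest_desc>[^)]*)\))?\s*$"
)

UNATTRIBUTED = "<unattributed>"


def parse_hook(line: str) -> Optional[dict]:
    """Parse one GMER JMP hook line; returns None for lines that are not JMP hooks
    (for example the inline byte-patch lines that show '[4D, 30, ...]' instead of JMP)."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    hook = m.groupdict()
    hook["pid"] = int(hook["pid"])
    hook["size"] = int(hook["size"])
    return hook


def unattributed_hooks(lines: List[str]) -> List[dict]:
    """Hooks whose JMP target GMER printed without a module path: the ones to review first."""
    return [h for h in map(parse_hook, lines) if h is not None and h["dest_module"] is None]


def hooks_by_destination(lines: List[str]) -> Dict[str, int]:
    """Count JMP hooks per destination module so a reviewer sees at a glance which
    modules are doing the hooking; unattributed targets are counted under one label."""
    counts: Dict[str, int] = {}
    for h in map(parse_hook, lines):
        if h is None:
            continue
        dest = h["dest_module"] or UNATTRIBUTED
        counts[dest] = counts.get(dest, 0) + 1
    return counts


if __name__ == "__main__":
    for h in unattributed_hooks(SAMPLE_LINES):
        print(f"{h['module']}!{h['function']} -> {h['target']} (no module attribution, review)")
    print(hooks_by_destination(SAMPLE_LINES))
```

Run on the five sample lines it flags the two ole32 hooks that jump to 073B01A9 and 073B00F3 and reports two hooks attributed to IEFRAME.dll; the SHRestricted byte patches are skipped because they are not JMP hooks.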




#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,708 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:55 AM

Posted 19 June 2010 - 12:00 PM

The rootkit is taken care of.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

#13 blueprint

blueprint
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:05:55 PM

Posted 19 June 2010 - 01:18 PM

Farbar,

Here is the log. I was wondering what is the purpose of a combofix?

ComboFix 10-06-18.03 - Luis 06/19/2010 7:39.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1982.1170 [GMT -10:00]
Running from: c:\users\Luis\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\%appdata%
c:\windows\xpsp1hfm.log

.
((((((((((((((((((((((((( Files Created from 2010-05-19 to 2010-06-19 )))))))))))))))))))))))))))))))
.

2010-06-19 17:54 . 2010-06-19 17:54 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-19 15:22 . 2010-06-19 15:22 -------- d-----w- C:\vir
2010-06-19 15:17 . 2010-06-19 15:17 5988 ----a-w- C:\finibleep.bat
2010-06-19 15:17 . 2010-06-19 15:17 1452 ----a-w- C:\mountmgr.reg
2010-06-19 15:17 . 2010-06-19 15:17 -------- d-----w- C:\backup
2010-06-19 15:17 . 2010-06-19 12:12 57400 ----a-w- c:\windows\system32\drivers\tmpmountmgr.sys
2010-06-14 06:27 . 2010-06-14 06:27 -------- d-----w- c:\users\Luis\AppData\Roaming\Malwarebytes
2010-06-14 06:27 . 2010-04-30 01:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-14 06:27 . 2010-06-14 06:27 -------- d-----w- c:\programdata\Malwarebytes
2010-06-14 06:27 . 2010-04-30 01:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-14 06:27 . 2010-06-14 06:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-14 05:35 . 2010-06-14 05:55 -------- d-----w- c:\users\Luis\AppData\Local\NPE
2010-06-14 03:21 . 2010-06-17 11:14 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\CrashDumps
2010-06-13 07:22 . 2010-06-13 07:22 -------- d-----w- c:\windows\Sun
2010-06-11 00:19 . 2010-05-01 14:13 2037248 ----a-w- c:\windows\system32\win32k.sys
2010-06-08 13:59 . 2010-04-23 14:13 2048 ----a-w- c:\windows\system32\tzres.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-19 17:54 . 2007-08-17 13:36 12 ----a-w- c:\windows\bthservsdp.dat
2010-06-19 17:06 . 2009-02-09 22:57 41520 ----a-w- c:\programdata\nvModes.dat
2010-06-19 12:12 . 2008-09-24 09:14 57400 ----a-w- c:\windows\system32\drivers\mountmgr.sys
2010-06-14 05:36 . 2009-10-28 05:38 -------- d-----w- c:\programdata\Norton
2010-06-14 05:14 . 2007-04-20 07:35 -------- d-----w- c:\programdata\Symantec
2010-06-14 05:14 . 2007-04-20 07:34 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-06-12 01:29 . 2007-04-20 07:48 -------- d-----w- c:\programdata\Microsoft Help
2010-06-11 02:46 . 2009-02-09 22:38 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-11 02:44 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-06-11 02:27 . 2009-01-17 04:10 -------- d-----w- c:\users\Luis\AppData\Roaming\Skype
2010-06-11 02:05 . 2009-01-17 04:13 -------- d-----w- c:\users\Luis\AppData\Roaming\skypePM
2010-05-26 17:06 . 2010-06-11 00:20 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:47 . 2010-06-11 00:20 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-22 00:14 . 2009-10-02 19:59 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-11 01:24 . 2009-10-08 07:24 -------- d-----w- c:\users\Luis\AppData\Roaming\BitTorrent
2010-05-04 05:59 . 2010-06-11 00:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 05:55 . 2010-06-11 00:20 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-05-04 05:55 . 2010-06-11 00:20 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-05-04 04:31 . 2010-06-11 00:20 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-05-01 02:50 . 2010-05-01 02:48 -------- d-----w- c:\program files\iTunes
2010-05-01 02:48 . 2010-05-01 02:48 -------- d-----w- c:\program files\iPod
2010-05-01 02:48 . 2008-11-02 04:09 -------- d-----w- c:\program files\Common Files\Apple
2010-05-01 02:41 . 2010-05-01 02:41 -------- d-----w- c:\program files\Bonjour
2010-04-08 23:20 . 2010-04-08 23:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 23:20 . 2010-04-08 23:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-04-05 17:01 . 2010-06-11 00:20 67072 ----a-w- c:\windows\system32\asycfilt.dll
2010-03-27 20:00 . 2010-03-27 20:01 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2008-03-03 21:59 . 2008-03-03 21:59 22 --sha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-07-11 03:28 1174920 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-07-11 1174920]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-07-11 1174920]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-13 827392]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-02-13 159744]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-10-04 480560]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-04 13556256]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-04 92704]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2009-04-08 642856]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2009-04-08 467240]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-03-11 648536]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-29 142120]
"temp0"="C:\finibleep.bat" [2010-06-19 5988]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-08 44128]

c:\users\Luis\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-12-20 719664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(8):31,ed,15,a5,75,3a,ca,01

R3 rcmirror;rcmirror;c:\windows\system32\DRIVERS\rcmirror.sys [2007-12-14 5120]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1107000.00C\SYMDS.SYS [2009-08-30 328752]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1107000.00C\SYMEFA.SYS [2010-04-22 173104]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100522.001\BHDrvx86.sys [2010-05-22 691248]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1107000.00C\ccHPx86.sys [2010-02-26 501888]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100604.004\IDSvix86.sys [2010-05-28 344112]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1107000.00C\Ironx86.SYS [2010-04-29 116784]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\Drivers\NIS\1107000.00C\SYMTDIV.SYS [2010-05-06 339504]
S2 atashost;WebEx Service Host for Support Center;c:\windows\system32\atashost.exe [2009-03-06 20376]
S2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe [2010-02-26 126392]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-06-08 102448]
S3 R5U870FLx86;R5U870 UVC Lower Filter ;c:\windows\system32\Drivers\R5U870FLx86.sys [2006-12-18 73472]
S3 R5U870FUx86;R5U870 UVC Upper Filter ;c:\windows\system32\Drivers\R5U870FUx86.sys [2006-12-18 43904]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 11:32 128512 ----a-w- c:\windows\System32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-06-08 c:\windows\Tasks\HPCeeScheduleForLuis.job
- c:\program files\Hewlett-Packard\SDP\Ceement\HPCEE.exe [2007-04-20 21:23]

2010-06-15 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Luis.job
- c:\program files\Norton Internet Security\Engine\17.7.0.12\navw32.exe [2010-06-08 05:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: wedisk.co.kr
Trusted Zone: wedisk.net
DPF: {7513B187-5954-4C64-ABF4-E652FE899F24} - hxxp://global.wedisk.co.kr/app/WeDisk.cab
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-19 07:59
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.7.0.12\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(5024)
c:\program files\Pure Networks\Network Magic\nmrsrc.dll
c:\windows\system32\nvcpl.dll
c:\windows\system32\nvapi.dll
c:\windows\system32\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\program files\HP\QuickPlay\Kernel\TV\CLSched.exe
c:\windows\system32\DllHost.exe
c:\windows\System32\rundll32.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
c:\program files\WIDCOMM\Bluetooth Software\BtStackServer.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-06-19 08:14:05 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-19 18:14

Pre-Run: 52,189,597,696 bytes free
Post-Run: 53,011,345,408 bytes free

- - End Of File - - 3B73DF8105D6D196E8B383115CB64B50




#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,708 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:55 AM

Posted 19 June 2010 - 01:56 PM

Well done.

QUOTE
I was wondering what is the purpose of a combofix?

Remind me to answer this question at the end.

You don't need to attach the log when you copy and paste it.


Open notepad and copy/paste the text in the code box below into it:

CODE
http://www.bleepingcomputer.com/forums/t/324270/http-tideserv-requestin-my-computer/

Collect::[66]
C:\finibleep.bat
Folder::
C:\vir

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:0
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:0
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:0
RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]


Save this as CFScript.txt





Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Please copy and paste that log in your next reply.

**Important Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
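The Registry:: part of the script above does one specific thing: the earlier ComboFix log showed "DisableMonitoring"=dword:00000001 under the Security Center Monitoring keys, including the SymantecAntiVirus and SymantecFirewall subkeys, which turns off Security Center's monitoring of those products, and the script sets each back to 0. As an added example (my code, not Farbar's and not part of ComboFix), the Python below reads a log in the layout of the "Reg Loading Points" section, picks out the Monitoring keys whose DisableMonitoring is non-zero, and emits the matching Registry:: block in CFScript syntax. The sample log is a constructed excerpt in that layout, with one extra key already at 0 and the Svc entry included to show that both are left alone. The other directives in the script (Collect::, Folder::, RegLock::) are not generated here.

```python
import re
from typing import List

# Constructed excerpt in the layout of the ComboFix "Reg Loading Points" section above.
# The three Monitoring keys mirror what the log showed; the SomeOtherVendor key and the
# Svc key are decoys that must not be touched.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SomeOtherVendor]
"DisableMonitoring"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(8):31,ed,15,a5,75,3a,ca,01
"""

# A key header line "[HKEY_...]" and a REG_DWORD value line '"name"=dword:hex', as ComboFix prints them.
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<value>[0-9a-fA-F]{1,8})$')

# Substring that identifies the Security Center monitoring keys (compared case-insensitively).
MONITORING_MARKER = r"security center\monitoring"


def find_disabled_monitoring(log_text: str) -> List[str]:
    """Return the Security Center Monitoring keys whose DisableMonitoring value is non-zero,
    in the order they appear in the log."""
    hits: List[str] = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            current_key = km.group("key")   # every following value line belongs to this key
            continue
        vm = DWORD_RE.match(line)
        if not (vm and current_key):
            continue
        if (vm.group("name").lower() == "disablemonitoring"
                and MONITORING_MARKER in current_key.lower()
                and int(vm.group("value"), 16) != 0):
            hits.append(current_key)
    return hits


def build_registry_section(keys: List[str]) -> str:
    """Emit the Registry:: block of a CFScript that sets DisableMonitoring back to 0
    for each key, in the same form as the script above; empty input yields an empty string."""
    if not keys:
        return ""
    out = ["Registry::"]
    for key in keys:
        out.append(f"[{key}]")
        out.append('"DisableMonitoring"=dword:0')
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_registry_section(find_disabled_monitoring(SAMPLE_LOG)), end="")
```

On the sample log this prints the same three-key Registry:: block that appears in the script above; a log with no non-zero DisableMonitoring values produces no block at all, so nothing is reset that was not actually disabled.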

#15 blueprint

blueprint
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:05:55 PM

Posted 19 June 2010 - 10:27 PM

Farbar,

Here is the updated log with the CFScript.




ComboFix 10-06-18.03 - Luis 06/19/2010 16:53:43.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1982.667 [GMT -10:00]
Running from: c:\users\Luis\Desktop\ComboFix.exe
Command switches used :: c:\users\Luis\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\vir

.
((((((((((((((((((((((((( Files Created from 2010-05-20 to 2010-06-20 )))))))))))))))))))))))))))))))
.

2010-06-20 03:08 . 2010-06-20 03:08 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2010-06-20 03:08 . 2010-06-20 03:08 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-06-20 03:08 . 2010-06-20 03:08 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-19 15:17 . 2010-06-19 15:17 5988 ----a-w- C:\finibleep.bat
2010-06-19 15:17 . 2010-06-19 15:17 1452 ----a-w- C:\mountmgr.reg
2010-06-19 15:17 . 2010-06-19 15:17 -------- d-----w- C:\backup
2010-06-19 15:17 . 2010-06-19 12:12 57400 ----a-w- c:\windows\system32\drivers\tmpmountmgr.sys
2010-06-14 06:27 . 2010-06-14 06:27 -------- d-----w- c:\users\Luis\AppData\Roaming\Malwarebytes
2010-06-14 06:27 . 2010-04-30 01:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-14 06:27 . 2010-06-14 06:27 -------- d-----w- c:\programdata\Malwarebytes
2010-06-14 06:27 . 2010-04-30 01:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-14 06:27 . 2010-06-14 06:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-14 05:35 . 2010-06-14 05:55 -------- d-----w- c:\users\Luis\AppData\Local\NPE
2010-06-14 03:21 . 2010-06-17 11:14 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\CrashDumps
2010-06-13 07:22 . 2010-06-13 07:22 -------- d-----w- c:\windows\Sun
2010-06-11 00:19 . 2010-05-01 14:13 2037248 ----a-w- c:\windows\system32\win32k.sys
2010-06-08 13:59 . 2010-04-23 14:13 2048 ----a-w- c:\windows\system32\tzres.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-19 17:54 . 2007-08-17 13:36 12 ----a-w- c:\windows\bthservsdp.dat
2010-06-19 17:06 . 2009-02-09 22:57 41520 ----a-w- c:\programdata\nvModes.dat
2010-06-19 12:12 . 2008-09-24 09:14 57400 ----a-w- c:\windows\system32\drivers\mountmgr.sys
2010-06-14 05:36 . 2009-10-28 05:38 -------- d-----w- c:\programdata\Norton
2010-06-14 05:14 . 2007-04-20 07:35 -------- d-----w- c:\programdata\Symantec
2010-06-14 05:14 . 2007-04-20 07:34 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-06-12 01:29 . 2007-04-20 07:48 -------- d-----w- c:\programdata\Microsoft Help
2010-06-11 02:46 . 2009-02-09 22:38 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-11 02:44 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-06-11 02:27 . 2009-01-17 04:10 -------- d-----w- c:\users\Luis\AppData\Roaming\Skype
2010-06-11 02:05 . 2009-01-17 04:13 -------- d-----w- c:\users\Luis\AppData\Roaming\skypePM
2010-05-27 00:24 . 2010-04-22 07:44 18488 ----a-w- c:\windows\Help\OEM\scripts\HPHC_BUY_BATTERY.exe
2010-05-26 17:06 . 2010-06-11 00:20 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:47 . 2010-06-11 00:20 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-22 00:14 . 2009-10-02 19:59 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-11 01:24 . 2009-10-08 07:24 -------- d-----w- c:\users\Luis\AppData\Roaming\BitTorrent
2010-05-04 05:59 . 2010-06-11 00:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 05:55 . 2010-06-11 00:20 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-05-04 05:55 . 2010-06-11 00:20 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-05-04 04:31 . 2010-06-11 00:20 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-05-01 02:50 . 2010-05-01 02:48 -------- d-----w- c:\program files\iTunes
2010-05-01 02:48 . 2010-05-01 02:48 -------- d-----w- c:\program files\iPod
2010-05-01 02:48 . 2008-11-02 04:09 -------- d-----w- c:\program files\Common Files\Apple
2010-05-01 02:41 . 2010-05-01 02:41 -------- d-----w- c:\program files\Bonjour
2010-05-01 02:39 . 2010-05-01 02:39 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-04-16 03:49 . 2010-03-04 05:56 1335048 ----a-w- c:\windows\Help\OEM\scripts\SamsungHDDFW1HC.exe
2010-04-09 01:48 . 2010-04-02 01:38 17160 ----a-w- c:\windows\Help\OEM\scripts\HPHCDisableObject.exe
2010-04-08 23:20 . 2010-04-08 23:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 23:20 . 2010-04-08 23:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-04-07 02:52 . 2010-04-22 07:44 18184 ----a-w- c:\windows\Help\OEM\scripts\HC_Launch.exe
2010-04-05 17:01 . 2010-06-11 00:20 67072 ----a-w- c:\windows\system32\asycfilt.dll
2010-03-27 20:00 . 2010-03-27 20:01 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2008-03-03 21:59 . 2008-03-03 21:59 22 --sha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-07-11 03:28 1174920 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-07-11 1174920]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-07-11 1174920]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-13 827392]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-02-13 159744]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-10-04 480560]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-04 13556256]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-04 92704]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2009-04-08 642856]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2009-04-08 467240]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-03-11 648536]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-29 142120]
"temp0"="C:\finibleep.bat" [2010-06-19 5988]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-08 44128]

c:\users\Luis\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-12-20 719664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(8):31,ed,15,a5,75,3a,ca,01

R3 rcmirror;rcmirror;c:\windows\system32\DRIVERS\rcmirror.sys [2007-12-14 5120]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1107000.00C\SYMDS.SYS [2009-08-30 328752]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1107000.00C\SYMEFA.SYS [2010-04-22 173104]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100522.001\BHDrvx86.sys [2010-05-22 691248]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1107000.00C\ccHPx86.sys [2010-02-26 501888]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100604.004\IDSvix86.sys [2010-05-28 344112]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1107000.00C\Ironx86.SYS [2010-04-29 116784]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\Drivers\NIS\1107000.00C\SYMTDIV.SYS [2010-05-06 339504]
S2 atashost;WebEx Service Host for Support Center;c:\windows\system32\atashost.exe [2009-03-06 20376]
S2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe [2010-02-26 126392]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-06-08 102448]
S3 R5U870FLx86;R5U870 UVC Lower Filter ;c:\windows\system32\Drivers\R5U870FLx86.sys [2006-12-18 73472]
S3 R5U870FUx86;R5U870 UVC Upper Filter ;c:\windows\system32\Drivers\R5U870FUx86.sys [2006-12-18 43904]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 11:32 128512 ----a-w- c:\windows\System32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-06-08 c:\windows\Tasks\HPCeeScheduleForLuis.job
- c:\program files\Hewlett-Packard\SDP\Ceement\HPCEE.exe [2007-04-20 21:23]

2010-06-15 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Luis.job
- c:\program files\Norton Internet Security\Engine\17.7.0.12\navw32.exe [2010-06-08 05:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: wedisk.co.kr
Trusted Zone: wedisk.net
DPF: {7513B187-5954-4C64-ABF4-E652FE899F24} - hxxp://global.wedisk.co.kr/app/WeDisk.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-19 17:08
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.7.0.12\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(1336)
c:\program files\Pure Networks\Network Magic\nmrsrc.dll
.
Completion time: 2010-06-19 17:19:20
ComboFix-quarantined-files.txt 2010-06-20 03:19
ComboFix2.txt 2010-06-19 18:14

Pre-Run: 52,846,419,968 bytes free
Post-Run: 53,477,543,936 bytes free

- - End Of File - - B3ED62D57B518F2311F83C8FC73639A4




