
Norton Intrusion Attempt Was Blocked


  • This topic is locked
14 replies to this topic

#1 kray931

kray931

  • Members
  • 8 posts
  • OFFLINE
  • Local time:08:28 AM

Posted 22 June 2010 - 05:49 PM

My Norton360 program is frequently detecting and blocking intrusion attempts on my computer.

Below is a sample of one of the attacks recorded by my Norton Internet Security Alert Summary:

Severity: High

Activity: An intrusion attempt by 91.212.226.67 was blocked. Application path \DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SVCHOST.EXE

Status: Blocked

Recommended Action: No Action Required
----------------------------------------------------
Under the Advanced Details heading we have:

Risk Name: HTTPS Tidserv Request 2

Severity: High

Attacking Computer: 91.212.226.67, 443

Destination Address: DELL2 (192.168.1.168, 1076)

Source Address: 91.212.226.67

Traffic Description: TCP, https

----------------------------------------------------

AV Security Suite was taking over everything yesterday, so I ran Malwarebytes to remove it. It came back later that day though. I removed it again with Malwarebytes and tried to run Windows Update. Whatever is on my computer is preventing me from updating Windows. If I try through IE Tools/Windows Update, I get an "IE cannot display the page" error, even though I can access other websites. If I try to access it through the Microsoft Update website, I get "The website has encountered a problem and cannot display the page you are trying to view".

Windows Security Center is constantly displaying a balloon that says "Your computer might be at risk. Norton 360 might be out of date". This error will not go away even after I run LiveUpdate in Norton.

As of right now, I get clean scans from Malwarebytes, Norton, and Windows Malicious Software Removal Tool, but something is obviously still infected.

----------------------------------------------------

I was not able to run GMER as it kept causing my computer to lock-up and the last time it went to blue screen (I was not able to write down the file name that caused the problem when it went to blue screen as the computer automatically restarted after about 30 seconds).

DDS scan is below:

----------------------------------------------------


DDS (Ver_10-03-17.01) - NTFSx86
Run by kevin ray at 15:42:32.68 on Tue 06/22/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1113 [GMT -5:00]

AV: Norton 360 *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Norton 360\AddOns\Norton AddOn Pack\Engine\3.8.0.5\ccProxy.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\kevin ray\Desktop\Malware\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3061204
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\3.8.0.41\IPSBHO.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Nero Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll
TB: Nero Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {4E7BD74F-2B8D-469E-9EB4-FE6FA694B13E} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
EB: MasterCook Bar: {c92041c1-6d22-4069-ba0e-66246aa752b0} - c:\windows\system32\shdocvw.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [CAHeadless] d:\program files\adobe\elements organizer 8.0\caheadless\ElementsAutoAnalyzer.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE -Update -1100465 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; GTB6.4; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; Media Center PC 3.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; WinTSI 26.10.2009; AskTB5.5)" -"http://www.cartoonnetwork.com/games/teentitans/battleblitz/index.html"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [USBToolTip] c:\progra~1\pinnacle\shared~1\programs\usbtip\USBTip.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
IE: MasterCook: Select Image - c:\program files\mastercook 9\web\MCIEContext.hta
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {E6EF5071-7647-4E85-9785-87B6CF5CB561} - {C92041C1-6D22-4069-BA0E-66246AA752B0} - c:\windows\system32\shdocvw.dll
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.7.1/GarminAxControl.CAB
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} - hxxps://sigmarus.sial.com/,DanaInfo=stlln06.sial.com,CT=java+iNotes6W.cab
DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} - hxxp://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1277171368671
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://appliedbiosystems.webex.com/client/v_mywebex-t20/event/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://sigmarus.sial.com/dana-cached/setup/JuniperSetupSP1.cab
Filter: text/html - {d460982b-b0d1-4a74-9ca8-b72ba7caa8a8} -
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\3.8.0.41\CoIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WpqnwkOlsvAixyg - {F443A17B-5EE9-0BD1-97CF-6CE6C3B7D38F} - No File

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kevinr~1\applic~1\mozilla\firefox\profiles\yk3vxknt.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://google.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr&p=
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\documents and settings\kevin ray\application data\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\kevin ray\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {FEF30DD4-32BB-4AE9-A67A-5A821CF810EE} - c:\documents and settings\kevin ray\local settings\application data\{FEF30DD4-32BB-4AE9-A67A-5A821CF810EE}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308000.029\SymEFA.sys [2010-2-2 310320]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-6-22 11608]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0308000.029\BHDrvx86.sys [2010-2-2 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0308000.029\cchpx86.sys [2010-2-2 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100617.005\IDSXpx86.sys [2010-6-18 331640]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-6-22 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-6-22 267432]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-6-22 60936]
R2 ccProxy;Symantec Network Proxy;c:\program files\norton 360\addons\norton addon pack\engine\3.8.0.5\ccProxy.exe [2010-2-18 186744]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 N360;Norton 360;c:\program files\norton 360\engine\3.8.0.41\ccSvcHst.exe [2010-2-2 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-31 102448]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100622.003\NAVENG.SYS [2010-6-22 85552]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100622.003\NAVEX15.SYS [2010-6-22 1347504]
S0 Winfo33;Winfo33;c:\windows\system32\drivers\winfo33.sys --> c:\windows\system32\drivers\Winfo33.sys [?]
S0 Wingh77;Wingh77;c:\windows\system32\drivers\wingh77.sys --> c:\windows\system32\drivers\Wingh77.sys [?]
S0 Wingl85;Wingl85;c:\windows\system32\drivers\wingl85.sys --> c:\windows\system32\drivers\Wingl85.sys [?]
S0 Winly52;Winly52;c:\windows\system32\drivers\winly52.sys --> c:\windows\system32\drivers\Winly52.sys [?]
S0 Winmn44;Winmn44;c:\windows\system32\drivers\winmn44.sys --> c:\windows\system32\drivers\Winmn44.sys [?]
S0 Winov25;Winov25;c:\windows\system32\drivers\winov25.sys --> c:\windows\system32\drivers\Winov25.sys [?]
S0 Winro13;Winro13;c:\windows\system32\drivers\winro13.sys --> c:\windows\system32\drivers\Winro13.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-5 135664]
S3 SDSTOR2K;SanDisk USB ImageMate/SecureMate Mass Storage Driver;c:\windows\system32\drivers\SDSTOR2K.SYS [2008-2-4 37781]

=============== Created Last 30 ================

2010-06-22 20:41:03 0 ----a-w- c:\documents and settings\kevin ray\defogger_reenable
2010-06-22 13:35:04 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-06-22 13:35:03 0 d-----w- c:\program files\Avira
2010-06-22 13:35:03 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-06-22 12:24:55 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-22 04:06:44 767952 ----a-w- c:\windows\BDTSupport.dll.old
2010-06-22 04:06:43 1652688 ----a-w- c:\windows\PCTBDCore.dll.old
2010-06-22 04:03:06 0 d-----w- c:\program files\Spyware Doctor
2010-06-21 22:39:56 2523 ----a-w- c:\windows\iwaqifih.dll
2010-06-21 20:37:56 2523 ----a-w- c:\windows\ebociwiqu.dll
2010-06-21 18:38:36 2523 ----a-w- c:\windows\itifikaha.dll
2010-06-21 16:48:06 2523 ----a-w- c:\windows\exiyupunep.dll
2010-06-19 11:49:17 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-19 11:29:55 120 ----a-w- c:\windows\Ngotukak.dat
2010-06-19 11:29:55 0 ----a-w- c:\windows\Bzivalep.bin
2010-06-14 16:38:39 518656 ----a-w- C:\ss_cle_0907.doc
2010-06-14 02:53:47 143 ----a-w- c:\documents and settings\kevin ray\webct_upload_applet.properties
2010-06-13 23:19:37 472064 ----a-w- C:\ca_gle_2.0_k8_1008.doc
2010-06-10 01:02:04 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-05-28 00:09:00 41872 ----a-w- c:\windows\system32\xfcodec.dll

==================== Find3M ====================

2010-05-11 21:27:11 88708 ---ha-w- c:\windows\system32\mlfcache.dat
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\win32k.sys
2010-04-29 20:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-04 02:08:20 35415 ----a-w- c:\windows\DIIUnin.dat
2010-04-04 02:07:29 21840 ----atw- c:\windows\system32\SIntfNT.dll
2010-04-04 02:07:29 17212 ----atw- c:\windows\system32\SIntf32.dll
2010-04-04 02:07:29 12067 ----atw- c:\windows\system32\SIntf16.dll
2010-04-04 01:07:26 94208 ----a-w- c:\windows\DIIUnin.exe
2010-04-04 01:07:26 2829 ----a-w- c:\windows\DIIUnin.pif
2007-01-13 19:02:57 774144 ----a-w- c:\program files\RngInterstitial.dll
2005-10-06 21:17:34 280576 ----a-w- c:\windows\inf\wg311v3\WG311v3XP.sys
2005-10-06 21:17:34 280576 ----a-w- c:\windows\inf\wg311v3\WG311v3.sys
2005-03-01 17:16:42 212992 ----a-w- c:\windows\inf\wg311v3\CopyWHQLDriver.exe
2009-08-31 01:04:20 88 --sh--r- c:\windows\system32\AE0398F919.sys

============= FINISH: 15:44:46.89 ===============
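The DDS log above carries several indicators that the later posts act on: an Internet Explorer proxy pointed at 127.0.0.1:5555 (a local proxy hijack, consistent with the Windows Update failures described), a cluster of boot-start (S0) services named Win??## whose .sys files DDS cannot find on disk (marked [?]), four identically sized DLLs with random names dropped directly into c:\windows, and an SSODL entry that resolves to "No File". The following Python script is an added example, not part of the original thread and not a DDS, ComboFix or helper-team tool; it parses those line formats and pulls out the four indicators. The embedded sample is excerpted from the posted log so the script runs offline; the regexes and the "three or more same-size DLLs" threshold are my own assumptions about the log format, not a published DDS specification.

```python
"""Pull TDSS/Tidserv-style indicators out of DDS-format log lines.

Added example for this thread; it is not DDS, ComboFix or any helper's tool.
The regexes are my own reading of the DDS line formats seen in the post
(an assumption, not a published format specification).
"""
import re
from collections import defaultdict

# Constructed sample: lines excerpted verbatim from the DDS log posted above,
# embedded here so the script runs offline.
SAMPLE_LOG = r"""uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
mWinlogon: Userinit=c:\windows\system32\userinit.exe
SSODL: WpqnwkOlsvAixyg - {F443A17B-5EE9-0BD1-97CF-6CE6C3B7D38F} - No File
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308000.029\SymEFA.sys [2010-2-2 310320]
S0 Winfo33;Winfo33;c:\windows\system32\drivers\winfo33.sys --> c:\windows\system32\drivers\Winfo33.sys [?]
S0 Wingh77;Wingh77;c:\windows\system32\drivers\wingh77.sys --> c:\windows\system32\drivers\Wingh77.sys [?]
S3 SDSTOR2K;SanDisk USB ImageMate/SecureMate Mass Storage Driver;c:\windows\system32\drivers\SDSTOR2K.SYS [2008-2-4 37781]
2010-06-21 22:39:56 2523 ----a-w- c:\windows\iwaqifih.dll
2010-06-21 20:37:56 2523 ----a-w- c:\windows\ebociwiqu.dll
2010-06-21 18:38:36 2523 ----a-w- c:\windows\itifikaha.dll
2010-06-21 16:48:06 2523 ----a-w- c:\windows\exiyupunep.dll
2010-06-22 13:35:04 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
"""

# "R0 name;display;path [date size]" / "S0 name;display;path --> path [?]"
SERVICE_RE = re.compile(r"^(?P<start>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
# "YYYY-MM-DD HH:MM:SS size attrs path" as in the Created Last 30 section
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+(?P<size>\d+)\s+(?P<attrs>\S+)\s+(?P<path>.+)$")
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<value>\S+)", re.IGNORECASE)
SSODL_RE = re.compile(r"^SSODL:\s*(?P<name>\S+)\s+-\s+(?P<clsid>\{[0-9A-Fa-f-]+\})\s+-\s+(?P<target>.*)$")
# Pronounceable, all-lowercase, digit-free names such as "ebociwiqu" (heuristic, assumed)
RANDOM_NAME_RE = re.compile(r"^[a-z]{6,12}$")


def local_proxy(lines):
    """Return host:port entries that route the browser through the local machine."""
    hits = []
    for line in lines:
        m = PROXY_RE.search(line)
        if not m:
            continue
        for part in m.group("value").split(";"):          # e.g. "http=127.0.0.1:5555"
            _proto, _, hostport = part.rpartition("=")     # works with or without a scheme prefix
            host = hostport.rsplit(":", 1)[0]
            if host in ("127.0.0.1", "localhost"):
                hits.append(hostport)
    return hits


def unresolved_boot_drivers(lines):
    """Boot-start (R0/S0) services whose binary DDS could not find on disk ([?])."""
    hits = []
    for line in lines:
        m = SERVICE_RE.match(line)
        if m and m.group("start").endswith("0") and m.group("rest").rstrip().endswith("[?]"):
            hits.append(m.group("name"))
    return hits


def same_size_random_dlls(lines, min_count=3):
    """Random-named DLLs dropped directly into c:\\windows, grouped by identical byte size."""
    by_size = defaultdict(list)
    for line in lines:
        m = FILE_RE.match(line)
        if not m:
            continue
        directory, _, filename = m.group("path").lower().rpartition("\\")
        stem, _, ext = filename.rpartition(".")
        if directory == "c:\\windows" and ext == "dll" and RANDOM_NAME_RE.match(stem):
            by_size[int(m.group("size"))].append(stem)
    return {size: sorted(names) for size, names in by_size.items() if len(names) >= min_count}


def ssodl_without_file(lines):
    """ShellServiceObjectDelayLoad entries whose target DDS reports as 'No File'."""
    return [m.group("name") for m in map(SSODL_RE.match, lines)
            if m and m.group("target").strip() == "No File"]


def triage(log_text):
    """Run all four checks over a DDS-style log and return the findings."""
    lines = [ln.strip() for ln in log_text.splitlines()]
    return {
        "local_proxy": local_proxy(lines),
        "unresolved_boot_drivers": unresolved_boot_drivers(lines),
        "same_size_random_dlls": same_size_random_dlls(lines),
        "ssodl_without_file": ssodl_without_file(lines),
    }


if __name__ == "__main__":
    for check, result in triage(SAMPLE_LOG).items():
        print(f"{check}: {result}")
```

Run against the sample, the script reports the proxy 127.0.0.1:5555, the two S0 drivers Winfo33 and Wingh77, the four 2523-byte DLLs, and the SSODL entry WpqnwkOlsvAixyg, while the legitimate Symantec, SanDisk and Avira entries stay silent. None of these checks proves a rootkit on its own; the point is that a boot-start driver the scanner cannot stat, combined with a localhost proxy and same-size droppers, is the pattern a helper is looking at when the posted AV scans come back clean.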


#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:28 PM

Posted 28 June 2010 - 05:56 AM

Hi kray931,

Welcome to Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. In case of making changes I shall assume my assistance is not needed any more.

If the issue is not resolved please update me on the current condition of your computer.

#3 kray931

kray931
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:08:28 AM

Posted 28 June 2010 - 07:29 AM

I am still having the same problems/symptoms as originally reported. I have made no changes/updates since my report. Please help...

#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:28 PM

Posted 28 June 2010 - 07:38 AM

Your log(s) show that you are using so-called peer-to-peer or file-sharing programs. These programs allow users to share files with one another, as the name suggests. In today's world cyber crime has grown to an enormous scale, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and they should thus be used with great care. Some further reading on this subject, along with the included links, is as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."


Removal Instructions
  1. I do not recommend that you have more than one anti-virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (real-time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
    1) False alarms: when the anti-virus software tells you that your PC has a virus when it actually doesn't.
    2) System performance problems: your system may lock up due to both products attempting to access the same file at the same time.
    Therefore please go to Add/Remove Programs in the Control Panel and remove either Norton 360 or Avira.

  2. You have the latest version of Java (Java 6 Update 20) and it is good. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
    Please uninstall the following:

    J2SE Runtime Environment 5.0 Update 6

  3. Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with the tool. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    • You will get a warning about the not trusted download sites for ComboFix, click Yes.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot into a special recovery/repair mode that will allow us to help you more easily should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.




#5 kray931

kray931
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:08:28 AM

Posted 28 June 2010 - 09:05 AM

Avira and J2SE removed.

Here is the ComboFix log

---------------------------------------------------------

ComboFix 10-06-27.04 - kevin ray 06/28/2010 8:33.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1081 [GMT -5:00]
Running from: c:\documents and settings\kevin ray\Desktop\Malware\ComboFix.exe
AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\kevin ray\Application Data\chrtmp
c:\documents and settings\kevin ray\Application Data\inst.exe
c:\program files\Shared
c:\windows\ebociwiqu.dll
c:\windows\exiyupunep.dll
c:\windows\itifikaha.dll
c:\windows\iwaqifih.dll
c:\windows\system\oeminfo.ini
c:\windows\xpsp1hfm.log

.
((((((((((((((((((((((((( Files Created from 2010-05-28 to 2010-06-28 )))))))))))))))))))))))))))))))
.

2010-06-24 18:59 . 2010-06-24 18:59 2728840 ----a-w- c:\documents and settings\kevin ray\Application Data\Mozilla\Firefox\Profiles\yk3vxknt.default\extensions\toolbar@ask.com\chrome\temp\askToolbar.exe
2010-06-24 04:28 . 2010-06-24 04:28 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb96.tmp.exe
2010-06-22 12:25 . 2010-06-22 12:25 503808 ----a-w- c:\documents and settings\kevin ray\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-64b52ee3-n\msvcp71.dll
2010-06-22 12:25 . 2010-06-22 12:25 499712 ----a-w- c:\documents and settings\kevin ray\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-64b52ee3-n\jmc.dll
2010-06-22 12:25 . 2010-06-22 12:25 348160 ----a-w- c:\documents and settings\kevin ray\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-64b52ee3-n\msvcr71.dll
2010-06-22 12:25 . 2010-06-22 12:25 61440 ----a-w- c:\documents and settings\kevin ray\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-5ab31cbb-n\decora-sse.dll
2010-06-22 12:25 . 2010-06-22 12:25 12800 ----a-w- c:\documents and settings\kevin ray\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-5ab31cbb-n\decora-d3d.dll
2010-06-22 12:24 . 2010-04-12 22:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-22 04:25 . 2010-06-22 04:25 -------- d-----w- c:\documents and settings\kevin ray\Local Settings\Application Data\Threat Expert
2010-06-22 04:03 . 2010-06-22 12:30 -------- d-----w- c:\program files\Spyware Doctor
2010-06-22 03:36 . 2010-06-22 03:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-06-22 03:35 . 2010-06-22 03:35 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-06-21 12:33 . 2010-06-21 14:27 -------- d-----w- c:\documents and settings\kevin ray\Local Settings\Application Data\jjromdhoi
2010-06-21 12:29 . 2010-06-21 12:29 -------- d-----w- c:\documents and settings\kevin ray\Local Settings\Application Data\{FEF30DD4-32BB-4AE9-A67A-5A821CF810EE}
2010-06-19 12:21 . 2010-06-19 12:21 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-06-19 12:20 . 2010-06-19 12:20 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-06-19 11:49 . 2010-06-26 23:57 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-19 11:41 . 2010-06-19 11:41 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-06-19 11:29 . 2010-06-21 16:41 120 ----a-w- c:\windows\Ngotukak.dat
2010-06-19 11:29 . 2010-06-21 12:29 0 ----a-w- c:\windows\Bzivalep.bin
2010-06-19 11:27 . 2010-06-22 00:40 -------- d-----w- c:\documents and settings\kevin ray\Local Settings\Application Data\fbtmwfpfh
2010-06-10 01:02 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-28 13:08 . 2006-12-04 08:15 -------- d-----w- c:\program files\Common Files\Java
2010-06-27 16:43 . 2008-08-08 12:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-06-25 20:32 . 2009-07-20 08:49 -------- d-----w- c:\program files\WoW
2010-06-25 20:10 . 2007-10-28 15:53 -------- d-----w- c:\documents and settings\kevin ray\Application Data\LimeWire
2010-06-25 00:01 . 2010-02-24 14:09 -------- d-----w- c:\program files\Ask.com
2010-06-22 12:28 . 2007-12-06 01:38 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-06-22 12:24 . 2006-12-04 08:15 -------- d-----w- c:\program files\Java
2010-06-21 23:33 . 2009-10-27 03:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-09 03:32 . 2008-09-03 22:31 -------- d-----w- c:\program files\Xfire
2010-06-09 00:17 . 2008-09-03 22:31 -------- d-----w- c:\documents and settings\kevin ray\Application Data\Xfire
2010-05-28 22:25 . 2007-01-13 06:21 1263 ----a-w- c:\windows\eReg.dat
2010-05-28 22:10 . 2006-12-04 08:20 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-28 21:40 . 2007-01-13 06:10 -------- d-----w- c:\program files\Maxis
2010-05-28 00:09 . 2010-05-28 00:09 41872 ----a-w- c:\windows\system32\xfcodec.dll
2010-05-25 18:32 . 2008-03-10 21:50 -------- d-----w- c:\program files\Windows Live Toolbar
2010-05-25 18:32 . 2007-03-20 03:08 -------- d-----w- c:\program files\The BOB&TOM Media Center
2010-05-25 18:32 . 2006-12-30 04:30 -------- d-----w- c:\program files\Quicken
2010-05-25 18:32 . 2006-12-04 08:21 -------- d-----w- c:\program files\Modem Helper
2010-05-14 06:23 . 2006-12-04 08:30 -------- d-----w- c:\program files\Google
2010-05-11 21:27 . 2009-12-19 15:27 88708 ---ha-w- c:\windows\system32\mlfcache.dat
2010-05-06 10:41 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-10 11:00 1851264 ------w- c:\windows\system32\win32k.sys
2010-04-29 20:39 . 2009-10-27 03:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39 . 2009-10-27 03:53 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 05:30 . 2004-08-10 11:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-18 00:39 . 2006-12-04 08:40 118312 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-04 02:08 . 2010-04-04 01:07 35415 ----a-w- c:\windows\DIIUnin.dat
2010-04-04 02:07 . 2008-05-11 01:13 21840 ----atw- c:\windows\system32\SIntfNT.dll
2010-04-04 02:07 . 2008-05-11 01:13 17212 ----atw- c:\windows\system32\SIntf32.dll
2010-04-04 02:07 . 2008-05-11 01:13 12067 ----atw- c:\windows\system32\SIntf16.dll
2010-04-04 01:07 . 2010-04-04 01:07 94208 ----a-w- c:\windows\DIIUnin.exe
2010-04-04 01:07 . 2010-04-04 01:07 2829 ----a-w- c:\windows\DIIUnin.pif
2007-01-13 19:02 . 2007-01-13 19:03 774144 ----a-w- c:\program files\RngInterstitial.dll
2009-04-01 03:47 . 2009-01-09 20:52 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
2009-08-31 01:04 . 2007-05-22 03:01 88 --sh--r- c:\windows\system32\AE0398F919.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-06-10 22:28 1233288 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-06-10 1233288]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-06-10 1233288]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-27 68856]
"CAHeadless"="d:\program files\Adobe\Elements Organizer 8.0\CAHeadless\ElementsAutoAnalyzer.exe" [2009-09-18 615808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"ISUSPM Startup"="c:\progra~1\common~1\instal~1\update~1\isuspm.exe" [2004-07-27 221184]
"USBToolTip"="c:\progra~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe" [2007-02-20 199752]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winfo33.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wingh77.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wingl85.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winly52.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winmn44.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winov25.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winro13.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NETGEAR WG311v3 Smart Wizard.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NETGEAR WG311v3 Smart Wizard.lnk
backup=c:\windows\pss\NETGEAR WG311v3 Smart Wizard.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^kevin ray^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\documents and settings\kevin ray\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataCaching]
2001-11-29 05:55 262144 ----a-w- c:\progra~1\DATACA~1\FLASHKSK.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2006-08-29 03:57 395776 ----a-w- c:\program files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
2005-09-08 11:20 122940 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2004-08-10 10:04 59392 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-27 22:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jing]
2009-02-19 07:48 2495752 ----a-w- c:\program files\TechSmith\Jing\Jing.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 06:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-07-24 16:20 282624 ----a-w- c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snpstd3]
2006-09-19 14:07 827392 ----a-w- c:\windows\vsnpstd3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2009-12-20 02:07 1217808 ----a-w- c:\program files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\The BOB&TOM Show]
2005-06-08 17:00 983040 ----a-w- c:\program files\The BOB&TOM Media Center\The BOB&TOM Media Center.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 22:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\umi.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\WoW\\Repair.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=
"d:\\Program Files\\Adobe\\Elements Organizer 8.0\\AdobePhotoshopElementsMediaServer.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SymEFA.sys [2/2/2010 3:03 AM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0308000.029\BHDrvx86.sys [2/2/2010 3:03 AM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0308000.029\cchpx86.sys [2/2/2010 3:03 AM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100625.001\IDSXpx86.sys [6/25/2010 11:53 PM 331640]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe [2/2/2010 3:03 AM 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/31/2010 8:46 PM 102448]
S0 Winfo33;Winfo33;c:\windows\system32\Drivers\Winfo33.sys --> c:\windows\system32\Drivers\Winfo33.sys [?]
S0 Wingh77;Wingh77;c:\windows\system32\Drivers\Wingh77.sys --> c:\windows\system32\Drivers\Wingh77.sys [?]
S0 Wingl85;Wingl85;c:\windows\system32\Drivers\Wingl85.sys --> c:\windows\system32\Drivers\Wingl85.sys [?]
S0 Winly52;Winly52;c:\windows\system32\Drivers\Winly52.sys --> c:\windows\system32\Drivers\Winly52.sys [?]
S0 Winmn44;Winmn44;c:\windows\system32\Drivers\Winmn44.sys --> c:\windows\system32\Drivers\Winmn44.sys [?]
S0 Winov25;Winov25;c:\windows\system32\Drivers\Winov25.sys --> c:\windows\system32\Drivers\Winov25.sys [?]
S0 Winro13;Winro13;c:\windows\system32\Drivers\Winro13.sys --> c:\windows\system32\Drivers\Winro13.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/5/2010 11:05 PM 135664]
S3 SDSTOR2K;SanDisk USB ImageMate/SecureMate Mass Storage Driver;c:\windows\system32\drivers\SDSTOR2K.SYS [2/4/2008 9:32 AM 37781]
.
Contents of the 'Scheduled Tasks' folder

2010-06-28 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 16:20]

2010-06-28 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-04-12 07:59]

2010-06-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 04:05]

2010-06-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 04:05]

2010-06-28 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-06-10 22:28]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: MasterCook: Select Image - c:\program files\MasterCook 9\Web\MCIEContext.hta
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.7.1/GarminAxControl.CAB
FF - ProfilePath - c:\documents and settings\kevin ray\Application Data\Mozilla\Firefox\Profiles\yk3vxknt.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://google.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr&p=
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\documents and settings\kevin ray\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\kevin ray\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {FEF30DD4-32BB-4AE9-A67A-5A821CF810EE} - c:\documents and settings\kevin ray\Local Settings\Application Data\{FEF30DD4-32BB-4AE9-A67A-5A821CF810EE}
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
SSODL-WpqnwkOlsvAixyg-{F443A17B-5EE9-0BD1-97CF-6CE6C3B7D38F} - (no file)
SafeBoot-Winyx85.sys
MSConfigStartUp-advap32 - c:\documents and settings\LocalService\Application Data\517045061.exe
MSConfigStartUp-Messenger (Yahoo!) - c:\program files\Yahoo!\Messenger\YahooMessenger.exe
MSConfigStartUp-MsnMsgr - c:\program files\Windows Live\Messenger\MsnMsgr.Exe
MSConfigStartUp-My Web Search Bar Search Scope Monitor - c:\progra~1\MYWEBS~1\bar\3.bin\m3SrchMn.exe
MSConfigStartUp-My Web Search Community Tools - c:\program files\MyWebSearch\bar\3.bin\m3IMPipe.exe
MSConfigStartUp-MyWebSearch Email Plugin - c:\progra~1\MYWEBS~1\bar\3.bin\mwsoemon.exe
MSConfigStartUp-NeroCheck - c:\windows\system32\NeroCheck.exe
MSConfigStartUp-Yahoo! Pager - c:\program files\Yahoo!\Messenger\YahooMessenger.exe
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-28 08:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x89AA8EC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74cbf28
\Driver\ACPI -> ACPI.sys @ 0xf735ecb8
\Driver\iaStor -> iaStor.sys @ 0xf7253f80
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: NETGEAR WG311v3 802.11g Wireless PCI Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf710abb0
PacketIndicateHandler -> NDIS.sys @ 0xf7117a21
SendHandler -> NDIS.sys @ 0xf70f587b
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-684549800-1627861567-3933245458-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
@SACL=

[HKEY_USERS\S-1-5-21-684549800-1627861567-3933245458-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:a1,34,63,81,e7,d5,cb,57,f6,cc,3c,d1,b1,72,d0,21,c9,b9,ae,7b,0e,f3,a9,
2e,b4,95,93,f9,db,15,04,34,31,ef,a1,68,6d,2d,2e,c8,7c,52,53,7e,66,a0,ca,36,\
"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1320)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1380)
c:\windows\system32\WININET.dll
.
Completion time: 2010-06-28 09:01:03
ComboFix-quarantined-files.txt 2010-06-28 14:00

Pre-Run: 70,937,001,984 bytes free
Post-Run: 71,016,226,816 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - AA7C185A6CB20A76CE758E1CD3BC5075


#6 kray931 (Topic Starter)

Posted 28 June 2010 - 09:36 AM

Since Combofix completed I have continued to get messages from Norton360 about intrusion attempts being blocked. I still cannot get to Windows Update page. Rebooted with same symptoms.

#7 Farbar (Security Developer, The Netherlands)

Posted 28 June 2010 - 10:14 AM

I'm aware of it, but thanks for the update anyway. We still have some work to do.

We are going to run this special tool.
  • Please download TDSSKiller.exe and save it to your desktop.
  • Run TDSSKiller.exe.
  • When it has finished, press any key to continue.
  • Let it reboot if needed, and tell me whether it needed a reboot.
  • It also creates a txt file in the C:\ directory (like TDSSKiller.2.3.2.0_Date_Time_log.txt). Please attach it to your reply.


#8 kray931 (Topic Starter)

Posted 28 June 2010 - 01:23 PM

TDSSKiller log attached


#9 Farbar (Security Developer, The Netherlands)

Posted 28 June 2010 - 06:33 PM

The rootkit is taken care of and Norton should have no more warnings.

We need to finish the job.

Open notepad and copy/paste the text in the code box below into it:

CODE
http://www.bleepingcomputer.com/forums/t/326353/norton-intrusion-attempt-was-blocked/

Collect::
c:\windows\system32\drivers\winfo33.sys
c:\windows\system32\drivers\Wingh77.sys
c:\windows\system32\drivers\Wingl85.sys
c:\windows\system32\drivers\Winly52.sys
c:\windows\system32\drivers\Winmn44.sys
c:\windows\system32\drivers\Winov25.sys
c:\windows\system32\drivers\Winro13.sys
Driver::
Winfo33
Wingh77
Wingl85
Winly52
Winmn44
Winov25
winro13

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winfo33.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wingh77.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wingl85.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winly52.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winmn44.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winov25.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winro13.sys]
[-HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:0
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:0
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:0
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:0
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"=-
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555
RegLock::
[HKEY_USERS\S-1-5-21-684549800-1627861567-3933245458-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]


Save this as CFScript.txt





Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Please copy and paste that log in your next reply.

**Important Note**

When CF finishes running, if the ComboFix log opens along with a message box, do not be alarmed. With the above script, ComboFix will capture some bad files to submit for analysis, if they are still on the system.
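The CFScript above targets a handful of indicators that are all visible in the earlier ComboFix log: S0 drivers whose image file is missing ("[?]"), matching SafeBoot\Minimal entries that keep them loading in Safe Mode, a ProxyServer of 127.0.0.1:5555 in the user's Internet Settings, Security Center monitoring switched off, and the Windows Firewall disabled. As an added triage aid (this is the editor's example, not part of the thread and not ComboFix's or Farbar's tooling), the Python below reads ComboFix-style log lines and pulls those indicators out automatically. The sample lines are constructed in the shape of the log above rather than copied in full, and the regular expressions are this example's own assumptions about ComboFix's line layout, based only on the lines shown in this thread.

```python
"""Triage helper for ComboFix-style log text.

Added example (not part of the thread, and not ComboFix's or Farbar's own tooling).
It pulls out the indicators this thread's CFScript is addressing:
  * driver/service entries (R0..R4, S0..S4) whose image file is missing ("[?]")
  * SafeBoot\Minimal entries that keep such a driver loading in Safe Mode
  * a ProxyServer pointing at the local host
  * Security Center monitoring switched off / AntiVirusOverride set
  * Windows Firewall disabled in the standard profile
The line shapes follow the log above; the regexes are this example's own assumptions.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of the ComboFix log above (not the full log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winfo33.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SymEFA.sys [2/2/2010 3:03 AM 310320]
S0 Winfo33;Winfo33;c:\windows\system32\Drivers\Winfo33.sys --> c:\windows\system32\Drivers\Winfo33.sys [?]
S3 SDSTOR2K;SanDisk USB ImageMate/SecureMate Mass Storage Driver;c:\windows\system32\drivers\SDSTOR2K.SYS [2/4/2008 9:32 AM 37781]
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")                       # [HKEY_...\key]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')       # "Name"=value
SERVICE_RE = re.compile(r"^(?P<state>[RS][0-4]) (?P<name>[^;]+);[^;]*;(?P<rest>.*)$")
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer = (?P<value>.*)$")
SAFEBOOT_MARK = "\\safeboot\\minimal\\"

Finding = Tuple[str, str]


def parse_log(text: str) -> dict:
    """Collect service entries, SafeBoot driver names, registry values and the proxy line."""
    services: Dict[str, Tuple[str, str, bool]] = {}   # lower name -> (state, name, image present)
    safeboot = set()                                   # lower driver names under SafeBoot\Minimal
    values: Dict[Tuple[str, str], str] = {}            # (lower key, lower value name) -> raw value
    proxy: Optional[str] = None
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("key")
            if SAFEBOOT_MARK in section.lower():
                leaf = section.rsplit("\\", 1)[-1].lower()
                safeboot.add(leaf[:-4] if leaf.endswith(".sys") else leaf)
            continue
        m = SERVICE_RE.match(line)
        if m:
            name = m.group("name")
            # ComboFix appends "[?]" when the service's image file cannot be found on disk
            services[name.lower()] = (m.group("state"), name, not m.group("rest").endswith("[?]"))
            continue
        m = PROXY_RE.match(line)
        if m:
            proxy = m.group("value").strip()
            continue
        m = VALUE_RE.match(line)
        if m and section is not None:
            values[(section.lower(), m.group("name").lower())] = m.group("value").strip()
    return {"services": services, "safeboot": safeboot, "values": values, "proxy": proxy}


def as_int(value: str) -> Optional[int]:
    """Read the two DWORD renderings seen in the log: 'dword:00000001' and '0 (0x0)'."""
    v = value.strip().lower()
    if v.startswith("dword:"):
        return int(v[6:], 16)
    m = re.match(r"^(\d+)", v)
    return int(m.group(1)) if m else None


def triage(text: str) -> List[Finding]:
    """Return (finding kind, subject) pairs for the indicators listed in the module docstring."""
    info = parse_log(text)
    findings: List[Finding] = []
    for key in sorted(info["services"]):
        state, name, present = info["services"][key]
        if present:
            continue
        # a missing-file driver that is also whitelisted for Safe Mode is the stronger signal
        kind = "driver-missing-file+safeboot" if key in info["safeboot"] else "driver-missing-file"
        findings.append((kind, f"{state} {name}"))
    if info["proxy"] and re.search(r"127\.0\.0\.1|localhost", info["proxy"], re.I):
        findings.append(("localhost-proxy", info["proxy"]))
    for (key, vname), value in info["values"].items():
        if "security center" in key and vname in ("antivirusoverride", "disablemonitoring") and as_int(value) == 1:
            findings.append(("security-center-disabled", f"{vname} under {key}"))
        elif "firewallpolicy" in key and vname == "enablefirewall" and as_int(value) == 0:
            findings.append(("firewall-disabled", key))
    return findings


if __name__ == "__main__":
    for kind, subject in triage(SAMPLE_LOG):
        print(f"{kind:30} {subject}")
```

Run against the sample it reports the one Win??##.sys driver with a missing image that also has a SafeBoot entry, the localhost proxy, both Security Center overrides and the disabled firewall; the legitimate Symantec and SanDisk drivers produce nothing. The same function can be pointed at a full ComboFix log read from a file, since the parser ignores every line it does not recognise.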

#10 kray931 (Topic Starter)

Posted 28 June 2010 - 07:09 PM

OK here is the new log:
----------------------------------------------------------

ComboFix 10-06-27.06 - kevin ray 06/28/2010 18:44:13.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1414 [GMT -5:00]
Running from: c:\documents and settings\kevin ray\Desktop\Malware\ComboFix.exe
Command switches used :: c:\documents and settings\kevin ray\Desktop\Malware\CFScript.txt
AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_Winfo33
-------\Service_Wingh77
-------\Service_Wingl85
-------\Service_Winly52
-------\Service_Winmn44
-------\Service_Winov25
-------\Service_Winro13


((((((((((((((((((((((((( Files Created from 2010-05-28 to 2010-06-28 )))))))))))))))))))))))))))))))
.

2010-06-28 14:22 . 2010-06-28 14:22 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-06-28 14:22 . 2010-06-28 14:22 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2010-06-22 12:24 . 2010-04-12 22:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-22 04:25 . 2010-06-22 04:25 -------- d-----w- c:\documents and settings\kevin ray\Local Settings\Application Data\Threat Expert
2010-06-22 04:03 . 2010-06-22 12:30 -------- d-----w- c:\program files\Spyware Doctor
2010-06-22 03:36 . 2010-06-22 03:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-06-22 03:35 . 2010-06-22 03:35 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-06-21 12:33 . 2010-06-21 14:27 -------- d-----w- c:\documents and settings\kevin ray\Local Settings\Application Data\jjromdhoi
2010-06-21 12:29 . 2010-06-21 12:29 -------- d-----w- c:\documents and settings\kevin ray\Local Settings\Application Data\{FEF30DD4-32BB-4AE9-A67A-5A821CF810EE}
2010-06-19 12:21 . 2010-06-19 12:21 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-06-19 12:20 . 2010-06-19 12:20 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-06-19 11:49 . 2010-06-26 23:57 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-19 11:41 . 2010-06-19 11:41 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-06-19 11:29 . 2010-06-21 16:41 120 ----a-w- c:\windows\Ngotukak.dat
2010-06-19 11:29 . 2010-06-21 12:29 0 ----a-w- c:\windows\Bzivalep.bin
2010-06-19 11:27 . 2010-06-22 00:40 -------- d-----w- c:\documents and settings\kevin ray\Local Settings\Application Data\fbtmwfpfh
2010-06-10 01:02 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-28 18:03 . 2005-08-16 10:37 40840 ----a-w- c:\windows\system32\drivers\termdd.sys
2010-06-28 17:44 . 2008-08-08 12:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-06-28 13:08 . 2006-12-04 08:15 -------- d-----w- c:\program files\Common Files\Java
2010-06-25 20:32 . 2009-07-20 08:49 -------- d-----w- c:\program files\WoW
2010-06-25 20:10 . 2007-10-28 15:53 -------- d-----w- c:\documents and settings\kevin ray\Application Data\LimeWire
2010-06-25 00:01 . 2010-02-24 14:09 -------- d-----w- c:\program files\Ask.com
2010-06-24 18:59 . 2010-06-24 18:59 2728840 ----a-w- c:\documents and settings\kevin ray\Application Data\Mozilla\Firefox\Profiles\yk3vxknt.default\extensions\toolbar@ask.com\chrome\temp\askToolbar.exe
2010-06-24 04:28 . 2010-06-24 04:28 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb96.tmp.exe
2010-06-22 12:28 . 2007-12-06 01:38 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-06-22 12:25 . 2010-06-22 12:25 503808 ----a-w- c:\documents and settings\kevin ray\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-64b52ee3-n\msvcp71.dll
2010-06-22 12:25 . 2010-06-22 12:25 499712 ----a-w- c:\documents and settings\kevin ray\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-64b52ee3-n\jmc.dll
2010-06-22 12:25 . 2010-06-22 12:25 348160 ----a-w- c:\documents and settings\kevin ray\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-64b52ee3-n\msvcr71.dll
2010-06-22 12:25 . 2010-06-22 12:25 61440 ----a-w- c:\documents and settings\kevin ray\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-5ab31cbb-n\decora-sse.dll
2010-06-22 12:25 . 2010-06-22 12:25 12800 ----a-w- c:\documents and settings\kevin ray\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-5ab31cbb-n\decora-d3d.dll
2010-06-22 12:24 . 2006-12-04 08:15 -------- d-----w- c:\program files\Java
2010-06-21 23:33 . 2009-10-27 03:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-09 03:32 . 2008-09-03 22:31 -------- d-----w- c:\program files\Xfire
2010-06-09 00:17 . 2008-09-03 22:31 -------- d-----w- c:\documents and settings\kevin ray\Application Data\Xfire
2010-05-28 22:25 . 2007-01-13 06:21 1263 ----a-w- c:\windows\eReg.dat
2010-05-28 22:10 . 2006-12-04 08:20 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-28 21:40 . 2007-01-13 06:10 -------- d-----w- c:\program files\Maxis
2010-05-28 00:09 . 2010-05-28 00:09 41872 ----a-w- c:\windows\system32\xfcodec.dll
2010-05-25 18:32 . 2008-03-10 21:50 -------- d-----w- c:\program files\Windows Live Toolbar
2010-05-25 18:32 . 2007-03-20 03:08 -------- d-----w- c:\program files\The BOB&TOM Media Center
2010-05-25 18:32 . 2006-12-30 04:30 -------- d-----w- c:\program files\Quicken
2010-05-25 18:32 . 2006-12-04 08:21 -------- d-----w- c:\program files\Modem Helper
2010-05-14 06:23 . 2006-12-04 08:30 -------- d-----w- c:\program files\Google
2010-05-11 21:27 . 2009-12-19 15:27 88708 ---ha-w- c:\windows\system32\mlfcache.dat
2010-05-06 10:41 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-10 11:00 1851264 ------w- c:\windows\system32\win32k.sys
2010-04-29 20:39 . 2009-10-27 03:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39 . 2009-10-27 03:53 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 05:30 . 2004-08-10 11:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-18 00:39 . 2006-12-04 08:40 118312 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-04 02:08 . 2010-04-04 01:07 35415 ----a-w- c:\windows\DIIUnin.dat
2010-04-04 02:07 . 2008-05-11 01:13 21840 ----atw- c:\windows\system32\SIntfNT.dll
2010-04-04 02:07 . 2008-05-11 01:13 17212 ----atw- c:\windows\system32\SIntf32.dll
2010-04-04 02:07 . 2008-05-11 01:13 12067 ----atw- c:\windows\system32\SIntf16.dll
2010-04-04 01:07 . 2010-04-04 01:07 94208 ----a-w- c:\windows\DIIUnin.exe
2010-04-04 01:07 . 2010-04-04 01:07 2829 ----a-w- c:\windows\DIIUnin.pif
2007-01-13 19:02 . 2007-01-13 19:03 774144 ----a-w- c:\program files\RngInterstitial.dll
2009-04-01 03:47 . 2009-01-09 20:52 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
2009-08-31 01:04 . 2007-05-22 03:01 88 --sh--r- c:\windows\system32\AE0398F919.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-06-10 22:28 1233288 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-06-10 1233288]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-06-10 1233288]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-27 68856]
"CAHeadless"="d:\program files\Adobe\Elements Organizer 8.0\CAHeadless\ElementsAutoAnalyzer.exe" [2009-09-18 615808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"ISUSPM Startup"="c:\progra~1\common~1\instal~1\update~1\isuspm.exe" [2004-07-27 221184]
"USBToolTip"="c:\progra~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe" [2007-02-20 199752]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NETGEAR WG311v3 Smart Wizard.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NETGEAR WG311v3 Smart Wizard.lnk
backup=c:\windows\pss\NETGEAR WG311v3 Smart Wizard.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^kevin ray^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\documents and settings\kevin ray\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataCaching]
2001-11-29 05:55 262144 ----a-w- c:\progra~1\DATACA~1\FLASHKSK.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2006-08-29 03:57 395776 ----a-w- c:\program files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
2005-09-08 11:20 122940 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2004-08-10 10:04 59392 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-27 22:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jing]
2009-02-19 07:48 2495752 ----a-w- c:\program files\TechSmith\Jing\Jing.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 06:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-07-24 16:20 282624 ----a-w- c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snpstd3]
2006-09-19 14:07 827392 ----a-w- c:\windows\vsnpstd3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2009-12-20 02:07 1217808 ----a-w- c:\program files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\The BOB&TOM Show]
2005-06-08 17:00 983040 ----a-w- c:\program files\The BOB&TOM Media Center\The BOB&TOM Media Center.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 22:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\umi.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\WoW\\Repair.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=
"d:\\Program Files\\Adobe\\Elements Organizer 8.0\\AdobePhotoshopElementsMediaServer.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SymEFA.sys [2/2/2010 3:03 AM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0308000.029\BHDrvx86.sys [2/2/2010 3:03 AM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0308000.029\cchpx86.sys [2/2/2010 3:03 AM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100625.001\IDSXpx86.sys [6/25/2010 11:53 PM 331640]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe [2/2/2010 3:03 AM 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/31/2010 8:46 PM 102448]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/5/2010 11:05 PM 135664]
S3 SDSTOR2K;SanDisk USB ImageMate/SecureMate Mass Storage Driver;c:\windows\system32\drivers\SDSTOR2K.SYS [2/4/2008 9:32 AM 37781]
.
Contents of the 'Scheduled Tasks' folder

2010-06-28 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 16:20]

2010-06-28 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-04-12 07:59]

2010-06-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 04:05]

2010-06-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 04:05]

2010-06-29 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-06-10 22:28]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: MasterCook: Select Image - c:\program files\MasterCook 9\Web\MCIEContext.hta
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.7.1/GarminAxControl.CAB
FF - ProfilePath - c:\documents and settings\kevin ray\Application Data\Mozilla\Firefox\Profiles\yk3vxknt.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://google.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr&p=
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\documents and settings\kevin ray\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\kevin ray\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {FEF30DD4-32BB-4AE9-A67A-5A821CF810EE} - c:\documents and settings\kevin ray\Local Settings\Application Data\{FEF30DD4-32BB-4AE9-A67A-5A821CF810EE}
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-28 18:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-684549800-1627861567-3933245458-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:a1,34,63,81,e7,d5,cb,57,f6,cc,3c,d1,b1,72,d0,21,c9,b9,ae,7b,0e,f3,a9,
2e,b4,95,93,f9,db,15,04,34,31,ef,a1,68,6d,2d,2e,c8,7c,52,53,7e,66,a0,ca,36,\
"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1288)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1404)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Norton 360\AddOns\Norton AddOn Pack\Engine\3.8.0.5\ccProxy.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\FolderSize\FolderSizeSvc.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\HPZipm12.exe
c:\windows\system32\wdfmgr.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\dllhost.exe
.
**************************************************************************
.
Completion time: 2010-06-28 19:06:37 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-29 00:06
ComboFix2.txt 2010-06-28 14:01

Pre-Run: 71,044,308,992 bytes free
Post-Run: 70,951,702,528 bytes free

- - End Of File - - A2DAD72CE253F6F70BCB804F0801BE43


#11 Farbar
  • Security Developer
  • 21,688 posts
  • Location:The Netherlands

Posted 28 June 2010 - 07:53 PM

We are almost there.
  1. Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


  2. Tell me also how your computer is running.


#12 kray931
  • Topic Starter
  • Members
  • 8 posts

Posted 28 June 2010 - 11:32 PM

MBAM found no infected files. Everything seems to be running well now. I can connect to Windows Update and haven't seen any serious Norton 360 warnings.



----------------------------------------------------------------
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4223

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/28/2010 10:48:52 PM
mbam-log-2010-06-28 (22-48-52).txt

Scan type: Quick scan
Objects scanned: 137934
Time elapsed: 11 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#13 Farbar
  • Security Developer
  • 21,688 posts
  • Location:The Netherlands

Posted 29 June 2010 - 02:45 AM

It looks good.
  1. It is important to uninstall ComboFix.

    Go to Start => Run => copy and paste the next command in the field, then hit Enter:

    ComboFix /Uninstall

    This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

    It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through system restore.

  2. You may delete any tool or log we used from your computer.

  3. I recommend installing this small application for safe surfing: Javacools© SpywareBlaster
    SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings, which will protect you from running and downloading known malicious programs.
    • Download and install it.
    • Update it manually by clicking on Updates in the left pane and then Check for Updates.
    • Then enable all the protections by clicking on Protection Status on the left pane. Then click on Enable All Protection.
    • The free version doesn't have an automatic update. Update it once every two or three weeks and enable all protection again.

Happy Surfing kray931.

#14 kray931
  • Topic Starter
  • Members
  • 8 posts

Posted 29 June 2010 - 07:51 AM

Done.

Thanks for all the help!!!

#15 Farbar
  • Security Developer
  • 21,688 posts
  • Location:The Netherlands

Posted 29 June 2010 - 07:59 AM

You are very welcome.

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.



