Trojan: HTTPS Tidserv Request 2


22 replies to this topic

#1 EdSanDiego

  • Members
  • 15 posts

Posted 09 August 2010 - 07:30 PM

I have pretty much lost control of my computer.
1) my system locks up and I frequently have to use manual power off
2) my searches (e.g., Google) are redirected to unrelated sites that I cannot back out of
3) frequent porn popups
4) my wireless system usually crashes after a few Norton messages related to blocking HTTPS Tidserv
5) popups for registry cleaners
6) registry error message from Firefox (see attached screen capture)
7) unable to delete registry errors related to Macromedia Flash
8) NOTE: re DDS problems, only 1 file was created... tried several times, but never 2 files as indicated in the preparation text
9) NOTE: re GMER problems
a) screen was not blank prior to scan (see attached screen capture)
b) GMER caused 3 blue screen crashes before I finally got a scan (5 hrs)... (attached is ark-5hrs.txt)
10) Norton cannot detect the trojan during a full scan and it cannot remove it. I have had Norton products installed from day one. Symantec tech support told me that the trojan had probably attacked Norton and that I should just go back to a Restore Point. I didn't even try it. I had no confidence in anything they told me.
OOPS! I can't attach any of the screen captures that show what I've been seeing. Sorry.
Ed

DDS:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Ed Tyson at 18:27:19.43 on Sun 08/08/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.112 [GMT -7:00]

AV: Norton AntiVirus *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\MMKeybd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\EarthLink TotalAccess\FastLane2\IPMon32.exe
C:\Program Files\EarthLink TotalAccess\FastLane2\IPClient.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Norton Save and Restore\Agent\VProTray.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\17.7.0.12\ccSvcHst.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\Norton Save and Restore\Agent\VProSvc.exe
C:\Program Files\Norton Safe Web Lite\Engine\1.0.1.8\ccSvcHst.exe
C:\Program Files\SentrilockCardUtility\SentrilockCardUtility.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Documents and Settings\Ed Tyson\Application Data\Dropbox\bin\Dropbox.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\NORTON~4\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\17.7.0.12\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Ed Tyson\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://start.earthlink.net/AL/Search
uStart Page = hxxp://www.sandicor.com/
uInternet Settings,ProxyOverride = <local>
uURLSearchHooks: SrchHook Class: {44f9b173-041c-4825-a9b9-d914bd9dcbb3} - c:\program files\earthlink totalaccess\ElnIE.dll
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
TB: EarthLink Toolbar: {c7768536-96f8-4001-b1a2-90ee21279187} - c:\program files\earthlink totalaccess\toolbar\Toolbar.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: Norton Safe Web Lite: {30ceeea2-3742-40e4-85dd-812bf1cbb83d} - c:\program files\norton safe web lite\engine\1.0.1.8\coIEPlg.dll
TB: {D0523BB4-21E7-11DD-9AB7-415B56D89593} - No File
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [OpAgent] "OpAgent.exe" /agent
uRun: [<NO NAME>]
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
mRun: [DellCleanup] c:\dell\WINCLEAN.EXE
mRun: [POINTER] c:\program files\microsoft hardware\mouse\point32.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [DellTouch] c:\windows\MMKeybd.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [IntelliType] "c:\program files\microsoft hardware\keyboard\type32.exe"
mRun: [WinFaxAppPortStarter] wfxsnt40.exe
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [nwiz] nwiz.exe /install
mRun: [ADUserMon] c:\program files\iomega\autodisk\ADUserMon.exe
mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ScanSoft OmniPage 16-reminder] "c:\program files\scansoft\omnipage16\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\omnipage 16\ereg\Ereg.ini"
mRun: [IPInSightMonitor 01] "c:\program files\earthlink totalaccess\fastlane2\IPMon32.exe"
mRun: [IPInSightLAN 01] "c:\program files\earthlink totalaccess\fastlane2\IPClient.exe" -l
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Norton Save and Restore 2.0] "c:\program files\norton save and restore\agent\VProTray.exe"
mRun: [NSWosCheck] "c:\program files\norton systemworks premier\osCheck.exe"
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash
mRun: [Iomega Drive Icons] c:\program files\iomega\driveicons\ImgIcon.exe
mRun: [Deskup] c:\program files\iomega\driveicons\deskup.exe /IMGSTART
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [<NO NAME>]
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\edtyso~1\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\ed tyson\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\edtyso~1\startm~1\programs\startup\launch~1.lnk - c:\docume~1\edtyso~1\applic~1\microsoft\installer\{d8e363a7-88b7-446d-b2c0-e26ce4dc8e54}\_294823.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\camiov~1.lnk - c:\program files\sierra imaging\image expert 2000\IXApplet.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\star

#2 Noviciate

  • Malware Response Team
  • 5,277 posts

Posted 10 August 2010 - 03:03 PM

Good evening.

Take a trip to this webpage for download links and instructions for running Combofix by sUBs.*
  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste it into your next reply.
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console so, should you choose not to allow the installation, you may not get the results you hoped for.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for either.

So long, and thanks for all the fish.

#3 EdSanDiego

  • Topic Starter
  • Members
  • 15 posts

Posted 12 August 2010 - 01:17 PM

To: Noviciate
Thx for your response.
Had some problems with ComboFix hanging up or locking up the computer. It finally ran after the 4th try.
Along with some other programs, ComboFix seems to have deleted or uninstalled parts of Norton AntiVirus. I keep getting error messages 3035,6 and 3039,1. I tried their autofix system but it did not work. Not sure if I should tend to it now or wait for you to finish.
Re: sending $ through PayPal to ComboFix, I don't have an account. Is there another way? I don't want to get involved with PayPal.

Thank you so much for your time and expertise.
Ed
P.S. I disabled all that I could see in Norton. All scans that I could see were OFF.

LOG from ComboFix:
ComboFix 10-08-11.04 - Ed Tyson 08/11/2010 17:44:13.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.349 [GMT -7:00]
Running from: c:\documents and settings\Ed Tyson\Desktop\ComboFix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\vlc-1.0.1-win32.exe
c:\documents and settings\Ed Tyson\g2mdlhlpx.exe
C:\LOGB62.tmp
c:\program files\Internet Explorer\SET75.tmp
c:\program files\Internet Explorer\SET76.tmp
c:\program files\Internet Explorer\SET77.tmp
C:\setup.exe
c:\windows\system32\Help
c:\windows\system32\Help\Help\About_KMT.html
c:\windows\system32\Help\Help\Customer_Support.html
c:\windows\system32\Help\Help\FAQs.html
c:\windows\system32\Help\Help\Introduction.html
c:\windows\system32\Help\Help\My Favorites.html
c:\windows\system32\Help\Help\Opening a Template.html
c:\windows\system32\Help\Help\OR 4.css
c:\windows\system32\Help\Help\PDF_Roundtrip.html
c:\windows\system32\Help\Help\Photo_Editor.html
c:\windows\system32\Help\Help\PhotoImages\brightness.jpg
c:\windows\system32\Help\Help\PhotoImages\contrast.jpg
c:\windows\system32\Help\Help\PhotoImages\crop to fit.jpg
c:\windows\system32\Help\Help\PhotoImages\flip.jpg
c:\windows\system32\Help\Help\PhotoImages\grau scale.jpg
c:\windows\system32\Help\Help\PhotoImages\hue.jpg
c:\windows\system32\Help\Help\PhotoImages\Main screen.jpg
c:\windows\system32\Help\Help\PhotoImages\mosaic.jpg
c:\windows\system32\Help\Help\PhotoImages\motion blur.jpg
c:\windows\system32\Help\Help\PhotoImages\partial gray scale.jpg
c:\windows\system32\Help\Help\PhotoImages\revert to original image.jpg
c:\windows\system32\Help\Help\PhotoImages\rotate left.jpg
c:\windows\system32\Help\Help\PhotoImages\rotate right.jpg
c:\windows\system32\Help\Help\PhotoImages\saturation.jpg
c:\windows\system32\Help\Help\PhotoImages\sepia.jpg
c:\windows\system32\Help\Help\PhotoImages\sharpness.jpg
c:\windows\system32\Help\Help\PhotoImages\undo.jpg
c:\windows\system32\Help\Help\Preferences.html
c:\windows\system32\Help\Help\Profiles.html
c:\windows\system32\Help\Help\Readme.html
c:\windows\system32\Help\Help\TemplateZone_Products.html
c:\windows\system32\Help\Help\Theme Manager.html
c:\windows\system32\Help\Help\ThemeImages\apply color theme.jpg
c:\windows\system32\Help\Help\ThemeImages\Color Beam button.jpg
c:\windows\system32\Help\Help\ThemeImages\Color Palette button.jpg
c:\windows\system32\Help\Help\ThemeImages\Color Picker button.jpg
c:\windows\system32\Help\Help\ThemeImages\color wheel.jpg
c:\windows\system32\Help\Help\ThemeImages\Create color theme.jpg
c:\windows\system32\Help\Help\ThemeImages\default color theme.jpg
c:\windows\system32\Help\Help\ThemeImages\edit theme.jpg
c:\windows\system32\Help\Help\ThemeImages\Theme manager create theme.jpg
c:\windows\system32\Help\Help\ThemeImages\Theme Manager.jpg
c:\windows\system32\Help\Help\ThemeImages\thememanager link.jpg
c:\windows\system32\Help\Help\TOC.html
c:\windows\system32\Help\Help\Uninstalling_the_Product.html
c:\windows\system32\Help\Help\Using_TemplatePacks.html
c:\windows\system32\Help\Help\Using_the_TemplateBrowser.html
c:\windows\system32\Help\Help\Working_with_ExcelTemplates.html
c:\windows\system32\Help\Help\Working_with_PowerPointTemplates.html
c:\windows\system32\Help\Help\Working_with_WordTemplates.html

Infected copy of c:\windows\system32\drivers\aic78xx.sys was found and disinfected
Restored copy from - Kitty had a snack
.
((((((((((((((((((((((((( Files Created from 2010-07-12 to 2010-08-12 )))))))))))))))))))))))))))))))
.

2010-07-28 19:08 . 2010-07-28 19:08 -------- d-----w- c:\windows\system32\drivers\NST
2010-07-28 19:08 . 2010-07-28 19:08 -------- d-----w- c:\program files\Norton Safe Web Lite
2010-07-21 15:51 . 2010-07-21 15:51 -------- d-----w- c:\program files\IObit
2010-07-21 15:51 . 2010-07-21 15:51 -------- d-----w- c:\documents and settings\Ed Tyson\Application Data\IObit
2010-07-21 15:47 . 2010-07-21 15:47 -------- d-----w- c:\program files\FastStone Capture
2010-07-21 15:42 . 2010-07-21 15:42 -------- d-----w- c:\program files\FastStone Image Viewer
2010-07-21 04:46 . 2010-07-21 12:34 -------- d-----w- c:\documents and settings\Ed Tyson\Local Settings\Application Data\NPE
2010-07-21 04:21 . 2010-07-21 04:21 -------- d-----w- c:\documents and settings\Ed Tyson\Application Data\Tific
2010-07-20 06:47 . 2010-05-06 04:01 361904 ----a-w- c:\windows\system32\drivers\symtdi.sys
2010-07-20 06:47 . 2010-04-22 03:02 173104 ----a-w- c:\windows\system32\drivers\symefa.sys
2010-07-20 06:47 . 2010-04-22 02:29 43696 ----a-w- c:\windows\system32\drivers\srtspx.sys
2010-07-20 06:47 . 2009-08-30 00:17 328752 ----a-w- c:\windows\system32\drivers\symds.sys
2010-07-20 06:47 . 2010-04-29 05:03 116784 ----a-w- c:\windows\system32\drivers\ironx86.sys
2010-07-20 06:47 . 2010-02-26 00:22 501888 ----a-w- c:\windows\system32\drivers\cchpx86.sys
2010-07-13 14:25 . 2010-07-13 14:25 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Mozilla

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-12 00:34 . 2010-05-14 17:13 -------- d-----w- c:\documents and settings\Ed Tyson\Application Data\Dropbox
2010-08-11 13:34 . 2010-07-04 00:26 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-08 17:48 . 2010-08-08 17:48 503808 ----a-w- c:\documents and settings\Ed Tyson\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5f864a80-n\msvcp71.dll
2010-08-08 17:48 . 2010-08-08 17:48 499712 ----a-w- c:\documents and settings\Ed Tyson\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5f864a80-n\jmc.dll
2010-08-08 17:48 . 2010-08-08 17:48 348160 ----a-w- c:\documents and settings\Ed Tyson\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5f864a80-n\msvcr71.dll
2010-08-08 17:48 . 2010-08-08 17:48 61440 ----a-w- c:\documents and settings\Ed Tyson\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-794ba30d-n\decora-sse.dll
2010-08-08 17:48 . 2010-08-08 17:48 12800 ----a-w- c:\documents and settings\Ed Tyson\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-794ba30d-n\decora-d3d.dll
2010-08-05 21:56 . 2007-09-21 04:06 -------- d-----w- c:\documents and settings\Ed Tyson\Application Data\U3
2010-08-02 19:10 . 2008-10-08 20:45 -------- d-----w- c:\program files\Norton SystemWorks Premier
2010-07-28 19:08 . 2009-07-04 23:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-07-28 19:05 . 2009-07-04 23:53 -------- d-----w- c:\program files\NortonInstaller
2010-07-21 15:42 . 2008-05-23 20:41 -------- d-----w- c:\documents and settings\Ed Tyson\Application Data\FastStone
2010-07-20 03:34 . 2007-05-12 04:31 -------- d-----w- c:\program files\Symantec
2010-07-20 03:34 . 2008-09-16 23:53 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-07-20 03:34 . 2008-09-16 23:53 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-07-20 03:34 . 2008-09-16 23:53 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-07-20 03:34 . 2008-09-16 23:53 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-07-20 03:29 . 2009-07-04 23:53 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-07-11 22:50 . 2007-05-17 22:42 -------- d-----w- c:\program files\Google
2010-07-11 22:46 . 2010-07-11 22:46 -------- dc----w- c:\documents and settings\All Users\Application Data\{65893B95-F47B-4483-B883-86BA181E9B54}
2010-07-11 22:36 . 2007-04-17 22:21 -------- d-----w- c:\program files\Lavasoft
2010-07-06 17:29 . 2010-07-11 22:46 2979280 -c--a-w- c:\documents and settings\All Users\Application Data\{65893B95-F47B-4483-B883-86BA181E9B54}\Ad-AwareInstall.exe
2010-07-06 17:28 . 2009-08-11 05:18 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-07-04 16:13 . 2010-07-04 05:41 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-07-04 00:26 . 2007-04-18 02:41 1100 ----a-w- c:\windows\system32\d3d8caps.dat
2010-06-24 19:46 . 2009-08-26 18:28 -------- d-----w- c:\documents and settings\Ed Tyson\Application Data\HpUpdate
2010-06-22 13:52 . 2010-06-22 13:52 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-06-22 13:51 . 2009-08-10 20:11 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-06-17 22:12 . 2007-06-29 00:19 -------- d-----w- c:\program files\Common Files\Java
2010-06-17 22:09 . 2010-06-17 22:10 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-17 22:08 . 2007-06-29 00:20 -------- d-----w- c:\program files\Java
2010-06-03 21:24 . 2010-07-28 19:09 813936 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{92622AAD-05E8-4459-B256-765CE1E929FB}\NST_1.0.1.8\coFFNST\components\coFFNST.dll
2010-05-30 23:34 . 2010-05-30 23:34 290816 ----a-w- c:\documents and settings\Ed Tyson\Application Data\SystemRequirementsLab\SRLProxy_nvd_4.dll
2010-05-30 23:34 . 2010-05-30 23:34 290816 ----a-w- c:\documents and settings\Ed Tyson\Application Data\SystemRequirementsLab\SRLProxy_nvd_3.dll
2010-05-30 23:34 . 2010-05-30 23:34 290816 ----a-w- c:\documents and settings\Ed Tyson\Application Data\SystemRequirementsLab\SRLProxy_nvd_2.dll
2010-05-30 23:34 . 2010-05-30 23:34 290816 ----a-w- c:\documents and settings\Ed Tyson\Application Data\SystemRequirementsLab\SRLProxy_nvd_1.dll
2010-05-28 16:48 . 2010-05-28 16:48 503808 ----a-w- c:\documents and settings\Ed Tyson\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5c50ebfc-n\msvcp71.dll
2010-05-28 16:48 . 2010-05-28 16:48 499712 ----a-w- c:\documents and settings\Ed Tyson\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5c50ebfc-n\jmc.dll
2010-05-28 16:48 . 2010-05-28 16:48 348160 ----a-w- c:\documents and settings\Ed Tyson\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5c50ebfc-n\msvcr71.dll
2010-05-28 16:48 . 2010-05-28 16:48 61440 ----a-w- c:\documents and settings\Ed Tyson\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-656369d1-n\decora-sse.dll
2010-05-28 16:48 . 2010-05-28 16:48 12800 ----a-w- c:\documents and settings\Ed Tyson\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-656369d1-n\decora-d3d.dll
2010-05-14 17:14 . 2010-05-14 17:14 89831 ----a-w- c:\documents and settings\Ed Tyson\Application Data\Dropbox\bin\Uninstall.exe
2000-12-12 19:17 . 2000-12-14 02:22 100432 ------w- c:\program files\Win2000PPAHotfix.exe
2009-07-10 16:57 . 2007-09-14 17:58 28488 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2009-07-10 16:57 . 2007-09-14 17:58 185232 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2001-08-18 12:00 . 2001-08-18 12:00 94784 --sh--w- c:\windows\twain.dll
2008-04-14 00:12 . 2001-08-18 12:00 50688 --sh--w- c:\windows\twain_32.dll
2008-04-14 00:11 . 2001-08-18 12:00 1028096 --sha-w- c:\windows\SYSTEM32\mfc42.dll
2008-04-14 00:12 . 2001-08-18 12:00 57344 --sh--w- c:\windows\SYSTEM32\msvcirt.dll
2008-04-14 00:12 . 2001-08-18 12:00 413696 --sha-w- c:\windows\SYSTEM32\msvcp60.dll
2008-04-14 00:12 . 2002-01-10 17:31 343040 --sha-w- c:\windows\SYSTEM32\msvcrt.dll
2008-04-14 00:12 . 2001-08-18 12:00 551936 --sh--w- c:\windows\SYSTEM32\oleaut32.dll
2008-04-14 00:12 . 2001-08-18 12:00 84992 --sha-w- c:\windows\SYSTEM32\olepro32.dll
2008-04-14 00:12 . 2001-08-18 12:00 11776 --sh--w- c:\windows\SYSTEM32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Ed Tyson\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Ed Tyson\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Ed Tyson\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2010-07-14 2347216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellCleanup"="c:\dell\WINCLEAN.EXE" [2001-10-04 153600]
"POINTER"="c:\program files\Microsoft Hardware\Mouse\point32.exe" [2001-08-24 167936]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"DellTouch"="c:\windows\MMKeybd.exe" [2001-09-05 163840]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-08-23 196608]
"IntelliType"="c:\program files\Microsoft Hardware\Keyboard\type32.exe" [2001-06-12 69632]
"WinFaxAppPortStarter"="wfxsnt40.exe" [2001-08-08 43520]
"NeroCheck"="c:\windows\System32\NeroCheck.exe" [2001-06-12 151552]
"nwiz"="nwiz.exe" [2003-07-28 323584]
"ADUserMon"="c:\program files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 147456]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-17 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-17 81920]
"ScanSoft OmniPage 16-reminder"="c:\program files\ScanSoft\OmniPage16\Ereg\Ereg.exe" [2007-07-20 328992]
"IPInSightMonitor 01"="c:\program files\EarthLink TotalAccess\FastLane2\IPMon32.exe" [2005-08-11 122880]
"IPInSightLAN 01"="c:\program files\EarthLink TotalAccess\FastLane2\IPClient.exe" [2005-08-11 380928]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"Norton Save and Restore 2.0"="c:\program files\Norton Save and Restore\Agent\VProTray.exe" [2008-05-07 2037088]
"NSWosCheck"="c:\program files\Norton SystemWorks Premier\osCheck.exe" [2007-09-18 25472]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-05-16 648504]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2008-05-22 451896]
"Iomega Drive Icons"="c:\program files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 86016]
"Deskup"="c:\program files\Iomega\DriveIcons\deskup.exe" [2002-07-16 32768]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" [2007-03-13 517768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-06-17 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-25 98304]

c:\documents and settings\Ed Tyson\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Ed Tyson\Application Data\Dropbox\bin\Dropbox.exe [2010-2-25 21979992]
LaunchU3.exe.lnk - c:\documents and settings\Ed Tyson\Application Data\Microsoft\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2009-9-15 22486]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Camio Viewer 2000.lnk - c:\program files\Sierra Imaging\Image Expert 2000\IXApplet.exe [2001-11-16 49152]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
SentriLockCardUtility.lnk - c:\program files\SentrilockCardUtility\SentrilockCardUtility.exe [2007-5-18 5503432]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2002-2-3 106560]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\MindSpring\\MindSpring.exe"=
"c:\\Documents and Settings\\Ed Tyson\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:*:Disabled:EarthLink UHP Modem Support
"67:UDP"= 67:UDP:DHCP Discovery Service

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [8/10/2009 1:11 PM 64288]
R2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [4/20/2007 10:58 AM 3744]
R2 EarthLinkMonitor;EarthLink Monitor Service;c:\program files\EarthLink TotalAccess\WENGINE\wmonitor.exe [1/26/2005 11:47 AM 65604]
R2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [4/20/2007 10:58 AM 3904]
R2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\17.7.0.12\ccsvchst.exe [7/19/2010 11:46 PM 126392]
R2 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [8/6/2001 12:41 PM 28672]
R2 Norton Save and Restore;Norton Save and Restore;c:\program files\Norton Save and Restore\Agent\VProSvc.exe [6/27/2007 6:45 PM 3425632]
R2 NProtectService;Norton UnErase Protection;c:\progra~1\NORTON~4\NORTON~1\NPROTECT.EXE [11/3/2005 8:08 PM 95832]
R2 NSL;Norton Safe Web Lite;c:\program files\Norton Safe Web Lite\Engine\1.0.1.8\ccSvcHst.exe [7/28/2010 12:08 PM 126904]
R3 BW2NDIS5;BW2NDIS5;c:\windows\SYSTEM32\DRIVERS\BW2NDIS5.SYS [11/1/2004 2:16 PM 17536]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/26/2010 8:25 PM 102448]
R3 Msikbd2k;DellTouch;c:\windows\SYSTEM32\DRIVERS\Msikbd2k.sys [10/3/2000 2:18 PM 6942]
R3 NeroCd2k;NeroCd2k;c:\windows\SYSTEM32\DRIVERS\NeroCD2k.sys [4/16/2001 3:54 AM 44227]
R3 SCR3XX2K;SCR3xx USB SmartCardReader;c:\windows\SYSTEM32\DRIVERS\SCR3XX2K.sys [10/17/2007 11:11 PM 56448]
R3 tbcspud;Santa Cruz Driver;c:\windows\SYSTEM32\DRIVERS\tbcspud.sys [12/31/1979 11:00 PM 142336]
R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\SYSTEM32\DRIVERS\tbcwdm.sys [12/31/1979 11:00 PM 524288]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1107000.00C\SYMDS.SYS --> c:\windows\system32\drivers\NAV\1107000.00C\SYMDS.SYS [?]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1107000.00C\SYMEFA.SYS --> c:\windows\system32\drivers\NAV\1107000.00C\SYMEFA.SYS [?]
S1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\BASHDefs\20100719.001\BHDrvx86.sys [7/19/2010 4:28 PM 692272]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1107000.00C\ccHPx86.sys --> c:\windows\system32\drivers\NAV\1107000.00C\ccHPx86.sys [?]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1107000.00C\Ironx86.SYS --> c:\windows\system32\drivers\NAV\1107000.00C\Ironx86.SYS [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/11/2010 3:47 PM 135664]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/6/2010 10:28 AM 1355416]
S3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\20100809.001\IDSXpx86.sys [8/10/2010 5:24 PM 331640]
S3 KLSIENET;Driver for USB Ethernet Adapter;c:\windows\SYSTEM32\DRIVERS\usb101et.sys [11/24/2001 9:36 PM 32384]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [4/10/2010 5:05 PM 266544]
S3 SCR33X USB Smart Card Reader;SCR33X USB Smart Card Reader;c:\windows\SYSTEM32\DRIVERS\SCR33X2K.sys [5/18/2007 7:28 AM 64088]
S3 vtdg46xx;vtdg46xx;c:\progra~1\TURTLE~1\SANTAC~1\CONTRO~1\vtdg46xx.sys [11/16/2001 1:40 PM 19232]
S4 mrtRate;mrtRate;c:\windows\SYSTEM32\DRIVERS\MrtRate.sys [11/26/2001 11:17 AM 34712]
.
Contents of the 'Scheduled Tasks' folder

2010-08-12 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-06 22:28]

2010-08-12 c:\windows\Tasks\ConfigExec.job
- c:\program files\Microsoft Fix it Center\MatsApi.dll [2010-04-11 00:05]

2010-08-11 c:\windows\Tasks\DataUpload.job
- c:\program files\Microsoft Fix it Center\MatsApi.dll [2010-04-11 00:05]

2010-08-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-11 22:46]

2010-08-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-11 22:46]

2010-08-09 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job
- c:\program files\Norton SystemWorks Premier\OBC.exe [2007-09-18 15:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.sandicor.com/
uInternet Settings,ProxyOverride = <local>
IE: Add to Evernote - c:\program files\Evernote\Evernote3\enbar.dll/2000
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
LSP: c:\program files\EarthLink TotalAccess\Accelerator\prplsf.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {71CA4411-45EC-4608-B9D7-6D4B6A9D1BB4} - hxxp://service.dell.com/dell/SystemProfiler.cab
DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} - hxxp://tempo5.sandicor.com/5.0.05.46/Control/IRCSharc.cab
FF - ProfilePath - c:\documents and settings\Ed Tyson\Application Data\Mozilla\Firefox\Profiles\l22iv8cx.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{92622AAD-05E8-4459-B256-765CE1E929FB}\NST_1.0.1.8\coFFNST\components\coFFNST.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Picasa2\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
URLSearchHooks-{E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - (no file)
WebBrowser-{D0523BB4-21E7-11DD-9AB7-415B56D89593} - (no file)
HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
HKCU-Run-OpAgent - OpAgent.exe
AddRemove-Adobe Photoshop 5.0 Limited Edition - c:\program files\Adobe\Photoshop 5.0 LE\DeIsL2.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-11 18:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\17.7.0.12\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\17.7.0.12\diMaster.dll\" /prefetch:1"
--

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NSL]
"ImagePath"="\"c:\program files\Norton Safe Web Lite\Engine\1.0.1.8\ccSvcHst.exe\" /s \"NSL\" /m \"c:\program files\Norton Safe Web Lite\Engine\1.0.1.8\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@DACL=(02 0010)
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
@DACL=(02 0010)
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@DACL=(02 0010)
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@DACL=(02 0010)
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(796)
c:\program files\EarthLink TotalAccess\Accelerator\prplsf.dll
.
Completion time: 2010-08-11 18:11:12
ComboFix-quarantined-files.txt 2010-08-12 01:11

Pre-Run: 26,606,112,768 bytes free
Post-Run: 26,610,601,984 bytes free

- - End Of File - - 01E9946E5E99CCD1868F40D226F91063


#4 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:08:09 AM

Posted 12 August 2010 - 01:43 PM

Good evening.

QUOTE
Re: sending $ thru paypal to combofix, I don't have an account. Is there another way? I don't want to get involved with PayPal.

I don't know, so I've contacted sUBs to see what the score is.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I don't see any indication that ComboFix has removed anything Norton related, but I can't say for certain that it has had nothing to do with whatever issue Norton has. If there doesn't seem to be a simple solution to the problem, you may have to uninstall and reinstall Norton to solve its issues, but I'm not really sure - it's what I used to do when I had it and it wouldn't play nicely.

It's best if you can resolve this before we continue as a dodgy anti-virus is a recipe for tears at bedtime.

So long, and thanks for all the fish.

#5 EdSanDiego

EdSanDiego
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:01:09 AM

Posted 12 August 2010 - 05:02 PM

Now that a third error message has popped up, I'll go to Symantec tech support. I have a 3-user license and don't want to lose an install.
Re: combofix, if I have an address, I can send a personal check.

#6 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:08:09 AM

Posted 13 August 2010 - 03:03 PM

Good evening.

Having had Symantec software myself in the past and needing to reinstall, I don't think that it affects your user license, but better to check. Let me know how you get on with tech support.

The reply I received from sUBs is as follows, more or less -
QUOTE
Please convey my thanks to the said gentleman. It's okay if Paypal isn't workable. Donations aren't necessary.


So long, and thanks for all the fish.

#7 EdSanDiego

EdSanDiego
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:01:09 AM

Posted 14 August 2010 - 02:48 PM

I just finished the uninstall/reinstall of NAV with the help of tech support. There were some hidden files that I could not uninstall with the Norton Removal Tools that I downloaded. At this point, everything seems to be OK with NAV.
My system is much better... no redirects of my searches. No malicious pop-ups.
I did have to do a manual shut-down yesterday, but I believe that was due to NAV errors that locked up my system.
I received a post from another team member who said that ComboFix apparently removed the rootkit problem. Is that true?


#8 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:08:09 AM

Posted 14 August 2010 - 04:40 PM

QUOTE
There were some hidden files that I could not uninstall with the Norton Removal Tools that I downloaded.

Is that Norton related hidden files? I ask because there is another removal tool that you may find that works better should you ever need to do the same thing again in future.

QUOTE
I received a post from another team member who said that ComboFix apparently removed the rootkit problem.

Might I enquire who?

QUOTE
Is that true?

The nasty that Norton was warning you about does indeed appear to be gone.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

With nasties such as the one that you had I like to have a second opinion on the state of your hard drive, so will you work through the following and post accordingly:

Download Malwarebytes' Anti-Malware from here and save it to your Desktop - unless you already have it, in which case skip to the "updating" bit below.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • Ensure a checkmark is placed next to both Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware and then click Finish.
  • If an update is found, it will download and install the latest version - you'll need to clear it with your firewall.
  • Once the program has loaded, select Perform full scan and then Scan.
  • When the scan has finished, click OK and then Show Results to view the results - no surprise there!
  • If MBAM finds anything, check the box(es) and click Remove Selected.
  • Please note - Leave unchecked any boxes that have \System Volume Information\ in the filepath. These pose no immediate risk to your PC unless you use System Restore and will be dealt with later.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Let me have the MBAM log, a fresh DDS log AND a description of how your PC is behaving.

So long, and thanks for all the fish.

#9 EdSanDiego

EdSanDiego
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:01:09 AM

Posted 14 August 2010 - 05:08 PM

1) The comment came from Blathnat, who suggested that TeaTimer in SpyBot may be creating problems with NAV. She (I checked on her info box) suggested that I join a Norton forum. After the reinstall, I asked the tech at Symantec (India) if either SpyBot or AdAware interfered with NAV. The answer was 'no.'
2) The "hidden" files were from Symantec WebFax Pro. It did not show in either Add/Remove, Search or my visual check of all Symantec and Norton folders that I could find in Program files. The tech took control of my system and had to try a few different removal tools before finally scrubbing it and all Norton products in my system. It may have been in an old version of Norton System Works. Not sure. Norton Removal Tool kept prompting me to first delete WebFaxPro before continuing. It would not proceed without that occurring first.
3) in past SpyBot scans, there was a registry problem related to Macromedia Flash Player. I could not fix or remove the error. When I went to the registry, I was able to find it, but it could not be deleted. I have not run SpyBot since the NAV reinstall. Are you able to determine if it has been resolved?
4) I will follow your most recent instructions for MalwareBytes and reply.
Thx again.


#10 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:08:09 AM

Posted 14 August 2010 - 05:21 PM

Thanks.

QUOTE
in past SpyBot scans, there was a registry problem related to Macromedia Flash Player.

Can you give me a little more information on this.

So long, and thanks for all the fish.

#11 EdSanDiego

EdSanDiego
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:01:09 AM

Posted 14 August 2010 - 11:12 PM

1) re: registry error for Macromedia... I did not write down the full description. I went to regedit to try to remove it manually, but I kept getting a message stating that I could not delete it.
2) MalwareBytes found 4 items that were removed. On the next restart, I received 2 messages:
a) something shut down AdAware
b) a message from Norton stating that I had been infected with Backdoor.Tidserv.Inf and that it requires manual removal.
3) Log from MalwareBytes:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4430

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/14/2010 8:03:15 PM
mbam-log-2010-08-14 (20-03-15).txt

Scan type: Full scan (C:\|)
Objects scanned: 325665
Time elapsed: 3 hour(s), 27 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Ed Tyson\Application Data\ErrorSmart (Rogue.ErrorSmart) -> No action taken.
C:\Documents and Settings\Ed Tyson\Application Data\ErrorSmart\Log (Rogue.ErrorSmart) -> No action taken.
C:\Documents and Settings\Ed Tyson\Application Data\ErrorSmart\Registry Backups (Rogue.ErrorSmart) -> No action taken.

Files Infected:
C:\Documents and Settings\Ed Tyson\Application Data\ErrorSmart\Registry Backups\2008-03-09_20-00-02.reg (Rogue.ErrorSmart) -> No action taken.


#12 EdSanDiego

EdSanDiego
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:01:09 AM

Posted 15 August 2010 - 12:07 PM

FYI:
1) I searched the log files for the Macromedia -related registry problem. It is in one of the "locked keys." See Macromedia........ Active X
2) I did a full system scan with AdAware: zero items
3) Did a full scan with SpyBot: one hit- "Microsoft Security Center- Disabled"
4) there was an icon in my post of yesterday. I did not intend to put it there, but could not remove it.



#13 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:08:09 AM

Posted 15 August 2010 - 02:00 PM

Good evening.

QUOTE
On the next restart, I received 2 messages:
a) something shut down AdAware
b ) a message from Norton stating that I had been infected with Backdoor.Tidserv.Inf and that it requires manual removal.

As I cannot see your computer screen I am dependent on your description of events and you aren't giving me too much to go on.
I assume that the message about Ad-Aware was from Ad-Aware - is this correct and what exactly did it say?
What was it that Norton actually detected - I need to know whether it was files, folders or registry entries and if possible what they were.

So long, and thanks for all the fish.

#14 EdSanDiego

EdSanDiego
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:01:09 AM

Posted 15 August 2010 - 07:45 PM

My apologies for not being complete.
1) re: the AdAware shutdown after the NAV reinstall, I don't remember the exact message. However, I re-booted and it worked fine. I did a full scan and it turned up zero.
2) Norton did not initially give any more than I gave you. More came after I did a full system scan (see #4 below).
3) I did a quick scan with Norton, and it found 39 tracking cookies that it deleted.
4) I then did a full system scan with Norton (it just finished) and it found Backdoor.Tidserv!inf.
According to Norton, the infected file is c:\Qoobox\quarantine\c\windows\system32\Drivers\aic78xx.sys.vir and manual removal is required.
Should I attempt the Norton system for removal? It involves the use of Windows Recovery Console.
Please advise.

#15 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:08:09 AM

Posted 16 August 2010 - 01:44 PM

Good evening.

QUOTE
1) re: the AdAware shutdown after the NAV reinstall, I don't remember the exact message. However, I re-booted and it worked fine. I did a full scan and it turned up zero.

We'll put this one down to experience then, as long as it doesn't become a regular thing.

QUOTE
4) I then did a full system scan with Norton (it just finished) and it found Backdoor.Tidserv!inf.
According to Norton, the infected file is c:\Qoobox\quarantine\c\windows\system32\Drivers\aic78xx.sys.vir and manual removal is required.
Should I attempt the Norton system for removal? It involves the use of Windows Recovery Console.

c:\Qoobox\quarantine is the location that ComboFix uses to dump files that it has removed in case that they are needed for some purpose. The Recovery Console isn't actually necessary for the removal, you can just open the folder and delete the file.
However, once your machine is clean CF will be uninstalled and it will remove the folder anyway, so I'd just ignore Norton with regard to this detection.

If you let me have a fresh DDS log and tell me how the PC is behaving, apart from the issues already mentioned, we'll take it from there.

So long, and thanks for all the fish.
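
The two rules in this thread (post #8's note that hits under \System Volume Information\ are System Restore copies, and this post's explanation that c:\Qoobox\quarantine holds files ComboFix has already removed) are worth automating when reading scan logs, because a scanner reports the quarantined copy with the same severity as a live file. The script below is an added example written for this page, not code from the thread or from ComboFix, Norton or Malwarebytes. It assumes that ComboFix mirrors the original path under the quarantine folder and marks the copy with a .vir suffix (both inferred from the aic78xx.sys.vir path quoted above), and its sample input is constructed apart from the two paths taken from the thread.

```python
r"""Triage antivirus detections: is the flagged file live, or an inert copy?

Added example, not from the BleepingComputer thread. It encodes two rules the
thread states: files under ComboFix's c:\Qoobox\quarantine are removed copies,
and files under \System Volume Information\ are System Restore snapshots. The
mirrored-path layout (quarantine\c\windows\... for C:\windows\...) and the
.vir suffix are assumptions taken from the one quarantine path the thread shows.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ComboFix quarantine (assumed layout): <drive>:\Qoobox\Quarantine\<orig drive>\<orig path>[.vir]
COMBOFIX_RE = re.compile(
    r"^[a-z]:\\qoobox\\quarantine\\(?P<drive>[a-z])\\(?P<rest>.+?)(?:\.vir)?$",
    re.IGNORECASE,
)
# Malwarebytes-style log line: <path> (<detection name>) -> <action>
MBAM_LINE_RE = re.compile(
    r"^(?P<path>[a-z]:\\.*?) \((?P<name>[^)]+)\) -> (?P<action>.+)$", re.IGNORECASE
)
BARE_PATH_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)


@dataclass
class Verdict:
    path: str
    name: Optional[str]       # detection name, if the line carried one
    status: str               # "live", "combofix-quarantine" or "system-restore"
    original: Optional[str]   # pre-quarantine path, when it can be derived


def parse_detection_line(line: str) -> Optional[Tuple[str, Optional[str]]]:
    """Extract (path, detection name) from an MBAM-style line or a bare path."""
    line = line.strip()
    m = MBAM_LINE_RE.match(line)
    if m:
        return m["path"], m["name"]
    if BARE_PATH_RE.match(line):
        return line, None
    return None  # header, counter or blank line, not a detection


def classify(path: str, name: Optional[str] = None) -> Verdict:
    """Decide whether a flagged path is live or an inert quarantined/backup copy."""
    norm = path.strip().replace("/", "\\")
    m = COMBOFIX_RE.match(norm)
    if m:
        # Rebuild where the file lived before ComboFix moved it, dropping the
        # .vir suffix; the casing of the tail is kept from the input.
        original = f"{m['drive']}:\\{m['rest']}"
        return Verdict(path, name, "combofix-quarantine", original)
    if "\\system volume information\\" in norm.lower():
        return Verdict(path, name, "system-restore", None)
    return Verdict(path, name, "live", None)


def triage(lines: List[str]) -> List[Verdict]:
    """Classify every detection line, skipping lines that are not detections."""
    verdicts = []
    for line in lines:
        parsed = parse_detection_line(line)
        if parsed:
            verdicts.append(classify(*parsed))
    return verdicts


def summarize(verdicts: List[Verdict]) -> Counter:
    """Count verdicts by status so the live ones stand out."""
    return Counter(v.status for v in verdicts)


# Constructed sample input: the first two lines are paths quoted in the thread,
# the third is made up for this example, the fourth is a non-detection line.
SAMPLE_LINES = [
    r"c:\Qoobox\quarantine\c\windows\system32\Drivers\aic78xx.sys.vir",
    r"C:\Documents and Settings\Ed Tyson\Application Data\ErrorSmart\Registry Backups\2008-03-09_20-00-02.reg (Rogue.ErrorSmart) -> No action taken.",
    r"C:\System Volume Information\_restore{EXAMPLE}\RP1\A0000001.sys (Sample.Detection) -> No action taken.",
    "Files Infected: 1",
]

if __name__ == "__main__":
    results = triage(SAMPLE_LINES)
    for v in results:
        tail = f" (was {v.original})" if v.original else ""
        print(f"{v.status:20} {v.path}{tail}")
    print(dict(summarize(results)))
```

Run it as-is to see the three verdicts, or feed it a real log with `triage(open(logfile).read().splitlines())`. Only paths reported as live warrant action; a quarantine or restore-point hit means the scanner is looking at a copy that is already out of the execution path, which is exactly why the advice in this post is to ignore Norton's Qoobox detection rather than to fire up the Recovery Console.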

 

 




