
Infected with some redirect / ad pop-up malware


This topic is locked
19 replies to this topic

#1 j_hong25

  • Members
  • 9 posts

Posted 13 September 2010 - 11:30 AM


Within the last six months, the use of Google has caused other windows to pop up, showing me fake news sites, faux anti-virus solutions, etc. My computer is drastically slower, as I've noticed with the use of playing back compositions in Finale. I've been running Norton Internet Security for the past three years and it has never slowed me down...
I am using a Dell Inspiron Laptop with Windows XP Home Edition.

I tried following the steps before posting my dilemma in this forum. I was able to comply with all the steps except completing the GMER scan. I desperately tried to accomplish this over the past two weeks every day -- initially waiting for over 20 hours (to no avail...), disconnecting from the internet and shutting off all Norton processes, then inevitably trying to scan in safe mode. It would not let me scan in safe mode. All other previous times I tried to scan, it showed me the Blue Screen of Death with a different cause of problem each time...I absolutely could not get a GMER scan completed.

So for now I am just posting my DDS scan in hopes of starting somewhere. Here it is below:



DDS (Ver_10-03-17.01) - NTFSx86
Run by Benjamin J. Park at 22:58:19.00 on Tue 09/07/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1140 [GMT -4:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
C:\Program Files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\XYNTService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\System32\VService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\OdHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Benjamin J. Park\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uWindow Title = Microsoft Internet Explorer provided by Verizon Online
uSearch Bar =
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uLocal Page =
mDefault_Page_URL =
mLocal Page =
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\17.7.0.12\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\17.7.0.12\IPSBHO.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\17.7.0.12\coIEPlg.dll
TB: AIM Search: {40d41a8b-d79b-43d7-99a7-9ee0f344c385} -
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - No File
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {E83FA434-9BC0-47F6-8740-71A646482E77} - No File
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [Google Update] "c:\documents and settings\benjamin j. park\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10h_ActiveX.exe -update activex
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\benjam~1.par\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 5.0\distillr\AcroTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bounce~1.lnk - c:\program files\cms products\bounceback express\BBLauncher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\google~1.lnk - c:\program files\google\google calendar sync\GoogleCalendarSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\linksys\wireless-g notebook adapter with speedbooster\Startup.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: newbienudes.com\www
Trusted Zone: turbotax.com
DPF: ConferenceRoom Java Client - hxxp://irc.theamateurchat.com/java/cr.cab
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: Yahoo! Poker - hxxp://download.games.yahoo.com/games/clients/y/pt3_x.cab
DPF: {0000000A-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
DPF: {00000045-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/sg726acm.cab
DPF: {00000075-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxmsdec.CAB
DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124820645406
DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} - hxxp://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124820631734
DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - hxxp://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37871.4691782407
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - hxxp://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.shockwave.com/content/zuma/popcaploader_v5.cab
TCP: NameServer = 208.67.220.220,208.67.222.222
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\benjam~1.par\applic~1\mozilla\firefox\profiles\g0zwg4l1.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.6.0.32\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\program files\free download manager\firefox\extension\components\vmsfdmff.dll
FF - plugin: c:\documents and settings\benjamin j. park\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\benjamin j. park\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\benjamin j. park\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\picasa2\npPicasa2.dll
FF - plugin: c:\program files\picasa2\npPicasa3.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin9.dll
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-7-3 64288]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1107000.00c\symds.sys [2010-5-25 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1107000.00c\symefa.sys [2010-5-25 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.6.0.32\definitions\bashdefs\20100810.004\BHDrvx86.sys [2010-8-9 692272]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1107000.00c\cchpx86.sys [2010-5-25 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1107000.00c\ironx86.sys [2010-5-25 116784]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [2001-12-19 8576]
R2 NICSer_WPC54GS;NICSer_WPC54GS;c:\program files\linksys\wireless-g notebook adapter with speedbooster\NICServ.exe [2006-10-3 455680]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\17.7.0.12\ccsvchst.exe [2010-5-25 126392]
R2 portD;CMS PortIO Service;c:\windows\system32\drivers\portd2k.sys [2006-10-25 7424]
R2 VAgnt Helper Service;VAgnt Helper Service;c:\windows\system32\XYNTService.exe [2010-4-8 49152]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-27 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.6.0.32\definitions\ipsdefs\20100906.001\IDSXpx86.sys [2010-9-7 331640]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.6.0.32\definitions\virusdefs\20100907.025\NAVENG.SYS [2010-9-7 85424]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.6.0.32\definitions\virusdefs\20100907.025\NAVEX15.SYS [2010-9-7 1362608]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-7 135664]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1352832]
S3 SCR131C;SCRx31 Serial Smart Card Reader;c:\windows\system32\drivers\SCR131C.sys [2002-11-7 181875]
S3 SCR33X USB Smart Card Reader;SCR33X USB Smart Card Reader;c:\windows\system32\drivers\SCR33X2K.sys [2004-4-6 64088]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]

=============== Created Last 30 ================

2010-08-14 17:04:10 138496 ----a-w- c:\windows\system32\drivers\uviffjci.sys

==================== Find3M ====================

2010-07-21 20:21:39 138496 ----a-w- c:\windows\system32\drivers\xqyyhdgw.sys
2010-07-03 15:17:47 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
2005-01-22 21:04:34 56 --sh--r- c:\windows\system32\F14AC3F7D7.sys
2006-12-26 10:28:47 11480 --sha-w- c:\windows\system32\KGyGaAvL.sys
2008-09-26 21:48:53 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092620080927\index.dat

============= FINISH: 23:01:12.60 ===============
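The DDS log above is plain text with a fixed section layout, so the parts a malware-response helper reads first can be pulled out mechanically. What follows is an added example, not part of this thread and not code from the DDS tool's author (sUBs): a small Python parser for the DDS format that splits the log into its "=== ... ===" sections and reports three things the log itself already marks or that an analyst compares by hand: Pseudo HJT entries ending in "- No File" (orphaned registry entries), service entries whose file DDS could not find (printed as "[?]"), and .sys files dropped directly under system32\drivers in the "Created Last 30" / "Find3M" listings, grouped by identical byte size. The sample log is constructed in the DDS format with entries modelled on the post above; the grouping is an observation to prioritise a look, not a verdict, and the section names and regexes are my assumptions about the format as printed here.

```python
import re
from collections import OrderedDict, defaultdict

# Constructed excerpt in the DDS log format (headers and entry syntax as
# printed in the post above); not a complete log.
SAMPLE_DDS_LOG = r"""
DDS (Ver_10-03-17.01) - NTFSx86
Run by Example User at 22:58:19.00 on Tue 09/07/2010

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
TCP: NameServer = 208.67.220.220,208.67.222.222

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1107000.00c\symds.sys [2010-5-25 328752]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]

=============== Created Last 30 ================

2010-08-14 17:04:10 138496 ----a-w- c:\windows\system32\drivers\uviffjci.sys

==================== Find3M ====================

2010-07-21 20:21:39 138496 ----a-w- c:\windows\system32\drivers\xqyyhdgw.sys
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll

============= FINISH: 23:01:12.60 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+) (\S+) (.+)$")
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*)$")


def split_sections(text):
    """Return an ordered {section name: [non-empty lines]} map.
    Lines before the first '=== name ===' header go under the key ''."""
    sections = OrderedDict()
    current = ""
    sections[current] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line:
            sections[current].append(line)
    return sections


def orphaned_entries(sections):
    """Pseudo HJT entries whose target DDS could not find (it prints '- No File')."""
    return [l for l in sections.get("Pseudo HJT Report", []) if l.endswith("- No File")]


def services_without_file(sections):
    """Service names whose binary DDS could not stat (it prints '[?]' instead of a date/size)."""
    names = []
    for l in sections.get("SERVICES / DRIVERS", []):
        m = SERVICE_RE.match(l)
        if m and m.group(4).rstrip().endswith("[?]"):
            names.append(m.group(2))
    return names


def file_entries(sections, *names):
    """Parse the dated file listings (Created Last 30, Find3M) into dicts."""
    entries = []
    for name in names:
        for l in sections.get(name, []):
            m = FILE_RE.match(l)
            if m:
                entries.append({"section": name, "date": m.group(1), "time": m.group(2),
                                "size": int(m.group(3)), "attrs": m.group(4), "path": m.group(5)})
    return entries


def driver_files(entries):
    """Keep only .sys files whose directory is exactly ...\\system32\\drivers."""
    kept = []
    for e in entries:
        head, _, fname = e["path"].rpartition("\\")
        if fname.lower().endswith(".sys") and head.lower().endswith("\\system32\\drivers"):
            kept.append(e)
    return kept


def same_size_groups(entries):
    """Group paths by byte size; return only sizes shared by more than one file."""
    by_size = defaultdict(list)
    for e in entries:
        by_size[e["size"]].append(e["path"])
    return {size: paths for size, paths in by_size.items() if len(paths) > 1}


def triage(text):
    """Summarise the checks above for one DDS log (observations, not verdicts)."""
    sections = split_sections(text)
    drivers = driver_files(file_entries(sections, "Created Last 30", "Find3M"))
    return {
        "sections": [name for name in sections if name],
        "orphaned": orphaned_entries(sections),
        "missing_service_files": services_without_file(sections),
        "new_drivers": [e["path"] for e in drivers],
        "same_size_drivers": same_size_groups(drivers),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DDS_LOG).items():
        print(f"{key}: {value}")
```

Run as-is it prints the summary for the constructed sample; to use it on a real log, read the posted DDS.txt into `triage()` instead. Everything it reports is already visible in the log; the value is that the orphaned entries, the "[?]" services and the driver files of identical size are collected in one place instead of being spotted by eye in a few hundred lines.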






#2 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Location:Puerto rico

Posted 19 September 2010 - 11:44 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.
  1. Do not run any other tool until instructed to do so!
  2. Please Do not Attach logs or put in code boxes.
  3. Tell me about any problems that have occurred during the fix.
  4. Tell me of any other symptoms you may be having as these can help also.
  5. Do not run anything while running a fix.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:
    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger may ask you to reboot the machine, if it does - click OK
    Do not re-enable these drivers until otherwise instructed.

Download DDS:
    Please download DDS by sUBs from one of the links below and save it to your desktop:


    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.
    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after, two logs will appear:
      • DDS.txt
      • Attach.txt
    • A window will open instructing you to save & post the logs
    • Save the logs to a convenient place such as your desktop
    • Copy the contents of both logs & post in your next reply

Scan With RKUnHooker
  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning; it is ok, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


information and logs:
    In your next post I need the following
      1. logs from DDS
      2. log from RKUnHooker
      3. let me know of any problems you may have had

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 j_hong25

  • Topic Starter
  • Members
  • 9 posts

Posted 22 September 2010 - 07:13 PM

Hello Gringo!

Thank you for your reply! I am sorry my response is delayed...but here is the information requested in your instructions.
Below in order is the dds.txt, the attach.txt, and finally the Rootkit Unhooker report. I did not experience any problems completing the steps.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Benjamin J. Park at 19:45:45.70 on Wed 09/22/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1268 [GMT -4:00]

AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\XYNTService.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\CMS Products\BounceBack Express\BBLauncher.exe
C:\WINDOWS\System32\VService.exe
C:\Program Files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\OdHost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Benjamin J. Park\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uWindow Title = Microsoft Internet Explorer provided by Verizon Online
uSearch Bar =
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uLocal Page =
mDefault_Page_URL =
mLocal Page =
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\17.7.0.12\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\17.7.0.12\IPSBHO.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\17.7.0.12\coIEPlg.dll
TB: AIM Search: {40d41a8b-d79b-43d7-99a7-9ee0f344c385} -
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - No File
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {E83FA434-9BC0-47F6-8740-71A646482E77} - No File
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [Google Update] "c:\documents and settings\benjamin j. park\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\benjam~1.par\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 5.0\distillr\AcroTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bounce~1.lnk - c:\program files\cms products\bounceback express\BBLauncher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\google~1.lnk - c:\program files\google\google calendar sync\GoogleCalendarSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\linksys\wireless-g notebook adapter with speedbooster\Startup.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: newbienudes.com\www
Trusted Zone: turbotax.com
DPF: ConferenceRoom Java Client - hxxp://irc.theamateurchat.com/java/cr.cab
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: Yahoo! Poker - hxxp://download.games.yahoo.com/games/clients/y/pt3_x.cab
DPF: {0000000A-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
DPF: {00000045-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/sg726acm.cab
DPF: {00000075-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxmsdec.CAB
DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124820645406
DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} - hxxp://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124820631734
DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - hxxp://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37871.4691782407
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - hxxp://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.shockwave.com/content/zuma/popcaploader_v5.cab
TCP: NameServer = 208.67.220.220,208.67.222.222
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\benjam~1.par\applic~1\mozilla\firefox\profiles\g0zwg4l1.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.6.0.32\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\program files\free download manager\firefox\extension\components\vmsfdmff.dll
FF - plugin: c:\documents and settings\benjamin j. park\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\benjamin j. park\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\benjamin j. park\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\benjamin j. park\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\picasa2\npPicasa2.dll
FF - plugin: c:\program files\picasa2\npPicasa3.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin9.dll
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1107000.00c\symds.sys [2010-5-25 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1107000.00c\symefa.sys [2010-5-25 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.6.0.32\definitions\bashdefs\20100901.003\BHDrvx86.sys [2010-8-31 692272]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1107000.00c\cchpx86.sys [2010-5-25 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1107000.00c\ironx86.sys [2010-5-25 116784]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [2001-12-19 8576]
R2 NICSer_WPC54GS;NICSer_WPC54GS;c:\program files\linksys\wireless-g notebook adapter with speedbooster\NICServ.exe [2006-10-3 455680]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\17.7.0.12\ccsvchst.exe [2010-5-25 126392]
R2 portD;CMS PortIO Service;c:\windows\system32\drivers\portd2k.sys [2006-10-25 7424]
R2 VAgnt Helper Service;VAgnt Helper Service;c:\windows\system32\XYNTService.exe [2010-4-8 49152]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-27 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.6.0.32\definitions\ipsdefs\20100920.001\IDSXpx86.sys [2010-9-22 331640]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.6.0.32\definitions\virusdefs\20100921.003\NAVENG.SYS [2010-9-22 85424]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.6.0.32\definitions\virusdefs\20100921.003\NAVEX15.SYS [2010-9-22 1362608]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-7 135664]
S3 SCR131C;SCRx31 Serial Smart Card Reader;c:\windows\system32\drivers\SCR131C.sys [2002-11-7 181875]
S3 SCR33X USB Smart Card Reader;SCR33X USB Smart Card Reader;c:\windows\system32\drivers\SCR33X2K.sys [2004-4-6 64088]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]

=============== Created Last 30 ================

2010-09-08 21:54:02 0 ----a-w- c:\documents and settings\benjamin j. park\defogger_reenable

==================== Find3M ====================

2010-08-14 17:04:10 138496 ----a-w- c:\windows\system32\drivers\uviffjci.sys
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2005-01-22 21:04:34 56 --sh--r- c:\windows\system32\F14AC3F7D7.sys
2006-12-26 10:28:47 11480 --sha-w- c:\windows\system32\KGyGaAvL.sys
2008-09-26 21:48:53 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092620080927\index.dat

============= FINISH: 19:48:14.47 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 9/7/2003 2:34:08 AM
System Uptime: 9/22/2010 9:06:46 AM (10 hours ago)

Motherboard: Dell Computer Corporation | |
Processor: Mobile Intel® Pentium® 4 CPU 3.20GHz | Microprocessor | 3189/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 37 GiB total, 3.568 GiB free.
D: is CDROM ()
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP187: 6/13/2010 1:39:44 PM - Software Distribution Service 3.0
RP188: 6/14/2010 11:19:58 AM - Software Distribution Service 3.0
RP189: 6/20/2010 5:14:57 PM - System Checkpoint
RP190: 6/20/2010 5:42:08 PM - Printer Driver Vbuzzer Fax Printer Driver Installed
RP191: 6/24/2010 4:04:44 PM - Software Distribution Service 3.0
RP192: 6/28/2010 9:28:03 PM - System Checkpoint
RP193: 7/20/2010 5:21:42 PM - Software Distribution Service 3.0
RP194: 8/3/2010 4:29:32 PM - Software Distribution Service 3.0
RP195: 8/4/2010 4:47:19 PM - System Checkpoint
RP196: 8/8/2010 3:24:30 PM - System Checkpoint
RP197: 8/13/2010 2:26:09 PM - Software Distribution Service 3.0
RP198: 8/15/2010 12:54:39 PM - System Checkpoint
RP199: 9/2/2010 3:40:03 PM - System Checkpoint
RP200: 9/7/2010 10:15:13 PM - System Checkpoint

==== Installed Programs ======================


AC3Filter (remove only)
Adobe Acrobat 5.0
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop CS
Adobe Product/Adobe Studio Update 10/2001
Adobe Reader 7.1.0
Adobe® Photoshop® Album Starter Edition 3.0
AnswerWorks 4.0 Runtime - English
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATI Control Panel
ATI Display Driver
Audacity 1.3.4 (Unicode)
AutoUpdate
B44Inst
BACS
BCM V.92 56K Modem
Bonjour
BounceBack Express
Broadcom 440x Driver Installer
Broadcom Advanced Control Suite
capella-reader Version 5.3
Critical Update for Windows Media Player 11 (KB959772)
dBpowerAMP FLAC Codec
dBpowerAMP Music Converter
Dell Driver Download Manager
Dell Picture Studio - Dell Image Expert
Dell ResourceCD
Dell Support Center (Support Software)
DiscWizard for Windows
DivX Codec
DivX Converter
DivX Player
DivX Web Player
DNA
Dolet Light for Finale
Easy CD Creator 5 Basic
Eusing Free Registry Cleaner
FileSpecs extension for Ad-aware 6
Finale 2008
Free Download Manager 3.0
FUJIFILM USB Driver
Garmin WebUpdater
Garritan Instruments for Finale
Google Calendar Sync
Google Desktop
Google Earth
Google Talk (remove only)
Google Talk Plugin
Google Update Helper
Google Updater
GSpot Codec Information Appliance
HexDump extension for Ad-aware 6
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
ICS Viewer 6.0
ICUII
InFlac 1.1.1
InterActual Player
InterVideo WinDVD
iPod for Windows 2006-01-10
iPod for Windows User Guide
iPod System Software Updater 2.1
iTunes
Java 2 Runtime Environment, SE v1.4.1_02
Java Auto Updater
Java Web Start
Java™ 6 Update 18
Learn2 Player (Uninstall Only)
LSP Explorer Pluginfor Ad-aware 6
Magic ISO Maker v5.4 (build 0251)
MagicDisc 2.6.93
Messenger Control Plugin for Ad-aware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2003
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Office XP Media Content
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.6.8)
MSN
Musicnotes Player V1.23.1
Norton Internet Security
Odyssey Client
OE Messenger Plugin for Ad-aware
Office Animation Runtime
Paint Shop Pro 7
PCFriendly
PeerGuardian 2.0
Picasa
Picasa 3
QuickTime
RealPlayer
Rhapsody Player Engine
Riva FLV Encoder 2.0
SafePublish
SCR531 Smartcard Reader
Security Update for 2007 Microsoft Office System (KB2277947)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for 2007 Microsoft Office System (KB982312)
Security Update for 2007 Microsoft Office System (KB982331)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB982308)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office Outlook 2007 (KB980376)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office Publisher 2007 (KB982124)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2251419)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 9 Series (KB969878)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
SigmaTel AC97 Audio Drivers
Software Informer 1.0 BETA
Spy Sweeper
Spybot - Search & Destroy
Spybot - Search & Destroy 1.2
Streambox Vcr Suite 2
Synaptics Pointing Device Driver
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Outlook 2007 Junk Email Filter (kb2279264)
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Viewpoint Media Player
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VLC media player 1.0.1
WebFldrs XP
Winamp (remove only)
Windows Desktop Search 3.01
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
Wireless-G Notebook Adapter with SpeedBooster
Xiph QuickTime Components

==== Event Viewer Messages From Past Week ========

9/22/2010 7:14:23 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)

==== End Of File ===========================


RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2260992 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2260992 bytes
0x804D7000 RAW 2260992 bytes
0x804D7000 WMIxWDM 2260992 bytes
0xBF800000 Win32k 1855488 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xA6286000 C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.6.0.32\Definitions\VirusDefs\20100921.003\NAVEX15.SYS 1359872 bytes (Symantec Corporation, AV Engine)
0xBF059000 C:\WINDOWS\System32\ati3d2ag.dll 1159168 bytes (ATI Technologies Inc. , ati3d2ag.dll)
0xB9133000 C:\WINDOWS\System32\DRIVERS\BCMSM.sys 1101824 bytes (Broadcom Corporation, Modem Device Driver)
0xA88B4000 C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.6.0.32\Definitions\BASHDefs\20100901.003\BHDrvx86.sys 704512 bytes (Symantec Corporation, BASH Driver)
0xB9356000 C:\WINDOWS\System32\DRIVERS\ati2mtag.sys 626688 bytes (ATI Technologies Inc., ATI Radeon Miniport Driver)
0xF7B52000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xAB131000 C:\WINDOWS\system32\drivers\NIS\1107000.00C\ccHPx86.sys 520192 bytes (Symantec Corporation, Common Client Hash Provider Driver)
0xAB22B000 C:\WINDOWS\System32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xAB1CD000 C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys 385024 bytes (Symantec Corporation, Symantec Eraser Control Driver)
0xB907D000 C:\WINDOWS\System32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xAB40A000 C:\WINDOWS\System32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xACE58000 C:\WINDOWS\System32\Drivers\NIS\1107000.00C\SRTSP.SYS 356352 bytes (Symantec Corporation, Symantec AutoProtect)
0xA9B38000 C:\WINDOWS\System32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)
0xAB38B000 C:\WINDOWS\System32\Drivers\NIS\1107000.00C\SYMTDI.SYS 356352 bytes (Symantec Corporation, Network Dispatch Driver)
0xF742C000 SYMDS.SYS 352256 bytes
0xA65D2000 C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.6.0.32\Definitions\IPSDefs\20100920.001\IDSxpx86.sys 348160 bytes (Symantec Corporation, IDS Core Driver)
0xBF012000 C:\WINDOWS\System32\ati2dvag.dll 290816 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xB92DC000 C:\WINDOWS\System32\DRIVERS\SynTP.sys 270336 bytes (Synaptics, Inc., Synaptics Touchpad Driver)
0xA87A8000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xAB4F5000 C:\WINDOWS\System32\Drivers\cdudf_xp.SYS 241664 bytes (Roxio, CD-UDF NT Filesystem Driver)
0xB9264000 C:\WINDOWS\system32\drivers\STAC97.sys 221184 bytes (SigmaTel, Inc., SigmaTel Audio Driver (WDM))
0xAB488000 C:\WINDOWS\System32\Drivers\UdfReadr_xp.SYS 208896 bytes (Roxio, CD-UDF NT Filesystem Reader Driver)
0xF75A8000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xA9ECA000 C:\WINDOWS\System32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF783D000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xF786A000 SYMEFA.SYS 184320 bytes
0xA6B47000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xAB29B000 C:\WINDOWS\System32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xAB2E8000 C:\WINDOWS\System32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xAB365000 C:\WINDOWS\System32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xAB564000 C:\WINDOWS\system32\Drivers\SYMEVENT.SYS 151552 bytes (Symantec Corporation, Symantec Event Library)
0xB9240000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB931E000 C:\WINDOWS\System32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB92B9000 C:\WINDOWS\System32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xAB2C6000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806FF000 ACPI_HAL 134400 bytes
0x806FF000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF7482000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF74BA000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xACCE9000 C:\WINDOWS\system32\drivers\NIS\1107000.00C\Ironx86.SYS 126976 bytes (Symantec Corporation, Iron Driver)
0xB929A000 C:\WINDOWS\System32\Drivers\pwd_2k.SYS 126976 bytes (Roxio, Win2000 Framework for Packet Write Driver)
0xF74D9000 pcmcia.sys 122880 bytes (Microsoft Corporation, PCMCIA Bus Driver)
0xAB1B0000 C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys 118784 bytes (Symantec Corporation, Symantec Eraser Utility Driver)
0xBA7E6000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF74A2000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xB90F3000 C:\WINDOWS\system32\DRIVERS\mcdbus.sys 98304 bytes (MagicISO, Inc., MagicISO SCSI Host Controller)
0xB90DB000 C:\WINDOWS\system32\DRIVERS\SCSIPORT.SYS 98304 bytes (Microsoft Corporation, SCSI Port Driver)
0xF7403000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB911C000 C:\WINDOWS\System32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xA9D75000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xA6272000 C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.6.0.32\Definitions\VirusDefs\20100921.003\NAVENG.SYS 81920 bytes (Symantec Corporation, AV Engine)
0xB9342000 C:\WINDOWS\System32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xAB463000 C:\WINDOWS\System32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF741A000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF7597000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB910B000 C:\WINDOWS\System32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xB8F97000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xBA7B6000 C:\WINDOWS\System32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF74F7000 C:\WINDOWS\System32\DRIVERS\nic1394.sys 65536 bytes (Microsoft Corporation, IEEE1394 Ndis Miniport and Call Manager)
0xF75F7000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xF7537000 C:\WINDOWS\System32\DRIVERS\arp1394.sys 61440 bytes (Microsoft Corporation, IP/1394 Arp Client)
0xBA796000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xBA746000 C:\WINDOWS\system32\DRIVERS\odysseyIM3.sys 61440 bytes (Funk Software, Inc., Odyssey Intermediate Driver)
0xBA7A6000 C:\WINDOWS\System32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xAAFF5000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF7587000 C:\WINDOWS\System32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF7607000 C:\WINDOWS\System32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xF7657000 C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xBA7D6000 C:\WINDOWS\System32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xBA786000 C:\WINDOWS\System32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF7637000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xBA766000 C:\WINDOWS\System32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF7687000 agp440.sys 45056 bytes (Microsoft Corporation, 440 NT AGP Filter)
0xF7507000 C:\WINDOWS\System32\DRIVERS\bcm4sbxp.sys 45056 bytes (Broadcom Corporation, Broadcom Corporation NDIS 5.1 ethernet driver)
0xB8FE7000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xBA7C6000 C:\WINDOWS\System32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF7627000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xBA776000 C:\WINDOWS\System32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF7677000 sbp2port.sys 45056 bytes (Microsoft Corporation, SBP-2 Protocol Driver)
0xF7617000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF76C7000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xB93FF000 C:\WINDOWS\system32\drivers\NIS\1107000.00C\SRTSPX.SYS 40960 bytes (Symantec Corporation, Symantec AutoProtect)
0xF76A7000 C:\WINDOWS\System32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF7647000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xA7D6F000 C:\WINDOWS\System32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xF7517000 C:\WINDOWS\System32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xBA756000 C:\WINDOWS\System32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF7527000 C:\WINDOWS\System32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xA7169000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF7667000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xF7547000 C:\WINDOWS\System32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF781F000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xACEC7000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF77FF000 C:\WINDOWS\System32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF776F000 C:\WINDOWS\System32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF7707000 C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF7817000 C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xF780F000 C:\WINDOWS\System32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF7747000 C:\WINDOWS\System32\Drivers\mmc_2K.SYS 24576 bytes (Roxio, CD-R/RW AddOn MMC Driver (W2K))
0xF7807000 C:\WINDOWS\System32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF77F7000 C:\WINDOWS\System32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xACED7000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xACECF000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF774F000 C:\WINDOWS\System32\DRIVERS\omci.sys 20480 bytes (Dell Computer Corporation, OMCI Device Driver)
0xF770F000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF7737000 C:\WINDOWS\System32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF773F000 C:\WINDOWS\System32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF771F000 C:\WINDOWS\System32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xACEDF000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xF789F000 C:\WINDOWS\System32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)
0xBA2F2000 C:\WINDOWS\System32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0xF7933000 C:\WINDOWS\System32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xAACD9000 C:\WINDOWS\System32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF7897000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xF789B000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0xAAFDD000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xA9DEA000 C:\WINDOWS\System32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xAA02B000 C:\WINDOWS\System32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xBA2E2000 C:\WINDOWS\System32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xBA302000 C:\WINDOWS\System32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xB9017000 C:\WINDOWS\system32\drivers\VCdRom.sys 12288 bytes (Microsoft Corporation, Driver for Virtual CD-ROMs)
0xF798F000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF798D000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF798B000 intelide.sys 8192 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0xF7987000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF7991000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF79DD000 C:\WINDOWS\system32\DRIVERS\portd2k.sys 8192 bytes (CMS Peripherals, Inc., BounceBack Port I/O)
0xF7993000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF79DF000 C:\WINDOWS\System32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF79DB000 C:\WINDOWS\System32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF7989000 C:\WINDOWS\System32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7A92000 C:\WINDOWS\System32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF7A71000 C:\WINDOWS\System32\Drivers\Cdr4_xp.SYS 4096 bytes (Sonic Solutions, CDR4 CD and DVD Place Holder Driver (see PxHelp))
0xF7A72000 C:\WINDOWS\System32\Drivers\Cdralw2k.SYS 4096 bytes (Sonic Solutions, CDRAL Place Holder Driver (see PxHelp))
0xF7AC1000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF7A73000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7A4F000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
!!!!!!!!!!!Hidden driver: 0x89F29AEA ?_empty_? 1302 bytes
!!!!!!!!!!!Hidden driver: 0x8A03B8E8 ?_empty_? 0 bytes
==============================================
>Stealth
==============================================
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x88C09CD8 ] TID: 108
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x8993C820 ] TID: 140
0x80562520 Faked ServiceTable-->explorer.exe [ ETHREAD 0x893E2760 ] TID: 156
0x80562520 Faked ServiceTable-->NICServ.exe [ ETHREAD 0x893D7880 ] TID: 164
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x8A07B020 ] TID: 172
0x80562520 Faked ServiceTable-->explorer.exe [ ETHREAD 0x893CC380 ] TID: 204, 30863072 bytes
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x8991BAD0 ] TID: 228
0x80562520 Faked ServiceTable-->searchindexer.exe [ ETHREAD 0x8904F848 ] TID: 236
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x893E1DA8 ] TID: 252
0x80562520 Faked ServiceTable-->services.exe [ ETHREAD 0x88BB6DA8 ] TID: 304
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x88AC2020 ] TID: 308
0x80562520 Faked ServiceTable-->winlogon.exe [ ETHREAD 0x89415408 ] TID: 320
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x89442DA8 ] TID: 336
0x80562520 Faked ServiceTable-->searchindexer.exe [ ETHREAD 0x88C18020 ] TID: 344
0x80562520 Faked ServiceTable-->VService.exe [ ETHREAD 0x89354BE0 ] TID: 348
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x8A08EDA8 ] TID: 352, 4194368 bytes
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x89916B48 ] TID: 356
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x89415818 ] TID: 360
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x89448BA8 ] TID: 364
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x89E83020 ] TID: 372
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x89E97DA8 ] TID: 384
0x80562520 Faked ServiceTable-->explorer.exe [ ETHREAD 0x89FEC3B0 ] TID: 404
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x89E97518 ] TID: 408
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x8A414868 ] TID: 504
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x89530BA0 ] TID: 508
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x89531BC8 ] TID: 512
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x89543998 ] TID: 516
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x89543720 ] TID: 520, 3997757 bytes
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x895434A8 ] TID: 524
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x8A414DA8 ] TID: 528
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x895059F8 ] TID: 540
0x80562520 Faked ServiceTable-->sprtsvc.exe [ ETHREAD 0x8935FA60 ] TID: 572
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x894F0DA8 ] TID: 580
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x894F0770 ] TID: 584
0x80562520 Faked ServiceTable-->AppleMobileDeviceService.exe [ ETHREAD 0x894EFAF8 ] TID: 612
0x80562520 Faked ServiceTable-->AppleMobileDeviceService.exe [ ETHREAD 0x894FD470 ] TID: 616
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x894F1848 ] TID: 672
0x80562520 Faked ServiceTable-->iPodService.exe [ ETHREAD 0x891A89C8 ] TID: 676
0x80562520 Faked ServiceTable-->mDNSResponder.exe [ ETHREAD 0x894D9DA8 ] TID: 696
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x89370DA8 ] TID: 700
0x80562520 Faked ServiceTable-->iPodService.exe [ ETHREAD 0x89192A48 ] TID: 772
0x80562520 Faked ServiceTable-->firefox.exe [ ETHREAD 0x88B80CD8 ] TID: 776
0x80562520 Faked ServiceTable-->searchindexer.exe [ ETHREAD 0x89044BF8 ] TID: 784
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x89E82DA8 ] TID: 792
0x80562520 Faked ServiceTable-->smss.exe [ ETHREAD 0x89F13718 ] TID: 808, 8781826 bytes
0x80562520 Faked ServiceTable-->smss.exe [ ETHREAD 0x89F13020 ] TID: 812
0x80562520 Faked ServiceTable-->smss.exe [ ETHREAD 0x8A1095E8 ] TID: 816, 8781826 bytes
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x893408B8 ] TID: 820
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x89340DA8 ] TID: 824, 8781826 bytes
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x8932FDA8 ] TID: 844
0x80562520 Faked ServiceTable-->sprtsvc.exe [ ETHREAD 0x8A07BDA8 ] TID: 860, 8781826 bytes
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x892E7020 ] TID: 872
0x80562520 Faked ServiceTable-->csrss.exe [ ETHREAD 0x896DB680 ] TID: 896, 8781826 bytes
0x80562520 Faked ServiceTable-->winlogon.exe [ ETHREAD 0x89740DA8 ] TID: 944
0x80562520 Faked ServiceTable-->winlogon.exe [ ETHREAD 0x896F7910 ] TID: 948, 8781826 bytes
0x80562520 Faked ServiceTable-->winlogon.exe [ ETHREAD 0x896F7478 ] TID: 956
0x80562520 Faked ServiceTable-->services.exe [ ETHREAD 0x896F2AA8 ] TID: 992, 8781827 bytes
0x80562520 Faked ServiceTable-->services.exe [ ETHREAD 0x896F2610 ] TID: 996
0x80562520 Faked ServiceTable-->services.exe [ ETHREAD 0x896F4CB0 ] TID: 1000, 8781827 bytes
0x80562520 Faked ServiceTable-->lsass.exe [ ETHREAD 0x8973B910 ] TID: 1008
0x80562520 Faked ServiceTable-->lsass.exe [ ETHREAD 0x8973E910 ] TID: 1012, 8781828 bytes
0x80562520 Faked ServiceTable-->searchindexer.exe [ ETHREAD 0x88BEE3E0 ] TID: 1016
0x80562520 Faked ServiceTable-->lsass.exe [ ETHREAD 0x896EFDA8 ] TID: 1020, 25690115 bytes
0x80562520 Faked ServiceTable-->lsass.exe [ ETHREAD 0x896D8910 ] TID: 1024
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x88F76AB0 ] TID: 1032, 8781837 bytes
0x80562520 Faked ServiceTable-->plugin-container.exe [ ETHREAD 0x8991B5F8 ] TID: 1036
0x80562520 Faked ServiceTable-->lsass.exe [ ETHREAD 0x89743910 ] TID: 1040, 8781841 bytes
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x892F2020 ] TID: 1044
0x80562520 Faked ServiceTable-->lsass.exe [ ETHREAD 0x896EDDA8 ] TID: 1072, 8781844 bytes
0x80562520 Faked ServiceTable-->lsass.exe [ ETHREAD 0x896DBDA8 ] TID: 1084
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x896D52E8 ] TID: 1092, 8781845 bytes
0x80562520 Faked ServiceTable-->winlogon.exe [ ETHREAD 0x896E4CB0 ] TID: 1096
0x80562520 Faked ServiceTable-->winlogon.exe [ ETHREAD 0x896FEBA0 ] TID: 1100, 8781846 bytes
0x80562520 Faked ServiceTable-->winlogon.exe [ ETHREAD 0x89736818 ] TID: 1104
0x80562520 Faked ServiceTable-->services.exe [ ETHREAD 0x896FB588 ] TID: 1108
0x80562520 Faked ServiceTable-->iPodService.exe [ ETHREAD 0x8A5A5A08 ] TID: 1116
0x80562520 Faked ServiceTable-->services.exe [ ETHREAD 0x896EF020 ] TID: 1136, 8781849 bytes
0x80562520 Faked ServiceTable-->services.exe [ ETHREAD 0x897B5408 ] TID: 1140
0x80562520 Faked ServiceTable-->services.exe [ ETHREAD 0x89739478 ] TID: 1148, 7602254 bytes
0x80562520 Faked ServiceTable-->iPodService.exe [ ETHREAD 0x891966C0 ] TID: 1164
0x80562520 Faked ServiceTable-->services.exe [ ETHREAD 0x897A5DA8 ] TID: 1168, 7864368 bytes
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x89144BA0 ] TID: 1176
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x88FAF878 ] TID: 1188, 8781865 bytes
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x89741998 ] TID: 1192
0x80562520 Faked ServiceTable-->plugin-container.exe [ ETHREAD 0x899028A8 ] TID: 1196, 8781866 bytes
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x897414A8 ] TID: 1200
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x89313420 ] TID: 1212, 8781947 bytes
0x80562520 Faked ServiceTable-->jqs.exe [ ETHREAD 0x894BBBA0 ] TID: 1224
0x80562520 Faked ServiceTable-->services.exe [ ETHREAD 0x896DF9C0 ] TID: 1236
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x89348020 ] TID: 1244
0x80562520 Faked ServiceTable-->plugin-container.exe [ ETHREAD 0x899E15F8 ] TID: 1252
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x896D49A0 ] TID: 1284
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x89747998 ] TID: 1288
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x89747720 ] TID: 1292
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x897474A8 ] TID: 1296
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x897042E8 ] TID: 1308
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x893E4720 ] TID: 1312
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x891D6DA8 ] TID: 1340
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x894D46B0 ] TID: 1356
0x80562520 Faked ServiceTable-->scardsvr.exe [ ETHREAD 0x894D19E8 ] TID: 1364
0x80562520 Faked ServiceTable-->searchprotocolhost.exe [ ETHREAD 0x88BB7790 ] TID: 1376
0x80562520 Faked ServiceTable-->searchindexer.exe [ ETHREAD 0x89357BA8 ] TID: 1380
0x80562520 Faked ServiceTable-->firefox.exe [ ETHREAD 0x88B7A020 ] TID: 1384
0x80562520 Faked ServiceTable-->searchindexer.exe [ ETHREAD 0x89176540 ] TID: 1396
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x89746DA8 ] TID: 1416
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x897A2DA8 ] TID: 1420
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x895925D8 ] TID: 1424
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8A1BEB20 ] TID: 1428
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x89593928 ] TID: 1444
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x89594B30 ] TID: 1476
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x893E8768 ] TID: 1480, 7602254 bytes
0x80562520 Faked ServiceTable-->BCMSMMSG.exe [ ETHREAD 0x8A083DA8 ] TID: 1516
0x80562520 Faked ServiceTable-->winlogon.exe [ ETHREAD 0x89592DA8 ] TID: 1524, 2147450879 bytes
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x896F6998 ] TID: 1528
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x896F6720 ] TID: 1532
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x89599DA8 ] TID: 1540
0x80562520 Faked ServiceTable-->winlogon.exe [ ETHREAD 0x89598928 ] TID: 1576
0x80562520 Faked ServiceTable-->winlogon.exe [ ETHREAD 0x894B5720 ] TID: 1580
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x893C0560 ] TID: 1608
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8959C020 ] TID: 1624
0x80562520 Faked ServiceTable-->jqs.exe [ ETHREAD 0x894BB2A0 ] TID: 1628
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8959FA08 ] TID: 1644
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x89588DA8 ] TID: 1648
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x89F0A7E8 ] TID: 1668
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8A083728 ] TID: 1672
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x893D35D8 ] TID: 1676
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8959C588 ] TID: 1680
0x80562520 Faked ServiceTable-->winlogon.exe [ ETHREAD 0x894BEBB0 ] TID: 1692
0x80562520 Faked ServiceTable-->plugin-container.exe [ ETHREAD 0x899E7DA8 ] TID: 1704
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x893E44A8 ] TID: 1716
0x80562520 Faked ServiceTable-->explorer.exe [ ETHREAD 0x8995B900 ] TID: 1732
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8970C6E8 ] TID: 1736
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x893D4808 ] TID: 1740
0x80562520 Faked ServiceTable-->iTunesHelper.exe [ ETHREAD 0x8932E598 ] TID: 1748
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x89562AF8 ] TID: 1756
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8958BBA8 ] TID: 1760
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8954A6A8 ] TID: 1764, 5 bytes
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x89545420 ] TID: 1768
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8958EBC8 ] TID: 1772
0x80562520 Faked ServiceTable-->searchindexer.exe [ ETHREAD 0x89899AD8 ] TID: 1792
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x89FEC9B8 ] TID: 1804
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x89540980 ] TID: 1824
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x89544BA0 ] TID: 1832
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x899D17E8 ] TID: 1868
0x80562520 Faked ServiceTable-->winlogon.exe [ ETHREAD 0x8955F9B8 ] TID: 1888
0x80562520 Faked ServiceTable-->sprtcmd.exe [ ETHREAD 0x8A0ACB20 ] TID: 1892
0x80562520 Faked ServiceTable-->searchindexer.exe [ ETHREAD 0x899F2490 ] TID: 1900, 7602254 bytes
0x80562520 Faked ServiceTable-->scardsvr.exe [ ETHREAD 0x8952FBA0 ] TID: 1932, 2853156436 bytes
0x80562520 Faked ServiceTable-->lsass.exe [ ETHREAD 0x8957EBD8 ] TID: 1940, 1653025001 bytes
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x89265DA8 ] TID: 1944
0x80562520 Faked ServiceTable-->firefox.exe [ ETHREAD 0x89021DA8 ] TID: 1948
0x80562520 Faked ServiceTable-->plugin-container.exe [ ETHREAD 0x88B359D8 ] TID: 1952
0x80562520 Faked ServiceTable-->searchindexer.exe [ ETHREAD 0x894F2BA0 ] TID: 1976
0x80562520 Faked ServiceTable-->iTunesHelper.exe [ ETHREAD 0x89193920 ] TID: 1988
0x80562520 Faked ServiceTable-->searchindexer.exe [ ETHREAD 0x892BF698 ] TID: 1996
0x80562520 Faked ServiceTable-->csrss.exe [ ETHREAD 0x897C1880 ] TID: 2000
0x80562520 Faked ServiceTable-->plugin-container.exe [ ETHREAD 0x88AB4410 ] TID: 2004
0x80562520 Faked ServiceTable-->OdHost.exe [ ETHREAD 0x897D2740 ] TID: 2016
0x80562520 Faked ServiceTable-->explorer.exe [ ETHREAD 0x893EE7A8 ] TID: 2032
0x80562520 Faked ServiceTable-->explorer.exe [ ETHREAD 0x893DADA8 ] TID: 2036
0x80562520 Faked ServiceTable-->iTunesHelper.exe [ ETHREAD 0x893FA590 ] TID: 2044
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x88AD3C90 ] TID: 2056
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x894CCDA8 ] TID: 2072, 1100456 bytes
0x80562520 Faked ServiceTable-->firefox.exe [ ETHREAD 0x89838020 ] TID: 2096
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x897B6BD0 ] TID: 2120
0x80562520 Faked ServiceTable-->OdHost.exe [ ETHREAD 0x89247DA8 ] TID: 2124
0x80562520 Faked ServiceTable-->OdHost.exe [ ETHREAD 0x89238678 ] TID: 2140
0x80562520 Faked ServiceTable-->firefox.exe [ ETHREAD 0x88B38020 ] TID: 2152
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x898F1788 ] TID: 2156
0x80562520 Faked ServiceTable-->searchindexer.exe [ ETHREAD 0x88C09970 ] TID: 2184
0x80562520 Faked ServiceTable-->SynTPEnh.exe [ ETHREAD 0x896F9998 ] TID: 2220
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x88F7E528 ] TID: 2228
0x80562520 Faked ServiceTable-->firefox.exe [ ETHREAD 0x899B5020 ] TID: 2236
0x80562520 Faked ServiceTable-->XYNTService.exe [ ETHREAD 0x8959DDA8 ] TID: 2256
0x80562520 Faked ServiceTable-->plugin-container.exe [ ETHREAD 0x89982C58 ] TID: 2264
0x80562520 Faked ServiceTable-->lsass.exe [ ETHREAD 0x88B4ADA8 ] TID: 2272
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x891A25D0 ] TID: 2288
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x89092588 ] TID: 2292
0x80562520 Faked ServiceTable-->spoolsv.exe [ ETHREAD 0x89920A48 ] TID: 2312
0x80562520 Faked ServiceTable-->searchindexer.exe [ ETHREAD 0x88BB6910 ] TID: 2316
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x899CF710 ] TID: 2332
0x80562520 Faked ServiceTable-->searchindexer.exe [ ETHREAD 0x88B29A80 ] TID: 2336
0x80562520 Faked ServiceTable-->spoolsv.exe [ ETHREAD 0x89A9B9B8 ] TID: 2376
0x80562520 Faked ServiceTable-->firefox.exe [ ETHREAD 0x892D2500 ] TID: 2380
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8908CB30 ] TID: 2384
0x80562520 Faked ServiceTable-->searchfilterhost.exe [ ETHREAD 0x89815020 ] TID: 2408
0x80562520 Faked ServiceTable-->services.exe [ ETHREAD 0x892BFD00 ] TID: 2468
0x80562520 Faked ServiceTable-->explorer.exe [ ETHREAD 0x88F6E880 ] TID: 2480
0x80562520 Faked ServiceTable-->sprtsvc.exe [ ETHREAD 0x890F32A8 ] TID: 2488
0x80562520 Faked ServiceTable-->services.exe [ ETHREAD 0x8937DAA0 ] TID: 2492
0x80562520 Faked ServiceTable-->lsass.exe [ ETHREAD 0x893D8BA0 ] TID: 2508
0x80562520 Faked ServiceTable-->firefox.exe [ ETHREAD 0x8999DA50 ] TID: 2516
0x80562520 Faked ServiceTable-->iPodService.exe [ ETHREAD 0x8938DDA8 ] TID: 2520
0x80562520 Faked ServiceTable-->Directcd.exe [ ETHREAD 0x897B25A0 ] TID: 2528
0x80562520 Faked ServiceTable-->Directcd.exe [ ETHREAD 0x893D8500 ] TID: 2532
0x80562520 Faked ServiceTable-->Directcd.exe [ ETHREAD 0x895B5928 ] TID: 2536
0x80562520 Faked ServiceTable-->searchindexer.exe [ ETHREAD 0x88F41DA8 ] TID: 2556
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x89706DA8 ] TID: 2560
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x89097DA8 ] TID: 2588
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x8918EBA8 ] TID: 2592
0x80562520 Faked ServiceTable-->explorer.exe [ ETHREAD 0x89929DA8 ] TID: 2600
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8903F020 ] TID: 2612
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x895CA668 ] TID: 2628
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x897B3998 ] TID: 2636
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x8905BA98 ] TID: 2652
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x895C8DA8 ] TID: 2668
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8A2009F8 ] TID: 2672
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8943D460 ] TID: 2676
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x895AC020 ] TID: 2680
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8A6796A8 ] TID: 2696
0x80562520 Faked ServiceTable-->searchindexer.exe [ ETHREAD 0x890448E0 ] TID: 2708
0x80562520 Faked ServiceTable-->searchindexer.exe [ ETHREAD 0x8904F5D0 ] TID: 2712
0x80562520 Faked ServiceTable-->searchindexer.exe [ ETHREAD 0x8898CDA8 ] TID: 2716
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8897FDA8 ] TID: 2724
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x895A8DA8 ] TID: 2748
0x80562520 Faked ServiceTable-->searchindexer.exe [ ETHREAD 0x8890B020 ] TID: 2760, 6619256 bytes
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x8A214020 ] TID: 2768
0x80562520 Faked ServiceTable-->services.exe [ ETHREAD 0x88902020 ] TID: 2784
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x889E6020 ] TID: 2796
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x88AFDBC8 ] TID: 2800
0x80562520 Faked ServiceTable-->winlogon.exe [ ETHREAD 0x89812020 ] TID: 2808
0x80562520 Faked ServiceTable-->OdHost.exe [ ETHREAD 0x89199960 ] TID: 2820
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x89726DA8 ] TID: 2824
0x80562520 Faked ServiceTable-->firefox.exe [ ETHREAD 0x89321798 ] TID: 2828
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8927C710 ] TID: 2848
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x89A5E020 ] TID: 2872
0x80562520 Faked ServiceTable-->searchindexer.exe [ ETHREAD 0x892598C8 ] TID: 2888
0x80562520 Faked ServiceTable-->searchindexer.exe [ ETHREAD 0x89281518 ] TID: 2892
0x80562520 Faked ServiceTable-->searchindexer.exe [ ETHREAD 0x89257928 ] TID: 2896
0x80562520 Faked ServiceTable-->sprtcmd.exe [ ETHREAD 0x892D8318 ] TID: 2904
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x897D7460 ] TID: 2916
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x8993C5A8 ] TID: 2936, 32 bytes
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x88A60BA8 ] TID: 2948
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x89194BA8 ] TID: 2996
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x8A678DA8 ] TID: 3012
0x80562520 Faked ServiceTable-->lsass.exe [ ETHREAD 0x89262790 ] TID: 3016, 7929939 bytes
0x80562520 Faked ServiceTable-->jqs.exe [ ETHREAD 0x88FD5020 ] TID: 3032
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x895C3BA0 ] TID: 3036
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x8956D750 ] TID: 3040
0x80562520 Faked ServiceTable-->firefox.exe [ ETHREAD 0x891E45F0 ] TID: 3044
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x88ABD8F0 ] TID: 3060
0x80562520 Faked ServiceTable-->iTunesHelper.exe [ ETHREAD 0x894A8978 ] TID: 3072
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x88F55860 ] TID: 3076, 7536686 bytes
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x88F75BD8 ] TID: 3080, 6619252 bytes
0x80562520 Faked ServiceTable-->alg.exe [ ETHREAD 0x893F3928 ] TID: 3088
0x80562520 Faked ServiceTable-->alg.exe [ ETHREAD 0x89014558 ] TID: 3092
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x892519C8 ] TID: 3096
0x80562520 Faked ServiceTable-->alg.exe [ ETHREAD 0x897444E8 ] TID: 3100
0x80562520 Faked ServiceTable-->alg.exe [ ETHREAD 0x89236020 ] TID: 3104, 7274601 bytes
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x892A7BC8 ] TID: 3108
0x80562520 Faked ServiceTable-->iPodService.exe [ ETHREAD 0x8A650BA0 ] TID: 3196, 47464208 bytes
0x80562520 Faked ServiceTable-->iPodService.exe [ ETHREAD 0x8A650928 ] TID: 3200
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x89255398 ] TID: 3216, 7471215 bytes
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8958A720 ] TID: 3220, 3407928 bytes
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x890131C0 ] TID: 3228
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x88FCB2F0 ] TID: 3232
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x88F39DA8 ] TID: 3240
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x895ABDA8 ] TID: 3248
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x8943DDA8 ] TID: 3252
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x89438BA0 ] TID: 3256
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x895A8B30 ] TID: 3260
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x89422BA0 ] TID: 3264
0x80562520 Faked ServiceTable-->sprtsvc.exe [ ETHREAD 0x892B7BC8 ] TID: 3288
0x80562520 Faked ServiceTable-->iTunesHelper.exe [ ETHREAD 0x88BD9A18 ] TID: 3292
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x890DF668 ] TID: 3328
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x891D8020 ] TID: 3336
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x8927A390 ] TID: 3348
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x897CADA8 ] TID: 3356
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x88AAA020 ] TID: 3364
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x8990E578 ] TID: 3412
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x88F5A020 ] TID: 3420
0x80562520 Faked ServiceTable-->searchprotocolhost.exe [ ETHREAD 0x898BE020 ] TID: 3436
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x89A55DA8 ] TID: 3440, 5439520 bytes
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x88FB67A0 ] TID: 3448, 7929971 bytes
0x80562520 Faked ServiceTable-->sprtsvc.exe [ ETHREAD 0x892A6DA8 ] TID: 3456, 2097196 bytes
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8925DDA8 ] TID: 3472
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x89E6BD10 ] TID: 3496
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x892225A0 ] TID: 3516
0x80562520 Faked ServiceTable-->sprtcmd.exe [ ETHREAD 0x8A43B5A8 ] TID: 3520, 3204448256 bytes
0x80562520 Faked ServiceTable-->sprtcmd.exe [ ETHREAD 0x895B2998 ] TID: 3524
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8986F020 ] TID: 3528
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x88FDA710 ] TID: 3544
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x88BDB020 ] TID: 3548
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x8907C020 ] TID: 3560
0x80562520 Faked ServiceTable-->spoolsv.exe [ ETHREAD 0x8A5AD798 ] TID: 3572
0x80562520 Faked ServiceTable-->spoolsv.exe [ ETHREAD 0x8A04DDA8 ] TID: 3576
0x80562520 Faked ServiceTable-->spoolsv.exe [ ETHREAD 0x894C8BC0 ] TID: 3588
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x89109AB0 ] TID: 3596
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x88FF35A8 ] TID: 3604
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x893BDBC8 ] TID: 3628
0x80562520 Faked ServiceTable-->iPodService.exe [ ETHREAD 0x891F15C8 ] TID: 3636, 3276832 bytes
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x897C5020 ] TID: 3648, 6750305 bytes
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8A659DA8 ] TID: 3660, 6881396 bytes
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x89554BA0 ] TID: 3664, 655373 bytes
0x80562520 Faked ServiceTable-->RKUnhookerLE.EXE [ ETHREAD 0x8A01BBB0 ] TID: 3672, 7143525 bytes
0x80562520 Faked ServiceTable-->searchindexer.exe [ ETHREAD 0x8921DDA8 ] TID: 3676, 7209071 bytes
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8938FDA8 ] TID: 3684, 6553632 bytes
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x897C46F0 ] TID: 3688, 6553701 bytes
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x893BCDA8 ] TID: 3692, 4784215 bytes
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8939D3E8 ] TID: 3700, 6881400 bytes
0x80562520 Faked ServiceTable-->searchindexer.exe [ ETHREAD 0x891FE7E0 ] TID: 3704, 3538976 bytes
0x80562520 Faked ServiceTable-->searchindexer.exe [ ETHREAD 0x89207980 ] TID: 3708, 3407904 bytes
0x80562520 Faked ServiceTable-->firefox.exe [ ETHREAD 0x891B98C0 ] TID: 3724, 5373992 bytes
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x894C5C70 ] TID: 3736, 6422560 bytes
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x8926BBA0 ] TID: 3740, 5439580 bytes
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8909B700 ] TID: 3748
0x80562520 Faked ServiceTable-->plugin-container.exe [ ETHREAD 0x88AACD10 ] TID: 3756
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8938E998 ] TID: 3760
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8938AB68 ] TID: 3764
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x89389D10 ] TID: 3772
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8943BDA8 ] TID: 3776
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x89172020 ] TID: 3780
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x88F67928 ] TID: 3784
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x89226C38 ] TID: 3800
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x89385540 ] TID: 3816
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8937E998 ] TID: 3820
0x80562520 Faked ServiceTable-->iTunesHelper.exe [ ETHREAD 0x892E8BA8 ] TID: 3824
0x80562520 Faked ServiceTable-->searchindexer.exe [ ETHREAD 0x89214DA8 ] TID: 3848
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x88FBB3C0 ] TID: 3856
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8A64F310 ] TID: 3860
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8936B998 ] TID: 3864
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x89394928 ] TID: 3884
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x893C2740 ] TID: 3888
0x80562520 Faked ServiceTable-->services.exe [ ETHREAD 0x8A64E630 ] TID: 3892
0x80562520 Faked ServiceTable-->services.exe [ ETHREAD 0x8938B668 ] TID: 3896
0x80562520 Faked ServiceTable-->services.exe [ ETHREAD 0x8937A020 ] TID: 3900
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x8934D788 ] TID: 3948
0x80562520 Faked ServiceTable-->firefox.exe [ ETHREAD 0x89175020 ] TID: 3980
0x80562520 Faked ServiceTable-->searchindexer.exe [ ETHREAD 0x89546BE0 ] TID: 4028
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x89179020 ] TID: 4048
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x892CF228 ] TID: 4060
0x80562520 Faked ServiceTable-->firefox.exe [ ETHREAD 0x89028D50 ] TID: 4080
0x80562520 Faked ServiceTable-->iTunesHelper.exe [ ETHREAD 0x89335998 ] TID: 4092
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x89937020 ] TID: 4128
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x893964B8 ] TID: 4136
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x88DCACB8 ] TID: 4164
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x88B8D710 ] TID: 4172
0x80562520 Faked ServiceTable-->OdHost.exe [ ETHREAD 0x89154898 ] TID: 4180
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x898D4020 ] TID: 4192
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x88FE98B0 ] TID: 4196
0x80562520 Faked ServiceTable-->searchindexer.exe [ ETHREAD 0x890B7DA8 ] TID: 4200
0x80562520 Faked ServiceTable-->RKUnhookerLE.EXE [ ETHREAD 0x88A08288 ] TID: 4204
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x89108020 ] TID: 4216
0x80562520 Faked ServiceTable-->realsched.exe [ ETHREAD 0x88C00020 ] TID: 4264
0x80562520 Faked ServiceTable-->iPodService.exe [ ETHREAD 0x891433C0 ] TID: 4272
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8911EB30 ] TID: 4320
0x80562520 Faked ServiceTable-->searchfilterhost.exe [ ETHREAD 0x88B8BDA8 ] TID: 4332
0x80562520 Faked ServiceTable-->searchindexer.exe [ ETHREAD 0x89234C58 ] TID: 4336
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x88F8C020 ] TID: 4376
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x889E00D0 ] TID: 4412
0x80562520 Faked ServiceTable-->RKUnhookerLE.EXE [ ETHREAD 0x88C1D020 ] TID: 4436
0x80562520 Faked ServiceTable-->sprtcmd.exe [ ETHREAD 0x88A1FB30 ] TID: 4464
0x80562520 Faked ServiceTable-->lsass.exe [ ETHREAD 0x88AF9B80 ] TID: 4480
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x8A1F6A40 ] TID: 4488
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x899621F0 ] TID: 4552
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8954E518 ] TID: 4588
0x80562520 Faked ServiceTable-->searchindexer.exe [ ETHREAD 0x88ACD8D8 ] TID: 4612
0x80562520 Faked ServiceTable-->winlogon.exe [ ETHREAD 0x889AF4A8 ] TID: 4620
0x80562520 Faked ServiceTable-->SynTPEnh.exe [ ETHREAD 0x89950D68 ] TID: 4656
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x892EEC88 ] TID: 4660
0x80562520 Faked ServiceTable-->jqs.exe [ ETHREAD 0x88BFB378 ] TID: 4716
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x891E35F0 ] TID: 4788
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x88AA8BA8 ] TID: 4800
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x89A8E390 ] TID: 4912
0x80562520 Faked ServiceTable-->sprtcmd.exe [ ETHREAD 0x8A5FA330 ] TID: 4940
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x888A2020 ] TID: 4956
0x80562520 Faked ServiceTable-->searchprotocolhost.exe [ ETHREAD 0x898CCDA8 ] TID: 5016
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x890FD390 ] TID: 5028
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x88980020 ] TID: 5036
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8888B020 ] TID: 5076
0x80562520 Faked ServiceTable-->sprtsvc.exe [ ETHREAD 0x899B2C40 ] TID: 5120
0x80562520 Faked ServiceTable-->realsched.exe [ ETHREAD 0x88F60DA8 ] TID: 5132
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x89A2E740 ] TID: 5188
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x88C1AB60 ] TID: 5224
0x80562520 Faked ServiceTable-->RKUnhookerLE.EXE [ ETHREAD 0x889325C0 ] TID: 5260
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x888FC020 ] TID: 5284
0x80562520 Faked ServiceTable-->searchindexer.exe [ ETHREAD 0x897573E0 ] TID: 5308
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8A22B020 ] TID: 5348
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8917E448 ] TID: 5376
0x80562520 Faked ServiceTable-->lsass.exe [ ETHREAD 0x896ED480 ] TID: 5408
0x80562520 Faked ServiceTable-->OdHost.exe [ ETHREAD 0x88953528 ] TID: 5424
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x89E78060 ] TID: 5472
0x80562520 Faked ServiceTable-->searchindexer.exe [ ETHREAD 0x897FC020 ] TID: 5480
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x896F0BA0 ] TID: 5492
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x88A20020 ] TID: 5556
0x80562520 Faked ServiceTable-->searchindexer.exe [ ETHREAD 0x892FFD10 ] TID: 5564
0x80562520 Faked ServiceTable-->explorer.exe [ ETHREAD 0x890C88E8 ] TID: 5612
0x80562520 Faked ServiceTable-->searchprotocolhost.exe [ ETHREAD 0x891BA240 ] TID: 5676
0x80562520 Faked ServiceTable-->lsass.exe [ ETHREAD 0x88F64360 ] TID: 5696
0x80562520 Faked ServiceTable-->searchindexer.exe [ ETHREAD 0x88B704B8 ] TID: 5704
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x89136A30 ] TID: 5728
0x80562520 Faked ServiceTable-->explorer.exe [ ETHREAD 0x888AE020 ] TID: 5744
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x899DC020 ] TID: 5764
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x8925A020 ] TID: 5788
0x80562520 Faked ServiceTable-->RKUnhookerLE.EXE [ ETHREAD 0x88A642B0 ] TID: 5796
0x80562520 Faked ServiceTable-->sprtcmd.exe [ ETHREAD 0x897F7B00 ] TID: 5800
0x80562520 Faked ServiceTable-->AppleMobileDeviceService.exe [ ETHREAD 0x88BC2458 ] TID: 5924
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x899FEBE8 ] TID: 5944
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x898FB020 ] TID: 5952
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x89443020 ] TID: 5984
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x89A270D8 ] TID: 5988
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x88F6D338 ] TID: 6032
0x80562520 Faked ServiceTable-->AppleMobileDeviceService.exe [ ETHREAD 0x8912AC70 ] TID: 6076
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x8A55CDA8 ] TID: 6112
0x80562520 Faked ServiceTable-->winlogon.exe [ ETHREAD 0x8A23BDA8 ] TID: 6136
0xF74A2000 WARNING: suspicious driver modification [atapi.sys::0x89F29AEA]
0xAB2C6000 WARNING: Virus alike driver modification [afd.sys], 139264 bytes
0x048A0000 Hidden Image-->SupportSoft.Agent.Sprocket.dll [ EPROCESS 0x8952A9F8 ] PID: 2212, 28672 bytes
0x04780000 Hidden Image-->SupportSoft.Agent.Sprocket.SupportMessage.dll [ EPROCESS 0x8952A9F8 ] PID: 2212, 45056 bytes
0x03600000 Hidden Image-->sprtmessage.dll [ EPROCESS 0x8952A9F8 ] PID: 2212, 77824 bytes


#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:34 AM

Posted 22 September 2010 - 07:36 PM

Greetings

One or more of the identified infections is known as a Backdoor Trojan: TDSS rootkit <-- please read

What this virus does do.
QUOTE
Functionality
The functionality that the Trojan exhibits implies that it has been designed with profit-making as its primary objective. Making money from the Web typically involves generating Web traffic, installing pay-per-install software and also by generating sales leads for other Web sites and services of a dubious nature. It tries to achieve its objective by employing an array of techniques to try and make the user participate in these income-generating activities.


What the virus can do.
QUOTE
Backdoor.Tidserv is a Trojan horse that uses an advanced rootkit to hide itself. It also displays advertisements, redirects user search results, and opens a back door on the compromised computer.


This "could" allow hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet. If you do any banking or other financial transactions on the PC, or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can clean this machine but I cannot guarantee that it will be 100% secure afterwards. "If you would like to continue, then follow the steps below, otherwise please let me know"

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:
    Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
    This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
    It is a simple procedure that will only take a few moments of your time.


    Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    Please continue as follows:
    • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a report for you.

    Please include the report in your next post:

    C:\ComboFix.txt

"information and logs"
    In your next post I need the following
    1. Log from Combofix
    2. let me know of any problems you may have had
    3. How is the computer doing now?

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 j_hong25

j_hong25
  • Topic Starter

  • Members
  • 9 posts
  • Local time:06:34 AM

Posted 24 September 2010 - 01:56 PM

Hello Gringo,

1.) The ComboFix log is posted below.
2.) I did not have any problems per se, but the ComboFix scanner restarted my computer twice during the process and Norton Internet Security forced me to uninstall and reinstall. I have since done that and as a result...
3.)...the computer seems to be doing good. No more pop-ups and the slow down appears to have diminished, but hard to tell.

Again, here is the ComboFix log:

ComboFix 10-09-23.01 - Benjamin J. Park 09/23/2010 21:00:16.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1698 [GMT -4:00]
Running from: c:\documents and settings\Benjamin J. Park\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Benjamin J. Park\GoToAssistDownloadHelper.exe
c:\progra~1\AWS\WEATHE~1\MINIbu~1.dll
c:\program files\AWS\WEATHE~1\MINIBU~1.DLL
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\patch.exe
c:\windows\system32\drivers\fad.sys
c:\windows\tempf.txt

Infected copy of c:\windows\system32\drivers\afd.sys was found and disinfected
Restored copy from - Kitty had a snack tongue.gif
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_gaopdxserv.sys
-------\Service_gaopdxserv.sys


((((((((((((((((((((((((( Files Created from 2010-08-24 to 2010-09-24 )))))))))))))))))))))))))))))))
.

2010-09-23 23:45 . 2010-04-22 03:02 173104 ----a-w- c:\windows\system32\drivers\symefa.sys
2010-09-23 23:45 . 2010-02-04 01:40 328752 ----a-w- c:\windows\system32\drivers\symds.sys
2010-09-23 23:45 . 2010-04-29 05:03 116784 ----a-w- c:\windows\system32\drivers\ironx86.sys
2010-09-23 23:45 . 2010-04-22 02:29 43696 ----a-w- c:\windows\system32\drivers\srtspx.sys
2010-09-23 23:45 . 2010-02-26 00:22 501888 ----a-w- c:\windows\system32\drivers\cchpx86.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-24 01:54 . 2009-12-28 16:11 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-09-24 00:20 . 2008-12-07 03:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-09-14 22:20 . 2009-04-28 23:32 -------- d-----w- c:\documents and settings\Benjamin J. Park\Application Data\Free Download Manager
2010-09-13 18:05 . 2007-10-13 05:11 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-13 17:53 . 2003-11-29 18:51 -------- d-----w- c:\program files\iTunes
2010-09-13 17:51 . 2004-04-01 05:30 -------- d-----w- c:\program files\iPod
2010-09-13 17:51 . 2007-09-06 06:51 -------- d-----w- c:\program files\Common Files\Apple
2010-09-13 17:43 . 2003-10-18 20:56 -------- d-----w- c:\program files\QuickTime
2010-09-08 21:52 . 2004-07-06 20:14 -------- d-----w- c:\program files\Lavasoft
2010-09-08 21:52 . 2010-07-03 15:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-09-04 13:29 . 2007-12-17 17:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Dell
2010-08-14 17:04 . 2010-08-14 17:04 138496 ----a-w- c:\windows\system32\drivers\uviffjci.sys
2010-08-13 21:56 . 2008-05-11 00:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-08-04 20:17 . 2010-06-09 19:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-08-03 20:19 . 2010-08-03 20:19 -------- d-----w- c:\documents and settings\Benjamin J. Park\Application Data\Tific
2010-07-21 20:21 . 2010-07-21 20:21 138496 ----a-w- c:\windows\system32\drivers\xqyyhdgw.sys
2010-07-03 15:17 . 2010-07-03 15:18 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-06-30 12:31 . 2002-09-03 16:58 149504 ----a-w- c:\windows\system32\schannel.dll
2006-04-18 05:23 . 2006-04-18 05:24 123392 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2005-01-22 21:04 . 2004-07-27 20:58 56 --sh--r- c:\windows\system32\F14AC3F7D7.sys
2006-12-26 10:28 . 2004-07-27 20:58 11480 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Google Update"="c:\documents and settings\Benjamin J. Park\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-03-30 133104]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-03-18 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-03-18 569344]
"ATIModeChange"="Ati2mdxx.exe" [2002-08-29 28672]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-04-30 327680]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-04-18 158208]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-05-22 180269]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-08-10 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]

c:\documents and settings\Benjamin J. Park\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2008-5-10 546816]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2003-9-7 82026]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
BounceBack Launcher.lnk - c:\program files\CMS Products\BounceBack Express\BBLauncher.exe [2006-10-25 90112]
Google Calendar Sync.lnk - c:\program files\Google\Google Calendar Sync\GoogleCalendarSync.exe [2008-10-2 546288]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]
Wireless-G Notebook Adapter with SpeedBooster Utility.lnk - c:\program files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\Startup.exe [2006-10-3 24576]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"c:\\Program Files\\Outlook Express\\msimn.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\kav\\kav7\\setup.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Documents and Settings\\Benjamin J. Park\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Benjamin J. Park\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\icuii\\ICUII.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [12/19/2001 3:45 PM 8576]
R2 NICSer_WPC54GS;NICSer_WPC54GS;c:\program files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe [10/3/2006 2:15 PM 455680]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.8.0.5\ccsvchst.exe [9/23/2010 7:44 PM 126392]
R2 portD;CMS PortIO Service;c:\windows\system32\drivers\portd2k.sys [10/25/2006 5:31 PM 7424]
R2 VAgnt Helper Service;VAgnt Helper Service;c:\windows\system32\XYNTService.exe [4/8/2010 11:43 AM 49152]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/27/2010 9:44 AM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.6.0.32\Definitions\IPSDefs\20100923.001\IDSXpx86.sys [9/23/2010 7:47 PM 331640]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1108000.005\SYMDS.SYS --> c:\windows\system32\drivers\NIS\1108000.005\SYMDS.SYS [?]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1108000.005\SYMEFA.SYS --> c:\windows\system32\drivers\NIS\1108000.005\SYMEFA.SYS [?]
S1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.6.0.32\Definitions\BASHDefs\20100901.003\BHDrvx86.sys [8/31/2010 6:57 PM 692272]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1108000.005\ccHPx86.sys --> c:\windows\system32\drivers\NIS\1108000.005\ccHPx86.sys [?]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1108000.005\Ironx86.SYS --> c:\windows\system32\drivers\NIS\1108000.005\Ironx86.SYS [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/7/2010 8:28 PM 135664]
S3 SCR131C;SCRx31 Serial Smart Card Reader;c:\windows\system32\drivers\SCR131C.sys [11/7/2002 5:04 AM 181875]
S3 SCR33X USB Smart Card Reader;SCR33X USB Smart Card Reader;c:\windows\system32\drivers\SCR33X2K.sys [4/6/2004 5:24 AM 64088]
.
Contents of the 'Scheduled Tasks' folder

2010-09-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 16:34]

2010-09-24 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-07 20:12]

2010-09-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-08 00:28]

2010-09-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-08 00:28]

2010-09-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-688789844-725345543-1004Core.job
- c:\documents and settings\Benjamin J. Park\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-30 17:52]

2010-09-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-688789844-725345543-1004UA.job
- c:\documents and settings\Benjamin J. Park\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-30 17:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uLocal Page =
mLocal Page =
uInternet Settings,ProxyOverride = *.local
Trusted Zone: newbienudes.com\www
Trusted Zone: turbotax.com
DPF: ConferenceRoom Java Client - hxxp://irc.theamateurchat.com/java/cr.cab
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Benjamin J. Park\Application Data\Mozilla\Firefox\Profiles\g0zwg4l1.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.6.0.32\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\program files\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll
FF - plugin: c:\documents and settings\Benjamin J. Park\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Benjamin J. Park\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Benjamin J. Park\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\Benjamin J. Park\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
FF - plugin: c:\program files\Picasa2\npPicasa3.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin9.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-23 22:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.8.0.5\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):c7,18,3d,05,82,8a,b8,a1,59,b9,12,34,68,12,83,d7,aa,54,16,01,4b,
f5,b9,28,14,25,10,a8,0c,d9,f1,33,44,d5,5f,b2,51,12,0d,9f,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{a29b7b24-d42a-43c1-9bb6-9df4aa19f33c}]
@Denied: (Full) (Everyone)
"Model"=dword:000000ad
"Therad"=dword:00000022
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1260)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\System32\Ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\System32\VService.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS\562C4DD5\17.8.0.5\InstStub.exe
c:\windows\system32\wscntfy.exe
c:\windows\BCMSMMSG.exe
c:\program files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\OdHost.exe
c:\program files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\WPC54Cfg.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2010-09-23 22:14:30 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-24 02:14

Pre-Run: 3,609,378,816 bytes free
Post-Run: 7,475,073,024 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 5E3A951D32BA4F4CF26AD1E916E8F8EA


#6 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 24 September 2010 - 02:48 PM

Greetings

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

CODE
File::
c:\windows\system32\drivers\uviffjci.sys
c:\windows\system32\drivers\xqyyhdgw.sys

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{a29b7b24-d42a-43c1-9bb6-9df4aa19f33c}]


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe.

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

"information and logs"
    In your next post I need the following
    1. report from Combofix
    2. let me know of any problems you may have had
    3. How is the computer doing now after running the script?

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#7 j_hong25 (Topic Starter)

  • Members
  • 9 posts

Posted 25 September 2010 - 09:16 AM

Dear Gringo,

-Below I post my new report from ComboFix with the CFScript you sent.
-No problems experienced with the computer
-Computer seems to be doing fine

ComboFix 10-09-23.01 - Benjamin J. Park 09/25/2010 9:45.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1498 [GMT -4:00]
Running from: c:\documents and settings\Benjamin J. Park\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Benjamin J. Park\Desktop\CFScript.txt
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

FILE ::
"c:\windows\system32\drivers\uviffjci.sys"
"c:\windows\system32\drivers\xqyyhdgw.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\uviffjci.sys
c:\windows\system32\drivers\xqyyhdgw.sys

.
((((((((((((((((((((((((( Files Created from 2010-08-25 to 2010-09-25 )))))))))))))))))))))))))))))))
.

2010-09-24 18:08 . 2010-09-24 18:08 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-09-24 18:08 . 2010-09-24 18:08 -------- d-----w- c:\program files\Symantec
2010-09-24 18:08 . 2010-09-24 18:08 126512 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-09-24 18:07 . 2010-09-24 18:07 -------- d-----w- c:\program files\Norton Internet Security
2010-09-23 23:45 . 2010-04-22 03:02 173104 ----a-w- c:\windows\system32\drivers\symefa.sys
2010-09-23 23:45 . 2010-02-04 01:40 328752 ----a-w- c:\windows\system32\drivers\symds.sys
2010-09-23 23:45 . 2010-04-29 05:03 116784 ----a-w- c:\windows\system32\drivers\ironx86.sys
2010-09-23 23:45 . 2010-02-26 00:22 501888 ----a-w- c:\windows\system32\drivers\cchpx86.sys
2010-09-13 17:32 . 2010-09-13 17:32 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 10.0.0.68\SetupAdmin.exe
2010-09-01 02:38 . 2010-07-09 14:26 475136 ------w- c:\documents and settings\All Users\Application Data\Dell\RMC\RMCCreationInfo.exe
2010-09-01 02:38 . 2010-07-02 14:25 60416 ----a-w- c:\documents and settings\All Users\Application Data\Dell\RMC\ZLib1.dll
2010-09-01 02:37 . 2010-08-17 18:10 372736 ------w- c:\documents and settings\All Users\Application Data\Dell\DSL\DSLCheck.exe
2010-08-31 16:11 . 2010-08-31 16:11 3401880 ----a-w- c:\documents and settings\Benjamin J. Park\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
2010-08-31 15:55 . 2010-08-31 15:55 275096 ----a-w- c:\documents and settings\Benjamin J. Park\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-08-31 15:39 . 2010-08-31 15:39 3734536 ----a-w- c:\documents and settings\Benjamin J. Park\Application Data\Mozilla\plugins\Google Talk Plugin Extras\d3dx9_36.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-25 13:55 . 2003-09-07 07:01 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-09-25 13:21 . 2008-12-07 03:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-09-24 18:12 . 2009-12-16 01:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-09-24 18:08 . 2010-09-24 18:08 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-09-24 18:08 . 2010-09-24 18:08 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-09-24 18:07 . 2009-12-28 16:11 -------- d-----w- c:\program files\NortonInstaller
2010-09-24 16:53 . 2009-12-28 16:11 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-09-14 22:20 . 2009-04-28 23:32 -------- d-----w- c:\documents and settings\Benjamin J. Park\Application Data\Free Download Manager
2010-09-13 18:05 . 2007-10-13 05:11 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-13 17:53 . 2003-11-29 18:51 -------- d-----w- c:\program files\iTunes
2010-09-13 17:51 . 2004-04-01 05:30 -------- d-----w- c:\program files\iPod
2010-09-13 17:51 . 2007-09-06 06:51 -------- d-----w- c:\program files\Common Files\Apple
2010-09-13 17:43 . 2003-10-18 20:56 -------- d-----w- c:\program files\QuickTime
2010-09-12 23:25 . 2010-07-20 21:38 452104 ----a-w- c:\documents and settings\Benjamin J. Park\Application Data\Real\Update\setup3.12\setup.exe
2010-09-08 21:52 . 2004-07-06 20:14 -------- d-----w- c:\program files\Lavasoft
2010-09-08 21:52 . 2010-07-03 15:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-09-04 13:29 . 2007-12-17 17:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Dell
2010-08-13 21:56 . 2008-05-11 00:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-08-04 20:17 . 2010-06-09 19:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-08-03 20:19 . 2010-08-03 20:19 -------- d-----w- c:\documents and settings\Benjamin J. Park\Application Data\Tific
2010-07-03 15:17 . 2010-07-03 15:18 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-06-30 12:31 . 2002-09-03 16:58 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-28 19:57 . 2010-03-15 10:37 439816 ----a-w- c:\documents and settings\Benjamin J. Park\Application Data\Real\Update\setup3.10\setup.exe
2006-04-18 05:23 . 2006-04-18 05:24 123392 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2005-01-22 21:04 . 2004-07-27 20:58 56 --sh--r- c:\windows\system32\F14AC3F7D7.sys
2006-12-26 10:28 . 2004-07-27 20:58 11480 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Google Update"="c:\documents and settings\Benjamin J. Park\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-03-30 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-03-18 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-03-18 569344]
"ATIModeChange"="Ati2mdxx.exe" [2002-08-29 28672]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-04-30 327680]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-04-18 158208]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-05-22 180269]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-08-10 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]

c:\documents and settings\Benjamin J. Park\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2008-5-10 546816]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2003-9-7 82026]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
BounceBack Launcher.lnk - c:\program files\CMS Products\BounceBack Express\BBLauncher.exe [2006-10-25 90112]
Google Calendar Sync.lnk - c:\program files\Google\Google Calendar Sync\GoogleCalendarSync.exe [2008-10-2 546288]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]
Wireless-G Notebook Adapter with SpeedBooster Utility.lnk - c:\program files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\Startup.exe [2006-10-3 24576]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"c:\\Program Files\\Outlook Express\\msimn.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\kav\\kav7\\setup.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Documents and Settings\\Benjamin J. Park\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Benjamin J. Park\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\icuii\\ICUII.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1201000.025\SymDS.sys [9/24/2010 2:07 PM 339504]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1201000.025\SymEFA.sys [9/24/2010 2:07 PM 666672]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20100901.003\BHDrvx86.sys [8/31/2010 6:57 PM 692272]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1201000.025\Ironx86.sys [9/24/2010 2:07 PM 134704]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [12/19/2001 3:45 PM 8576]
R2 NICSer_WPC54GS;NICSer_WPC54GS;c:\program files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe [10/3/2006 2:15 PM 455680]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\18.1.0.37\ccSvcHst.exe [9/24/2010 2:07 PM 126904]
R2 portD;CMS PortIO Service;c:\windows\system32\drivers\portd2k.sys [10/25/2006 5:31 PM 7424]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20100924.001\IDSXpx86.sys [9/25/2010 9:29 AM 331640]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/7/2010 8:28 PM 135664]
S2 VAgnt Helper Service;VAgnt Helper Service;c:\windows\system32\XYNTService.exe [4/8/2010 11:43 AM 49152]
S3 SCR131C;SCRx31 Serial Smart Card Reader;c:\windows\system32\drivers\SCR131C.sys [11/7/2002 5:04 AM 181875]
S3 SCR33X USB Smart Card Reader;SCR33X USB Smart Card Reader;c:\windows\system32\drivers\SCR33X2K.sys [4/6/2004 5:24 AM 64088]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - BHDRVX86
*NewlyCreated* - EECTRL
*NewlyCreated* - NAVENG
*NewlyCreated* - NAVEX15
*NewlyCreated* - NIS
*NewlyCreated* - SRTSP
*NewlyCreated* - SRTSPX
*NewlyCreated* - SYMDS
*NewlyCreated* - SYMEFA
*NewlyCreated* - SYMIRON
*Deregistered* - EraserUtilDrv11010
.
Contents of the 'Scheduled Tasks' folder

2010-09-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 16:34]

2010-09-25 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-07 20:12]

2010-09-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-08 00:28]

2010-09-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-08 00:28]

2010-09-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-688789844-725345543-1004Core.job
- c:\documents and settings\Benjamin J. Park\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-30 17:52]

2010-09-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-688789844-725345543-1004UA.job
- c:\documents and settings\Benjamin J. Park\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-30 17:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uLocal Page =
mLocal Page =
uInternet Settings,ProxyOverride = *.local
Trusted Zone: newbienudes.com\www
Trusted Zone: turbotax.com
DPF: ConferenceRoom Java Client - hxxp://irc.theamateurchat.com/java/cr.cab
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Benjamin J. Park\Application Data\Mozilla\Firefox\Profiles\g0zwg4l1.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\program files\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll
FF - plugin: c:\documents and settings\Benjamin J. Park\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Benjamin J. Park\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Benjamin J. Park\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\Benjamin J. Park\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
FF - plugin: c:\program files\Picasa2\npPicasa3.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin9.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-25 10:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\18.1.0.37\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\18.1.0.37\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):c7,18,3d,05,82,8a,b8,a1,59,b9,12,34,68,12,83,d7,aa,54,16,01,4b,
f5,b9,28,14,25,10,a8,0c,d9,f1,33,44,d5,5f,b2,51,12,0d,9f,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2010-09-25 10:05:49
ComboFix-quarantined-files.txt 2010-09-25 14:05
ComboFix2.txt 2010-09-24 02:14

Pre-Run: 7,245,238,272 bytes free
Post-Run: 7,355,019,264 bytes free

- - End Of File - - E76AD156871795A9F04732837CA14E0F


#8 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 25 September 2010 - 01:37 PM

These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs
    1. click on start
    2. then go to settings
    3. after that you need control panel
    4. look for the icon add/remove programs
    click on the following programs

    Adobe Reader 7.1.0
    Java 2 Runtime Environment, SE v1.4.1_02
    Java Web Start
    Viewpoint Media Player


    and click on remove

Update Adobe Reader
    Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions.
    If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.
      If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader (7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

      Note: When installing FoxitReader, be careful not to install anything to do with AskBar.

Your Java is out of date.

It can be updated by the Java control panel
  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup) -> Update Tab -> Update Now.
  • An update should begin;
  • follow the prompts

Clear your Java Cache
  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
        Applications and Applets
        Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

TFC(Temp File Cleaner):
  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :
    Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis
  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

"information and logs"
    In your next post I need the following
    1. Log From MBAM
    2. report from Hijackthis
    3. let me know of any problems you may have had
    4. How is the computer doing now?

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#9 j_hong25 (Topic Starter)

Posted 27 September 2010 - 10:19 PM

Dear Gringo,

Below you will find first my MBAM Log and then my HiJackThis report, respectively.

The only snags I had with following your instructions were updating Java, which I was able to do from their website, and noticing a curious "eBay" icon on my desktop after I removed my previous version of Adobe Acrobat Reader and installed Foxit Reader -- the "eBay" icon referenced a website at http://www.adon-demand.de/red/2303 and seemed odd...so I just manually deleted it! Thought you should know. Thanks!

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4707

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/27/2010 11:10:35 PM
mbam-log-2010-09-27 (23-10-35).txt

Scan type: Quick scan
Objects scanned: 167116
Time elapsed: 14 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:13:34 PM, on 9/27/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton 360\Engine\4.2.0.12\ccSvcHst.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\XYNTService.exe
C:\WINDOWS\System32\VService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Norton 360\Engine\4.2.0.12\ccSvcHst.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\OdHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\4.2.0.12\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\4.2.0.12\IPSBHO.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\4.2.0.12\coIEPlg.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Benjamin J. Park\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: BounceBack Launcher.lnk = ?
O4 - Global Startup: Google Calendar Sync.lnk = C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: Wireless-G Notebook Adapter with SpeedBooster Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\Startup.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.newbienudes.com
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: ConferenceRoom Java Client - http://irc.theamateurchat.com/java/cr.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124820645406
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers...ll/pinstall.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124820631734
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/zuma/popcaploader_v5.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bri21crmsd - Apple Inc. - (no file)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe
O23 - Service: NICSer_WPC54GS - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter with SpeedBooster\NICServ.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: VAgnt Helper Service - Unknown owner - C:\WINDOWS\system32\XYNTService.exe

--
End of file - 10939 bytes






#10 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 27 September 2010 - 10:26 PM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded startup entries:

This part of the fix is purely optional.
These are programs that start up when you turn on your computer but don't need to; you can start any of them from their icons (or from the Control Panel) when you need them. By stopping these programs you will boot up faster and your computer will work faster.
  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):
      O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
      O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
      O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
      O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
      O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
      O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
      O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
      O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
      O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
      O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
      O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
      O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Benjamin J. Park\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
      O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
      O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
      O4 - Global Startup: BounceBack Launcher.lnk = ?
      O4 - Global Startup: Google Calendar Sync.lnk = C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
      O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

      NOTE** You can research each of those lines here and see if you want to keep them or not;
      just copy the name between the brackets and paste it into the search space:
      O4 - HKLM\..\Run: [IntelliPoint]


Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan - Vista and Win 7: right click on the IE shortcut and run as admin

Go to the ESET web page to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
      Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic

Gringo


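A small triage script for the HijackThis log posted above and for the startup cleanup in this post, as an added example rather than code from the thread, from HijackThis or from Trend Micro. It groups the `Oxx` entries by section, lists every O4 autostart (the set the optional "Fix checked" step chooses from), and flags the lines a reviewer would check first: O15 Trusted Zone additions, O16 ActiveX downloads, O23 services with no file or an unknown owner, and O4 shortcuts whose target HijackThis could not resolve. The sample log is a constructed excerpt of the one posted above; decoding the `{CAFEEFAC-...}` CLSID into a Java version relies on the Sun plug-in's CLSID convention, which is an assumption checked here only against the 1.4.1_02 entry in the log.

```python
"""Section-by-section triage of a HijackThis v2 log.

Added example for this thread; it is not code from HijackThis, Trend Micro or
the helpers here.  SAMPLE_LOG is a constructed excerpt of the log posted above.
The Java CLSID decoding assumes the Sun plug-in convention
{CAFEEFAC-00AB-00CD-00EF-ABCDEFFEDCBA} -> A.B.C_EF.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
Platform: Windows XP SP3 (WinNT 5.01.2600)
Running processes:
C:\WINDOWS\System32\smss.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - Global Startup: BounceBack Launcher.lnk = ?
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/zuma/popcaploader_v5.cab
O23 - Service: Bri21crmsd - Apple Inc. - (no file)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# One HijackThis entry: section tag, " - ", body.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+)\s+-\s+(?P<body>.*)$")

# Sun Java plug-in CLSID; the digit pairs carry the version (assumed convention).
JAVA_CLSID_RE = re.compile(
    r"\{CAFEEFAC-00(?P<major>\d)(?P<minor>\d)-00(?P<micro>\d\d)-00(?P<update>\d\d)-ABCDEFFEDCBA\}",
    re.IGNORECASE,
)


def parse_entries(log_text):
    """Group entry bodies by section tag (O4, O15, O16, O23, ...)."""
    sections = defaultdict(list)
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            sections[m["section"]].append(m["body"])
    return dict(sections)


def java_version_from_clsid(text):
    """Return the JRE version encoded in a CAFEEFAC CLSID, or None."""
    m = JAVA_CLSID_RE.search(text)
    if not m:
        return None
    return f"{m['major']}.{m['minor']}.{int(m['micro'])}_{m['update']}"


def autostarts(log_text):
    """Every O4 entry: the candidates the optional 'Fix checked' cleanup picks from."""
    return parse_entries(log_text).get("O4", [])


def triage(log_text):
    """Return (reason, entry) pairs for the lines that merit a manual look."""
    sections = parse_entries(log_text)
    findings = []
    for body in sections.get("O4", []):
        if body.endswith("= ?"):  # shortcut whose target HijackThis could not resolve
            findings.append(("O4 autostart with unresolved target", body))
    for body in sections.get("O15", []):  # sites granted IE Trusted Zone privileges
        findings.append(("O15 trusted zone entry", body))
    for body in sections.get("O16", []):  # ActiveX controls installed from the web
        version = java_version_from_clsid(body)
        reason = "O16 ActiveX download" + (f" (Java {version})" if version else "")
        findings.append((reason, body))
    for body in sections.get("O23", []):  # services: binary missing or vendor unreadable
        if body.endswith("(no file)") or " - Unknown owner - " in body:
            findings.append(("O23 service with no file or unknown owner", body))
    return findings


if __name__ == "__main__":
    for reason, entry in triage(SAMPLE_LOG):
        print(f"{reason}: {entry}")
```

Run it as a script to print the findings, or import it and call `triage()` on a complete log. "Unknown owner" only means HijackThis could not read the vendor field of the binary (Ati2evxx.exe is the ATI hotkey poller listed in the log), so the flags are a worklist for the analyst, not verdicts.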

#11 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 30 September 2010 - 05:57 PM

Hello

Three day bump

It has been three days since my last post.
  • Do you still need help with this?
  • Do you need more time?
  • Are you having problems following my instructions?
  • If after 48 hrs you have not replied to this thread then it will have to be closed!

Gringo


#12 j_hong25 (Topic Starter)

Posted 30 September 2010 - 07:45 PM

Dear Gringo,

I was able to complete the first step in your last reply -- removing unneeded startup entries. I've been wanting to do that for the longest time since my computer takes eons to start up. So that was successfully accomplished.

Unfortunately, I've still been trying to tackle completing the ESET Online Scanner. I may be doing something wrong, but perhaps you can tell me...

The first time I tried to run the scan, it was moving along pretty well. Then at around 9% completion, it stalled and I waited over 2 hours while it seemed to be scanning one file.

I tried again yesterday and the same stall happened at around 51%. But I had to do some other work on my computer, so I stopped the scan and closed out of the site.

Today I attempted for the third time and it stalled at around 38%. I also noticed right after I stopped, my internet connection was noticeably slower.

During all attempts I also disabled my Norton 360 auto-protect, and received the warning that I was "At Risk." But I did so at the recommendation of your instructions to stop all auto-scans during the ESET Scan. Could I have been attacked during that time?

I will try scanning again, this time keeping my Norton 360 intact.

Here's hoping for the best!



#13 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 30 September 2010 - 09:44 PM

Hello

Sounds like something is interfering, but let's try this one.

:Kaspersky scan:
    Please go to Kaspersky website and perform an online antivirus scan.
    • Read through the requirements and privacy statement and click on Accept button.
    • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    • When the downloads have finished, click on Settings.
    • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
        Spyware, Adware, Dialers, and other potentially dangerous programs
        Archives
        Mail databases
    • Click on My Computer under Scan.
    • Once the scan is complete, it will display the results. Click on View Scan Report.
    • You will see a list of infected items there. Click on Save Report As....
    • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
    • Please post this log in your next reply.



Gringo

#14 j_hong25 (Topic Starter)

Posted 30 September 2010 - 10:33 PM

Dear Gringo,

My previous excuses were preemptive and I replied in haste.
I was able to complete the ESET scan with my Norton 360 Antivirus scan disabled.

My apologies!

Here is the log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=aadd4731241f3c49af1a31b81b906a7e
# end=stopped
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-09-28 07:53:26
# local_time=2010-09-28 03:53:26 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=3589 16777189 100 86 0 48980870 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=1320
# found=1
# cleaned=0
# scan_time=1032
C:\AOL Instant Messenger\AIM.exe Win32/Adware.WBug.A application 00000000000000000000000000000000 I
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=aadd4731241f3c49af1a31b81b906a7e
# end=stopped
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-09-30 11:36:18
# local_time=2010-09-30 07:36:18 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=3589 16777189 100 86 182503 49166430 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=6738
# found=2
# cleaned=0
# scan_time=1645
C:\AOL Instant Messenger\AIM.exe Win32/Adware.WBug.A application 00000000000000000000000000000000 I
C:\Documents and Settings\Benjamin J. Park\.jpi_cache\file\1.0\SecurityClassLoader.class-6fd9f626-7aff2112.class Win32/Adware.CWS.gen application 00000000000000000000000000000000 I
esets_scanner_update returned -1 esets_gle=53251
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=aadd4731241f3c49af1a31b81b906a7e
# end=stopped
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-09-30 11:56:36
# local_time=2010-09-30 07:56:36 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=3589 16777189 100 86 184341 49168268 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=4089
# found=1
# cleaned=0
# scan_time=1025
C:\AOL Instant Messenger\AIM.exe Win32/Adware.WBug.A application 00000000000000000000000000000000 I
esets_scanner_update returned -1 esets_gle=53251
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=aadd4731241f3c49af1a31b81b906a7e
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-10-01 03:22:54
# local_time=2010-09-30 11:22:54 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=3589 16777173 100 86 188421 49172348 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=125565
# found=8
# cleaned=0
# scan_time=9322
C:\AOL Instant Messenger\AIM.exe Win32/Adware.WBug.A application 00000000000000000000000000000000 I
C:\Documents and Settings\Benjamin J. Park\.jpi_cache\file\1.0\SecurityClassLoader.class-6fd9f626-7aff2112.class Win32/Adware.CWS.gen application 00000000000000000000000000000000 I
C:\Documents and Settings\Benjamin J. Park\Application Data\Microsoft\Internet Explorer\Quick Launch\eBay.url Win32/Adware.ADON application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\PROGRA~1\AWS\WEATHE~1\MINIBU~1.DLL.vir Win32/Adware.WBug.A application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\afd.sys.vir Win32/Olmarik.ZC trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{D6C446ED-B00F-44C6-8A77-FA2FB91DCBAC}\RP200\A0064073.dll probably a variant of Win32/Agent.HNCJWDG trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{D6C446ED-B00F-44C6-8A77-FA2FB91DCBAC}\RP201\A0066584.sys Win32/Olmarik.ZC trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{D6C446ED-B00F-44C6-8A77-FA2FB91DCBAC}\RP201\A0066654.dll Win32/Adware.WBug.A application 00000000000000000000000000000000 I


#15 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 30 September 2010 - 10:41 PM

Greetings

There are some things in the online scan I want to remove, so run this script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

CODE
File::
C:\Documents and Settings\Benjamin J. Park\.jpi_cache\file\1.0\SecurityClassLoader.class-6fd9f626-7aff2112.class
C:\Documents and Settings\Benjamin J. Park\Application Data\Microsoft\Internet Explorer\Quick Launch\eBay.url


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt onto ComboFix.exe

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

"information and logs"
    In your next post I need the following
    1. report from Combofix
    2. let me know of any problems you may have had
    3. How is the computer doing now after running the script?

Gringo



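Drafting the ComboFix script from the ESET log, as an added example that is not code from ESET, ComboFix or the thread. It splits the log into scan runs (the log posted above holds four, three of which stopped early), parses each detection line, separates live files from copies in C:\Qoobox\Quarantine (ComboFix's quarantine) and System Volume Information (System Restore snapshots), and renders the remaining paths as a CFScript `File::` block. The sample is a constructed excerpt of two of those runs; the parsing rules (`# key=value` header lines, a detection line ending in threat name, kind, a 32-digit hash and a flag, threat names containing a `/`, Windows paths not) are assumptions read off that log, not an ESET format specification.

```python
"""Parse ESET Online Scanner logs and draft the ComboFix CFScript 'File::' block.

Added example for this thread; it is not code from ESET, ComboFix or the
helpers here.  SAMPLE_LOG is a constructed excerpt of the ESET log posted
above.  The parsing rules are assumptions read off that log: header lines are
'# key=value', a detection line ends in '<threat> <kind> <32 hex digits> <flag>',
threat names contain a '/', and Windows paths do not.
"""
import re

SAMPLE_LOG = r"""ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# end=stopped
# remove_checked=false
# utc_time=2010-09-30 11:36:18
# scanned=6738
# found=2
C:\AOL Instant Messenger\AIM.exe Win32/Adware.WBug.A application 00000000000000000000000000000000 I
C:\Documents and Settings\Benjamin J. Park\.jpi_cache\file\1.0\SecurityClassLoader.class-6fd9f626-7aff2112.class Win32/Adware.CWS.gen application 00000000000000000000000000000000 I
esets_scanner_update returned -1 esets_gle=53251
# version=7
# end=finished
# remove_checked=false
# utc_time=2010-10-01 03:22:54
# country="United States"
# scanned=125565
# found=8
# cleaned=0
C:\AOL Instant Messenger\AIM.exe Win32/Adware.WBug.A application 00000000000000000000000000000000 I
C:\Documents and Settings\Benjamin J. Park\.jpi_cache\file\1.0\SecurityClassLoader.class-6fd9f626-7aff2112.class Win32/Adware.CWS.gen application 00000000000000000000000000000000 I
C:\Documents and Settings\Benjamin J. Park\Application Data\Microsoft\Internet Explorer\Quick Launch\eBay.url Win32/Adware.ADON application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\PROGRA~1\AWS\WEATHE~1\MINIBU~1.DLL.vir Win32/Adware.WBug.A application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\afd.sys.vir Win32/Olmarik.ZC trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{D6C446ED-B00F-44C6-8A77-FA2FB91DCBAC}\RP200\A0064073.dll probably a variant of Win32/Agent.HNCJWDG trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{D6C446ED-B00F-44C6-8A77-FA2FB91DCBAC}\RP201\A0066584.sys Win32/Olmarik.ZC trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{D6C446ED-B00F-44C6-8A77-FA2FB91DCBAC}\RP201\A0066654.dll Win32/Adware.WBug.A application 00000000000000000000000000000000 I
"""

HEADER_PREFIX = "# "

# '<path> <threat> <kind> <hash> <flag>': the path is matched non-greedily, so it
# stops at the first token that looks like an ESET threat name (one with a '/').
DETECTION_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<threat>(?:probably\s+)?(?:a\s+variant\s+of\s+)?\S+/\S+)\s+"
    r"(?P<kind>\S+)\s+"
    r"(?P<hash>[0-9A-Fa-f]{32})\s+"
    r"(?P<flag>\S+)$"
)

# Locations whose hits are copies rather than live files: ComboFix's quarantine
# and the System Restore snapshots.
ARCHIVED_PREFIXES = ("c:\\qoobox\\quarantine\\", "c:\\system volume information\\")


def parse_runs(log_text):
    """Split the log into scan runs, each with its header dict and detections."""
    runs, current = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("# version="):  # every run begins with this header
            current = {"meta": {}, "detections": []}
            runs.append(current)
        if current is None:
            continue
        if line.startswith(HEADER_PREFIX):
            key, _, value = line[len(HEADER_PREFIX):].partition("=")
            current["meta"][key] = value.strip('"')
            continue
        m = DETECTION_RE.match(line)
        if m:
            current["detections"].append(m.groupdict())
    return runs


def live_detections(run):
    """Detections still in a live path (quarantine and restore-point copies dropped)."""
    return [d for d in run["detections"]
            if not d["path"].lower().startswith(ARCHIVED_PREFIXES)]


def draft_cfscript(run):
    """Render a CFScript 'File::' block for the live detections; review before use."""
    lines = ["File::"] + [d["path"] for d in live_detections(run)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    final = parse_runs(SAMPLE_LOG)[-1]
    meta = final["meta"]
    print(f"run ended '{meta['end']}': found={meta['found']}, parsed={len(final['detections'])}")
    print(draft_cfscript(final))
```

The draft lists three live paths, one more than the helper put in the script: the AIM.exe hit carries the same Win32/Adware.WBug.A name that ESET gave the WeatherBug DLL already sitting in ComboFix's quarantine, and the helper left it out. The output is a starting point for that judgement call, not a replacement for it; the restore-point copies are dealt with by purging System Restore later, not through CFScript.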



