leftover problems from internet security 2011


  • This topic is locked
24 replies to this topic

#1 steve42day

steve42day

  • Members
  • 24 posts
  • OFFLINE
  • Gender:Male
  • Location:New Jersey
  • Local time:12:29 AM

Posted 02 March 2011 - 10:32 PM

I’m working on (my father-in-law’s) pretty old Dell desktop.

He was hit with Internet Security 2011 malware. It gave me quite a hard time.

In desperation I went into the registry and deleted several entries associated with the malware as per a help site I found. I looked at a dozen different sites including bleepingcomputer.

Then I finally used a fresh copy of Malwarebytes (downloaded on my own laptop and transferred over with a flash drive). I ran it but it didn’t seem to find anything. Perhaps because I had pulled out several components already.

I also ran ComboFix which seemed to help(?)

Anyway, I ran updated versions of Malwarebytes and Spybot S&D. Spybot came up with a few items which I “fixed” with Spybot.

However, it looks like several of the programs, including Norton 360, are blocked. I was able to clear the block from Malwarebytes using the cacls command.

I was not able to clear Spybot because I could not figure out how to type “Spybot – Search & Destroy” with the command prompt. I am also having trouble with Norton, and who knows what else may have been affected.

At this point I don’t know what’s left in there. I fear there may be ‘pieces’ of the original malware. Additionally, I need to correct all the permissions it changed and I’m not sure how to find them (and correct them).

I read the preparation guide, downloaded the files, moved them to the desktop and ran them and saved the logs.

BTW, the computer is not connected to the internet at this time.

Thanks for your help!
Steve

Attached Files
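The cacls step in the post above, worked through as an added example (this script is not from the thread, from BleepingComputer, or from any of the tools mentioned): a small cmd script that lists a program folder's ACL, removes one principal's entries and re-grants the usual Administrators/SYSTEM/Users entries with cacls, the same tool the post used. It assumes the folder name ComboFix lists for this machine later in the thread (c:\program files\Spybot - Search & Destroy, written with a plain hyphen); the script name, the argument handling and the default principal are constructed for the example. Double quotes around the path are what make the spaces and the ampersand typeable at the prompt.

```batch
@echo off
rem fixacl.cmd -- added example, not from the thread or from any tool in it.
rem Restores standard permissions on a program folder with cacls (the tool
rem the original post used). Run from an administrator command prompt on XP.
rem Usage:  fixacl.cmd ["folder"] [principal-to-revoke]
setlocal

rem Default folder: the name ComboFix lists for this machine. The dash is a
rem plain hyphen; double quotes make the spaces and the '&' typeable.
set "TARGET=C:\Program Files\Spybot - Search & Destroy"
if not "%~1"=="" set "TARGET=%~1"

rem Principal whose entries are removed before re-granting. Pick the one the
rem listing below shows with a (DENY) marker; "Everyone" is only a default.
set "REVOKE=Everyone"
if not "%~2"=="" set "REVOKE=%~2"

if not exist "%TARGET%\" (
    echo Folder not found: "%TARGET%"
    exit /b 1
)

echo === Permissions before repair on "%TARGET%" ===
cacls "%TARGET%"

rem /T = whole tree, /E = edit the ACL instead of replacing it,
rem /C = continue past access-denied errors.
rem Grants under /E are additive, so an existing Deny entry would still win:
rem remove that principal's entries first, then grant the usual ones.
cacls "%TARGET%" /T /E /C /R "%REVOKE%"
cacls "%TARGET%" /T /E /C /G Administrators:F SYSTEM:F Users:R

echo === Permissions after repair ===
cacls "%TARGET%"
endlocal
```

Run it with no arguments for the default folder, or point it at another folder from the same log, e.g. `fixacl.cmd "C:\Program Files\Norton 360"`. Compare the before and after listings: the goal is the standard XP entries (Administrators and SYSTEM full control, Users read) and no remaining Deny entry on the program's own folder.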





#2 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts
  • OFFLINE
  • Gender:Male
  • Location:The Collective
  • Local time:12:29 AM

Posted 10 March 2011 - 05:01 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log



Thanks and again sorry for the delay.

Best Regards,
oneof4.


#3 steve42day

steve42day
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Gender:Male
  • Location:New Jersey
  • Local time:12:29 AM

Posted 12 March 2011 - 11:49 AM

First let me thank you for your assistance.

BTW, I’m communicating via a different computer than the one that is having problems (I transfer files via a flash drive).

Taking your points one at a time:

1: I have not fixed the problem yet
2: I’m able to create a log
3: I do NOT have the original windows CD
4: trying now
5: I think I’ve done that in the original post, let me know if you need more details
6: ok
7: will attach fresh versions of the logs

Thanks again!
Steve
Attached File  DD 3-11S.txt   19.1KB   2 downloads
Attached File  Attach 3-11.txt   7.25KB   1 downloads
Attached File  defogger_disable 3-11.log   470bytes   0 downloads
Attached File  ark 3-11.txt   8.41KB   0 downloads

#4 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:07:29 AM

Posted 13 March 2011 - 04:48 AM

Hi,

ComboFix should be run only under the supervision of a trained helper. Please post the log of that older run (c:\ComboFix.txt contents).

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the corresponding user's case only. If you have similar symptoms, please create your own topic instead of following instructions given to someone else.


#5 steve42day

steve42day
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Gender:Male
  • Location:New Jersey
  • Local time:12:29 AM

Posted 13 March 2011 - 02:06 PM

thank you, I'll be patient
here's the log:

ComboFix 11-02-23.08 - DOUG 03/02/2011 17:15:37.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.194 [GMT -5:00]
Running from: c:\documents and settings\DOUG\Desktop\ComboFix.exe
AV: Spyware Doctor with AntiVirus *Disabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2011-02-02 to 2011-03-02 )))))))))))))))))))))))))))))))
.

2011-02-24 21:55 . 2011-02-24 21:58 -------- d-----w- c:\program files\TweakNow RegCleaner 2011
2011-02-24 19:33 . 2011-02-24 21:14 -------- d-----w- c:\program files\Stevebot
2011-02-24 18:17 . 2011-02-24 18:55 -------- d-----w- c:\documents and settings\Steve
2011-02-24 00:02 . 2004-03-09 06:00 124688 ----a-w- c:\windows\system32\MSWinSck.ocx
2011-02-24 00:02 . 2011-02-24 00:02 -------- d-----w- c:\program files\Common Files\eSellerate
2011-02-24 00:02 . 2007-06-08 18:53 1753088 ----a-w- c:\windows\system32\ExGrid.dll
2011-02-24 00:02 . 2007-06-05 15:20 602112 ----a-w- c:\windows\system32\ExMenu.dll
2011-02-24 00:02 . 2007-06-05 15:19 516096 ----a-w- c:\windows\system32\ExTab.dll
2011-02-24 00:02 . 2007-04-03 21:51 614400 ----a-w- c:\windows\system32\ExButton.dll
2011-02-24 00:02 . 2007-04-03 21:51 307200 ----a-w- c:\windows\system32\ExPMenu.dll
2011-02-24 00:02 . 2005-10-11 19:40 356352 ----a-w- c:\windows\system32\eSellerateEngine.dll
2011-02-24 00:02 . 2005-10-04 13:11 118784 ----a-w- c:\windows\system32\eWebControl.dll
2011-02-24 00:02 . 1998-04-24 05:00 368912 ----a-w- c:\windows\system32\vbar332.dll
2011-02-24 00:02 . 2011-02-24 00:02 -------- d-----w- c:\program files\AnswersThatWork
2011-02-22 23:29 . 2011-02-24 19:31 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-02-22 23:27 . 2011-02-24 22:31 -------- d-----w- C:\Temp Download
2011-02-22 23:22 . 2011-02-22 23:34 -------- d-----w- c:\program files\steve
2011-02-22 22:08 . 2011-02-22 22:08 1409 ----a-w- c:\windows\QTFont.for
2011-02-22 21:53 . 2011-02-22 21:53 -------- d-----w- c:\documents and settings\DOUG\Local Settings\Application Data\Threat Expert
2011-02-22 19:33 . 2011-02-22 19:33 -------- d-----w- c:\windows\system32\N360_BACKUP
2011-02-22 19:22 . 2011-03-02 22:07 -------- d-----w- c:\program files\Symantec
2011-02-22 19:22 . 2011-03-02 22:07 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-02-22 19:22 . 2011-03-02 22:07 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-02-22 19:21 . 2011-02-22 19:22 -------- d-----w- c:\windows\system32\drivers\N360\0401000.020
2011-02-22 19:19 . 2011-02-22 19:19 -------- d-----w- c:\program files\Norton 360
2011-02-22 19:15 . 2011-02-22 20:16 -------- d-----w- c:\program files\NortonInstaller
2011-02-22 00:26 . 2011-02-22 00:28 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2011-02-21 23:30 . 2011-02-21 23:41 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-02-21 23:13 . 2011-01-07 19:54 767952 ----a-w- c:\windows\BDTSupport.dll0219.old
2011-02-21 23:13 . 2011-01-07 19:54 149456 ----a-w- c:\windows\SGDetectionTool.dll0219.old
2011-02-21 23:13 . 2011-01-07 19:54 2000848 ----a-w- c:\windows\PCTBDCore.dll0219.old
2011-02-21 23:11 . 2011-02-24 00:22 -------- d-----w- c:\program files\PC Tools Security
2011-02-21 23:05 . 2011-02-24 00:20 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2011-02-21 22:46 . 2011-02-21 22:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\Sammsoft
2011-02-21 22:46 . 2011-02-21 22:46 -------- d-----w- c:\program files\MemTurbo 4
2011-02-21 22:46 . 2011-02-21 22:46 -------- d-----w- c:\program files\ARO 2011
2011-02-21 22:13 . 2011-02-21 22:13 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2011-02-15 17:45 . 2011-02-15 17:45 -------- d-----w- C:\~ErdUserProfile.$$$
2011-02-15 17:17 . 2011-02-15 17:17 -------- d-----w- C:\symbols
2011-02-14 20:23 . 2011-02-15 00:14 -------- d-----w- C:\MRI_PE_TEMP
2011-02-14 19:22 . 2011-02-14 19:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Geek Squad
2011-02-14 16:37 . 2007-03-09 03:43 92592 ----a-w- c:\windows\system32\MSDartCmn.dll
2011-02-14 16:37 . 2007-03-09 03:43 61872 ----a-w- c:\windows\system32\MsDartSR.exe
2011-02-14 16:36 . 2011-02-15 17:21 -------- d-----w- C:\ErdUndoCache
2011-02-11 15:46 . 2011-02-24 21:13 -------- d-----w- c:\program files\Registry Easy
2011-02-01 18:14 . 2011-02-01 18:14 -------- d-----w- c:\documents and settings\DOUG\Local Settings\Application Data\Borders Desktop
2011-02-01 18:08 . 2011-02-01 18:11 -------- d-----w- c:\program files\Borders Desktop

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-21 14:44 . 2002-08-29 10:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2002-08-29 10:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2008-09-21 00:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2002-08-29 10:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2004-08-24 00:32 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2002-08-29 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2002-08-29 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 23:09 . 2011-01-21 16:11 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2011-01-21 16:11 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-20 17:26 . 2008-09-21 00:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2010-12-13 17:51 . 2010-12-13 17:51 37376 ----a-w- c:\windows\system32\libusb0.dll
2010-12-13 17:51 . 2010-12-13 17:51 21504 ----a-w- c:\windows\system32\drivers\libusb0.sys
2010-12-09 15:15 . 2008-09-21 00:00 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2008-09-21 00:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42 . 2008-09-21 00:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2008-09-21 00:00 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-02-03 17:45 . 2008-09-28 15:47 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2009-02-03 17:45 . 2008-09-28 15:47 126360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2008-09-28 15:47 . 2008-09-28 15:47 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 172032]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 32881]
"Pure Networks Port Magic"="c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-04-05 99480]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
"Omnipage"="c:\program files\ScanSoft\OmniPageSE\opware32.exe" [2002-06-03 49152]
"MMTray"="c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe" [2006-01-19 110592]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~2\mimboot.exe" [2006-01-19 11776]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-12-06 50688]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-02-23 278528]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"HostManager"="c:\program files\Common Files\AOL\1102893793\EE\AOLHostManager.exe" [2008-06-24 14688]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-06-19 202256]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2010-06-19 488968]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-06-24 282624]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2005-09-20 77824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
MemTurbo.lnk - c:\program files\MemTurbo 4\MemTurbo.exe [2011-2-21 3121760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^DOUG^Start Menu^Programs^Startup^wkcalrem.LNK]
backup=c:\windows\pss\wkcalrem.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"WinDefend"=2 (0x2)
"Rx2Engine"=3 (0x3)
"Rx2Agent"=2 (0x2)
"MyWebSearchService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\SYSTEM32\\fxsclnt.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1102893793\\ee\\aolservicehost.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\1102893793\\EE\\aolsoftware.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\ScanSoft\\OmniPageSE\\EregEng\\NAVBrowser.exe"=

R0 SymDS;Symantec Data Store;c:\windows\SYSTEM32\DRIVERS\N360\0401000.020\symds.sys [2/22/2011 2:22 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\SYSTEM32\DRIVERS\N360\0401000.020\symefa.sys [2/22/2011 2:22 PM 172592]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20110114.001\BHDrvx86.sys [1/14/2011 3:02 AM 691248]
R1 ccHP;Symantec Hash Provider;c:\windows\SYSTEM32\DRIVERS\N360\0401000.020\cchpx86.sys [2/22/2011 2:22 PM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\SYSTEM32\DRIVERS\N360\0401000.020\ironx86.sys [2/22/2011 2:22 PM 116784]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/22/2011 2:42 PM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20110218.003\IDSXpx86.sys [2/22/2011 2:43 PM 341944]
S1 MpKsl00654408;MpKsl00654408;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BABE0FA6-BCDF-4BD0-AD4B-6331C8B05D84}\MpKsl00654408.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BABE0FA6-BCDF-4BD0-AD4B-6331C8B05D84}\MpKsl00654408.sys [?]
S1 MpKsl519f04ce;MpKsl519f04ce;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3BA20B6C-8B5D-4A0D-88A0-8302C7FE7E14}\MpKsl519f04ce.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3BA20B6C-8B5D-4A0D-88A0-8302C7FE7E14}\MpKsl519f04ce.sys [?]
S1 MpKsl78ef075a;MpKsl78ef075a;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E548C4F5-47B3-41F8-BEB8-5C07FB7EA494}\MpKsl78ef075a.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E548C4F5-47B3-41F8-BEB8-5C07FB7EA494}\MpKsl78ef075a.sys [?]
S1 MpKslc6e8a24b;MpKslc6e8a24b;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CEC65EB3-63C9-48F4-9415-1DDAD6F1F487}\MpKslc6e8a24b.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CEC65EB3-63C9-48F4-9415-1DDAD6F1F487}\MpKslc6e8a24b.sys [?]
S1 MpKsle2efea6c;MpKsle2efea6c;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{76631FA2-2E57-4D0E-927B-E7B7689DDA04}\MpKsle2efea6c.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{76631FA2-2E57-4D0E-927B-E7B7689DDA04}\MpKsle2efea6c.sys [?]
S1 SASDIFSV;SASDIFSV;\??\c:\documents and settings\DOUG\Desktop\Super\SASDIFSV.SYS --> c:\documents and settings\DOUG\Desktop\Super\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\documents and settings\DOUG\Desktop\Super\SASKUTIL.sys --> c:\documents and settings\DOUG\Desktop\Super\SASKUTIL.sys [?]
S2 gupdate1ca3bc162850b76;Google Update Service (gupdate1ca3bc162850b76);c:\program files\Google\Update\GoogleUpdate.exe [9/22/2009 3:15 PM 133104]
S2 N360;Norton 360;c:\program files\Norton 360\Engine\4.1.0.32\ccsvchst.exe [2/22/2011 2:21 PM 126392]
S3 SASENUM;SASENUM;\??\c:\documents and settings\DOUG\Desktop\Super\SASENUM.SYS --> c:\documents and settings\DOUG\Desktop\Super\SASENUM.SYS [?]
S3 vbma1a24;Virtual Bus for Microsoft ACPI-Compliant System; [x]
.
Contents of the 'Scheduled Tasks' folder

2011-03-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-22 20:14]

2011-03-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-22 20:14]

2011-03-02 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2747982992-3001940826-1557354672-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2011-03-02 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2747982992-3001940826-1557354672-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2011-03-02 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2747982992-3001940826-1557354672-1011.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2011-02-22 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2747982992-3001940826-1557354672-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2011-02-19 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2747982992-3001940826-1557354672-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2011-02-24 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2747982992-3001940826-1557354672-1011.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2011-03-02 c:\windows\Tasks\User_Feed_Synchronization-{8F8F0198-6D65-4067-A591-C200634A7CE7}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
Handler: ms-its51 - {F6F1E82D-DE4D-11D2-875C-0000F8105754} - c:\program files\Common Files\Microsoft Shared\Information Retrieval\itss51.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\DOUG\Application Data\Mozilla\Firefox\Profiles\ycm4vp90.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2319576&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Free TV Bar Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: Norton IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn
FF - Ext: Norton Toolbar: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62} - c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\coFFPlgn
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-02 17:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\4.1.0.32\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\4.1.0.32\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2380)
c:\windows\system32\WININET.dll
c:\program files\ScanSoft\OmniPageSE\ophook32.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-03-02 17:23:53
ComboFix-quarantined-files.txt 2011-03-02 22:23
ComboFix2.txt 2011-02-24 16:28
ComboFix3.txt 2011-01-21 16:04

Pre-Run: 10,962,116,608 bytes free
Post-Run: 10,977,566,720 bytes free

- - End Of File - - 4CCA54D10AA3CC60D1B7B7E7500E85BF

#6 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:07:29 AM

Posted 13 March 2011 - 02:55 PM

Hi,

Since ComboFix was run multiple times, I need to see the other ComboFix log. ComboFix3.txt (in the c:\qoobox or c:\combofix folder) should be the correct one.



#7 steve42day

steve42day
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Gender:Male
  • Location:New Jersey
  • Local time:12:29 AM

Posted 13 March 2011 - 03:19 PM

I found several files under the qoobox folder: combofix2.txt, combofix3.txt, ComboFix-quarantined-files.txt and Add-Remove Programs.txt. I’ve attached them all here.

Thanks again,

Attached File  ComboFix2.txt   25.08KB   1 downloads
Attached File  ComboFix3.txt   22.82KB   1 downloads
Attached File  ComboFix-quarantined-files.txt   11.41KB   1 downloads
Attached File  Add-Remove Programs.txt   5.67KB   1 downloads

#8 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:07:29 AM

Posted 14 March 2011 - 04:27 AM

Hi,

Re-run ComboFix and let it update itself. Post back the report + a description of remaining issues.



#9 steve42day

steve42day
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Gender:Male
  • Location:New Jersey
  • Local time:12:29 AM

Posted 14 March 2011 - 08:25 AM

Thanks again,

I downloaded version 11-03-5.01 this morning. When I ran it a window popped up saying Combofix has expired, click yes to run in reduced functionality. I clicked Yes:


ComboFix 11-03-05.01 - DOUG 03/14/2011 9:13.4.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.191 [GMT -4:00]
Running from: c:\documents and settings\DOUG\Desktop\ComboFix.exe
AV: Spyware Doctor with AntiVirus *Disabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
.
- REDUCED FUNCTIONALITY MODE -
.
.
((((((((((((((((((((((((( Files Created from 2011-02-14 to 2011-03-14 )))))))))))))))))))))))))))))))
.
.
2011-03-02 23:24 . 2011-03-02 23:24 -------- d--h--w- c:\windows\PIF
2011-02-24 21:55 . 2011-02-24 21:58 -------- d-----w- c:\program files\TweakNow RegCleaner 2011
2011-02-24 19:33 . 2011-02-24 21:14 -------- d-----w- c:\program files\Stevebot
2011-02-24 18:17 . 2011-02-24 18:55 -------- d-----w- c:\documents and settings\Steve
2011-02-24 00:02 . 2004-03-09 06:00 124688 ----a-w- c:\windows\system32\MSWinSck.ocx
2011-02-24 00:02 . 2011-02-24 00:02 -------- d-----w- c:\program files\Common Files\eSellerate
2011-02-24 00:02 . 2007-06-08 18:53 1753088 ----a-w- c:\windows\system32\ExGrid.dll
2011-02-24 00:02 . 2007-06-05 15:20 602112 ----a-w- c:\windows\system32\ExMenu.dll
2011-02-24 00:02 . 2007-06-05 15:19 516096 ----a-w- c:\windows\system32\ExTab.dll
2011-02-24 00:02 . 2007-04-03 21:51 614400 ----a-w- c:\windows\system32\ExButton.dll
2011-02-24 00:02 . 2007-04-03 21:51 307200 ----a-w- c:\windows\system32\ExPMenu.dll
2011-02-24 00:02 . 2005-10-11 19:40 356352 ----a-w- c:\windows\system32\eSellerateEngine.dll
2011-02-24 00:02 . 2005-10-04 13:11 118784 ----a-w- c:\windows\system32\eWebControl.dll
2011-02-24 00:02 . 1998-04-24 05:00 368912 ----a-w- c:\windows\system32\vbar332.dll
2011-02-24 00:02 . 2011-02-24 00:02 -------- d-----w- c:\program files\AnswersThatWork
2011-02-22 23:29 . 2011-02-24 19:31 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-02-22 23:27 . 2011-02-24 22:31 -------- d-----w- C:\Temp Download
2011-02-22 23:22 . 2011-02-22 23:34 -------- d-----w- c:\program files\steve
2011-02-22 22:08 . 2011-02-22 22:08 1409 ----a-w- c:\windows\QTFont.for
2011-02-22 21:53 . 2011-02-22 21:53 -------- d-----w- c:\documents and settings\DOUG\Local Settings\Application Data\Threat Expert
2011-02-22 19:33 . 2011-02-22 19:33 -------- d-----w- c:\windows\system32\N360_BACKUP
2011-02-22 19:22 . 2011-03-02 22:07 -------- d-----w- c:\program files\Symantec
2011-02-22 19:22 . 2011-03-02 22:07 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-02-22 19:22 . 2011-03-02 22:07 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-02-22 19:21 . 2011-02-22 19:22 -------- d-----w- c:\windows\system32\drivers\N360\0401000.020
2011-02-22 19:19 . 2011-02-22 19:19 -------- d-----w- c:\program files\Norton 360
2011-02-22 19:15 . 2011-02-22 20:16 -------- d-----w- c:\program files\NortonInstaller
2011-02-22 00:26 . 2011-02-22 00:28 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2011-02-21 23:30 . 2011-02-21 23:41 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-02-21 23:13 . 2011-01-07 19:54 767952 ----a-w- c:\windows\BDTSupport.dll0219.old
2011-02-21 23:13 . 2011-01-07 19:54 149456 ----a-w- c:\windows\SGDetectionTool.dll0219.old
2011-02-21 23:13 . 2011-01-07 19:54 2000848 ----a-w- c:\windows\PCTBDCore.dll0219.old
2011-02-21 23:11 . 2011-02-24 00:22 -------- d-----w- c:\program files\PC Tools Security
2011-02-21 23:05 . 2011-02-24 00:20 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2011-02-21 22:46 . 2011-02-21 22:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\Sammsoft
2011-02-21 22:46 . 2011-02-21 22:46 -------- d-----w- c:\program files\MemTurbo 4
2011-02-21 22:46 . 2011-02-21 22:46 -------- d-----w- c:\program files\ARO 2011
2011-02-21 22:13 . 2011-02-21 22:13 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2011-02-15 17:45 . 2011-02-15 17:45 -------- d-----w- C:\~ErdUserProfile.$$$
2011-02-15 17:17 . 2011-02-15 17:17 -------- d-----w- C:\symbols
2011-02-14 20:23 . 2011-02-15 00:14 -------- d-----w- C:\MRI_PE_TEMP
2011-02-14 19:22 . 2011-02-14 19:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Geek Squad
2011-02-14 16:37 . 2007-03-09 03:43 92592 ----a-w- c:\windows\system32\MSDartCmn.dll
2011-02-14 16:37 . 2007-03-09 03:43 61872 ----a-w- c:\windows\system32\MsDartSR.exe
2011-02-14 16:36 . 2011-02-15 17:21 -------- d-----w- C:\ErdUndoCache
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-21 14:44 . 2002-08-29 10:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2002-08-29 10:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2008-09-21 00:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2002-08-29 10:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2004-08-24 00:32 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2002-08-29 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2002-08-29 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 23:09 . 2011-01-21 16:11 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2011-01-21 16:11 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-20 17:26 . 2008-09-21 00:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2009-02-03 17:45 . 2008-09-28 15:47 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2009-02-03 17:45 . 2008-09-28 15:47 126360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2008-09-28 15:47 . 2008-09-28 15:47 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 172032]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 32881]
"Pure Networks Port Magic"="c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-04-05 99480]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
"Omnipage"="c:\program files\ScanSoft\OmniPageSE\opware32.exe" [2002-06-03 49152]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~2\mimboot.exe" [2006-01-19 11776]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-12-06 50688]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-02-23 278528]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"HostManager"="c:\program files\Common Files\AOL\1102893793\EE\AOLHostManager.exe" [2008-06-24 14688]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-06-19 202256]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2010-06-19 488968]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-06-24 282624]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2005-09-20 77824]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
MemTurbo.lnk - c:\program files\MemTurbo 4\MemTurbo.exe [2011-2-21 3121760]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
backup=c:\windows\pss\Google Updater.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^DOUG^Start Menu^Programs^Startup^wkcalrem.LNK]
backup=c:\windows\pss\wkcalrem.LNKStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"WinDefend"=2 (0x2)
"Rx2Engine"=3 (0x3)
"Rx2Agent"=2 (0x2)
"MyWebSearchService"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\SYSTEM32\\fxsclnt.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1102893793\\ee\\aolservicehost.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\1102893793\\EE\\aolsoftware.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\ScanSoft\\OmniPageSE\\EregEng\\NAVBrowser.exe"=
.
R0 SymDS;Symantec Data Store;c:\windows\SYSTEM32\DRIVERS\N360\0401000.020\symds.sys [2/22/2011 3:22 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\SYSTEM32\DRIVERS\N360\0401000.020\symefa.sys [2/22/2011 3:22 PM 172592]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20110114.001\BHDrvx86.sys [1/14/2011 4:02 AM 691248]
R1 ccHP;Symantec Hash Provider;c:\windows\SYSTEM32\DRIVERS\N360\0401000.020\cchpx86.sys [2/22/2011 3:22 PM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\SYSTEM32\DRIVERS\N360\0401000.020\ironx86.sys [2/22/2011 3:22 PM 116784]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/22/2011 3:42 PM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20110218.003\IDSXpx86.sys [2/22/2011 3:43 PM 341944]
S1 MpKsl00654408;MpKsl00654408;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BABE0FA6-BCDF-4BD0-AD4B-6331C8B05D84}\MpKsl00654408.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BABE0FA6-BCDF-4BD0-AD4B-6331C8B05D84}\MpKsl00654408.sys [?]
S1 MpKsl519f04ce;MpKsl519f04ce;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3BA20B6C-8B5D-4A0D-88A0-8302C7FE7E14}\MpKsl519f04ce.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3BA20B6C-8B5D-4A0D-88A0-8302C7FE7E14}\MpKsl519f04ce.sys [?]
S1 MpKsl78ef075a;MpKsl78ef075a;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E548C4F5-47B3-41F8-BEB8-5C07FB7EA494}\MpKsl78ef075a.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E548C4F5-47B3-41F8-BEB8-5C07FB7EA494}\MpKsl78ef075a.sys [?]
S1 MpKslc6e8a24b;MpKslc6e8a24b;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CEC65EB3-63C9-48F4-9415-1DDAD6F1F487}\MpKslc6e8a24b.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CEC65EB3-63C9-48F4-9415-1DDAD6F1F487}\MpKslc6e8a24b.sys [?]
S1 MpKsle2efea6c;MpKsle2efea6c;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{76631FA2-2E57-4D0E-927B-E7B7689DDA04}\MpKsle2efea6c.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{76631FA2-2E57-4D0E-927B-E7B7689DDA04}\MpKsle2efea6c.sys [?]
S1 SASDIFSV;SASDIFSV;\??\c:\documents and settings\DOUG\Desktop\Super\SASDIFSV.SYS --> c:\documents and settings\DOUG\Desktop\Super\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\documents and settings\DOUG\Desktop\Super\SASKUTIL.sys --> c:\documents and settings\DOUG\Desktop\Super\SASKUTIL.sys [?]
S2 gupdate1ca3bc162850b76;Google Update Service (gupdate1ca3bc162850b76);c:\program files\Google\Update\GoogleUpdate.exe [9/22/2009 4:15 PM 133104]
S2 N360;Norton 360;c:\program files\Norton 360\Engine\4.1.0.32\ccsvchst.exe [2/22/2011 3:21 PM 126392]
S3 SASENUM;SASENUM;\??\c:\documents and settings\DOUG\Desktop\Super\SASENUM.SYS --> c:\documents and settings\DOUG\Desktop\Super\SASENUM.SYS [?]
S3 vbma1a24;Virtual Bus for Microsoft ACPI-Compliant System; [x]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - pxdoapod
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-22 20:14]
.
2011-03-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-22 20:14]
.
2011-03-11 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2747982992-3001940826-1557354672-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
2011-03-11 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2747982992-3001940826-1557354672-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
2011-03-11 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2747982992-3001940826-1557354672-1011.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
2011-02-22 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2747982992-3001940826-1557354672-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
2011-03-12 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2747982992-3001940826-1557354672-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
2011-03-03 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2747982992-3001940826-1557354672-1011.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
2011-03-14 c:\windows\Tasks\User_Feed_Synchronization-{8F8F0198-6D65-4067-A591-C200634A7CE7}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
Handler: ms-its51 - {F6F1E82D-DE4D-11D2-875C-0000F8105754} - c:\program files\Common Files\Microsoft Shared\Information Retrieval\itss51.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\DOUG\Application Data\Mozilla\Firefox\Profiles\ycm4vp90.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2319576&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Free TV Bar Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: Norton IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn
FF - Ext: Norton Toolbar: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62} - c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\coFFPlgn
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-14 09:16
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\4.1.0.32\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\4.1.0.32\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3784)
c:\windows\system32\WININET.dll
c:\program files\ScanSoft\OmniPageSE\ophook32.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-03-14 09:21:28
ComboFix-quarantined-files.txt 2011-03-14 13:21
ComboFix2.txt 2011-03-02 22:23
ComboFix3.txt 2011-02-24 16:28
ComboFix4.txt 2011-01-21 16:04
.
Pre-Run: 10,912,583,680 bytes free
Post-Run: 10,894,802,944 bytes free
.
- - End Of File - - F57FFBA30F0E2AD96A68D0FB058F3AA0

#10 steve42day

  • Topic Starter

  • Members
  • 24 posts
  • Gender:Male
  • Location:New Jersey

Posted 14 March 2011 - 11:19 AM

Update:

I managed to run Spybot since I had reinstalled it under a different name a while back.

However, I still can’t open Norton.

P.S. I have not restarted my computer since I posted the first file. Let me know if I should do that.

Thanks again!
Steve

#11 Blade81


    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 14 March 2011 - 11:30 AM

Hi,

There should be a newer version of ComboFix available. Didn't it ask if you want to download the newer version (you don't need to download it manually; let the tool do it by itself)?



#12 steve42day

  • Topic Starter

  • Members
  • 24 posts
  • Gender:Male
  • Location:New Jersey

Posted 14 March 2011 - 12:16 PM

FYI, I had downloaded the older version from the following link:
http://www.forospyware.com/sUBs/ComboFix.exe
This is “ComboFix Download Link #2”.

I found a later version at the “ComboFix Download Link”.
The log file is pasted below.

As I mentioned, I haven’t restarted the computer and I am still not connected to the internet. So I didn’t try to update Spybot yet.
Let me know when it’s ok to do this.

Problems at this point:
I can’t open Norton.
I’m not sure if there are any other files that might have been corrupted during this. Is there a way to check?

Thanks again,
Steve

ComboFix 11-03-13.02 - DOUG 03/14/2011 12:57:06.5.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.264 [GMT -4:00]
Running from: E:\ComboFix.exe
AV: Spyware Doctor with AntiVirus *Disabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
.
.
((((((((((((((((((((((((( Files Created from 2011-02-14 to 2011-03-14 )))))))))))))))))))))))))))))))
.
.
2011-03-02 23:24 . 2011-03-02 23:24 -------- d--h--w- c:\windows\PIF
2011-02-24 21:55 . 2011-02-24 21:58 -------- d-----w- c:\program files\TweakNow RegCleaner 2011
2011-02-24 19:33 . 2011-02-24 21:14 -------- d-----w- c:\program files\Stevebot
2011-02-24 18:17 . 2011-02-24 18:55 -------- d-----w- c:\documents and settings\Steve
2011-02-24 00:02 . 2004-03-09 06:00 124688 ----a-w- c:\windows\system32\MSWinSck.ocx
2011-02-24 00:02 . 2011-02-24 00:02 -------- d-----w- c:\program files\Common Files\eSellerate
2011-02-24 00:02 . 2007-06-08 18:53 1753088 ----a-w- c:\windows\system32\ExGrid.dll
2011-02-24 00:02 . 2007-06-05 15:20 602112 ----a-w- c:\windows\system32\ExMenu.dll
2011-02-24 00:02 . 2007-06-05 15:19 516096 ----a-w- c:\windows\system32\ExTab.dll
2011-02-24 00:02 . 2007-04-03 21:51 614400 ----a-w- c:\windows\system32\ExButton.dll
2011-02-24 00:02 . 2007-04-03 21:51 307200 ----a-w- c:\windows\system32\ExPMenu.dll
2011-02-24 00:02 . 2005-10-11 19:40 356352 ----a-w- c:\windows\system32\eSellerateEngine.dll
2011-02-24 00:02 . 2005-10-04 13:11 118784 ----a-w- c:\windows\system32\eWebControl.dll
2011-02-24 00:02 . 1998-04-24 05:00 368912 ----a-w- c:\windows\system32\vbar332.dll
2011-02-24 00:02 . 2011-02-24 00:02 -------- d-----w- c:\program files\AnswersThatWork
2011-02-22 23:29 . 2011-03-14 16:29 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-02-22 23:27 . 2011-02-24 22:31 -------- d-----w- C:\Temp Download
2011-02-22 23:22 . 2011-02-22 23:34 -------- d-----w- c:\program files\steve
2011-02-22 22:08 . 2011-02-22 22:08 1409 ----a-w- c:\windows\QTFont.for
2011-02-22 21:53 . 2011-02-22 21:53 -------- d-----w- c:\documents and settings\DOUG\Local Settings\Application Data\Threat Expert
2011-02-22 19:33 . 2011-02-22 19:33 -------- d-----w- c:\windows\system32\N360_BACKUP
2011-02-22 19:22 . 2011-03-02 22:07 -------- d-----w- c:\program files\Symantec
2011-02-22 19:22 . 2011-03-02 22:07 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-02-22 19:22 . 2011-03-02 22:07 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-02-22 19:21 . 2011-02-22 19:22 -------- d-----w- c:\windows\system32\drivers\N360\0401000.020
2011-02-22 19:19 . 2011-02-22 19:19 -------- d-----w- c:\program files\Norton 360
2011-02-22 19:15 . 2011-02-22 20:16 -------- d-----w- c:\program files\NortonInstaller
2011-02-22 00:26 . 2011-02-22 00:28 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2011-02-21 23:30 . 2011-02-21 23:41 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-02-21 23:13 . 2011-01-07 19:54 767952 ----a-w- c:\windows\BDTSupport.dll0219.old
2011-02-21 23:13 . 2011-01-07 19:54 149456 ----a-w- c:\windows\SGDetectionTool.dll0219.old
2011-02-21 23:13 . 2011-01-07 19:54 2000848 ----a-w- c:\windows\PCTBDCore.dll0219.old
2011-02-21 23:11 . 2011-02-24 00:22 -------- d-----w- c:\program files\PC Tools Security
2011-02-21 23:05 . 2011-02-24 00:20 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2011-02-21 22:46 . 2011-02-21 22:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\Sammsoft
2011-02-21 22:46 . 2011-02-21 22:46 -------- d-----w- c:\program files\MemTurbo 4
2011-02-21 22:46 . 2011-02-21 22:46 -------- d-----w- c:\program files\ARO 2011
2011-02-21 22:13 . 2011-02-21 22:13 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2011-02-15 17:45 . 2011-02-15 17:45 -------- d-----w- C:\~ErdUserProfile.$$$
2011-02-15 17:17 . 2011-02-15 17:17 -------- d-----w- C:\symbols
2011-02-14 20:23 . 2011-02-15 00:14 -------- d-----w- C:\MRI_PE_TEMP
2011-02-14 19:22 . 2011-02-14 19:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Geek Squad
2011-02-14 16:37 . 2007-03-09 03:43 92592 ----a-w- c:\windows\system32\MSDartCmn.dll
2011-02-14 16:37 . 2007-03-09 03:43 61872 ----a-w- c:\windows\system32\MsDartSR.exe
2011-02-14 16:36 . 2011-02-15 17:21 -------- d-----w- C:\ErdUndoCache
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-21 14:44 . 2002-08-29 10:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2002-08-29 10:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2008-09-21 00:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2002-08-29 10:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2004-08-24 00:32 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2002-08-29 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2002-08-29 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 23:09 . 2011-01-21 16:11 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2011-01-21 16:11 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-20 17:26 . 2008-09-21 00:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2009-02-03 17:45 . 2008-09-28 15:47 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2009-02-03 17:45 . 2008-09-28 15:47 126360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2008-09-28 15:47 . 2008-09-28 15:47 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 172032]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 32881]
"Pure Networks Port Magic"="c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-04-05 99480]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
"Omnipage"="c:\program files\ScanSoft\OmniPageSE\opware32.exe" [2002-06-03 49152]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~2\mimboot.exe" [2006-01-19 11776]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-12-06 50688]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-02-23 278528]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"HostManager"="c:\program files\Common Files\AOL\1102893793\EE\AOLHostManager.exe" [2008-06-24 14688]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-06-19 202256]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2010-06-19 488968]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-06-24 282624]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2005-09-20 77824]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
MemTurbo.lnk - c:\program files\MemTurbo 4\MemTurbo.exe [2011-2-21 3121760]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
backup=c:\windows\pss\Google Updater.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^DOUG^Start Menu^Programs^Startup^wkcalrem.LNK]
backup=c:\windows\pss\wkcalrem.LNKStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"WinDefend"=2 (0x2)
"Rx2Engine"=3 (0x3)
"Rx2Agent"=2 (0x2)
"MyWebSearchService"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\SYSTEM32\\fxsclnt.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1102893793\\ee\\aolservicehost.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\1102893793\\EE\\aolsoftware.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\ScanSoft\\OmniPageSE\\EregEng\\NAVBrowser.exe"=
.
R0 SymDS;Symantec Data Store;c:\windows\SYSTEM32\DRIVERS\N360\0401000.020\symds.sys [2/22/2011 3:22 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\SYSTEM32\DRIVERS\N360\0401000.020\symefa.sys [2/22/2011 3:22 PM 172592]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20110114.001\BHDrvx86.sys [1/14/2011 4:02 AM 691248]
R1 ccHP;Symantec Hash Provider;c:\windows\SYSTEM32\DRIVERS\N360\0401000.020\cchpx86.sys [2/22/2011 3:22 PM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\SYSTEM32\DRIVERS\N360\0401000.020\ironx86.sys [2/22/2011 3:22 PM 116784]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/22/2011 3:42 PM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20110218.003\IDSXpx86.sys [2/22/2011 3:43 PM 341944]
S1 MpKsl00654408;MpKsl00654408;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BABE0FA6-BCDF-4BD0-AD4B-6331C8B05D84}\MpKsl00654408.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BABE0FA6-BCDF-4BD0-AD4B-6331C8B05D84}\MpKsl00654408.sys [?]
S1 MpKsl519f04ce;MpKsl519f04ce;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3BA20B6C-8B5D-4A0D-88A0-8302C7FE7E14}\MpKsl519f04ce.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3BA20B6C-8B5D-4A0D-88A0-8302C7FE7E14}\MpKsl519f04ce.sys [?]
S1 MpKsl78ef075a;MpKsl78ef075a;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E548C4F5-47B3-41F8-BEB8-5C07FB7EA494}\MpKsl78ef075a.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E548C4F5-47B3-41F8-BEB8-5C07FB7EA494}\MpKsl78ef075a.sys [?]
S1 MpKslc6e8a24b;MpKslc6e8a24b;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CEC65EB3-63C9-48F4-9415-1DDAD6F1F487}\MpKslc6e8a24b.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CEC65EB3-63C9-48F4-9415-1DDAD6F1F487}\MpKslc6e8a24b.sys [?]
S1 MpKsle2efea6c;MpKsle2efea6c;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{76631FA2-2E57-4D0E-927B-E7B7689DDA04}\MpKsle2efea6c.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{76631FA2-2E57-4D0E-927B-E7B7689DDA04}\MpKsle2efea6c.sys [?]
S1 SASDIFSV;SASDIFSV;\??\c:\documents and settings\DOUG\Desktop\Super\SASDIFSV.SYS --> c:\documents and settings\DOUG\Desktop\Super\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\documents and settings\DOUG\Desktop\Super\SASKUTIL.sys --> c:\documents and settings\DOUG\Desktop\Super\SASKUTIL.sys [?]
S2 gupdate1ca3bc162850b76;Google Update Service (gupdate1ca3bc162850b76);c:\program files\Google\Update\GoogleUpdate.exe [9/22/2009 4:15 PM 133104]
S2 N360;Norton 360;c:\program files\Norton 360\Engine\4.1.0.32\ccsvchst.exe [2/22/2011 3:21 PM 126392]
S3 SASENUM;SASENUM;\??\c:\documents and settings\DOUG\Desktop\Super\SASENUM.SYS --> c:\documents and settings\DOUG\Desktop\Super\SASENUM.SYS [?]
S3 vbma1a24;Virtual Bus for Microsoft ACPI-Compliant System; [x]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - pxdoapod
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-22 20:14]
.
2011-03-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-22 20:14]
.
2011-03-11 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2747982992-3001940826-1557354672-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
2011-03-11 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2747982992-3001940826-1557354672-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
2011-03-11 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2747982992-3001940826-1557354672-1011.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
2011-02-22 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2747982992-3001940826-1557354672-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
2011-03-12 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2747982992-3001940826-1557354672-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
2011-03-03 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2747982992-3001940826-1557354672-1011.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
2011-03-14 c:\windows\Tasks\User_Feed_Synchronization-{8F8F0198-6D65-4067-A591-C200634A7CE7}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
Handler: ms-its51 - {F6F1E82D-DE4D-11D2-875C-0000F8105754} - c:\program files\Common Files\Microsoft Shared\Information Retrieval\itss51.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\DOUG\Application Data\Mozilla\Firefox\Profiles\ycm4vp90.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2319576&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Free TV Bar Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: Norton IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn
FF - Ext: Norton Toolbar: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62} - c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\coFFPlgn
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-14 13:05
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\4.1.0.32\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\4.1.0.32\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2800)
c:\windows\system32\WININET.dll
c:\program files\ScanSoft\OmniPageSE\ophook32.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-03-14 13:12:14
ComboFix-quarantined-files.txt 2011-03-14 17:12
ComboFix2.txt 2011-03-14 13:21
ComboFix3.txt 2011-03-02 22:23
ComboFix4.txt 2011-02-24 16:28
ComboFix5.txt 2011-03-14 16:54
.
Pre-Run: 10,906,775,552 bytes free
Post-Run: 10,888,380,416 bytes free
.
- - End Of File - - 78A61E3960A0913CBCE3329EA591AF3C

#13 Blade81

Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 14 March 2011 - 02:35 PM

Hi,

Let's look at those Spybot and Norton related things in a bit.

Please save this file to your desktop. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#14 steve42day

steve42day
  • Topic Starter
  • Members
  • 24 posts
  • Gender:Male
  • Location:New Jersey

Posted 14 March 2011 - 03:29 PM

Thanks,

Unfortunately, this is the file:

Running from: C:\Documents and Settings\DOUG\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\DOUG\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Finished!

#15 Blade81

Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 15 March 2011 - 01:02 AM

Hi,

Those are actually good results :)

Now, download this file to the c:\program files folder.

Then drag'n'drop these folders onto the downloaded file:
c:\program files\Spybot - Search & Destroy
c:\program files\Norton 360
c:\program files\NortonInstaller
c:\program files\Symantec

See if Spybot and Norton work after that (reboot first).

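As an added example, not the helper's tool and not a BleepingComputer script: a PowerShell audit of the four folders listed above, written on the assumption that the programs are blocked by Deny entries in the folders' ACLs (the post does not say what the downloaded file does, so that is an assumption). It reports explicit Deny ACEs on each folder and, only when run with -Fix from an administrator prompt, removes them.

```powershell
# Added example (not the helper's tool). Assumes PowerShell 2.0 or later and
# an administrator shell. Folder list is taken from the post above; the ACL
# hypothesis is an assumption, not something the post states.
param([switch]$Fix)

$folders = @(
    'C:\Program Files\Spybot - Search & Destroy',
    'C:\Program Files\Norton 360',
    'C:\Program Files\NortonInstaller',
    'C:\Program Files\Symantec'
)

function Get-DenyAces([string]$Path) {
    # Return explicit (non-inherited) Deny entries set on the folder itself;
    # inherited entries come from the parent and are not the folder's problem.
    $acl = Get-Acl -Path $Path
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited
    }
}

foreach ($f in $folders) {
    if (-not (Test-Path -LiteralPath $f)) {
        Write-Host "MISSING  $f"
        continue
    }
    try {
        $deny = @(Get-DenyAces $f)
    } catch {
        # Cannot even read the ACL: ownership has to be taken back first
        Write-Host "NO-READ  $f ($($_.Exception.Message))"
        continue
    }
    if ($deny.Count -eq 0) {
        Write-Host "OK       $f"
        continue
    }
    foreach ($ace in $deny) {
        Write-Host ("DENY     {0}: {1} -> {2}" -f $f, $ace.IdentityReference, $ace.FileSystemRights)
    }
    if ($Fix) {
        # Remove only the Deny entries; leave the rest of the ACL untouched
        $acl = Get-Acl -Path $f
        foreach ($ace in $deny) { $acl.RemoveAccessRule($ace) | Out-Null }
        Set-Acl -Path $f -AclObject $acl
        Write-Host "FIXED    $f (removed $($deny.Count) Deny entries on the folder itself)"
    }
}
```

Run it first without -Fix to see what is set; subfolders and files are not walked, so a folder that reports OK can still have blocked contents below it.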




