
Tidserv 2 Activity and gaopdxserv.sys


  • This topic is locked
28 replies to this topic

#1 Rynofasho
Posted 07 June 2011 - 11:07 PM

Hello all,

I'm trying to save a friend's computer for him. He has Norton and it kept telling him it saw Tidserv 2 activity. It would BSOD on start about 9 times out of 10, and I finally got it to boot once and ran TDSS Killer and Malwarebytes. TDSS Killer wiped out one issue and helped it become consistently bootable, and Malwarebytes found a lot of malware and various trojans. I do have logs if needed.

I know that the infection isn't over yet, however, so I wanted to ask for some help. I've got all the logs that you need.

DDS log

DDS (Ver_2011-06-03.01) - NTFSx86
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_22
Run by Tim at 18:39:35 on 2011-06-07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.429 [GMT -5:00]
.
AV: Norton AntiVirus *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Norton Utilities 15\Tools\Disk Doctor\DiskDoctorSrv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\Engine\18.6.0.29\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Norton Utilities 15\Tools\SpeedDisk\SpeedDiskSrv.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Norton Utilities 15\Tools\Disk Doctor\DiskDoctorSrvProxy.exe
C:\Program Files\Norton Utilities 15\Tools\SpeedDisk\SpeedDiskSrvProxy.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Norton AntiVirus\Engine\18.6.0.29\ccSvcHst.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Tim\Application Data\U3\05505C6033A228A2\LaunchPad.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6061207
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell.com
mSearch Bar = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\18.6.0.29\ips\IPSBHO.DLL
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {4E7BD74F-2B8D-469E-85B2-BC27FE9AAE2E} - No File
TB: {B7D3E479-CC68-42B5-A338-938ECE35F419} - No File
uRun: [OE_OEM] "c:\program files\trend micro\internet security 14\tmas_oe\TMAS_OEMon.exe"
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\tim\startm~1\programs\startup\memoni~1.lnk - c:\program files\verizon wireless\v cast music manager\MEMonitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: commercebank.com\tunnell
Trusted Zone: turbotax.com
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {181BCAB2-C89B-4E4B-9E6B-59FA67A426B5} - hxxps://tunnel.commercebank.com/epa/nsepa.ocx
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\tim\application data\mozilla\firefox\profiles\pfyriad1.default\
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============
.
R0 FixTDSS;TDSS Fixtool driver;c:\windows\system32\drivers\FixTDSS.sys [2011-6-6 20472]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1206000.01d\symds.sys [2011-5-10 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1206000.01d\symefa.sys [2011-5-10 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\definitions\bashdefs\20110518.001\BHDrvx86.sys [2011-5-19 802936]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1206000.01d\ironx86.sys [2011-5-10 136312]
R2 DiskDoctorService;Norton Disk Doctor Service;c:\program files\norton utilities 15\tools\disk doctor\DiskDoctorSrv.exe [2011-3-21 1029480]
R2 hnmwrlspkt;HomeNet Manager Wireless Protocol;c:\windows\system32\drivers\hnm_wrls_pkt.sys [2006-7-14 13824]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 NAV;Norton AntiVirus;c:\program files\norton antivirus\engine\18.6.0.29\ccsvchst.exe [2011-5-10 130008]
R2 SpeedDiskService;Norton SpeedDisk Service;c:\program files\norton utilities 15\tools\speeddisk\SpeedDiskSrv.exe [2011-3-21 1037672]
R2 wsppkt;Wireless Security Protocol;c:\windows\system32\drivers\wsp_pkt.sys [2006-7-14 13696]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-5-22 105592]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\definitions\ipsdefs\20110603.003\IDSXpx86.sys [2011-6-4 341944]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\definitions\virusdefs\20110603.038\NAVENG.SYS [2011-6-4 86008]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\definitions\virusdefs\20110603.038\NAVEX15.SYS [2011-6-4 1542392]
S3 BlackBox;BlackBox SR2; [x]
S3 SymDSMon;SymDSMon;c:\windows\system32\drivers\SymDSMon.sys [2011-3-21 128248]
S3 SYMSpeedDisk;SYMSpeedDisk;c:\windows\system32\drivers\SymSpeedDisk.sys [2011-3-21 108800]
.
=============== Created Last 30 ================
.
2011-06-07 22:54:28 -------- d-----w- C:\GMER
2011-06-07 02:18:48 -------- d-----w- c:\documents and settings\tim\application data\FixTDSS
2011-06-07 02:18:47 20472 ----a-w- c:\windows\system32\drivers\FixTDSS.sys
2011-06-07 01:53:59 -------- d-----w- c:\program files\Trend Micro
2011-06-07 01:52:30 -------- d-----w- c:\documents and settings\tim\application data\Malwarebytes
2011-06-07 01:51:17 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-07 01:51:17 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-06-07 01:51:14 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-07 01:51:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-06 00:27:28 21504 ----a-w- c:\windows\system32\hidserv.dll
2011-06-06 00:27:28 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
2011-05-30 15:46:59 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-05-30 15:46:59 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-05-30 15:46:59 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-05-30 15:46:59 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-05-30 15:46:59 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-05-30 15:46:58 1892184 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-05-30 15:46:58 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-05-30 15:46:57 1974616 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-05-26 15:52:52 -------- d-----w- c:\program files\Bonjour
2011-05-18 18:12:31 35412 ----a-w- c:\windows\oyilunutowuwuq.dll
2011-05-16 18:38:33 -------- d-sh--w- C:\found.001
2011-05-14 21:20:02 -------- d-----w- c:\program files\ARO 2011
2011-05-12 18:49:37 -------- d-sh--w- C:\found.000
2011-05-10 20:30:14 369784 ----a-w- c:\windows\system32\drivers\nav\1206000.01d\symtdi.sys
2011-05-10 20:30:14 331384 ----a-w- c:\windows\system32\drivers\nav\1206000.01d\symtdiv.sys
2011-05-10 20:30:13 296568 ----a-w- c:\windows\system32\drivers\nav\1206000.01d\symnets.sys
2011-05-10 20:30:12 744568 ----a-w- c:\windows\system32\drivers\nav\1206000.01d\symefa.sys
2011-05-10 20:30:11 516216 ----a-w- c:\windows\system32\drivers\nav\1206000.01d\srtsp.sys
2011-05-10 20:30:11 50168 ----a-w- c:\windows\system32\drivers\nav\1206000.01d\srtspx.sys
2011-05-10 20:30:11 340088 ----a-w- c:\windows\system32\drivers\nav\1206000.01d\symds.sys
2011-05-10 20:30:09 136312 ----a-w- c:\windows\system32\drivers\nav\1206000.01d\ironx86.sys
2011-05-10 20:28:24 -------- d-----w- c:\windows\system32\drivers\nav\1206000.01D
.
==================== Find3M ====================
.
2011-06-07 04:42:52 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
2011-06-07 04:42:24 88 --sh--r- c:\windows\system32\7C73339D7B.sys
2011-05-26 15:32:08 0 ----a-w- c:\windows\Rvidofusocacezaf.bin
2011-05-10 20:30:21 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-05-10 20:30:21 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-04-20 00:56:54 69632 --sha-r- c:\windows\system32\ipxmontrp.dll
2011-04-20 00:56:54 69632 --sha-r- c:\windows\system32\iasadsp.dll
2011-04-06 21:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 21:20:16 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 21:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-03-29 18:58:25 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-03-29 18:58:25 472808 ----a-w- c:\windows\system32\deployJava1.dll
.
============= FINISH: 18:39:52.31 ===============

I've also attached the attach.txt portion from the DDS scan and ark.log from the GMER scan. It still looks pretty nasty. Where do I begin?

#2 CatByte
  • Malware Response Team
Posted 09 June 2011 - 07:23 PM

Hi

Please do the following:

Download Combofix from either of the links below. You must rename it to iexplore before saving it.
Save it to your desktop. Change the "save as" file type to "all files".

**Note: In the event you already have Combofix, delete it; this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.**

  • If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".

Link 1
Link 2

-----------------------------------------------------------


  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------

  • NOTE: If ComboFix asks to install the Recovery Console, please ALLOW it to do so.

    -----------------------------------------------------------

  • Double click on the renamed ComboFix.exe & follow the prompts. When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.

-----------------------------------------------------------


Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 Rynofasho

Posted 09 June 2011 - 09:19 PM

I BSOD'd on Combofix around the 25th stage. Also, I couldn't download the Recovery Console because the internet is too FUBARED, even though I'm pulling a valid IP and hard-wired.

Should I try to run it again in safe mode?

#4 CatByte
  • Malware Response Team

Posted 09 June 2011 - 09:22 PM

Yes, try it again in safe mode with networking.



#5 Rynofasho

Posted 09 June 2011 - 09:24 PM

Going. . .

#6 Rynofasho

Posted 09 June 2011 - 09:44 PM

Done. PS: I haven't rebooted at all since the original logs I sent, so you know. Wasn't prompted to after CF either:

ComboFix 11-06-09.04 - Administrator 06/09/2011 21:35:24.2.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.749 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Norton AntiVirus *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\donald mcallister\Application Data\DriveCleaner Free
c:\documents and settings\donald mcallister\Application Data\DriveCleaner Free\Logs\update.log
c:\documents and settings\donald mcallister\Application Data\GetModule
c:\documents and settings\donald mcallister\Application Data\GetModule\dicik.gz
c:\documents and settings\donald mcallister\Application Data\GetModule\kwdik.gz
c:\documents and settings\donald mcallister\Application Data\GetModule\ofadik.gz
c:\documents and settings\donald mcallister\Application Data\TMInc
c:\documents and settings\donald mcallister\Application Data\TMInc\game.cfg
c:\documents and settings\donald mcallister\Application Data\TMInc\user1.sav
c:\documents and settings\donald mcallister\err.log
c:\documents and settings\donald mcallister\Local Settings\Application Data\{D3C8362C-E475-4C24-AB3D-DE737EEF04A3}
c:\documents and settings\donald mcallister\Local Settings\Application Data\{D3C8362C-E475-4C24-AB3D-DE737EEF04A3}\chrome.manifest
c:\documents and settings\donald mcallister\Local Settings\Application Data\{D3C8362C-E475-4C24-AB3D-DE737EEF04A3}\chrome\content\_cfg.js
c:\documents and settings\donald mcallister\Local Settings\Application Data\{D3C8362C-E475-4C24-AB3D-DE737EEF04A3}\chrome\content\overlay.xul
c:\documents and settings\donald mcallister\Local Settings\Application Data\{D3C8362C-E475-4C24-AB3D-DE737EEF04A3}\install.rdf
c:\documents and settings\Matthew\err.log
c:\documents and settings\Matthew\Local Settings\Application Data\{DB7E92DC-2E9A-40F0-B9E7-C1CB10165373}
c:\documents and settings\Matthew\Local Settings\Application Data\{DB7E92DC-2E9A-40F0-B9E7-C1CB10165373}\chrome.manifest
c:\documents and settings\Matthew\Local Settings\Application Data\{DB7E92DC-2E9A-40F0-B9E7-C1CB10165373}\chrome\content\_cfg.js
c:\documents and settings\Matthew\Local Settings\Application Data\{DB7E92DC-2E9A-40F0-B9E7-C1CB10165373}\chrome\content\overlay.xul
c:\documents and settings\Matthew\Local Settings\Application Data\{DB7E92DC-2E9A-40F0-B9E7-C1CB10165373}\install.rdf
c:\documents and settings\Michael\err.log
c:\documents and settings\Patrick\err.log
c:\documents and settings\Patrick\Local Settings\Application Data\{410B76EA-4B80-478E-B1A3-E992B95801E5}
c:\documents and settings\Patrick\Local Settings\Application Data\{410B76EA-4B80-478E-B1A3-E992B95801E5}\chrome.manifest
c:\documents and settings\Patrick\Local Settings\Application Data\{410B76EA-4B80-478E-B1A3-E992B95801E5}\chrome\content\_cfg.js
c:\documents and settings\Patrick\Local Settings\Application Data\{410B76EA-4B80-478E-B1A3-E992B95801E5}\chrome\content\overlay.xul
c:\documents and settings\Patrick\Local Settings\Application Data\{410B76EA-4B80-478E-B1A3-E992B95801E5}\install.rdf
c:\documents and settings\Tim\Application Data\DriveCleaner Free
c:\documents and settings\Tim\Application Data\DriveCleaner Free\Logs\update.log
c:\documents and settings\Tim\err.log
c:\documents and settings\Tim\Local Settings\Application Data\{76783DDE-70E5-417B-BCD4-DE2B0EF6542B}
c:\documents and settings\Tim\Local Settings\Application Data\{76783DDE-70E5-417B-BCD4-DE2B0EF6542B}\chrome.manifest
c:\documents and settings\Tim\Local Settings\Application Data\{76783DDE-70E5-417B-BCD4-DE2B0EF6542B}\chrome\content\_cfg.js
c:\documents and settings\Tim\Local Settings\Application Data\{76783DDE-70E5-417B-BCD4-DE2B0EF6542B}\chrome\content\overlay.xul
c:\documents and settings\Tim\Local Settings\Application Data\{76783DDE-70E5-417B-BCD4-DE2B0EF6542B}\install.rdf
c:\program files\Common Files\rmko
c:\program files\Common Files\rmko\rmkoa.lck
c:\program files\Common Files\rmko\rmkod\class-barrel
c:\program files\Common Files\rmko\rmkod\vocabulary
c:\program files\Common Files\rmko\rmkol.lck
c:\program files\Common Files\rmko\rmkom.lck
c:\program files\Shared
c:\program files\Shared\shared.sig
.
.
((((((((((((((((((((((((( Files Created from 2011-05-10 to 2011-06-10 )))))))))))))))))))))))))))))))
.
.
2011-06-07 22:54 . 2011-06-07 22:54 -------- d-----w- C:\GMER
2011-06-07 03:05 . 2011-06-07 03:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-06-07 02:18 . 2011-06-07 02:18 -------- d-----w- c:\documents and settings\Tim\Application Data\FixTDSS
2011-06-07 02:18 . 2011-06-07 02:18 20472 ----a-w- c:\windows\system32\drivers\FixTDSS.sys
2011-06-07 01:53 . 2011-06-07 01:53 -------- d-----w- c:\program files\Trend Micro
2011-06-07 01:52 . 2011-06-07 01:52 -------- d-----w- c:\documents and settings\Tim\Application Data\Malwarebytes
2011-06-07 01:51 . 2011-06-07 01:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-06-07 01:51 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-07 01:51 . 2011-06-07 01:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-07 01:51 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-07 01:49 . 2011-06-08 03:57 -------- d-----w- c:\documents and settings\Tim\Application Data\U3
2011-06-06 00:27 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2011-06-06 00:27 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
2011-05-30 15:46 . 2011-05-30 15:46 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-05-30 15:46 . 2011-05-30 15:46 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-05-30 15:46 . 2011-05-30 15:46 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-05-30 15:46 . 2011-05-30 15:46 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-05-30 15:46 . 2011-05-30 15:46 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-05-30 15:46 . 2011-05-30 15:46 1892184 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-05-30 15:46 . 2011-05-30 15:46 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-05-30 15:46 . 2011-05-30 15:46 1974616 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-05-26 15:52 . 2011-05-26 15:52 -------- d-----w- c:\program files\Bonjour
2011-05-23 23:05 . 2011-05-23 23:05 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
2011-05-18 18:12 . 2011-05-18 18:14 35412 ----a-w- c:\windows\oyilunutowuwuq.dll
2011-05-16 18:38 . 2011-05-16 18:38 -------- d-----w- C:\found.001
2011-05-14 23:40 . 2011-05-14 23:40 -------- d-----w- c:\documents and settings\donald mcallister\Application Data\Sammsoft
2011-05-14 21:20 . 2011-05-14 21:20 -------- d-----w- c:\documents and settings\Patrick\Application Data\Sammsoft
2011-05-14 21:20 . 2011-05-20 16:48 -------- d-----w- c:\program files\ARO 2011
2011-05-12 18:49 . 2011-05-12 18:49 -------- d-----w- C:\found.000
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-10 20:30 . 2010-03-20 16:37 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-05-10 20:30 . 2010-03-20 16:37 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-04-06 21:20 . 2011-04-06 21:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 21:20 . 2011-04-06 21:20 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 21:20 . 2011-04-06 21:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-03-31 03:00 . 2011-05-10 20:30 516216 ----a-w- c:\windows\system32\drivers\NAV\1206000.01D\srtsp.sys
2011-03-31 03:00 . 2011-05-10 20:30 50168 ----a-w- c:\windows\system32\drivers\NAV\1206000.01D\srtspx.sys
2011-03-29 18:58 . 2011-03-29 18:58 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-29 18:58 . 2008-03-21 18:14 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-03-22 00:39 . 2011-05-10 20:30 369784 ----a-w- c:\windows\system32\drivers\NAV\1206000.01D\symtdi.sys
2011-03-22 00:39 . 2011-05-10 20:30 331384 ----a-w- c:\windows\system32\drivers\NAV\1206000.01D\symtdiv.sys
2011-03-22 00:39 . 2011-05-10 20:30 296568 ----a-w- c:\windows\system32\drivers\NAV\1206000.01D\symnets.sys
2011-03-15 02:31 . 2011-05-10 20:30 744568 ----a-w- c:\windows\system32\drivers\NAV\1206000.01D\symefa.sys
2008-02-08 02:46 . 2008-02-08 02:46 13624 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-02-08 02:46 . 2008-02-08 02:46 87360 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-02-08 02:46 . 2008-02-08 02:46 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2008-02-08 02:46 . 2008-02-08 02:46 21824 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-02-08 02:46 . 2008-02-08 02:46 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-02-08 02:46 . 2008-02-08 02:46 31544 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2008-02-08 02:46 . 2008-02-08 02:46 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2007-03-16 22:27 . 2007-03-16 22:27 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2007-03-16 22:27 . 2007-03-16 22:27 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2007-03-16 22:27 . 2007-03-16 22:27 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2007-07-20 17:47 . 2007-07-20 17:47 981170 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-02-08 02:46 . 2008-02-08 02:46 24384 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
2011-05-30 15:46 . 2011-05-30 15:46 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2008-12-13 . C79FAD61CD4A26ED5AA8C16D991C6FBD . 3594752 . . [7.00.6000.20973] . . c:\windows\$hf_mig$\KB960714-IE7\SP2QFE\mshtml.dll
[7] 2008-10-16 . B74F31A4BD83797D7A083F922169287D . 3595264 . . [7.00.6000.20935] . . c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\mshtml.dll
[7] 2008-08-27 . 1AD035E04A7068EC2820B055A3131ED8 . 3593216 . . [7.00.6000.16735] . . c:\windows\ie7updates\KB958215-IE7\mshtml.dll
[7] 2008-08-26 . 25CC085720EE3617FD1F8AB9E2F7CAB2 . 3594752 . . [7.00.6000.20900] . . c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\mshtml.dll
[7] 2008-06-23 . 28B8231CA8D55FC85E027A57C90F5C88 . 3594240 . . [7.00.6000.20861] . . c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\mshtml.dll
[7] 2008-04-24 . 8976CAB317105F7431B08EA32AB73C65 . 3591680 . . [7.00.6000.16674] . . c:\windows\ie7updates\KB953838-IE7\mshtml.dll
[7] 2008-04-23 . 4D612FF5D3B7EEF200595AE6F95D5E68 . 3593728 . . [7.00.6000.20815] . . c:\windows\$hf_mig$\KB950759-IE7\SP2QFE\mshtml.dll
[7] 2008-04-14 . A706E122B398FE1AB85CB9B75D044223 . 3066880 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\mshtml.dll
[7] 2008-03-01 . 4EE273E2B09317C1217EF0DB91F93534 . 3593216 . . [7.00.6000.20772] . . c:\windows\$hf_mig$\KB947864-IE7\SP2QFE\mshtml.dll
[7] 2007-10-30 . 54D8B404F17AA74C666F7F3AEF2AE459 . 3593216 . . [7.00.6000.20710] . . c:\windows\$hf_mig$\KB942615-IE7\SP2QFE\mshtml.dll
[7] 2007-10-30 . 8AB7ECF59D6EBBE986277B65ED4A40A1 . 3590656 . . [7.00.6000.16587] . . c:\windows\ie7updates\KB947864-IE7\mshtml.dll
[7] 2007-08-20 . AA8A4BD78D24FCDB96DDAEE3756AA372 . 3592192 . . [7.00.6000.20661] . . c:\windows\$hf_mig$\KB939653-IE7\SP2QFE\mshtml.dll
[7] 2007-07-18 . 7CE243CFD47AD0DC431586CB8C542A11 . 3584000 . . [7.00.6000.20641] . . c:\windows\$hf_mig$\KB937143-IE7\SP2QFE\mshtml.dll
[7] 2007-05-08 . 1D4E3B86C601A2497C99790CC4D7DF26 . 3584000 . . [7.00.6000.20591] . . c:\windows\$hf_mig$\KB933566-IE7\SP2QFE\mshtml.dll
[7] 2007-03-07 . 190E1AE9B973049B12A67BAD478C770C . 3581952 . . [7.00.6000.16441] . . c:\windows\ie7updates\KB933566-IE7\mshtml.dll
[7] 2007-03-07 . DA297A862E5F093A07D37C05F608C686 . 3582976 . . [7.00.6000.20544] . . c:\windows\$hf_mig$\KB931768-IE7\SP2QFE\mshtml.dll
[-] 2006-09-14 . CEFEA1C301139A817931BE132F0359FE . 3058688 . . [6.00.2900.2995] . . c:\windows\system32\mshtml.dll
[-] 2006-09-14 . CEFEA1C301139A817931BE132F0359FE . 3058688 . . [6.00.2900.2995] . . c:\windows\system32\dllcache\mshtml.dll
[-] 2006-05-19 . 8687E029BE63C77D4919485068C54D77 . 3055104 . . [6.00.2900.2912] . . c:\windows\$NtUninstallKB922760$\mshtml.dll
.
[7] 2008-10-16 . 0D5B75171FF51775B630A431B6C667E8 . 827904 . . [7.00.6000.20935] . . c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\wininet.dll
[7] 2008-08-26 . 77C192FE56A70D7FA0247BA0A6201C32 . 827904 . . [7.00.6000.20900] . . c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
[7] 2008-08-26 . EF8EBA98145BFA44E80D17A3B3453300 . 826368 . . [7.00.6000.16735] . . c:\windows\ie7updates\KB958215-IE7\wininet.dll
[7] 2008-06-23 . C66402A06B83B036C195242C0C8CF83C . 827904 . . [7.00.6000.20861] . . c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\wininet.dll
[7] 2008-04-23 . F6589BE784647CFDBC22EA51CCB1A57A . 826368 . . [7.00.6000.16674] . . c:\windows\ie7updates\KB953838-IE7\wininet.dll
[7] 2008-04-23 . 41546B396A526918DA7995A02EA04E51 . 827392 . . [7.00.6000.20815] . . c:\windows\$hf_mig$\KB950759-IE7\SP2QFE\wininet.dll
[7] 2008-04-14 . 7A4F775ABB2F1C97DEF3E73AFA2FAEDD . 666112 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\wininet.dll
[7] 2008-03-01 . 6316C2F0C61271C8ABDFF7429174879E . 827392 . . [7.00.6000.20772] . . c:\windows\$hf_mig$\KB947864-IE7\SP2QFE\wininet.dll
[7] 2007-10-10 . 30C1E0F34AD2972C72A01DB5C74AB065 . 824832 . . [7.00.6000.16574] . . c:\windows\ie7updates\KB947864-IE7\wininet.dll
[7] 2007-10-10 . 0E5D918F87EFA7D2424D66B499C7EB04 . 825344 . . [7.00.6000.20696] . . c:\windows\$hf_mig$\KB942615-IE7\SP2QFE\wininet.dll
[7] 2007-08-20 . 357D54BF94FE9D6D8505A96B5C2A3BCA . 825344 . . [7.00.6000.20661] . . c:\windows\$hf_mig$\KB939653-IE7\SP2QFE\wininet.dll
[7] 2007-06-27 . D6ED5E042C5207553E7F5E842918137F . 824320 . . [7.00.6000.20627] . . c:\windows\$hf_mig$\KB937143-IE7\SP2QFE\wininet.dll
[7] 2007-04-25 . 431DEFBB4A3D7B0DC062C1B064623A2F . 823808 . . [7.00.6000.20583] . . c:\windows\$hf_mig$\KB933566-IE7\SP2QFE\wininet.dll
[7] 2007-03-07 . 5B35DAE6E4886F64D1DA58C4E3E01EB9 . 822784 . . [7.00.6000.16441] . . c:\windows\ie7updates\KB933566-IE7\wininet.dll
[7] 2007-03-07 . B8F4DB39CA7353752F245379D285C80E . 823296 . . [7.00.6000.20544] . . c:\windows\$hf_mig$\KB931768-IE7\SP2QFE\wininet.dll
[-] 2006-09-14 . D207370287CF769AEBEBF03837784963 . 664576 . . [6.00.2900.2995] . . c:\windows\system32\wininet.dll
[-] 2006-09-14 . D207370287CF769AEBEBF03837784963 . 664576 . . [6.00.2900.2995] . . c:\windows\system32\dllcache\wininet.dll
[-] 2006-05-10 . D94CFFDB53E7AC867438E2DFD50E7CBC . 663552 . . [6.00.2900.2904] . . c:\windows\$NtUninstallKB922760$\wininet.dll
.
[7] 2008-10-15 . 056C927CF7207857E8B34F7A8FFD9B9E . 633632 . . [7.00.6000.20935] . . c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\iexplore.exe
[7] 2008-08-23 . E8305C30D35E85D6657ED3E9934CB302 . 635848 . . [7.00.6000.20900] . . c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\iexplore.exe
[7] 2008-08-23 . 1F03216084447F990AE797317D0A6E70 . 635848 . . [7.00.6000.16735] . . c:\windows\ie7updates\KB958215-IE7\iexplore.exe
[7] 2008-06-23 . C52A9EF571E91535EB78DB4B8B95EA07 . 625664 . . [7.00.6000.20861] . . c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\iexplore.exe
[7] 2008-04-22 . 197B7E4030CFBD8D2979D375E1787AA2 . 625664 . . [7.00.6000.20815] . . c:\windows\$hf_mig$\KB950759-IE7\SP2QFE\iexplore.exe
[7] 2008-04-22 . 232B22817B90AE0AFF2D189E3E3735AC . 625664 . . [7.00.6000.16674] . . c:\windows\ie7updates\KB953838-IE7\iexplore.exe
[7] 2008-04-14 . 55794B97A7FAABD2910873C85274F409 . 93184 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\iexplore.exe
[7] 2008-02-22 . 6E0888626E0CAC79F57149814E22DB4D . 625664 . . [7.00.6000.20772] . . c:\windows\$hf_mig$\KB947864-IE7\SP2QFE\iexplore.exe
[7] 2007-10-10 . E854D02E4231F704D9BE782A424E6D8B . 625152 . . [7.00.6000.16574] . . c:\windows\ie7updates\KB947864-IE7\iexplore.exe
[7] 2007-10-10 . 632BDE0179847234433CA50945442ACB . 625664 . . [7.00.6000.20696] . . c:\windows\$hf_mig$\KB942615-IE7\SP2QFE\iexplore.exe
[7] 2007-08-17 . 5577D0E3AC2F9F035ACD81B44AF5F511 . 625152 . . [7.00.6000.20661] . . c:\windows\$hf_mig$\KB939653-IE7\SP2QFE\iexplore.exe
[7] 2007-06-27 . BD8502DFD53FC24FB8D6929DC46B8C2C . 625152 . . [7.00.6000.20627] . . c:\windows\$hf_mig$\KB937143-IE7\SP2QFE\iexplore.exe
[7] 2007-04-24 . 9B3516C1F30DA17ADD3818573047D63C . 625152 . . [7.00.6000.20583] . . c:\windows\$hf_mig$\KB933566-IE7\SP2QFE\iexplore.exe
[7] 2007-02-28 . D321092F8529CDAE843D6E24E3CAC6CB . 625152 . . [7.00.6000.20544] . . c:\windows\$hf_mig$\KB931768-IE7\SP2QFE\iexplore.exe
[7] 2007-02-21 . 683DDE71BCF03B501B912D20CB93B549 . 623616 . . [7.00.6000.16441] . . c:\windows\ie7updates\KB933566-IE7\iexplore.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-29 395776]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"SigmatelSysTrayApp"="stsystra.exe" [2006-08-15 282624]
"nwiz"="nwiz.exe" [2006-08-23 1617920]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-23 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-23 7630848]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"ISUSPM Startup"="c:\progra~1\common~1\instal~1\update~1\isuspm.exe" [2004-07-27 221184]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
.
c:\documents and settings\Tim\Start Menu\Programs\Startup\
MEMonitor.lnk - c:\program files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe [2007-10-29 947544]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
backup=c:\windows\pss\ymetray.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^donald mcallister^Start Menu^Programs^Startup^BoontyBox Play Toad.lnk]
backup=c:\windows\pss\BoontyBox Play Toad.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\82230314469532258735422514065871
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Amok Eggs Four Web
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DigiFast
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW6
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gamevance
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Java Load
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Java Syncro
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MS Update v1
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SfKg6wIPuSpdc
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinProx32_1
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2007-03-09 17:09 63712 ----a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-18 13:58 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-04-27 06:22 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 23:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2006-12-08 00:18 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-02-22 09:25 144784 ----a-w- c:\program files\Java\jre1.6.0_05\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Walgreens PhotoShow Media Manager]
2006-04-20 06:35 237568 ----a-w- c:\progra~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)
"GoogleDesktopManager"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC
.
R0 FixTDSS;TDSS Fixtool driver;c:\windows\system32\drivers\FixTDSS.sys [6/6/2011 9:18 PM 20472]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1206000.01D\symds.sys [5/10/2011 3:30 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1206000.01D\symefa.sys [5/10/2011 3:30 PM 744568]
S1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\BASHDefs\20110518.001\BHDrvx86.sys [5/19/2011 10:43 AM 802936]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1206000.01D\ironx86.sys [5/10/2011 3:30 PM 136312]
S2 DiskDoctorService;Norton Disk Doctor Service;c:\program files\Norton Utilities 15\Tools\Disk Doctor\DiskDoctorSrv.exe [3/21/2011 2:21 PM 1029480]
S2 hnmwrlspkt;HomeNet Manager Wireless Protocol;c:\windows\system32\drivers\hnm_wrls_pkt.sys [7/14/2006 2:01 AM 13824]
S2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\18.6.0.29\ccsvchst.exe [5/10/2011 3:29 PM 130008]
S2 SpeedDiskService;Norton SpeedDisk Service;c:\program files\Norton Utilities 15\Tools\SpeedDisk\SpeedDiskSrv.exe [3/21/2011 2:21 PM 1037672]
S2 wsppkt;Wireless Security Protocol;c:\windows\system32\drivers\wsp_pkt.sys [7/14/2006 2:02 AM 13696]
S3 BlackBox;BlackBox SR2; [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/22/2011 11:34 AM 105592]
S3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\IPSDefs\20110603.003\IDSXpx86.sys [6/4/2011 12:10 AM 341944]
S3 SymDSMon;SymDSMon;c:\windows\system32\drivers\SymDSMon.sys [3/21/2011 2:21 PM 128248]
S3 SYMSpeedDisk;SYMSpeedDisk;c:\windows\system32\drivers\SymSpeedDisk.sys [3/21/2011 2:21 PM 108800]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 17:50]
.
2011-05-14 c:\windows\Tasks\ARO 2011.job
- c:\program files\ARO 2011\ARO.exe [2011-05-14 15:13]
.
2011-06-08 c:\windows\Tasks\NUSchedule.job
- c:\program files\Norton Utilities 15\nu.exe [2011-03-21 07:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
mStart Page = hxxp://www.dell.com
mSearch Bar = hxxp://www.google.com/ie
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
DPF: {181BCAB2-C89B-4E4B-9E6B-59FA67A426B5} - hxxps://tunnel.commercebank.com/epa/nsepa.ocx
FF - ProfilePath - c:\documents and settings\Tim\Application Data\Mozilla\Firefox\Profiles\pfyriad1.default\
FF - prefs.js: network.proxy.type - 4
FF - user.js: yahoo.homepage.dontask - true
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-OE_OEM - c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
AddRemove-Colors of War Special Edition - c:\progra~1\eGames\COLORS~1\UNWISE.EXE
AddRemove-Zuma Deluxe - c:\program files\RealArcade\Installer\bin\gameinstaller.exe
AddRemove-{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-110111700} - c:\program files\Oberon Media\Zuma Deluxe\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-09 21:40
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\18.6.0.29\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\18.6.0.29\diMaster.dll\" /prefetch:1"
.
Completion time: 2011-06-09 21:42:12
ComboFix-quarantined-files.txt 2011-06-10 02:42
.
Pre-Run: 98,168,946,688 bytes free
Post-Run: 117,463,961,600 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - F13BD893C5DCFE5B328A2A0EB434F13E

Edited by Rynofasho, 09 June 2011 - 09:45 PM.


#7 CatByte


  • Malware Response Team
  • 14,664 posts

Posted 09 June 2011 - 10:01 PM

Hi,

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://www.bleepingcomputer.com/forums/topic402485.html/page__view__findpost__p__2285564

Collect::
c:\windows\oyilunutowuwuq.dll

FCopy::
c:\windows\ServicePackFiles\i386\mshtml.dll | c:\windows\system32\mshtml.dll
c:\windows\ServicePackFiles\i386\mshtml.dll | c:\windows\system32\dllcache\mshtml.dll
c:\windows\ServicePackFiles\i386\wininet.dll | c:\windows\system32\wininet.dll
c:\windows\ServicePackFiles\i386\wininet.dll | c:\windows\system32\dllcache\wininet.dll

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Amok Eggs Four Web]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\82230314469532258735422514065871]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SfKg6wIPuSpdc]

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop; save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[Screenshot: dragging CFScript.txt onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT


  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
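The FCopy lines in the script above come straight from the Sigcheck section of the ComboFix log: the system32 and dllcache copies of mshtml.dll and wininet.dll are marked [-], while the ServicePackFiles\i386 copies are marked [7] and carry the SP3 version. The following is an added example, not ComboFix's code or anything posted in this thread, that parses those Sigcheck lines and derives the same FCopy directives; the meaning of the [7]/[-] markers is assumed from the log's layout, and the sample lines are copied from the log above with one iexplore.exe line added to show a file that yields no finding.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of ComboFix's Sigcheck section: the mshtml.dll
# and wininet.dll lines are those from the log in this thread; the iexplore.exe
# line is there to show a file that produces no finding.
SIGCHECK_SAMPLE = r"""
[7] 2008-04-14 . A706E122B398FE1AB85CB9B75D044223 . 3066880 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\mshtml.dll
[-] 2006-09-14 . CEFEA1C301139A817931BE132F0359FE . 3058688 . . [6.00.2900.2995] . . c:\windows\system32\mshtml.dll
[-] 2006-09-14 . CEFEA1C301139A817931BE132F0359FE . 3058688 . . [6.00.2900.2995] . . c:\windows\system32\dllcache\mshtml.dll
[-] 2006-05-19 . 8687E029BE63C77D4919485068C54D77 . 3055104 . . [6.00.2900.2912] . . c:\windows\$NtUninstallKB922760$\mshtml.dll
[7] 2008-04-14 . 7A4F775ABB2F1C97DEF3E73AFA2FAEDD . 666112 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\wininet.dll
[-] 2006-09-14 . D207370287CF769AEBEBF03837784963 . 664576 . . [6.00.2900.2995] . . c:\windows\system32\wininet.dll
[-] 2006-09-14 . D207370287CF769AEBEBF03837784963 . 664576 . . [6.00.2900.2995] . . c:\windows\system32\dllcache\wininet.dll
[-] 2006-05-10 . D94CFFDB53E7AC867438E2DFD50E7CBC . 663552 . . [6.00.2900.2904] . . c:\windows\$NtUninstallKB922760$\wininet.dll
[7] 2008-04-14 . 55794B97A7FAABD2910873C85274F409 . 93184 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\iexplore.exe
"""

# One Sigcheck line: [marker] date . md5 . size . . [version] . . path
LINE_RE = re.compile(
    r"^\[(?P<marker>[^\]])\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[\d.]+)\]\s+\.\s+\.\s+(?P<path>\S.*)$"
)

REFERENCE_DIR = r"c:\windows\servicepackfiles\i386"  # service-pack copies (known good)
LIVE_DIRS = (r"c:\windows\system32", r"c:\windows\system32\dllcache")  # what Windows loads


@dataclass(frozen=True)
class SigEntry:
    marker: str     # "7": passed ComboFix's check, "-": flagged (assumed from the log's layout)
    md5: str
    size: int
    version: tuple  # e.g. (6, 0, 2900, 5512); tuples compare component-wise
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def directory(self) -> str:
        return self.path.rsplit("\\", 1)[0].lower()


def parse_sigcheck(text: str) -> list:
    """Parse every well-formed Sigcheck line; anything else is ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append(SigEntry(
            marker=m["marker"],
            md5=m["md5"].upper(),
            size=int(m["size"]),
            version=tuple(int(p) for p in m["version"].split(".")),
            path=m["path"].strip(),
        ))
    return entries


@dataclass(frozen=True)
class Finding:
    source: str  # clean copy to restore from ("" when none is available)
    target: str  # live file that failed the check
    reason: str


def plan_restores(entries: list) -> list:
    """Pair each flagged file in a live directory with the passing
    ServicePackFiles copy of the same name and explain the mismatch."""
    reference = {e.name: e for e in entries
                 if e.marker == "7" and e.directory == REFERENCE_DIR}
    findings = []
    for e in entries:
        if e.marker != "-" or e.directory not in LIVE_DIRS:
            continue  # $NtUninstall* backups are never loaded, so not restored
        ref = reference.get(e.name)
        if ref is None:
            findings.append(Finding("", e.path, "flagged, but no ServicePackFiles copy to restore from"))
            continue
        if e.md5 == ref.md5:
            continue  # identical bytes: nothing to copy
        reason = "MD5 differs from ServicePackFiles copy"
        if e.version < ref.version:
            live = ".".join(map(str, e.version))
            good = ".".join(map(str, ref.version))
            reason += f"; live version {live} is older than {good}"
        findings.append(Finding(ref.path, e.path, reason))
    return findings


def fcopy_section(findings: list) -> str:
    """Render the findings as the FCopy:: block a CFScript expects."""
    lines = ["FCopy::"] + [f"{f.source} | {f.target}" for f in findings if f.source]
    return "\n".join(lines)


if __name__ == "__main__":
    found = plan_restores(parse_sigcheck(SIGCHECK_SAMPLE))
    for f in found:
        print(f"{f.target}: {f.reason}")
    print(fcopy_section(found))
```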


#8 Rynofasho

  • Topic Starter

  • Members
  • 17 posts

Posted 09 June 2011 - 10:20 PM

EDIT: Never mind, booted fine with internet on a regular restart -- updating MBAM database now.

Edited by Rynofasho, 09 June 2011 - 10:28 PM.


#9 Rynofasho

  • Topic Starter

  • Members
  • 17 posts

Posted 10 June 2011 - 05:55 AM

CF Log

ComboFix 11-06-09.04 - Administrator 06/09/2011 22:13:28.3.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.556 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: Norton AntiVirus *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
.
file zipped: c:\windows\oyilunutowuwuq.dll
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\oyilunutowuwuq.dll
.
.
--------------- FCopy ---------------
.
c:\windows\ServicePackFiles\i386\mshtml.dll --> c:\windows\system32\mshtml.dll
c:\windows\ServicePackFiles\i386\mshtml.dll --> c:\windows\system32\dllcache\mshtml.dll
c:\windows\ServicePackFiles\i386\wininet.dll --> c:\windows\system32\wininet.dll
c:\windows\ServicePackFiles\i386\wininet.dll --> c:\windows\system32\dllcache\wininet.dll
.
((((((((((((((((((((((((( Files Created from 2011-05-10 to 2011-06-10 )))))))))))))))))))))))))))))))
.
.
2011-06-07 22:54 . 2011-06-07 22:54 -------- d-----w- C:\GMER
2011-06-07 03:05 . 2011-06-07 03:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-06-07 02:18 . 2011-06-07 02:18 -------- d-----w- c:\documents and settings\Tim\Application Data\FixTDSS
2011-06-07 02:18 . 2011-06-07 02:18 20472 ----a-w- c:\windows\system32\drivers\FixTDSS.sys
2011-06-07 01:53 . 2011-06-07 01:53 -------- d-----w- c:\program files\Trend Micro
2011-06-07 01:52 . 2011-06-07 01:52 -------- d-----w- c:\documents and settings\Tim\Application Data\Malwarebytes
2011-06-07 01:51 . 2011-06-07 01:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-06-07 01:51 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-07 01:51 . 2011-06-07 01:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-07 01:51 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-07 01:49 . 2011-06-08 03:57 -------- d-----w- c:\documents and settings\Tim\Application Data\U3
2011-06-06 00:27 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2011-06-06 00:27 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
2011-05-30 15:46 . 2011-05-30 15:46 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-05-30 15:46 . 2011-05-30 15:46 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-05-30 15:46 . 2011-05-30 15:46 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-05-30 15:46 . 2011-05-30 15:46 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-05-30 15:46 . 2011-05-30 15:46 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-05-30 15:46 . 2011-05-30 15:46 1892184 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-05-30 15:46 . 2011-05-30 15:46 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-05-30 15:46 . 2011-05-30 15:46 1974616 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-05-26 15:52 . 2011-05-26 15:52 -------- d-----w- c:\program files\Bonjour
2011-05-23 23:05 . 2011-05-23 23:05 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
2011-05-16 18:38 . 2011-05-16 18:38 -------- d-----w- C:\found.001
2011-05-14 23:40 . 2011-05-14 23:40 -------- d-----w- c:\documents and settings\donald mcallister\Application Data\Sammsoft
2011-05-14 21:20 . 2011-05-14 21:20 -------- d-----w- c:\documents and settings\Patrick\Application Data\Sammsoft
2011-05-14 21:20 . 2011-05-20 16:48 -------- d-----w- c:\program files\ARO 2011
2011-05-12 18:49 . 2011-05-12 18:49 -------- d-----w- C:\found.000
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-10 20:30 . 2010-03-20 16:37 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-05-10 20:30 . 2010-03-20 16:37 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-04-06 21:20 . 2011-04-06 21:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 21:20 . 2011-04-06 21:20 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 21:20 . 2011-04-06 21:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-03-31 03:00 . 2011-05-10 20:30 516216 ----a-w- c:\windows\system32\drivers\NAV\1206000.01D\srtsp.sys
2011-03-31 03:00 . 2011-05-10 20:30 50168 ----a-w- c:\windows\system32\drivers\NAV\1206000.01D\srtspx.sys
2011-03-29 18:58 . 2011-03-29 18:58 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-29 18:58 . 2008-03-21 18:14 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-03-22 00:39 . 2011-05-10 20:30 369784 ----a-w- c:\windows\system32\drivers\NAV\1206000.01D\symtdi.sys
2011-03-22 00:39 . 2011-05-10 20:30 331384 ----a-w- c:\windows\system32\drivers\NAV\1206000.01D\symtdiv.sys
2011-03-22 00:39 . 2011-05-10 20:30 296568 ----a-w- c:\windows\system32\drivers\NAV\1206000.01D\symnets.sys
2011-03-15 02:31 . 2011-05-10 20:30 744568 ----a-w- c:\windows\system32\drivers\NAV\1206000.01D\symefa.sys
2008-02-08 02:46 . 2008-02-08 02:46 13624 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-02-08 02:46 . 2008-02-08 02:46 87360 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-02-08 02:46 . 2008-02-08 02:46 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2008-02-08 02:46 . 2008-02-08 02:46 21824 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-02-08 02:46 . 2008-02-08 02:46 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-02-08 02:46 . 2008-02-08 02:46 31544 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2008-02-08 02:46 . 2008-02-08 02:46 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2007-03-16 22:27 . 2007-03-16 22:27 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2007-03-16 22:27 . 2007-03-16 22:27 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2007-03-16 22:27 . 2007-03-16 22:27 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2007-07-20 17:47 . 2007-07-20 17:47 981170 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-02-08 02:46 . 2008-02-08 02:46 24384 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
2011-05-30 15:46 . 2011-05-30 15:46 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2008-10-15 . 056C927CF7207857E8B34F7A8FFD9B9E . 633632 . . [7.00.6000.20935] . . c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\iexplore.exe
[7] 2008-08-23 . E8305C30D35E85D6657ED3E9934CB302 . 635848 . . [7.00.6000.20900] . . c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\iexplore.exe
[7] 2008-08-23 . 1F03216084447F990AE797317D0A6E70 . 635848 . . [7.00.6000.16735] . . c:\windows\ie7updates\KB958215-IE7\iexplore.exe
[7] 2008-06-23 . C52A9EF571E91535EB78DB4B8B95EA07 . 625664 . . [7.00.6000.20861] . . c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\iexplore.exe
[7] 2008-04-22 . 197B7E4030CFBD8D2979D375E1787AA2 . 625664 . . [7.00.6000.20815] . . c:\windows\$hf_mig$\KB950759-IE7\SP2QFE\iexplore.exe
[7] 2008-04-22 . 232B22817B90AE0AFF2D189E3E3735AC . 625664 . . [7.00.6000.16674] . . c:\windows\ie7updates\KB953838-IE7\iexplore.exe
[7] 2008-04-14 . 55794B97A7FAABD2910873C85274F409 . 93184 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\iexplore.exe
[7] 2008-02-22 . 6E0888626E0CAC79F57149814E22DB4D . 625664 . . [7.00.6000.20772] . . c:\windows\$hf_mig$\KB947864-IE7\SP2QFE\iexplore.exe
[7] 2007-10-10 . E854D02E4231F704D9BE782A424E6D8B . 625152 . . [7.00.6000.16574] . . c:\windows\ie7updates\KB947864-IE7\iexplore.exe
[7] 2007-10-10 . 632BDE0179847234433CA50945442ACB . 625664 . . [7.00.6000.20696] . . c:\windows\$hf_mig$\KB942615-IE7\SP2QFE\iexplore.exe
[7] 2007-08-17 . 5577D0E3AC2F9F035ACD81B44AF5F511 . 625152 . . [7.00.6000.20661] . . c:\windows\$hf_mig$\KB939653-IE7\SP2QFE\iexplore.exe
[7] 2007-06-27 . BD8502DFD53FC24FB8D6929DC46B8C2C . 625152 . . [7.00.6000.20627] . . c:\windows\$hf_mig$\KB937143-IE7\SP2QFE\iexplore.exe
[7] 2007-04-24 . 9B3516C1F30DA17ADD3818573047D63C . 625152 . . [7.00.6000.20583] . . c:\windows\$hf_mig$\KB933566-IE7\SP2QFE\iexplore.exe
[7] 2007-02-28 . D321092F8529CDAE843D6E24E3CAC6CB . 625152 . . [7.00.6000.20544] . . c:\windows\$hf_mig$\KB931768-IE7\SP2QFE\iexplore.exe
[7] 2007-02-21 . 683DDE71BCF03B501B912D20CB93B549 . 623616 . . [7.00.6000.16441] . . c:\windows\ie7updates\KB933566-IE7\iexplore.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [BU]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-29 395776]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-21 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"SigmatelSysTrayApp"="stsystra.exe" [2006-08-15 282624]
"nwiz"="nwiz.exe" [2006-08-23 1617920]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-23 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-23 7630848]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"ISUSPM Startup"="c:\progra~1\common~1\instal~1\update~1\isuspm.exe" [2004-07-27 221184]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
.
c:\documents and settings\Tim\Start Menu\Programs\Startup\
MEMonitor.lnk - c:\program files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe [2007-10-29 947544]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
backup=c:\windows\pss\ymetray.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^donald mcallister^Start Menu^Programs^Startup^BoontyBox Play Toad.lnk]
backup=c:\windows\pss\BoontyBox Play Toad.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2007-03-09 17:09 63712 ----a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-18 13:58 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-04-27 06:22 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 23:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2006-12-08 00:18 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-02-22 09:25 144784 ----a-w- c:\program files\Java\jre1.6.0_05\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Walgreens PhotoShow Media Manager]
2006-04-20 06:35 237568 ----a-w- c:\progra~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)
"GoogleDesktopManager"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC
.
R0 FixTDSS;TDSS Fixtool driver;c:\windows\system32\drivers\FixTDSS.sys [6/6/2011 9:18 PM 20472]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1206000.01D\symds.sys [5/10/2011 3:30 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1206000.01D\symefa.sys [5/10/2011 3:30 PM 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\BASHDefs\20110518.001\BHDrvx86.sys [5/19/2011 10:43 AM 802936]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1206000.01D\ironx86.sys [5/10/2011 3:30 PM 136312]
R2 hnmwrlspkt;HomeNet Manager Wireless Protocol;c:\windows\system32\drivers\hnm_wrls_pkt.sys [7/14/2006 2:01 AM 13824]
R2 wsppkt;Wireless Security Protocol;c:\windows\system32\drivers\wsp_pkt.sys [7/14/2006 2:02 AM 13696]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/22/2011 11:34 AM 105592]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\IPSDefs\20110603.003\IDSXpx86.sys [6/4/2011 12:10 AM 341944]
S3 BlackBox;BlackBox SR2; [x]
S3 SymDSMon;SymDSMon;c:\windows\system32\drivers\SymDSMon.sys [3/21/2011 2:21 PM 128248]
S3 SYMSpeedDisk;SYMSpeedDisk;c:\windows\system32\drivers\SymSpeedDisk.sys [3/21/2011 2:21 PM 108800]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 17:50]
.
2011-05-14 c:\windows\Tasks\ARO 2011.job
- c:\program files\ARO 2011\ARO.exe [2011-05-14 15:13]
.
2011-06-08 c:\windows\Tasks\NUSchedule.job
- c:\program files\Norton Utilities 15\nu.exe [2011-03-21 07:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell.com
mSearch Bar = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
Trusted Zone: commercebank.com\tunnell
Trusted Zone: turbotax.com
TCP: DhcpNameServer = 192.168.1.254
DPF: {181BCAB2-C89B-4E4B-9E6B-59FA67A426B5} - hxxps://tunnel.commercebank.com/epa/nsepa.ocx
FF - ProfilePath - c:\documents and settings\Tim\Application Data\Mozilla\Firefox\Profiles\pfyriad1.default\
FF - prefs.js: network.proxy.type - 4
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - (no file)
URLSearchHooks-{B0EA550B-0C3B-4B56-95BE-A90F5362D6A9} - (no file)
WebBrowser-{4E7BD74F-2B8D-469E-85B2-BC27FE9AAE2E} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-09 22:20
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\18.6.0.29\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\18.6.0.29\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2196)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Norton Utilities 15\Tools\Disk Doctor\DiskDoctorSrv.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Flip Video\FlipShare\FlipShareService.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Norton AntiVirus\Engine\18.6.0.29\ccSvcHst.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Norton Utilities 15\Tools\SpeedDisk\SpeedDiskSrv.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\Norton AntiVirus\Engine\18.6.0.29\ccSvcHst.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\eHome\ehmsas.exe
c:\program files\Norton Utilities 15\Tools\SpeedDisk\SpeedDiskSrvProxy.exe
c:\windows\system32\msiexec.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2011-06-09 22:24:30 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-10 03:24
ComboFix2.txt 2011-06-10 02:42
.
Pre-Run: 117,485,006,848 bytes free
Post-Run: 116,402,253,824 bytes free
.
Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 3DB236CDA25106AECDCF19BB7E7F3D2A
Upload was successful
_________________________________________________________________________________________________

MBAM

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6822

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.2180

6/9/2011 10:35:24 PM
mbam-log-2011-06-09 (22-35-24).txt

Scan type: Quick scan
Objects scanned: 224666
Time elapsed: 4 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{0ED403E8-470A-4A8A-85A4-D7688CFE39A3} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0ED403E8-470A-4A8A-85A4-D7688CFE39A3} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{BC36F9FB-688E-4F8D-8622-55D30A28A08F} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{B7D3E479-CC68-42B5-A338-938ECE35F419} (Adware.Softomate) -> Value: {B7D3E479-CC68-42B5-A338-938ECE35F419} -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{B7D3E479-CC68-42B5-A338-938ECE35F419} (Adware.Softomate) -> Value: {B7D3E479-CC68-42B5-A338-938ECE35F419} -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Patrick\my documents\downloads\Setup.exe (Adware.Hotbar) -> Quarantined and deleted successfully.



ESET was clean so no log.

#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 10 June 2011 - 01:45 PM

Hi,

Please do the following:

Visit ADOBE and download the latest version of Acrobat Reader (version X).
Having the latest updates ensures there are no security vulnerabilities in your system.

NEXT

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 25 and save it to your desktop.
  • Scroll down to where it says JDK 6 Update 25 (JDK or JRE)
  • Click the Download JRE button to the right
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u25 with JavaFX 1 License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u25-windows-i586.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.


NEXT

Please post a fresh DDS Log and advise how the computer is running now and if there are any outstanding issues

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
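Added example, not part of CatByte's post or the original thread: a PowerShell script that lists the installed Java runtimes the way Add or Remove Programs sees them and flags any older than 6u25, the build the steps above ask for, then reports the size of the deployment cache those steps clear. It assumes PowerShell 2.0 on Windows XP with 32-bit Java, the JRE 6 cache location under %APPDATA%, and that Sun recorded 6u25 as DisplayVersion 6.0.250 (an assumption).

```powershell
# Added example (not from the thread): inventory Java runtimes and flag outdated ones.
# Assumes PowerShell 2.0+ on Windows XP and the JRE 6 cache under %APPDATA% (assumption).
$TargetVersion = [version]'6.0.250'   # assumed DisplayVersion that Sun used for JRE 6 Update 25

function Get-InstalledJava {
    # Same data Add or Remove Programs reads; the Wow6432Node path covers 64-bit hosts.
    $paths = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*')
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match '^(Java|J2SE)' -and
                       $_.DisplayName -notmatch 'Auto Updater' } |
        Select-Object DisplayName, DisplayVersion, UninstallString
}

function ConvertTo-JavaVersion {
    # Version.TryParse needs .NET 4, so a try/catch cast keeps this usable on XP's CLR 2.0.
    param([string]$DisplayVersion)
    try { return [version]$DisplayVersion } catch { return $null }
}

$installed = @(Get-InstalledJava)
if ($installed.Count -eq 0) { 'No Java runtime registered in Add or Remove Programs.' }
foreach ($j in $installed) {
    $v = ConvertTo-JavaVersion $j.DisplayVersion
    # An unparsable version string is treated as suspect rather than silently skipped.
    $state = if ($v -eq $null -or $v -lt $TargetVersion) {
        'OUTDATED - remove via Add or Remove Programs'
    } else { 'current' }
    '{0,-45} {1,-10} {2}' -f $j.DisplayName, $j.DisplayVersion, $state
}

# Deployment cache holding the "Applications and Applets" and "Trace and Log Files"
# entries; the Java Control Panel step in the post deletes this content.
$cache = Join-Path $env:APPDATA 'Sun\Java\Deployment\cache'
if (Test-Path $cache) {
    $size = (Get-ChildItem $cache -Recurse -Force -ErrorAction SilentlyContinue |
             Measure-Object -Property Length -Sum).Sum
    'Java deployment cache: {0} ({1:N0} bytes); clear it after updating' -f $cache, $size
}
```

Run it before and after the removal steps: afterwards only the single current entry should remain in the listing.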


#11 Rynofasho

Rynofasho
  • Topic Starter

  • Members
  • 17 posts

Posted 10 June 2011 - 04:11 PM

Rut roh.

BSODing every time now -- I think some Windows updates auto-installed and now it is dying. ksecdd.sys is causing a problem -- page fault in nonpaged area.

Now what? I do have the option to boot from the recovery console, FYI

#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 10 June 2011 - 04:14 PM

See if you have a System Restore point from before the update installed.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#13 Rynofasho

Rynofasho
  • Topic Starter

  • Members
  • 17 posts

Posted 10 June 2011 - 04:24 PM

I tried using Last Known Good config, still no dice.

#14 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 10 June 2011 - 04:28 PM

System Restore is a little different from LKG.


Go to Start > Run > press OK to open a Run box.


Copy/paste the following into the open Run box to start the System Restore process. Choose to do a system restore and you should be presented with restore points from when the system was working properly; choose a restore point from before the update that crashed your system was installed:

%SystemRoot%\System32\restore\rstrui.exe

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#15 Rynofasho

Rynofasho
  • Topic Starter

  • Members
  • 17 posts

Posted 10 June 2011 - 04:38 PM

I can't load Windows at all. I can get there from the Recovery Console and get to that directory, but rstrui won't execute; it just says it isn't a valid system command.

Edited by Rynofasho, 10 June 2011 - 04:40 PM.




