
Unknown-to-Norton Malware Mines $$&Tax data--Sends to Net--OverLoads Win\Temp


  • This topic is locked
22 replies to this topic

#1 maggie2011

maggie2011

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Northern Virginia
  • Local time:04:12 AM

Posted 19 September 2011 - 03:22 PM

Three weeks ago, a major part of my previous-year tax return appeared on an internet site advertising
"financial management" services to be provided by me and other professionals. (I am a clinical
psychologist and an artist, not a money manager.) The information posted is sufficient for identity theft.

I discovered that something infected my two Windows computers and was
1. mining and uploading financial files and
2. filling up my Windows\Temp folder with multi-GB files. Every folder in My Documents was duplicated; most of the
folders were empty, and there was a big red-and-yellow icon next to the one folder holding a tax file
which I had submitted to IRS by e-filing. These problems started after I opened what at first appeared to be a legitimate email
from my lawyer. It had no attachment, but the contents appeared to be a bogus request to be his friend on a social network.
He denied sending it, so I asked him (via snail mail) to take me off his digital contact list.


I immediately removed all financial and personal and patient files from each computer and saved
them on hard drives not connected to the systems at home and at work. Complete system scans with
Norton Internet Security's latest malware definitions found nothing on either computer. Norton
Power Eraser found and removed two files on each computer: 1. scanwiz.exe (a scanner I have used
for years with no problems) and
2. \REGISTRY\MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open

I spent many many hours "chatting" with Norton supervisors and case managers, with no solutions.
The malware still creates a folder almost every minute in the Windows\Temp folder. Before I ran
Norton PE, these folders were many GB in each file. They still appear but are only KB in size.

For this desktop I have an August 13 restore point. I think that is before the infection. I have all of my data on hard drives
not currently attached to the system. For my laptop at my work office, I have a complete Norton Save and Restore backup
from August 18. (Somebody on the Norton Forum called this kind of backup a disk image.) My data files and programs
are the same on both computers, but the Dell desktop and the Dell laptop are different hardware, so I do not know if
the disk image is useful on this computer.

Thank you for having this amazing site; I learned so much in the days reading your materials and preparing this
topic.

maggie 2011 (new signature follows:)

Dell Optiplex 755 Ultra Small Form Factor CPU: Core 2 Duo E8500/3.16GHz6M, VT, 1333FSB Ram: 4GB, Non-ECC, 800MHZ, DDR2.2 x2 GB
Motherboard: Dell Optiplex 755 Storage: Seagate 500 GB internal SATA, External: Dell RD1000 tape USB 320GB cartridges, and Seagate GoFlexPro 750GB
Video: Intel Q35 Express Chipset Family Integrated GMA3100 Network: Cisco Linksys Ethernet home network, Intel 2GB Network Connection, DSL
OS: Windows XP Professional SP 3, 5.1 Build 2600 Web & Email: Firefox 6.0.2, Google email
AV: Norton Internet Security 2011 Anti-Spyware: Spybot Search & Destroy Sound: SoundMAX HD Audio

The following is the content of dds.txt


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Mary at 19:35:58 on 2011-09-18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3317.1887 [GMT -4:00]
.
AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\WINDOWS\system32\svchost.exe -k HPHNDUService
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
C:\WINDOWS\system32\nlssrv32.exe
C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton PC Checkup\Engine\2.0.8.13\SymcPCCULaunchSvc.exe
C:\Program Files\Norton Save and Restore\Agent\VProSvc.exe
C:\PROGRA~1\NORTON~4\NORTON~1\NPROTECT.EXE
C:\Program Files\Norton PC Checkup\Engine\2.0.8.13\ccSvcHst.exe
C:\Program Files\Nuance\PaperPort\PDFProFiltSrvPP.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Norton PC Checkup\Engine\2.0.8.13\ccSvcHst.exe
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\NORTON~4\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\VERIZONDM\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\VERIZONDM\bin\tgsrvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Norton Save and Restore\Agent\VProTray.exe
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Symantec\Norton Online Backup\NOBuAgent.exe
C:\Program Files\Symantec\Norton Online Backup\NOBuClient.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
C:\Program Files\Nuance\PDF Viewer Plus\pdfpro5hook.exe
C:\Program Files\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS\562C4DD5\19.1.0.28\InstStub.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
C:\Documents and Settings\Mary\My Documents\Downloads\Programs\Defogger.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\DfrgNtfs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe
C:\Program Files\Nuance\PaperPort\NuanceWDS.exe
C:\WINDOWS\system32\taskmgr.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.nytimes.com/
uInternet Connection Wizard,ShellNext = https://nobu.backup.com/backup_agents/register/temp672DDFDE-C095-401E-9995-94635A56A0E0?display_name=dell&TZ=-300
uInternet Settings,ProxyOverride = *.local
BHO: IDM integration (IDMIEHlprObj Class): {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: PlusIEEventHelper Class: {551a852f-39a6-44a7-9c13-afbec9185a9d} - c:\program files\nuance\pdf viewer plus\bin\PlusIEContextMenu.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\18.6.0.29\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\18.6.0.29\ips\IPSBHO.DLL
BHO: ZeonIEEventHelper Class: {da986d7d-ccaf-47b2-84fe-bfa1549bebf9} - c:\program files\nuance\pdf viewer plus\bin\ZeonIEFavClient.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\18.6.0.29\coIEPlg.dll
TB: Nuance PDF: {e3286bf1-e654-42ff-b4a6-5e111731df6b} - c:\program files\nuance\pdf viewer plus\bin\ZeonIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [IDMan] c:\program files\internet download manager\IDMan.exe /onboot
uRun: [Norton Download Manager{NIS191028-SHPD-FSD21017}] c:\documents and settings\all users\documents\norton\{nis191028-shpd-fsd21017}\NISDownloader.exe /m
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Norton Save and Restore 2.0] "c:\program files\norton save and restore\agent\VProTray.exe"
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [DiscWizardMonitor.exe] c:\program files\seagate\discwizard\DiscWizardMonitor.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [NSWosCheck] "c:\program files\norton systemworks\osCheck.exe"
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [NswUiTray] c:\program files\norton systemworks\NswUiTray.exe
mRun: [Norton Online Backup] c:\program files\symantec\norton online backup\NOBuClient.exe
StartupFolder: c:\docume~1\mary\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\mary\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\documents and settings\mary\start menu\programs\startup\EvernoteClipper.lnk.disabled
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
uPolicies-explorer: NoSMMyDocs = 1 (0x1)
uPolicies-explorer: NoSMMyPictures = 1 (0x1)
uPolicies-explorer: NoStartMenuMyMusic = 1 (0x1)
uPolicies-explorer: NoTaskGrouping = 1 (0x1)
IE: Add to Evernote 4.0 - c:\program files\evernote\evernote\EvernoteIE.dll/204
IE: Append the content of the link to existing PDF file - c:\program files\nuance\pdf viewer plus\bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
IE: Append the content of the selected links to existing PDF file - c:\program files\nuance\pdf viewer plus\bin\ZeonIEFavClient.dll/ZeonIEAppendSelLinks.HTML
IE: Append to existing PDF file - c:\program files\nuance\pdf viewer plus\bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
IE: Create PDF file - c:\program files\nuance\pdf viewer plus\bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
IE: Create PDF file from the content of the link - c:\program files\nuance\pdf viewer plus\bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
IE: Create PDF files from the selected links - c:\program files\nuance\pdf viewer plus\bin\ZeonIEFavClient.dll/ZeonIECaptureSelLinks.HTML
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Open with PDF Viewer Plus - c:\program files\nuance\pdf viewer plus\bin\PlusIEContextMenu.dll/PlusIEContextMenu.htm
IE: {5E638779-1818-4754-A595-EF1C63B87A56} - c:\program files\norton systemworks\norton cleanup\WCQuick.lnk
IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://c:\program files\evernote\evernote\EvernoteIE.dll/204
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: intuit.com\ttlc
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1292170344859
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.2 71.252.0.12 68.237.161.12
TCP: Interfaces\{996E7942-3D30-4E1E-88C9-F474726AA441} : DhcpNameServer = 192.168.1.2 71.252.0.12 68.237.161.12
Notify: igfxcui - igfxdev.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Authentication Packages = msv1_0 relog_ap
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\mary\application data\mozilla\firefox\profiles\4wsa42ax.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.nytimes.com/
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\coffplgn_2011_7_1_3\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\mary\application data\idm\idmmzcc5\components\idmmzcc.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SMR210;Symantec SMR Utility Service 2.1.0;c:\windows\system32\drivers\SMR210.SYS [2011-9-18 83064]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1301000.01c\SymDS.sys [2011-9-18 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1301000.01c\SymEFA.sys [2011-9-18 897656]
R1 IDMTDI;IDMTDI;c:\windows\system32\drivers\idmtdi.sys [2011-3-10 101616]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1301000.01c\Ironx86.sys [2011-9-18 149624]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-12-18 189736]
R2 HPHNDUSVC;HP Home Network Diagnostic Support Service;c:\windows\system32\svchost.exe -k HPHNDUService [2008-4-14 14336]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\19.1.0.28\ccSvcHst.exe [2011-9-18 138760]
R2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\nlssrv32.exe [2011-5-23 63488]
R2 NOBU;Norton Online Backup;c:\program files\symantec\norton online backup\NOBuAgent.exe [2010-6-8 2057560]
R2 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;c:\program files\norton pc checkup\engine\2.0.8.13\SymcPCCULaunchSvc.exe [2011-9-6 120248]
R2 Norton Save and Restore;Norton Save and Restore;c:\program files\norton save and restore\agent\VProSvc.exe [2007-2-13 3425632]
R2 NProtectService;Norton UnErase Protection;c:\progra~1\norton~4\norton~1\NPROTECT.EXE [2008-9-25 95600]
R2 PCCUJobMgr;Common Client Job Manager Service;c:\program files\norton pc checkup\engine\2.0.8.13\ccSvcHst.exe [2011-9-6 126392]
R2 PDFProFiltSrvPP;PDFProFiltSrvPP;c:\program files\nuance\paperport\PDFProFiltSrvPP.exe [2009-8-27 144672]
R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\common files\seagate\schedule2\schedul2.exe [2009-10-16 431456]
R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files\verizondm\bin\sprtsvc.exe [2010-9-29 206120]
R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files\verizondm\bin\tgsrvc.exe [2010-9-29 185640]
R3 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\definitions\bashdefs\20110909.001\BHDrvx86.sys [2011-9-9 816760]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-7-31 105592]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\definitions\ipsdefs\20110917.031\IDSXpx86.sys [2011-9-17 356280]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\definitions\virusdefs\20110917.007\NAVENG.SYS [2011-9-17 86136]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\definitions\virusdefs\20110917.007\NAVEX15.SYS [2011-9-17 1576312]
S0 cerc6;cerc6; [x]
S1 ccSet_NIS;Norton Internet Security Settings Manager;c:\windows\system32\drivers\nis\1301000.01c\ccSetx86.sys [2011-9-18 132744]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2008-4-14 14336]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2011-1-9 11520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 AdobeActiveFileMonitor9.0;Adobe Active File Monitor V9;c:\program files\adobe\elements 9 organizer\PhotoshopElementsFileAgent.exe [2010-9-6 169408]
.
=============== Created Last 30 ================
.
2011-09-18 20:29:15 -------- d-----w- c:\windows\system32\drivers\nbrtwizard\0401000.00F
2011-09-18 20:29:15 -------- d-----w- c:\windows\system32\drivers\NBRTWizard
2011-09-18 20:29:13 -------- d-----w- c:\program files\Norton Bootable Recovery Tool Wizard
2011-09-18 20:09:33 897656 ----a-r- c:\windows\system32\drivers\nis\1301000.01c\SymEFA.sys
2011-09-18 20:09:33 566904 ----a-r- c:\windows\system32\drivers\nis\1301000.01c\srtsp.sys
2011-09-18 20:09:33 387192 ----a-r- c:\windows\system32\drivers\nis\1301000.01c\symtdi.sys
2011-09-18 20:09:33 344184 ----a-r- c:\windows\system32\drivers\nis\1301000.01c\symtdiv.sys
2011-09-18 20:09:33 340088 ----a-r- c:\windows\system32\drivers\nis\1301000.01c\SymDS.sys
2011-09-18 20:09:33 31864 ----a-r- c:\windows\system32\drivers\nis\1301000.01c\srtspx.sys
2011-09-18 20:09:33 314488 ----a-r- c:\windows\system32\drivers\nis\1301000.01c\symnets.sys
2011-09-18 20:09:33 149624 ----a-r- c:\windows\system32\drivers\nis\1301000.01c\Ironx86.sys
2011-09-18 20:09:33 132744 ----a-r- c:\windows\system32\drivers\nis\1301000.01c\ccSetx86.sys
2011-09-18 20:09:28 2801 ----a-r- c:\windows\system32\drivers\nis\1301000.01c\SymVTcer.dat
2011-09-18 20:09:28 -------- d-----w- c:\windows\system32\drivers\nis\1301000.01C
2011-09-18 18:38:57 20 ----a-w- c:\windows\system32\drivers\SMR210.dat
2011-09-18 18:38:53 83064 ----a-w- c:\windows\system32\drivers\SMR210.SYS
2011-09-07 01:04:15 -------- d-----w- c:\documents and settings\mary\local settings\application data\NPE
2011-09-07 00:13:45 -------- d-----w- c:\documents and settings\mary\local settings\application data\Tific
2011-09-07 00:13:27 -------- d-----w- c:\windows\system32\drivers\nortonpccheckup\0200080.00D
2011-09-07 00:13:27 -------- d-----w- c:\windows\system32\drivers\NortonPCCheckup
2011-09-07 00:13:26 -------- d-----w- c:\program files\Norton PC Checkup
2011-08-31 03:53:37 5632 ----a-w- c:\windows\system32\ptpusb.dll
2011-08-31 03:53:36 159232 ----a-w- c:\windows\system32\ptpusd.dll
2011-08-31 03:53:35 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2011-08-31 03:53:35 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2011-08-31 02:36:12 -------- d-----r- C:\DATA PICKETT & PRACTICE
2011-08-28 21:23:37 -------- d-----w- c:\documents and settings\mary\application data\Windows Search
2011-08-28 01:00:24 -------- d-----w- c:\program files\WePrint
2011-08-22 00:13:33 -------- d-----w- c:\documents and settings\mary\local settings\application data\Identities
2011-08-22 00:13:28 -------- d-----w- c:\documents and settings\mary\application data\Windows Desktop Search
2011-08-22 00:11:35 -------- d-----w- c:\program files\Windows Desktop Search
.
==================== Find3M ====================
.
2011-09-18 20:09:49 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-09-18 20:09:49 127096 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-09-03 10:17:37 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-15 07:30:11 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-18 19:49:30 1030024 ----a-w- c:\program files\SkypeSetup_2.exe
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-06 15:14:42 101616 ----a-w- c:\windows\system32\drivers\idmtdi.sys
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36:30 43520 ------w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05:13 385024 ------w- c:\windows\system32\html.iec
2011-06-17 19:34:56 5585240 ----a-w- c:\program files\NortonOnlineBackup.exe
2011-05-23 14:36:42 6943496 ----a-w- c:\program files\FCTB5Setup.exe
2011-04-24 20:13:26 2591920 ----a-w- c:\program files\FLVPlayerSetup.exe
2011-04-24 20:09:02 2899576 ----a-w- c:\program files\FFPsetup.exe
2011-04-24 19:24:22 2832544 ----a-w- c:\program files\install_flash_player.exe
2011-04-11 20:38:58 2740320 ----a-w- c:\program files\HPHNDU.exe
2010-04-15 21:17:40 37450936 ----a-w- c:\program files\SanDiskBackup.exe
2009-11-12 21:13:10 10270208 ----a-w- c:\program files\SeaToolsForWindowsSetup.exe
2009-11-03 17:03:06 1445516 ----a-w- c:\program files\SeaToolsforWindows_Warranty.exe
2008-05-13 21:54:04 50688 ----a-w- c:\program files\ATF-Cleaner.exe
.
============= FINISH: 19:37:41.07 ===============

Attached File  ark.txt   14.64KB   1 downloads

Attached File  attach.txt   17.7KB   0 downloads

Computer: Dell Optiplex 755 Ultra Small Form Factor CPU: Core 2 Duo E8500/3.16GHz6M, VT, 1333FSB Ram: 4GB, Non-ECC, 800MHZ, DDR2.2 x2 GB Motherboard: Dell Optiplex 755 Storage: Seagate 500 GB internal SATA, External: Dell external RD1000 tape USB device with 320GB cartridges, and Seagate GoFlexPro 750GB for Mac & Win Video: Intel Q35 Express Chipset Family Integrated Video GMA3100 Network: Cisco Linksys Ethernet home network, Intel 2GB Network Connection, DSL OS: Windows XP Professional SP 3, 5.1 Build 2600 Web & Email: Firefox 6.0.2, Google email Antivirus: Norton Internet Security 2012 Anti-Spyware: Spybot Search & Destroy Sound: SoundMAX HD Audio
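An added example, not part of the thread and not code from the DDS tool: a small Python triage parser for the "Pseudo HJT Report" lines of the DDS log above. It works on a constructed sample made of lines copied from that log and lists the entries a reviewer would want to look at twice (images loaded by bare name, images outside Windows/Program Files, local Hosts overrides); TRUSTED_ROOTS and the hint rules are assumptions of this example, not anything DDS itself applies.

```python
"""Triage helper for the autorun section ("Pseudo HJT Report") of a DDS log."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a handful of lines copied from the Pseudo HJT Report above.
SAMPLE = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [IDMan] c:\program files\internet download manager\IDMan.exe /onboot
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
StartupFolder: c:\docume~1\mary\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\mary\application data\dropbox\bin\Dropbox.exe
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\18.6.0.29\coIEPlg.dll
uPolicies-explorer: NoSMMyDocs = 1 (0x1)
Hosts: 127.0.0.1 www.spywareinfo.com
"""

# Assumed roots from which an autorun image is unremarkable; anything else gets a hint.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
_QUOTED = re.compile(r'^"([^"]+)"')
_IMAGE = re.compile(r"^(.*?\.(?:exe|dll|cpl|com|scr|bat|cmd|pif))(?=\s|$)", re.I)


@dataclass
class Entry:
    kind: str              # uRun, mRun, StartupFolder, BHO, TB, Hosts, uPolicies-explorer
    name: str              # value name, BHO title, policy key or host name
    image: Optional[str]   # lower-cased file the entry loads, when there is one
    raw: str               # the original log line


def image_of(command: str) -> Optional[str]:
    """Extract the program a command line starts, handling quoted paths,
    unquoted paths with spaces (DDS prints them that way) and bare names."""
    command = command.strip()
    if not command:
        return None
    m = _QUOTED.match(command)
    if m:
        return m.group(1).lower()
    if re.match(r"^[a-z]:\\", command, re.I):
        m = _IMAGE.match(command)
        return (m.group(1) if m else command).lower()
    return command.split()[0].lower()   # bare name: resolved through the search path


def parse_hjt(text: str) -> List[Entry]:
    """Turn Pseudo HJT Report lines into Entry records; unknown kinds are ignored."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        kind, sep, rest = line.partition(": ")
        if not sep:
            continue
        if kind in ("uRun", "mRun"):
            m = re.match(r"\[(.+?)\]\s*(.*)", rest)
            if m:
                entries.append(Entry(kind, m.group(1), image_of(m.group(2)), line))
        elif kind == "StartupFolder":
            lnk, _, target = rest.partition(" - ")
            entries.append(Entry(kind, lnk.rsplit("\\", 1)[-1], image_of(target), line))
        elif kind in ("BHO", "TB"):
            m = re.match(r"(.*): \{([0-9a-f-]+)\} - (.*)", rest, re.I)
            if m:
                entries.append(Entry(kind, m.group(1), m.group(3).strip().lower(), line))
        elif kind == "Hosts":
            _, _, host = rest.partition(" ")
            entries.append(Entry(kind, host, None, line))
        elif kind.endswith("Policies-explorer"):
            key, _, _ = rest.partition(" = ")
            entries.append(Entry(kind, key, None, line))
    return entries


def review(entries: List[Entry]) -> List[str]:
    """One hint per entry worth a second look. Hints, not verdicts: legitimate
    software (cloud-sync clients, for example) also runs from the user profile."""
    hints: List[str] = []
    for e in entries:
        if e.kind in ("uRun", "mRun", "StartupFolder", "BHO", "TB"):
            if e.image is None:
                hints.append(f"{e.kind} [{e.name}]: no target recorded")
            elif "\\" not in e.image:
                hints.append(f"{e.kind} [{e.name}]: bare name '{e.image}' is resolved via the search path")
            elif not e.image.startswith(TRUSTED_ROOTS):
                hints.append(f"{e.kind} [{e.name}]: loads from outside Windows/Program Files: {e.image}")
        elif e.kind == "Hosts":
            hints.append(f"Hosts: {e.name} is pinned locally ({e.raw})")
    return hints


if __name__ == "__main__":
    for hint in review(parse_hjt(SAMPLE)):
        print(hint)
```

Running it on the sample produces four hints (the two bare-name mRun entries, the Dropbox startup shortcut under the user profile, and the Hosts override); the two Norton and the ctfmon entries pass silently.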


#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,756 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:12 AM

Posted 24 September 2011 - 10:29 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Nothing suspicious was found on your DDS log.

Download these tools. Run them in the order listed.

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) ( 511KB ) to your desktop. Double click the aswMBR.exe to run it.

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.
===

Please Download
TDSSKiller.zip

  • Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
  • If a suspicious file is detected, the default action will be Skip, click on Continue
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.
===

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.
===

Third-party programs, if not up to date, can be the cause of the infiltration of an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Post the logs and let me know if the problem persists.

#3 maggie2011

maggie2011
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Northern Virginia
  • Local time:04:12 AM

Posted 24 September 2011 - 01:53 PM

Dear nasdaq,

I just found your reply and directions on my iPad. THANK YOU so much for replying and
for putting in all the time on analysis. I am printing out your directions now (from a Mac
computer) and will start implementing your suggestions right away.
maggie2011

#4 maggie2011

maggie2011
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Northern Virginia
  • Local time:04:12 AM

Posted 24 September 2011 - 02:37 PM

Dear nasdaq,

Following are the contents of the scan log from aswMBR.exe on my computer:

aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-09-24 14:59:21
-----------------------------
14:59:21.609 OS Version: Windows 5.1.2600 Service Pack 3
14:59:21.609 Number of processors: 2 586 0x1706
14:59:21.609 ComputerName: VIVADELLA UserName: Mary
14:59:29.375 Initialize success
15:10:37.546 AVAST engine defs: 11092401
15:17:45.734 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
15:17:45.734 Disk 0 Vendor: ST350041 CC38 Size: 476940MB BusType: 3
15:17:45.765 Disk 0 MBR read successfully
15:17:45.765 Disk 0 MBR scan
15:17:45.812 Disk 0 Windows XP default MBR code
15:17:45.812 Disk 0 scanning sectors +976752000
15:17:45.875 Disk 0 scanning C:\WINDOWS\system32\drivers
15:17:53.562 Service scanning
15:17:54.593 Modules scanning
15:18:09.062 Disk 0 trace - called modules:
15:18:09.078 ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll
15:18:09.093 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a2f05c8]
15:18:09.093 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x8ac66028]
15:18:12.218 AVAST engine scan C:\WINDOWS
15:18:28.140 AVAST engine scan C:\WINDOWS\system32
15:20:06.562 AVAST engine scan C:\WINDOWS\system32\drivers
15:20:43.312 AVAST engine scan C:\Documents and Settings\Mary
15:24:41.234 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Mary\Desktop\MBR.dat"
15:24:41.234 The log file has been saved successfully to "C:\Documents and Settings\Mary\Desktop\aswMBR.txt"


I am attaching the file MBR.dat, compressed.

I have also downloaded tdsskiller.zip and ComboFix.exe to my desktop, but I think your directions meant for me to
send you the first scan results before taking any more action, so I will sit tight until I hear from you.
Thank you.
Attached File  MBR.zip   497bytes   0 downloads
maggie2011

#5 maggie2011
  • Topic Starter
  • Members
  • 14 posts
  • Location:Northern Virginia

Posted 24 September 2011 - 03:37 PM

CORRECTION

My husband helped me to re-read your instructions and to decide that I misinterpreted them at first.
I will continue with the other instructions and then send the results.

Thank you,

maggie2011

#6 nasdaq
  • Malware Response Team
  • 38,756 posts
  • Location:Montreal, QC. Canada

Posted 24 September 2011 - 06:28 PM

After running the TDSSKiller run ComboFix and post the logs.
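An added worked example, not part of the thread and not Kaspersky's or the responder's tooling: the TDSSKiller log that maggie2011 posts in the next reply is a driver inventory, one line giving each service's MD5 and on-disk path and a second line giving its verdict, followed by the MD5 of each disk's MBR and boot sector and a final object count. The checks a responder makes by eye on such a log are: any verdict other than "ok", any driver file with no verdict line, any driver loaded from a profile or Temp directory rather than the Windows or Program Files tree, and noting the sector hashes so a later run can be compared. The script below applies those checks to lines quoted from that log. The expected load-path roots are an assumption for this machine, and the small "constructed" log, including its "- detected" wording, filler MD5s and the file name "sdrv.sys", is invented for the example.

```python
import re
from collections import OrderedDict

# Lines quoted from the TDSSKiller log posted in the next reply (not constructed).
TDSS_LOG = r"""
17:32:21.0218 4312 Scan started
17:32:22.0421 4312 Abiosdsk - ok
17:32:22.0500 4312 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
17:32:22.0500 4312 ACPI - ok
17:32:22.0781 4312 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
17:32:22.0781 4312 atapi - ok
17:32:23.0015 4312 BHDrvx86 (09b8897ac84c49beabea75cf9fe1ab45) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\BASHDefs\20110909.001\BHDrvx86.sys
17:32:23.0015 4312 BHDrvx86 - ok
17:32:23.0984 4312 eeCtrl (8f7dbc4be48f5388a6fe1f285e7948ef) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
17:32:24.0000 4312 eeCtrl - ok
17:32:25.0078 4312 iastor (8ef427c54497c5f8a7a645990e4278c7) C:\WINDOWS\system32\drivers\iastor.sys
17:32:25.0078 4312 iastor - ok
17:32:29.0390 4312 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
17:32:29.0500 4312 \Device\Harddisk0\DR0 - ok
17:32:29.0500 4312 MBR (0x1B8) (65e858a8a0293be11a920b0bc99d695e) \Device\Harddisk2\DR6
17:32:29.0593 4312 \Device\Harddisk2\DR6 - ok
17:32:29.0609 4312 Boot (0x1200) (b64bd410142bee92d0c9aae33bacee7c) \Device\Harddisk0\DR0\Partition0
17:32:29.0625 4312 \Device\Harddisk0\DR0\Partition0 - ok
17:32:29.0625 6804 Detected object count: 0
"""

# CONSTRUCTED log, not from the thread: the "- detected" verdict wording, the
# filler MD5s and the file name "sdrv.sys" are assumptions made so the checks
# below have something to flag.
TDSS_CONSTRUCTED = r"""
17:40:00.0000 1234 Scan started
17:40:00.0100 1234 atapi (00000000000000000000000000000000) C:\WINDOWS\system32\DRIVERS\atapi.sys
17:40:00.0100 1234 atapi - detected
17:40:00.0200 1234 sdrv (11111111111111111111111111111111) C:\Documents and Settings\Mary\Local Settings\Temp\sdrv.sys
17:40:00.0200 1234 sdrv - ok
17:40:00.0300 1234 Detected object count: 1
"""

LINE = re.compile(r"^\d\d:\d\d:\d\d\.\d+\s+\d+\s+(.*)$")        # "time pid body"
SECTOR = re.compile(r"^(MBR|Boot) \(0x[0-9A-Fa-f]+\) \(([0-9a-f]{32})\) (.+)$")
FILE_ENTRY = re.compile(r"^(\S+) \(([0-9a-f]{32})\) (.+)$")    # "name (md5) path"
VERDICT = re.compile(r"^(.+?) - (\S.*)$")                      # "name - ok"
COUNT = re.compile(r"^Detected object count: (\d+)$")

# Where a driver binary is expected to live on this XP box (assumption).
EXPECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")


def parse_tdsskiller(log: str) -> dict:
    """Pair each service's (md5, path) line with its verdict line, keep the
    MBR/boot-sector hashes per device, and pick up the final object count."""
    drivers, sectors, detected = OrderedDict(), OrderedDict(), None
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        body = m.group(1)
        s = SECTOR.match(body)
        if s:
            sectors[s.group(3)] = {"kind": s.group(1), "md5": s.group(2), "verdict": None}
            continue
        f = FILE_ENTRY.match(body)
        if f:
            drivers[f.group(1)] = {"md5": f.group(2), "path": f.group(3), "verdict": None}
            continue
        v = VERDICT.match(body)
        if v:
            name, verdict = v.group(1), v.group(2)
            if name in sectors:
                sectors[name]["verdict"] = verdict
            else:  # a service with no binary on disk still gets a verdict line
                drivers.setdefault(name, {"md5": None, "path": None, "verdict": None})["verdict"] = verdict
            continue
        c = COUNT.match(body)
        if c:
            detected = int(c.group(1))
    return {"drivers": drivers, "sectors": sectors, "detected": detected}


def triage_tdsskiller(log: str) -> list:
    """Findings a responder would follow up; [] means the log looked clean."""
    info = parse_tdsskiller(log)
    findings = []
    for name, d in info["drivers"].items():
        if d["path"] is None:
            continue                      # registered service, no file: nothing to hash
        if d["verdict"] is None:
            findings.append(f"{name}: file listed but no verdict line")
        elif d["verdict"] != "ok":
            findings.append(f"{name}: verdict '{d['verdict']}' for {d['path']}")
        if not d["path"].lower().startswith(EXPECTED_ROOTS):
            findings.append(f"{name}: loaded from outside the Windows/Program Files tree: {d['path']}")
    for dev, s in info["sectors"].items():
        if s["verdict"] != "ok":
            findings.append(f"{dev}: {s['kind']} sector verdict '{s['verdict']}'")
    return findings


if __name__ == "__main__":
    for label, text in (("quoted log", TDSS_LOG), ("constructed log", TDSS_CONSTRUCTED)):
        info = parse_tdsskiller(text)
        print(label, "detected objects:", info["detected"])
        for dev, s in info["sectors"].items():
            print("  ", s["kind"], s["md5"], dev)
        for line in triage_tdsskiller(text) or ["nothing stood out"]:
            print("  ", line)
```

On the quoted lines the only finding is the Norton definition driver loaded from All Users\Application Data. That is deliberate: the path check is a prompt to confirm the vendor and signature of anything loaded from a profile directory, not a detection, which is the same judgement a responder applies by eye. The sector hashes are worth keeping from each run; an MBR MD5 that changes between two runs on the same disk, with no reinstall or repartitioning in between, is the line to look at.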

#7 maggie2011
  • Topic Starter
  • Members
  • 14 posts
  • Location:Northern Virginia

Posted 24 September 2011 - 07:47 PM

Dear nasdaq,

Following are the contents of the scan log of aswMBR.exe on my computer:

aswMBR version 0.9.8.986 Copyright (c) 2011 AVAST Software
Run date: 2011-09-24 14:59:21
-----------------------------
14:59:21.609 OS Version: Windows 5.1.2600 Service Pack 3
14:59:21.609 Number of processors: 2 586 0x1706
14:59:21.609 ComputerName: VIVADELLA UserName: Mary
14:59:29.375 Initialize success
15:10:37.546 AVAST engine defs: 11092401
15:17:45.734 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
15:17:45.734 Disk 0 Vendor: ST350041 CC38 Size: 476940MB BusType: 3
15:17:45.765 Disk 0 MBR read successfully
15:17:45.765 Disk 0 MBR scan
15:17:45.812 Disk 0 Windows XP default MBR code
15:17:45.812 Disk 0 scanning sectors +976752000
15:17:45.875 Disk 0 scanning C:\WINDOWS\system32\drivers
15:17:53.562 Service scanning
15:17:54.593 Modules scanning
15:18:09.062 Disk 0 trace - called modules:
15:18:09.078 ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll
15:18:09.093 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a2f05c8]
15:18:09.093 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x8ac66028]
15:18:12.218 AVAST engine scan C:\WINDOWS
15:18:28.140 AVAST engine scan C:\WINDOWS\system32
15:20:06.562 AVAST engine scan C:\WINDOWS\system32\drivers
15:20:43.312 AVAST engine scan C:\Documents and Settings\Mary
15:24:41.234 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Mary\Desktop\MBR.dat"
15:24:41.234 The log file has been saved successfully to "C:\Documents and Settings\Mary\Desktop\aswMBR.txt"


I am attaching the file MBR.dat, compressed.


Attached File: MBR.zip (497 bytes)

antivirus activity temporarily, because it would not accept my password. The password was correct, and it worked on my Norton
Online account, etc. I consulted your forum topics for disabling protection. After those solutions did not help, I consulted Norton
online and changed my password. That and a reboot also did not solve the NIS refusal of my password, so I uninstalled the program.


Then I ran TDSSKiller again. Same null results both times, except the program would not allow me to copy the report from the windows
version produced by clicking on "report". I found the log in my root directory, and here it is:



17:32:02.0796 5708 TDSS rootkit removing tool 2.6.0.0 Sep 23 2011 07:42:37
17:32:04.0281 5708 ============================================================
17:32:04.0281 5708 Current date / time: 2011/09/24 17:32:04.0281
17:32:04.0281 5708 SystemInfo:
17:32:04.0281 5708
17:32:04.0281 5708 OS Version: 5.1.2600 ServicePack: 3.0
17:32:04.0281 5708 Product type: Workstation
17:32:04.0281 5708 ComputerName: VIVADELLA
17:32:04.0281 5708 UserName: Mary
17:32:04.0281 5708 Windows directory: C:\WINDOWS
17:32:04.0281 5708 System windows directory: C:\WINDOWS
17:32:04.0281 5708 Processor architecture: Intel x86
17:32:04.0281 5708 Number of processors: 2
17:32:04.0281 5708 Page size: 0x1000
17:32:04.0281 5708 Boot type: Normal boot
17:32:04.0281 5708 ============================================================
17:32:05.0125 5708 Initialize success
17:32:21.0218 4312 ============================================================
17:32:21.0218 4312 Scan started
17:32:21.0218 4312 Mode: Manual;
17:32:21.0218 4312 ============================================================
17:32:22.0421 4312 Abiosdsk - ok
17:32:22.0453 4312 abp480n5 - ok
17:32:22.0500 4312 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
17:32:22.0500 4312 ACPI - ok
17:32:22.0531 4312 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
17:32:22.0531 4312 ACPIEC - ok
17:32:22.0578 4312 ADIHdAudAddService (053a070bd25649abbbad7862aea051d0) C:\WINDOWS\system32\drivers\ADIHdAud.sys
17:32:22.0578 4312 ADIHdAudAddService - ok
17:32:22.0578 4312 adpu160m - ok
17:32:22.0625 4312 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
17:32:22.0625 4312 aec - ok
17:32:22.0656 4312 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
17:32:22.0656 4312 AFD - ok
17:32:22.0671 4312 Aha154x - ok
17:32:22.0671 4312 aic78u2 - ok
17:32:22.0671 4312 aic78xx - ok
17:32:22.0687 4312 AliIde - ok
17:32:22.0687 4312 amsint - ok
17:32:22.0703 4312 asc - ok
17:32:22.0703 4312 asc3350p - ok
17:32:22.0703 4312 asc3550 - ok
17:32:22.0750 4312 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
17:32:22.0750 4312 AsyncMac - ok
17:32:22.0781 4312 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
17:32:22.0781 4312 atapi - ok
17:32:22.0781 4312 Atdisk - ok
17:32:22.0828 4312 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
17:32:22.0828 4312 Atmarpc - ok
17:32:22.0859 4312 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
17:32:22.0859 4312 audstub - ok
17:32:22.0859 4312 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
17:32:22.0859 4312 Beep - ok
17:32:23.0015 4312 BHDrvx86 (09b8897ac84c49beabea75cf9fe1ab45) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\BASHDefs\20110909.001\BHDrvx86.sys
17:32:23.0015 4312 BHDrvx86 - ok
17:32:23.0093 4312 BthEnum (b279426e3c0c344893ed78a613a73bde) C:\WINDOWS\system32\DRIVERS\BthEnum.sys
17:32:23.0093 4312 BthEnum - ok
17:32:23.0125 4312 BTHMODEM (fca6f069597b62d42495191ace3fc6c1) C:\WINDOWS\system32\DRIVERS\bthmodem.sys
17:32:23.0125 4312 BTHMODEM - ok
17:32:23.0140 4312 BthPan (80602b8746d3738f5886ce3d67ef06b6) C:\WINDOWS\system32\DRIVERS\bthpan.sys
17:32:23.0156 4312 BthPan - ok
17:32:23.0171 4312 BTHPORT (662bfd909447dd9cc15b1a1c366583b4) C:\WINDOWS\system32\Drivers\BTHport.sys
17:32:23.0187 4312 BTHPORT - ok
17:32:23.0203 4312 BTHUSB (61364cd71ef63b0f038b7e9df00f1efa) C:\WINDOWS\system32\Drivers\BTHUSB.sys
17:32:23.0203 4312 BTHUSB - ok
17:32:23.0218 4312 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
17:32:23.0218 4312 cbidf2k - ok
17:32:23.0312 4312 ccSet_NIS (2b2f9b4a08190334a9c36446b208bae9) C:\WINDOWS\system32\drivers\NIS\1301010.003\ccSetx86.sys
17:32:23.0312 4312 ccSet_NIS - ok
17:32:23.0312 4312 cd20xrnt - ok
17:32:23.0343 4312 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
17:32:23.0343 4312 Cdaudio - ok
17:32:23.0406 4312 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
17:32:23.0406 4312 Cdfs - ok
17:32:23.0453 4312 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
17:32:23.0453 4312 Cdrom - ok
17:32:23.0453 4312 cerc6 - ok
17:32:23.0453 4312 Changer - ok
17:32:23.0468 4312 CmdIde - ok
17:32:23.0484 4312 Cpqarray - ok
17:32:23.0484 4312 dac2w2k - ok
17:32:23.0484 4312 dac960nt - ok
17:32:23.0531 4312 DgiVecp (770471de2550820feeb7e5d24bf2e273) C:\WINDOWS\system32\Drivers\DgiVecp.sys
17:32:23.0546 4312 DgiVecp - ok
17:32:23.0546 4312 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
17:32:23.0546 4312 Disk - ok
17:32:23.0578 4312 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
17:32:23.0593 4312 dmboot - ok
17:32:23.0609 4312 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
17:32:23.0609 4312 dmio - ok
17:32:23.0625 4312 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
17:32:23.0625 4312 dmload - ok
17:32:23.0671 4312 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
17:32:23.0671 4312 DMusic - ok
17:32:23.0671 4312 dpti2o - ok
17:32:23.0718 4312 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
17:32:23.0718 4312 drmkaud - ok
17:32:23.0750 4312 e1express (34aaa3b298a852b3663e6e0d94d12945) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
17:32:23.0750 4312 e1express - ok
17:32:23.0984 4312 eeCtrl (8f7dbc4be48f5388a6fe1f285e7948ef) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
17:32:24.0000 4312 eeCtrl - ok
17:32:24.0046 4312 EraserUtilDrv11113 (3ee14d400e0fdd0d214275a4a20b7022) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11113.sys
17:32:24.0078 4312 EraserUtilDrv11113 - ok
17:32:24.0109 4312 EraserUtilRebootDrv (3ee14d400e0fdd0d214275a4a20b7022) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
17:32:24.0109 4312 EraserUtilRebootDrv - ok
17:32:24.0187 4312 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
17:32:24.0187 4312 Fastfat - ok
17:32:24.0218 4312 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
17:32:24.0218 4312 Fdc - ok
17:32:24.0234 4312 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
17:32:24.0234 4312 Fips - ok
17:32:24.0234 4312 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
17:32:24.0234 4312 Flpydisk - ok
17:32:24.0281 4312 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
17:32:24.0281 4312 FltMgr - ok
17:32:24.0281 4312 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
17:32:24.0281 4312 Fs_Rec - ok
17:32:24.0296 4312 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
17:32:24.0296 4312 Ftdisk - ok
17:32:24.0343 4312 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
17:32:24.0343 4312 GEARAspiWDM - ok
17:32:24.0343 4312 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
17:32:24.0359 4312 Gpc - ok
17:32:24.0531 4312 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
17:32:24.0531 4312 HDAudBus - ok
17:32:24.0562 4312 HECI (c865d1f6d03595df213dc3c67e4e4c58) C:\WINDOWS\system32\DRIVERS\HECI.sys
17:32:24.0562 4312 HECI - ok
17:32:24.0593 4312 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
17:32:24.0593 4312 hidusb - ok
17:32:24.0593 4312 hpn - ok
17:32:24.0656 4312 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
17:32:24.0656 4312 HTTP - ok
17:32:24.0656 4312 i2omgmt - ok
17:32:24.0656 4312 i2omp - ok
17:32:24.0703 4312 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\drivers\i8042prt.sys
17:32:24.0703 4312 i8042prt - ok
17:32:24.0828 4312 ialm (12c7f8d581c4a9f126f5f8f5683a1c29) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
17:32:25.0031 4312 ialm - ok
17:32:25.0078 4312 iastor (8ef427c54497c5f8a7a645990e4278c7) C:\WINDOWS\system32\drivers\iastor.sys
17:32:25.0078 4312 iastor - ok
17:32:25.0125 4312 IDMTDI (330a6a0baf4fd945bde14c7b1d88d9b9) C:\WINDOWS\system32\DRIVERS\idmtdi.sys
17:32:25.0125 4312 IDMTDI - ok
17:32:25.0234 4312 IDSxpx86 (e72d3894d42355e9cd5fd77e1e4fea11) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\IPSDefs\20110923.030\IDSxpx86.sys
17:32:25.0234 4312 IDSxpx86 - ok
17:32:25.0312 4312 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
17:32:25.0328 4312 Imapi - ok
17:32:25.0328 4312 ini910u - ok
17:32:25.0343 4312 IntelIde - ok
17:32:25.0375 4312 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
17:32:25.0390 4312 intelppm - ok
17:32:25.0406 4312 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
17:32:25.0406 4312 Ip6Fw - ok
17:32:25.0421 4312 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
17:32:25.0421 4312 IpFilterDriver - ok
17:32:25.0437 4312 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
17:32:25.0437 4312 IpInIp - ok
17:32:25.0468 4312 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
17:32:25.0468 4312 IpNat - ok
17:32:25.0484 4312 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
17:32:25.0484 4312 IPSec - ok
17:32:25.0531 4312 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
17:32:25.0546 4312 IRENUM - ok
17:32:25.0593 4312 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
17:32:25.0593 4312 isapnp - ok
17:32:25.0609 4312 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
17:32:25.0609 4312 Kbdclass - ok
17:32:25.0609 4312 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
17:32:25.0609 4312 kbdhid - ok
17:32:25.0656 4312 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
17:32:25.0656 4312 kmixer - ok
17:32:25.0687 4312 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
17:32:25.0687 4312 KSecDD - ok
17:32:25.0687 4312 lbrtfdc - ok
17:32:25.0718 4312 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
17:32:25.0718 4312 mnmdd - ok
17:32:25.0734 4312 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
17:32:25.0734 4312 Modem - ok
17:32:25.0750 4312 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
17:32:25.0750 4312 Mouclass - ok
17:32:25.0781 4312 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
17:32:25.0781 4312 mouhid - ok
17:32:25.0781 4312 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
17:32:25.0781 4312 MountMgr - ok
17:32:25.0828 4312 MQAC (70c14f5cca5cf73f8a645c73a01d8726) C:\WINDOWS\system32\drivers\mqac.sys
17:32:25.0828 4312 MQAC - ok
17:32:25.0828 4312 mraid35x - ok
17:32:25.0843 4312 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
17:32:25.0843 4312 MRxDAV - ok
17:32:25.0890 4312 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
17:32:25.0937 4312 MRxSmb - ok
17:32:25.0953 4312 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
17:32:25.0968 4312 Msfs - ok
17:32:26.0000 4312 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
17:32:26.0000 4312 MSKSSRV - ok
17:32:26.0015 4312 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
17:32:26.0015 4312 MSPCLOCK - ok
17:32:26.0031 4312 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
17:32:26.0031 4312 MSPQM - ok
17:32:26.0046 4312 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
17:32:26.0062 4312 mssmbios - ok
17:32:26.0078 4312 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
17:32:26.0078 4312 Mup - ok
17:32:26.0093 4312 n558 (88705dc61b9275b82e48904d53031f5b) C:\WINDOWS\system32\Drivers\n558.sys
17:32:26.0093 4312 n558 - ok
17:32:26.0234 4312 NAVENG (862f55824ac81295837b0ab63f91071f) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\VirusDefs\20110923.025\NAVENG.SYS
17:32:26.0250 4312 NAVENG - ok
17:32:26.0281 4312 NAVEX15 (529d571b551cb9da44237389b936f1ae) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\VirusDefs\20110923.025\NAVEX15.SYS
17:32:26.0312 4312 NAVEX15 - ok
17:32:26.0390 4312 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
17:32:26.0390 4312 NDIS - ok
17:32:26.0421 4312 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
17:32:26.0437 4312 NdisTapi - ok
17:32:26.0468 4312 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
17:32:26.0484 4312 Ndisuio - ok
17:32:26.0515 4312 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
17:32:26.0515 4312 NdisWan - ok
17:32:26.0546 4312 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
17:32:26.0562 4312 NDProxy - ok
17:32:26.0562 4312 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
17:32:26.0562 4312 NetBIOS - ok
17:32:26.0578 4312 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
17:32:26.0578 4312 NetBT - ok
17:32:26.0625 4312 NPDriver (65194f525aef541eaa5056eb3d53a25b) C:\WINDOWS\system32\Drivers\NPDRIVER.SYS
17:32:26.0625 4312 NPDriver - ok
17:32:26.0625 4312 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
17:32:26.0625 4312 Npfs - ok
17:32:26.0671 4312 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
17:32:26.0687 4312 Ntfs - ok
17:32:26.0687 4312 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
17:32:26.0687 4312 Null - ok
17:32:26.0718 4312 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
17:32:26.0718 4312 NwlnkFlt - ok
17:32:26.0734 4312 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
17:32:26.0734 4312 NwlnkFwd - ok
17:32:26.0781 4312 NwlnkIpx (8b8b1be2dba4025da6786c645f77f123) C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys
17:32:26.0781 4312 NwlnkIpx - ok
17:32:26.0796 4312 NwlnkNb (56d34a67c05e94e16377c60609741ff8) C:\WINDOWS\system32\DRIVERS\nwlnknb.sys
17:32:26.0796 4312 NwlnkNb - ok
17:32:26.0828 4312 NwlnkSpx (c0bb7d1615e1acbdc99757f6ceaf8cf0) C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys
17:32:26.0828 4312 NwlnkSpx - ok
17:32:26.0859 4312 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
17:32:26.0875 4312 Parport - ok
17:32:26.0875 4312 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
17:32:26.0875 4312 PartMgr - ok
17:32:26.0937 4312 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
17:32:26.0937 4312 ParVdm - ok
17:32:26.0968 4312 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
17:32:26.0968 4312 PCI - ok
17:32:26.0968 4312 PCIDump - ok
17:32:26.0984 4312 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
17:32:26.0984 4312 PCIIde - ok
17:32:27.0015 4312 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
17:32:27.0015 4312 Pcmcia - ok
17:32:27.0031 4312 PDCOMP - ok
17:32:27.0031 4312 PDFRAME - ok
17:32:27.0046 4312 PDRELI - ok
17:32:27.0046 4312 PDRFRAME - ok
17:32:27.0046 4312 perc2 - ok
17:32:27.0062 4312 perc2hib - ok
17:32:27.0093 4312 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
17:32:27.0093 4312 PptpMiniport - ok
17:32:27.0109 4312 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
17:32:27.0109 4312 PSched - ok
17:32:27.0156 4312 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
17:32:27.0156 4312 Ptilink - ok
17:32:27.0171 4312 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
17:32:27.0187 4312 PxHelp20 - ok
17:32:27.0203 4312 ql1080 - ok
17:32:27.0203 4312 Ql10wnt - ok
17:32:27.0203 4312 ql12160 - ok
17:32:27.0218 4312 ql1240 - ok
17:32:27.0218 4312 ql1280 - ok
17:32:27.0250 4312 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
17:32:27.0250 4312 RasAcd - ok
17:32:27.0265 4312 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
17:32:27.0265 4312 Rasl2tp - ok
17:32:27.0281 4312 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
17:32:27.0281 4312 RasPppoe - ok
17:32:27.0281 4312 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
17:32:27.0281 4312 Raspti - ok
17:32:27.0296 4312 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
17:32:27.0296 4312 Rdbss - ok
17:32:27.0296 4312 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
17:32:27.0312 4312 RDPCDD - ok
17:32:27.0343 4312 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
17:32:27.0359 4312 rdpdr - ok
17:32:27.0390 4312 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
17:32:27.0390 4312 RDPWD - ok
17:32:27.0421 4312 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
17:32:27.0421 4312 redbook - ok
17:32:27.0468 4312 RFCOMM (851c30df2807fcfa21e4c681a7d6440e) C:\WINDOWS\system32\DRIVERS\rfcomm.sys
17:32:27.0468 4312 RFCOMM - ok
17:32:27.0500 4312 RMCAST (96f7a9a7bf0c9c0440a967440065d33c) C:\WINDOWS\system32\drivers\RMCast.sys
17:32:27.0500 4312 RMCAST - ok
17:32:27.0546 4312 SDdriver (11b5e1da4566a68a881a7d73222f4c78) C:\WINDOWS\system32\Drivers\sddriver.sys
17:32:27.0546 4312 SDdriver - ok
17:32:27.0562 4312 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
17:32:27.0578 4312 Secdrv - ok
17:32:27.0625 4312 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
17:32:27.0625 4312 serenum - ok
17:32:27.0625 4312 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
17:32:27.0640 4312 Serial - ok
17:32:27.0671 4312 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
17:32:27.0671 4312 Sfloppy - ok
17:32:27.0671 4312 Simbad - ok
17:32:27.0718 4312 snapman (c3bf55189aa92b8f919108ef9e4accae) C:\WINDOWS\system32\DRIVERS\snapman.sys
17:32:27.0718 4312 snapman - ok
17:32:27.0734 4312 Sparrow - ok
17:32:27.0796 4312 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
17:32:27.0796 4312 splitter - ok
17:32:27.0828 4312 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
17:32:27.0828 4312 sr - ok
17:32:27.0906 4312 SRTSP (2c5fbf6a00a4a3dcf643e46e8acb20c2) C:\WINDOWS\System32\Drivers\NIS\1301000.01C\SRTSP.SYS
17:32:27.0906 4312 SRTSP - ok
17:32:27.0984 4312 SRTSPX (9034ea58552b55f370e5293a7175c5ac) C:\WINDOWS\system32\drivers\NIS\1301010.003\SRTSPX.SYS
17:32:27.0984 4312 SRTSPX - ok
17:32:28.0015 4312 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
17:32:28.0031 4312 Srv - ok
17:32:28.0046 4312 SSPORT - ok
17:32:28.0078 4312 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys
17:32:28.0078 4312 StillCam - ok
17:32:28.0125 4312 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
17:32:28.0125 4312 swenum - ok
17:32:28.0156 4312 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
17:32:28.0171 4312 swmidi - ok
17:32:28.0171 4312 symc810 - ok
17:32:28.0171 4312 symc8xx - ok
17:32:28.0265 4312 SymDS (690fa0e61b90084c4d9a721bd4f3d779) C:\WINDOWS\system32\drivers\NIS\1301010.003\SYMDS.SYS
17:32:28.0265 4312 SymDS - ok
17:32:28.0296 4312 SymEFA (a0c7005387bb6f055bb50bd8e779368b) C:\WINDOWS\system32\drivers\NIS\1301010.003\SYMEFA.SYS
17:32:28.0296 4312 SymEFA - ok
17:32:28.0328 4312 SymEvent (98d28d08e68145fb550ee7670b43baf2) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
17:32:28.0343 4312 SymEvent - ok
17:32:28.0406 4312 SymIRON (39c35ddbb570e9f334f239248e4de34d) C:\WINDOWS\system32\drivers\NIS\1301010.003\Ironx86.SYS
17:32:28.0406 4312 SymIRON - ok
17:32:28.0437 4312 symsnap (66918794b1701990be8510565fbd4bc4) C:\WINDOWS\system32\DRIVERS\symsnap.sys
17:32:28.0437 4312 symsnap - ok
17:32:28.0500 4312 SYMTDI (aaae36e8235dab7da8a64bd10de281e5) C:\WINDOWS\System32\Drivers\NIS\1301000.01C\SYMTDI.SYS
17:32:28.0500 4312 SYMTDI - ok
17:32:28.0515 4312 sym_hi - ok
17:32:28.0515 4312 sym_u3 - ok
17:32:28.0546 4312 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
17:32:28.0546 4312 sysaudio - ok
17:32:28.0593 4312 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
17:32:28.0593 4312 Tcpip - ok
17:32:28.0625 4312 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
17:32:28.0625 4312 TDPIPE - ok
17:32:28.0656 4312 tdrpman (3b7b6779eb231f731bba8f9fe67aadfc) C:\WINDOWS\system32\DRIVERS\tdrpman.sys
17:32:28.0656 4312 tdrpman - ok
17:32:28.0687 4312 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
17:32:28.0687 4312 TDTCP - ok
17:32:28.0718 4312 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
17:32:28.0718 4312 TermDD - ok
17:32:28.0750 4312 tifsfilter (b0b3122bff3910e0ba97014045467778) C:\WINDOWS\system32\DRIVERS\tifsfilt.sys
17:32:28.0750 4312 tifsfilter - ok
17:32:28.0781 4312 timounter (13bfe330880ac0ce8672d00aa5aff738) C:\WINDOWS\system32\DRIVERS\timntr.sys
17:32:28.0781 4312 timounter - ok
17:32:28.0781 4312 TosIde - ok
17:32:28.0828 4312 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
17:32:28.0828 4312 Udfs - ok
17:32:28.0843 4312 ultra - ok
17:32:28.0859 4312 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
17:32:28.0875 4312 Update - ok
17:32:28.0921 4312 USBAAPL (83cafcb53201bbac04d822f32438e244) C:\WINDOWS\system32\Drivers\usbaapl.sys
17:32:28.0921 4312 USBAAPL - ok
17:32:28.0953 4312 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
17:32:28.0968 4312 usbccgp - ok
17:32:29.0000 4312 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
17:32:29.0000 4312 usbehci - ok
17:32:29.0015 4312 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
17:32:29.0015 4312 usbhub - ok
17:32:29.0031 4312 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
17:32:29.0046 4312 usbprint - ok
17:32:29.0046 4312 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
17:32:29.0046 4312 usbscan - ok
17:32:29.0078 4312 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
17:32:29.0078 4312 USBSTOR - ok
17:32:29.0093 4312 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
17:32:29.0093 4312 usbuhci - ok
17:32:29.0125 4312 v2imount (16662738e1ab857fb91ed2d4065440b0) C:\WINDOWS\system32\DRIVERS\v2imount.sys
17:32:29.0125 4312 v2imount - ok
17:32:29.0171 4312 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
17:32:29.0171 4312 VgaSave - ok
17:32:29.0171 4312 ViaIde - ok
17:32:29.0218 4312 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
17:32:29.0218 4312 VolSnap - ok
17:32:29.0234 4312 VProEventMonitor (e14b7ae35be1e97830d42ec191d0dea2) C:\WINDOWS\system32\DRIVERS\vproeventmonitor.sys
17:32:29.0234 4312 VProEventMonitor - ok
17:32:29.0250 4312 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
17:32:29.0250 4312 Wanarp - ok
17:32:29.0281 4312 WDC_SAM (d6efaf429fd30c5df613d220e344cce7) C:\WINDOWS\system32\DRIVERS\wdcsam.sys
17:32:29.0296 4312 WDC_SAM - ok
17:32:29.0296 4312 WDICA - ok
17:32:29.0328 4312 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
17:32:29.0328 4312 wdmaud - ok
17:32:29.0359 4312 WimFltr (f9ad3a5e3fd7e0bdb18b8202b0fdd4e4) C:\WINDOWS\system32\DRIVERS\wimfltr.sys
17:32:29.0359 4312 WimFltr - ok
17:32:29.0390 4312 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
17:32:29.0500 4312 \Device\Harddisk0\DR0 - ok
17:32:29.0500 4312 MBR (0x1B8) (65e858a8a0293be11a920b0bc99d695e) \Device\Harddisk2\DR6
17:32:29.0593 4312 \Device\Harddisk2\DR6 - ok
17:32:29.0609 4312 Boot (0x1200) (b64bd410142bee92d0c9aae33bacee7c) \Device\Harddisk0\DR0\Partition0
17:32:29.0625 4312 \Device\Harddisk0\DR0\Partition0 - ok
17:32:29.0625 4312 Boot (0x1200) (2959fe191cb78a481d8d2a7c603fcd62) \Device\Harddisk2\DR6\Partition0
17:32:29.0625 4312 \Device\Harddisk2\DR6\Partition0 - ok
17:32:29.0625 4312 ============================================================
17:32:29.0625 4312 Scan finished
17:32:29.0625 4312 ============================================================
17:32:29.0625 6804 Detected object count: 0
17:32:29.0625 6804 Actual detected object count: 0
17:32:34.0515 5464 Deinitialize success

When I was waiting before I got your first reply to my topic, I had tried to install the Windows XP Recovery Console, according to the excellent directions in the BP tutorial. I did not succeed, perhaps because my Windows XP install disk that came with my Dell is "Reinstallation CD Microsoft Windows XP Professional Service Pack 3."
I was glad to see the ComboFix program ask for and receive my permission to install the Windows XP Recovery Console. When I reboot, however, I do not see evidence that the recovery console is available. ComboFix did make a lot of changes, and I am sure you can tell a lot more from the log than I can. I did not reinstall Norton Internet Security 2012 until after ComboFix completed its work. The log follows:


ComboFix 11-09-24.04 - Mary 09/24/2011 17:59:22.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3317.2370 [GMT -4:00]
Running from: c:\documents and settings\Mary\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\Mary\LOCALS~1\Temp\7zS3391\HPHNDUSVC.dll
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\LnkFileRename.exe.db6f4065.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\SL34.tmp.57a113aa.ini
c:\documents and settings\Mary\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\Mary\Local Settings\Application Data\ApplicationHistory\ConfigWizards.exe.7492e342.ini
c:\documents and settings\Mary\Local Settings\Application Data\ApplicationHistory\mmc.exe.959a7e97.ini
c:\documents and settings\Mary\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
c:\documents and settings\Mary\Local Settings\Application Data\ApplicationHistory\SL9D7.tmp.8c160143.ini
c:\documents and settings\Mary\Local Settings\Application Data\ApplicationHistory\sprtcmd.exe.1f9189c4.ini.inuse
c:\documents and settings\Mary\Local Settings\Temp\7zS3391\HPHNDUSVC.dll
c:\windows\system32\acfilechck.dll
c:\windows\system32\Cache
c:\windows\system32\comct332.ocx
c:\windows\system32\Thumbs.db
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_HPHNDUSVC
-------\Service_HPHNDUSVC
.
.
((((((((((((((((((((((((( Files Created from 2011-08-24 to 2011-09-24 )))))))))))))))))))))))))))))))
.
.
2011-09-24 20:12 . 2011-09-24 20:12 -------- d-----w- c:\program files\iPod
2011-09-24 20:12 . 2011-09-24 20:12 -------- d-----w- c:\program files\iTunes
2011-09-24 20:09 . 2011-09-24 20:09 -------- d-----w- c:\program files\Bonjour
2011-09-18 20:29 . 2011-09-18 20:29 -------- d-----w- c:\windows\system32\drivers\NBRTWizard
2011-09-18 20:29 . 2011-09-18 20:29 -------- d-----w- c:\program files\Norton Bootable Recovery Tool Wizard
2011-09-14 04:26 . 2011-09-14 04:28 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-09-07 01:04 . 2011-09-18 19:05 -------- d-----w- c:\documents and settings\Mary\Local Settings\Application Data\NPE
2011-09-07 00:13 . 2011-09-07 00:14 -------- d-----w- c:\documents and settings\Mary\Local Settings\Application Data\Tific
2011-09-07 00:13 . 2011-09-07 00:13 -------- d-----w- c:\windows\system32\drivers\NortonPCCheckup
2011-09-07 00:13 . 2011-09-07 00:13 -------- d-----w- c:\program files\Norton PC Checkup
2011-08-31 03:53 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2011-08-31 03:53 . 2008-04-14 09:42 159232 ----a-w- c:\windows\system32\ptpusd.dll
2011-08-31 03:53 . 2008-04-14 04:15 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2011-08-31 03:53 . 2008-04-14 04:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2011-08-31 03:53 . 2011-08-31 03:53 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2011-08-31 02:36 . 2011-08-31 02:43 -------- d-----r- C:\DATA PICKETT & PRACTICE
2011-08-28 21:23 . 2011-08-28 21:23 -------- d-----w- c:\documents and settings\Mary\Application Data\Windows Search
2011-08-28 01:00 . 2011-08-28 01:00 -------- d-----w- c:\program files\WePrint
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-18 20:09 . 2010-12-12 16:53 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-09-18 20:09 . 2010-12-12 16:53 127096 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-09-09 09:12 . 2008-04-14 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-15 07:30 . 2011-05-23 15:57 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-18 19:49 . 2011-07-18 19:49 1030024 ----a-w- c:\program files\SkypeSetup_2.exe
2011-07-15 13:29 . 2008-04-14 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-12 15:20 . 2011-07-12 15:20 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 15:20 . 2011-07-12 15:20 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-07-12 15:20 . 2011-07-12 15:20 50536 ----a-w- c:\windows\system32\jdns_sd.dll
2011-07-12 15:20 . 2011-07-12 15:20 178536 ----a-w- c:\windows\system32\dnssdX.dll
2011-07-08 14:02 . 2008-04-14 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-06 15:14 . 2011-03-10 15:47 101616 ----a-w- c:\windows\system32\drivers\idmtdi.sys
2011-07-05 22:37 . 2011-07-05 22:37 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-07-05 22:37 . 2011-07-05 22:37 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-06-17 19:34 . 2011-06-23 00:21 5585240 ----a-w- c:\program files\NortonOnlineBackup.exe
2011-05-23 14:36 . 2011-04-24 20:14 6943496 ----a-w- c:\program files\FCTB5Setup.exe
2011-04-24 20:13 . 2011-04-24 20:14 2591920 ----a-w- c:\program files\FLVPlayerSetup.exe
2011-04-24 20:09 . 2011-04-24 20:14 2899576 ----a-w- c:\program files\FFPsetup.exe
2011-04-24 19:24 . 2011-04-24 20:14 2832544 ----a-w- c:\program files\install_flash_player.exe
2011-04-11 20:38 . 2011-04-11 20:38 2740320 ----a-w- c:\program files\HPHNDU.exe
2010-04-15 21:17 . 2011-06-16 01:57 37450936 ----a-w- c:\program files\SanDiskBackup.exe
2009-11-12 21:13 . 2010-12-17 01:32 10270208 ----a-w- c:\program files\SeaToolsForWindowsSetup.exe
2009-11-03 17:03 . 2010-12-17 01:32 1445516 ----a-w- c:\program files\SeaToolsforWindows_Warranty.exe
2008-05-13 21:54 . 2011-03-21 17:46 50688 ----a-w- c:\program files\ATF-Cleaner.exe
2011-09-17 23:35 . 2011-08-27 23:56 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Mary\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Mary\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Mary\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Mary\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]
@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
2011-05-30 16:50 21864 ----a-w- c:\program files\Internet Download Manager\IDMShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2011-09-15 3425688]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-06 141848]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-06 137752]
"Norton Save and Restore 2.0"="c:\program files\Norton Save and Restore\Agent\VProTray.exe" [2008-05-07 2037088]
"MsmqIntCert"="mqrt.dll" [2008-04-14 177152]
"DiscWizardMonitor.exe"="c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2009-10-16 1325936]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"NSWosCheck"="c:\program files\Norton SystemWorks\osCheck.exe" [2008-09-25 160112]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-12-18 197928]
"NswUiTray"="c:\program files\Norton SystemWorks\NswUiTray.exe" [2008-09-25 85360]
"Norton Online Backup"="c:\program files\Symantec\Norton Online Backup\NOBuClient.exe" [2010-06-08 968536]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
.
c:\documents and settings\Mary\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Mary\Application Data\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]
EvernoteClipper.lnk.disabled [2011-8-13 768]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyDocs"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoStartMenuMyMusic"= 1 (0x1)
"NoTaskGrouping"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /p \??\J:\0autocheck autochk *
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^desktop.ini]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\desktop.ini
backup=c:\windows\pss\desktop.iniCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPZRCV01.LNK]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HPZRCV01.LNK
backup=c:\windows\pss\HPZRCV01.LNKCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LaunchU3.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\LaunchU3.exe.lnk
backup=c:\windows\pss\LaunchU3.exe.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 04:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-09-07 22:58 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-06-06 02:23 162328 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2009-08-27 22:20 46368 ----a-w- c:\program files\Nuance\PaperPort\IndexSearch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Online Backup]
2010-06-08 15:25 968536 ----a-w- c:\program files\Symantec\Norton Online Backup\NOBuClient.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2009-08-27 22:22 29984 ----a-w- c:\program files\Nuance\PaperPort\pptd40nt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDF5 Registry Controller]
2009-08-25 20:17 62752 ----a-w- c:\program files\Nuance\PDF Viewer Plus\RegistryController.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2009-03-05 07:41 1044480 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"Fax"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"AdobeActiveFileMonitor9.0"=2 (0x2)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ISUSPM"=c:\documents and settings\All Users\Application Data\FLEXnet\Connect\11\ISUSPM.exe -scheduler
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
"Freecorder FLV Service"="c:\program files\Freecorder 5\FLVSrvc.exe" /run
"PDFHook"=c:\program files\Nuance\PDF Viewer Plus\pdfpro5hook.exe
"PPort12reminder"="c:\program files\Nuance\PaperPort\Ereg\Ereg.exe" -r "c:\documents and settings\All Users\Application Data\ScanSoft\PaperPort\12\Config\Ereg\Ereg.ini"
"VERIZONDM"="c:\program files\VERIZONDM\bin\sprtcmd.exe" /P VERIZONDM
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"AcronisTimounterMonitor"=c:\program files\Seagate\DiscWizard\TimounterMonitor.exe
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"AppleSyncNotifier"=c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
"CarboniteSetupLite"="c:\program files\Carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst /reshowat=900
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"Norton Online Backup"=c:\program files\Symantec\Norton Online Backup\NOBuClient.exe
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"Seagate Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe"
"SSBkgdUpdate"=c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec\\Norton Online Backup\\NOBuClient.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\FinalMediaPlayer\\FMPCheckForUpdates.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 IDMTDI;IDMTDI;c:\windows\system32\drivers\idmtdi.sys [3/10/2011 11:47 AM 101616]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [12/18/2009 11:25 AM 189736]
R2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\nlssrv32.exe [5/23/2011 9:11 AM 63488]
R2 NOBU;Norton Online Backup;c:\program files\Symantec\Norton Online Backup\NOBuAgent.exe [6/8/2010 11:20 AM 2057560]
R2 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;c:\program files\Norton PC Checkup\Engine\2.0.8.13\SymcPCCULaunchSvc.exe [9/6/2011 8:13 PM 120248]
R2 Norton Save and Restore;Norton Save and Restore;c:\program files\Norton Save and Restore\Agent\VProSvc.exe [2/13/2007 7:57 PM 3425632]
R2 NProtectService;Norton UnErase Protection;c:\progra~1\NORTON~4\NORTON~1\NPROTECT.EXE [9/25/2008 3:53 PM 95600]
R2 PCCUJobMgr;Common Client Job Manager Service;c:\program files\Norton PC Checkup\Engine\2.0.8.13\ccSvcHst.exe [9/6/2011 8:13 PM 126392]
R2 PDFProFiltSrvPP;PDFProFiltSrvPP;c:\program files\Nuance\PaperPort\PDFProFiltSrvPP.exe [8/27/2009 6:21 PM 144672]
R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\Common Files\Seagate\Schedule2\schedul2.exe [10/16/2009 7:39 PM 431456]
R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files\VERIZONDM\bin\sprtsvc.exe [9/29/2010 7:00 AM 206120]
R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files\VERIZONDM\bin\tgsrvc.exe [9/29/2010 7:00 AM 185640]
S0 cerc6;cerc6; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [4/14/2008 8:00 AM 14336]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [1/9/2011 7:04 PM 11520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
S4 AdobeActiveFileMonitor9.0;Adobe Active File Monitor V9;c:\program files\Adobe\Elements 9 Organizer\PhotoshopElementsFileAgent.exe [9/6/2010 2:19 AM 169408]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPHNDUService REG_MULTI_SZ HPHNDUSVC
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-18 c:\windows\Tasks\AdobeAAMUpdater-1.0-VIVADELLA-Mary.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-07-29 05:25]
.
2011-07-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2011-09-24 c:\windows\Tasks\Final Media Player Update Checker.job
- c:\program files\FinalMediaPlayer\FMPCheckForUpdates.exe [2011-05-23 20:50]
.
2011-08-29 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job
- c:\program files\Norton SystemWorks\OBC.exe [2008-09-25 19:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.nytimes.com/
uInternet Connection Wizard,ShellNext = https://nobu.backup.com/backup_agents/register/temp672DDFDE-C095-401E-9995-94635A56A0E0?display_name=dell&TZ=-300
uInternet Settings,ProxyOverride = *.local
IE: Add to Evernote 4.0 - c:\program files\Evernote\Evernote\EvernoteIE.dll/204
IE: Append the content of the link to existing PDF file - c:\program files\Nuance\PDF Viewer Plus\Bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
IE: Append the content of the selected links to existing PDF file - c:\program files\Nuance\PDF Viewer Plus\Bin\ZeonIEFavClient.dll/ZeonIEAppendSelLinks.HTML
IE: Append to existing PDF file - c:\program files\Nuance\PDF Viewer Plus\Bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
IE: Create PDF file - c:\program files\Nuance\PDF Viewer Plus\Bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
IE: Create PDF file from the content of the link - c:\program files\Nuance\PDF Viewer Plus\Bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
IE: Create PDF files from the selected links - c:\program files\Nuance\PDF Viewer Plus\Bin\ZeonIEFavClient.dll/ZeonIECaptureSelLinks.HTML
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Open with PDF Viewer Plus - c:\program files\Nuance\PDF Viewer Plus\Bin\PlusIEContextMenu.dll/PlusIEContextMenu.htm
IE: {{A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://c:\program files\Evernote\Evernote\EvernoteIE.dll/204
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 192.168.1.2 71.252.0.12 68.237.161.12
FF - ProfilePath - c:\documents and settings\Mary\Application Data\Mozilla\Firefox\Profiles\4wsa42ax.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.nytimes.com/
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-ScanWizFull14_is1 - c:\program files\ScanWizV14\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-24 18:04
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
.
c:\docume~1\Mary\LOCALS~1\Temp\etilqs_jE5aJSzltyM8qJM96mnv 0 bytes
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCCUJobMgr]
"ImagePath"="\"c:\program files\Norton PC Checkup\Engine\2.0.8.13\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files\Norton PC Checkup\Engine\2.0.8.13\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{0528ae19-aaed-4930-b4ff-95e4098a6731}]
@Denied: (Full) (Everyone)
"Model"=dword:0000000d
"Therad"=dword:00000010
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):70,aa,dc,63,02,8a,0c,03,14,cf,78,61,42,ba,f8,e1,2c,dd,df,b5,cb,
 93,46,df,ec,23,57,c4,27,65,39,b8,20,bb,39,1d,6b,99,f1,d2,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{764c7d92-d91c-4e72-b92d-319c39326101}]
@Denied: (Full) (Everyone)
"Model"=dword:0000004f
"Therad"=dword:00000015
"MData"=hex(0):db,e2,a7,51,8d,2f,ce,9a,46,94,54,33,36,a0,8f,01,70,68,54,ac,74,
 ad,53,86,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):0f,85,31,a3,87,2a,69,33,1d,50,29,4b,2f,24,46,90,0f,aa,51,5d,0e,
 2d,09,7d,7e,ad,c5,e5,84,a6,55,e8,d7,32,be,6b,06,b0,5e,e3,00,00,00,00,00,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1580)
c:\windows\system32\WININET.dll
c:\documents and settings\Mary\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\program files\Internet Download Manager\IDMShellExt.dll
c:\program files\Internet Download Manager\IDMNetMon.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\msdtc.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\windows\system32\tcpsvcs.exe
c:\windows\System32\snmp.exe
c:\progra~1\NORTON~4\NORTON~1\SPEEDD~1\NOPDB.EXE
c:\windows\system32\wdfmgr.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\mqsvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\SearchProtocolHost.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2011-09-24 18:08:15 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-24 22:08
.
Pre-Run: 353,902,800,896 bytes free
Post-Run: 353,995,976,704 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 3E1B75DB9E018DA5B0B8A219008AA13D

After finishing with ComboFix and re-installing NIS 2012, I rebooted and checked for the previous suspicious activity. The program calling itself "NuanceWDS.exe" began installing itself repeatedly, according to my view from Windows Task Manager. The Windows\Temp file also began generating multiple numbered files in Windows\Temp\Nuance\OmniPageCSDK16. However, these numbered files were empty rather than holding multi-GB files. Therefore, I deleted them and deleted NuanceWDS.exe after finding it in a global search, also a file with Nuanceprefetch.dat in its name.

Then I rebooted and ran your Security Check program. Its log follows:

 Results of screen317's Security Check version 0.99.18 
 Windows XP Service Pack 3 
 Internet Explorer 8 
`````````````````````````````` 
Antivirus/Firewall Check:

 Windows Firewall Disabled! 
 Norton Internet Security 
 Antivirus up to date! 
``````````````````````````````` 
Anti-malware/Other Utilities Check:

 Adobe Flash Player 10.3.183.5 
 Mozilla Firefox (x86 en-US..) 
```````````````````````````````` 
Process Check: 
objlist.exe by Laurent

 Norton ccSvcHst.exe 
 Symantec Norton Online Backup NOBuAgent.exe 
 Symantec Norton Online Backup NOBuClient.exe 
``````````End of Log```````````` 

During the last hour, there have been no new starts of NuanceWDS.exe and no suspicious additions to the Windows\Temp file. I cannot tell whether there is any malware searching my computer for financial files, because I have not returned any of them to the computer.

Thank you for your directions and help, nasdaq. I look forward to hearing your opinion.

maggie2011

Computer: Dell Optiplex 755 Ultra Small Form Factor CPU: Core 2 Duo E8500/3.16GHz 6M, VT, 1333FSB Ram: 4GB, Non-ECC, 800MHZ, DDR2, 2 x 2 GB Motherboard: Dell Optiplex 755 Storage: Seagate 500 GB internal SATA, External: Dell external RD1000 tape USB device with 320GB cartridges, and Seagate GoFlexPro 750GB for Mac & Win Video: Intel Q35 Express Chipset Family Integrated Video GMA3100 Network: Cisco Lynksys Ethernet home network, Intel 2GB Network Connection, DSL OS: Windows XP Professional SP 3, 5.1 Build 2600 Web & Email: Firefox 6.0.2, Google email Antivirus: Norton Internet Security 2012 Anti-Spyware: Spybot Search & Destroy Sound: SoundMAX HD Audio

#8 nasdaq

nasdaq

  • Malware Response Team
  • 38,756 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:12 AM

Posted 25 September 2011 - 07:35 AM

Good work.

Your ComboFix log is clean.

Critical vulnerabilities have been identified in Adobe Flash Player 10.3.183.7 and earlier versions... being exploited in the wild in active targeted attacks... update to Adobe Flash Player 10.3.183.10 ... Flash Player for Android update to Adobe Flash Player for Android 10.3.186.7

Direct download current version - executable Flash Player installer... to your Desktop, then double-click to install.

Download for Internet Explorer

Download for Firefox and other browsers

Let me know if there are any other issues.

If all is well:

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

Delete the other tools we used.

Surf Safely, and Think Prevention!

#9 maggie2011

maggie2011
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Northern Virginia
  • Local time:04:12 AM

Posted 26 September 2011 - 07:21 PM

Dear nasdaq,

Thank you for all the help and the extensive work you did in analyzing my computer system.

I am a little confused about the results, because of my lack of knowledge. Did any of the tools you directed me to
use make any changes in my system? Eventually everything checked out as clean, but I do not know
what changed. I don't have to understand any change that was made, but I am afraid to put my patients'
data and my own personal and financial data back onto the computer until I have some reassurance that our process
got rid of some malware or dangerous settings. :mellow:

I still have to begin seeking help from government agencies for the identity theft that happened with
whatever malware I had. Whatever it was scoured my entire documents folder and published
extremely confidential information on a dubious [probably a financial scam] website.

I did remove the software programs you sent me. The uninstall of ComboFix got that program off my computer,
but it may not have given me the System Restore Point you expected it to set up. That is because Norton
Internet Security still will not allow me to disable the virus protection temporarily. I could not face uninstalling
and reinstalling NIS a second time in one day, because I was so tired, and I did not want to risk messing
up the system with new attackers. After uninstalling NIS earlier yesterday, I changed my password in my
Norton Account, but NIS still would not recognize my password.

I also downloaded and installed the latest Adobe Flash for the computer and for my Droid.

It seems lame just to thank you for your incredible expertise and devotion to helping others.
I pay Norton so many dollars for online backup, and many of its programs, but Norton gave
me no help, unlike you and your bleepingcomputer colleagues.

Can you use your imagination to receive from me a big fireworks display or huge bouquets of flowers?

maggie2011 :thumbsup:

#10 nasdaq

nasdaq

  • Malware Response Team
  • 38,756 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:12 AM

Posted 27 September 2011 - 07:35 AM

I am a little confused about the results, because of my lack of knowledge. Did any of the tools you directed me to
use make any changes in my system? Eventually everything checked out as clean, but I do not know
what changed.

Credit goes to sUBs, the owner of the ComboFix tool. Look at what was removed in the Deletion section.

After uninstalling NIS earlier yesterday, I changed my password in my Norton Account, but NIS still would not recognize my password.

Norton does not make it easy to uninstall their products.

Download and run the Norton Removal Tool FOR YOUR CURRENT PROGRAM.
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039?Open&src=&docid=2001092114452606&nsf=nav.nsf&view=docid&dtype=&prod=&ver=&osv=&osv_lvl=

Reinstall the application.
===

If that fails then a call to Norton is your best solution.

===

The following are two on-line scans you can do to remove anything that we do not see in the logs.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
===

Download the latest version of Kaspersky Virus Removal Tool
  • Close all other applications and double-click and run the installer.
  • When AVPTool starts, select all the scannable items except for CD-ROM drives.
  • Then please choose Security level: Recommended and perform the following actions.
    Posted Image
  • Click the Start scan button.
  • If malware is detected, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
  • After the scan finishes, if any threat remains in the Scan window (Red exclamation point), click the Neutralize all button
  • In the window that opens, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
  • If advised that a special disinfection procedure is required which demands system reboot: click the Ok button to close the window.
  • In the Scan window click the Reports button and select Save to file.
  • Name the report AVPT.txt, and save it to the Desktop.
  • Close AVPTool.
  • You will be prompted if you want to uninstall the program; click Yes.
  • You will then be prompted that to complete the uninstallation, the computer must be restarted. Select Yes to restart the system.
  • Copy and paste the first part of the report (Detected) that you saved in your next reply. Do not include the longer list marked Events.


#11 maggie2011

maggie2011
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Northern Virginia
  • Local time:04:12 AM

Posted 27 September 2011 - 10:16 PM

Hi, nasdaq,

I am signing in here from a Mac computer, to let you know that I am not ignoring your next set of helpful steps. It just is taking hours
and hours, partly because I have so many Norton programs to document and backup before I could do the Removal Tool, which also
took a very long time to remove everything. I used to know that to REALLY fix a Norton problem, one has to remove every trace. The
first time I uninstalled NIS the other day, I allowed it to keep my information. In hindsight, of course that is why the Norton problem was not solved.
Thank you for reminding me to do THE WHOLE THING.

Fatigue and clumsiness on my part are not helping. I am downloading the ESET scanner, which took an hour to get up to 41%. I accidentally
bumped the spacebar, and it started all over again. I have patients to see all day tomorrow, so I may have to do the next stage tomorrow
after work.

Thank you for pointing out the "other deletions" section in the ComboFix log. Some of those .exe files sound pretty shady, and while ComboFix was running, it
did mention various removals, but faster than I could record them. Oh yes, I remind you that my Norton Internet Security interfered with the
complete removal of ComboFix, I searched and found one remainder of that program in my C: drive -- a folder, "ComboFix" / with one file
in it called "NircmdB.exe" size 60 KB. I removed it to a thumb drive, to get it away from my system, and I can erase it by using a Mac computer if
that is the right thing to do. If it is something terrible, of course, I can just throw out the thumb drive.

I appreciate your giving my security a second round. I will feel more confident and able to use my system if this second round has a good
outcome.

Gratefully, your erstwhile penpal,

maggie2011 Posted Image(me, not the computer)

#12 nasdaq

nasdaq

  • Malware Response Team
  • 38,756 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:12 AM

Posted 28 September 2011 - 09:37 AM

Norton Internet Security interfered with the
complete removal of ComboFix, I searched and found one remainder of that program in my C: drive -- a folder, "ComboFix" / with one file
in it called "NircmdB.exe" size 60 KB. I removed it to a thumb drive, to get it away from my system, and I can erase it by using a Mac computer if
that is the right thing to do. If it is something terrible, of course, I can just throw out the thumb drive.


That file came with ComboFix you can delete it.

#13 maggie2011

maggie2011
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Northern Virginia
  • Local time:04:12 AM

Posted 29 September 2011 - 11:55 AM

Dear Senior Member nasdaq,

The Eset online scan was thorough. After 20 hours of scanning my computer and its external drive, it deleted one file. Here is the log.


C:\Program Files\Freecorder 5\Uninstall\apptec-freecorder-us-dtx.exe Win32/Toolbar.Zugo application deleted - quarantined


I left the Kaspersky virus checking scan, still running after several hours last night, when I went to bed. At that point it had identified no threats.
This morning, however, I found the dreaded Windows blue screen. It said:

"A problem has been detected and Windows shut down to protect your computer.
Driver -- IRQL--Not _Less_ or_Equal". (The current 500 GB Seagate hard drive is new. The original Dell hard drive failed after less
than a year, and Dell's refurbished replacement drive died after a month.). I do not know what the error message means.

I rebooted the computer and ejected the external hard drive. Kaspersky reloaded automatically and began rescanning.

Automatic Spell check twice has changed my "rebooted" mention to "rebootied.". Maybe my iPad2's spell check engine has a dirty mind/ chip.

maggie2011
from my iPad2

#14 nasdaq

nasdaq

  • Malware Response Team
  • 38,756 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:12 AM

Posted 29 September 2011 - 01:33 PM

It could be some hardware or driver problems.

Most likely a driver problem if the Hard Drive was changed to another model.

This article may give you some information.
http://www.tek-tips.com/viewthread.cfm?qid=308429

Run this SFC scan.

From the Start menu, select Run.
In the Open field, type sfc /scannow (Note: There is a space between sfc and /scannow)
Select the OK button.
Follow the prompts throughout the System File Checker process.
Reboot the computer when System File Checker completes.

Keep me posted on the results.

#15 maggie2011

maggie2011
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Northern Virginia
  • Local time:04:12 AM

Posted 29 September 2011 - 08:40 PM

Thank you, nasdaq,

It looks like there are a number of useful strategies in the article you linked for me, and I will go
through them carefully, plus the SFC scan --

--as soon as Kaspersky Virus Remover finishes its job. Unfortunately, it did not occur to me to
check whether any of my settings were changed during the blue screen event. Somehow the
system reverted to a power setting to go into standby after 15 minutes.

I left the computer running Kaspersky and went to my workplace for a long day, and discovered
this evening that standby went into effect. At present, Kaspersky is about 35% finished, finding no
threats so far. So tonight or tomorrow night after work, I hope to have good news to report to you.

maggie2011
