TIDSERV Activity 2?


This topic is locked
28 replies to this topic

#1 Chesapeake Doug (Members, 15 posts)

Posted 19 December 2011 - 08:14 AM

This all started when I got a pop-up for my Norton Security Suite reporting "TIDSERV Activity 2" requiring manual removal. Here are the events as best I recall on 12/6/2011:

1. Followed the link to Symantec website and downloaded FixTDSS.exe.
2. Installed and attempted to run FixTDSS. Windows restarted but I saw nothing indicating the program ran.
3. Continued to use Windows XP Pro Version 2002, SP3. Windows ran slowly and I got warnings from Norton that PING.EXE was using excessive CPU. Got another "TIDSERV Activity 2" warning.
4. Ran FixTDSS.exe again. This time it did scan after restart and reported no infected files.
5. However, when using windows, I continued to get Norton reporting the TIDSERV infection and PING.EXE using excessive CPU.
6. Someplace around here I uninstalled Google Chrome, which I believe is the only program I installed that day for which I gave permission to modify the hard drive. (I don't think I installed any other programs prior to the report of infection.)
7. After reviewing the Symantec instructions for "Backdoor.Tidserv Removal Tool", I verified I had followed all the instructions, which included turning off the system restore (which deleted previous restore points -- go figure), and disabling shared files or making them read only (I did that). These were all accomplished prior to step 4 above. I ran "FixTDSS.exe" again thinking the system kept getting reinfected.
8. Once again the program (FixTDSS) reported no infected files. Some place in here I got a Blue Screen of Death (BSoD) before windows finished booting in the normal mode. I successfully booted to the safe mode, but was unable to boot with networking. After several tries I booted normally, still had the infection symptoms reported above and on a subsequent reboot could no longer boot Windows Normal mode, only to safe mode with no networking. That is my current status--I can now only boot in SAFE Mode with no networking.

When I try to boot to the Windows normal mode I get the Windows screen as in normal bootup, then after a few seconds I get a BSoD. The BSoD reads: A problem has been detected and windows has been shut down to prevent damage to your computer. If this is the first time ..." The technical information given is:
"*** STOP: 0x0000007E (0xC0000005, 0x00039800, 0xB84C34A4, 0xB84C31A0)". As previously stated I could not find a minidump file for this either with NirSoft BlueScreenView or by searching my drive for anything with "mini".

Throughout this process I updated Norton and ran complete scans. Seems like the worst I found was some tracking cookies. I am currently using a flash drive to transfer files to/from the infected computer.

I downloaded, installed and ran the NirSoft BlueScreenView hoping to gain insight on the cause of the BSoD. It appears that a minidump is not being created, even though it is turned on in Windows. I also downloaded GMER, dds, and defogger and ran them to comply with the preparation instructions and generate the logs below.

Once again please note: THE LOGS WERE PRODUCED WITH WINDOWS IN SAFE MODE, as the computer will not currently boot to normal mode!

Posted below is the DDS.txt file and attached are the Attach.txt and Ark.txt per the Preparation Guide.

I'm hopeful you can offer some help to stop the BSoD and restore my system to normal operation.

Thanks,
Doug


.
DDS (Ver_2011-08-26.01) - NTFSx86 MINIMAL
Internet Explorer: 8.0.6001.18702
Run by Doug at 18:54:12 on 2011-12-18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3279 [GMT -5:00]
.
AV: Norton Security Suite *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\taskmgr.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\5.1.0.29\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\5.1.0.29\ips\IPSBHO.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office14\GROOVEEX.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~3\office14\URLREDIR.DLL
BHO: {CE7C3CF0-4B15-11D1-ABED-709549C10000} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\5.1.0.29\coIEPlg.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\acrobat\AdobeUpdateManager.exe AcStd7_0_0 -reboot 1
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [Google Update] "c:\documents and settings\doug\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Smad] "c:\documents and settings\doug\local settings\application data\sanctionedmedia\smad\Smad.exe"
mRun: [GEST]
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [kmw_run.exe] kmw_run.exe
mRun: [MSWheel]
mRun: [<NO NAME>]
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [EasyTuneVPro] c:\program files\gigabyte\et5pro\ETcall.exe
mRun: [WinSys2] c:\windows\system32\winsys2.exe
mRun: [boincmgr] "c:\program files\boinc\boincmgr.exe" /a /s
mRun: [boinctray] "c:\program files\boinc\boinctray.exe"
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [VMware hqtray] "c:\program files\vmware\vmware player\hqtray.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRunOnce: [FixTDSS] cmd /c start /D "c:\documents and settings\doug\my documents\dloads" /B FixTDSS.exe -postboot
StartupFolder: c:\docume~1\doug\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\doug\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\doug\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.4\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-ba7e-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: Se&nd to OneNote - c:\progra~1\micros~3\office14\ONBttnIE.dll/105
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
LSP: mswsock.dll
LSP: c:\program files\vmware\vmware player\vsocklib.dll
Trusted Zone: intuit.com\ttlc
Trusted Zone: realtytools.com
Trusted Zone: toolkitcma.com
Trusted Zone: toolkitcma2.com
DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} - hxxp://reports.longandfoster.com/ScriptX/ScriptX.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {27F3D5C7-9440-410F-AEDA-E37456121070} - hxxp://x.longandfoster.com/Xcelerate/ActiveXcomponent/eXcelerate.CAB
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1258978465734
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{6287A48C-FE3A-4F6F-A679-0A303F17E1A2} : DhcpNameServer = 192.168.1.1 192.168.1.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office14\GROOVEEX.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
.
============= SERVICES / DRIVERS ===============
.
R0 FixTDSS;TDSS Fixtool driver;c:\windows\system32\drivers\FixTDSS.sys [2011-12-6 26872]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0501000.01d\symds.sys [2011-10-5 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0501000.01d\symefa.sys [2011-10-5 744568]
R2 HMuKstE;Kensington TrackballWorks Expert USB HID Device Filter Driver;c:\windows\system32\drivers\HMuKstE.sys [2010-5-20 51280]
S1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\bashdefs\20111123.001\BHDrvx86.sys [2011-11-29 819320]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0501000.01d\ironx86.sys [2011-10-5 136312]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 DirMngr;DirMngr;c:\program files\gnu\gnupg\dirmngr.exe [2011-3-2 224256]
S2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\common files\intuit\update service v4\IntuitUpdateService.exe [2011-8-25 13672]
S2 N360;Norton Security Suite;c:\program files\norton security suite\engine\5.1.0.29\ccsvchst.exe [2011-10-5 130008]
S2 SlingAgentService;SlingAgentService;c:\program files\sling media\slingagent\SlingAgentService.exe [2009-9-25 93960]
S2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2010-1-22 70704]
S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\common files\vmware\usb\vmware-usbarbitrator.exe [2010-1-22 563760]
S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-6-28 12672]
S3 EraserUtilDrv11113;EraserUtilDrv11113;\??\c:\program files\common files\symantec shared\eengine\eraserutildrv11113.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilDrv11113.sys [?]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-11-10 106104]
S3 FLASHSYS;FLASHSYS;c:\program files\msi\live update 4\lu4\FlashSys.sys [2011-3-19 9216]
S3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\ipsdefs\20111206.001\IDSXpx86.sys [2011-12-6 356280]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2011-6-12 31125880]
S3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\virusdefs\20111206.018\NAVENG.SYS [2011-12-6 86136]
S3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\virusdefs\20111206.018\NAVEX15.SYS [2011-12-6 1576312]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-12-18 17:49:07 -------- d-----w- c:\program files\NirSoft
2011-12-07 02:22:34 26872 ----a-w- c:\windows\system32\drivers\FixTDSS.sys
2011-12-07 02:22:34 -------- d-----w- c:\documents and settings\doug\application data\FixTDSS
2011-12-06 20:17:15 -------- d-----w- c:\documents and settings\doug\local settings\application data\SanctionedMedia
2011-12-06 19:48:54 -------- d-----w- c:\documents and settings\doug\local settings\application data\Deployment
2011-11-29 21:42:05 4200024 ----a-w- c:\windows\system32\cdintf400.dll
2011-11-29 21:41:36 -------- d-----w- c:\program files\Quicken
.
==================== Find3M ====================
.
2011-12-18 23:49:48 7304 ----a-w- c:\windows\TMP0001.TMP
2011-12-07 02:03:23 24944 ----a-w- c:\windows\system32\drivers\GVTDrv.sys
2011-11-19 03:50:35 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-05 17:42:12 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-10-05 17:42:12 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
.
============= FINISH: 18:55:24.01 ===============


#2 CatByte (bleepin' tiger, Malware Response Team, 14,664 posts, Canada)

Posted 19 December 2011 - 04:03 PM

Hi

Please run this program on your USB so no infection is transferred:

Download Flash_Disinfector.exe from HERE and save it to your desktop.

  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.


NEXT


Please transfer the following program to the infected computer and run it, (the recovery console may not install on the first run as it may not be able to establish a connection)


Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.



NEXT

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 Chesapeake Doug (Topic Starter)

Posted 20 December 2011 - 11:04 AM

Catbyte,

Sorry, but I'm having problems. As I stated, I'm running in SAFE Mode. Combofix reported that Norton was running. There is nothing in the systray, so I went to msconfig and it looked like the service was stopped. I went to the administrative tools and it told me that "Norton Security Suite" was stopped.

As a final step, I uninstalled Norton Security Suite and rebooted. Combofix still says it detects Norton Security Suite as active.

Is it safe for me to continue with Combofix or do you have other suggestions?

Doug

#4 CatByte (bleepin' tiger, Malware Response Team)

Posted 20 December 2011 - 11:16 AM

Hi,

Use the Norton Removal tool for your product, if it is still reported after that, then continue on:

Norton has a tool that will remove all of its products from failed uninstalls or installs
  • Download the appropriate Norton Removal Tool from HERE and save it to your desktop.
  • Next Double click on Norton_Removal_Tool.exe to run the tool.
  • Follow the on-screen instructions.
  • Your computer may be restarted more than once, and you may be asked to repeat some steps after the computer restarts.


#5 Chesapeake Doug (Topic Starter)

Posted 20 December 2011 - 01:03 PM

CatByte,

The task is done. Here are my observations:

- I was running in Windows Safe Mode without networking (the only way I could boot), therefore, when running ComboFix I could not download and install the Repair Console (which I would like to do).
-- ComboFix said it would continue scanning and apparently did so even before I clicked "Okay"

- Combofix posted a window for a short time that said I was infected with Zero Access Root Kit (I think) and then continued working, and eventually rebooted and successfully loaded Windows in the Normal mode.

- I have one window open from "NeroCheck" that says, (this appeared with the last Combofix reboot)

"The LowerFilter or UpperFilter registery key for CD-ROM was containing incorrect drivers. It has been corrected.

You must reboot your computer in order the changes are effective.

Until then, you may not be able to access your CD-ROM."

- I had one window automatically open while Combofix was creating its file that appeared to be updating Adobe Acrobat Standard 7, I cancelled that program/update since ComboFix said not to run any programs.

- The computer was disconnected from the network during all of this. After Combofix completed and I ran FSS I noticed it was checking network status. Therefore, I connected the computer to the network (plugged in the network cable) and re-ran DSS. The log file below is with the network connected.

Below are the ComboFix.txt and FSS.txt files. I have three questions:
1. The wording in the NeroCheck box is grammatically incorrect (suggesting it was written by a non-native speaker). Should I be concerned about it or is rebooting okay? I have not verified the operation of my CD-ROM.
2. When we are finished, I'd like to download and install the Windows Repair Console. Can you propose an easy approach to do that?
3. What's next?

Logs follow.

Doug



ComboFix 11-12-20.04 - Doug 12/20/2011 11:52:04.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3172 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\tmp101A.tmp
c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
c:\documents and settings\Doug\g2mdlhlpx.exe
c:\windows\$NtUninstallKB4588$
c:\windows\$NtUninstallKB4588$\1931633358\@
c:\windows\$NtUninstallKB4588$\1931633358\bckfg.tmp
c:\windows\$NtUninstallKB4588$\1931633358\cfg.ini
c:\windows\$NtUninstallKB4588$\1931633358\Desktop.ini
c:\windows\$NtUninstallKB4588$\1931633358\keywords
c:\windows\$NtUninstallKB4588$\1931633358\kwrd.dll
c:\windows\$NtUninstallKB4588$\1931633358\L\akygdmgo
c:\windows\$NtUninstallKB4588$\1931633358\U\00000001.@
c:\windows\$NtUninstallKB4588$\1931633358\U\00000002.@
c:\windows\$NtUninstallKB4588$\1931633358\U\00000004.@
c:\windows\$NtUninstallKB4588$\1931633358\U\80000000.@
c:\windows\$NtUninstallKB4588$\1931633358\U\80000004.@
c:\windows\$NtUninstallKB4588$\1931633358\U\80000032.@
c:\windows\$NtUninstallKB4588$\552662222
c:\windows\system32\WinSys.exe
.
Infected copy of c:\windows\system32\drivers\afd.sys was found and disinfected
Restored copy from - The cat found it :)
.
((((((((((((((((((((((((( Files Created from 2011-11-20 to 2011-12-20 )))))))))))))))))))))))))))))))
.
.
2011-12-20 16:47 . 2011-08-17 13:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-12-20 16:40 . 2011-12-20 16:40 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2011-12-20 15:10 . 2011-12-20 15:10 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-12-18 17:49 . 2011-12-18 17:49 -------- d-----w- c:\program files\NirSoft
2011-12-07 02:22 . 2011-12-07 02:22 26872 ----a-w- c:\windows\system32\drivers\FixTDSS.sys
2011-12-06 20:29 . 2011-12-06 20:29 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-11-29 21:42 . 2011-08-31 07:34 4200024 ----a-w- c:\windows\system32\cdintf400.dll
2011-11-29 21:41 . 2011-11-29 21:51 -------- d-----w- c:\program files\Quicken
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-20 17:03 . 2008-10-03 21:51 24944 ----a-w- c:\windows\system32\drivers\GVTDrv.sys
2011-12-20 17:01 . 2008-10-04 00:48 7304 ----a-w- c:\windows\TMP0001.TMP
2011-11-19 03:50 . 2011-05-23 18:10 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-27 05:17 . 2011-10-27 05:17 10 ----a-w- c:\windows\Fonts\wfonts.key
2011-10-10 14:22 . 2008-10-03 15:56 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2001-08-23 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41 . 2008-07-29 23:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41 . 2001-08-23 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41 . 2001-08-23 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Doug\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Doug\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Doug\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Doug\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2008-01-22 152872]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2006-03-30 313472]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-05-18 2363392]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-02-13 16857600]
"kmw_run.exe"="kmw_run.exe" [2006-08-03 106496]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-05-28 570664]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"EasyTuneVPro"="c:\program files\Gigabyte\ET5Pro\ETcall.exe" [2007-07-26 20480]
"WinSys2"="c:\windows\system32\winsys2.exe" [2008-01-18 208896]
"boincmgr"="c:\program files\BOINC\boincmgr.exe" [2010-05-14 4825856]
"boinctray"="c:\program files\BOINC\boinctray.exe" [2010-05-14 58112]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"VMware hqtray"="c:\program files\VMware\VMware Player\hqtray.exe" [2010-01-23 64048]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-02-23 111208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-02-23 13880424]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-11-04 1753192]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
c:\documents and settings\Sherry\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-BA7E-000000000002}\SC_Acrobat.exe [2008-10-4 25214]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"N360"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Gigabyte\\ET5Pro\\update.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\VMware\\VMware Player\\vmware-authd.exe"=
"c:\\Documents and Settings\\Doug\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
.
R0 FixTDSS;TDSS Fixtool driver;c:\windows\system32\drivers\FixTDSS.sys [12/6/2011 9:22 PM 26872]
R2 DirMngr;DirMngr;c:\program files\GNU\GnuPG\dirmngr.exe [3/2/2011 10:20 AM 224256]
R2 HMuKstE;Kensington TrackballWorks Expert USB HID Device Filter Driver;c:\windows\system32\drivers\HMuKstE.sys [5/20/2010 2:05 AM 51280]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [8/25/2011 5:53 PM 13672]
R2 SlingAgentService;SlingAgentService;c:\program files\Sling Media\SlingAgent\SlingAgentService.exe [9/25/2009 12:16 PM 93960]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [1/22/2010 8:57 PM 70704]
R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [1/22/2010 8:00 PM 563760]
R3 GVTDrv;GVTDrv;c:\windows\system32\drivers\GVTDrv.sys [10/3/2008 4:51 PM 24944]
R3 MarkFun_NT;MarkFun_NT;c:\program files\Gigabyte\ET5Pro\MARKFUN.W32 [6/29/2009 7:23 PM 17912]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S3 EraserUtilDrv11113;EraserUtilDrv11113;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11113.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11113.sys [?]
S3 FLASHSYS;FLASHSYS;c:\program files\MSI\Live Update 4\LU4\FlashSys.sys [3/19/2011 8:38 AM 9216]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [6/12/2011 10:15 AM 31125880]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 8:37 PM 4640000]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11/22/2008 9:04 PM 717296]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MARKFUN_NT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-05-18 21:54 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-879983540-839522115-1003Core.job
- c:\documents and settings\Doug\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-12-06 19:49]
.
2011-12-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-879983540-839522115-1003UA.job
- c:\documents and settings\Doug\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-12-06 19:49]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
LSP: c:\program files\VMware\VMware Player\vsocklib.dll
Trusted Zone: intuit.com\ttlc
Trusted Zone: realtytools.com
Trusted Zone: toolkitcma.com
Trusted Zone: toolkitcma2.com
DPF: {27F3D5C7-9440-410F-AEDA-E37456121070} - hxxp://x.longandfoster.com/Xcelerate/ActiveXcomponent/eXcelerate.CAB
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Smad - c:\documents and settings\Doug\Local Settings\Application Data\SanctionedMedia\Smad\Smad.exe
HKLM-Run-GEST - (no file)
HKLM-Run-MSWheel - (no file)
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
SafeBoot-mcmscsvc
SafeBoot-MCODS
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-20 12:02
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MarkFun_NT]
"ImagePath"="\??\c:\program files\Gigabyte\ET5Pro\markfun.w32"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2856)
c:\windows\system32\WININET.dll
c:\windows\system32\kmw_dll.dll
c:\windows\system32\WOW32.dll
c:\documents and settings\Doug\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
c:\progra~1\MICROS~3\Office14\1033\GrooveIntlResource.dll
c:\program files\Common Files\Ahead\Lib\NeroSearchBar.dll
c:\program files\Common Files\Ahead\Lib\MFC71U.DLL
c:\program files\Common Files\Ahead\Lib\BCGCBPRO860un71.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\IoctlSvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\vmnat.exe
c:\windows\system32\vmnetdhcp.exe
c:\program files\VMware\VMware Player\vmware-authd.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\kmw_run.exe
c:\windows\system32\KMW_SHOW.EXE
c:\program files\Gigabyte\ET5Pro\GUI.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\BOINC\boinc.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\windows\system32\msiexec.exe
c:\documents and settings\Doug\Application Data\Dropbox\bin\Dropbox.exe
c:\program files\OpenOffice.org 2.4\program\soffice.exe
c:\program files\OpenOffice.org 2.4\program\soffice.BIN
c:\program files\HP\Digital Imaging\bin\hpqnrs08.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2011-12-20 12:06:57 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-20 17:06
.
Pre-Run: 36,682,686,464 bytes free
Post-Run: 37,196,075,008 bytes free
.
- - End Of File - - B6CA411A92AE38F11D2FFCDE14D863EF



Farbar Service Scanner
Ran by Doug (administrator) on 20-12-2011 at 12:15:25
Microsoft Windows XP Professional Service Pack 3 (X86)
********************************************************

Service Check:
==============

File Check:
===========
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit

Connection Status:
==================
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.

**** End of log ****




#6 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 20 December 2011 - 01:25 PM

Hi,

Your machine is showing an internet connection now, so go ahead and reboot, then re-run ComboFix; it should install the Recovery Console for you (make sure your security programs are disabled).

If for some reason it doesn't do it automatically, then please follow these directions


Go to Microsoft's website => http://support.microsoft.com/kb/310994

Scroll down to Step 1, and select the download that's appropriate for your Operating System. Download the file & save it as it's originally named.

Note: If you have SP3, use the SP2 package.


---------------------------------------------------------------------

Transfer all files you just downloaded, to the desktop of the infected computer.

--------------------------------------------------------------------


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools




  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.




  • At the next prompt, click 'Yes' to run the full ComboFix scan.

  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt in your next reply.


If you get another window from Nero check, please take a screen shot


please advise how the computer is running now and if there are any outstanding issues

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 Chesapeake Doug

  • Topic Starter
  • Members
  • 15 posts

Posted 20 December 2011 - 04:14 PM

CatByte,

Looks like all is running.
- Recovery Console installed okay
- ComboFix ran fine (log posted below)
- No new NeroCheck messages - I checked and the CD-ROM/DVD appears to be working (I didn't try writing a disk)

I'm anxious to reinstall my Anti-Virus software (Norton Security Suite), but am waiting on your okay since I had to uninstall it previously to get ComboFix to run.

What Next?

Doug

ComboFix 11-12-20.04 - Doug 12/20/2011 15:55:40.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2903 [GMT -5:00]
Running from: c:\documents and settings\Doug\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-11-20 to 2011-12-20 )))))))))))))))))))))))))))))))
.
.
2011-12-20 17:15 . 2011-12-20 17:15 -------- d-sh--w- c:\documents and settings\Doug\UserData
2011-12-20 16:47 . 2011-08-17 13:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-12-20 16:40 . 2011-12-20 16:40 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2011-12-20 15:10 . 2011-12-20 15:10 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-12-18 17:49 . 2011-12-18 17:49 -------- d-----w- c:\program files\NirSoft
2011-12-07 02:22 . 2011-12-07 02:22 26872 ----a-w- c:\windows\system32\drivers\FixTDSS.sys
2011-12-07 02:22 . 2011-12-07 02:22 -------- d-----w- c:\documents and settings\Doug\Application Data\FixTDSS
2011-12-06 20:29 . 2011-12-06 20:29 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-12-06 20:17 . 2011-12-06 20:17 -------- d-----w- c:\documents and settings\Doug\Local Settings\Application Data\SanctionedMedia
2011-12-06 19:48 . 2011-12-06 19:49 -------- d-----w- c:\documents and settings\Doug\Local Settings\Application Data\Deployment
2011-11-29 21:42 . 2011-08-31 07:34 4200024 ----a-w- c:\windows\system32\cdintf400.dll
2011-11-29 21:41 . 2011-11-29 21:51 -------- d-----w- c:\program files\Quicken
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-20 20:49 . 2008-10-03 21:51 24944 ----a-w- c:\windows\system32\drivers\GVTDrv.sys
2011-12-20 20:47 . 2008-10-04 00:48 7304 ----a-w- c:\windows\TMP0001.TMP
2011-11-19 03:50 . 2011-05-23 18:10 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-27 05:17 . 2011-10-27 05:17 10 ----a-w- c:\windows\Fonts\wfonts.key
2011-10-10 14:22 . 2008-10-03 15:56 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2001-08-23 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41 . 2008-07-29 23:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41 . 2001-08-23 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41 . 2001-08-23 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-12-20_17.02.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-12-20 20:47 . 2011-12-20 20:47 16384 c:\windows\Temp\Perflib_Perfdata_cc.dat
+ 2011-12-20 20:48 . 2011-12-20 20:48 16384 c:\windows\Temp\Perflib_Perfdata_20c.dat
- 2008-10-04 16:08 . 2011-09-09 00:54 25214 c:\windows\Installer\{AC76BA86-1033-0000-BA7E-000000000002}\SC_Distiller.exe
+ 2008-10-04 16:08 . 2011-12-20 20:45 25214 c:\windows\Installer\{AC76BA86-1033-0000-BA7E-000000000002}\SC_Distiller.exe
+ 2008-10-04 16:08 . 2011-12-20 20:45 25214 c:\windows\Installer\{AC76BA86-1033-0000-BA7E-000000000002}\SC_Acrobat_Standard.exe
- 2008-10-04 16:08 . 2011-09-09 00:54 25214 c:\windows\Installer\{AC76BA86-1033-0000-BA7E-000000000002}\SC_Acrobat_Standard.exe
- 2008-10-04 16:08 . 2011-09-09 00:54 25214 c:\windows\Installer\{AC76BA86-1033-0000-BA7E-000000000002}\SC_Acrobat.exe
+ 2008-10-04 16:08 . 2011-12-20 20:45 25214 c:\windows\Installer\{AC76BA86-1033-0000-BA7E-000000000002}\SC_Acrobat.exe
+ 2008-10-04 16:08 . 2011-12-20 20:45 7278 c:\windows\Installer\{AC76BA86-1033-0000-BA7E-000000000002}\SC_ELEMENTS_DT.exe
- 2008-10-04 16:08 . 2011-09-09 00:54 7278 c:\windows\Installer\{AC76BA86-1033-0000-BA7E-000000000002}\SC_ELEMENTS_DT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Doug\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Doug\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Doug\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Doug\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2008-01-22 152872]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2006-03-30 313472]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-05-18 2363392]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-02-13 16857600]
"kmw_run.exe"="kmw_run.exe" [2006-08-03 106496]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-05-28 570664]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"EasyTuneVPro"="c:\program files\Gigabyte\ET5Pro\ETcall.exe" [2007-07-26 20480]
"WinSys2"="c:\windows\system32\winsys2.exe" [2008-01-18 208896]
"boincmgr"="c:\program files\BOINC\boincmgr.exe" [2010-05-14 4825856]
"boinctray"="c:\program files\BOINC\boinctray.exe" [2010-05-14 58112]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"VMware hqtray"="c:\program files\VMware\VMware Player\hqtray.exe" [2010-01-23 64048]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-02-23 111208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-02-23 13880424]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-11-04 1753192]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
c:\documents and settings\Sherry\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]
.
c:\documents and settings\Doug\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Doug\Application Data\Dropbox\bin\Dropbox.exe [2011-12-5 24242056]
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-BA7E-000000000002}\SC_Acrobat.exe [2008-10-4 25214]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"N360"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Gigabyte\\ET5Pro\\update.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\VMware\\VMware Player\\vmware-authd.exe"=
"c:\\Documents and Settings\\Doug\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
.
R0 FixTDSS;TDSS Fixtool driver;c:\windows\system32\drivers\FixTDSS.sys [12/6/2011 9:22 PM 26872]
R2 HMuKstE;Kensington TrackballWorks Expert USB HID Device Filter Driver;c:\windows\system32\drivers\HMuKstE.sys [5/20/2010 2:05 AM 51280]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [8/25/2011 5:53 PM 13672]
R2 SlingAgentService;SlingAgentService;c:\program files\Sling Media\SlingAgent\SlingAgentService.exe [9/25/2009 12:16 PM 93960]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [1/22/2010 8:57 PM 70704]
R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [1/22/2010 8:00 PM 563760]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S2 DirMngr;DirMngr;c:\program files\GNU\GnuPG\dirmngr.exe [3/2/2011 10:20 AM 224256]
S3 EraserUtilDrv11113;EraserUtilDrv11113;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11113.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11113.sys [?]
S3 FLASHSYS;FLASHSYS;c:\program files\MSI\Live Update 4\LU4\FlashSys.sys [3/19/2011 8:38 AM 9216]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [6/12/2011 10:15 AM 31125880]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 8:37 PM 4640000]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11/22/2008 9:04 PM 717296]
SUnknown GVTDrv;GVTDrv; [x]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-05-18 21:54 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
LSP: c:\program files\VMware\VMware Player\vsocklib.dll
Trusted Zone: intuit.com\ttlc
Trusted Zone: realtytools.com
Trusted Zone: toolkitcma.com
Trusted Zone: toolkitcma2.com
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
DPF: {27F3D5C7-9440-410F-AEDA-E37456121070} - hxxp://x.longandfoster.com/Xcelerate/ActiveXcomponent/eXcelerate.CAB
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-20 15:59
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3724)
c:\windows\system32\WININET.dll
c:\windows\system32\kmw_dll.dll
c:\windows\system32\WOW32.dll
c:\documents and settings\Doug\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
c:\progra~1\MICROS~3\Office14\1033\GrooveIntlResource.dll
c:\program files\Common Files\Ahead\Lib\NeroSearchBar.dll
c:\program files\Common Files\Ahead\Lib\MFC71U.DLL
c:\program files\Common Files\Ahead\Lib\BCGCBPRO860un71.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2011-12-20 16:00:41
ComboFix-quarantined-files.txt 2011-12-20 21:00
ComboFix2.txt 2011-12-20 17:06
.
Pre-Run: 37,252,640,768 bytes free
Post-Run: 37,253,177,344 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
.
- - End Of File - - EB9CEA917A86B7DC91FD0540279BA3F2

#8 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 20 December 2011 - 05:08 PM

Hi,

Yes, go ahead and reinstall your antivirus,

now please do the following:

Please download Malwarebytes' Anti-Malware
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 Chesapeake Doug

  • Topic Starter
  • Members
  • 15 posts

Posted 20 December 2011 - 07:17 PM

CatByte,

Yikes! Maybe I should have resolved everything before trying to install the Anti-Virus. I was installing the Comcast Constant Guard when things went wrong. This installs in two parts: one is some Comcast security stuff that includes a tool bar (which I don't want) and something like a password vault, and the second part is Norton Antivirus, which says it is the Norton Security Suite (powered by Norton 360).

In the first part of the installation I saw an "Access violation" while installing Comcast Constant Guard. But it appeared to complete installation okay. Then I went on to install the Norton piece. That seemed to install and then it said it was starting the services. I then got a Blue Screen of Death (BSoD) that said:
"PAGE_FAULT_IN_NONPAGED_AREA"
***STOP: 0x00000050 (0xB0470013, 0x00000000, 0xB1A80933, 0x00000000)
*** SYMDS.SYS ADDRESS B1AA80933 base B1A72000 Date Stamp 4cb8950b

I then tried rebooting (Normal mode) and got another BSoD with the following data:
*** STOP: 0x0000007E (0xC000007E, 0xB7E9095F, 0xB84C3528, 0xB84C3224
*** sr.sys - Address B7E9095F base at B7E82000 Datestamp 480252c2

I tried booting to SAFE Mode with networking and got:
"PAGE_FAULT_IN_NONPAGED_AREA"
*** STOP: 0x00000050 (0xF7BED95C, 0x00000000, 0xF7BED95C, 0x00000000)

Lastly I tried booting to SAFE Mode no networking and got the same info as for Safe Mode with networking.

So, where do I go from here? Shall I try booting to a restore point created by ComboFix?

I gotta admire your willingness to help folks like me resolve these problems. Thanks.

Doug

#10 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 20 December 2011 - 07:20 PM

yes, first try to restore to the "Last Known Good Configuration" (tap F8 on bootup > arrow up to "Last Known Good")

If that doesn't work > do a system restore to a restore point made by ComboFix

sorry, I thought it was only the Norton Antivirus you were installing, I should have asked

Edited by CatByte, 20 December 2011 - 07:26 PM.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#11 Chesapeake Doug

  • Topic Starter
  • Members
  • 15 posts

Posted 20 December 2011 - 08:24 PM

Sorry. Last good configuration did not work. Got to Windows but got BSOD with following error:

DRIVER_IRQL_NOT_LESS_OR_EQUAL
*** STOP (WITH SOME ADDRESSES)
*** KMW_SYS.SYS (with some addresses)

Actually here is where I am. After a couple of attempts, I have it running Windows Normal mode. I have a window that says, "The system has recovered from a serious error." and wants to report that to Microsoft. I sent the report once and when it finished, I got another BSOD. So I'm leaving that window alone for now.

I see a restore point at 11:51 am today that is just after I ran the Norton Uninstaller. I think I can go to that. Or, I could try to run one of the scanners. It doesn't look like Norton Security Suite is running right now. (I guess I could also try uninstalling Norton and the Comcast "Constant Guard".)

What do you think?

Doug

#12 CatByte (Malware Response Team)

Posted 20 December 2011 - 08:32 PM

Go to the restore point, see if you can successfully boot to that.

#13 Chesapeake Doug (Topic Starter)

Posted 20 December 2011 - 08:33 PM

BTW: The 11:51 restore will put me back before the installation of the Recovery Console and where I was having to boot in SAFE MODE with no network. Given a choice we might try working from here.

Doug

#14 CatByte (Malware Response Team)

Posted 20 December 2011 - 08:35 PM

OK, see if there is anything in Add/Remove Programs relating to Comcast or Norton and uninstall it.

Then give ComboFix a run, allow it to update if it requests to do so; at least the restore point is there if we need it.

#15 Chesapeake Doug (Topic Starter)

Posted 20 December 2011 - 09:22 PM

Okay. I deleted both the Comcast Constant Guard and the Norton installations.

I ran Combofix and the log is below.

I ran FSS and the log is below.

I'm guessing that you now want me to go on to run "mbam" and "ESET". Correct?

Doug

ComboFix 11-12-20.04 - Doug 12/20/2011 21:06:18.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2779 [GMT -5:00]
Running from: c:\documents and settings\Doug\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-11-21 to 2011-12-21 )))))))))))))))))))))))))))))))
.
.
2011-12-21 01:55 . 2011-12-21 01:55 -------- d-----w- c:\documents and settings\Doug\Application Data\comcasttb
2011-12-20 22:44 . 2011-12-21 01:11 -------- d-----w- c:\documents and settings\LocalService\Application Data\ID Vault
2011-12-20 22:39 . 2011-12-20 22:39 -------- d-----w- c:\documents and settings\All Users\Application Data\IsolatedStorage
2011-12-20 22:38 . 2011-12-20 22:39 -------- d-----w- c:\documents and settings\Doug\Local Settings\Application Data\ID Vault
2011-12-20 22:38 . 2011-12-20 22:46 -------- d-----w- c:\documents and settings\Doug\Application Data\ID Vault
2011-12-20 22:38 . 2011-12-21 02:02 -------- d-----w- c:\documents and settings\Doug\Application Data\CallingID
2011-12-20 22:38 . 2011-12-20 22:38 -------- d-----w- c:\program files\Common Files\scanner
2011-12-20 22:38 . 2011-12-20 22:38 -------- d-----w- c:\program files\comcasttb
2011-12-20 22:38 . 2011-12-20 22:38 -------- d-----w- c:\program files\CA
2011-12-20 22:37 . 2011-12-21 01:56 -------- d-----w- c:\documents and settings\Doug\Application Data\xfin_portal
2011-12-20 22:37 . 2011-12-20 22:38 -------- d-----w- c:\program files\xfin_portal
2011-12-20 22:37 . 2011-12-21 02:01 -------- d-----w- c:\program files\Constant Guard Protection Suite
2011-12-20 22:30 . 2011-12-20 22:30 -------- d-----w- c:\documents and settings\All Users\Application Data\White Sky, Inc
2011-12-20 17:15 . 2011-12-20 17:15 -------- d-sh--w- c:\documents and settings\Doug\UserData
2011-12-20 16:47 . 2011-08-17 13:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-12-20 16:40 . 2011-12-20 16:40 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2011-12-20 15:10 . 2011-12-20 15:10 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-12-18 17:49 . 2011-12-18 17:49 -------- d-----w- c:\program files\NirSoft
2011-12-07 02:22 . 2011-12-07 02:22 26872 ----a-w- c:\windows\system32\drivers\FixTDSS.sys
2011-12-07 02:22 . 2011-12-07 02:22 -------- d-----w- c:\documents and settings\Doug\Application Data\FixTDSS
2011-12-06 20:29 . 2011-12-06 20:29 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-12-06 20:17 . 2011-12-06 20:17 -------- d-----w- c:\documents and settings\Doug\Local Settings\Application Data\SanctionedMedia
2011-12-06 19:48 . 2011-12-06 19:49 -------- d-----w- c:\documents and settings\Doug\Local Settings\Application Data\Deployment
2011-11-29 21:42 . 2011-08-31 07:34 4200024 ----a-w- c:\windows\system32\cdintf400.dll
2011-11-29 21:41 . 2011-11-29 21:51 -------- d-----w- c:\program files\Quicken
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-21 01:59 . 2008-10-03 21:51 24944 ----a-w- c:\windows\system32\drivers\GVTDrv.sys
2011-12-21 01:58 . 2008-10-04 00:48 7304 ----a-w- c:\windows\TMP0001.TMP
2011-11-19 03:50 . 2011-05-23 18:10 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-27 05:17 . 2011-10-27 05:17 10 ----a-w- c:\windows\Fonts\wfonts.key
2011-10-10 14:22 . 2008-10-03 15:56 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2001-08-23 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41 . 2008-07-29 23:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41 . 2001-08-23 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41 . 2001-08-23 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-12-20_17.02.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-12-21 01:59 . 2011-12-21 01:59 16384 c:\windows\Temp\Perflib_Perfdata_c0.dat
+ 2011-12-21 01:59 . 2011-12-21 01:59 16384 c:\windows\Temp\Perflib_Perfdata_1c8.dat
+ 2008-10-04 16:08 . 2011-12-20 20:45 25214 c:\windows\Installer\{AC76BA86-1033-0000-BA7E-000000000002}\SC_Distiller.exe
- 2008-10-04 16:08 . 2011-09-09 00:54 25214 c:\windows\Installer\{AC76BA86-1033-0000-BA7E-000000000002}\SC_Distiller.exe
+ 2008-10-04 16:08 . 2011-12-20 20:45 25214 c:\windows\Installer\{AC76BA86-1033-0000-BA7E-000000000002}\SC_Acrobat_Standard.exe
- 2008-10-04 16:08 . 2011-09-09 00:54 25214 c:\windows\Installer\{AC76BA86-1033-0000-BA7E-000000000002}\SC_Acrobat_Standard.exe
- 2008-10-04 16:08 . 2011-09-09 00:54 25214 c:\windows\Installer\{AC76BA86-1033-0000-BA7E-000000000002}\SC_Acrobat.exe
+ 2008-10-04 16:08 . 2011-12-20 20:45 25214 c:\windows\Installer\{AC76BA86-1033-0000-BA7E-000000000002}\SC_Acrobat.exe
+ 2011-12-20 22:38 . 2011-12-20 22:38 8854 c:\windows\Installer\{F05A5232-CE5E-4274-AB27-44EB8105898D}\ARPPRODUCTICON.exe
+ 2008-10-04 16:08 . 2011-12-20 20:45 7278 c:\windows\Installer\{AC76BA86-1033-0000-BA7E-000000000002}\SC_ELEMENTS_DT.exe
- 2008-10-04 16:08 . 2011-09-09 00:54 7278 c:\windows\Installer\{AC76BA86-1033-0000-BA7E-000000000002}\SC_ELEMENTS_DT.exe
+ 2011-12-21 00:58 . 2011-12-20 22:14 170846 c:\windows\PCHEALTH\HELPCTR\Config\Cache\Professional_32_1033.dat
+ 2011-12-20 22:38 . 2011-12-20 22:38 1100800 c:\windows\Installer\658bfe.msi
+ 2011-12-20 22:38 . 2011-12-20 22:38 7873024 c:\windows\Downloaded Installations\{BF9A5F93-0556-477E-951D-21856805F9EB}\CA Pest Patrol Realtime Protection.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Doug\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Doug\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Doug\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Doug\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2008-01-22 152872]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2006-03-30 313472]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-05-18 2363392]
"ComcastAntispyClient"="c:\program files\comcasttb\ComcastSpywareScan\ComcastAntispy.exe" [2009-08-19 1589208]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-02-13 16857600]
"kmw_run.exe"="kmw_run.exe" [2006-08-03 106496]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-05-28 570664]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"EasyTuneVPro"="c:\program files\Gigabyte\ET5Pro\ETcall.exe" [2007-07-26 20480]
"WinSys2"="c:\windows\system32\winsys2.exe" [2008-01-18 208896]
"boincmgr"="c:\program files\BOINC\boincmgr.exe" [2010-05-14 4825856]
"boinctray"="c:\program files\BOINC\boinctray.exe" [2010-05-14 58112]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"VMware hqtray"="c:\program files\VMware\VMware Player\hqtray.exe" [2010-01-23 64048]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-02-23 111208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-02-23 13880424]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-11-04 1753192]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
c:\documents and settings\Sherry\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]
.
c:\documents and settings\Doug\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Doug\Application Data\Dropbox\bin\Dropbox.exe [2011-12-5 24242056]
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-BA7E-000000000002}\SC_Acrobat.exe [2008-10-4 25214]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"N360"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Gigabyte\\ET5Pro\\update.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\VMware\\VMware Player\\vmware-authd.exe"=
"c:\\Documents and Settings\\Doug\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
.
R0 FixTDSS;TDSS Fixtool driver;c:\windows\system32\drivers\FixTDSS.sys [12/6/2011 9:22 PM 26872]
R2 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe [6/17/2009 12:49 PM 616408]
R2 HMuKstE;Kensington TrackballWorks Expert USB HID Device Filter Driver;c:\windows\system32\drivers\HMuKstE.sys [5/20/2010 2:05 AM 51280]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [8/25/2011 5:53 PM 13672]
R2 SlingAgentService;SlingAgentService;c:\program files\Sling Media\SlingAgent\SlingAgentService.exe [9/25/2009 12:16 PM 93960]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [1/22/2010 8:57 PM 70704]
R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [1/22/2010 8:00 PM 563760]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S2 DirMngr;DirMngr;c:\program files\GNU\GnuPG\dirmngr.exe [3/2/2011 10:20 AM 224256]
S3 EraserUtilDrv11113;EraserUtilDrv11113;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11113.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11113.sys [?]
S3 FLASHSYS;FLASHSYS;c:\program files\MSI\Live Update 4\LU4\FlashSys.sys [3/19/2011 8:38 AM 9216]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [6/12/2011 10:15 AM 31125880]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 8:37 PM 4640000]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11/22/2008 9:04 PM 717296]
SUnknown GVTDrv;GVTDrv; [x]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - MarkFun_NT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-05-18 21:54 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://xfinity.comcast.net/?cid=cgps12202011
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
LSP: c:\program files\VMware\VMware Player\vsocklib.dll
Trusted Zone: intuit.com\ttlc
Trusted Zone: realtytools.com
Trusted Zone: toolkitcma.com
Trusted Zone: toolkitcma2.com
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
DPF: {27F3D5C7-9440-410F-AEDA-E37456121070} - hxxp://x.longandfoster.com/Xcelerate/ActiveXcomponent/eXcelerate.CAB
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-20 21:11
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(868)
c:\program files\CA\PPRT\bin\CACheck.dll
c:\program files\CA\PPRT\bin\CAHook.dll
c:\program files\CA\PPRT\bin\CAServer.dll
.
- - - - - - - > 'explorer.exe'(3596)
c:\windows\system32\WININET.dll
c:\program files\CA\PPRT\bin\CACheck.dll
c:\program files\CA\PPRT\bin\CAHook.dll
c:\program files\CA\PPRT\bin\CAServer.dll
c:\windows\system32\kmw_dll.dll
c:\windows\system32\WOW32.dll
c:\documents and settings\Doug\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
c:\progra~1\MICROS~3\Office14\1033\GrooveIntlResource.dll
c:\program files\Common Files\Ahead\Lib\NeroSearchBar.dll
c:\program files\Common Files\Ahead\Lib\MFC71U.DLL
c:\program files\Common Files\Ahead\Lib\BCGCBPRO860un71.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2011-12-20 21:12:59
ComboFix-quarantined-files.txt 2011-12-21 02:12
ComboFix2.txt 2011-12-20 21:00
ComboFix3.txt 2011-12-20 17:06
.
Pre-Run: 36,727,283,712 bytes free
Post-Run: 36,740,337,664 bytes free
.
- - End Of File - - BF5F09564D67FF726C35579578F1B0E6



Farbar Service Scanner
Ran by Doug (administrator) on 20-12-2011 at 21:13:20
Microsoft Windows XP Professional Service Pack 3 (X86)
********************************************************

Service Check:
==============

File Check:
===========
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit

Connection Status:
==================
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.

**** End of log ****
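The "File Check:" section of the Farbar Service Scanner log above reports each networking and service binary as "MD5 is legit" by hashing it and comparing against a known-good value, which is the kind of check that catches a Tidserv/TDSS-style driver patch. The script below is an added example written for this page, not code from the thread, from Farbar, or from Symantec: it builds a hash manifest from a trusted copy of the files and re-checks a tree against it. The file list mirrors the FSS log; the hashes and the sample files are constructed inside the script, so they are not real Microsoft hashes.

```python
"""Verify critical system files against a known-good hash manifest.

Added example (not from the BleepingComputer thread or from Farbar's tool):
it reproduces the idea behind the "File Check:" section of the Farbar Service
Scanner log, where each binary is reported as "MD5 is legit" or not.
Paths, hashes and sample files are constructed here for demonstration.
"""
import hashlib
import os
import tempfile
from typing import Dict, Iterable

# Files FSS checks on XP (taken from the log). Relative to %SystemRoot%.
CRITICAL_FILES = [
    r"system32\svchost.exe",
    r"system32\rpcss.dll",
    r"system32\services.exe",
    r"system32\Drivers\afd.sys",
    r"system32\Drivers\tcpip.sys",
]


def _abs(root: str, rel: str) -> str:
    """Join a Windows-style relative path onto root in an OS-neutral way."""
    return os.path.join(root, *rel.split("\\"))


def file_digest(path: str, algo: str = "md5") -> str:
    """Stream the file through hashlib so large drivers are not read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str, rel_paths: Iterable[str], algo: str = "md5") -> Dict[str, str]:
    """Snapshot hashes of a trusted (clean) install to use as the baseline."""
    return {rel: file_digest(_abs(root, rel), algo) for rel in rel_paths}


def check_files(root: str, manifest: Dict[str, str], algo: str = "md5") -> Dict[str, str]:
    """Return {relative_path: 'legit' | 'MISMATCH' | 'MISSING'} for every manifest entry."""
    results = {}
    for rel, expected in manifest.items():
        full = _abs(root, rel)
        if not os.path.isfile(full):
            results[rel] = "MISSING"
            continue
        actual = file_digest(full, algo)
        results[rel] = "legit" if actual.lower() == expected.lower() else "MISMATCH"
    return results


def demo() -> Dict[str, str]:
    """Constructed scenario: baseline a fake 'clean' tree, then append bytes to
    afd.sys (the way a driver-infecting rootkit patches it) and delete rpcss.dll."""
    root = tempfile.mkdtemp()
    for rel in CRITICAL_FILES:
        full = _abs(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(b"MZ" + rel.encode() + b"\x00" * 64)  # fake PE-like content
    manifest = build_manifest(root, CRITICAL_FILES)
    with open(_abs(root, r"system32\Drivers\afd.sys"), "ab") as f:
        f.write(b"\xcc" * 16)  # simulated infection
    os.remove(_abs(root, r"system32\rpcss.dll"))
    return check_files(root, manifest)


if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{path} => {status}")
```

Two caveats for real use: take the baseline from install media or a known-clean machine of the same patch level, not from the suspect box, and run the check from offline boot media. A kernel-mode rootkit that hooks disk or file-system I/O can hand clean bytes to a user-mode reader on the live system, so a "legit" result from a booted, infected OS proves less than the same result from outside it. MD5 is used only to match the FSS output; pass `algo="sha256"` for a baseline you intend to keep.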



