View Full Version : Help with this hijack log (Resolved)
Hello,
I believe this problem is going to need some assistance.
This is on my second rig in the home, primarily used by the kids/wife.
It started with something called Anti-virus Soft.. or maybe Soft Anti-virus.
It basically hijacked my system, lotta pop up windows, and it prevented me from running applications such as Malwarebytes' Anti-malware. I was able to run that program in safe-mode, and I thought the problem was solved. I then renewed Norton AV, and it was installed.
Now google comes up with this message:
We're sorry...
... but your computer or network may be sending automated queries. To protect our users, we can't process your request right now.
To continue searching, please type the characters you see below:
I did not enter anything, thinking it was something more, and decided to run Malwarebytes' program again. Nothing was found, but being stubborn, decided to try Lavasoft's Ad-aware, and was unable to run it due to something about Microsoft net app. I then remembered Spybot Search and Destroy. Spybot SND was installed, ran and it found numerous entries, however it couldn't fix them. This led to more reading, and eventually to here.
My apology for the long explanation, hope that it is of some assistance.
This hijack report is from a normal log on and not from safe-mode, and during the hijack report process prompted me about the host file, denied access, and if it had to be fixed, it would have to be opened with notepad.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:11:14 PM, on 2/15/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Napster\napster.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Norton SystemWorks\NswUiTray.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Internet Security\Engine\17.5.0.127\ccSvcHst.exe
C:\PROGRA~1\NORTON~3\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Norton Internet Security\Engine\17.5.0.127\ccSvcHst.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O1 - Hosts: 74.125.45.100 4-open-davinci.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getavplusnow.com
O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
O1 - Hosts: 74.125.45.100 urs.microsoft.com
O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
O1 - Hosts: 74.125.45.100 paysoftbillsolution.com
O1 - Hosts: 74.125.45.100 protected.maxisoftwaremart.com
O1 - Hosts: 188.124.7.190 www.google.com
O1 - Hosts: 188.124.7.190 google.com
O1 - Hosts: 188.124.7.190 google.com.au
O1 - Hosts: 188.124.7.190 www.google.com.au
O1 - Hosts: 188.124.7.190 google.be
O1 - Hosts: 188.124.7.190 www.google.be
O1 - Hosts: 188.124.7.190 google.com.br
O1 - Hosts: 188.124.7.190 www.google.com.br
O1 - Hosts: 188.124.7.190 google.ca
O1 - Hosts: 188.124.7.190 www.google.ca
O1 - Hosts: 188.124.7.190 google.ch
O1 - Hosts: 188.124.7.190 www.google.ch
O1 - Hosts: 188.124.7.190 google.de
O1 - Hosts: 188.124.7.190 www.google.de
O1 - Hosts: 188.124.7.190 google.dk
O1 - Hosts: 188.124.7.190 www.google.dk
O1 - Hosts: 188.124.7.190 google.fr
O1 - Hosts: 188.124.7.190 www.google.fr
O1 - Hosts: 188.124.7.190 google.ie
O1 - Hosts: 188.124.7.190 www.google.ie
O1 - Hosts: 188.124.7.190 google.it
O1 - Hosts: 188.124.7.190 www.google.it
O1 - Hosts: 188.124.7.190 google.co.jp
O1 - Hosts: 188.124.7.190 www.google.co.jp
O1 - Hosts: 188.124.7.190 google.nl
O1 - Hosts: 188.124.7.190 www.google.nl
O1 - Hosts: 188.124.7.190 google.no
O1 - Hosts: 188.124.7.190 www.google.no
O1 - Hosts: 188.124.7.190 google.co.nz
O1 - Hosts: 188.124.7.190 www.google.co.nz
O1 - Hosts: 188.124.7.190 google.pl
O1 - Hosts: 188.124.7.190 www.google.pl
O1 - Hosts: 188.124.7.190 google.se
O1 - Hosts: 188.124.7.190 www.google.se
O1 - Hosts: 188.124.7.190 google.co.uk
O1 - Hosts: 188.124.7.190 www.google.co.uk
O1 - Hosts: 188.124.7.190 google.co.za
O1 - Hosts: 188.124.7.190 www.google.co.za
O1 - Hosts: 188.124.7.190 www.google-analytics.com
O1 - Hosts: 188.124.7.190 www.bing.com
O1 - Hosts: 188.124.7.190 search.yahoo.com
O1 - Hosts: 188.124.7.190 www.search.yahoo.com
O1 - Hosts: 188.124.7.190 uk.search.yahoo.com
O1 - Hosts: 188.124.7.190 ca.search.yahoo.com
O1 - Hosts: 188.124.7.190 de.search.yahoo.com
O1 - Hosts: 188.124.7.190 fr.search.yahoo.com
O1 - Hosts: 188.124.7.190 au.search.yahoo.com
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\17.5.0.127\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\17.5.0.127\IPSBHO.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\17.5.0.127\coIEPlg.dll
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NSWosCheck] "C:\Program Files\Norton SystemWorks\osCheck.exe"
O4 - HKLM\..\Run: [NswUiTray] C:\Program Files\Norton SystemWorks\NswUiTray.exe
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKCU\..\Run: [Bandwidth Monitor Pro] "C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe" /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (HKCU)
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Google Update Service (gupdate1c9664954f7bd1c) (gupdate1c9664954f7bd1c) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\17.5.0.127\ccSvcHst.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~1\NPROTECT.EXE
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
--
End of file - 9600 bytes
I followed the instructions on the readme first.
Thanks for your time, any help would be appreciated.
Please note that all instructions given are customised for this computer only,
the tools used may cause damage if used on a computer with different infections.
If you think you have similar problems, please post a log in the HJT forum and wait for help.
Hello and welcome to the forums
My name is Katana and I will be helping you to remove any infection(s) that you may have.
Please observe these rules while we work:
Please Read All Instructions Carefully
If you don't understand something, stop and ask! Don't keep going on.
Please do not run any other tools or scans whilst I am helping you
Failure to reply within 5 days will result in the topic being closed.
Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)
If you can do those few things, everything should go smoothly http://www.countingcows.de/laechel.gif
Some of the logs I request will be quite large, You may need to split them over a couple of replies.
Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe
----------------------------------------------------------------------------------------
Step 1
Disable Teatimer
We need to disable Teatimer as it may interfere with the cleaning.
Please do not re-enable it until I give instructions.
First step: Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
If you have Version 1.4, Click on Exit Spybot S&D Resident Second step, For Either Version : Open Spybot S&D
Click Mode, choose Advanced Mode
Go To the bottom of the Vertical Panel on the Left, Click Tools
then, also in left panel, click Resident shows a red/white shield.
If your firewall raises a question, say OK
In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
OK any prompts.
Use File, Exit to terminate Spybot
Click Link >>> HERE <<< Link (http://www.neoshine.co.uk/mina/Downloads/TTWipe.bat) and select "save as" and save it to your desktop
Double click TTWipe.bat
Reboot your machine for the changes to take effect.
----------------------------------------------------------------------------------------
Step 2
Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:
Bleeping Computer ComboFix Tutorial (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log to post in your next reply
Re-enable all the programs that were disabled during the running of ComboFix..
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
For instructions on how to disable your security programs, please see this topic
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs (http://www.bleepingcomputer.com/forums/topic114351.html)
ComboFix 10-02-20.01 - Tool 01/01/2003 0:42.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1279.831 [GMT -7:00]
Running from: c:\documents and settings\Tool\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\Mozilla Firefox\searchplugins\search.xml
c:\recycler\NPROTECT
c:\recycler\NPROTECT\00000000.DAT
c:\recycler\NPROTECT\00000001.DAT
c:\recycler\NPROTECT\00000002
c:\recycler\NPROTECT\00000003
c:\recycler\NPROTECT\00000004
c:\recycler\NPROTECT\00000005
c:\recycler\NPROTECT\00000007
c:\recycler\NPROTECT\00000009
c:\recycler\NPROTECT\00000010
c:\recycler\NPROTECT\00000013.0
c:\recycler\NPROTECT\00000014
c:\recycler\NPROTECT\00000015
c:\recycler\NPROTECT\00000016.DAT
c:\recycler\NPROTECT\00000017
c:\recycler\NPROTECT\00000018
c:\recycler\NPROTECT\00000019
c:\recycler\NPROTECT\00000020
c:\recycler\NPROTECT\00000023
c:\recycler\NPROTECT\00000024.DAT
c:\recycler\NPROTECT\00000025
c:\recycler\NPROTECT\00000026
c:\recycler\NPROTECT\00000027.DAT
c:\recycler\NPROTECT\00000028
c:\recycler\NPROTECT\00000029
c:\recycler\NPROTECT\00000030
c:\recycler\NPROTECT\00000031
c:\recycler\NPROTECT\00000032
c:\recycler\NPROTECT\00000033
c:\recycler\NPROTECT\00000034
c:\recycler\NPROTECT\00000035
c:\recycler\NPROTECT\00000036
c:\recycler\NPROTECT\00000037
c:\recycler\NPROTECT\00000038
c:\recycler\NPROTECT\00000039
c:\recycler\NPROTECT\00000040
c:\recycler\NPROTECT\00000041.dat
c:\recycler\NPROTECT\00000042
c:\recycler\NPROTECT\00000043
c:\recycler\NPROTECT\00000046
c:\recycler\NPROTECT\00000047
c:\recycler\NPROTECT\00000048
c:\recycler\NPROTECT\00000049
c:\recycler\NPROTECT\00000050
c:\recycler\NPROTECT\00000051
c:\recycler\NPROTECT\00000052
c:\recycler\NPROTECT\00000053
c:\recycler\NPROTECT\00000054
c:\recycler\NPROTECT\00000056
c:\recycler\NPROTECT\00000058
c:\recycler\NPROTECT\00000059
c:\recycler\NPROTECT\00000060
c:\recycler\NPROTECT\00000061
c:\recycler\NPROTECT\00000062
c:\recycler\NPROTECT\00000063
c:\recycler\NPROTECT\00000064
c:\recycler\NPROTECT\00000065
c:\recycler\NPROTECT\00000066
c:\recycler\NPROTECT\00000067
c:\recycler\NPROTECT\00000068
c:\recycler\NPROTECT\00000069
c:\recycler\NPROTECT\00000070
c:\recycler\NPROTECT\00000071
c:\recycler\NPROTECT\00000072
c:\recycler\NPROTECT\00000073
c:\recycler\NPROTECT\00000074
c:\recycler\NPROTECT\00000075
c:\recycler\NPROTECT\00000076
c:\recycler\NPROTECT\00000078
c:\recycler\NPROTECT\00000079
c:\recycler\NPROTECT\00000080
c:\recycler\NPROTECT\00000082
c:\recycler\NPROTECT\00000083
c:\recycler\NPROTECT\00000084
c:\recycler\NPROTECT\00000085
c:\recycler\NPROTECT\00000087
c:\recycler\NPROTECT\00000089
c:\recycler\NPROTECT\00000090
c:\recycler\NPROTECT\00000092
c:\recycler\NPROTECT\00000093
c:\recycler\NPROTECT\00000094
c:\recycler\NPROTECT\00000095
c:\recycler\NPROTECT\00000096
c:\recycler\NPROTECT\00000098
c:\recycler\NPROTECT\00000099
c:\recycler\NPROTECT\00000100
c:\recycler\NPROTECT\00000101
c:\recycler\NPROTECT\00000103
c:\recycler\NPROTECT\00000104
c:\recycler\NPROTECT\00000105
c:\recycler\NPROTECT\00000107
c:\recycler\NPROTECT\00000108
c:\recycler\NPROTECT\00000109
c:\recycler\NPROTECT\00000111
c:\recycler\NPROTECT\00000112
c:\recycler\NPROTECT\00000113
c:\recycler\NPROTECT\00000114
c:\recycler\NPROTECT\00000115
c:\recycler\NPROTECT\00000116
c:\recycler\NPROTECT\00000117
c:\recycler\NPROTECT\00000118
c:\recycler\NPROTECT\00000119
c:\recycler\NPROTECT\00000120
c:\recycler\NPROTECT\00000121
c:\recycler\NPROTECT\00000122
c:\recycler\NPROTECT\00000123
c:\recycler\NPROTECT\00000125
c:\recycler\NPROTECT\00000126
c:\recycler\NPROTECT\00000127
c:\recycler\NPROTECT\00000128
c:\recycler\NPROTECT\00000130
c:\recycler\NPROTECT\00000131
c:\recycler\NPROTECT\00000132
c:\recycler\NPROTECT\00000133
c:\recycler\NPROTECT\00000134
c:\recycler\NPROTECT\00000135
c:\recycler\NPROTECT\00000136
c:\recycler\NPROTECT\00000137
c:\recycler\NPROTECT\00000138
c:\recycler\NPROTECT\00000140
c:\recycler\NPROTECT\00000141
c:\recycler\NPROTECT\00000143
c:\recycler\NPROTECT\00000144
c:\recycler\NPROTECT\00000146
c:\recycler\NPROTECT\00000147
c:\recycler\NPROTECT\00000148
c:\recycler\NPROTECT\00000149
c:\recycler\NPROTECT\00000150
c:\recycler\NPROTECT\00000152
c:\recycler\NPROTECT\00000153
c:\recycler\NPROTECT\00000154
c:\recycler\NPROTECT\00000156
c:\recycler\NPROTECT\00000157
c:\recycler\NPROTECT\00000159
c:\recycler\NPROTECT\00000160
c:\recycler\NPROTECT\00000162
c:\recycler\NPROTECT\00000163
c:\recycler\NPROTECT\00000164
c:\recycler\NPROTECT\00000165
c:\recycler\NPROTECT\00000166
c:\recycler\NPROTECT\00000167
c:\recycler\NPROTECT\00000168
c:\recycler\NPROTECT\00000169.DB-
c:\recycler\NPROTECT\00000170
c:\recycler\NPROTECT\00000171
c:\recycler\NPROTECT\00000172
c:\recycler\NPROTECT\00000173
c:\recycler\NPROTECT\00000174
c:\recycler\NPROTECT\00000175
c:\recycler\NPROTECT\00000176
c:\recycler\NPROTECT\00000177
c:\recycler\NPROTECT\00000178
c:\recycler\NPROTECT\00000180
c:\recycler\NPROTECT\00000182
c:\recycler\NPROTECT\00000183
c:\recycler\NPROTECT\00000184
c:\recycler\NPROTECT\00000185
c:\recycler\NPROTECT\00000187
c:\recycler\NPROTECT\00000188
c:\recycler\NPROTECT\00000189
c:\recycler\NPROTECT\00000191
c:\recycler\NPROTECT\00000192
c:\recycler\NPROTECT\00000194
c:\recycler\NPROTECT\00000195
c:\recycler\NPROTECT\00000196
c:\recycler\NPROTECT\00000197
c:\recycler\NPROTECT\00000198
c:\recycler\NPROTECT\00000200
c:\recycler\NPROTECT\00000201
c:\recycler\NPROTECT\00000202
c:\recycler\NPROTECT\00000203
c:\recycler\NPROTECT\00000204
c:\recycler\NPROTECT\00000205
c:\recycler\NPROTECT\00000206
c:\recycler\NPROTECT\00000208
c:\recycler\NPROTECT\00000210
c:\recycler\NPROTECT\00000211
c:\recycler\NPROTECT\00000212
c:\recycler\NPROTECT\00000213
c:\recycler\NPROTECT\00000214
c:\recycler\NPROTECT\00000215
c:\recycler\NPROTECT\00000216
c:\recycler\NPROTECT\00000217
c:\recycler\NPROTECT\00000218
c:\recycler\NPROTECT\00000220
c:\recycler\NPROTECT\00000222
c:\recycler\NPROTECT\00000223
c:\recycler\NPROTECT\00000224
c:\recycler\NPROTECT\00000225
c:\recycler\NPROTECT\00000226
c:\recycler\NPROTECT\00000228
c:\recycler\NPROTECT\00000229
c:\recycler\NPROTECT\00000231
c:\recycler\NPROTECT\00000232
c:\recycler\NPROTECT\00000233
c:\recycler\NPROTECT\00000234
c:\recycler\NPROTECT\00000236
c:\recycler\NPROTECT\00000237
c:\recycler\NPROTECT\00000240
c:\recycler\NPROTECT\00000241
c:\recycler\NPROTECT\00000242
c:\recycler\NPROTECT\00000244
c:\recycler\NPROTECT\00000246
c:\recycler\NPROTECT\00000247
c:\recycler\NPROTECT\00000248
c:\recycler\NPROTECT\00000249
c:\recycler\NPROTECT\00000250
c:\recycler\NPROTECT\00000251
c:\recycler\NPROTECT\00000252
c:\recycler\NPROTECT\00000253
c:\recycler\NPROTECT\00000254
c:\recycler\NPROTECT\00000255
c:\recycler\NPROTECT\00000256
c:\recycler\NPROTECT\00000257
c:\recycler\NPROTECT\00000259
c:\recycler\NPROTECT\00000260
c:\recycler\NPROTECT\00000262
c:\recycler\NPROTECT\00000263
c:\recycler\NPROTECT\00000264
c:\recycler\NPROTECT\00000266
c:\recycler\NPROTECT\00000267
c:\recycler\NPROTECT\00000268
c:\recycler\NPROTECT\00000269
c:\recycler\NPROTECT\00000270
c:\recycler\NPROTECT\00000272
c:\recycler\NPROTECT\00000273
c:\recycler\NPROTECT\00000274
c:\recycler\NPROTECT\00000275
c:\recycler\NPROTECT\00000277
c:\recycler\NPROTECT\00000278
c:\recycler\NPROTECT\00000279
c:\recycler\NPROTECT\00000280
c:\recycler\NPROTECT\00000281
c:\recycler\NPROTECT\00000282
c:\recycler\NPROTECT\00000283
c:\recycler\NPROTECT\00000284
c:\recycler\NPROTECT\00000285
c:\recycler\NPROTECT\00000286
c:\recycler\NPROTECT\00000290
c:\recycler\NPROTECT\00000291.dat
c:\recycler\NPROTECT\00000292.dat
c:\recycler\NPROTECT\00000293
c:\recycler\NPROTECT\00000294
c:\recycler\NPROTECT\00000295
c:\recycler\NPROTECT\00000296
c:\recycler\NPROTECT\00000297
c:\recycler\NPROTECT\00000298
c:\recycler\NPROTECT\00000299
c:\recycler\NPROTECT\00000301
c:\recycler\NPROTECT\00000303.dat
c:\recycler\NPROTECT\00000307
c:\recycler\NPROTECT\00000308.bat
c:\recycler\NPROTECT\00000309
c:\recycler\NPROTECT\00000310
c:\recycler\NPROTECT\00000312
c:\recycler\NPROTECT\00000314
c:\recycler\NPROTECT\00000315
c:\recycler\NPROTECT\00000316
c:\recycler\NPROTECT\00000319
c:\recycler\NPROTECT\00000320
c:\recycler\NPROTECT\00000321
c:\recycler\NPROTECT\00000322
c:\recycler\NPROTECT\00000324
c:\recycler\NPROTECT\00000325
c:\recycler\NPROTECT\00000326
c:\recycler\NPROTECT\00000327
c:\recycler\NPROTECT\00000328
c:\recycler\NPROTECT\00000329
c:\recycler\NPROTECT\00000330
c:\recycler\NPROTECT\00000331
c:\recycler\NPROTECT\00000332
c:\recycler\NPROTECT\00000333
c:\recycler\NPROTECT\00000334
c:\recycler\NPROTECT\00000335
c:\recycler\NPROTECT\00000336
c:\recycler\NPROTECT\00000337
c:\recycler\NPROTECT\00000338
c:\recycler\NPROTECT\00000340
c:\recycler\NPROTECT\00000341
c:\recycler\NPROTECT\00000344
c:\recycler\NPROTECT\00000347.SYS
c:\recycler\NPROTECT\00000348
c:\recycler\NPROTECT\00000349
c:\recycler\NPROTECT\00000350
c:\recycler\NPROTECT\00000351
c:\recycler\NPROTECT\00000352
c:\recycler\NPROTECT\00000353
c:\recycler\NPROTECT\00000354
c:\recycler\NPROTECT\00000355
c:\recycler\NPROTECT\00000356.dat
c:\recycler\NPROTECT\00000357
c:\recycler\NPROTECT\00000358
c:\recycler\NPROTECT\00000359.bad
c:\recycler\NPROTECT\00000360
c:\recycler\NPROTECT\00000361
c:\recycler\NPROTECT\00000362
c:\recycler\NPROTECT\00000363
c:\recycler\NPROTECT\00000364
c:\recycler\NPROTECT\00000370
c:\recycler\NPROTECT\00000372
c:\recycler\NPROTECT\00000374.md5
c:\recycler\NPROTECT\00000381
c:\recycler\NPROTECT\00000383
c:\recycler\NPROTECT\00000384
c:\recycler\NPROTECT\NPROTECT.LOG
c:\windows\$NtServicePackUninstall$\6to4svc.dll
----- BITS: Possible infected sites -----
hxxp://definitions.symantec.com
Infected copy of c:\windows\system32\msgsvc.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\msgsvc.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_TDSSSERV.SYS
((((((((((((((((((((((((( Files Created from 2002-12-01 to 2003-01-01 )))))))))))))))))))))))))))))))
.
2010-02-20 19:16 . 2010-02-10 08:00 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\VirusDefs\20100220.006\NAVENG.SYS
2010-02-20 19:16 . 2010-02-10 08:00 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\VirusDefs\20100220.006\EECTRL.SYS
2010-02-20 19:16 . 2010-02-10 08:00 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\VirusDefs\20100220.006\CCERASER.DLL
2010-02-20 19:16 . 2010-02-10 08:00 259440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\VirusDefs\20100220.006\ECMSVR32.DLL
2010-02-20 19:16 . 2010-02-10 08:00 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\VirusDefs\20100220.006\NAVENG32.DLL
2010-02-20 19:16 . 2010-02-10 08:00 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\VirusDefs\20100220.006\NAVEX32A.DLL
2010-02-20 19:16 . 2010-02-10 08:00 1324720 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\VirusDefs\20100220.006\NAVEX15.SYS
2010-02-20 19:16 . 2010-02-10 08:00 102448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\VirusDefs\20100220.006\ERASER.SYS
2010-02-20 03:19 . 2009-11-17 00:51 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\20100218.001\Scxpx86.dll
2010-02-20 03:19 . 2009-11-17 00:51 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\20100218.001\IDSxpx86.dll
2010-02-20 03:19 . 2009-11-17 00:51 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\20100218.001\IDSviA64.sys
2010-02-20 03:19 . 2009-11-17 00:51 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\20100218.001\IDSvix86.sys
2010-02-20 03:19 . 2009-11-17 00:51 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\20100218.001\IDSXpx86.sys
2010-02-15 17:31 . 2010-02-15 17:31 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-02-14 21:40 . 2009-11-17 00:51 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\20100210.001\Scxpx86.dll
2010-02-14 21:40 . 2009-11-17 00:51 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\20100210.001\IDSxpx86.dll
2010-02-14 21:40 . 2009-11-17 00:51 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\20100210.001\IDSviA64.sys
2010-02-14 21:40 . 2009-11-17 00:51 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\20100210.001\IDSvix86.sys
2010-02-14 21:40 . 2009-11-17 00:51 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\20100210.001\IDSXpx86.sys
2010-02-14 04:33 . 2010-02-14 04:35 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-14 04:33 . 2003-01-01 07:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-13 18:24 . 2010-02-13 18:24 -------- dc----w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-02-13 14:48 . 2009-12-10 03:16 784752 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\coFFPlgn\components\coFFPlgn.dll
2010-02-13 14:48 . 2009-11-17 00:51 164216 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\IPSFFPlgn\components\IPSFFPl.dll
2010-02-13 14:46 . 2009-11-17 00:51 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\BinHub\IDSvia64.sys
2010-02-13 14:46 . 2009-11-17 00:51 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\BinHub\IDSvix86.sys
2010-02-13 14:46 . 2009-11-17 00:51 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\BinHub\IDSxpx86.sys
2010-02-13 14:46 . 2009-11-17 00:51 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\BinHub\scxpx86.dll
2010-02-13 14:46 . 2009-12-08 02:20 965488 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\OCS\hsplayer.dll
2010-02-13 14:46 . 2009-11-17 00:51 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\BinHub\idsxpx86.dll
2010-02-13 14:46 . 2009-12-17 06:31 893296 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\CLT\cltLMSx.dll
2010-02-13 14:46 . 2010-02-13 14:46 -------- d-----w- c:\windows\system32\drivers\NIS
2010-02-13 14:46 . 2010-02-13 14:46 -------- d-----w- c:\program files\Norton Internet Security
2010-02-13 14:46 . 2010-02-13 14:46 -------- d-----w- c:\program files\Windows Sidebar
2010-02-13 14:12 . 2010-02-13 14:12 -------- d-----w- c:\documents and settings\All Users\Application Data\PCSettings
2010-02-11 18:44 . 2010-02-11 18:44 201616 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\BASHDefs\20100211.001\BHRules.dll
2010-02-11 18:44 . 2010-02-11 18:44 1406352 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\BASHDefs\20100211.001\BHEngine.dll
2010-02-11 18:44 . 2010-02-11 18:44 676912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\BASHDefs\20100211.001\BHDrvx64.sys
2010-02-11 18:44 . 2010-02-11 18:44 536112 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\BASHDefs\20100211.001\BHDrvx86.sys
2010-02-11 18:44 . 2010-02-11 18:44 611216 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\BASHDefs\20100211.001\bbRGen.dll
2010-02-05 21:57 . 2010-02-13 13:38 -------- d-----w- c:\documents and settings\Tool\Local Settings\Application Data\fpidyb
2010-02-03 00:38 . 2010-02-03 00:38 -------- d-----w- c:\documents and settings\Tool\Application Data\Malwarebytes
2010-02-03 00:38 . 2010-01-07 23:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-03 00:38 . 2010-02-03 00:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-03 00:38 . 2010-02-03 00:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-03 00:38 . 2010-01-07 23:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-02 03:42 . 2010-02-02 03:42 -------- d-sh--w- c:\documents and settings\All Users\Application Data\LPOZLHTCG
2010-02-02 03:42 . 2009-06-25 17:02 435704 ----a-w- c:\documents and settings\All Users\Application Data\cdba3ff\sqlite3.dll
2010-02-02 03:42 . 2009-06-25 17:02 710136 ----a-w- c:\documents and settings\All Users\Application Data\cdba3ff\mozcrt19.dll
2010-02-02 03:42 . 2010-02-02 03:43 -------- d-sh--w- c:\documents and settings\All Users\Application Data\cdba3ff
2010-01-13 07:13 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2009-12-24 15:55 . 2009-12-24 15:55 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonIJScan
2009-12-24 15:55 . 2009-12-24 15:55 -------- d-----w- c:\documents and settings\Tool\Application Data\Canon
2009-12-16 18:43 . 2009-12-16 18:43 343040 -c----w- c:\windows\system32\dllcache\mspaint.exe
2009-12-14 07:08 . 2009-12-14 07:08 33280 -c----w- c:\windows\system32\dllcache\csrsrv.dll
2009-12-08 09:23 . 2009-12-08 09:23 474112 -c----w- c:\windows\system32\dllcache\shlwapi.dll
2009-11-27 17:11 . 2009-11-27 17:11 17920 -c----w- c:\windows\system32\dllcache\msyuv.dll
2009-11-27 16:07 . 2009-11-27 16:07 8704 -c----w- c:\windows\system32\dllcache\tsbyuv.dll
2009-11-27 16:07 . 2009-11-27 16:07 48128 -c----w- c:\windows\system32\dllcache\iyuv_32.dll
2009-11-27 16:07 . 2009-11-27 16:07 11264 -c----w- c:\windows\system32\dllcache\msrle32.dll
2009-11-11 10:26 . 2010-02-05 14:23 79488 ----a-w- c:\documents and settings\Tool\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-10-21 05:38 . 2009-10-21 05:38 75776 -c----w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38 . 2009-10-21 05:38 25088 -c----w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20 . 2009-10-20 16:20 265728 -c----w- c:\windows\system32\dllcache\http.sys
2009-10-13 10:30 . 2009-10-13 10:30 270336 -c----w- c:\windows\system32\dllcache\oakley.dll
2009-10-12 13:38 . 2009-10-12 13:38 149504 -c----w- c:\windows\system32\dllcache\rastls.dll
2009-10-12 13:38 . 2009-10-12 13:38 79872 -c----w- c:\windows\system32\dllcache\raschap.dll
2009-10-02 22:42 . 2009-10-02 22:42 -------- d-----w- c:\program files\EA Games
2009-10-02 03:50 . 2009-09-15 00:58 1291640 ----a-w- c:\documents and settings\Tool\Application Data\Mozilla\Firefox\Profiles\xltalngg.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\BFHUpdater.exe
2009-10-02 03:50 . 2009-09-15 00:58 729088 ----a-w- c:\documents and settings\Tool\Application Data\Mozilla\Firefox\Profiles\xltalngg.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
2009-09-26 17:51 . 2009-09-26 17:51 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-20 21:56 . 2009-09-20 21:56 -------- d-----w- c:\program files\Disney
2009-09-09 10:44 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-04 21:03 . 2009-09-04 21:03 58880 -c----w- c:\windows\system32\dllcache\msasn1.dll
2009-08-21 10:10 . 2009-08-21 10:10 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-21 10:10 . 2009-08-21 10:10 -------- d-----w- c:\program files\MSBuild
2009-08-21 10:10 . 2009-08-21 10:10 -------- d-----w- c:\program files\Reference Assemblies
2009-08-21 10:09 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2009-08-21 10:08 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-21 10:08 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-21 10:08 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-21 10:08 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2009-08-21 10:08 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-21 10:08 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-21 10:08 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-21 10:08 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-12 10:27 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-31 16:23 . 2009-07-31 16:23 -------- d-----w- c:\program files\Microsoft Games
2009-07-21 07:05 . 2009-07-21 07:05 1348432 ----a-w- c:\windows\system32\msxml4.dll
2009-07-17 22:55 . 2010-02-14 00:00 -------- d-----w- c:\documents and settings\Tool\Local Settings\Application Data\Temp
2009-07-17 19:01 . 2009-07-17 19:01 58880 -c----w- c:\windows\system32\dllcache\atl.dll
2009-07-17 16:22 . 2009-07-17 16:22 1435648 -c----w- c:\windows\system32\dllcache\query.dll
2009-07-12 17:17 . 2009-07-12 17:17 -------- d-----w- c:\program files\PopCap Games
2009-06-25 08:25 . 2009-09-11 14:18 136192 -c----w- c:\windows\system32\dllcache\msv1_0.dll
2009-06-25 08:25 . 2009-06-25 08:25 54272 -c----w- c:\windows\system32\dllcache\wdigest.dll
2009-06-25 08:25 . 2009-06-25 08:25 301568 -c----w- c:\windows\system32\dllcache\kerberos.dll
2009-06-24 11:18 . 2009-06-24 11:18 92928 -c----w- c:\windows\system32\dllcache\ksecdd.sys
2009-06-16 14:36 . 2009-10-15 16:28 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2009-06-16 14:36 . 2009-10-15 16:28 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2009-06-12 12:31 . 2009-06-12 12:31 76288 -c----w- c:\windows\system32\dllcache\telnet.exe
2009-06-10 14:13 . 2009-11-27 16:07 84992 -c----w- c:\windows\system32\dllcache\avifil32.dll
2009-06-10 06:14 . 2009-06-10 06:14 132096 -c----w- c:\windows\system32\dllcache\wkssvc.dll
2009-06-04 19:05 . 2009-06-04 19:05 -------- d--h--w- c:\windows\PIF
2009-05-07 15:32 . 2009-05-07 15:32 345600 -c----w- c:\windows\system32\dllcache\localspl.dll
2009-04-16 01:32 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-04-16 01:31 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-04-16 01:31 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-04-16 01:31 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-04-16 01:31 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-04-16 01:31 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-04-16 01:31 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 01:31 . 2009-06-25 08:25 730112 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 01:31 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-04-16 01:31 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 01:31 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-04-15 14:51 . 2009-04-15 14:51 585216 -c----w- c:\windows\system32\dllcache\rpcrt4.dll
2009-03-30 23:34 . 2001-08-18 05:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-03-30 23:34 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-03-21 15:45 . 2009-03-21 15:45 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonIJEGV
2009-03-21 14:06 . 2009-03-21 14:06 989696 -c----w- c:\windows\system32\dllcache\kernel32.dll
2009-02-27 20:31 . 2009-02-27 20:37 -------- d-----w- c:\documents and settings\Tool\Application Data\SBTT
2009-02-27 20:26 . 2009-02-27 20:27 -------- d-----w- c:\program files\Nick Arcade
2009-02-27 14:10 . 2009-02-27 14:10 -------- d-----w- c:\program files\Common Files\CANON
2009-02-27 14:08 . 2009-02-27 14:08 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonBJ
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-13 14:55 . 2004-10-21 01:58 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-02-13 14:46 . 2009-01-14 19:31 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-02-13 14:46 . 2009-01-14 19:31 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-02-13 03:41 . 2010-02-13 03:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-12-31 16:50 . 2004-08-04 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-22 05:21 . 2004-08-04 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:20 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-12-16 18:43 . 2004-10-21 01:12 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-04 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-04 18:22 . 2004-08-04 12:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:11 . 2004-08-04 12:00 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11 . 2004-08-04 00:56 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:07 . 2004-08-04 12:00 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2004-08-04 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2004-08-04 12:00 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07 . 2004-08-04 00:56 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-21 15:51 . 2004-08-04 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-10-21 05:38 . 2004-08-04 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 12:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-15 16:28 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-10-15 16:28 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-10-13 10:30 . 2004-08-04 12:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-04 12:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-04 12:00 79872 ----a-w- c:\windows\system32\raschap.dll
2009-09-11 14:18 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-26 08:00 . 2004-08-04 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-25 09:17 . 2004-08-04 12:00 354816 ----a-w- c:\windows\system32\winhttp.dll
2009-08-14 13:21 . 2004-08-04 12:00 1850624 ----a-w- c:\windows\system32\win32k.sys
2009-08-07 02:24 . 2004-10-21 01:14 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 02:24 . 2004-10-21 01:14 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 02:24 . 2004-10-21 01:14 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-07 02:24 . 2004-08-04 12:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 02:23 . 2004-10-21 01:14 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 02:23 . 2004-10-21 01:14 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 03:44 . 2004-08-04 12:00 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-03 22:59 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-07-31 17:05 . 2008-09-04 03:41 1372672 ------w- c:\windows\system32\msxml6.dll
2009-07-31 04:35 . 2004-08-04 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-17 16:22 . 2004-08-04 12:00 1435648 ----a-w- c:\windows\system32\query.dll
2009-07-14 06:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-25 08:25 . 2004-08-04 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-04 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-04 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-04 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-04 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-24 11:18 . 2004-08-04 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-12 12:31 . 2004-08-04 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 16:19 . 2004-10-21 01:12 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2004-08-04 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-15 14:51 . 2004-08-04 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-02 06:02 . 2004-08-04 12:00 604160 ----a-w- c:\windows\system32\wmspdmod.dll
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w- c:\windows\system32\pdh.dll
2009-02-09 12:10 . 2004-10-21 01:12 453120 ----a-w- c:\windows\system32\wbem\wmiprvsd.dll
2009-02-09 12:10 . 2004-10-21 01:12 473600 ----a-w- c:\windows\system32\wbem\fastprox.dll
2009-02-09 12:10 . 2004-08-04 12:00 714752 ----a-w- c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 12:00 617472 ----a-w- c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 12:00 401408 ----a-w- c:\windows\system32\rpcss.dll
2009-02-06 11:11 . 2004-08-04 12:00 110592 ----a-w- c:\windows\system32\services.exe
2009-02-06 10:39 . 2004-08-04 12:00 35328 ----a-w- c:\windows\system32\sc.exe
2009-02-06 10:10 . 2004-10-21 01:12 227840 ----a-w- c:\windows\system32\wbem\wmiprvse.exe
2009-01-29 23:05 . 2009-01-29 23:05 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2009-01-29 23:05 . 2009-01-29 23:05 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-01-15 01:10 . 2003-01-01 07:07 -------- d-----w- c:\program files\Common Files\Adobe
2009-01-14 20:25 . 2004-10-21 01:58 -------- d-----w- c:\documents and settings\Tool\Application Data\Symantec
2009-01-14 20:25 . 2004-10-21 01:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2008-10-23 12:36 . 2004-08-04 12:00 286720 ----a-w- c:\windows\system32\gdi32.dll
2008-09-15 11:21 . 2009-06-04 19:05 142794 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Personal_32_1033.dat
2008-09-15 11:20 . 2004-10-21 01:16 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2008-08-14 10:04 . 2004-08-04 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2008-07-07 20:26 . 2004-08-04 12:00 253952 ----a-w- c:\windows\system32\es.dll
2008-06-25 01:12 . 2006-10-19 04:47 295936 ----a-w- c:\windows\system32\wmpeffects.dll
2008-06-24 16:43 . 2004-08-04 12:00 74240 ----a-w- c:\windows\system32\mscms.dll
2008-06-20 17:46 . 2004-08-04 12:00 245248 ----a-w- c:\windows\system32\mswsock.dll
2008-06-20 11:51 . 2004-08-04 12:00 361600 ----a-w- c:\windows\system32\drivers\tcpip.sys
2008-06-20 11:08 . 2004-08-04 12:00 225856 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2008-06-18 12:03 . 2004-08-04 12:00 938496 ----a-w- c:\windows\system32\WMNetmgr.dll
2008-06-18 08:09 . 2004-08-04 12:00 100864 ----a-w- c:\windows\system32\logagent.exe
2008-06-12 14:23 . 2004-10-21 01:12 91648 ----a-w- c:\windows\system32\mtxoci.dll
2008-06-12 14:23 . 2004-10-21 01:12 161792 ----a-w- c:\windows\system32\msdtcuiu.dll
2008-06-12 14:23 . 2004-10-21 01:12 956928 ----a-w- c:\windows\system32\msdtctm.dll
2008-06-12 14:23 . 2004-10-21 01:12 58880 ----a-w- c:\windows\system32\msdtclog.dll
2008-06-12 14:23 . 2004-10-21 01:12 428032 ----a-w- c:\windows\system32\msdtcprx.dll
2008-06-12 14:23 . 2004-08-04 12:00 66560 ----a-w- c:\windows\system32\mtxclu.dll
2008-06-03 06:20 . 2004-10-20 18:07 3100160 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2008-06-03 03:21 . 2004-10-20 18:07 306688 ----a-w- c:\windows\system32\ati2dvag.dll
2008-06-03 02:59 . 2004-10-20 18:07 3500352 ----a-w- c:\windows\system32\ati3duag.dll
2008-06-03 02:48 . 2004-10-20 18:07 2120832 ----a-w- c:\windows\system32\ativvaxx.dll
2008-06-03 02:21 . 2004-10-20 18:07 557056 ----a-w- c:\windows\system32\ati2cqag.dll
2008-05-30 21:19 . 2008-07-15 17:06 507400 ----a-w- c:\windows\system32\XAudio2_1.dll
2008-05-30 21:18 . 2008-07-15 17:06 238088 ----a-w- c:\windows\system32\xactengine3_1.dll
2008-05-30 21:17 . 2008-07-15 17:06 65032 ----a-w- c:\windows\system32\XAPOFX1_0.dll
2008-05-30 21:17 . 2008-07-15 17:06 25608 ----a-w- c:\windows\system32\X3DAudio1_4.dll
2008-05-30 21:11 . 2008-07-15 17:06 467984 ----a-w- c:\windows\system32\d3dx10_38.dll
2008-05-30 21:11 . 2008-07-15 17:06 1491992 ----a-w- c:\windows\system32\D3DCompiler_38.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bandwidth Monitor Pro"="c:\program files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe" [2003-12-03 182272]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NapsterShell"="c:\program files\Napster\napster.exe" [2008-05-09 323216]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NSWosCheck"="c:\program files\Norton SystemWorks\osCheck.exe" [2008-09-25 160112]
"NswUiTray"="c:\program files\Norton SystemWorks\NswUiTray.exe" [2008-09-25 85360]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-04 1848648]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\InterVideo\\WinDVD4PR\\WinDVD.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Microsoft Games\\Dungeon Siege 2\\DungeonSiege2.exe"=
"c:\\Program Files\\Napster\\napster.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9990:TCP"= 9990:TCP:a
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [11/12/2008 4:02 PM 29808]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1105000.07F\SymDS.sys [2/13/2010 7:46 AM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1105000.07F\SymEFA.sys [2/13/2010 7:46 AM 172592]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\BASHDefs\20100211.001\BHDrvx86.sys [2/11/2010 11:44 AM 536112]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1105000.07F\cchpx86.sys [2/13/2010 7:46 AM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1105000.07F\Ironx86.sys [2/13/2010 7:46 AM 116272]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.5.0.127\ccSvcHst.exe [2/13/2010 7:46 AM 126392]
R2 NProtectService;Norton UnErase Protection;c:\progra~1\NORTON~3\NORTON~1\NPROTECT.EXE [9/25/2008 2:53 PM 95600]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [1/14/2009 2:54 PM 1086840]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/14/2010 1:19 AM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\20100218.001\IDSXpx86.sys [2/19/2010 8:19 PM 329592]
S2 gupdate1c9664954f7bd1c;Google Update Service (gupdate1c9664954f7bd1c);c:\program files\Google\Update\GoogleUpdate.exe [12/24/2008 9:29 PM 133104]
S3 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
.
Contents of the 'Scheduled Tasks' folder
2003-01-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-25 06:10]
2010-02-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-25 06:10]
2010-02-15 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job
- c:\program files\Norton SystemWorks\OBC.exe [2008-09-25 21:52]
.
.
------- Supplementary Scan -------
.
IE: &NeoTrace It! - c:\progra~1\NEOTRA~1\NTXcontext.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Tool\Application Data\Mozilla\Firefox\Profiles\xltalngg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\documents and settings\Tool\Application Data\Mozilla\Firefox\Profiles\xltalngg.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npstrlnk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-Cmaudio - cmicnfg.cpl
MSConfigStartUp-SVCHOST - c:\windows\system32\drivers\svchost.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2003-01-01 00:54
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.5.0.127\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.5.0.127\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(640)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\msv1_0.dll
- - - - - - - > 'explorer.exe'(548)
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\progra~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.EXE
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2003-01-01 00:58:28 - machine was rebooted
ComboFix-quarantined-files.txt 2003-01-01 07:58
Pre-Run: 9,902,997,504 bytes free
Post-Run: 10,112,544,768 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
- - End Of File - - 4E8351BC03E586D6AF4C4C346F1B33DE
Step 1
Custom CFScript
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
DirLook::
c:\documents and settings\Tool\Local Settings\Application Data\fpidyb
File::
c:\windows\system32\drivers\etc\hosts
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\drivers\\svchost.exe"=-
ADS::
Save this as CFScript.txt and place it on your desktop.
http://i51.photobucket.com/albums/f387/Katana_1970/CFScriptb.gif
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
----------------------------------------------------------------------------------------
Step 2
Malwarebytes' Anti-Malware
I notice that you have MBAM installed, please do the following
Start MalwareBytes AntiMalware
Update Malwarebytes' Anti-Malware
Select the Update tab
Click Update
When the update is complete, select the Scanner tab
Select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. please copy and paste the log into your next reply
If you accidently close it, the log file is saved here and will be named like this:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
----------------------------------------------------------------------------------------
Step 3
Restore Host File
Download HostsXpert v4.1 (http://www.funkytoad.com/download/HostsXpert.zip) and unzip it to your desktop.
Double click on HostsXpert.exe to launch the program.
Click on Restore MS Hosts File to restore your Hosts file to its default condition.
Click on Make ReadOnly to secure it against further infection. (unless you plan to use another host file)
Exit the program.
Visit the Website (http://www.funkytoad.com/content/view/13/31/) for more information.
----------------------------------------------------------------------------------------
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
Some of the logs I request will be quite large, You may need to split them over a couple of replies.
Combofix Log
Contents of C:\Qoobox\Add Remove Programs.txt
MalwareBytes Log
How are things running now ?
Question,
When I did the dragndrop of the txt file onto Combofix, Norton popped up with the Insight window.
I had Norton disabled for the first steps, but at the end of that first post it said to re-enable everything that was disabled.
Should I have Norton Internet Security disabled for this? Or should I just click the "Run this program anyway" button on Norton insight?
You need to disable Norton before running Combofix.
ComboFix 10-02-20.03 - Tool 01/01/2003 3:32.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1279.883 [GMT -7:00]
Running from: c:\documents and settings\Tool\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Tool\Desktop\CFScript.txt
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
FILE ::
"c:\windows\system32\drivers\etc\hosts"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\recycler\NPROTECT
c:\recycler\NPROTECT\00000000.DAT
c:\recycler\NPROTECT\00000001.DAT
c:\recycler\NPROTECT\00000002
c:\recycler\NPROTECT\00000003
c:\recycler\NPROTECT\00000004
c:\recycler\NPROTECT\00000005
c:\recycler\NPROTECT\00000007
c:\recycler\NPROTECT\00000009
c:\recycler\NPROTECT\00000010
c:\recycler\NPROTECT\00000013.DAT
c:\recycler\NPROTECT\00000014
c:\recycler\NPROTECT\00000015
c:\recycler\NPROTECT\00000016
c:\recycler\NPROTECT\00000017
c:\recycler\NPROTECT\00000020
c:\recycler\NPROTECT\00000021.DAT
c:\recycler\NPROTECT\00000022
c:\recycler\NPROTECT\00000023
c:\recycler\NPROTECT\00000024.DAT
c:\recycler\NPROTECT\00000025
c:\recycler\NPROTECT\00000026
c:\recycler\NPROTECT\00000027
c:\recycler\NPROTECT\00000028
c:\recycler\NPROTECT\00000029
c:\recycler\NPROTECT\00000030
c:\recycler\NPROTECT\00000031
c:\recycler\NPROTECT\00000032
c:\recycler\NPROTECT\00000033
c:\recycler\NPROTECT\00000034
c:\recycler\NPROTECT\00000035
c:\recycler\NPROTECT\00000036
c:\recycler\NPROTECT\00000037
c:\recycler\NPROTECT\00000038.dat
c:\recycler\NPROTECT\00000039
c:\recycler\NPROTECT\00000040
c:\recycler\NPROTECT\00000043
c:\recycler\NPROTECT\00000044
c:\recycler\NPROTECT\00000045
c:\recycler\NPROTECT\00000046
c:\recycler\NPROTECT\00000047
c:\recycler\NPROTECT\00000048
c:\recycler\NPROTECT\00000049
c:\recycler\NPROTECT\00000050
c:\recycler\NPROTECT\00000051
c:\recycler\NPROTECT\00000053
c:\recycler\NPROTECT\00000055
c:\recycler\NPROTECT\00000056
c:\recycler\NPROTECT\00000057
c:\recycler\NPROTECT\00000058
c:\recycler\NPROTECT\00000059
c:\recycler\NPROTECT\00000060
c:\recycler\NPROTECT\00000061
c:\recycler\NPROTECT\00000062
c:\recycler\NPROTECT\00000063
c:\recycler\NPROTECT\00000064
c:\recycler\NPROTECT\00000065
c:\recycler\NPROTECT\00000066
c:\recycler\NPROTECT\00000067
c:\recycler\NPROTECT\00000068
c:\recycler\NPROTECT\00000069
c:\recycler\NPROTECT\00000070
c:\recycler\NPROTECT\00000071
c:\recycler\NPROTECT\00000072
c:\recycler\NPROTECT\00000073
c:\recycler\NPROTECT\00000075
c:\recycler\NPROTECT\00000076
c:\recycler\NPROTECT\00000077
c:\recycler\NPROTECT\00000079
c:\recycler\NPROTECT\00000080
c:\recycler\NPROTECT\00000081
c:\recycler\NPROTECT\00000082
c:\recycler\NPROTECT\00000084
c:\recycler\NPROTECT\00000086
c:\recycler\NPROTECT\00000087
c:\recycler\NPROTECT\00000089
c:\recycler\NPROTECT\00000090
c:\recycler\NPROTECT\00000091
c:\recycler\NPROTECT\00000092
c:\recycler\NPROTECT\00000093
c:\recycler\NPROTECT\00000095
c:\recycler\NPROTECT\00000096
c:\recycler\NPROTECT\00000097
c:\recycler\NPROTECT\00000098
c:\recycler\NPROTECT\00000100
c:\recycler\NPROTECT\00000101
c:\recycler\NPROTECT\00000102
c:\recycler\NPROTECT\00000104
c:\recycler\NPROTECT\00000105
c:\recycler\NPROTECT\00000106.DB~
c:\recycler\NPROTECT\00000107
c:\recycler\NPROTECT\00000109
c:\recycler\NPROTECT\00000110
c:\recycler\NPROTECT\00000111
c:\recycler\NPROTECT\00000112
c:\recycler\NPROTECT\00000113
c:\recycler\NPROTECT\00000114
c:\recycler\NPROTECT\00000115
c:\recycler\NPROTECT\00000116
c:\recycler\NPROTECT\00000117
c:\recycler\NPROTECT\00000118
c:\recycler\NPROTECT\00000119
c:\recycler\NPROTECT\00000120
c:\recycler\NPROTECT\00000121
c:\recycler\NPROTECT\00000123
c:\recycler\NPROTECT\00000124
c:\recycler\NPROTECT\00000125
c:\recycler\NPROTECT\00000126
c:\recycler\NPROTECT\00000128
c:\recycler\NPROTECT\00000129
c:\recycler\NPROTECT\00000130
c:\recycler\NPROTECT\00000131
c:\recycler\NPROTECT\00000132
c:\recycler\NPROTECT\00000133
c:\recycler\NPROTECT\00000134
c:\recycler\NPROTECT\00000135
c:\recycler\NPROTECT\00000136
c:\recycler\NPROTECT\00000138
c:\recycler\NPROTECT\00000139
c:\recycler\NPROTECT\00000141
c:\recycler\NPROTECT\00000142
c:\recycler\NPROTECT\00000144
c:\recycler\NPROTECT\00000145
c:\recycler\NPROTECT\00000146
c:\recycler\NPROTECT\00000147
c:\recycler\NPROTECT\00000148
c:\recycler\NPROTECT\00000150
c:\recycler\NPROTECT\00000151
c:\recycler\NPROTECT\00000152
c:\recycler\NPROTECT\00000154
c:\recycler\NPROTECT\00000155
c:\recycler\NPROTECT\00000157
c:\recycler\NPROTECT\00000158
c:\recycler\NPROTECT\00000160
c:\recycler\NPROTECT\00000161
c:\recycler\NPROTECT\00000162
c:\recycler\NPROTECT\00000163
c:\recycler\NPROTECT\00000164
c:\recycler\NPROTECT\00000165
c:\recycler\NPROTECT\00000166
c:\recycler\NPROTECT\00000167
c:\recycler\NPROTECT\00000168
c:\recycler\NPROTECT\00000169
c:\recycler\NPROTECT\00000170
c:\recycler\NPROTECT\00000171
c:\recycler\NPROTECT\00000172
c:\recycler\NPROTECT\00000173
c:\recycler\NPROTECT\00000174
c:\recycler\NPROTECT\00000175
c:\recycler\NPROTECT\00000177
c:\recycler\NPROTECT\00000179
c:\recycler\NPROTECT\00000180
c:\recycler\NPROTECT\00000181
c:\recycler\NPROTECT\00000182
c:\recycler\NPROTECT\00000184
c:\recycler\NPROTECT\00000185
c:\recycler\NPROTECT\00000186
c:\recycler\NPROTECT\00000188
c:\recycler\NPROTECT\00000189
c:\recycler\NPROTECT\00000191
c:\recycler\NPROTECT\00000192
c:\recycler\NPROTECT\00000193
c:\recycler\NPROTECT\00000194
c:\recycler\NPROTECT\00000195
c:\recycler\NPROTECT\00000197
c:\recycler\NPROTECT\00000198
c:\recycler\NPROTECT\00000199
c:\recycler\NPROTECT\00000200
c:\recycler\NPROTECT\00000201
c:\recycler\NPROTECT\00000202
c:\recycler\NPROTECT\00000203
c:\recycler\NPROTECT\00000205
c:\recycler\NPROTECT\00000207
c:\recycler\NPROTECT\00000208
c:\recycler\NPROTECT\00000209
c:\recycler\NPROTECT\00000210
c:\recycler\NPROTECT\00000211
c:\recycler\NPROTECT\00000212
c:\recycler\NPROTECT\00000213
c:\recycler\NPROTECT\00000214
c:\recycler\NPROTECT\00000215
c:\recycler\NPROTECT\00000217
c:\recycler\NPROTECT\00000219
c:\recycler\NPROTECT\00000220
c:\recycler\NPROTECT\00000221
c:\recycler\NPROTECT\00000222
c:\recycler\NPROTECT\00000223
c:\recycler\NPROTECT\00000225
c:\recycler\NPROTECT\00000226
c:\recycler\NPROTECT\00000228
c:\recycler\NPROTECT\00000229
c:\recycler\NPROTECT\00000230
c:\recycler\NPROTECT\00000231
c:\recycler\NPROTECT\00000233
c:\recycler\NPROTECT\00000234
c:\recycler\NPROTECT\00000237
c:\recycler\NPROTECT\00000238
c:\recycler\NPROTECT\00000239
c:\recycler\NPROTECT\00000241
c:\recycler\NPROTECT\00000243
c:\recycler\NPROTECT\00000244
c:\recycler\NPROTECT\00000245
c:\recycler\NPROTECT\00000246
c:\recycler\NPROTECT\00000247
c:\recycler\NPROTECT\00000248
c:\recycler\NPROTECT\00000249
c:\recycler\NPROTECT\00000250
c:\recycler\NPROTECT\00000251
c:\recycler\NPROTECT\00000252
c:\recycler\NPROTECT\00000253
c:\recycler\NPROTECT\00000255
c:\recycler\NPROTECT\00000256
c:\recycler\NPROTECT\00000258
c:\recycler\NPROTECT\00000259
c:\recycler\NPROTECT\00000260
c:\recycler\NPROTECT\00000262
c:\recycler\NPROTECT\00000263
c:\recycler\NPROTECT\00000264
c:\recycler\NPROTECT\00000265
c:\recycler\NPROTECT\00000266
c:\recycler\NPROTECT\00000268
c:\recycler\NPROTECT\00000269
c:\recycler\NPROTECT\00000270
c:\recycler\NPROTECT\00000271
c:\recycler\NPROTECT\00000273
c:\recycler\NPROTECT\00000274
c:\recycler\NPROTECT\00000275
c:\recycler\NPROTECT\00000276
c:\recycler\NPROTECT\00000277
c:\recycler\NPROTECT\00000278
c:\recycler\NPROTECT\00000279
c:\recycler\NPROTECT\00000280
c:\recycler\NPROTECT\00000281
c:\recycler\NPROTECT\00000282
c:\recycler\NPROTECT\00000283
c:\recycler\NPROTECT\00000284
c:\recycler\NPROTECT\00000285
c:\recycler\NPROTECT\00000289
c:\recycler\NPROTECT\00000290.dat
c:\recycler\NPROTECT\00000291.dat
c:\recycler\NPROTECT\00000293
c:\recycler\NPROTECT\00000294
c:\recycler\NPROTECT\00000295
c:\recycler\NPROTECT\00000296
c:\recycler\NPROTECT\00000297
c:\recycler\NPROTECT\00000298
c:\recycler\NPROTECT\00000299
c:\recycler\NPROTECT\00000301
c:\recycler\NPROTECT\00000303.dat
c:\recycler\NPROTECT\00000306
c:\recycler\NPROTECT\00000307.bat
c:\recycler\NPROTECT\00000308
c:\recycler\NPROTECT\00000309
c:\recycler\NPROTECT\00000311
c:\recycler\NPROTECT\00000313
c:\recycler\NPROTECT\00000314
c:\recycler\NPROTECT\00000317
c:\recycler\NPROTECT\00000318
c:\recycler\NPROTECT\00000319
c:\recycler\NPROTECT\00000320
c:\recycler\NPROTECT\00000322
c:\recycler\NPROTECT\00000323
c:\recycler\NPROTECT\00000324
c:\recycler\NPROTECT\00000325
c:\recycler\NPROTECT\00000326
c:\recycler\NPROTECT\00000327
c:\recycler\NPROTECT\00000328
c:\recycler\NPROTECT\00000329
c:\recycler\NPROTECT\00000330
c:\recycler\NPROTECT\00000331
c:\recycler\NPROTECT\00000332
c:\recycler\NPROTECT\00000333
c:\recycler\NPROTECT\00000334
c:\recycler\NPROTECT\00000335
c:\recycler\NPROTECT\00000336
c:\recycler\NPROTECT\00000338
c:\recycler\NPROTECT\00000339
c:\recycler\NPROTECT\00000342
c:\recycler\NPROTECT\00000345.SY~
c:\recycler\NPROTECT\00000346
c:\recycler\NPROTECT\00000347
c:\recycler\NPROTECT\00000348
c:\recycler\NPROTECT\00000349
c:\recycler\NPROTECT\00000350
c:\recycler\NPROTECT\00000351
c:\recycler\NPROTECT\00000352
c:\recycler\NPROTECT\00000353
c:\recycler\NPROTECT\00000354.dat
c:\recycler\NPROTECT\00000355
c:\recycler\NPROTECT\00000356.bad
c:\recycler\NPROTECT\00000357
c:\recycler\NPROTECT\00000358
c:\recycler\NPROTECT\00000359
c:\recycler\NPROTECT\00000360
c:\recycler\NPROTECT\00000361
c:\recycler\NPROTECT\00000367
c:\recycler\NPROTECT\00000369
c:\recycler\NPROTECT\00000371.md5
c:\recycler\NPROTECT\00000378
c:\recycler\NPROTECT\00000380
c:\recycler\NPROTECT\00000381
c:\recycler\NPROTECT\NPROTECT.LOG
c:\windows\system32\drivers\etc\hosts
Infected copy of c:\windows\system32\msgsvc.dll was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\msgsvc.dll
.
((((((((((((((((((((((((( Files Created from 2002-12-01 to 2003-01-01 )))))))))))))))))))))))))))))))
.
2010-02-20 19:16 . 2010-02-10 08:00 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\VirusDefs\20100220.006\NAVENG.SYS
2010-02-20 19:16 . 2010-02-10 08:00 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\VirusDefs\20100220.006\EECTRL.SYS
2010-02-20 19:16 . 2010-02-10 08:00 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\VirusDefs\20100220.006\CCERASER.DLL
2010-02-20 19:16 . 2010-02-10 08:00 259440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\VirusDefs\20100220.006\ECMSVR32.DLL
2010-02-20 19:16 . 2010-02-10 08:00 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\VirusDefs\20100220.006\NAVENG32.DLL
2010-02-20 19:16 . 2010-02-10 08:00 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\VirusDefs\20100220.006\NAVEX32A.DLL
2010-02-20 19:16 . 2010-02-10 08:00 1324720 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\VirusDefs\20100220.006\NAVEX15.SYS
2010-02-20 19:16 . 2010-02-10 08:00 102448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\VirusDefs\20100220.006\ERASER.SYS
2010-02-20 03:19 . 2009-11-17 00:51 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\20100218.001\Scxpx86.dll
2010-02-20 03:19 . 2009-11-17 00:51 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\20100218.001\IDSxpx86.dll
2010-02-20 03:19 . 2009-11-17 00:51 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\20100218.001\IDSviA64.sys
2010-02-20 03:19 . 2009-11-17 00:51 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\20100218.001\IDSvix86.sys
2010-02-20 03:19 . 2009-11-17 00:51 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\20100218.001\IDSXpx86.sys
2010-02-15 17:31 . 2010-02-15 17:31 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-02-14 21:40 . 2009-11-17 00:51 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\20100210.001\Scxpx86.dll
2010-02-14 21:40 . 2009-11-17 00:51 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\20100210.001\IDSxpx86.dll
2010-02-14 21:40 . 2009-11-17 00:51 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\20100210.001\IDSviA64.sys
2010-02-14 21:40 . 2009-11-17 00:51 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\20100210.001\IDSvix86.sys
2010-02-14 21:40 . 2009-11-17 00:51 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\20100210.001\IDSXpx86.sys
2010-02-14 04:33 . 2010-02-14 04:35 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-14 04:33 . 2003-01-01 07:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-13 18:24 . 2010-02-13 18:24 -------- dc----w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-02-13 14:48 . 2009-12-10 03:16 784752 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\coFFPlgn\components\coFFPlgn.dll
2010-02-13 14:48 . 2009-11-17 00:51 164216 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\IPSFFPlgn\components\IPSFFPl.dll
2010-02-13 14:46 . 2009-11-17 00:51 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\BinHub\IDSvia64.sys
2010-02-13 14:46 . 2009-11-17 00:51 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\BinHub\IDSvix86.sys
2010-02-13 14:46 . 2009-11-17 00:51 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\BinHub\IDSxpx86.sys
2010-02-13 14:46 . 2009-11-17 00:51 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\BinHub\scxpx86.dll
2010-02-13 14:46 . 2009-12-08 02:20 965488 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\OCS\hsplayer.dll
2010-02-13 14:46 . 2009-11-17 00:51 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\BinHub\idsxpx86.dll
2010-02-13 14:46 . 2009-12-17 06:31 893296 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\CLT\cltLMSx.dll
2010-02-13 14:46 . 2010-02-13 14:46 -------- d-----w- c:\windows\system32\drivers\NIS
2010-02-13 14:46 . 2010-02-13 14:46 -------- d-----w- c:\program files\Norton Internet Security
2010-02-13 14:46 . 2010-02-13 14:46 -------- d-----w- c:\program files\Windows Sidebar
2010-02-13 14:12 . 2010-02-13 14:12 -------- d-----w- c:\documents and settings\All Users\Application Data\PCSettings
2010-02-11 18:44 . 2010-02-11 18:44 201616 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\BASHDefs\20100211.001\BHRules.dll
2010-02-11 18:44 . 2010-02-11 18:44 1406352 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\BASHDefs\20100211.001\BHEngine.dll
2010-02-11 18:44 . 2010-02-11 18:44 676912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\BASHDefs\20100211.001\BHDrvx64.sys
2010-02-11 18:44 . 2010-02-11 18:44 536112 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\BASHDefs\20100211.001\BHDrvx86.sys
2010-02-11 18:44 . 2010-02-11 18:44 611216 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\BASHDefs\20100211.001\bbRGen.dll
2010-02-05 21:57 . 2010-02-13 13:38 -------- d-----w- c:\documents and settings\Tool\Local Settings\Application Data\fpidyb
2010-02-03 00:38 . 2010-02-03 00:38 -------- d-----w- c:\documents and settings\Tool\Application Data\Malwarebytes
2010-02-03 00:38 . 2010-01-07 23:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-03 00:38 . 2010-02-03 00:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-03 00:38 . 2010-02-03 00:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-03 00:38 . 2010-01-07 23:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-02 03:42 . 2010-02-02 03:42 -------- d-sh--w- c:\documents and settings\All Users\Application Data\LPOZLHTCG
2010-02-02 03:42 . 2009-06-25 17:02 435704 ----a-w- c:\documents and settings\All Users\Application Data\cdba3ff\sqlite3.dll
2010-02-02 03:42 . 2009-06-25 17:02 710136 ----a-w- c:\documents and settings\All Users\Application Data\cdba3ff\mozcrt19.dll
2010-02-02 03:42 . 2010-02-02 03:43 -------- d-sh--w- c:\documents and settings\All Users\Application Data\cdba3ff
2010-01-13 07:13 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2009-12-24 15:55 . 2009-12-24 15:55 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonIJScan
2009-12-24 15:55 . 2009-12-24 15:55 -------- d-----w- c:\documents and settings\Tool\Application Data\Canon
2009-12-16 18:43 . 2009-12-16 18:43 343040 -c----w- c:\windows\system32\dllcache\mspaint.exe
2009-12-14 07:08 . 2009-12-14 07:08 33280 -c----w- c:\windows\system32\dllcache\csrsrv.dll
2009-12-08 09:23 . 2009-12-08 09:23 474112 -c----w- c:\windows\system32\dllcache\shlwapi.dll
2009-11-27 17:11 . 2009-11-27 17:11 17920 -c----w- c:\windows\system32\dllcache\msyuv.dll
2009-11-27 16:07 . 2009-11-27 16:07 8704 -c----w- c:\windows\system32\dllcache\tsbyuv.dll
2009-11-27 16:07 . 2009-11-27 16:07 48128 -c----w- c:\windows\system32\dllcache\iyuv_32.dll
2009-11-27 16:07 . 2009-11-27 16:07 11264 -c----w- c:\windows\system32\dllcache\msrle32.dll
2009-11-11 10:26 . 2010-02-05 14:23 79488 ----a-w- c:\documents and settings\Tool\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-10-21 05:38 . 2009-10-21 05:38 75776 -c----w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38 . 2009-10-21 05:38 25088 -c----w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20 . 2009-10-20 16:20 265728 -c----w- c:\windows\system32\dllcache\http.sys
2009-10-13 10:30 . 2009-10-13 10:30 270336 -c----w- c:\windows\system32\dllcache\oakley.dll
2009-10-12 13:38 . 2009-10-12 13:38 149504 -c----w- c:\windows\system32\dllcache\rastls.dll
2009-10-12 13:38 . 2009-10-12 13:38 79872 -c----w- c:\windows\system32\dllcache\raschap.dll
2009-10-02 22:42 . 2009-10-02 22:42 -------- d-----w- c:\program files\EA Games
2009-10-02 03:50 . 2009-09-15 00:58 1291640 ----a-w- c:\documents and settings\Tool\Application Data\Mozilla\Firefox\Profiles\xltalngg.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\BFHUpdater.exe
2009-10-02 03:50 . 2009-09-15 00:58 729088 ----a-w- c:\documents and settings\Tool\Application Data\Mozilla\Firefox\Profiles\xltalngg.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
2009-09-26 17:51 . 2009-09-26 17:51 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-20 21:56 . 2009-09-20 21:56 -------- d-----w- c:\program files\Disney
2009-09-09 10:44 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-04 21:03 . 2009-09-04 21:03 58880 -c----w- c:\windows\system32\dllcache\msasn1.dll
2009-08-21 10:10 . 2009-08-21 10:10 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-21 10:10 . 2009-08-21 10:10 -------- d-----w- c:\program files\MSBuild
2009-08-21 10:10 . 2009-08-21 10:10 -------- d-----w- c:\program files\Reference Assemblies
2009-08-21 10:09 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2009-08-21 10:08 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-21 10:08 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-21 10:08 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-21 10:08 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2009-08-21 10:08 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-21 10:08 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-21 10:08 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-21 10:08 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-12 10:27 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-31 16:23 . 2009-07-31 16:23 -------- d-----w- c:\program files\Microsoft Games
2009-07-21 07:05 . 2009-07-21 07:05 1348432 ----a-w- c:\windows\system32\msxml4.dll
2009-07-17 22:55 . 2010-02-14 00:00 -------- d-----w- c:\documents and settings\Tool\Local Settings\Application Data\Temp
2009-07-17 19:01 . 2009-07-17 19:01 58880 -c----w- c:\windows\system32\dllcache\atl.dll
2009-07-17 16:22 . 2009-07-17 16:22 1435648 -c----w- c:\windows\system32\dllcache\query.dll
2009-07-12 17:17 . 2009-07-12 17:17 -------- d-----w- c:\program files\PopCap Games
2009-06-25 08:25 . 2009-09-11 14:18 136192 -c----w- c:\windows\system32\dllcache\msv1_0.dll
2009-06-25 08:25 . 2009-06-25 08:25 54272 -c----w- c:\windows\system32\dllcache\wdigest.dll
2009-06-25 08:25 . 2009-06-25 08:25 301568 -c----w- c:\windows\system32\dllcache\kerberos.dll
2009-06-24 11:18 . 2009-06-24 11:18 92928 -c----w- c:\windows\system32\dllcache\ksecdd.sys
2009-06-16 14:36 . 2009-10-15 16:28 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2009-06-16 14:36 . 2009-10-15 16:28 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2009-06-12 12:31 . 2009-06-12 12:31 76288 -c----w- c:\windows\system32\dllcache\telnet.exe
2009-06-10 14:13 . 2009-11-27 16:07 84992 -c----w- c:\windows\system32\dllcache\avifil32.dll
2009-06-10 06:14 . 2009-06-10 06:14 132096 -c----w- c:\windows\system32\dllcache\wkssvc.dll
2009-06-04 19:05 . 2009-06-04 19:05 -------- d--h--w- c:\windows\PIF
2009-05-07 15:32 . 2009-05-07 15:32 345600 -c----w- c:\windows\system32\dllcache\localspl.dll
2009-04-16 01:32 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-04-16 01:31 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-04-16 01:31 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-04-16 01:31 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-04-16 01:31 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-04-16 01:31 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-04-16 01:31 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 01:31 . 2009-06-25 08:25 730112 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 01:31 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-04-16 01:31 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 01:31 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-04-15 14:51 . 2009-04-15 14:51 585216 -c----w- c:\windows\system32\dllcache\rpcrt4.dll
2009-03-30 23:34 . 2001-08-18 05:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-03-30 23:34 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-03-21 15:45 . 2009-03-21 15:45 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonIJEGV
2009-03-21 14:06 . 2009-03-21 14:06 989696 -c----w- c:\windows\system32\dllcache\kernel32.dll
2009-02-27 20:31 . 2009-02-27 20:37 -------- d-----w- c:\documents and settings\Tool\Application Data\SBTT
2009-02-27 20:26 . 2009-02-27 20:27 -------- d-----w- c:\program files\Nick Arcade
2009-02-27 14:10 . 2009-02-27 14:10 -------- d-----w- c:\program files\Common Files\CANON
2009-02-27 14:08 . 2009-02-27 14:08 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonBJ
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-13 14:55 . 2004-10-21 01:58 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-02-13 14:46 . 2009-01-14 19:31 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-02-13 14:46 . 2009-01-14 19:31 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-02-13 03:41 . 2010-02-13 03:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-12-31 16:50 . 2004-08-04 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-22 05:21 . 2004-08-04 12:00 667136 ------w- c:\windows\system32\wininet.dll
2009-12-22 05:20 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-12-16 18:43 . 2004-10-21 01:12 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-04 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-04 18:22 . 2004-08-04 12:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:11 . 2004-08-04 12:00 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11 . 2004-08-04 00:56 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:07 . 2004-08-04 12:00 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2004-08-04 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2004-08-04 12:00 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07 . 2004-08-04 00:56 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-21 15:51 . 2004-08-04 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-10-21 05:38 . 2004-08-04 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 12:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-15 16:28 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-10-15 16:28 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-10-13 10:30 . 2004-08-04 12:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-04 12:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-04 12:00 79872 ----a-w- c:\windows\system32\raschap.dll
2009-09-11 14:18 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-26 08:00 . 2004-08-04 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-25 09:17 . 2004-08-04 12:00 354816 ----a-w- c:\windows\system32\winhttp.dll
2009-08-14 13:21 . 2004-08-04 12:00 1850624 ----a-w- c:\windows\system32\win32k.sys
2009-08-07 02:24 . 2004-10-21 01:14 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 02:24 . 2004-10-21 01:14 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 02:24 . 2004-10-21 01:14 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-07 02:24 . 2004-08-04 12:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 02:23 . 2004-10-21 01:14 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 02:23 . 2004-10-21 01:14 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 03:44 . 2004-08-04 12:00 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-03 22:59 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-07-31 17:05 . 2008-09-04 03:41 1372672 ------w- c:\windows\system32\msxml6.dll
2009-07-31 04:35 . 2004-08-04 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-17 16:22 . 2004-08-04 12:00 1435648 ----a-w- c:\windows\system32\query.dll
2009-07-14 06:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-25 08:25 . 2004-08-04 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-04 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-04 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-04 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-04 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-24 11:18 . 2004-08-04 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-12 12:31 . 2004-08-04 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 16:19 . 2004-10-21 01:12 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2004-08-04 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-15 14:51 . 2004-08-04 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-02 06:02 . 2004-08-04 12:00 604160 ----a-w- c:\windows\system32\wmspdmod.dll
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w- c:\windows\system32\pdh.dll
2009-02-09 12:10 . 2004-10-21 01:12 453120 ----a-w- c:\windows\system32\wbem\wmiprvsd.dll
2009-02-09 12:10 . 2004-10-21 01:12 473600 ----a-w- c:\windows\system32\wbem\fastprox.dll
2009-02-09 12:10 . 2004-08-04 12:00 714752 ----a-w- c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 12:00 617472 ----a-w- c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 12:00 401408 ------w- c:\windows\system32\rpcss.dll
2009-02-06 11:11 . 2004-08-04 12:00 110592 ------w- c:\windows\system32\services.exe
2009-02-06 10:39 . 2004-08-04 12:00 35328 ----a-w- c:\windows\system32\sc.exe
2009-02-06 10:10 . 2004-10-21 01:12 227840 ----a-w- c:\windows\system32\wbem\wmiprvse.exe
2009-01-29 23:05 . 2009-01-29 23:05 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2009-01-29 23:05 . 2009-01-29 23:05 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-01-15 01:10 . 2003-01-01 07:07 -------- d-----w- c:\program files\Common Files\Adobe
2009-01-14 20:25 . 2004-10-21 01:58 -------- d-----w- c:\documents and settings\Tool\Application Data\Symantec
2009-01-14 20:25 . 2004-10-21 01:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2008-10-23 12:36 . 2004-08-04 12:00 286720 ----a-w- c:\windows\system32\gdi32.dll
2008-09-15 11:21 . 2009-06-04 19:05 142794 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Personal_32_1033.dat
2008-09-15 11:20 . 2004-10-21 01:16 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2008-08-14 10:04 . 2004-08-04 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2008-07-07 20:26 . 2004-08-04 12:00 253952 ------w- c:\windows\system32\es.dll
2008-06-25 01:12 . 2006-10-19 04:47 295936 ----a-w- c:\windows\system32\wmpeffects.dll
2008-06-24 16:43 . 2004-08-04 12:00 74240 ----a-w- c:\windows\system32\mscms.dll
2008-06-20 17:46 . 2004-08-04 12:00 245248 ------w- c:\windows\system32\mswsock.dll
2008-06-20 11:51 . 2004-08-04 12:00 361600 ------w- c:\windows\system32\drivers\tcpip.sys
2008-06-20 11:08 . 2004-08-04 12:00 225856 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2008-06-18 12:03 . 2004-08-04 12:00 938496 ----a-w- c:\windows\system32\WMNetmgr.dll
2008-06-18 08:09 . 2004-08-04 12:00 100864 ----a-w- c:\windows\system32\logagent.exe
2008-06-12 14:23 . 2004-10-21 01:12 91648 ----a-w- c:\windows\system32\mtxoci.dll
2008-06-12 14:23 . 2004-10-21 01:12 161792 ----a-w- c:\windows\system32\msdtcuiu.dll
2008-06-12 14:23 . 2004-10-21 01:12 956928 ----a-w- c:\windows\system32\msdtctm.dll
2008-06-12 14:23 . 2004-10-21 01:12 58880 ----a-w- c:\windows\system32\msdtclog.dll
2008-06-12 14:23 . 2004-10-21 01:12 428032 ----a-w- c:\windows\system32\msdtcprx.dll
2008-06-12 14:23 . 2004-08-04 12:00 66560 ----a-w- c:\windows\system32\mtxclu.dll
2008-06-03 06:20 . 2004-10-20 18:07 3100160 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2008-06-03 03:21 . 2004-10-20 18:07 306688 ----a-w- c:\windows\system32\ati2dvag.dll
2008-06-03 02:59 . 2004-10-20 18:07 3500352 ----a-w- c:\windows\system32\ati3duag.dll
2008-06-03 02:48 . 2004-10-20 18:07 2120832 ----a-w- c:\windows\system32\ativvaxx.dll
2008-06-03 02:21 . 2004-10-20 18:07 557056 ----a-w- c:\windows\system32\ati2cqag.dll
2008-05-30 21:19 . 2008-07-15 17:06 507400 ----a-w- c:\windows\system32\XAudio2_1.dll
2008-05-30 21:18 . 2008-07-15 17:06 238088 ----a-w- c:\windows\system32\xactengine3_1.dll
2008-05-30 21:17 . 2008-07-15 17:06 65032 ----a-w- c:\windows\system32\XAPOFX1_0.dll
2008-05-30 21:17 . 2008-07-15 17:06 25608 ----a-w- c:\windows\system32\X3DAudio1_4.dll
2008-05-30 21:11 . 2008-07-15 17:06 467984 ----a-w- c:\windows\system32\d3dx10_38.dll
2008-05-30 21:11 . 2008-07-15 17:06 1491992 ----a-w- c:\windows\system32\D3DCompiler_38.dll
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\Tool\Local Settings\Application Data\fpidyb ----
((((((((((((((((((((((((((((( SnapShot@2003-01-01_07.54.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2003-01-01 10:44 . 2003-01-01 10:44 16384 c:\windows\Temp\Perflib_Perfdata_748.dat
+ 2003-01-01 10:45 . 2003-01-01 10:45 16384 c:\windows\Temp\Perflib_Perfdata_6c.dat
- 2003-01-01 07:53 . 2003-01-01 07:53 16384 c:\windows\Temp\Perflib_Perfdata_6c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bandwidth Monitor Pro"="c:\program files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe" [2003-12-03 182272]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NapsterShell"="c:\program files\Napster\napster.exe" [2008-05-09 323216]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NSWosCheck"="c:\program files\Norton SystemWorks\osCheck.exe" [2008-09-25 160112]
"NswUiTray"="c:\program files\Norton SystemWorks\NswUiTray.exe" [2008-09-25 85360]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-04 1848648]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\InterVideo\\WinDVD4PR\\WinDVD.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Microsoft Games\\Dungeon Siege 2\\DungeonSiege2.exe"=
"c:\\Program Files\\Napster\\napster.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9990:TCP"= 9990:TCP:a
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [11/12/2008 4:02 PM 29808]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1105000.07F\SymDS.sys [2/13/2010 7:46 AM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1105000.07F\SymEFA.sys [2/13/2010 7:46 AM 172592]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\BASHDefs\20100211.001\BHDrvx86.sys [2/11/2010 11:44 AM 536112]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1105000.07F\cchpx86.sys [2/13/2010 7:46 AM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1105000.07F\Ironx86.sys [2/13/2010 7:46 AM 116272]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.5.0.127\ccSvcHst.exe [2/13/2010 7:46 AM 126392]
R2 NProtectService;Norton UnErase Protection;c:\progra~1\NORTON~3\NORTON~1\NPROTECT.EXE [9/25/2008 2:53 PM 95600]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [1/14/2009 2:54 PM 1086840]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/14/2010 1:19 AM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\20100218.001\IDSXpx86.sys [2/19/2010 8:19 PM 329592]
S2 gupdate1c9664954f7bd1c;Google Update Service (gupdate1c9664954f7bd1c);c:\program files\Google\Update\GoogleUpdate.exe [12/24/2008 9:29 PM 133104]
S3 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
.
Contents of the 'Scheduled Tasks' folder
2003-01-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-25 06:10]
2010-02-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-25 06:10]
2010-02-15 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job
- c:\program files\Norton SystemWorks\OBC.exe [2008-09-25 21:52]
.
.
------- Supplementary Scan -------
.
IE: &NeoTrace It! - c:\progra~1\NEOTRA~1\NTXcontext.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Tool\Application Data\Mozilla\Firefox\Profiles\xltalngg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2003-01-01 03:44
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.5.0.127\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.5.0.127\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(648)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(3164)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\progra~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.EXE
c:\windows\system32\wscntfy.exe
c:\program files\NORTON INTERNET SECURITY\ENGINE\17.5.0.127\cltLMH.exe
.
**************************************************************************
.
Completion time: 2003-01-01 03:49:43 - machine was rebooted
ComboFix-quarantined-files.txt 2003-01-01 10:49
ComboFix2.txt 2003-01-01 07:58
Pre-Run: 9,976,389,632 bytes free
Post-Run: 10,056,740,864 bytes free
- - End Of File - - AEC21D559A8420F387D2B27C1FA91698
Acrobat.com
Ad-Aware
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Reader 9
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
AutoUpdate
Bandwidth Monitor Pro
Battlefield Heroes (Tool)
C-Media 3D Audio
Canon iP1800 series User Registration
Canon MP Navigator EX 2.0
Canon MP240 series MP Drivers
Canon MP240 series User Registration
Canon Utilities Easy-LayoutPrint
Canon Utilities Easy-PhotoPrint
Canon Utilities My Printer
Canon Utilities Solution Menu
Cars - Radiator Springs Adventures
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help English
CCleaner (remove only)
CheckIt Diagnostics
Connection Keep Alive
Critical Update for Windows Media Player 11 (KB959772)
DH Driver Cleaner Professional Edition
Disney Pirates of the Caribbean Online
DivX
DivX Content Uploader
DivX Web Player
Driver Installer
Dungeon Siege 2
Finding Nemo: Nemo's Underwater World of Fun Special Edition
Google Chrome
Google Earth
Google Update Helper
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
InterVideo WinDVD Platinum
IrfanView (remove only)
iTunes
Japanese Fonts Support For Adobe Reader 8
Java(TM) 6 Update 11
LiveUpdate (Symantec Corporation)
Malwarebytes' Anti-Malware
MechCommander
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Office XP Professional
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.6)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MWSnap 3
MyDVD-VR Recorder
Napster
Napster 3.5 MP3 Encoder
Napster Burn Engine
NeoTrace Pro 3.25
Nero 6 Demo
Norton Cleanup
Norton Internet Security
Norton SystemWorks
Norton SystemWorks (Symantec Corporation)
Norton Utilities
NVIDIA nForce Drivers
PartitionMagic
Peggle World of Warcraft Edition
PowerQuest PartitionMagic 8.0
QuickTime
RealPlayer
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
Skins
Sonic MyDVD-VR
SpongeBob SquarePants Obstacle Odyssey 2
Spy Sweeper Core
Spybot - Search & Destroy
Star Wars Empire at War
Star Wars Empire at War Forces of Corruption
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
Update for Windows XP (KB978207)
Ventrilo Client
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
World of Warcraft
Xingtone Ringtone Maker
Malwarebytes' Anti-Malware 1.44
Database version: 3768
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512
1/1/2003 5:01:23 AM
mbam-log-2003-01-01 (05-01-23).txt
Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 228687
Time elapsed: 38 minute(s), 43 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Thank you for your time and assistance in this matter. This machine has started to have severe graphical glitching during this process, and I will be replacing the card with an older one I have stored. I will reply within a day unless I see you mention something about the logs I just posted.
It looks like something reinfected one of your system files, we need to make sure it isn't still happening
Kaspersky Online Scanner .
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- This scan is best done from IE (Internet Explorer)
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html
Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on !
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
**Note**
To optimize scanning time and produce a more sensible report for review: Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
----------------------------------------------------------------------------------------
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
Some of the logs I request will be quite large, You may need to split them over a couple of replies.
Kaspersky Log
A fresh HJT log
How are things running now ?
Hello again Katana, thanks for the last catch. Kaspersky found something, here's the logs you asked for.
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, February 21, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, February 21, 2010 20:49:11
Records in database: 3610312
--------------------------------------------------------------------------------
Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes
Scan area - My Computer:
C:\
D:\
E:\
F:\
Scan statistics:
Objects scanned: 86397
Threats found: 1
Infected objects found: 7
Suspicious objects found: 0
Scan duration: 02:22:36
File name / Threat / Threats count
E:\RECYCLER\NPROTECT\00000001.ISO Infected: Trojan-PSW.Win32.GinaPass.i 7
Selected area has been scanned.
Here's the HJT log after:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:20:36 PM, on 2/21/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Internet Security\Engine\17.5.0.127\ccSvcHst.exe
C:\PROGRA~1\NORTON~3\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Norton Internet Security\Engine\17.5.0.127\ccSvcHst.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Norton SystemWorks\NswUiTray.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\17.5.0.127\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\17.5.0.127\IPSBHO.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\17.5.0.127\coIEPlg.dll
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NSWosCheck] "C:\Program Files\Norton SystemWorks\osCheck.exe"
O4 - HKLM\..\Run: [NswUiTray] C:\Program Files\Norton SystemWorks\NswUiTray.exe
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKCU\..\Run: [Bandwidth Monitor Pro] "C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe" /minimized
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (HKCU)
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Google Update Service (gupdate1c9664954f7bd1c) (gupdate1c9664954f7bd1c) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\17.5.0.127\ccSvcHst.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~1\NPROTECT.EXE
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
--
End of file - 6824 bytes
Kaspersky found something,
Nothing to worry about there, it's an ISO in the recycle bin. That won't be causing any problems.
How are things running now, any problems still ?
----------------------------------------------------------------------------------------
Step 1
Custom CFScript
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
File::
E:\RECYCLER\NPROTECT\00000001.ISO
Folder::
c:\documents and settings\Tool\Local Settings\Application Data\fpidyb
ADS::
Save this as CFScript.txt and place it on your desktop.
http://i51.photobucket.com/albums/f387/Katana_1970/CFScriptb.gif
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
----------------------------------------------------------------------------------------
Step 2
Fix With HJT
Close all other windows and then start HiJack This
Click Do A System Scan Only
When it has finished scanning put a check next to the following lines IF still present
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
--- If you didn't set this restriction, please include this line to fix ---
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
- Close ALL open windows (especially Internet Explorer!)-
Now click Fix checked
Click yes to any prompts
Close HijackThis
----------------------------------------------------------------------------------------
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
Some of the logs I request will be quite large, You may need to split them over a couple of replies.
Combofix Log
How are things running now ?
---------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------
Additional Notes
Your Java and Adobe are out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java and Adobe components and update.
Updating Java:
Download the latest version of Java Runtime Environment (JRE) from HERE (http://java.sun.com/javase/downloads/index.jsp)
Scroll down to where it says "Java SE Runtime Environment (JRE)".
Click the "Download" button to the right.
Platform = Windows Language = Multi Language
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Update Adobe Acrobat Reader
Adobe Reader is a large program and uses unnecessary space.
If you prefer a smaller program you can get Foxit 3.0 from http://www.foxitsoftware.com/pdf/rd_intro.php << Recommended
Please go to this link Adobe Acrobat Reader Download Link (http://www.adobe.com/products/acrobat/readstep2.html)
Cllick Download
On the right Untick Adobe Phototshop Album Starter Edition if you do not wish to include this in the installation.
Click the Continue button
Click Run, and click Run again
Next click the Install Now button and follow the on screen prompts
Now close all windows, including your browser.
Double click on the Java installation that you downloaded and follow the prompts.
Remove Programs
Now click Start---Control Panel. Double click Add or Remove Programs. If any of the following programs are listed there,
click on the program to highlight it, and click on remove.
Adobe Reader 9
Java(TM) 6 Update 11
Now close the Control Panel.
Reboot your machine.
ComboFix 10-02-21.02 - Tool 02/22/2010 9:39.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1279.846 [GMT -7:00]
Running from: c:\documents and settings\Tool\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Tool\Desktop\cfscript.txt
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
FILE ::
"e:\recycler\NPROTECT\00000001.ISO"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Tool\Local Settings\Application Data\fpidyb
c:\recycler\NPROTECT
c:\recycler\NPROTECT\00000000.DAT
c:\recycler\NPROTECT\00000001.DAT
c:\recycler\NPROTECT\00000002
c:\recycler\NPROTECT\00000003
c:\recycler\NPROTECT\00000004
c:\recycler\NPROTECT\00000005
c:\recycler\NPROTECT\00000007
c:\recycler\NPROTECT\00000009
c:\recycler\NPROTECT\00000010
c:\recycler\NPROTECT\00000013.DAT
c:\recycler\NPROTECT\00000014
c:\recycler\NPROTECT\00000015
c:\recycler\NPROTECT\00000016
c:\recycler\NPROTECT\00000017
c:\recycler\NPROTECT\00000019
c:\recycler\NPROTECT\00000020.DAT
c:\recycler\NPROTECT\00000021
c:\recycler\NPROTECT\00000022
c:\recycler\NPROTECT\00000023.DAT
c:\recycler\NPROTECT\00000024
c:\recycler\NPROTECT\00000025
c:\recycler\NPROTECT\00000026
c:\recycler\NPROTECT\00000027
c:\recycler\NPROTECT\00000028
c:\recycler\NPROTECT\00000029
c:\recycler\NPROTECT\00000030
c:\recycler\NPROTECT\00000031
c:\recycler\NPROTECT\00000032
c:\recycler\NPROTECT\00000033
c:\recycler\NPROTECT\00000034
c:\recycler\NPROTECT\00000035
c:\recycler\NPROTECT\00000036.dat
c:\recycler\NPROTECT\00000037
c:\recycler\NPROTECT\00000038
c:\recycler\NPROTECT\00000041
c:\recycler\NPROTECT\00000042
c:\recycler\NPROTECT\00000043
c:\recycler\NPROTECT\00000044
c:\recycler\NPROTECT\00000046
c:\recycler\NPROTECT\00000047
c:\recycler\NPROTECT\00000048
c:\recycler\NPROTECT\00000050
c:\recycler\NPROTECT\00000051
c:\recycler\NPROTECT\00000052.DB~
c:\recycler\NPROTECT\00000053
c:\recycler\NPROTECT\00000055.DB~
c:\recycler\NPROTECT\00000056
c:\recycler\NPROTECT\00000058.DB~
c:\recycler\NPROTECT\00000059
c:\recycler\NPROTECT\00000060.DB~
c:\recycler\NPROTECT\00000061
c:\recycler\NPROTECT\00000062
c:\recycler\NPROTECT\00000063.DB~
c:\recycler\NPROTECT\00000064
c:\recycler\NPROTECT\00000065.DB~
c:\recycler\NPROTECT\00000066
c:\recycler\NPROTECT\00000067.DB~
c:\recycler\NPROTECT\00000070.DB~
c:\recycler\NPROTECT\00000071
c:\recycler\NPROTECT\00000072
c:\recycler\NPROTECT\00000073
c:\recycler\NPROTECT\00000074.DB~
c:\recycler\NPROTECT\00000076
c:\recycler\NPROTECT\00000077.DB~
c:\recycler\NPROTECT\00000078.DB~
c:\recycler\NPROTECT\00000079.DB~
c:\recycler\NPROTECT\00000080.DB~
c:\recycler\NPROTECT\00000081.DB~
c:\recycler\NPROTECT\00000082.DB~
c:\recycler\NPROTECT\00000083.DB~
c:\recycler\NPROTECT\00000084.DB~
c:\recycler\NPROTECT\00000086.DB~
c:\recycler\NPROTECT\00000087.DB~
c:\recycler\NPROTECT\00000088.DB~
c:\recycler\NPROTECT\00000089
c:\recycler\NPROTECT\00000090
c:\recycler\NPROTECT\00000091.DB~
c:\recycler\NPROTECT\00000092.DB~
c:\recycler\NPROTECT\00000093
c:\recycler\NPROTECT\00000094
c:\recycler\NPROTECT\00000095
c:\recycler\NPROTECT\00000096
c:\recycler\NPROTECT\00000097
c:\recycler\NPROTECT\00000098
c:\recycler\NPROTECT\00000099
c:\recycler\NPROTECT\00000101
c:\recycler\NPROTECT\00000102
c:\recycler\NPROTECT\00000104
c:\recycler\NPROTECT\00000105
c:\recycler\NPROTECT\00000107
c:\recycler\NPROTECT\00000108
c:\recycler\NPROTECT\00000109
c:\recycler\NPROTECT\00000110
c:\recycler\NPROTECT\00000111
c:\recycler\NPROTECT\00000113
c:\recycler\NPROTECT\00000114
c:\recycler\NPROTECT\00000115
c:\recycler\NPROTECT\00000116
c:\recycler\NPROTECT\00000118
c:\recycler\NPROTECT\00000119
c:\recycler\NPROTECT\00000120
c:\recycler\NPROTECT\00000121
c:\recycler\NPROTECT\00000122
c:\recycler\NPROTECT\00000123
c:\recycler\NPROTECT\00000124
c:\recycler\NPROTECT\00000125
c:\recycler\NPROTECT\00000126
c:\recycler\NPROTECT\00000127
c:\recycler\NPROTECT\00000128
c:\recycler\NPROTECT\00000129
c:\recycler\NPROTECT\00000130
c:\recycler\NPROTECT\00000134
c:\recycler\NPROTECT\00000135.dat
c:\recycler\NPROTECT\00000136.dat
c:\recycler\NPROTECT\00000138
c:\recycler\NPROTECT\00000139
c:\recycler\NPROTECT\00000140
c:\recycler\NPROTECT\00000141
c:\recycler\NPROTECT\00000142
c:\recycler\NPROTECT\00000143
c:\recycler\NPROTECT\00000144
c:\recycler\NPROTECT\00000146
c:\recycler\NPROTECT\00000148.dat
c:\recycler\NPROTECT\00000150
c:\recycler\NPROTECT\00000151.bat
c:\recycler\NPROTECT\00000152
c:\recycler\NPROTECT\00000153
c:\recycler\NPROTECT\00000155
c:\recycler\NPROTECT\00000157
c:\recycler\NPROTECT\00000158
c:\recycler\NPROTECT\00000159
c:\recycler\NPROTECT\00000162
c:\recycler\NPROTECT\00000163
c:\recycler\NPROTECT\00000164
c:\recycler\NPROTECT\00000165
c:\recycler\NPROTECT\00000167
c:\recycler\NPROTECT\00000168
c:\recycler\NPROTECT\00000169
c:\recycler\NPROTECT\00000170
c:\recycler\NPROTECT\00000171
c:\recycler\NPROTECT\00000172
c:\recycler\NPROTECT\00000173
c:\recycler\NPROTECT\00000174
c:\recycler\NPROTECT\00000175
c:\recycler\NPROTECT\00000176
c:\recycler\NPROTECT\00000177
c:\recycler\NPROTECT\00000178
c:\recycler\NPROTECT\00000179
c:\recycler\NPROTECT\00000180
c:\recycler\NPROTECT\00000181
c:\recycler\NPROTECT\00000183
c:\recycler\NPROTECT\00000184
c:\recycler\NPROTECT\00000187
c:\recycler\NPROTECT\00000190.SY~
c:\recycler\NPROTECT\00000191
c:\recycler\NPROTECT\00000192
c:\recycler\NPROTECT\00000193
c:\recycler\NPROTECT\00000194
c:\recycler\NPROTECT\00000195
c:\recycler\NPROTECT\00000196
c:\recycler\NPROTECT\00000197
c:\recycler\NPROTECT\00000198
c:\recycler\NPROTECT\00000199.dat
c:\recycler\NPROTECT\00000200
c:\recycler\NPROTECT\00000201.bad
c:\recycler\NPROTECT\00000202
c:\recycler\NPROTECT\00000203
c:\recycler\NPROTECT\00000204
c:\recycler\NPROTECT\00000205
c:\recycler\NPROTECT\00000206
c:\recycler\NPROTECT\00000212
c:\recycler\NPROTECT\00000213.md5
c:\recycler\NPROTECT\00000220.DB~
c:\recycler\NPROTECT\00000221
c:\recycler\NPROTECT\00000223
c:\recycler\NPROTECT\00000224
c:\recycler\NPROTECT\NPROTECT.LOG
.
((((((((((((((((((((((((( Files Created from 2010-01-22 to 2010-02-22 )))))))))))))))))))))))))))))))
.
2010-02-20 03:19 . 2009-11-17 00:51 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\20100218.001\Scxpx86.dll
2010-02-20 03:19 . 2009-11-17 00:51 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\20100218.001\IDSxpx86.dll
2010-02-20 03:19 . 2009-11-17 00:51 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\20100218.001\IDSviA64.sys
2010-02-20 03:19 . 2009-11-17 00:51 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\20100218.001\IDSvix86.sys
2010-02-20 03:19 . 2009-11-17 00:51 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\20100218.001\IDSXpx86.sys
2010-02-15 17:31 . 2010-02-15 17:31 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-02-14 21:40 . 2009-11-17 00:51 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\20100210.001\Scxpx86.dll
2010-02-14 21:40 . 2009-11-17 00:51 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\20100210.001\IDSxpx86.dll
2010-02-14 21:40 . 2009-11-17 00:51 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\20100210.001\IDSviA64.sys
2010-02-14 21:40 . 2009-11-17 00:51 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\20100210.001\IDSvix86.sys
2010-02-14 21:40 . 2009-11-17 00:51 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\20100210.001\IDSXpx86.sys
2010-02-14 04:33 . 2010-02-14 04:35 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-14 04:33 . 2003-01-01 07:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-13 18:24 . 2010-02-13 18:24 -------- dc----w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-02-13 14:48 . 2009-12-10 03:16 784752 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\coFFPlgn\components\coFFPlgn.dll
2010-02-13 14:48 . 2009-11-17 00:51 164216 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\IPSFFPlgn\components\IPSFFPl.dll
2010-02-13 14:46 . 2009-11-17 00:51 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\BinHub\IDSvia64.sys
2010-02-13 14:46 . 2009-11-17 00:51 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\BinHub\IDSvix86.sys
2010-02-13 14:46 . 2009-11-17 00:51 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\BinHub\IDSxpx86.sys
2010-02-13 14:46 . 2009-11-17 00:51 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\BinHub\scxpx86.dll
2010-02-13 14:46 . 2009-12-08 02:20 965488 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\OCS\hsplayer.dll
2010-02-13 14:46 . 2009-11-17 00:51 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\BinHub\idsxpx86.dll
2010-02-13 14:46 . 2009-12-17 06:31 893296 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\CLT\cltLMSx.dll
2010-02-13 14:46 . 2010-02-13 14:46 -------- d-----w- c:\windows\system32\drivers\NIS
2010-02-13 14:46 . 2010-02-13 14:46 -------- d-----w- c:\program files\Norton Internet Security
2010-02-13 14:46 . 2010-02-13 14:46 -------- d-----w- c:\program files\Windows Sidebar
2010-02-13 14:12 . 2010-02-13 14:12 -------- d-----w- c:\documents and settings\All Users\Application Data\PCSettings
2010-02-11 18:44 . 2010-02-11 18:44 201616 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\BASHDefs\20100211.001\BHRules.dll
2010-02-11 18:44 . 2010-02-11 18:44 1406352 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\BASHDefs\20100211.001\BHEngine.dll
2010-02-11 18:44 . 2010-02-11 18:44 676912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\BASHDefs\20100211.001\BHDrvx64.sys
2010-02-11 18:44 . 2010-02-11 18:44 536112 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\BASHDefs\20100211.001\BHDrvx86.sys
2010-02-11 18:44 . 2010-02-11 18:44 611216 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\BASHDefs\20100211.001\bbRGen.dll
2010-02-03 00:38 . 2010-02-03 00:38 -------- d-----w- c:\documents and settings\Tool\Application Data\Malwarebytes
2010-02-03 00:38 . 2010-01-07 23:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-03 00:38 . 2010-02-03 00:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-03 00:38 . 2010-02-03 00:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-03 00:38 . 2010-01-07 23:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-02 03:42 . 2010-02-02 03:42 -------- d-sh--w- c:\documents and settings\All Users\Application Data\LPOZLHTCG
2010-02-02 03:42 . 2009-06-25 17:02 435704 ----a-w- c:\documents and settings\All Users\Application Data\cdba3ff\sqlite3.dll
2010-02-02 03:42 . 2009-06-25 17:02 710136 ----a-w- c:\documents and settings\All Users\Application Data\cdba3ff\mozcrt19.dll
2010-02-02 03:42 . 2010-02-02 03:43 -------- d-sh--w- c:\documents and settings\All Users\Application Data\cdba3ff
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-15 19:10 . 2009-01-14 20:18 -------- d-----w- c:\program files\Norton SystemWorks
2010-02-13 14:55 . 2004-10-21 01:58 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-02-13 14:49 . 2009-01-14 19:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-02-13 14:47 . 2009-01-14 19:31 -------- d-----w- c:\program files\Symantec
2010-02-13 14:46 . 2009-01-14 19:31 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-02-13 14:46 . 2009-01-14 19:31 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-02-13 14:46 . 2009-01-14 19:31 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-02-13 14:46 . 2009-01-14 19:31 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-02-13 14:12 . 2009-01-14 19:27 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-02-13 03:41 . 2010-02-13 03:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-02-10 08:00 . 2003-01-01 12:12 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\VirusDefs\20100220.022\NAVENG.SYS
2010-02-10 08:00 . 2003-01-01 12:12 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\VirusDefs\20100220.022\NAVENG32.DLL
2010-02-10 08:00 . 2003-01-01 12:12 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\VirusDefs\20100220.022\NAVEX32A.DLL
2010-02-10 08:00 . 2003-01-01 12:12 1324720 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\VirusDefs\20100220.022\NAVEX15.SYS
2010-02-10 08:00 . 2003-01-01 12:12 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\VirusDefs\20100220.022\EECTRL.SYS
2010-02-10 08:00 . 2003-01-01 12:12 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\VirusDefs\20100220.022\CCERASER.DLL
2010-02-10 08:00 . 2003-01-01 12:12 259440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\VirusDefs\20100220.022\ECMSVR32.DLL
2010-02-10 08:00 . 2003-01-01 12:12 102448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\VirusDefs\20100220.022\ERASER.SYS
2010-02-05 14:23 . 2009-11-11 10:26 79488 ----a-w- c:\documents and settings\Tool\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-31 16:50 . 2004-08-04 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-22 05:21 . 2004-08-04 12:00 667136 ------w- c:\windows\system32\wininet.dll
2009-12-22 05:20 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-12-16 18:43 . 2004-10-21 01:12 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-04 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-04 18:22 . 2004-08-04 12:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:11 . 2004-08-04 12:00 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11 . 2004-08-04 00:56 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:07 . 2004-08-04 12:00 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2004-08-04 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2004-08-04 12:00 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07 . 2004-08-04 00:56 48128 ----a-w- c:\windows\system32\iyuv_32.dll
.
((((((((((((((((((((((((((((( SnapShot@2003-01-01_07.54.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-22 16:49 . 2010-02-22 16:49 16384 c:\windows\Temp\Perflib_Perfdata_788.dat
+ 2010-02-22 16:47 . 2010-02-22 16:47 16384 c:\windows\Temp\Perflib_Perfdata_6d0.dat
+ 2004-10-20 18:07 . 2004-08-04 05:29 701440 c:\windows\system32\drivers\ati2mtag.sys
+ 2004-10-20 18:07 . 2008-04-14 00:11 516768 c:\windows\system32\dllcache\ativvaxx.dll
+ 2004-10-20 18:07 . 2004-08-04 05:29 701440 c:\windows\system32\dllcache\ati2mtag.sys
+ 2004-10-20 18:07 . 2008-04-14 00:11 201728 c:\windows\system32\dllcache\ati2dvag.dll
+ 2004-10-20 18:07 . 2008-04-14 00:11 229376 c:\windows\system32\dllcache\ati2cqag.dll
+ 2004-10-20 18:07 . 2008-04-14 00:11 516768 c:\windows\system32\ativvaxx.dll
+ 2004-10-20 18:07 . 2008-04-14 00:11 201728 c:\windows\system32\ati2dvag.dll
+ 2004-10-20 18:07 . 2008-04-14 00:11 229376 c:\windows\system32\ati2cqag.dll
+ 2004-10-20 18:07 . 2008-04-14 00:11 1888992 c:\windows\system32\dllcache\ati3duag.dll
+ 2004-10-20 18:07 . 2008-04-14 00:11 1888992 c:\windows\system32\ati3duag.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bandwidth Monitor Pro"="c:\program files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe" [2003-12-03 182272]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NapsterShell"="c:\program files\Napster\napster.exe" [2008-05-09 323216]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NSWosCheck"="c:\program files\Norton SystemWorks\osCheck.exe" [2008-09-25 160112]
"NswUiTray"="c:\program files\Norton SystemWorks\NswUiTray.exe" [2008-09-25 85360]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-04 1848648]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\InterVideo\\WinDVD4PR\\WinDVD.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Microsoft Games\\Dungeon Siege 2\\DungeonSiege2.exe"=
"c:\\Program Files\\Napster\\napster.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9990:TCP"= 9990:TCP:a
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [11/12/2008 4:02 PM 29808]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1105000.07F\SymDS.sys [2/13/2010 7:46 AM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1105000.07F\SymEFA.sys [2/13/2010 7:46 AM 172592]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\BASHDefs\20100211.001\BHDrvx86.sys [2/11/2010 11:44 AM 536112]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1105000.07F\cchpx86.sys [2/13/2010 7:46 AM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1105000.07F\Ironx86.sys [2/13/2010 7:46 AM 116272]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.5.0.127\ccSvcHst.exe [2/13/2010 7:46 AM 126392]
R2 NProtectService;Norton UnErase Protection;c:\progra~1\NORTON~3\NORTON~1\NPROTECT.EXE [9/25/2008 2:53 PM 95600]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [1/14/2009 2:54 PM 1086840]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/14/2010 1:19 AM 102448]
S2 gupdate1c9664954f7bd1c;Google Update Service (gupdate1c9664954f7bd1c);c:\program files\Google\Update\GoogleUpdate.exe [12/24/2008 9:29 PM 133104]
S3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\20100218.001\IDSXpx86.sys [2/19/2010 8:19 PM 329592]
S3 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
.
Contents of the 'Scheduled Tasks' folder
2010-02-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-25 06:10]
2010-02-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-25 06:10]
2010-02-15 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job
- c:\program files\Norton SystemWorks\OBC.exe [2008-09-25 21:52]
.
.
------- Supplementary Scan -------
.
IE: &NeoTrace It! - c:\progra~1\NEOTRA~1\NTXcontext.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Tool\Application Data\Mozilla\Firefox\Profiles\xltalngg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npstrlnk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-22 09:48
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.5.0.127\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.5.0.127\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3204)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\progra~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.EXE
c:\windows\system32\wscntfy.exe
.
**************************************************************************
How are things running now, any problems still ?
The only thing now is that the Norton Internet Security is now saying that I need to renew, even tho I renewed it about a week ago. So, when I rclick the Norton icon, the "enable smart firewall" and "enable antivirus auto-protect" are greyed out. The windows security alert icon is there confirming that there's no av or firewall.
If you have any input on Norton that would be of help, cool.
I am not upset about this, I am guessing that it had something to do with the fixes. Pretty sure I can contact them through the Norton account, explain what happened and have it re-activated.
No one is using this rig till I give the green light, so there's nothing online other than this forum activity going on with it.
I am just glad that there's people out there with the know-how, the time, the patience and "want" to help others when this crap happens. Rather tough explaining to one of our preteen daughters what it was she just saw from one of those damn pop-ups.
If you have any input on Norton that would be of help, cool.
I am not upset about this, I am guessing that it had something to do with the fixes. Pretty sure I can contact them through the Norton account, explain what happened and have it re-activated.
I can't see anything in the logs that would cause this problem with Norton,
To be honest, if you have a new subscription then I recommend that you contact them to resolve this. They could refuse to help you if I start poking around with it.
Rather tough explaining to one of our preteen daughters what it was she just saw from one of those damn pop-ups.
I can imagine :(
Congratulations your logs look clean :)
Let's see if I can help you keep it that way
First lets tidy up
Uninstall Combofix
This will clear your System Volume Information restore points and remove all the infected files that were quarantined
Click START then RUN
Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the /U, it needs to be there.
http://neoshine.co.uk/mina/Katana/CFU.gif
You can also delete any logs we have produced and any other tools we have downloaded.
----------------------------------------------------------- -----------------------------------------------------------
The following is some info to help you stay safe and clean.
You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )
Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.
http://www.pandasecurity.com/activescan
http://www.kaspersky.com/kos/eng/partner/71706/kavwebscan.html
!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you, .... see HERE (http://secunia.com/software_inspector/) for details
AntiSpyware
AntiSpyware is not the same thing as Antivirus.
Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
Most of the programs in this list have a free (for Home Users ) and paid versions,
it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
Spybot - Search & Destroy (http://www.safer-networking.org/) <<< A must have program It includes host protection and registry protection A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites
MalwareBytes Anti-malware (http://www.malwarebytes.org/mbam.php) <<< A New and effective program
a-squared Free (http://www.emsisoft.com/en/software/free/) <<< A good "realtime" or "on demand" scanner
superantispyware (http://www.superantispyware.com/) <<< A good "realtime" or "on demand" scanner
Prevention
These programs don't detect malware, they help stop it getting on your machine in the first place.
Each does a different job, so you can have more than one
Winpatrol (http://www.winpatrol.com) An excellent startup manager and then some !! Notifies you if programs are added to startup Allows delayed startup A must have addition
SpywareBlaster 4.0 (http://www.javacoolsoftware.com/spywareblaster.html) SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
SpywareGuard 2.2 (http://www.javacoolsoftware.com/spywareguard.html) SpywareGuard provides real-time protection against spyware. Not required if you have other "realtime" antispyware or Winpatrol
ZonedOut (http://www.funkytoad.com/index.php?option=com_content&view=article&id=15&Itemid=33) Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
MVPS HOSTS (http://www.mvps.org/winhelp2002/hosts.zip) This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial (http://www.mvps.org/winhelp2002/hosts.htm) by WinHelp2002. Not required if you are using other host file protections
Internet Browsers
Microsoft has worked hard to make IE.7 a more secure browser, unfortunately whilst it is still the leading browser of choice it will always be under attack from the bad guys.
Using a different web browser can help stop malware getting on your machine.
Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
If you are still using IE6 then either update, or get one of the following.
FireFox (http://www.mozilla.com/en-US/firefox/) With many addons available that make customization easy this is a very popular choice NoScript and AdBlockPlus addons are essential
Opera (http://www.opera.com/) Another popular alternative
Netscape (http://browser.netscape.com/addons) Another popular alternative Also has Addons available
Cleaning Temporary Internet Files and Tracking Cookies
Temporary Internet Files are mainly the files that are downloaded when you open a web page.
Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
It is a good idea to empty the Temporary Internet Files folder on a regular basis.
Tracking Cookies are files that websites use to monitor which sites you visit and how often.
A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords
Both of these can be cleaned manually, but a quicker option is to use a program
ATF Cleaner (http://www.atribune.org/index.php?option=com_content&task=view&id=25&Itemid=25) Free and very simple to use
CCleaner (http://www.ccleaner.com/) Free and very flexible, you can chose which cookies to keep
Also PLEASE read this article.....So How Did I Get Infected In The First Place (http://forum.malwareremoval.com/viewtopic.php?t=4959)
The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.
If you follow this advice then (with a bit of luck) you will never have to hear from me again :D
If you could post back one more time to let me know everything is OK, then I can have this thread archived.
Happy surfing K'