PDA

View Full Version : Intrusion + Pop-ups



Lelldorianx
2010-06-28, 20:31
Hello Lelldorianx,

Please start a new topic providing the DDS log only and turn off word wrap so that the log isn't double spaced. Makes logs easier to read.
->The file was generated as a .txt, I am reading it on a linux box (to prevent spreading viruses ;) ). Had to manually fix the spacing, hopefully it's ok. If it isn't, I attached the txt in case.

I've been battling this issue for about a full week now, luckily installing Norton has helped get me to the point where I can use the computer again. I've already changed all my passwords and stuff, but here are my symptoms:

OS - Win XP Pro SP3

1 - Occasional (down about 50% since installing Norton) pop-ups that are often very similar to search terms I enter. i.e., I searched for a Creative driver and had a search engine redirect to some BS page.
2 - Constant intrusion attempts blocked by Norton. I am assuming this is due to some sort of rootkit. A JPG of this is attached (the attackers vary).
3 - Decreased start-up performance
4 - A background SVCHost which does not belong - ending the process results in a cmd prompt initiated shutdown sequence, something about NT Authority \ DCOM or RPC (or RCP, something like that). Typing shutdown /a stops this.

What I have done:

Run Spybot S&D, Malwarebytes' Anti-Malware, SUPERAntiSpyware, Norton 360 4.0, Avast pre-boot scans.

Spybot removed all issues but one, it finds a cookie of some sort called MediaPlex. When I try to 'fix' this problem using Spybot, the program freezes and must be closed by ending the process.

Norton fixed several trojans and backdoors, but some reason is not removing whatever is attempting to intrude.

Uninstalled all web-browsers as many of the issues were rooted within them (for future information, visiting a gaming website which is normally safe on FireFox proved unsafe on Chrome).

DDS Logs

DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 19:17:12.60 on Sun 06/27/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2929 [GMT -4:00]
AV: Norton 360 Premier Edition *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Norton 360 Premier Edition *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\Google\Update\1.2.183.29\GoogleCrashHandler.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
C:\Program Files\Norton 360 Premier Edition\Engine\4.2.0.12\ccSvcHst.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Norton 360 Premier Edition\Engine\4.2.0.12\ccSvcHst.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Xfire\xfire.exe
I:\virus\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360 premier edition\engine\4.2.0.12\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360 premier edition\engine\4.2.0.12\IPSBHO.DLL
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360 premier edition\engine\4.2.0.12\coIEPlg.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [SkyTel] SkyTel.EXE
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\administrator\start menu\programs\imvu\Run IMVU.lnk
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0402000.00c\symds.sys [2010-6-27 328752]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-6-17 164048]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-6-17 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-17 40384]
R2 HPW5ECP;HPW5ECP;c:\windows\system32\drivers\HPW5ECP.sys [1999-12-17 44032]
R2 N360;Norton 360;c:\program files\norton 360 premier edition\engine\4.2.0.12\ccsvchst.exe [2010-6-27 126392]
R2 Prvflder;Prvflder;c:\windows\system32\drivers\prvflder.sys [2006-4-21 70912]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-17 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-17 40384]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-6-27 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\ipsdefs\20100625.001\IDSXpx86.sys [2010-6-27 331640]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20100627.003\naveng.sys [2010-6-27 85552]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20100627.003\navex15.sys [2010-6-27 1347504]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2007-8-24 21920]
S0 igsvcngq;igsvcngq;c:\windows\system32\drivers\hxhxrfau.sys --> c:\windows\system32\drivers\hxhxrfau.sys [?]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0400000.07f\symefa.sys --> c:\windows\system32\drivers\n360\0400000.07f\SYMEFA.SYS [?]
S1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\bashdefs\20100619.001\BHDrvx86.sys [2010-6-19 691248]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0400000.07f\cchpx86.sys --> c:\windows\system32\drivers\n360\0400000.07f\ccHPx86.sys [?]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0402000.00c\ironx86.sys [2010-6-27 116784]
S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\documents and settings\administrator\desktop\vcdrom.sys --> c:\documents and settings\administrator\desktop\VCdRom.sys [?]
S2 chhrwx;Shell Image;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2010-3-18 99416]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2010-3-18 99416]
S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2010-3-18 555096]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2010-3-18 555096]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2010-3-18 100952]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2010-3-18 100952]
S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2010-3-18 566360]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2010-3-18 566360]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;e:\games\steam\steamapps\common\dragon age origins\bin_ship\daupdatersvc.service.exe [2010-4-2 25832]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-6-18 38224]
S3 rindar;rindar;c:\windows\system32\rindar.sys [2010-6-23 2304]
S3 SJMTIDWPNL;SJMTIDWPNL;c:\docume~1\admini~1\locals~1\temp\sjmtidwpnl.exe --> c:\docume~1\admini~1\locals~1\temp\SJMTIDWPNL.exe [?]
S4 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2010-6-15 79360]
S4 gupdate1c98670ad476eee;Google Update Service (gupdate1c98670ad476eee);c:\program files\google\update\GoogleUpdate.exe [2009-2-3 133104]
S4 mi-raysat_3dsMax2009_32;mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit;c:\program files\autodesk\3ds max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe [2008-3-10 65536]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-5-23 24652]

=============== Created Last 30 ================

2010-06-27 22:30:59 38912 -c--a-w- c:\windows\system32\dllcache\sm9aw.dll
2010-06-27 22:29:56 8192 -c--a-w- c:\windows\system32\dllcache\httpmb51.dll
2010-06-27 22:26:51 488 ---ha-r- c:\windows\system32\logonui.exe.manifest
2010-06-27 22:26:44 749 ---ha-r- c:\windows\WindowsShell.Manifest
2010-06-27 22:26:44 749 ---ha-r- c:\windows\system32\wuaucpl.cpl.manifest
2010-06-27 22:26:44 749 ---ha-r- c:\windows\system32\sapi.cpl.manifest
2010-06-27 22:26:44 749 ---ha-r- c:\windows\system32\nwc.cpl.manifest
2010-06-27 22:26:44 749 ---ha-r- c:\windows\system32\ncpa.cpl.manifest
2010-06-27 22:26:21 7168 -c--a-w- c:\windows\system32\dllcache\bitsprx4.dll
2010-06-27 22:26:21 7168 ----a-w- c:\windows\system32\bitsprx4.dll
2010-06-27 22:26:21 162304 -c--a-w- c:\windows\system32\dllcache\wuaucpl.cpl
2010-06-27 22:26:21 162304 ----a-w- c:\windows\system32\wuaucpl.cpl
2010-06-27 22:24:49 53248 -c--a-w- c:\windows\system32\dllcache\tsgqec.dll
2010-06-27 22:24:49 53248 ----a-w- c:\windows\system32\tsgqec.dll
2010-06-27 22:24:49 290304 -c--a-w- c:\windows\system32\dllcache\rhttpaa.dll
2010-06-27 22:24:49 290304 ----a-w- c:\windows\system32\rhttpaa.dll
2010-06-27 22:24:49 136192 -c--a-w- c:\windows\system32\dllcache\aaclient.dll
2010-06-27 22:24:49 136192 ----a-w- c:\windows\system32\aaclient.dll
2010-06-27 22:14:38 4444 ----a-w- c:\windows\system32\pid.PNF
2010-06-27 21:59:44 0 d-----w- c:\program files\common files\ODBC
2010-06-27 21:58:56 1088840 ----a-r- c:\windows\SETE5.tmp
2010-06-27 21:58:50 1296669 ----a-r- c:\windows\SETE4.tmp
2010-06-27 21:27:39 0 d-----w- c:\docume~1\admini~1\applic~1\Tific
2010-06-27 20:25:59 536576 -c--a-w- c:\windows\system32\dllcache\msado15.dll
2010-06-27 20:25:59 331776 -c--a-w- c:\windows\system32\dllcache\msadce.dll
2010-06-27 20:25:59 200704 -c--a-w- c:\windows\system32\dllcache\msadox.dll
2010-06-27 20:25:59 180224 -c--a-w- c:\windows\system32\dllcache\msadomd.dll
2010-06-27 20:25:59 153088 -c--a-w- c:\windows\system32\dllcache\triedit.dll
2010-06-27 20:25:59 143360 -c--a-w- c:\windows\system32\dllcache\msadco.dll
2010-06-27 20:25:59 102400 -c--a-w- c:\windows\system32\dllcache\msjro.dll
2010-06-27 20:25:58 128512 -c--a-w- c:\windows\system32\dllcache\dhtmled.ocx
2010-06-27 20:24:53 0 d--h--w- c:\program files\WindowsUpdate
2010-06-27 20:07:39 6272 ----a-w- c:\windows\system32\drivers\splitter.sys
2010-06-27 19:57:07 13608 ----a-r- c:\windows\SET178.tmp
2010-06-27 19:57:03 1086182 ----a-r- c:\windows\SET163.tmp
2010-06-26 15:51:13 118 ----a-w- C:\norton.bat
2010-06-26 15:34:58 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-06-26 15:34:58 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-06-26 15:34:58 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-06-26 15:34:58 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-06-26 15:34:58 0 d-----w- c:\program files\Symantec
2010-06-26 15:33:04 0 d-----w- c:\windows\system32\drivers\N360
2010-06-26 15:33:02 0 d-----w- c:\program files\Norton 360 Premier Edition
2010-06-26 15:21:18 0 d-----w- c:\docume~1\alluse~1\applic~1\PCSettings
2010-06-26 15:19:10 0 d-----w- c:\program files\NortonInstaller
2010-06-26 15:19:10 0 d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2010-06-26 07:33:08 0 --sh--w- c:\windows\S2A9329DB.tmp
2010-06-25 19:28:07 0 d-----w- c:\program files\CleanUp!
2010-06-25 15:35:22 419451 ----a-w- c:\windows\setupapi.old
2010-06-23 19:26:26 2304 ----a-w- c:\windows\system32\rindar.sys
2010-06-23 01:55:39 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-06-23 01:55:39 0 d-----w- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2010-06-23 01:55:31 0 d-----w- c:\program files\SUPERAntiSpyware
2010-06-21 05:47:33 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-06-21 05:47:33 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-06-20 23:27:09 0 d-sha-r- C:\cmdcons
2010-06-20 17:25:22 98816 ----a-w- c:\windows\sed.exe
2010-06-20 17:25:22 77312 ----a-w- c:\windows\MBR.exe
2010-06-20 17:25:22 256512 ----a-w- c:\windows\PEV.exe
2010-06-20 17:25:22 161792 ----a-w- c:\windows\SWREG.exe
2010-06-20 17:22:11 388608 ----a-w- c:\windows\system32\CF4850.exe
2010-06-20 17:17:12 0 d-----w- c:\program files\Trend Micro
2010-06-19 02:07:11 0 d-----w- c:\documents and settings\administrator\Saved Games
2010-06-18 14:37:45 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-18 14:37:45 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-18 14:37:44 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-18 14:26:34 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton
2010-06-17 19:41:00 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-06-17 19:17:59 0 d-----w- c:\windows\system32\wbem\Repository
2010-06-15 17:18:31 31056 ----a-w- c:\windows\system32\BMXStateBkp-{00000003-00000000-00000007-00001102-00000004-20021102}.rfx
2010-06-15 17:18:31 31056 ----a-w- c:\windows\system32\BMXState-{00000003-00000000-00000007-00001102-00000004-20021102}.rfx
2010-06-15 17:18:31 30528 ----a-w- c:\windows\system32\BMXCtrlState-{00000003-00000000-00000007-00001102-00000004-20021102}.rfx
2010-06-15 17:18:31 30528 ----a-w- c:\windows\system32\BMXBkpCtrlState-{00000003-00000000-00000007-00001102-00000004-20021102}.rfx
2010-06-15 17:18:31 11564 ----a-w- c:\windows\system32\DVCState-{00000003-00000000-00000007-00001102-00000004-20021102}.rfx
2010-06-15 17:18:15 4931715 ----a-w- c:\windows\{00000003-00000000-00000007-00001102-00000004-20021102}.BAK
2010-06-15 17:17:18 4174814 ------w- c:\windows\system32\CT4MGM.SF2
2010-06-15 17:17:18 0 d-----w- c:\windows\system32\Defaults
2010-06-15 17:12:54 4931715 ----a-w- c:\windows\{00000003-00000000-00000007-00001102-00000004-20021102}.CDF
2010-06-15 17:12:51 7062 ----a-w- c:\windows\system32\audiopid.vxd
2010-06-15 17:12:36 0 d-----w- c:\program files\common files\Creative Labs Shared
2010-06-15 17:10:50 0 d-----w- c:\windows\system32\Data
2010-06-15 15:03:18 0 d-----w- c:\program files\Vizati
2010-06-14 05:57:23 0 d-----w- c:\docume~1\admini~1\applic~1\Titanium
2010-06-14 05:29:03 0 d-----w- c:\program files\Akeeba eXtract Wizard
2010-06-13 20:28:09 2444656 ----a-w- c:\windows\system32\pbsvc_apb.exe
2010-06-12 18:52:49 87 ----a-w- c:\documents and settings\administrator\jagex_runescape_preferences2.dat
2010-06-12 18:52:49 0 ----a-w- c:\documents and settings\administrator\jagex__preferences3.dat
2010-06-11 04:49:44 0 d-----w- c:\docume~1\admini~1\applic~1\ICE Game Studios AB
2010-06-10 18:19:19 0 d-----w- c:\docume~1\alluse~1\applic~1\DinsCurse
2010-06-10 18:18:50 0 d-----w- c:\program files\Din's Curse

==================== Find3M ====================

2010-06-27 22:25:19 23348 ----a-w- c:\windows\system32\emptyregdb.dat
2010-06-27 17:02:55 138056 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-06-27 17:02:55 138056 ----a-w- c:\docume~1\admini~1\applic~1\PnkBstrK.sys
2010-06-27 17:02:39 189248 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-06-27 17:02:28 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-06-19 02:53:53 45 ----a-w- c:\documents and settings\administrator\jagex_runescape_preferences.dat
2010-06-15 17:11:50 445016 ----a-w- c:\windows\system32\wrap_oal.dll
2010-06-15 17:11:50 109144 ----a-w- c:\windows\system32\OpenAL32.dll
2010-05-28 00:09:00 41872 ----a-w- c:\windows\system32\xfcodec.dll
2008-02-05 22:16:40 114349681 ----a-w- c:\program files\Starcraft.rar
2007-12-30 08:55:07 8 --sha-r- c:\windows\system32\3289F22200.sys

============= FINISH: 19:18:11.20 ===============

shelf life
2010-07-03, 01:24
hi,

You have a root kit on your machine. If you still need help simply reply back.

Lelldorianx
2010-07-03, 01:49
Still need help. I have constant intrusion attempts. I have changed all of my important passwords and do not log into any websites on the machine.

Thanks! Glad someone found my post ;)

shelf life
2010-07-03, 04:42
hi,

Ok. We will get two downloads to use. The first is combofix. There is a short guide to read first before you use it. Read the guide then apply the directions on your own machine. The next is TDSSkiller. Link and directions for both:

Guide to using Combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

TDSSKiller:
Please download TDSS Killer.zip (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and save it to your desktop
Extract the zip file to your desktop. Double click to start the utility, follow the prompts.

Please post the report.txt that will be generated in your root drive C:

Lelldorianx
2010-07-03, 05:51
Here is the TDSS log. Looks like it killed something. I will post the other log next. Note: I noticed new symptoms 2 days ago that are not in the original post, and I haven't yet checked to see if ComboFix and TDSS have fixed these issues. The symptoms are: an SVChost file that gets very large and consumes a lot of CPU over the course of many hours. Other than that, here's TDSS:

22:17:48:500 5672 TDSS rootkit removing tool 2.3.2.2 Jun 30 2010 17:23:49
22:17:48:500 5672 ================================================================================
22:17:48:500 5672 SystemInfo:

22:17:48:500 5672 OS Version: 5.1.2600 ServicePack: 3.0
22:17:48:500 5672 Product type: Workstation
22:17:48:500 5672 ComputerName: PHOENIX
22:17:48:500 5672 UserName: Administrator
22:17:48:500 5672 Windows directory: C:\WINDOWS
22:17:48:500 5672 System windows directory: C:\WINDOWS
22:17:48:500 5672 Processor architecture: Intel x86
22:17:48:500 5672 Number of processors: 4
22:17:48:500 5672 Page size: 0x1000
22:17:48:500 5672 Boot type: Normal boot
22:17:48:500 5672 ================================================================================
22:17:49:656 5672 Initialize success
22:17:49:656 5672
22:17:49:656 5672 Scanning Services ...
22:17:50:203 5672 Raw services enum returned 459 services
22:17:50:218 5672
22:17:50:218 5672 Scanning Drivers ...
22:17:51:640 5672 61883 (86d7b1e70661d754685b9ac6d749aae5) C:\WINDOWS\system32\DRIVERS\61883.sys
22:17:51:859 5672 Aavmker4 (a5246ed2586aa807af0bcf63165a71cc) C:\WINDOWS\system32\drivers\Aavmker4.sys
22:17:52:343 5672 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
22:17:52:406 5672 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
22:17:52:562 5672 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
22:17:52:640 5672 AFD (322d0e36693d6e24a2398bee62a268cd) C:\WINDOWS\System32\drivers\afd.sys
22:17:52:890 5672 AN983 (116bff96077a4a724e0aab800525ceb5) C:\WINDOWS\system32\DRIVERS\AN983.sys
22:17:53:171 5672 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
22:17:53:390 5672 ASAPIW2K (875f9079cabee679d34b49e466b61701) C:\WINDOWS\system32\Drivers\ASAPIW2K.sys
22:17:53:671 5672 aswFsBlk (1b6ed99291ddf5d2501554cc5757aab6) C:\WINDOWS\system32\drivers\aswFsBlk.sys
22:17:53:703 5672 aswMon2 (81432b1a4b31036c822eb967decf613c) C:\WINDOWS\system32\drivers\aswMon2.sys
22:17:53:750 5672 aswRdr (3e2b6112d2766f87eda8466fde86a986) C:\WINDOWS\system32\drivers\aswRdr.sys
22:17:53:828 5672 aswSP (d78b644816db540e103d0b0766fd9967) C:\WINDOWS\system32\drivers\aswSP.sys
22:17:54:000 5672 aswTdi (606d731008d98b6ef946730c597c1642) C:\WINDOWS\system32\drivers\aswTdi.sys
22:17:54:312 5672 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
22:17:54:484 5672 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
22:17:54:734 5672 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
22:17:54:796 5672 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
22:17:54:984 5672 Avc (87c223adb8f7596b31caae3c67b16ddd) C:\WINDOWS\system32\DRIVERS\avc.sys
22:17:55:500 5672 AVCSTRM (867d73a2e43b2ddaf0b0263f88e217ac) C:\WINDOWS\system32\DRIVERS\avcstrm.sys
22:17:55:625 5672 AvgLdx86 (9c0a7e6d3cb9a8a7ad4e4575d9a42e94) C:\WINDOWS\system32\Drivers\avgldx86.sys
22:17:56:000 5672 AvgMfx86 (53b3f979930a786a614d29cafe99f645) C:\WINDOWS\system32\Drivers\avgmfx86.sys
22:17:56:312 5672 AvgTdiX (6e11bbc8dc5af836adc9c5f682fa3186) C:\WINDOWS\system32\Drivers\avgtdix.sys
22:17:56:515 5672 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
22:17:57:390 5672 BHDrvx86 (87c00decc19bd995217a4a5fdd4d638c) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20100619.001\BHDrvx86.sys
22:17:57:671 5672 BootScreen (0a694e8fcc5f29c1f40b4d9a4c853d4c) C:\WINDOWS\System32\drivers\vidstub.sys
22:17:57:750 5672 BVRPMPR5 (6598d078d5446197aed6b46c6a2a3431) C:\WINDOWS\system32\drivers\BVRPMPR5.SYS
22:17:57:812 5672 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
22:17:57:921 5672 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
22:17:58:140 5672 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
22:17:58:234 5672 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
22:17:58:281 5672 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
22:17:58:375 5672 COMMONFX (ef44c32b1aef62380426b260bf2c66f1) C:\WINDOWS\system32\drivers\COMMONFX.SYS
22:17:58:390 5672 COMMONFX.SYS (ef44c32b1aef62380426b260bf2c66f1) C:\WINDOWS\System32\drivers\COMMONFX.SYS
22:17:58:468 5672 ctac32k (357c534b38019b597f51c8bf7186c118) C:\WINDOWS\system32\drivers\ctac32k.sys
22:17:58:500 5672 ctaud2k (691f8259a1f9c983356d8db2cde8043c) C:\WINDOWS\system32\drivers\ctaud2k.sys
22:17:58:546 5672 CTAUDFX (7fc78aa6521ef3d9f16e51efab0bf13b) C:\WINDOWS\system32\drivers\CTAUDFX.SYS
22:17:58:609 5672 CTAUDFX.SYS (7fc78aa6521ef3d9f16e51efab0bf13b) C:\WINDOWS\System32\drivers\CTAUDFX.SYS
22:17:58:703 5672 ctdvda2k (8545d70b0335a05498f34e7e3f8ca9a2) C:\WINDOWS\system32\drivers\ctdvda2k.sys
22:17:58:781 5672 CTERFXFX (16f448354067914e7deaea709011bd60) C:\WINDOWS\system32\drivers\CTERFXFX.SYS
22:17:58:828 5672 CTERFXFX.SYS (16f448354067914e7deaea709011bd60) C:\WINDOWS\System32\drivers\CTERFXFX.SYS
22:17:58:890 5672 ctprxy2k (4d71541283aea28fb839007be90b5fc7) C:\WINDOWS\system32\drivers\ctprxy2k.sys
22:17:58:937 5672 CTSBLFX (64c83684661be137023f5186a612cf34) C:\WINDOWS\system32\drivers\CTSBLFX.SYS
22:17:58:984 5672 CTSBLFX.SYS (64c83684661be137023f5186a612cf34) C:\WINDOWS\System32\drivers\CTSBLFX.SYS
22:17:59:031 5672 ctsfm2k (632194572ebde8d461728cf382a7e964) C:\WINDOWS\system32\drivers\ctsfm2k.sys
22:17:59:109 5672 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
22:17:59:218 5672 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
22:17:59:265 5672 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\DRIVERS\dmio.sys
22:17:59:296 5672 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
22:17:59:375 5672 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
22:17:59:437 5672 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
22:17:59:578 5672 eeCtrl (089296aedb9b72b4916ac959752bdc89) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
22:17:59:640 5672 ElbyCDFL (c61c83501268b0110b5c5db7e63dee0c) C:\WINDOWS\system32\Drivers\ElbyCDFL.sys
22:17:59:703 5672 ElbyCDIO (aaa8999a169e39fb8b48ae49cd6ac30a) C:\WINDOWS\system32\Drivers\ElbyCDIO.sys
22:17:59:750 5672 ElbyDelay (e205c313417da6fa7afe85912a310a65) C:\WINDOWS\system32\Drivers\ElbyDelay.sys
22:17:59:812 5672 emupia (bacd9cc06d7a787e529e7ebf56b671aa) C:\WINDOWS\system32\drivers\emupia2k.sys
22:17:59:843 5672 EraserUtilRebootDrv (850259334652d392e33ee3412562e583) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
22:17:59:921 5672 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
22:17:59:937 5672 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
22:18:00:031 5672 FilterService (a10442db6c979d658f2430ec2156e603) C:\WINDOWS\system32\DRIVERS\lvuvcflt.sys
22:18:00:093 5672 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
22:18:00:203 5672 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
22:18:00:250 5672 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
22:18:00:328 5672 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
22:18:00:359 5672 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
22:18:00:421 5672 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
22:18:00:484 5672 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
22:18:00:531 5672 giveio (77ebf3e9386daa51551af429052d88d0) C:\WINDOWS\system32\giveio.sys
22:18:00:609 5672 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
22:18:00:703 5672 ha10kx2k (70606233f3ed0e53cb3ea17f846d6a4f) C:\WINDOWS\system32\drivers\ha10kx2k.sys
22:18:00:765 5672 hamachi (7929a161f9951d173ca9900fe7067391) C:\WINDOWS\system32\DRIVERS\hamachi.sys
22:18:00:796 5672 hap16v2k (a0c69ad2a61e576b0207acdd9626e167) C:\WINDOWS\system32\drivers\hap16v2k.sys
22:18:00:875 5672 hap17v2k (2ee89452c574d259ada4fc9fc1c07243) C:\WINDOWS\system32\drivers\hap17v2k.sys
22:18:00:937 5672 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
22:18:00:984 5672 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
22:18:01:062 5672 HPW5ECP (930f1cdf865346cb6746ba87de7df717) C:\WINDOWS\System32\drivers\HPW5ECP.SYS
22:18:01:140 5672 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys
22:18:01:250 5672 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
22:18:01:515 5672 IDSxpx86 (231c3f6d5c520e99924e1e37401a90c4) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20100702.001\IDSxpx86.sys
22:18:01:562 5672 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
22:18:01:734 5672 IntcAzAudAddService (60d7460b07012d364ced11dd9fd83e1f) C:\WINDOWS\system32\drivers\RtkHDAud.sys
22:18:01:937 5672 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
22:18:01:984 5672 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
22:18:02:078 5672 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
22:18:02:125 5672 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
22:18:02:203 5672 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
22:18:02:234 5672 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
22:18:02:296 5672 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
22:18:02:343 5672 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
22:18:02:406 5672 Iviaspi (4ac11b2250106774f694df2db4ffed61) C:\WINDOWS\system32\drivers\iviaspi.sys
22:18:02:437 5672 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
22:18:02:500 5672 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
22:18:02:546 5672 klmd23 (316353165feba3d0538eaa9c2f60c5b7) C:\WINDOWS\system32\drivers\klmd.sys
22:18:02:625 5672 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
22:18:02:656 5672 KSecDD (1705745d900dabf2d89f90ebaddc7517) C:\WINDOWS\system32\drivers\KSecDD.sys
22:18:02:718 5672 L8042Kbd (ac728768de636093b4d5ae6361cfadae) C:\WINDOWS\system32\DRIVERS\L8042Kbd.sys
22:18:02:812 5672 LHidFilt (75415a95c589a07d6c97baa2d4143916) C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys
22:18:02:828 5672 LMouFilt (fcb3f81ac07b8608f921134237823b88) C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys
22:18:02:859 5672 LUsbFilt (ff1c2f90d40a2e52649937854e175987) C:\WINDOWS\system32\Drivers\LUsbFilt.Sys
22:18:02:937 5672 Lvckap (e14bb5b8123913a45f979ae8ec131a89) C:\WINDOWS\system32\drivers\Lvckap.sys
22:18:03:140 5672 lvmvdrv (d20f9b5f9a5d41f64601a38284f68c48) C:\WINDOWS\system32\drivers\lvmvdrv.sys
22:18:03:234 5672 LVPrcMon (c9c06cd6462136bf4028fec33549c43b) C:\WINDOWS\system32\drivers\LVPrcMon.sys
22:18:03:281 5672 LVUSBSta (f2266299597815326b0703476939bfcb) C:\WINDOWS\system32\drivers\lvusbsta.sys
22:18:03:359 5672 LVUVC (69c00133341c2299b3c57be86c9da9ba) C:\WINDOWS\system32\DRIVERS\lvuvc.sys
22:18:03:453 5672 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
22:18:03:500 5672 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
22:18:03:546 5672 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
22:18:03:609 5672 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
22:18:03:687 5672 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
22:18:03:750 5672 MPE (c0f8e0c2c3c0437cf37c6781896dc3ec) C:\WINDOWS\system32\DRIVERS\MPE.sys
22:18:03:875 5672 MREMP50 (80b2ec735495823ae5771a5f603e73bd) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
22:18:03:921 5672 MRESP50 (37d7c22f7e26da90e2d2d260e5d27846) C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS
22:18:04:000 5672 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
22:18:04:078 5672 MRxSmb (68755f0ff16070178b54674fe5b847b0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
22:18:04:109 5672 MSDV (6dd721dfd2648f3f6d5808b5ba6cb095) C:\WINDOWS\system32\DRIVERS\msdv.sys
22:18:04:140 5672 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
22:18:04:171 5672 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
22:18:04:187 5672 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
22:18:04:218 5672 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
22:18:04:250 5672 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
22:18:04:312 5672 MSTAPE (74a538deade5ea5f9762f488c7904127) C:\WINDOWS\system32\DRIVERS\mstape.sys
22:18:04:343 5672 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
22:18:04:390 5672 MTsensor (d48659bb24c48345d926ecb45c1ebdf5) C:\WINDOWS\system32\DRIVERS\ASACPI.sys
22:18:04:421 5672 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
22:18:04:468 5672 MXOPSWD (216ac775320f64de28cfeb7c179c4ff9) C:\WINDOWS\system32\DRIVERS\mxopswd.sys
22:18:04:546 5672 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
22:18:04:937 5672 NAVENG (83518e6cc82bdc3c3db0c12d1c9a2275) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20100702.021\NAVENG.SYS
22:18:05:031 5672 NAVEX15 (85cf37740fe06c7a2eaa7f6c81f0819c) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20100702.021\NAVEX15.SYS
22:18:05:140 5672 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
22:18:05:171 5672 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
22:18:05:234 5672 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
22:18:05:921 5672 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
22:18:06:031 5672 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
22:18:06:109 5672 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
22:18:06:140 5672 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
22:18:06:156 5672 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
22:18:06:218 5672 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
22:18:06:250 5672 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
22:18:06:312 5672 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
22:18:06:343 5672 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
22:18:06:625 5672 nv (f8be83f0c686533170f7537e94bf411a) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
22:18:06:890 5672 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
22:18:06:921 5672 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
22:18:06:984 5672 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
22:18:07:046 5672 ossrv (ae896073e1bbf98fefc2ec52f62c0fba) C:\WINDOWS\system32\drivers\ctoss2k.sys
22:18:07:109 5672 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
22:18:07:140 5672 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
22:18:07:234 5672 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
22:18:07:250 5672 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
22:18:07:281 5672 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
22:18:07:328 5672 PCLEPCI (1bebe7de8508a02650cdce45c664c2a2) C:\WINDOWS\system32\drivers\pclepci.sys
22:18:07:390 5672 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
22:18:07:531 5672 PenClass (4a108cc9cc0e0605e68cce7021479879) C:\WINDOWS\system32\Drivers\PenClass.sys
22:18:07:671 5672 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
22:18:07:765 5672 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
22:18:07:812 5672 Prvflder (6395877be921df88f7ac298f5a7ec1be) C:\WINDOWS\system32\DRIVERS\prvflder.sys
22:18:07:828 5672 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
22:18:07:859 5672 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
22:18:07:890 5672 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys
22:18:08:046 5672 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
22:18:08:078 5672 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
22:18:08:109 5672 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
22:18:08:140 5672 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
22:18:08:187 5672 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
22:18:08:203 5672 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
22:18:08:265 5672 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
22:18:08:328 5672 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
22:18:08:390 5672 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
22:18:08:531 5672 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
22:18:08:578 5672 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
22:18:08:640 5672 SCREAMINGBDRIVER (024411d283226deb158b88a465cb555c) C:\WINDOWS\system32\drivers\ScreamingBAudio.sys
22:18:08:968 5672 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
22:18:09:031 5672 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
22:18:09:093 5672 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
22:18:09:156 5672 sfdrv01 (4c0d673281178cb496011a2e28571fc8) C:\WINDOWS\system32\drivers\sfdrv01.sys
22:18:09:171 5672 sfhlp02 (15be2b5e4dc5b8623cf167720682abc9) C:\WINDOWS\system32\drivers\sfhlp02.sys
22:18:09:203 5672 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
22:18:09:218 5672 sfvfs02 (d5a7e09d2c6a702809e49190d52adc9f) C:\WINDOWS\system32\drivers\sfvfs02.sys
22:18:09:265 5672 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
22:18:09:312 5672 snapman (b6aa9bbff890ffea333ffe81d0b888ff) C:\WINDOWS\system32\DRIVERS\snapman.sys
22:18:09:390 5672 speedfan (5d6401db90ec81b71f8e2c5c8f0fef23) C:\WINDOWS\system32\speedfan.sys
22:18:09:468 5672 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
22:18:09:515 5672 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
22:18:09:640 5672 SRTSP (ec5c3c6260f4019b03dfaa03ec8cbf6a) C:\WINDOWS\System32\Drivers\N360\0402000.00C\SRTSP.SYS
22:18:09:656 5672 SRTSPX (55d5c37ed41231e3ac2063d16df50840) C:\WINDOWS\System32\drivers\N360\0402000.00C\SRTSPX.SYS
22:18:09:718 5672 Srv (5252605079810904e31c332e241cd59b) C:\WINDOWS\system32\DRIVERS\srv.sys
22:18:09:750 5672 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
22:18:09:812 5672 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
22:18:09:828 5672 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
22:18:09:953 5672 SymDS (56890bf9d9204b93042089d4b45ae671) C:\WINDOWS\system32\drivers\N360\0402000.00C\SYMDS.SYS
22:18:10:062 5672 SymEvent (961b48b86f94d4cc8ceb483f8aa89374) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
22:18:10:140 5672 SymIRON (dc80fbf0a348e54853ef82eed4e11e35) C:\WINDOWS\System32\drivers\N360\0402000.00C\Ironx86.SYS
22:18:10:218 5672 SYMTDI (41aad61f87ca8e3b5d0f7fe7fba0797d) C:\WINDOWS\System32\Drivers\N360\0402000.00C\SYMTDI.SYS
22:18:10:328 5672 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
22:18:10:359 5672 Tcpip (93ea8d04ec73a85db02eb8805988f733) C:\WINDOWS\system32\DRIVERS\tcpip.sys
22:18:10:437 5672 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
22:18:10:468 5672 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
22:18:10:500 5672 TermDD (43467a43c8f2be5405e6f4af496be671) C:\WINDOWS\system32\DRIVERS\termdd.sys
22:18:10:500 5672 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\termdd.sys. Real md5: 43467a43c8f2be5405e6f4af496be671, Fake md5: a540a99c281d933f3d69d55e48727f47
22:18:10:515 5672 File "C:\WINDOWS\system32\DRIVERS\termdd.sys" infected by TDSS rootkit ... 22:18:11:875 5672 Backup copy found, using it..
22:18:11:921 5672 will be cured on next reboot
22:18:12:031 5672 tifsfilter (b84b82c0cbeb1b0d7eb7a946bade5830) C:\WINDOWS\system32\DRIVERS\tifsfilt.sys
22:18:12:062 5672 timounter (74711884439bdf9ccf446c79cb05fac0) C:\WINDOWS\system32\DRIVERS\timntr.sys
22:18:12:171 5672 TPkd (5f226c681049fb1df1578af32bb641f1) C:\WINDOWS\system32\drivers\TPkd.sys
22:18:12:218 5672 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
22:18:12:328 5672 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
22:18:12:406 5672 USB28xxBGA (56b0b784e0ed3b6a9beb67f63cd6d4a2) C:\WINDOWS\system32\DRIVERS\emBDA.sys
22:18:12:437 5672 USB28xxOEM (d74634509e22ea69692ea173586db8e6) C:\WINDOWS\system32\DRIVERS\emOEM.sys
22:18:12:531 5672 usbaudio (45a0d14b26c35497ad93bce7e15c9941) C:\WINDOWS\system32\drivers\usbaudio.sys
22:18:12:640 5672 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
22:18:12:718 5672 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
22:18:12:750 5672 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
22:18:12:796 5672 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
22:18:12:953 5672 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
22:18:13:015 5672 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
22:18:13:218 5672 VClone (e986f81fa0b3aed21f188a0fd044d80e) C:\WINDOWS\system32\DRIVERS\VClone.sys
22:18:13:281 5672 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
22:18:13:359 5672 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
22:18:13:390 5672 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
22:18:13:500 5672 Wdf01000 (bbcfeab7e871cddac2d397ee7fa91fdc) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
22:18:13:578 5672 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
22:18:13:656 5672 WpdUsb (c1b3d9d75c3fb735f5fa3a5806aded57) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
22:18:13:734 5672 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
22:18:13:828 5672 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
22:18:13:843 5672 zumbus (f8b34c0d36164a44d05ce2082b6a9350) C:\WINDOWS\system32\DRIVERS\zumbus.sys
22:18:13:859 5672 Reboot required for cure complete..
22:18:14:453 5672 Cure on reboot scheduled successfully
22:18:14:453 5672
22:18:14:453 5672 Completed
22:18:14:453 5672
22:18:14:453 5672 Results:
22:18:14:453 5672 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
22:18:14:453 5672 File objects infected / cured / cured on reboot: 1 / 0 / 1
22:18:14:453 5672
22:18:14:453 5672 KLMD(ARK) unloaded successfully

Lelldorianx
2010-07-03, 06:15
Had to uninstall avast for this, the self-defense feature in Avast would not allow me to disable it. It says my Combofix Logs are too long. I can't even post it in parts, as it is over 630,000 characters long (yeah, no joke). Likely a result of my 1.5TB? So... I am uploading it to my website so you can view it. http://gamersnexus.net/files/lelldorianx/combofixlog.txt

Hope this helps, of course you can copy & paste this text into your own txt file to enable word wrapping. I have also attached the file to this post.

shelf life
2010-07-03, 16:39
TDSSkiller removed a file so see if things are better now. I will get a better look at the combofix log.

Looks like you have more than 1 antivirus installed. Only need one (active) AV on a machine. More is not better in this case.

Lelldorianx
2010-07-03, 17:35
I still feel like my system is a little slower than normally when I start launching web browsers, but Norton has not warned me about any infiltrations. Thanks for the advice, if you don't mind, which resident shield AV do you prefer? Norton, Avast, AVG...?

Thanks a lot for the help! If nothing else, TDSSKiller seems to have stopped the intrusions. I'll keep an eye out for the SVC issue I spoke of.

Thanks!!! I'll check back as soon as I find something (or if you post another reply, of course).

shelf life
2010-07-03, 23:15
ok good. For sure remove two of your AV using the add/remove programs panel. Which one to keep? I really have no preference for one over the other two. There is no magic AV solution.

A big part of any 'resident shield' is simply practicing a few good computer habits.

We will use combofix:

Click Start, then Run and type Notepad and click OK.
Copy/paste the text in the code box below into notepad:



File::
c:\windows\system32\drivers\hxhxrfau.sys
c:\windows\system32\rindar.sys
c:\docume~1\ADMINI~1\LOCALS~1\Temp\SJMTIDWPNL.exe

Driver::
igsvcngq
rindar
SJMTIDWPNL
chhrwx


Name the Notepad file CFScript.txt and Save it to your desktop.
now locate the file you just saved and the combofix icon, both on your desktop
using your mouse drag the CFScript right on top of the combofix icon and release, combofix will run and produce a new log
please post the new combofix log and a new hjt log.

Lelldorianx
2010-07-04, 18:47
Now it's only 140,000 characters. Attached once again.

I noticed something weird with google yesterday - I doubt it is my browser (FireFox 3.6.x), but it may be. I ran several dozen searches to ensure I no longer had the redirect malware, and I noticed that if I open a result in a new tab and then go back to the google tab, I can't use the search button on the page anymore. I have to reload google to do so. Maybe it's a scripting error? The search button is probably JS or something.

Don't worry about it too much. I'll attach HJT next.

Lelldorianx
2010-07-04, 18:48
HJT log to supplement the above ComboFix log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:48:25 AM, on 7/4/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\Program Files\Norton 360 Premier Edition\Engine\4.2.0.12\ccSvcHst.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Google\Update\1.2.183.29\GoogleCrashHandler.exe
C:\Program Files\Norton 360 Premier Edition\Engine\4.2.0.12\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Norton 360 Premier Edition\Engine\4.2.0.12\MCUI32.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360 Premier Edition\Engine\4.2.0.12\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360 Premier Edition\Engine\4.2.0.12\IPSBHO.DLL
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360 Premier Edition\Engine\4.2.0.12\coIEPlg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Administrator\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15112/CTPID.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - e:\games\steam\steamapps\common\dragon age origins\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: DCS Loader (DCSLoader) - Oki Data Corporation - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360 Premier Edition\Engine\4.2.0.12\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 9522 bytes

shelf life
2010-07-04, 22:41
hi,

not sure about the google problem. As long as you dont end up at some strange site. The combofix log and the hjt log look ok as far as malware goes. Removing 2 AV has had to help system resources for the better.

Lelldorianx
2010-07-05, 01:04
Yeah, for sure. I have a decent machine, but I guess the way those programs work it still slowed down. I've decided to stick with Avast for now with Malwarebytes on leash in case.

Thanks a lot for your help! I re-installed firefox, appears it was just some sort of plugin conflict, no viruses. Before this thread is closed... could you point me to a place where I can read about how you (the experts on this forum) know what looks good and bad in things like HJT and ComboFix? It's a great skill to learn!

Thank you!!!

shelf life
2010-07-05, 03:49
ok good. Couple of things you can do. You can remove combofix like this:

start>run and type in combofix /uninstall
note the space after the x and before the /

Since you are keeping Avast as your AV you might want to run this Norton uninstaller, it may do a better job for some left overs.I think it covers your version. Its here. (http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039)

Note that the free version of Malwarebytes must be updated manually and a scan started manually. The paid version offers real time protection that runs in the background and auto updating.

Last you can make a new restore point. The how and the why:

One of the features of Windows XP,Vista and Windows 7 is the System Restore option, however if malware infects a computer it is possible that the malware could be backed up in the System Restore archive. Therefore, clearing the restore points is a good idea after malware is removed and your computer appears to be functioning ok.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore. (deletes old possibly infected restore point)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.(creates a new restore points on a clean system)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK, then reboot

There are some sites that offer 'schools' one can attend. There is a rather long thread about it here. (http://forums.spybot.info/showthread.php?t=10777)

And last some tips to help you remain malware free:

10 Tips for Reducing/Preventing Your Risk To Malware:

In no special order

1) It is essential to keep your OS (http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us),(Windows) browser (IE, FireFox) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update frequently or use the Windows auto-update feature. Staying updated is also necessary for web based applications like Java, Adobe Flash/Reader, QuickTime etc. Check there current version status here. (http://secunia.com/vulnerability_scanning/online/)

2) Know what you are installing to your computer. Alot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. More and more legitimate software is installing useless toolbars if not unchecked first. Do not install any files from ads, popups or random links. Do not fall for fake warnings about virus and trojans being found on your computer and you are then prompted to install software to remedy this. See also the signs (http://www.virusvault.us/signs1.html)that you may have malware on your computer.

3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. If either of these frequently find malware then its time to *review your computer habits*. *There is no reason why your computer can not stay malware free.*

4) Refrain from clicking on links or attachments via E-Mail, IM, IRC, Chat Rooms, Blogs or Social Networking Sites, no matter how tempting or legitimate the message may seem. See also E-mail phishing Tricks (http://www.fraud.org/tips/internet/phishing.htm).

5) Do not click on ads/pop ups or offers from websites requesting that you need to install software to your computer--*for any reason*. Use the Alt+F4 keys to close the window.

6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website to install components?

7) Consider the use of limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts (http://www.microsoft.com/protect/computer/advanced/useraccount.mspx) can help prevent *malware from installing and lessen its potential impact.* This is exactly what user account control (UAC) in Windows Vista and Windows 7 attempts to address.

8) Install and understand the *limitations* of a software firewall.

9) A tool (http://nsslabs.com/general/ie8-hardening-tool.html)for automatically hardening and securing Internet Explorer 8.0. Requires site registration for downloading. Changes some of the default settings of IE 8.0, Read the FAQ's. Or see a slide show Here (http://threatpost.com/en_us/slideshow/How%20to%20configure%20Internet%20Explorer%20for%20secure%20surfing) and do it yourself.

10) Warez, cracks etc are very popular for carrying all kinds of malware payloads. If you look for these you will encounter malware. If you download/install files via p2p networks, then you are also much more likely to encounter malicious code in a downloaded file. Can you really trust the source of the file? Do you really need another malware source?

Longer version in links below.

Happy Safe Surfing.