Win32.Zafi.B & Downloader.MisleadApp-HJT Scan

Symantec Instances

They are at:

c:\doccumentsandsettings\all users\application data\symantec\srtsp\quarantine\apg24.tmp

c:\doccumentsandsettings\all users\application data\symantec\srtsp\quarantine\apg25.tmp

c:\doccumentsandsettings\all users\application data\symantec\srtsp\quarantine\apg26.tmp

I scan with Symantec and delete them but they come back. All 3 are named Backdoor.Tidserv.

Thanks,

Mike
 
Looking through the screenshot you posted, the Trojan.Bris.A!nf files are the files we recently moved with OTMoveIT3, they are harmless where they are. We'll be removing them this post, along with the apgXX.tmp files as well. You also have some infected System Restore points, I'll have you clear those out in this post and set a new, clean one as well.

=======

Run OTMoveIt3

  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :files
    c:\Doccuments and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\apg24.tmp
    c:\Doccuments and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\apg25.tmp
    c:\Doccuments and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\apg26.tmp

  • Return to OTMoveIt3, right click in the "Paste List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


To clear your existing system restore points and establish a new clean restore point, do the following:

  • Go to Start > All Programs > Accessories > System Tools > System Restore
  • Select Create a restore point, and Ok it.
  • Next, go to Start > Run and type in cleanmgr
  • Make sure the C:\ drive is selected and click OK. If your computer's Hard Drive is not located on C:, change it to the correct drive letter then click OK.
  • Select the More options tab
  • Choose the option to clean up system restore and OK it.
  • This will remove all restore points except the new one you just created.

Clearing your restore points is not something you should do on a regular basis. Normally, this process only needs to be done after clearing out an infestation of malware.


Be sure to post the latest OTMoveIt3 log before you do this next step:

Please open OTMoveIt3.

  • Click on the CleanUp! button. If your Firewall gives a warning about OTMoveIt wanting to download a file, allow it.
  • Answer Yes to the prompt.
  • The program will ask for a reboot. Answer Yes.


Finally, do another scan with Norton and let me know if Backdoor.Tidserv (or anything else) shows up.
 
OTMove Log file

========== FILES ==========
File/Folder c:\Doccuments and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\apg24.tmp not found.
File/Folder c:\Doccuments and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\apg25.tmp not found.
File/Folder c:\Doccuments and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\apg26.tmp not found.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02072009_162254
 
Still Having Virus Detections

Virus detections are continuing. Have I missed something here?

Thanks-

Mike
 
Did you remove your old and infected System Restore points and set a new, clean one? And did you remove OTMoveIT3 after you last ran it?

The instructions for both are at the bottom of post #24 in the thread.
 
Please open OTMoveIt3.

  • Click on the CleanUp! button. If your Firewall gives a warning about OTMoveIt wanting to download a file, allow it.
  • Answer Yes to the prompt.
  • The program will ask for a reboot. Answer Yes.

After OTMoveIT3 is removed, run another scan with Norton. If anything is found, post back the results showing what was found. If nothing was found, let me know that too. :)
 
Symantec Scan 020909

Ok did as you said. Those 3 files are still found by Symantec. See the attached.

Thanks for everything,

Mike
 
When doing the scan with Norton, where does Norton say the original location (before they are sent to Norton's quarantine) of those three files is? Or do they appear in Norton's quarantine every time you delete them and then do a rescan?
 
Norton

I believe they live somewhere in the documents and settings but you are seeing what I am. I tell Norton to delete them but they keep coming back. Thanks.-Mike
 
Something is bringing those files back even though you tell Norton to delete them, let's see if we can find it:

Step # 1: Download and Run Gmer

Please download gmer.zip from Gmer and save it to your desktop.

***Please close any open programs ***

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.


If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click Yes.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.
If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked.
  • Click the Scan button and let the program do its work. GMER will produce a log.
  • Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.

DO NOT touch the PC at ALL for Whatever reason/s until it has 100% completed its scan, or attempted scan in case of some error etc !

Please post the results from the GMER scan in your reply.
 
GMER_log_021109

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-11 21:32:32
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT 86DE7090 ZwAlertResumeThread
SSDT 86E66798 ZwAlertThread
SSDT 86FC79C0 ZwAllocateVirtualMemory
SSDT 86CBACB8 ZwCreateMutant
SSDT 865ED108 ZwCreateThread
SSDT 86F60C80 ZwFreeVirtualMemory
SSDT 86E13090 ZwImpersonateAnonymousToken
SSDT 86E0E090 ZwImpersonateThread
SSDT 86D39B20 ZwMapViewOfSection
SSDT 86CF1E28 ZwOpenEvent
SSDT 86CC9A78 ZwOpenProcessToken
SSDT 86F709D8 ZwOpenThreadToken
SSDT 86C6CB60 ZwResumeThread
SSDT 86EC8AC8 ZwSetContextThread
SSDT 86AE4C28 ZwSetInformationProcess
SSDT 86EF8BF8 ZwSetInformationThread
SSDT 86CF5E28 ZwSuspendProcess
SSDT 86EC89F0 ZwSuspendThread
SSDT 86C6CB28 ZwTerminateProcess
SSDT 86EAA3F0 ZwTerminateThread
SSDT 86B9DA78 ZwUnmapViewOfSection
SSDT 86C5FAF8 ZwWriteVirtualMemory

---- EOF - GMER 1.0.14 ----
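The GMER log above lists about twenty SSDT hooks, every one of them shown as a raw kernel address rather than a driver path. As an added example (not GMER's code and not part of this thread), the script below parses that `SSDT <address-or-module> <ZwFunction>` format, groups the hooked services by the object they act on (thread, process, memory, token, synchronisation, registry), and flags the entries GMER could not attribute to a loaded module. The sample input is a constructed subset of the posted log plus one extra line in the form GMER uses when it can name the hooking driver (the driver name and bracketed address on that line are made up for illustration, and that line format is an assumption). The grouping shows the reader that the hook set is the kind a behaviour-blocking AV/HIPS driver installs, and the machine does run Symantec Endpoint Protection, but attribution cannot be settled from this log alone; that is why unattributed entries are reported separately rather than labelled as either benign or malicious.

```python
"""Summarise the SSDT section of a GMER log (added example, not GMER's own code)."""
import re
from collections import defaultdict

# Constructed sample: a subset of the log posted in the thread, plus one line
# in the attributed form GMER uses when it can name the hooking module.
# The driver name and bracketed address on that last line are invented.
SAMPLE_LOG = """\
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-11 21:32:32
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.14 ----

SSDT 86DE7090 ZwAlertResumeThread
SSDT 86FC79C0 ZwAllocateVirtualMemory
SSDT 865ED108 ZwCreateThread
SSDT 86CC9A78 ZwOpenProcessToken
SSDT 86C6CB28 ZwTerminateProcess
SSDT 86C5FAF8 ZwWriteVirtualMemory
SSDT \\SystemRoot\\system32\\drivers\\example.sys ZwCreateKey [0xF7C55B80]

---- EOF - GMER 1.0.14 ----
"""

SSDT_LINE = re.compile(r"^SSDT\s+(\S+)\s+(Zw\w+)")
HEX_ADDR = re.compile(r"^[0-9A-Fa-f]{8}$")

# Rough grouping of Zw* services by the object they act on. Order matters:
# "Token" is tested before "Process"/"Thread" so ZwOpenProcessToken lands in token.
CATEGORIES = (
    ("token", ("Token",)),
    ("thread", ("Thread",)),
    ("process", ("Process",)),
    ("memory", ("VirtualMemory", "ViewOfSection")),
    ("sync", ("Mutant", "Event")),
    ("registry", ("Key",)),
)


def categorise(func):
    """Return the category name for a Zw* service, or 'other'."""
    for name, needles in CATEGORIES:
        if any(n in func for n in needles):
            return name
    return "other"


def parse_ssdt(log_text):
    """Return one dict per SSDT hook line: function, target, attributed, category."""
    hooks = []
    for line in log_text.splitlines():
        m = SSDT_LINE.match(line.strip())
        if not m:
            continue
        target, func = m.group(1), m.group(2)
        hooks.append({
            "function": func,
            "target": target,
            # A bare 8-digit hex value means GMER printed a raw address rather
            # than the path of the module that owns the hook.
            "attributed": HEX_ADDR.match(target) is None,
            "category": categorise(func),
        })
    return hooks


def summarise(hooks):
    """Group hooked services by category and list the unattributed ones."""
    by_cat = defaultdict(list)
    for h in hooks:
        by_cat[h["category"]].append(h["function"])
    unattributed = [h["function"] for h in hooks if not h["attributed"]]
    return {"total": len(hooks), "by_category": dict(by_cat), "unattributed": unattributed}


if __name__ == "__main__":
    s = summarise(parse_ssdt(SAMPLE_LOG))
    print(f"{s['total']} SSDT hooks, {len(s['unattributed'])} not attributed to a module")
    for cat, funcs in sorted(s["by_category"].items()):
        print(f"  {cat:9s} {', '.join(funcs)}")
```

To run it on a real log, read gmer.txt into a string and pass it to `parse_ssdt`; the full posted log yields thread, process, memory, token and sync groups with no attributed entries at all, which is the observation worth raising with the analyst rather than acting on.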
 
I'd like for you to delete ComboFix.exe from your computer.

Then download the latest version of ComboFix from one of the following links, save it to your Desktop, then run it:

Link 1
Link 2
Link 3

Post the ComboFix Log and a fresh HiJackThis Log in your next post.
 
Combofix_021209

ComboFix 09-02-12.03 - Thomas 2009-02-12 20:41:03.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.502 [GMT -5:00]
Running from: c:\documents and settings\Thomas\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-01-13 to 2009-02-13 )))))))))))))))))))))))))))))))
.

2009-02-11 21:58 . 2009-02-11 21:58 <DIR> d-------- c:\program files\iTunes
2009-02-11 21:58 . 2009-02-11 21:58 <DIR> d-------- c:\program files\iPod
2009-02-11 21:58 . 2009-02-11 21:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-11 21:56 . 2009-02-11 21:57 <DIR> d-------- c:\program files\QuickTime
2009-02-11 21:25 . 2009-02-11 21:25 250 --a------ c:\windows\gmer.ini
2009-02-11 20:48 . 2009-02-11 20:48 <DIR> d-------- c:\program files\Bonjour
2009-02-04 19:56 . 2009-02-04 19:56 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-04 19:56 . 2009-02-04 19:56 <DIR> d-------- c:\documents and settings\Thomas\Application Data\Malwarebytes
2009-02-04 19:56 . 2009-02-04 19:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-04 19:56 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-04 19:56 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-03 21:52 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2009-02-03 21:51 . 2008-04-13 20:12 159,232 --a------ c:\windows\system32\ptpusd.dll
2009-01-19 15:21 . 2009-01-21 17:21 53,874 --a------ c:\windows\Sysvxd.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-12 02:58 --------- d-----w c:\program files\Common Files\Apple
2009-01-19 18:39 --------- d-----w c:\documents and settings\Thomas\Application Data\ArcSoft
2009-01-19 18:39 --------- d-----w c:\documents and settings\Thomas\Application Data\Apple Computer
2009-01-19 18:39 --------- d-----w c:\documents and settings\Thomas\Application Data\acccore
2009-01-19 18:39 --------- d-----w c:\documents and settings\Thomas\Application Data\5000 Series
2009-01-01 04:23 --------- d-----w c:\program files\Common Files\Adobe
2008-12-31 23:39 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-31 23:39 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-12-31 23:38 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2008-12-31 23:38 60,800 ----a-w c:\windows\system32\S32EVNT1.DLL
2008-12-31 23:38 123,952 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2008-12-31 23:38 10,563 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2008-12-31 23:38 --------- d-----w c:\program files\Symantec
2008-12-31 23:35 --------- d-----w c:\program files\Common Files\Software Center
2008-12-31 23:32 --------- d-----w c:\program files\Java
2008-12-31 23:31 --------- d-----w c:\program files\HP
2008-12-31 20:53 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-12-21 15:58 --------- d-----w c:\documents and settings\Thomas\Application Data\U3
2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll
2008-12-12 16:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-12-12 16:11 61,440 ----a-w c:\windows\system32\dnssd.dll
2008-02-16 19:28 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
2008-10-26 17:34 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008102620081027\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-02-10 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-10 118784]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-31 136600]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-08-14 115560]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2008-02-16 118784]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-01-24 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-12-31 99376]
S3 WlanUIG;2Wire 802.11g USB Driver;c:\windows\system32\drivers\WlanUIG.sys [2004-04-08 347648]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5
*NewlyCreated* - IPOD_SERVICE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2009-02-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/?src=aim
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: turbotax.com
FF - ProfilePath - c:\documents and settings\Thomas\Application Data\Mozilla\Firefox\Profiles\irdw59wb.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.myspace.com/
FF - plugin: c:\documents and settings\Thomas\Application Data\Mozilla\Firefox\Profiles\irdw59wb.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07075003.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npampx3.0.84.2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-12 20:42:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-02-12 20:43:25
ComboFix-quarantined-files.txt 2009-02-13 01:43:22

Pre-Run: 101,017,546,752 bytes free
Post-Run: 101,186,351,104 bytes free

131 --- E O F --- 2009-02-12 01:50:03
 
Hjt_021209

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:45:04 PM, on 2/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Thomas\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 6209 bytes
 
Both the ComboFix and the HJT log you posted look good.

I'm going to ask for some help on this as to why those 3 files keep coming back.

I'll be back ASAP.
 
Try emptying Norton's Quarantine and see if that stops the 3 files from coming back:

1. Open Symantec Endpoint Protection by double-clicking the yellow shield icon in the system tray or by clicking Start|Programs (or All Programs)|Symantec Endpoint Protection|Symantec Endpoint Protection.

2. Click View quarantine.

3. Highlight all items in Quarantine. You can highlight multiple files by clicking the first file, then holding the shift key while you click the last file.

4. Click Delete to delete the items.

Once the 3 files have been removed from Norton's Quarantine, reboot your computer and then rescan with Norton. Let me know if they come up again or if they are gone for good.
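Earlier in the thread the helper asked whether the three apgXX.tmp items are the same files reappearing or new detections each time, and the quarantine listing alone cannot answer that. As an added example (not part of the thread and not a Symantec tool), the script below takes a snapshot of a folder (path and SHA-256 of every file), is meant to be run once before the items are deleted from Quarantine and once after the rescan, and then classifies each file in the second snapshot: same name with identical bytes, identical bytes under a new name, genuinely new content, or gone. The demo uses a temporary directory with constructed contents in place of the real SRTSP quarantine folder, and the "something brings them back" step is simulated by re-creating files by hand.

```python
"""Snapshot a folder and compare two snapshots by content (added example)."""
import hashlib
import os
import tempfile


def sha256_of(path, chunk=65536):
    """Hash a file in chunks so large quarantine items do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(folder):
    """Map relative path -> (size, sha256) for every file under folder."""
    snap = {}
    for root, _dirs, files in os.walk(folder):
        for name in files:
            full = os.path.join(root, name)
            snap[os.path.relpath(full, folder)] = (os.path.getsize(full), sha256_of(full))
    return snap


def compare(before, after):
    """Classify every file in `after` against `before`.

    same_path_same_content: back under the same name with identical bytes
    same_content_new_name:  identical bytes, different name (tuple: new, old)
    added:                  content not seen in the earlier snapshot
    removed:                present before, absent now
    """
    old_by_hash = {digest: path for path, (_size, digest) in before.items()}
    result = {"same_path_same_content": [], "same_content_new_name": [],
              "added": [], "removed": []}
    for path in sorted(after):
        digest = after[path][1]
        if path in before and before[path][1] == digest:
            result["same_path_same_content"].append(path)
        elif digest in old_by_hash:
            result["same_content_new_name"].append((path, old_by_hash[digest]))
        else:
            result["added"].append(path)
    result["removed"] = sorted(p for p in before if p not in after)
    return result


def run_demo():
    """Constructed scenario: three items, all deleted, two re-created.

    apg24.tmp comes back with the same bytes under the same name, apg25.tmp's
    bytes come back as apg27.tmp, and apg28.tmp is new content.
    """
    with tempfile.TemporaryDirectory() as q:  # stands in for the quarantine folder
        items = {"apg24.tmp": b"sample-A", "apg25.tmp": b"sample-B", "apg26.tmp": b"sample-C"}
        for name, data in items.items():
            with open(os.path.join(q, name), "wb") as f:
                f.write(data)
        first = snapshot(q)
        for name in items:  # the user deletes everything in Quarantine
            os.remove(os.path.join(q, name))
        for name, data in (("apg24.tmp", b"sample-A"), ("apg27.tmp", b"sample-B"),
                           ("apg28.tmp", b"brand-new")):
            with open(os.path.join(q, name), "wb") as f:
                f.write(data)
        second = snapshot(q)
        return compare(first, second)


if __name__ == "__main__":
    for kind, entries in run_demo().items():
        print(f"{kind:24s} {entries}")
```

On the real machine the two calls to `snapshot` would point at the SRTSP quarantine directory from the thread, with the first snapshot saved to disk (for example with `json.dump`) before the reboot and rescan. A result dominated by `same_path_same_content` or `same_content_new_name` says the same detection is being re-quarantined from a persistent source, which is the case the helper's restore-point and quarantine-emptying steps address; a result dominated by `added` says fresh content is arriving and the source still has to be found.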
 