Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.


Antivirus Soft


Re: Antivirus Soft

Post by dalilbunnifufu » March 12th, 2010, 2:19 pm

I ran the Malwarebytes' Anti-Malware in safe mode. I also ran Rkill in normal, but the results were different this time. After that, I ran the Malwarebytes' Anti-Malware in normal mode. Here are the three logs:


Malwarebytes' Anti-Malware in safe mode (Quick Scan):


Malwarebytes' Anti-Malware 1.44
Database version: 3826
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

3/11/2010 3:59:57 PM
mbam-log-2010-03-11 (15-59-57).txt

Scan type: Quick Scan
Objects scanned: 139088
Time elapsed: 5 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oaemkplf (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Rkill in normal mode:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Francine Fua on 03/12/2010 at 8:25:06.


Processes terminated by Rkill or while it was running:


C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\vsnp325.exe
C:\Program Files\PCPitstop\DiskMD3\Reminder-Diskmd3.exe
C:\DOCUME~1\FRANCI~1\LOCALS~1\Temp\clclean.0001
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe
C:\Documents and Settings\Francine Fua\Desktop\rkill.exe


Rkill completed on 03/12/2010 at 8:25:38.


Malwarebytes' Anti-Malware in normal mode:


Malwarebytes' Anti-Malware 1.44
Database version: 3826
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/12/2010 8:48:55 AM
mbam-log-2010-03-12 (08-48-55).txt

Scan type: Quick Scan
Objects scanned: 125455
Time elapsed: 20 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
dalilbunnifufu
Regular Member
 
Posts: 20
Joined: February 25th, 2010, 6:12 pm

Re: Antivirus Soft

Post by deltalima » March 12th, 2010, 3:18 pm

Hi dalilbunnifufu,

After that, I ran the Malwarebytes' Anti-Malware in normal mode


That's good.

Run OTL Script

  • Double-click OTL.exe to start the program.
  • Copy and Paste the following code into the textbox. Do not include the word Code
    Code:
    :otl
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" = 0
    
  • Then click the Run Fix button at the top.
  • Click Image.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy and Paste that report in your next reply.

Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply and also let me know how your computer is running now.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Antivirus Soft

Post by dalilbunnifufu » March 12th, 2010, 4:40 pm

When I do the OTL custom scan, it says Processing O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file) at the bottom. After a while, it says Not Responding at the top and I have to close it down.

Also, when I go to the website, it won't let me click on Accept.
dalilbunnifufu
Regular Member
 
Posts: 20
Joined: February 25th, 2010, 6:12 pm

Re: Antivirus Soft

Post by deltalima » March 12th, 2010, 5:22 pm

Hi dalilbunnifufu,

it says Not Responding at the top and I have to close it down


OK, try this

Please re-open HijackThis and select Scan. Check the boxes next to all the entries listed below (if present):

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k


Now close all other open windows and then click on Fix Checked. Close HijackThis.

ESET online scanner

  • Please go Here then click on: Image
    Note: If using Mozilla Firefox, you will need to download esetsmartinstaller_enu.exe when prompted, then double-click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla Firefox.
  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed, select Uninstall application on close if you so wish; make sure you copy the logfile first!
  • Now click on: Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Please also let me know how the computer is running now.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Antivirus Soft

Post by dalilbunnifufu » March 13th, 2010, 2:56 pm

I did Hijack This.

However, when I did the ESET Online Scanner, after I clicked on Yes, I accept the Terms of Use, it says it can't update. Is proxy configured? When I try to configure the proxy settings, it asks for the proxy address, port, username, and password. How do I look these up?
dalilbunnifufu
Regular Member
 
Posts: 20
Joined: February 25th, 2010, 6:12 pm

Re: Antivirus Soft

Post by deltalima » March 13th, 2010, 4:28 pm

Hi dalilbunnifufu,

When I try to configure the proxy settings, it asks for the proxy address, port, username, and password


Please give me more information as to how you are connected to the Internet: dialup, ADSL or cable? Direct or through a router? Your router, or shared with someone else? Home network or company network? Normally there should be no reason to configure a proxy server, so I need to work out why.

Please also post a new HijackThis log.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Antivirus Soft

Post by dalilbunnifufu » March 13th, 2010, 5:59 pm

I have cable, it's through my wireless router, and a home network. There are other computers connected through the router at home.

Here's the Hijack Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:42:52 PM, on 3/13/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Francine Fua\My Documents\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Security Suite\Engine\3.8.0.41\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Security Suite\Engine\3.8.0.41\IPSBHO.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\3.8.0.41\coIEPlg.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [snp325] C:\WINDOWS\vsnp325.exe
O4 - HKLM\..\Run: [DLCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [PC Pitstop Diskmd3 Reminder] C:\Program Files\PCPitstop\DiskMD3\Reminder-Diskmd3.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} (PCPitstop AntiVirus) - http://utilities.pcpitstop.com/Extermin ... iVirus.dll
O16 - DPF: {94E5218F-9737-4FC2-8457-567B1FF23DC0} (diskhealth Class) - http://utilities.pcpitstop.com/DiskMD3/DiskMD3Ctrl.dll
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize3/pcpitstop2.dll
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Security Suite\Engine\3.8.0.41\coIEPlg.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: dlcd_device - - C:\WINDOWS\system32\dlcdcoms.exe
O23 - Service: dlcg_device - - C:\WINDOWS\system32\dlcgcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton Security Suite (N360) - Symantec Corporation - C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9206 bytes
dalilbunnifufu
Regular Member
 
Posts: 20
Joined: February 25th, 2010, 6:12 pm

Re: Antivirus Soft

Post by dalilbunnifufu » March 13th, 2010, 6:17 pm

The previous log wasn't right. The two files that you told me to fix were still there. Here's the new one:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:09:17 PM, on 3/13/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Francine Fua\My Documents\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Security Suite\Engine\3.8.0.41\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Security Suite\Engine\3.8.0.41\IPSBHO.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\3.8.0.41\coIEPlg.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [snp325] C:\WINDOWS\vsnp325.exe
O4 - HKLM\..\Run: [DLCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [PC Pitstop Diskmd3 Reminder] C:\Program Files\PCPitstop\DiskMD3\Reminder-Diskmd3.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} (PCPitstop AntiVirus) - http://utilities.pcpitstop.com/Extermin ... iVirus.dll
O16 - DPF: {94E5218F-9737-4FC2-8457-567B1FF23DC0} (diskhealth Class) - http://utilities.pcpitstop.com/DiskMD3/DiskMD3Ctrl.dll
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize3/pcpitstop2.dll
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Security Suite\Engine\3.8.0.41\coIEPlg.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: dlcd_device - - C:\WINDOWS\system32\dlcdcoms.exe
O23 - Service: dlcg_device - - C:\WINDOWS\system32\dlcgcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton Security Suite (N360) - Symantec Corporation - C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9101 bytes
dalilbunnifufu
Regular Member
 
Posts: 20
Joined: February 25th, 2010, 6:12 pm

Re: Antivirus Soft

Post by deltalima » March 13th, 2010, 6:25 pm

Hi dalilbunnifufu,

Please boot into Safe mode with network support.

Please re-open HijackThis and select Scan. Check the boxes next to all the entries listed below (if present):

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555

Now close all other open windows and then click on Fix Checked. Close HijackThis.

Now please reboot into normal mode.

Run Rkill

TDSSKiller
  • Download the file TDSSKiller.zip and save it on your desktop
  • Extract the file tdsskiller.zip; it will create a folder named tdsskiller on your desktop
  • Next double-click the tdsskiller Folder on your desktop.
  • Next right-click on tdsskiller.exe and click Copy, then Paste it directly on to your Desktop.
  • Highlight and copy the text in the codebox below.
    Code:
    "%userprofile%\desktop\tdsskiller.exe" -l "%userprofile%\desktop\tdsskiller.txt"
  • Click Start, click Run... and paste the text above into the Open: line and click OK.
  • Wait for the scan and disinfection process to be over.
  • Open tdsskiller.txt on your desktop and post the contents in your next reply

Now run Malwarebytes Antimalware, update then run a quick scan and post the log and the tdsskiller log in your next reply.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK
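The entries deltalima singled out in this thread (the R1 ProxyServer line pointing the browser at 127.0.0.1:5555, and the O3 toolbar registered with no file behind it) can be picked out of a HijackThis log mechanically, and two logs can be compared to confirm that Fix Checked really removed them, which is what the March 13th 6:17 pm post was checking by eye. The script below is an added example, not a tool from MalwareRemoval.com, Trend Micro or the helper. It assumes the HijackThis v2.0.2 line layout seen in the posted logs (`<type> - <description> - <detail>`) and uses a few constructed sample lines modelled on those logs rather than the full log.

```python
"""Triage helpers for HijackThis v2 log lines (added example; assumes the
'<type> - <description> - <detail>' layout shown in the thread's logs)."""
import re
from ipaddress import ip_address

# Constructed sample lines modelled on the thread's logs, not the complete log.
LOG_BEFORE_FIX = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\3.8.0.41\coIEPlg.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Constructed: the same machine after HijackThis "Fix Checked" removed the flagged entries.
LOG_AFTER_FIX = r"""
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\3.8.0.41\coIEPlg.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Entry type (R1, O3, O23, ...) followed by " - " and the rest of the line.
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.+)$")


def parse_entries(text):
    """Return (kind, body) for every entry line; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def _is_loopback_host(host):
    host = host.strip("[]")  # IPv6 literals appear as [::1]
    if host.lower() == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:  # a hostname rather than an address
        return False


def loopback_proxies(text):
    """R0/R1 ProxyServer entries that send browser traffic to the local machine.

    A per-user proxy at 127.0.0.1 means every HTTP request is handed to a local
    listener instead of going out directly, which is the kind of setting that
    makes an online scanner fail with 'can't update, is proxy configured?'.
    """
    findings = []
    for kind, body in parse_entries(text):
        if kind not in ("R0", "R1") or "ProxyServer" not in body:
            continue
        _, _, value = body.partition(" = ")
        # Value is "host:port" or per-protocol "http=host:port;https=host:port".
        for spec in value.split(";"):
            spec = spec.strip()
            if "=" in spec:
                spec = spec.split("=", 1)[1]
            host, sep, port = spec.rpartition(":")
            if not sep:  # bare host with no port
                host, port = spec, ""
            if host and _is_loopback_host(host):
                findings.append({"kind": kind, "host": host.strip("[]"),
                                 "port": port, "line": body})
    return findings


def orphaned_entries(text):
    """O2/O3 BHO or toolbar registrations whose DLL is gone from disk ('(no file)')."""
    return [(k, b) for k, b in parse_entries(text)
            if k in ("O2", "O3") and b.endswith("(no file)")]


def diff_logs(before, after):
    """Entries that disappeared or appeared between two scans, to confirm a fix took."""
    b, a = set(parse_entries(before)), set(parse_entries(after))
    return {"removed": sorted(b - a), "added": sorted(a - b)}


if __name__ == "__main__":
    for f in loopback_proxies(LOG_BEFORE_FIX):
        print(f"{f['kind']}: browser proxy points at loopback {f['host']}:{f['port']}")
    for kind, body in orphaned_entries(LOG_BEFORE_FIX):
        print(f"{kind} orphan: {body}")
    changes = diff_logs(LOG_BEFORE_FIX, LOG_AFTER_FIX)
    for kind, body in changes["removed"]:
        print(f"removed by the fix: {kind} - {body}")
    for kind, body in changes["added"]:
        print(f"new since the fix: {kind} - {body}")
```

Paste a real log into LOG_BEFORE_FIX and the post-fix log into LOG_AFTER_FIX to use it on an actual case. The diff deliberately compares whole entries, so a Run key whose command line changed shows up as one removal plus one addition, which is exactly the detail a helper wants to see when checking that a fix applied.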

Re: Antivirus Soft

Post by dalilbunnifufu » March 15th, 2010, 2:16 am

Hijack This

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:49:05 PM, on 3/14/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Francine Fua\My Documents\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Security Suite\Engine\3.8.0.41\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Security Suite\Engine\3.8.0.41\IPSBHO.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\3.8.0.41\coIEPlg.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [snp325] C:\WINDOWS\vsnp325.exe
O4 - HKLM\..\Run: [DLCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [PC Pitstop Diskmd3 Reminder] C:\Program Files\PCPitstop\DiskMD3\Reminder-Diskmd3.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} (PCPitstop AntiVirus) - http://utilities.pcpitstop.com/Extermin ... iVirus.dll
O16 - DPF: {94E5218F-9737-4FC2-8457-567B1FF23DC0} (diskhealth Class) - http://utilities.pcpitstop.com/DiskMD3/DiskMD3Ctrl.dll
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize3/pcpitstop2.dll
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Security Suite\Engine\3.8.0.41\coIEPlg.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: dlcd_device - - C:\WINDOWS\system32\dlcdcoms.exe
O23 - Service: dlcg_device - - C:\WINDOWS\system32\dlcgcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton Security Suite (N360) - Symantec Corporation - C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9101 bytes

Tdsskiller


14:07:51:731 1604 TDSS rootkit removing tool 2.2.8 Mar 10 2010 15:53:20
14:07:51:731 1604 ================================================================================
14:07:51:731 1604 SystemInfo:

14:07:51:731 1604 OS Version: 5.1.2600 ServicePack: 3.0
14:07:51:731 1604 Product type: Workstation
14:07:51:731 1604 ComputerName: FRANCINE
14:07:51:731 1604 UserName: Francine
14:07:51:731 1604 Windows directory: C:\WINDOWS
14:07:51:731 1604 Processor architecture: Intel x86
14:07:51:731 1604 Number of processors: 2
14:07:51:731 1604 Page size: 0x1000
14:07:51:731 1604 Boot type: Normal boot
14:07:51:731 1604 ================================================================================
14:07:51:746 1604 UnloadDriverW: NtUnloadDriver error 2
14:07:51:746 1604 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
14:08:00:809 1604 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
14:08:00:809 1604 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
14:08:00:809 1604 wfopen_ex: Trying to KLMD file open
14:08:00:809 1604 wfopen_ex: File opened ok (Flags 2)
14:08:00:809 1604 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
14:08:00:809 1604 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
14:08:00:809 1604 wfopen_ex: Trying to KLMD file open
14:08:00:809 1604 wfopen_ex: File opened ok (Flags 2)
14:08:00:809 1604 Initialize success
14:08:00:809 1604
14:08:00:809 1604 Scanning Services ...
14:08:05:387 1604 GetAdvancedServicesInfo: Raw services enum returned 415 services
14:08:05:434 1604
14:08:05:434 1604 Scanning Kernel memory ...
14:08:05:434 1604 Devices to scan: 5
14:08:05:434 1604
14:08:05:434 1604 Driver Name: Disk
14:08:05:434 1604 IRP_MJ_CREATE : BA0EEBB0
14:08:05:434 1604 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
14:08:05:434 1604 IRP_MJ_CLOSE : BA0EEBB0
14:08:05:434 1604 IRP_MJ_READ : BA0E8D1F
14:08:05:434 1604 IRP_MJ_WRITE : BA0E8D1F
14:08:05:434 1604 IRP_MJ_QUERY_INFORMATION : 804F4562
14:08:05:434 1604 IRP_MJ_SET_INFORMATION : 804F4562
14:08:05:434 1604 IRP_MJ_QUERY_EA : 804F4562
14:08:05:434 1604 IRP_MJ_SET_EA : 804F4562
14:08:05:434 1604 IRP_MJ_FLUSH_BUFFERS : BA0E92E2
14:08:05:434 1604 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
14:08:05:434 1604 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
14:08:05:434 1604 IRP_MJ_DIRECTORY_CONTROL : 804F4562
14:08:05:434 1604 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
14:08:05:434 1604 IRP_MJ_DEVICE_CONTROL : BA0E93BB
14:08:05:434 1604 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0ECF28
14:08:05:434 1604 IRP_MJ_SHUTDOWN : BA0E92E2
14:08:05:434 1604 IRP_MJ_LOCK_CONTROL : 804F4562
14:08:05:434 1604 IRP_MJ_CLEANUP : 804F4562
14:08:05:434 1604 IRP_MJ_CREATE_MAILSLOT : 804F4562
14:08:05:434 1604 IRP_MJ_QUERY_SECURITY : 804F4562
14:08:05:434 1604 IRP_MJ_SET_SECURITY : 804F4562
14:08:05:434 1604 IRP_MJ_POWER : BA0EAC82
14:08:05:434 1604 IRP_MJ_SYSTEM_CONTROL : BA0EF99E
14:08:05:434 1604 IRP_MJ_DEVICE_CHANGE : 804F4562
14:08:05:434 1604 IRP_MJ_QUERY_QUOTA : 804F4562
14:08:05:434 1604 IRP_MJ_SET_QUOTA : 804F4562
14:08:05:496 1604 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
14:08:05:496 1604
14:08:05:496 1604 Driver Name: Disk
14:08:05:496 1604 IRP_MJ_CREATE : BA0EEBB0
14:08:05:496 1604 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
14:08:05:496 1604 IRP_MJ_CLOSE : BA0EEBB0
14:08:05:496 1604 IRP_MJ_READ : BA0E8D1F
14:08:05:496 1604 IRP_MJ_WRITE : BA0E8D1F
14:08:05:496 1604 IRP_MJ_QUERY_INFORMATION : 804F4562
14:08:05:496 1604 IRP_MJ_SET_INFORMATION : 804F4562
14:08:05:496 1604 IRP_MJ_QUERY_EA : 804F4562
14:08:05:496 1604 IRP_MJ_SET_EA : 804F4562
14:08:05:496 1604 IRP_MJ_FLUSH_BUFFERS : BA0E92E2
14:08:05:496 1604 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
14:08:05:496 1604 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
14:08:05:496 1604 IRP_MJ_DIRECTORY_CONTROL : 804F4562
14:08:05:496 1604 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
14:08:05:496 1604 IRP_MJ_DEVICE_CONTROL : BA0E93BB
14:08:05:496 1604 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0ECF28
14:08:05:496 1604 IRP_MJ_SHUTDOWN : BA0E92E2
14:08:05:496 1604 IRP_MJ_LOCK_CONTROL : 804F4562
14:08:05:496 1604 IRP_MJ_CLEANUP : 804F4562
14:08:05:496 1604 IRP_MJ_CREATE_MAILSLOT : 804F4562
14:08:05:496 1604 IRP_MJ_QUERY_SECURITY : 804F4562
14:08:05:496 1604 IRP_MJ_SET_SECURITY : 804F4562
14:08:05:496 1604 IRP_MJ_POWER : BA0EAC82
14:08:05:496 1604 IRP_MJ_SYSTEM_CONTROL : BA0EF99E
14:08:05:496 1604 IRP_MJ_DEVICE_CHANGE : 804F4562
14:08:05:496 1604 IRP_MJ_QUERY_QUOTA : 804F4562
14:08:05:496 1604 IRP_MJ_SET_QUOTA : 804F4562
14:08:05:543 1604 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
14:08:05:543 1604
14:08:05:543 1604 Driver Name: Disk
14:08:05:543 1604 IRP_MJ_CREATE : BA0EEBB0
14:08:05:543 1604 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
14:08:05:543 1604 IRP_MJ_CLOSE : BA0EEBB0
14:08:05:543 1604 IRP_MJ_READ : BA0E8D1F
14:08:05:543 1604 IRP_MJ_WRITE : BA0E8D1F
14:08:05:543 1604 IRP_MJ_QUERY_INFORMATION : 804F4562
14:08:05:543 1604 IRP_MJ_SET_INFORMATION : 804F4562
14:08:05:543 1604 IRP_MJ_QUERY_EA : 804F4562
14:08:05:543 1604 IRP_MJ_SET_EA : 804F4562
14:08:05:543 1604 IRP_MJ_FLUSH_BUFFERS : BA0E92E2
14:08:05:543 1604 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
14:08:05:543 1604 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
14:08:05:543 1604 IRP_MJ_DIRECTORY_CONTROL : 804F4562
14:08:05:543 1604 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
14:08:05:543 1604 IRP_MJ_DEVICE_CONTROL : BA0E93BB
14:08:05:543 1604 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0ECF28
14:08:05:543 1604 IRP_MJ_SHUTDOWN : BA0E92E2
14:08:05:543 1604 IRP_MJ_LOCK_CONTROL : 804F4562
14:08:05:543 1604 IRP_MJ_CLEANUP : 804F4562
14:08:05:543 1604 IRP_MJ_CREATE_MAILSLOT : 804F4562
14:08:05:543 1604 IRP_MJ_QUERY_SECURITY : 804F4562
14:08:05:543 1604 IRP_MJ_SET_SECURITY : 804F4562
14:08:05:543 1604 IRP_MJ_POWER : BA0EAC82
14:08:05:543 1604 IRP_MJ_SYSTEM_CONTROL : BA0EF99E
14:08:05:543 1604 IRP_MJ_DEVICE_CHANGE : 804F4562
14:08:05:543 1604 IRP_MJ_QUERY_QUOTA : 804F4562
14:08:05:543 1604 IRP_MJ_SET_QUOTA : 804F4562
14:08:05:590 1604 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
14:08:05:590 1604
14:08:05:590 1604 Driver Name: Disk
14:08:05:590 1604 IRP_MJ_CREATE : BA0EEBB0
14:08:05:590 1604 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
14:08:05:590 1604 IRP_MJ_CLOSE : BA0EEBB0
14:08:05:590 1604 IRP_MJ_READ : BA0E8D1F
14:08:05:590 1604 IRP_MJ_WRITE : BA0E8D1F
14:08:05:590 1604 IRP_MJ_QUERY_INFORMATION : 804F4562
14:08:05:590 1604 IRP_MJ_SET_INFORMATION : 804F4562
14:08:05:590 1604 IRP_MJ_QUERY_EA : 804F4562
14:08:05:590 1604 IRP_MJ_SET_EA : 804F4562
14:08:05:590 1604 IRP_MJ_FLUSH_BUFFERS : BA0E92E2
14:08:05:590 1604 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
14:08:05:590 1604 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
14:08:05:590 1604 IRP_MJ_DIRECTORY_CONTROL : 804F4562
14:08:05:590 1604 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
14:08:05:590 1604 IRP_MJ_DEVICE_CONTROL : BA0E93BB
14:08:05:590 1604 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0ECF28
14:08:05:590 1604 IRP_MJ_SHUTDOWN : BA0E92E2
14:08:05:590 1604 IRP_MJ_LOCK_CONTROL : 804F4562
14:08:05:590 1604 IRP_MJ_CLEANUP : 804F4562
14:08:05:590 1604 IRP_MJ_CREATE_MAILSLOT : 804F4562
14:08:05:590 1604 IRP_MJ_QUERY_SECURITY : 804F4562
14:08:05:590 1604 IRP_MJ_SET_SECURITY : 804F4562
14:08:05:590 1604 IRP_MJ_POWER : BA0EAC82
14:08:05:590 1604 IRP_MJ_SYSTEM_CONTROL : BA0EF99E
14:08:05:590 1604 IRP_MJ_DEVICE_CHANGE : 804F4562
14:08:05:590 1604 IRP_MJ_QUERY_QUOTA : 804F4562
14:08:05:590 1604 IRP_MJ_SET_QUOTA : 804F4562
14:08:05:668 1604 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
14:08:05:668 1604
14:08:05:668 1604 Driver Name: atapi
14:08:05:668 1604 IRP_MJ_CREATE : B9E34B40
14:08:05:668 1604 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
14:08:05:668 1604 IRP_MJ_CLOSE : B9E34B40
14:08:05:668 1604 IRP_MJ_READ : 804F4562
14:08:05:668 1604 IRP_MJ_WRITE : 804F4562
14:08:05:668 1604 IRP_MJ_QUERY_INFORMATION : 804F4562
14:08:05:668 1604 IRP_MJ_SET_INFORMATION : 804F4562
14:08:05:668 1604 IRP_MJ_QUERY_EA : 804F4562
14:08:05:668 1604 IRP_MJ_SET_EA : 804F4562
14:08:05:668 1604 IRP_MJ_FLUSH_BUFFERS : 804F4562
14:08:05:668 1604 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
14:08:05:668 1604 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
14:08:05:668 1604 IRP_MJ_DIRECTORY_CONTROL : 804F4562
14:08:05:668 1604 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
14:08:05:668 1604 IRP_MJ_DEVICE_CONTROL : B9E34B40
14:08:05:668 1604 IRP_MJ_INTERNAL_DEVICE_CONTROL : B9E34B40
14:08:05:668 1604 IRP_MJ_SHUTDOWN : 804F4562
14:08:05:668 1604 IRP_MJ_LOCK_CONTROL : 804F4562
14:08:05:668 1604 IRP_MJ_CLEANUP : 804F4562
14:08:05:668 1604 IRP_MJ_CREATE_MAILSLOT : 804F4562
14:08:05:668 1604 IRP_MJ_QUERY_SECURITY : 804F4562
14:08:05:668 1604 IRP_MJ_SET_SECURITY : 804F4562
14:08:05:668 1604 IRP_MJ_POWER : B9E34B40
14:08:05:668 1604 IRP_MJ_SYSTEM_CONTROL : B9E34B40
14:08:05:668 1604 IRP_MJ_DEVICE_CHANGE : 804F4562
14:08:05:668 1604 IRP_MJ_QUERY_QUOTA : 804F4562
14:08:05:668 1604 IRP_MJ_SET_QUOTA : 804F4562
14:08:05:731 1604 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
14:08:05:731 1604
14:08:06:027 1604 Completed
14:08:06:043 1604
14:08:06:043 1604 Results:
14:08:06:043 1604 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
14:08:06:043 1604 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
14:08:06:043 1604 File objects infected / cured / cured on reboot: 0 / 0 / 0
14:08:06:043 1604
14:08:06:059 1604 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
14:08:06:059 1604 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
14:08:06:059 1604 KLMD(ARK) unloaded successfully

Malwarebytes Anti-Malware

Malwarebytes' Anti-Malware 1.44
Database version: 3868
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/14/2010 10:33:29 PM
mbam-log-2010-03-14 (22-33-29).txt

Scan type: Quick Scan
Objects scanned: 127672
Time elapsed: 6 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
dalilbunnifufu
Regular Member
 
Posts: 20
Joined: February 25th, 2010, 6:12 pm
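Added example, not part of this thread or of HijackThis: a small Python triage pass over lines in the O4/O23 format of the log above. It does the two things a helper does by eye here: flag Run value names that look machine-generated (the kind of random lower-case name Malwarebytes reported for the rogue's HKCU Run entry, oaemkplf) and flag services whose vendor column is empty or "Unknown owner". The sample lines are constructed for the example; most are copied from the log, the oaemkplf line and its path are invented, and the heuristic is deliberately crude. A hit is a prompt to look closer, not a verdict: the two printer services it flags are ordinary Dell/Lexmark components.

```python
import re

# Constructed sample in the HijackThis format used in this thread. The
# oaemkplf entry and its path are made up to model the entry Malwarebytes
# quarantined; the rest are copied from the posted log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [oaemkplf] C:\Documents and Settings\Francine\Local Settings\Application Data\ocapqa\oaemkplf.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: dlcd_device - - C:\WINDOWS\system32\dlcdcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Norton Security Suite (N360) - Symantec Corporation - C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe
"""

# O4 - HKLM\..\Run: [name] command
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# O23 - Service: display - vendor - path   (vendor may be empty: "name - - C:\...")
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.*?)\s*-\s(?P<path>[A-Za-z]:\\.*)$")

VOWELS = set("aeiouy")


def looks_random(name: str) -> bool:
    """Crude heuristic for generated names: only all-lowercase alphabetic
    names of 6..12 characters are considered, so ehTray, ctfmon.exe and
    snp325 are never flagged. A run of four or more consonants, or a 'q'
    not followed by 'u', is unlike an English or vendor-chosen name."""
    if not (6 <= len(name) <= 12 and name.isalpha() and name.islower()):
        return False
    longest = run = 0
    for ch in name:
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    return longest >= 4 or re.search(r"q(?!u)", name) is not None


def triage(log_text: str) -> list:
    """Return (kind, name, reason) tuples for entries worth a second look."""
    findings = []
    for line in log_text.splitlines():
        run = RUN_RE.match(line)
        if run:
            if looks_random(run.group("name")):
                findings.append(("run", run.group("name"), "random-looking value name"))
            continue
        svc = SVC_RE.match(line)
        if svc and svc.group("vendor").strip() in ("", "Unknown owner"):
            findings.append(("service", svc.group("name"),
                             "no vendor string for " + svc.group("path")))
    return findings


if __name__ == "__main__":
    for kind, name, reason in triage(SAMPLE_LOG):
        print(f"{kind:8} {name:20} {reason}")
```

Service lines whose path is "(no file)" do not match SVC_RE and are skipped; if you want those reported too, loosen the path group.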
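Added example, not part of this thread or of TDSSKiller: the "Scanning Kernel memory" section above prints each disk-stack driver's IRP dispatch table, and the rootkit family this tool targets works by redirecting entries in that table (typically atapi's read/write or device-control handlers) to code outside the driver's own image. The Python below parses that section and applies the check: an address many unrelated drivers share (804F4562 in this log, the target of every unimplemented major function) is treated as the kernel's default stub and ignored; every other handler must fall inside its driver's image. TDSSKiller does not print image ranges, so the ranges here are assumptions written for the example (on a live box you would take them from the loaded-module list). The first two sample tables are trimmed copies of the posted disk and atapi tables; the third is a constructed atapi table with two handlers redirected, to show what a hit looks like.

```python
import re

# Constructed sample in the TDSSKiller 2.2.8 log format seen in this thread.
# Blocks 1 and 2 are abridged from the posted log; block 3 is invented, with
# two handlers pointing at 8A6C1D40, an address outside atapi.sys.
SAMPLE = r"""
14:08:05:434 1604 Driver Name: Disk
14:08:05:434 1604 IRP_MJ_CREATE : BA0EEBB0
14:08:05:434 1604 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
14:08:05:434 1604 IRP_MJ_READ : BA0E8D1F
14:08:05:434 1604 IRP_MJ_WRITE : BA0E8D1F
14:08:05:434 1604 IRP_MJ_DEVICE_CONTROL : BA0E93BB
14:08:05:434 1604 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0ECF28
14:08:05:496 1604 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
14:08:05:496 1604
14:08:05:668 1604 Driver Name: atapi
14:08:05:668 1604 IRP_MJ_CREATE : B9E34B40
14:08:05:668 1604 IRP_MJ_READ : 804F4562
14:08:05:668 1604 IRP_MJ_DEVICE_CONTROL : B9E34B40
14:08:05:668 1604 IRP_MJ_INTERNAL_DEVICE_CONTROL : B9E34B40
14:08:05:731 1604 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
14:08:05:731 1604
14:08:05:800 1604 Driver Name: atapi
14:08:05:800 1604 IRP_MJ_CREATE : B9E34B40
14:08:05:800 1604 IRP_MJ_READ : 804F4562
14:08:05:800 1604 IRP_MJ_DEVICE_CONTROL : 8A6C1D40
14:08:05:800 1604 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8A6C1D40
"""

# Assumed image ranges (start, end) for the two drivers. These are NOT in the
# log; they are placeholders chosen so the posted addresses fall inside them.
ASSUMED_IMAGE_RANGES = {
    "disk": (0xBA0E8000, 0xBA0F2000),
    "atapi": (0xB9E2E000, 0xB9E48000),
}

LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3} \d+ (?P<body>.*)$")
DRIVER_RE = re.compile(r"^Driver Name: (?P<name>\S+)$")
IRP_RE = re.compile(r"^(?P<irp>IRP_MJ_[A-Z_]+) : (?P<addr>[0-9A-Fa-f]{8})$")
PATH_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?) - Verdict: (?P<verdict>\d+)$")


def parse_tables(text: str) -> list:
    """Split the kernel-memory section into one dict per 'Driver Name:' block."""
    tables, cur = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # blank or timestamp-only line
        body = m.group("body").strip()
        d = DRIVER_RE.match(body)
        if d:
            cur = {"driver": d.group("name").lower(), "handlers": {}, "path": None, "verdict": None}
            tables.append(cur)
            continue
        if cur is None:
            continue
        h = IRP_RE.match(body)
        if h:
            cur["handlers"][h.group("irp")] = int(h.group("addr"), 16)
            continue
        p = PATH_RE.match(body)
        if p:
            cur["path"], cur["verdict"] = p.group("path"), int(p.group("verdict"))
    return tables


def shared_stubs(tables: list) -> set:
    """Addresses that appear under more than one distinct driver name. No
    single driver image can own such an address, so it is a kernel-provided
    default (804F4562 in the posted log)."""
    owners = {}
    for t in tables:
        for addr in t["handlers"].values():
            owners.setdefault(addr, set()).add(t["driver"])
    return {a for a, drivers in owners.items() if len(drivers) > 1}


def find_hooks(tables: list, image_ranges: dict) -> list:
    """Report (driver, irp, addr, reason) for handlers outside their image."""
    stubs = shared_stubs(tables)
    findings = []
    for t in tables:
        rng = image_ranges.get(t["driver"])
        for irp, addr in sorted(t["handlers"].items()):
            if addr in stubs:
                continue
            if rng is None:
                findings.append((t["driver"], irp, addr, "no image range known"))
            elif not (rng[0] <= addr < rng[1]):
                findings.append((t["driver"], irp, addr, "handler outside driver image"))
    return findings


if __name__ == "__main__":
    for driver, irp, addr, reason in find_hooks(parse_tables(SAMPLE), ASSUMED_IMAGE_RANGES):
        print(f"{driver:6} {irp:32} {addr:08X}  {reason}")
```

The shared-address rule is what lets the check run without knowing where ntoskrnl is loaded; on a real system you would still confirm the stub's identity from the loaded-module list before trusting it, since a hook installed across several drivers at once would otherwise pass as "shared".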

Re: Antivirus Soft

Unread postby deltalima » March 15th, 2010, 4:25 am

Hi dalilbunnifufu,

Now please reboot into normal mode.

Run Rkill

Run Combofix:

Temporarily disable any antispyware, antivirus and/or antimalware real-time protection, as they may interfere with the running of ComboFix.

Download ComboFix from here to your Desktop.

For more information about Combofix please see here.

Close all programs.

Double click combofix.exe and follow the prompts.

If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. If not, follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console and, when prompted, agree to the End-User License Agreement to install it. Once installed, you should see the following message:

The recovery console was successfuly installed.
Click ‘YES’ to continue scanning for malware
Click ‘NO’ for exit

Click the YES button.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your “drive access” light. If it is flashing, Combofix is still at work.

When finished ComboFix will produce a log file. Please post the contents of this log in your next reply.
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Antivirus Soft

Unread postby dalilbunnifufu » March 16th, 2010, 1:35 am

ComboFix 10-03-15.04 - Francine Fua 03/15/2010 22:14:09.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1583 [GMT -7:00]
Running from: c:\documents and settings\Francine Fua\Desktop\ComboFix.exe
AV: Norton Security Suite *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((( Files Created from 2010-02-16 to 2010-03-16 )))))))))))))))))))))))))))))))
.

2010-03-16 05:12 . 2010-02-13 01:41 558448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
2010-03-16 05:12 . 2010-02-02 03:20 165240 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
2010-03-16 02:32 . 2010-03-16 02:32 -------- d-----w- c:\windows\CKS08GOW4CKS08GO
2010-03-14 21:10 . 2010-02-27 20:10 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100314.003\NAVENG.SYS
2010-03-14 21:10 . 2010-02-27 20:10 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100314.003\NAVENG32.DLL
2010-03-14 21:10 . 2010-02-27 20:10 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100314.003\NAVEX32A.DLL
2010-03-14 21:10 . 2010-02-27 20:10 1324720 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100314.003\NAVEX15.SYS
2010-03-14 21:10 . 2010-02-27 20:10 102448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100314.003\ERASER.SYS
2010-03-14 21:10 . 2010-02-27 20:10 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100314.003\EECTRL.SYS
2010-03-14 21:10 . 2010-02-27 20:10 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100314.003\CCERASER.DLL
2010-03-14 21:10 . 2010-02-27 20:10 259440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100314.003\ECMSVR32.DLL
2010-03-12 22:57 . 2010-03-12 22:57 -------- d-----w- c:\program files\ESET
2010-03-12 20:01 . 2010-03-12 20:01 -------- d-----w- C:\_OTL
2010-03-11 23:07 . 2010-03-11 23:07 -------- d-----w- c:\documents and settings\HelpAssistant\WINDOWS
2010-03-11 23:07 . 2010-03-11 23:07 -------- d-----w- c:\documents and settings\HelpAssistant\UserData
2010-03-11 23:07 . 2007-01-19 01:20 968448 ----a-w- c:\documents and settings\HelpAssistant\USBKeyPrepF6.exe
2010-03-11 23:07 . 2010-03-11 23:07 -------- d-----w- c:\documents and settings\HelpAssistant\Shared
2010-03-11 23:07 . 2010-03-11 23:07 -------- d-----w- c:\documents and settings\HelpAssistant\PrivacIE
2010-03-11 03:10 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100310.001\Scxpx86.dll
2010-03-11 03:10 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100310.001\IDSXpx86.sys
2010-03-11 03:10 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100310.001\IDSxpx86.dll
2010-03-11 03:10 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100310.001\IDSvix86.sys
2010-03-11 03:10 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100310.001\IDSviA64.sys
2010-03-11 02:43 . 2010-03-11 02:43 -------- d-----w- c:\documents and settings\All Users\Symantec Temporary Files
2010-03-09 23:24 . 2010-03-09 23:24 -------- d-----w- c:\program files\Norton Support
2010-03-09 23:24 . 2010-03-09 23:24 -------- d-----w- c:\documents and settings\Francine Fua\Local Settings\Application Data\Symantec
2010-02-28 05:00 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\IDSvix86.sys
2010-02-28 05:00 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\IDSXpx86.sys
2010-02-28 05:00 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\Scxpx86.dll
2010-02-28 05:00 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\IDSxpx86.dll
2010-02-28 05:00 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\IDSviA64.sys
2010-02-28 04:37 . 2010-02-28 04:37 -------- d-----w- c:\documents and settings\Francine Fua\Application Data\Malwarebytes
2010-02-28 02:58 . 2010-02-28 02:58 1291104 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\SyKnAppS.dll
2010-02-28 02:58 . 2010-02-28 02:58 136840 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\patch25.dll
2010-02-28 02:58 . 2010-02-28 02:58 776952 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\CLT\cltLMSx.dll
2010-02-28 02:57 . 2010-02-28 20:34 -------- d-----w- c:\windows\system32\drivers\N360
2010-02-28 02:57 . 2010-02-28 02:57 -------- d-----w- c:\program files\Norton Security Suite
2010-02-28 02:57 . 2010-02-28 02:57 -------- d-----w- c:\program files\Windows Sidebar
2010-02-28 02:57 . 2010-02-28 02:57 -------- d-----w- c:\program files\NortonInstaller
2010-02-28 02:31 . 2006-12-07 18:45 110592 ----a-w- c:\documents and settings\Administrator\Application Data\U3\temp\cleanup.exe
2010-02-28 02:31 . 2010-02-28 02:31 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
2010-02-28 02:16 . 2010-02-28 02:16 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys
2010-02-28 02:16 . 2010-02-28 02:58 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-02-28 02:16 . 2010-02-28 02:58 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-02-28 02:15 . 2010-03-11 02:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-02-28 02:15 . 2010-02-28 02:15 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-02-28 01:40 . 2010-02-28 03:25 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-02-28 01:40 . 2010-02-28 01:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-02-28 01:40 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-28 01:40 . 2010-02-28 03:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-28 01:40 . 2010-02-28 01:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-28 01:40 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-28 01:39 . 2006-12-07 18:45 3096576 ---ha-w- c:\documents and settings\Administrator\Application Data\U3\temp\Launchpad Removal.exe
2010-02-28 01:39 . 2010-02-28 01:39 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2010-02-25 20:40 . 2010-02-25 20:40 -------- d-----w- c:\documents and settings\HelpAssistant\Incomplete
2010-02-25 04:02 . 2010-03-16 05:09 -------- d-----w- c:\documents and settings\HelpAssistant
2010-02-25 04:02 . 2010-02-25 05:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-02-25 03:46 . 2010-02-25 03:46 -------- d-----w- c:\documents and settings\Francine Fua\Application Data\AVG8
2010-02-25 03:10 . 2010-02-28 01:06 -------- d-----w- c:\documents and settings\Francine Fua\Local Settings\Application Data\ocapqa

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-11 03:12 . 2006-06-22 19:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-02-28 05:18 . 2008-08-04 23:56 -------- d-----w- c:\program files\Alwil Software
2010-02-28 05:00 . 2006-06-22 19:40 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-02-28 05:00 . 2010-02-25 05:12 -------- d-----w- c:\program files\PCPitstop
2010-02-28 02:58 . 2010-02-28 02:16 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-02-28 02:58 . 2010-02-28 02:16 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-02-28 02:58 . 2006-06-22 19:40 -------- d-----w- c:\program files\Symantec
2010-02-28 02:58 . 2008-01-29 19:01 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-02-28 02:58 . 2008-01-29 19:02 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2010-02-28 00:59 . 2007-10-13 17:31 -------- d-----w- c:\program files\Dl_cats
2010-02-28 00:54 . 2006-07-19 22:09 76376 -c--a-w- c:\documents and settings\Francine Fua\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-25 06:25 . 2010-02-25 05:12 -------- d-----w- c:\documents and settings\All Users\Application Data\PCPitstop
2010-02-25 05:22 . 2010-02-25 05:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG8
2010-02-11 04:06 . 2007-11-01 02:16 -------- d-----w- c:\documents and settings\Francine Fua\Application Data\Move Networks
2010-02-04 06:29 . 2009-11-03 19:42 143976 ----a-w- c:\documents and settings\Francine Fua\Application Data\Move Networks\uninstall.exe
2010-02-04 06:29 . 2009-10-15 00:50 5642688 ----a-w- c:\documents and settings\Francine Fua\Application Data\Move Networks\plugins\npqmp071701000002.dll
2010-02-04 06:29 . 2010-02-04 06:28 1794456 ----a-w- c:\documents and settings\Francine Fua\Application Data\Move Networks\MoveMediaPlayerWin_071701000002.exe
2010-02-02 06:33 . 2009-12-10 19:26 4187512 ----a-w- c:\documents and settings\Francine Fua\Application Data\Move Networks\plugins\npqmp071505000011.dll
2010-02-02 06:33 . 2010-02-02 06:28 1438976 ----a-w- c:\documents and settings\Francine Fua\Application Data\Move Networks\MoveMediaPlayerWin_071505000011.exe
2009-12-31 16:50 . 2005-08-16 09:18 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2005-08-16 09:18 916480 ------w- c:\windows\system32\wininet.dll
2009-12-17 08:09 . 2010-02-05 23:25 49241 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4482.14.4\sb_BunkerHill.dll
2009-12-16 18:43 . 2005-08-16 09:37 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-16 15:07 . 2010-02-05 23:25 136528 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4482.14.4\Vercopy.exe
2009-12-16 15:07 . 2010-02-05 23:25 136528 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4482.14.4\AOLSetup.exe
2009-01-27 01:34 . 2009-01-27 01:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-01-27 01:34 . 2009-01-27 01:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-02-20 4363504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"MBMon"="CTMBHA.DLL" [2006-03-03 1355938]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-03 45056]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"snp325"="c:\windows\vsnp325.exe" [2007-05-10 835584]
"DLCGCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCGtime.dll" [2006-10-20 73728]
"PC Pitstop Diskmd3 Reminder"="c:\program files\PCPitstop\DiskMD3\Reminder-Diskmd3.exe" [2009-01-27 198656]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2005-6-16 49152]
Clean Access Agent.lnk - c:\program files\Cisco Systems\Clean Access Agent\CCAAgent.exe [2007-9-7 2056275]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-1-2 24576]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2008-1-3 118784]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dell Network Assistant.lnk
backup=c:\windows\pss\Dell Network Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2005-06-07 06:46 57344 -c--a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 06:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
c:\program files\AIM\aim.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
2009-05-19 05:23 49968 ----a-w- c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
2006-01-03 01:41 45056 ----a-w- c:\program files\ATI Technologies\ATI.ACE\CLI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
2004-12-02 23:23 102400 ------w- c:\program files\Creative\MediaSource\Detector\CTDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
2007-05-14 22:23 1191936 ----a-w- c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dlcgmon.exe]
2006-12-08 04:33 430984 -c--a-w- c:\program files\Dell AIO 810\DLCGmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-12-10 01:29 49152 -c----w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
2006-12-08 04:35 312200 -c--a-w- c:\program files\Dell Fax Solutions\fm3032.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
2006-10-19 00:58 696320 -c--a-w- c:\program files\Intel\Wireless\Bin\iFrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
2006-10-19 01:04 802816 -c--a-w- c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-06-10 15:44 249856 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-06-10 15:44 81920 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-07-13 21:03 292128 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
2003-09-10 07:24 20480 ------w- c:\program files\NetWaiting\netwaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MskAgentexe]
c:\program files\McAfee\MSK\MskAgent.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-27 00:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefaultMIDI]
2004-12-22 09:40 24576 ----a-w- c:\windows\MIDIDEF.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiteAdvisor]
c:\program files\SiteAdvisor\6253\SiteAdv.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-09-25 09:11 132496 -c--a-w- c:\program files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2006-03-08 16:48 761947 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoiceCenter]
2006-01-02 14:13 1126400 -c----w- c:\program files\Creative\VoiceCenter\AndreaVC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"IDriverT"=3 (0x3)
"HidServ"=2 (0x2)
"Fax"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"matlabserver"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"8114:TCP"= 8114:TCP:Services

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SymEFA.sys [2/28/2010 1:25 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0308000.029\BHDrvx86.sys [2/28/2010 1:25 PM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0308000.029\cchpx86.sys [2/28/2010 1:25 PM 482432]
R2 dlcd_device;dlcd_device;c:\windows\system32\dlcdcoms.exe -service --> c:\windows\system32\dlcdcoms.exe -service [?]
R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe [2/28/2010 1:25 PM 117640]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/3/2008 11:42 PM 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/27/2010 1:10 PM 102448]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11/10/2006 4:16 PM 611064]
S1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100310.001\IDSXpx86.sys [3/10/2010 8:10 PM 329592]
S3 EraserUtilDrvI9;EraserUtilDrvI9;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI9.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI9.sys [?]
S3 SNP325;USB PC Camera (SNPSTD325);c:\windows\system32\drivers\snp325.sys [1/13/2009 3:00 AM 451456]
.
Contents of the 'Scheduled Tasks' folder

2010-02-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
DPF: {94E5218F-9737-4FC2-8457-567B1FF23DC0} - hxxp://utilities.pcpitstop.com/DiskMD3/DiskMD3Ctrl.dll
FF - ProfilePath - c:\documents and settings\Francine Fua\Application Data\Mozilla\Firefox\Profiles\qw1zkkxo.default\
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\documents and settings\Francine Fua\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\Francine Fua\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
.
- - - - ORPHANS REMOVED - - - -

AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb
AddRemove-PCM - c:\documents and settings\Francine Fua\Desktop\PCM\Uninstal.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCGCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCGtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecf28
\Driver\ACPI -> 0x89343ef8
\Driver\atapi -> atapi.sys @ 0xb9f11852
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> 0x894e1330
PacketIndicateHandler -> NDIS.sys @ 0xb9db3a21
SendHandler -> NDIS.sys @ 0xb9d9187b
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x0923CA09
malicious code @ sector 0x0923CA0C !
PE file found in sector at 0x0923CA22 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1420)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-03-15 22:26:07
ComboFix-quarantined-files.txt 2010-03-16 05:26

Pre-Run: 30,456,446,976 bytes free
Post-Run: 30,398,476,288 bytes free

- - End Of File - - 6A31E2FE1C601CBD9327C469E6280EA2
dalilbunnifufu
Regular Member
Posts: 20
Joined: February 25th, 2010, 6:12 pm

Re: Antivirus Soft

Unread postby deltalima » March 16th, 2010, 8:55 am

Hi dalilbunnifufu,

Now please reboot into normal mode.

Run Rkill

Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
Close out all other open programs and windows.
Double click the file to run it and follow any prompts.
If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.


*In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.

mbr -f

Now, please do the Start>Run>mbr -f command a second time.
Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.

**Important note to Dell users - fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Antivirus Soft

Unread postby dalilbunnifufu » March 16th, 2010, 6:48 pm

C:\Documents and Settings\Francine Fua\Desktop\HelpAsst_mebroot_fix.exe
Tue 03/16/2010 at 15:29:42.53

HelpAssistant account was found to be Inactive


~~ Checking for termsrv32.dll ~~

termsrv32.dll not found

~~ Checking firewall ports ~~

backing up DomainProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"4708:TCP"=-
"2479:TCP"=-

backing up StandardProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"4708:TCP"=-
"2479:TCP"=-


HelpAssistant profile not found in registry

~~ Checking mbr ~~

mbr infection detected! ~ running mbr -f

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x8a17ce10
NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> 0x89454330
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x0923CA09
malicious code @ sector 0x0923CA0C !
PE file found in sector at 0x0923CA22 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
original MBR restored successfully !

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Tue 03/16/2010 at 15:43:05.57

Full Name Remote Desktop Help Assistant Account
Account active Yes
Local Group Memberships *Administrators

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys sptd.sys >>UNKNOWN [0x8A94373C]<<
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0923CA09
malicious code @ sector 0x0923CA0C !
PE file found in sector at 0x0923CA22 !

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

S-1-5-21-2481678285-1810982164-1046370265-1004
%SystemDrive%\Documents and Settings\HelpAssistant.FRANCINE

~~ Checking for HelpAssistant directories ~~

HelpAssistant
HelpAssistant.FRANCINE

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~
dalilbunnifufu
Regular Member
Posts: 20
Joined: February 25th, 2010, 6:12 pm
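The HelpAsst log above is read by eye: the helper looks for Gmer's "detected MBR rootkit hooks" block, the hidden MBR copy and payload sectors, the "user & kernel MBR OK" line after the fix, the generic "Services" entries in GloballyOpenPorts, and an active HelpAssistant account sitting in Administrators. The script below is an added example for this page, not code from the thread nor from mbr.exe, ComboFix or HelpAsst_mebroot_fix; it parses those same text formats and reports the indicators. It touches no disk or registry. The sample inputs are constructed to mirror the logs in this thread (offsets and port numbers copied from them), and the rule that a port named just "Services" is rogue is an assumption drawn from the entries the tool closed above.

```python
"""Triage helper for the log formats quoted in this thread: Gmer's
'Stealth MBR rootkit/Mebroot/Sinowal detector' (mbr.exe) report, the
GloballyOpenPorts\\List dump printed by ComboFix and HelpAsst_mebroot_fix,
and the 'net user'-style HelpAssistant block.

Added example, not code from the thread or from those tools.  Text only:
it never reads a disk or the registry.  Samples at the bottom are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class MbrReport:
    hooks: List[str] = field(default_factory=list)            # "X -> addr" lines
    unknown_modules: List[str] = field(default_factory=list)  # >>UNKNOWN [..]<<
    mbr_ok: bool = False           # "user & kernel MBR OK" seen
    restored: bool = False         # "original MBR restored successfully" seen
    mbr_copy_sector: Optional[int] = None
    malicious_sector: Optional[int] = None
    pe_sector: Optional[int] = None

    @property
    def mbr_infected(self) -> bool:
        """Gmer's verdict at scan time: kernel hooks present, or a bad MBR."""
        return bool(self.hooks) or (not self.mbr_ok and self.malicious_sector is not None)

    @property
    def payload_remains(self) -> bool:
        """MBR reads clean but the hidden copy/payload sectors are still on disk
        (the state the post-fix status check in this thread shows)."""
        return self.mbr_ok and self.malicious_sector is not None


_SECTOR_RX = {
    "mbr_copy_sector": re.compile(r"copy of MBR has been found in sector 0x([0-9A-Fa-f]+)"),
    "malicious_sector": re.compile(r"malicious code @ sector 0x([0-9A-Fa-f]+)"),
    "pe_sector": re.compile(r"PE file found in sector at 0x([0-9A-Fa-f]+)"),
}
_UNKNOWN_RX = re.compile(r">>UNKNOWN \[0x([0-9A-Fa-f]+)\]<<")


def parse_mbr_report(text: str) -> MbrReport:
    rep = MbrReport()
    in_hooks = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "detected MBR rootkit hooks:":
            in_hooks = True
            continue
        if in_hooks:                       # every hook line contains "->"
            if "->" in line:
                rep.hooks.append(line)
                continue
            in_hooks = False
        if line == "user & kernel MBR OK":
            rep.mbr_ok = True
        elif line.startswith("original MBR restored successfully"):
            rep.restored = True
        for attr, rx in _SECTOR_RX.items():
            m = rx.search(line)
            if m:
                setattr(rep, attr, int(m.group(1), 16))
        rep.unknown_modules += _UNKNOWN_RX.findall(line)
    return rep


_PORT_RX = re.compile(r'^"(\d+):(TCP|UDP)"=\s*(.*)$')


def rogue_open_ports(text: str) -> List[Tuple[int, str, str]]:
    """(port, proto, name) for GloballyOpenPorts entries named only 'Services'.
    Assumption: that generic label marks the rogue entries in this thread, while
    a stock exception names its product ('Remote Desktop').  '=-' lines are
    deletions from a fix log and are skipped."""
    found = []
    for line in text.splitlines():
        m = _PORT_RX.match(line.strip())
        if not m or m.group(3) == "-":
            continue
        name = m.group(3).split(":")[-1]   # "65533:TCP:Services" -> "Services"
        if name == "Services":
            found.append((int(m.group(1)), m.group(2), name))
    return found


def helpassistant_enabled_admin(net_user_text: str) -> bool:
    """True if a 'net user HelpAssistant' block shows the account active and in
    Administrators; a stock XP install keeps it disabled and out of that group."""
    active = re.search(r"Account active\s+(Yes|No)", net_user_text)
    groups = re.search(r"Local Group Memberships\s+(.*)", net_user_text)
    return bool(active and active.group(1) == "Yes"
                and groups and "Administrators" in groups.group(1))


# Constructed samples shaped like the thread's logs.
SAMPLE_BEFORE_FIX = """\
detected MBR rootkit hooks:
\\Driver\\ACPI -> 0x8a17ce10
NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> 0x89454330
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x0923CA09
malicious code @ sector 0x0923CA0C !
PE file found in sector at 0x0923CA22 !
"""
SAMPLE_AFTER_FIX = """\
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys sptd.sys >>UNKNOWN [0x8A94373C]<<
user & kernel MBR OK
copy of MBR has been found in sector 0x0923CA09
malicious code @ sector 0x0923CA0C !
"""
SAMPLE_PORTS = '"65533:TCP"= 65533:TCP:Services\n"3389:TCP"= 3389:TCP:Remote Desktop\n"2479:TCP"=-\n'
SAMPLE_NET_USER = "Account active Yes\nLocal Group Memberships *Administrators\n"
```

Run `parse_mbr_report` on the two reports from the HelpAsst log and the difference between `mbr_infected` and `payload_remains` is the point: after `mbr -f` the boot sector is clean, but the copy at 0x0923CA09 and the PE at 0x0923CA22 are still on disk, and the `>>UNKNOWN<<` module in the disk stack (sptd.sys is loaded on this machine) is still worth a look before declaring the box clean.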

Re: Antivirus Soft

Unread postby deltalima » March 17th, 2010, 7:47 am

Hi dalilbunnifufu,

From now on please run all scans and fixes in normal mode, let me know if there are any problems doing so.

Close out all other open programs and windows.

Please double click HelpAsst_mebroot_fix.exe again to run it and follow any prompts.
If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK