tidserv request 2

Re: tidserv request 2

Post by Tim Brug » April 5th, 2010, 10:36 pm

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3958

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

4/5/2010 8:56:48 PM
mbam-log-2010-04-05 (20-56-48).txt

Scan type: Quick scan
Objects scanned: 99309
Time elapsed: 6 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=29c778e949f21240985dad8d76e9b0c9
# end=stopped
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-04-05 10:18:03
# local_time=2010-04-05 06:18:03 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=3584 16777191 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=591
# found=0
# cleaned=0
# scan_time=175
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=29c778e949f21240985dad8d76e9b0c9
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-04-05 11:45:44
# local_time=2010-04-05 07:45:44 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=3584 16777191 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=46982
# found=0
# cleaned=0
# scan_time=4832
ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=29c778e949f21240985dad8d76e9b0c9
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-04-06 02:24:02
# local_time=2010-04-05 10:24:02 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=3584 16777191 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=46930
# found=0
# cleaned=0
# scan_time=4581

Still getting tidserv request 2 attack warnings from Norton. File in question seems to be:
\DEVICE\HARDDISKVOLUME1\WINDOWS\STSTEM32\SVCHOST.EXE

Again, TFC never rebooted machine, instead hung up at "windows is shutting down" message for a while before screen going black. Had to reboot machine manually.
Tim Brug
Regular Member
 
Posts: 33
Joined: March 31st, 2010, 9:06 pm

Re: tidserv request 2

Post by melboy » April 6th, 2010, 3:59 am

Hi

Ok, don't worry about TFC for now.



COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.


  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    DeQuarantine::
    C:\qoobox\quarantine\c:\windows\AppPatch\AcAdProc.dll.vir
    Quit::
    

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    [screenshot]
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • If you need help to disable your protection programs see here.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run for a short while on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of C:\DeQuarantine.txt in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


=====================


OTL
Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under the Custom Scan box paste this in
    Code:
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys 
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    nvraid.sys 
    netbt.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav 
    
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized
  • Please post the contents of these 2 Notepad files in your next reply.


In your next reply:
  1. OTL.txt
  2. Extras.txt
  3. DeQuarantine.txt
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK
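The /md5start ... /md5stop block in the OTL custom scan above tells OTL to hash the listed system files so an analyst can compare them against known-good copies; the Tidserv/TDSS family behind Norton's alerts is known for patching a disk driver such as atapi.sys in place, which is exactly what such a comparison catches. As an added illustration (not OTL's code and not part of the post), the Python below parses that directive block out of a constructed excerpt of the script, hashes the named files found in a throwaway directory tree, and reports each one as ok, MISMATCH, unknown or missing against a constructed baseline; the baseline hashes and file contents are made up for the demo.

```python
import hashlib
import os
import shutil
import tempfile

# Constructed excerpt of the OTL custom-scan directives quoted in the post.
# Only the /md5start ... /md5stop part is used; the other lines are ignored.
CUSTOM_SCAN = """netsvcs
%SYSTEMDRIVE%\\*.exe
/md5start
eventlog.dll
atapi.sys
iaStor.sys
netbt.sys
/md5stop
%systemroot%\\*. /mp /s
"""


def parse_md5_list(script):
    """Return the file names listed between /md5start and /md5stop."""
    names, inside = [], False
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower() == "/md5start":
            inside = True
        elif line.lower() == "/md5stop":
            inside = False
        elif inside:
            names.append(line)
    return names


def md5_of(path):
    """MD5 of a file, read in chunks so large drivers do not load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_files(names, search_dirs, baseline):
    """Locate each name in search_dirs (first hit wins), hash it and compare.

    baseline maps lower-cased file name -> expected MD5 hex digest.
    Returns {name: 'ok' | 'MISMATCH' | 'unknown' | 'missing'}.
    """
    results = {}
    for name in names:
        found = None
        for d in search_dirs:
            candidate = os.path.join(d, name)
            if os.path.isfile(candidate):
                found = candidate
                break
        if found is None:
            results[name] = "missing"  # not on disk where OTL would look
            continue
        digest = md5_of(found)
        expected = baseline.get(name.lower())
        if expected is None:
            results[name] = "unknown"  # no reference hash to compare with
        elif digest == expected.lower():
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"  # file differs from the known-good copy
    return results


def demo():
    """Build a constructed system32/drivers tree and run the comparison."""
    root = tempfile.mkdtemp()
    sys32 = os.path.join(root, "system32")
    drivers = os.path.join(sys32, "drivers")
    try:
        os.makedirs(drivers)
        # Constructed file contents: iaStor.sys stands in for a patched driver.
        files = {
            os.path.join(sys32, "eventlog.dll"): b"constructed clean eventlog.dll",
            os.path.join(drivers, "atapi.sys"): b"constructed clean atapi.sys",
            os.path.join(drivers, "iaStor.sys"): b"constructed PATCHED iaStor.sys",
        }
        for path, data in files.items():
            with open(path, "wb") as f:
                f.write(data)
        # Constructed baseline, as if taken from known-good copies of each file.
        baseline = {
            "eventlog.dll": hashlib.md5(b"constructed clean eventlog.dll").hexdigest(),
            "atapi.sys": hashlib.md5(b"constructed clean atapi.sys").hexdigest(),
            "iastor.sys": hashlib.md5(b"constructed clean iaStor.sys").hexdigest(),
        }
        return check_files(parse_md5_list(CUSTOM_SCAN), [sys32, drivers], baseline)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```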

Re: tidserv request 2

Post by Tim Brug » April 6th, 2010, 8:23 am

ComboFix 10-04-03.02 - Tim Brugnoli 04/06/2010 6:48.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1547 [GMT -4:00]
Running from: c:\documents and settings\Tim Brugnoli\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Tim Brugnoli\Desktop\CFScript.txt
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((( Files Created from 2010-03-06 to 2010-04-06 )))))))))))))))))))))))))))))))
.

2010-04-06 10:14 . 2010-02-04 21:13 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100405.038\NAVENG.SYS
2010-04-06 10:14 . 2010-02-04 21:13 1324720 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100405.038\NAVEX15.SYS
2010-04-06 10:14 . 2009-11-07 02:30 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100405.038\NAVENG32.DLL
2010-04-06 10:14 . 2009-11-07 02:30 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100405.038\NAVEX32A.DLL
2010-04-06 10:14 . 2009-12-09 23:57 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100405.038\CCERASER.DLL
2010-04-06 10:14 . 2009-11-07 02:30 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100405.038\EECTRL.SYS
2010-04-06 10:14 . 2009-11-07 02:30 259440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100405.038\ECMSVR32.DLL
2010-04-06 10:14 . 2009-11-07 02:30 102448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100405.038\ERASER.SYS
2010-04-05 22:08 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100402.001\IDSvix86.sys
2010-04-05 22:08 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100402.001\Scxpx86.dll
2010-04-05 22:08 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100402.001\IDSxpx86.dll
2010-04-05 22:07 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100402.001\IDSXpx86.sys
2010-04-05 22:07 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100402.001\IDSviA64.sys
2010-04-05 21:57 . 2010-04-05 21:57 -------- d-----w- c:\program files\ESET
2010-04-01 05:35 . 2010-04-03 21:26 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-01 00:25 . 2010-04-01 00:25 388096 ----a-r- c:\documents and settings\Tim Brugnoli\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-04-01 00:25 . 2010-04-01 00:25 -------- d-----w- c:\program files\TrendMicro
2010-03-31 21:13 . 2010-03-31 21:13 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-31 01:03 . 2004-08-04 02:59 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-03-31 01:03 . 2004-08-04 02:59 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-03-31 01:03 . 2004-08-04 03:00 8192 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-03-31 01:03 . 2004-08-04 03:00 8192 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-03-31 01:03 . 2004-08-04 03:00 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-03-31 01:03 . 2004-08-04 03:00 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-03-27 15:11 . 2010-03-27 15:11 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2010-03-26 09:34 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100326.001\IDSvix86.sys
2010-03-26 09:34 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100326.001\IDSXpx86.sys
2010-03-26 09:34 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100326.001\Scxpx86.dll
2010-03-26 09:34 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100326.001\IDSxpx86.dll
2010-03-26 09:34 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100326.001\IDSviA64.sys
2010-03-24 20:38 . 2010-03-24 20:38 536112 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100324.001\BHDrvx86.sys
2010-03-24 20:38 . 2010-03-24 20:38 201616 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100324.001\BHRules.dll
2010-03-24 20:38 . 2010-03-24 20:38 1407888 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100324.001\BHEngine.dll
2010-03-24 20:38 . 2010-03-24 20:38 678960 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100324.001\BHDrvx64.sys
2010-03-24 20:38 . 2010-03-24 20:38 611216 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100324.001\bbRGen.dll
2010-03-23 22:37 . 2010-03-23 22:37 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-03-23 22:37 . 2010-03-23 22:37 1924976 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2010-03-23 22:36 . 2010-03-24 22:12 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-06 02:42 . 2004-08-12 13:36 872064 ----a-w- c:\windows\system32\drivers\iaStor.sys
2010-04-04 16:35 . 2006-02-21 01:29 -------- d-----w- c:\program files\Agent
2010-04-04 14:22 . 2004-08-12 13:24 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2010-04-04 03:33 . 2009-01-02 23:11 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-04-04 03:06 . 2006-02-21 22:31 -------- d-----w- c:\program files\EasyAgent
2010-03-31 21:13 . 2010-03-02 02:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-30 04:46 . 2010-03-02 02:26 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45 . 2010-03-02 02:26 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-02 02:26 . 2010-03-02 02:26 -------- d-----w- c:\documents and settings\Tim Brugnoli\Application Data\Malwarebytes
2010-03-02 02:26 . 2010-03-02 02:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-25 06:24 . 2004-08-12 13:33 916480 ------w- c:\windows\system32\wininet.dll
2007-08-25 03:52 . 2008-02-11 05:37 300400 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-04-04_18.07.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-06 10:38 . 2010-04-06 10:38 16384 c:\windows\Temp\Perflib_Perfdata_6d4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Photo AIO Printer 942"="c:\program files\Dell Photo AIO Printer 942\dlbubmgr.exe" [2004-08-31 294912]
"DellMCM"="c:\program files\Dell Photo AIO Printer 942\memcard.exe" [2004-07-27 262144]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-11-11 4612096]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"P17Helper"="P17.dll" [2004-06-10 60928]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-12 642856]
"Linksys Wireless Manager"="c:\program files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe" [2009-02-16 1358384]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"NBJ"="c:\program files\Ahead\Nero BackItUp\nbj.exe"
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"InCD"=c:\program files\Ahead\InCD\InCD.exe
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
"iRiver Updater"=\Updater.exe
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"SunJavaUpdateSched"=c:\program files\Java\jre1.5.0_06\bin\jusched.exe
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"UIUCU"=c:\docume~1\TIMBRU~1\LOCALS~1\Temp\UIUCU.EXE -CLEAN_UP -S
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
"AppleSyncNotifier"=c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
"MimBoot"=c:\progra~1\MUSICM~1\MUSICM~1\mimboot.exe
"BlackBerryAutoUpdate"=c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
"<NO NAME>"=

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1105000.07F\symds.sys [1/11/2010 5:07 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1105000.07F\symefa.sys [1/11/2010 5:07 PM 172592]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100324.001\BHDrvx86.sys [3/24/2010 4:38 PM 536112]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1105000.07F\cchpx86.sys [1/11/2010 5:07 PM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1105000.07F\ironx86.sys [1/11/2010 5:07 PM 116272]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.5.0.127\ccsvchst.exe [1/11/2010 5:07 PM 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [10/17/2009 10:38 AM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100326.001\IDSXpx86.sys [3/26/2010 5:34 AM 329592]
S3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;c:\windows\system32\drivers\WUSB54GCv3.sys [11/20/2009 8:57 PM 627072]
.
Contents of the 'Scheduled Tasks' folder

2009-12-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 16:34]

2010-03-30 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Tim Brugnoli.job
- c:\program files\Norton Internet Security\Engine\17.5.0.127\navw32.exe [2010-01-11 06:08]

2010-01-18 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]

2009-05-05 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-05 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.optimum.net/News/Weather?sta ... nton,%20NJ
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Tim Brugnoli\Application Data\Mozilla\Firefox\Profiles\ik58xs29.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.optimum.net/News/Weather?sta ... nton,%20NJ
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPUploader.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-06 06:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x88ACDAC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba8ecfc3
\Driver\ACPI -> ACPI.sys @ 0xba77fcb8
\Driver\atapi -> atapi.sys @ 0xba7117b4
\Driver\iaStor -> iaStor.sys @ 0xba648b10
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x8058241c
ParseProcedure -> ntkrnlpa.exe @ 0x8058155c
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x8058241c
ParseProcedure -> ntkrnlpa.exe @ 0x8058155c
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.5.0.127\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.5.0.127\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(724)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(784)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3004)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-04-06 06:59:46
ComboFix-quarantined-files.txt 2010-04-06 10:59
ComboFix2.txt 2010-04-06 10:10
ComboFix3.txt 2010-04-04 18:11

Pre-Run: 180,674,846,720 bytes free
Post-Run: 180,633,370,624 bytes free

- - End Of File - - 918B30357A7400B75D31063E18120D18





OTL Extras logfile created on: 4/6/2010 7:02:13 AM - Run 1
OTL by OldTimer - Version 3.2.1.0 Folder = C:\Documents and Settings\Tim Brugnoli\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 72.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 91.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.82 Gb Total Space | 168.25 Gb Free Space | 72.27% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: BRUGNOLI
Current User Name: Tim Brugnoli
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Generate MD5 Signatures] -- "C:\Program Files\Michael K. Weise\mkw Audio Compression Toolkit\mkwACT.exe" (Michael K. Weise)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{072D2077-9E22-4F7F-B817-A92CA6CCC843}" = iriver Music Manager
"{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}" = HiJackThis
"{206FD69B-F9FE-4164-81BD-D52552BC9C23}" = GearDrvs
"{20C53FA2-4307-4671-A93F-9463B29DFCF1}" = Symantec Technical Support Web Controls
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3560CE5A-C4EF-4DB0-9ECC-BA035FE309C5}" = MSN Toolbar
"{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}" = Adobe® Photoshop® Album Starter Edition 3.0
"{54F6C98F-94A0-421C-B90E-0B6A2A96A9CF}" = Pure Networks Platform
"{56F3E1FF-54FE-4384-A153-6CCABA097814}" = Creative MediaSource
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{81A34902-9D0B-4920-A25C-4CDC5D14B328}" = Jasc Paint Shop Pro 8 Dell Edition
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel Matrix Storage Manager
"{90840409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Excel Viewer 2003
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A70500000002}" = Adobe Reader 7.0.8
"{AC76BA86-7AD7-5464-3428-7050000000A7}" = Adobe Reader 7.0.5 Language Support
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B607C354-CD79-4D22-86D1-92DC94153F42}" = Apple Application Support
"{BE6890C7-31EF-478C-812E-1E2899ABFCA9}" = Broadcom Gigabit Integrated Controller
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CC000127-5E5D-4A1C-90CB-EEAAAC1E3AC0}" = Jasc Paint Shop Photo Album
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CEB481CC-F57C-4397-81A0-DADD22257047}" = Sound Blaster Live! 24-bit
"{D1A74FBB-CA8D-4CCA-9B89-BAAA436DB178}" = iTunes
"{D78653C3-A8FF-415F-92E6-D774E634FF2D}" = Dell ResourceCD
"{F574616C-4C15-49CE-9C98-E998CD80264A}" = BlackBerry Device Software Updater
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player
"CAL" = Canon Camera Access Library
"CameraWindowDVC5" = Canon Camera Window DC_DV 5 for ZoomBrowser EX
"CameraWindowDVC6" = Canon Camera Window DC_DV 6 for ZoomBrowser EX
"CameraWindowMC" = Canon Camera Window MC 6 for ZoomBrowser EX
"Canon G.726 WMP-Decoder" = Canon G.726 WMP-Decoder
"CCleaner" = CCleaner
"CSCLIB" = Canon Camera Support Core Library
"Dell Photo AIO Printer 942" = Dell Photo AIO Printer 942
"EOS Utility" = Canon Utilities EOS Utility
"ESET Online Scanner" = ESET Online Scanner v3
"Exact Audio Copy" = Exact Audio Copy 0.99pb3
"FLAC" = FLAC Installer 1.1.1a (remove only)
"FLVPlayer" = FLV Player 1.3.3
"Forte Agent" = Forté Agent
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie8" = Windows Internet Explorer 8
"InCD!UninstallKey" = InCD
"InstallShield_{BE6890C7-31EF-478C-812E-1E2899ABFCA9}" = Broadcom Gigabit Integrated Controller
"Intel(R) 537EP V9x DF PCI Modem" = Intel(R) 537EP V9x DF PCI Modem
"Linksys Wireless Manager" = Linksys Wireless Manager
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"mkwACT" = mkw Audio Compression Toolkit
"mkwMFCRTL" = mkw Runtime Libraries
"MLUpdater" = iRiver Updater
"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
"Mozilla Firefox (3.6.2)" = Mozilla Firefox (3.6.2)
"Mozilla Thunderbird (2.0.0.23)" = Mozilla Thunderbird (2.0.0.23)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSN Music Assistant" = MSN Music Assistant
"MSNINST" = MSN
"Nero - Burning Rom!UninstallKey" = Nero 6 Ultra Edition
"NeroVision!UninstallKey" = Nero Digital
"NIS" = Norton Internet Security
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NMIX!UninstallKey" = NeroMIX
"NMPUninstallKey" = Nero Media Player
"NVIDIA Drivers" = NVIDIA Drivers
"PhotoStitch" = Canon Utilities PhotoStitch
"QuickPar" = QuickPar 0.9
"RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX
"RealPlayer 6.0" = RealPlayer
"RemoteCaptureTask" = Canon RemoteCapture Task for ZoomBrowser EX
"Shutterfly Plugin" = Shutterfly Plugin
"WGA" = Windows Genuine Advantage Validation Tool
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/27/2009 9:45:51 PM | Computer Name = BRUGNOLI | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: An internal certificate chaining error has occurred.

Error - 11/27/2009 10:08:46 PM | Computer Name = BRUGNOLI | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: An internal certificate chaining error has occurred.

Error - 11/30/2009 4:26:51 PM | Computer Name = BRUGNOLI | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: An internal certificate chaining error has occurred.

Error - 3/30/2010 10:14:50 PM | Computer Name = BRUGNOLI | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.2180, faulting
module urlmon.dll, version 8.0.6001.18904, fault address 0x0002df76.

Error - 4/3/2010 9:26:23 PM | Computer Name = BRUGNOLI | Source = Userenv | ID = 1007
Description = Windows cannot determine the associated site for this computer. (The
RPC server is too busy to complete this operation. ). Group Policy processing aborted.


Error - 4/3/2010 9:31:20 PM | Computer Name = BRUGNOLI | Source = Userenv | ID = 1007
Description = Windows cannot determine the associated site for this computer. (The
RPC server is too busy to complete this operation. ). Group Policy processing aborted.


Error - 4/4/2010 11:53:28 AM | Computer Name = BRUGNOLI | Source = ESENT | ID = 489
Description = wuauclt (2360) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log"
for read only access failed with system error 32 (0x00000020): "The process cannot
access the file because it is being used by another process. ". The open file
operation will fail with error -1032 (0xfffffbf8).

Error - 4/4/2010 11:53:28 AM | Computer Name = BRUGNOLI | Source = ESENT | ID = 455
Description = wuaueng.dll (2360) SUS20ClientDataStore: Error -1032 (0xfffffbf8)
occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.

Error - 4/4/2010 11:53:39 AM | Computer Name = BRUGNOLI | Source = ESENT | ID = 489
Description = wuauclt (2360) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log"
for read only access failed with system error 32 (0x00000020): "The process cannot
access the file because it is being used by another process. ". The open file
operation will fail with error -1032 (0xfffffbf8).

Error - 4/4/2010 11:53:39 AM | Computer Name = BRUGNOLI | Source = ESENT | ID = 455
Description = wuaueng.dll (2360) SUS20ClientDataStore: Error -1032 (0xfffffbf8)
occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.

[ System Events ]
Error - 4/5/2010 8:05:54 PM | Computer Name = BRUGNOLI | Source = SRTSP | ID = 524292
Description = Error loading virus definitions.

Error - 4/5/2010 8:05:54 PM | Computer Name = BRUGNOLI | Source = SRTSP | ID = 524293
Description = Error loading Symantec real time Anti-Virus driver.

Error - 4/5/2010 8:10:04 PM | Computer Name = BRUGNOLI | Source = Service Control Manager | ID = 7034
Description = The Creative Service for CDROM Access service terminated unexpectedly.
It has done this 1 time(s).

Error - 4/5/2010 8:10:04 PM | Computer Name = BRUGNOLI | Source = Service Control Manager | ID = 7034
Description = The Intel(R) Matrix Storage Event Monitor service terminated unexpectedly.
It has done this 1 time(s).

Error - 4/5/2010 8:10:04 PM | Computer Name = BRUGNOLI | Source = Service Control Manager | ID = 7034
Description = The NVIDIA Display Driver Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 4/5/2010 8:10:04 PM | Computer Name = BRUGNOLI | Source = Service Control Manager | ID = 7034
Description = The Pure Networks Platform Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 4/5/2010 8:10:05 PM | Computer Name = BRUGNOLI | Source = Service Control Manager | ID = 7034
Description = The InCD Helper service terminated unexpectedly. It has done this
1 time(s).

Error - 4/5/2010 10:43:22 PM | Computer Name = BRUGNOLI | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
IntelIde

Error - 4/5/2010 10:43:29 PM | Computer Name = BRUGNOLI | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000001'
while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring
the volume.

Error - 4/6/2010 6:22:02 AM | Computer Name = BRUGNOLI | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000243'
while processing the file 'SrtETmp' on the volume 'HarddiskVolume1'. It has stopped
monitoring the volume.


< End of report >


OTL logfile created on: 4/6/2010 7:02:13 AM - Run 1
OTL by OldTimer - Version 3.2.1.0 Folder = C:\Documents and Settings\Tim Brugnoli\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 72.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 91.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.82 Gb Total Space | 168.25 Gb Free Space | 72.27% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: BRUGNOLI
Current User Name: Tim Brugnoli
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/04/06 06:32:31 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Tim Brugnoli\Desktop\OTL.exe
PRC - [2009/12/09 05:05:51 | 000,126,392 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Internet Security\Engine\17.5.0.127\ccsvchst.exe
PRC - [2009/02/16 05:44:55 | 001,358,384 | R--- | M] (Linksys, LLC) -- C:\Program Files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe
PRC - [2008/12/12 19:06:40 | 000,642,856 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
PRC - [2008/12/12 19:06:40 | 000,642,856 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
PRC - [2008/10/24 09:14:36 | 000,206,112 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
PRC - [2007/06/13 06:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/03/23 17:06:38 | 000,880,128 | ---- | M] (Nero AG) -- C:\Program Files\Ahead\InCD\InCDsrv.exe
PRC - [2005/06/17 08:56:14 | 000,139,264 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2005/06/17 08:55:58 | 000,086,140 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
PRC - [2004/08/31 10:34:08 | 000,102,400 | ---- | M] () -- C:\Program Files\Dell Photo AIO Printer 942\dlbubmon.exe
PRC - [2004/08/31 10:18:44 | 000,294,912 | ---- | M] () -- C:\Program Files\Dell Photo AIO Printer 942\dlbubmgr.exe
PRC - [2004/07/27 10:08:22 | 000,262,144 | ---- | M] () -- C:\Program Files\Dell Photo AIO Printer 942\memcard.exe
PRC - [2003/09/17 10:43:36 | 000,057,344 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe


========== Modules (SafeList) ==========

MOD - [2010/04/06 06:32:31 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Tim Brugnoli\Desktop\OTL.exe
MOD - [2009/12/17 02:08:57 | 000,407,408 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Internet Security\Engine\17.5.0.127\asoehook.dll
MOD - [2009/07/12 04:02:02 | 000,653,120 | R--- | M] (Microsoft Corporation) -- C:\Program Files\Norton Internet Security\Engine\17.5.0.127\microsoft.vc90.crt\msvcr90.dll
MOD - [2009/07/12 04:02:00 | 000,569,664 | R--- | M] (Microsoft Corporation) -- C:\Program Files\Norton Internet Security\Engine\17.5.0.127\microsoft.vc90.crt\msvcp90.dll
MOD - [2006/08/25 11:45:55 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (RoxLiveShare9)
SRV - [2009/12/09 05:05:51 | 000,126,392 | R--- | M] (Symantec Corporation) [Unknown | Running] -- C:\Program Files\Norton Internet Security\Engine\17.5.0.127\ccSvcHst.exe -- (NIS)
SRV - [2008/12/12 19:06:40 | 000,642,856 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe -- (nmservice)
SRV - [2008/01/29 17:09:02 | 000,394,704 | ---- | M] (Symantec, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe -- (Symantec RemoteAssist)
SRV - [2006/03/23 17:06:38 | 000,880,128 | ---- | M] (Nero AG) [Auto | Running] -- C:\Program Files\Ahead\InCD\InCDsrv.exe -- (InCDsrv)
SRV - [2005/09/30 19:22:50 | 000,096,341 | ---- | M] (Canon Inc.) [On_Demand | Stopped] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
SRV - [2005/06/17 08:55:58 | 000,086,140 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe -- (IAANTMon) Intel(R)
SRV - [2004/07/01 16:45:46 | 000,421,888 | ---- | M] (Dell) [On_Demand | Stopped] -- C:\WINDOWS\System32\dlbucoms.exe -- (dlbu_device)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://www.live.com [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.optimum.net/News/Weather?sta ... nton,%20NJ
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.optimum.net/News/Weather?station=D-KTTN&location=Trenton,%20NJ"
FF - prefs.js..extensions.enabledItems: {BBDA0591-3099-440a-AA10-41764D9DB4DB}:2.0
FF - prefs.js..extensions.enabledItems: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62}:4.5

FF - HKLM\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\IPSFFPlgn\ [2009/10/16 22:35:37 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\coFFPlgn\ [2010/01/13 18:15:45 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/03/30 21:12:59 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/03/30 21:12:59 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.23\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2009/10/17 11:53:13 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.23\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

[2008/08/27 21:39:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tim Brugnoli\Application Data\Mozilla\Extensions
[2010/04/03 12:44:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tim Brugnoli\Application Data\Mozilla\Firefox\Profiles\ik58xs29.default\extensions
[2009/10/13 06:34:20 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Tim Brugnoli\Application Data\Mozilla\Firefox\Profiles\ik58xs29.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/01/23 18:17:23 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2007/08/24 23:52:00 | 000,300,400 | ---- | M] (Symantec Corporation) -- C:\Program Files\Mozilla Firefox\components\coFFPlgn.dll
[2005/04/27 18:31:10 | 000,225,280 | ---- | M] (Asgard Software Inc.) -- C:\Program Files\Mozilla Firefox\plugins\NPUploader.dll

O1 HOSTS File: ([2009/11/21 07:38:13 | 000,719,797 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 12234 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\17.5.0.127\coieplg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\17.5.0.127\ipsbho.dll (Symantec Corporation)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (MSN Toolbar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll (Microsoft Corp.)
O3 - HKLM\..\Toolbar: (MSN Toolbar) - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll (Microsoft Corp.)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\17.5.0.127\coieplg.dll (Symantec Corporation)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\17.5.0.127\coieplg.dll (Symantec Corporation)
O4 - HKLM..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [Dell Photo AIO Printer 942] C:\Program Files\Dell Photo AIO Printer 942\dlbubmgr.exe ()
O4 - HKLM..\Run: [DellMCM] C:\Program Files\Dell Photo AIO Printer 942\memcard.exe ()
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4 - HKLM..\Run: [Linksys Wireless Manager] C:\Program Files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe (Linksys, LLC)
O4 - HKLM..\Run: [nmctxth] C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe (Cisco Systems, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [P17Helper] C:\WINDOWS\System32\P17.dll ()
O4 - HKLM..\Run: [UpdReg] C:\WINDOWS\Updreg.EXE (Creative Technology Ltd.)
O4 - HKCU..\Run: [ISUSPM] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\NPJPI150_06.dll (Sun Microsystems, Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/ ... ontrol.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} https://www-secure.symantec.com/techsup ... SupCtl.cab (Reg Error: Key error.)
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} https://www-secure.symantec.com/techsup ... mAData.cab (ActiveDataInfo Class)
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} https://www-secure.symantec.com/techsup ... gctlsi.cab (Symantec SmartIssue)
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} https://www-secure.symantec.com/techsup ... gctlsr.cab (Symantec Script Runner Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftup ... 1007452875 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.5.0/jinsta ... s-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} https://a248.e.akamai.net/f/248/5462/2h ... mDlBrg.cab (Reg Error: Key error.)
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} http://cdn.digitalcity.com/radio/ampx/a ... _en_dl.cab (IWinAmpActiveX Class)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinsta ... s-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinsta ... s-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/s ... wflash.cab (Shockwave Flash Object)
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} http://liveca12.custhelp.com/7530-b327h ... a/RntX.cab (Live Collaboration)
O18 - Protocol\Handler\pure-go {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\Platform\puresp4.dll (Cisco Systems, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Tim Brugnoli\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Tim Brugnoli\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/02/20 17:35:16 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2006/02/20 12:21:24 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (17465059307421696)

========== Files/Folders - Created Within 14 Days ==========

[2010/04/06 06:32:31 | 000,561,664 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Tim Brugnoli\Desktop\OTL.exe
[2010/04/05 17:57:45 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/04/05 15:37:27 | 000,444,416 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Tim Brugnoli\Desktop\TFC.exe
[2010/04/05 06:44:02 | 000,178,000 | ---- | C] (Kaspersky Lab) -- C:\Documents and Settings\Tim Brugnoli\Desktop\Copy of TDSSKiller.exe
[2010/04/05 06:43:06 | 000,178,000 | ---- | C] (Kaspersky Lab) -- C:\Documents and Settings\Tim Brugnoli\Desktop\TDSSKiller.exe
[2010/04/04 13:56:03 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/04/04 13:24:49 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/04/04 13:24:49 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/04/04 13:24:49 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/04/04 13:24:49 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/04/04 13:24:36 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/04/04 13:23:32 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/04/03 23:04:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tim Brugnoli\Desktop\New Folder
[2010/04/03 17:26:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/04/03 17:08:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/04/03 12:58:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Real
[2010/04/01 01:35:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/03/31 20:25:16 | 000,000,000 | ---D | C] -- C:\Program Files\TrendMicro
[2010/03/31 19:53:50 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Tim Brugnoli\Recent
[2010/03/30 22:18:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/03/30 21:21:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/03/30 21:07:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010/03/27 11:11:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\McAfee
[2010/03/23 18:37:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2010/03/23 18:36:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NOS
[2010/01/23 18:17:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Mozilla
[2009/12/07 23:10:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Help
[2009/12/07 23:10:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Help
[2009/11/27 13:46:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2009/10/26 16:44:11 | 000,065,536 | ---- | C] ( ) -- C:\WINDOWS\System32\A3d.dll
[2008/09/06 09:47:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Roxio
[2007/01/19 23:23:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2007/01/18 21:27:01 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2007/01/05 11:25:33 | 000,630,784 | ---- | C] (Citrix Online) -- C:\Documents and Settings\Tim Brugnoli\GoToAssist_chat2way__317_en.exe
[2006/08/28 21:53:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2006/08/20 23:28:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Talkback
[2006/08/20 23:28:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Mozilla
[2006/02/20 18:00:36 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft

========== Files - Modified Within 14 Days ==========

[2010/04/06 06:59:49 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/06 06:55:57 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/04/06 06:37:40 | 000,016,052 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/04/06 06:37:19 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/06 06:35:06 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Tim Brugnoli\ntuser.ini
[2010/04/06 06:35:05 | 009,961,472 | -H-- | M] () -- C:\Documents and Settings\Tim Brugnoli\NTUSER.DAT
[2010/04/06 06:34:50 | 004,317,300 | -H-- | M] () -- C:\Documents and Settings\Tim Brugnoli\Local Settings\Application Data\IconCache.db
[2010/04/06 06:32:31 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Tim Brugnoli\Desktop\OTL.exe
[2010/04/05 19:50:27 | 000,001,475 | ---- | M] () -- C:\Documents and Settings\Tim Brugnoli\Desktop\Windows Explorer.lnk
[2010/04/05 15:42:27 | 002,672,312 | ---- | M] () -- C:\Documents and Settings\Tim Brugnoli\Desktop\esetsmartinstaller_enu.exe
[2010/04/05 15:37:28 | 000,444,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Tim Brugnoli\Desktop\TFC.exe
[2010/04/05 06:33:29 | 000,100,908 | ---- | M] () -- C:\Documents and Settings\Tim Brugnoli\Desktop\SystemLook.exe
[2010/04/04 13:56:15 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/04/04 13:19:30 | 003,907,280 | R--- | M] () -- C:\Documents and Settings\Tim Brugnoli\Desktop\ComboFix.exe
[2010/04/04 08:13:57 | 000,000,000 | ---- | M] () -- C:\WINDOWS\MEMORY.DMP
[2010/04/03 13:43:29 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Tim Brugnoli\defogger_reenable
[2010/04/03 13:38:16 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Tim Brugnoli\Desktop\dds.scr
[2010/04/03 13:03:26 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Tim Brugnoli\Desktop\lmyzwn8q.exe
[2010/04/03 13:02:30 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Tim Brugnoli\Desktop\Defogger.exe
[2010/04/03 12:31:48 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/03/31 21:20:05 | 000,002,455 | ---- | M] () -- C:\Documents and Settings\Tim Brugnoli\Desktop\HiJackThis.lnk
[2010/03/30 21:11:19 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/03/30 00:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/30 00:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/03/29 20:00:00 | 000,000,758 | ---- | M] () -- C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - Tim Brugnoli.job
[2010/03/25 17:34:54 | 000,000,758 | ---- | M] () -- C:\WINDOWS\dellstat.ini

========== Files Created - No Company Name ==========

[2010/04/05 15:38:55 | 002,672,312 | ---- | C] () -- C:\Documents and Settings\Tim Brugnoli\Desktop\esetsmartinstaller_enu.exe
[2010/04/05 06:33:29 | 000,100,908 | ---- | C] () -- C:\Documents and Settings\Tim Brugnoli\Desktop\SystemLook.exe
[2010/04/04 13:56:15 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/04/04 13:56:12 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/04/04 13:24:49 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/04/04 13:24:49 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/04/04 13:24:49 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/04/04 13:24:49 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/04/04 13:24:49 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/04/04 13:19:28 | 003,907,280 | R--- | C] () -- C:\Documents and Settings\Tim Brugnoli\Desktop\ComboFix.exe
[2010/04/03 13:43:29 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Tim Brugnoli\defogger_reenable
[2010/04/03 13:38:16 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Tim Brugnoli\Desktop\dds.scr
[2010/04/03 13:03:25 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Tim Brugnoli\Desktop\lmyzwn8q.exe
[2010/04/03 13:02:30 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Tim Brugnoli\Desktop\Defogger.exe
[2010/03/31 20:25:16 | 000,002,455 | ---- | C] () -- C:\Documents and Settings\Tim Brugnoli\Desktop\HiJackThis.lnk
[2009/10/26 17:57:06 | 000,000,231 | ---- | C] () -- C:\WINDOWS\AC3API.INI
[2009/10/26 17:56:43 | 000,003,278 | ---- | C] () -- C:\WINDOWS\System32\LudaP17.ini
[2009/10/26 17:56:43 | 000,000,029 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2009/10/26 17:56:42 | 000,060,928 | ---- | C] () -- C:\WINDOWS\System32\P17.dll
[2009/10/26 17:56:42 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\P17CPI.dll
[2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2008/12/25 10:39:12 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\csdlocalmon.dll
[2008/10/18 18:12:21 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Tim Brugnoli\Local Settings\Application Data\rx_image.Cache
[2007/11/28 20:20:37 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2007/10/20 13:32:20 | 000,000,025 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2006/06/29 15:46:38 | 157,801,497 | ---- | C] () -- C:\Documents and Settings\Tim Brugnoli\__rzi_00.328
[2006/06/04 22:31:05 | 000,019,968 | ---- | C] () -- C:\Documents and Settings\Tim Brugnoli\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/03/23 17:24:52 | 000,000,151 | ---- | C] () -- C:\WINDOWS\PhotoSnapViewer.INI
[2006/02/22 20:55:44 | 000,000,000 | ---- | C] () -- C:\WINDOWS\OPPRIN~1.INI
[2006/02/21 21:23:19 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2006/02/21 19:36:39 | 000,528,384 | ---- | C] () -- C:\WINDOWS\System32\BladeEnc.dll
[2006/02/21 19:36:39 | 000,120,832 | ---- | C] () -- C:\WINDOWS\System32\ShnDll32.dll
[2006/02/21 18:50:43 | 000,000,149 | ---- | C] () -- C:\Documents and Settings\Tim Brugnoli\default.pls
[2006/02/21 17:16:45 | 000,000,229 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2006/02/20 20:49:30 | 000,000,758 | ---- | C] () -- C:\WINDOWS\dellstat.ini
[2006/02/20 20:49:11 | 000,143,360 | R--- | C] () -- C:\WINDOWS\System32\dlbucoin.dll
[2006/02/20 20:49:11 | 000,131,072 | R--- | C] () -- C:\WINDOWS\System32\dlbusnls.dll
[2006/02/20 20:46:36 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\dlbuvs.dll
[2006/02/20 20:46:32 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\dlbucur.dll
[2006/02/20 20:46:32 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\dlbucu.dll
[2006/02/20 20:46:24 | 000,557,056 | ---- | C] () -- C:\WINDOWS\System32\dlbujswr.dll
[2006/02/20 20:46:15 | 000,401,408 | ---- | C] () -- C:\WINDOWS\System32\dlbuutil.dll
[2006/02/20 19:23:26 | 000,262,144 | ---- | C] () -- C:\Documents and Settings\All Users\ntuser.dat
[2006/02/20 19:23:26 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\All Users\ntuser.dat.LOG
[2006/02/20 18:40:06 | 000,000,072 | ---- | C] () -- C:\WINDOWS\SBWIN.INI
[2006/02/20 18:03:23 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\Tim Brugnoli\ntuser.dat.LOG
[2006/02/20 18:03:23 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\Tim Brugnoli\ntuser.ini
[2006/02/20 18:03:22 | 009,961,472 | -H-- | C] () -- C:\Documents and Settings\Tim Brugnoli\NTUSER.DAT

========== LOP Check ==========

[2009/10/16 22:26:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCSettings
[2009/11/21 19:55:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/10/17 11:57:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/06/18 21:49:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2007/11/23 00:37:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tim Brugnoli\Application Data\ImgBurn
[2007/06/18 15:43:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tim Brugnoli\Application Data\Leadertech
[2008/10/18 23:13:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tim Brugnoli\Application Data\Musicmatch
[2007/12/15 17:44:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tim Brugnoli\Application Data\Netscape
[2009/02/22 21:42:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tim Brugnoli\Application Data\Opera
[2007/12/22 11:42:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tim Brugnoli\Application Data\Thunderbird
[2009/11/19 23:38:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tim Brugnoli\Application Data\Tific
[2010/01/18 12:59:00 | 000,000,236 | ---- | M] () -- C:\WINDOWS\Tasks\OGALogon.job
[2009/05/05 19:05:26 | 000,000,260 | ---- | M] () -- C:\WINDOWS\Tasks\WGASetup.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2004/03/10 17:16:33 | 000,077,824 | ---- | M] (Moodlogic) -- C:\catgen.exe
[2004/07/01 17:20:20 | 000,212,992 | ---- | M] (Moodlogic) -- C:\Updater.exe


< MD5 for: AGP440.SYS >
[2004/08/12 09:29:28 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/12 09:29:28 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\atapi.sys
[2004/08/03 23:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2004/08/03 23:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2004/08/03 23:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/12 09:17:27 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\eventlog.dll
[2004/08/12 09:19:04 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2004/08/12 09:19:04 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2004/08/12 09:19:04 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: IASTOR.SYS >
[2005/06/17 08:35:20 | 000,504,320 | ---- | M] (Intel Corporation) MD5=384B596BA3A59FFB63C541CC4BF09071 -- C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\IaStor.sys
[2005/06/17 08:33:40 | 000,872,064 | ---- | M] (Intel Corporation) MD5=9A65E42664D1534B68512CAAD0EFE963 -- C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\iaStor.sys
[2010/04/05 22:42:29 | 000,872,064 | ---- | M] (Intel Corporation) MD5=9A65E42664D1534B68512CAAD0EFE963 -- C:\WINDOWS\system32\drivers\iaStor.sys
[2004/08/12 09:36:15 | 000,467,200 | ---- | M] (Intel Corporation) MD5=F26BFD48B1C314E0F23BF77ACFA75940 -- C:\WINDOWS\dell\iastor\iastor.sys
[2004/08/12 09:36:15 | 000,467,200 | ---- | M] (Intel Corporation) MD5=F26BFD48B1C314E0F23BF77ACFA75940 -- C:\WINDOWS\system32\ReinstallBackups\0014\DriverFiles\iaStor.sys

< MD5 for: NETBT.SYS >
[2010/03/31 23:07:54 | 000,162,816 | ---- | M] (Microsoft Corporation) MD5=0C80E410CD2F47134407EE7DD19CC86B -- C:\WINDOWS\system32\dllcache\netbt.sys
[2010/04/04 10:22:04 | 000,162,816 | ---- | M] (Microsoft Corporation) MD5=0C80E410CD2F47134407EE7DD19CC86B -- C:\WINDOWS\system32\drivers\netbt.sys
[2008/04/13 15:21:00 | 000,162,816 | ---- | M] (Microsoft Corporation) MD5=74B2B2F5BEA5E9A3DC021D685551BD3D -- C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\netbt.sys

< MD5 for: NETLOGON.DLL >
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\netlogon.dll
[2009/02/06 14:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB968389\SP2QFE\netlogon.dll
[2009/02/06 14:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB975467\SP2QFE\netlogon.dll
[2004/08/12 09:24:31 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2004/08/12 09:24:31 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2004/08/12 09:24:31 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/12 09:27:47 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2004/08/12 09:27:47 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\dllcache\scecli.dll
[2004/08/12 09:27:47 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.s >

========== Alternate Data Streams ==========

@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
< End of report >
Tim Brug
Regular Member
Posts: 33
Joined: March 31st, 2010, 9:06 pm

Re: tidserv request 2

Unread postby melboy » April 6th, 2010, 10:44 am

Hi

  • Highlight and copy the text in the codebox below.
    "%userprofile%\desktop\tdsskiller.exe" -l "%userprofile%\desktop\tdsskiller_2.txt"
  • Click Start, click Run... and paste the text above into the Open: line and click OK.
  • If malicious services or files have been detected, the utility will prompt to reboot the PC in order to complete the disinfection procedure. Please reboot when prompted.
  • After reboot, open tdsskiller_2.txt on your desktop and post the contents in your next reply.
melboy
MRU Expert
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: tidserv request 2

Unread postby Tim Brug » April 6th, 2010, 3:39 pm

15:34:23:593 3528 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
15:34:23:593 3528 ================================================================================
15:34:23:593 3528 SystemInfo:

15:34:23:593 3528 OS Version: 5.1.2600 ServicePack: 2.0
15:34:23:593 3528 Product type: Workstation
15:34:23:593 3528 ComputerName: BRUGNOLI
15:34:23:593 3528 UserName: Tim Brugnoli
15:34:23:593 3528 Windows directory: C:\WINDOWS
15:34:23:593 3528 Processor architecture: Intel x86
15:34:23:593 3528 Number of processors: 2
15:34:23:593 3528 Page size: 0x1000
15:34:23:593 3528 Boot type: Normal boot
15:34:23:593 3528 ================================================================================
15:34:23:625 3528 UnloadDriverW: NtUnloadDriver error 2
15:34:23:625 3528 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
15:34:23:765 3528 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
15:34:23:765 3528 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
15:34:23:765 3528 wfopen_ex: Trying to KLMD file open
15:34:23:765 3528 wfopen_ex: File opened ok (Flags 2)
15:34:23:765 3528 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
15:34:23:765 3528 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
15:34:23:765 3528 wfopen_ex: Trying to KLMD file open
15:34:23:765 3528 wfopen_ex: File opened ok (Flags 2)
15:34:23:765 3528 Initialize success
15:34:23:765 3528
15:34:23:765 3528 Scanning Services ...
15:34:23:828 3528 Raw services enum returned 346 services
15:34:23:843 3528
15:34:23:843 3528 Scanning Kernel memory ...
15:34:23:843 3528 Devices to scan: 4
15:34:23:843 3528
15:34:23:843 3528 Driver Name: Disk
15:34:23:843 3528 IRP_MJ_CREATE : BA8EEC30
15:34:23:843 3528 IRP_MJ_CREATE_NAMED_PIPE : 804F4476
15:34:23:843 3528 IRP_MJ_CLOSE : BA8EEC30
15:34:23:843 3528 IRP_MJ_READ : BA8E8D9B
15:34:23:843 3528 IRP_MJ_WRITE : BA8E8D9B
15:34:23:843 3528 IRP_MJ_QUERY_INFORMATION : 804F4476
15:34:23:843 3528 IRP_MJ_SET_INFORMATION : 804F4476
15:34:23:843 3528 IRP_MJ_QUERY_EA : 804F4476
15:34:23:843 3528 IRP_MJ_SET_EA : 804F4476
15:34:23:843 3528 IRP_MJ_FLUSH_BUFFERS : BA8E9366
15:34:23:843 3528 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4476
15:34:23:843 3528 IRP_MJ_SET_VOLUME_INFORMATION : 804F4476
15:34:23:843 3528 IRP_MJ_DIRECTORY_CONTROL : 804F4476
15:34:23:843 3528 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4476
15:34:23:843 3528 IRP_MJ_DEVICE_CONTROL : BA8E944D
15:34:23:843 3528 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA8ECFC3
15:34:23:843 3528 IRP_MJ_SHUTDOWN : BA8E9366
15:34:23:843 3528 IRP_MJ_LOCK_CONTROL : 804F4476
15:34:23:843 3528 IRP_MJ_CLEANUP : 804F4476
15:34:23:843 3528 IRP_MJ_CREATE_MAILSLOT : 804F4476
15:34:23:843 3528 IRP_MJ_QUERY_SECURITY : 804F4476
15:34:23:843 3528 IRP_MJ_SET_SECURITY : 804F4476
15:34:23:843 3528 IRP_MJ_POWER : BA8EAEF3
15:34:23:843 3528 IRP_MJ_SYSTEM_CONTROL : BA8EFA24
15:34:23:843 3528 IRP_MJ_DEVICE_CHANGE : 804F4476
15:34:23:843 3528 IRP_MJ_QUERY_QUOTA : 804F4476
15:34:23:843 3528 IRP_MJ_SET_QUOTA : 804F4476
15:34:23:953 3528 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
15:34:23:953 3528
15:34:23:953 3528 Driver Name: USBSTOR
15:34:23:953 3528 IRP_MJ_CREATE : B214D218
15:34:23:953 3528 IRP_MJ_CREATE_NAMED_PIPE : 804F4476
15:34:23:953 3528 IRP_MJ_CLOSE : B214D218
15:34:23:953 3528 IRP_MJ_READ : B214D23C
15:34:23:953 3528 IRP_MJ_WRITE : B214D23C
15:34:23:953 3528 IRP_MJ_QUERY_INFORMATION : 804F4476
15:34:23:953 3528 IRP_MJ_SET_INFORMATION : 804F4476
15:34:23:953 3528 IRP_MJ_QUERY_EA : 804F4476
15:34:23:953 3528 IRP_MJ_SET_EA : 804F4476
15:34:23:953 3528 IRP_MJ_FLUSH_BUFFERS : 804F4476
15:34:23:953 3528 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4476
15:34:23:953 3528 IRP_MJ_SET_VOLUME_INFORMATION : 804F4476
15:34:23:953 3528 IRP_MJ_DIRECTORY_CONTROL : 804F4476
15:34:23:953 3528 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4476
15:34:23:953 3528 IRP_MJ_DEVICE_CONTROL : B214D180
15:34:23:953 3528 IRP_MJ_INTERNAL_DEVICE_CONTROL : B21489E6
15:34:23:953 3528 IRP_MJ_SHUTDOWN : 804F4476
15:34:23:953 3528 IRP_MJ_LOCK_CONTROL : 804F4476
15:34:23:953 3528 IRP_MJ_CLEANUP : 804F4476
15:34:23:953 3528 IRP_MJ_CREATE_MAILSLOT : 804F4476
15:34:23:953 3528 IRP_MJ_QUERY_SECURITY : 804F4476
15:34:23:953 3528 IRP_MJ_SET_SECURITY : 804F4476
15:34:23:953 3528 IRP_MJ_POWER : B214C5F0
15:34:23:953 3528 IRP_MJ_SYSTEM_CONTROL : B214AA6E
15:34:23:953 3528 IRP_MJ_DEVICE_CHANGE : 804F4476
15:34:23:953 3528 IRP_MJ_QUERY_QUOTA : 804F4476
15:34:23:953 3528 IRP_MJ_SET_QUOTA : 804F4476
15:34:23:968 3528 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
15:34:23:968 3528
15:34:23:968 3528 Driver Name: Disk
15:34:23:968 3528 IRP_MJ_CREATE : BA8EEC30
15:34:23:968 3528 IRP_MJ_CREATE_NAMED_PIPE : 804F4476
15:34:23:968 3528 IRP_MJ_CLOSE : BA8EEC30
15:34:23:968 3528 IRP_MJ_READ : BA8E8D9B
15:34:23:968 3528 IRP_MJ_WRITE : BA8E8D9B
15:34:23:968 3528 IRP_MJ_QUERY_INFORMATION : 804F4476
15:34:23:968 3528 IRP_MJ_SET_INFORMATION : 804F4476
15:34:23:968 3528 IRP_MJ_QUERY_EA : 804F4476
15:34:23:968 3528 IRP_MJ_SET_EA : 804F4476
15:34:23:968 3528 IRP_MJ_FLUSH_BUFFERS : BA8E9366
15:34:23:968 3528 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4476
15:34:23:968 3528 IRP_MJ_SET_VOLUME_INFORMATION : 804F4476
15:34:23:968 3528 IRP_MJ_DIRECTORY_CONTROL : 804F4476
15:34:23:968 3528 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4476
15:34:23:968 3528 IRP_MJ_DEVICE_CONTROL : BA8E944D
15:34:23:968 3528 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA8ECFC3
15:34:23:968 3528 IRP_MJ_SHUTDOWN : BA8E9366
15:34:23:968 3528 IRP_MJ_LOCK_CONTROL : 804F4476
15:34:23:968 3528 IRP_MJ_CLEANUP : 804F4476
15:34:23:968 3528 IRP_MJ_CREATE_MAILSLOT : 804F4476
15:34:23:968 3528 IRP_MJ_QUERY_SECURITY : 804F4476
15:34:23:968 3528 IRP_MJ_SET_SECURITY : 804F4476
15:34:23:968 3528 IRP_MJ_POWER : BA8EAEF3
15:34:23:968 3528 IRP_MJ_SYSTEM_CONTROL : BA8EFA24
15:34:23:968 3528 IRP_MJ_DEVICE_CHANGE : 804F4476
15:34:23:968 3528 IRP_MJ_QUERY_QUOTA : 804F4476
15:34:23:968 3528 IRP_MJ_SET_QUOTA : 804F4476
15:34:23:984 3528 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
15:34:23:984 3528
15:34:23:984 3528 Driver Name: iastor
15:34:23:984 3528 IRP_MJ_CREATE : 8886AAC8
15:34:23:984 3528 IRP_MJ_CREATE_NAMED_PIPE : 8886AAC8
15:34:23:984 3528 IRP_MJ_CLOSE : 8886AAC8
15:34:23:984 3528 IRP_MJ_READ : 8886AAC8
15:34:23:984 3528 IRP_MJ_WRITE : 8886AAC8
15:34:23:984 3528 IRP_MJ_QUERY_INFORMATION : 8886AAC8
15:34:23:984 3528 IRP_MJ_SET_INFORMATION : 8886AAC8
15:34:23:984 3528 IRP_MJ_QUERY_EA : 8886AAC8
15:34:23:984 3528 IRP_MJ_SET_EA : 8886AAC8
15:34:23:984 3528 IRP_MJ_FLUSH_BUFFERS : 8886AAC8
15:34:23:984 3528 IRP_MJ_QUERY_VOLUME_INFORMATION : 8886AAC8
15:34:23:984 3528 IRP_MJ_SET_VOLUME_INFORMATION : 8886AAC8
15:34:23:984 3528 IRP_MJ_DIRECTORY_CONTROL : 8886AAC8
15:34:23:984 3528 IRP_MJ_FILE_SYSTEM_CONTROL : 8886AAC8
15:34:23:984 3528 IRP_MJ_DEVICE_CONTROL : 8886AAC8
15:34:23:984 3528 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8886AAC8
15:34:23:984 3528 IRP_MJ_SHUTDOWN : 8886AAC8
15:34:23:984 3528 IRP_MJ_LOCK_CONTROL : 8886AAC8
15:34:23:984 3528 IRP_MJ_CLEANUP : 8886AAC8
15:34:23:984 3528 IRP_MJ_CREATE_MAILSLOT : 8886AAC8
15:34:23:984 3528 IRP_MJ_QUERY_SECURITY : 8886AAC8
15:34:23:984 3528 IRP_MJ_SET_SECURITY : 8886AAC8
15:34:23:984 3528 IRP_MJ_POWER : 8886AAC8
15:34:23:984 3528 IRP_MJ_SYSTEM_CONTROL : 8886AAC8
15:34:23:984 3528 IRP_MJ_DEVICE_CHANGE : 8886AAC8
15:34:23:984 3528 IRP_MJ_QUERY_QUOTA : 8886AAC8
15:34:23:984 3528 IRP_MJ_SET_QUOTA : 8886AAC8
15:34:23:984 3528 Driver "iastor" infected by TDSS rootkit!
15:34:24:015 3528 C:\WINDOWS\system32\drivers\iaStor.sys - Verdict: 1
15:34:24:015 3528 File "C:\WINDOWS\system32\drivers\iaStor.sys" infected by TDSS rootkit ...
15:34:24:015 3528 Processing driver file: C:\WINDOWS\system32\drivers\iaStor.sys
15:34:24:015 3528 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
15:34:24:046 3528 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\OemDir\*) error 3
15:34:24:265 3528 !fdfb7
15:34:24:296 3528 vfvi6
15:34:24:312 3528 !dsvbh1
15:34:24:968 3528 dsvbh2
15:34:24:968 3528 Backup copy2 found, using it..
15:34:25:031 3528 will be cured on next reboot
15:34:25:031 3528 Reboot required for cure complete..
15:34:25:046 3528 Cure on reboot scheduled successfully
15:34:25:046 3528
15:34:25:046 3528 Completed
15:34:25:046 3528
15:34:25:046 3528 Results:
15:34:25:046 3528 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
15:34:25:046 3528 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
15:34:25:046 3528 File objects infected / cured / cured on reboot: 1 / 0 / 1
15:34:25:046 3528
15:34:25:046 3528 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
15:34:25:046 3528 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
15:34:25:046 3528 UnloadDriverW: NtUnloadDriver error 1
15:34:25:062 3528 KLMD(ARK) unloaded successfully
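The kernel-memory section of the log above is what identifies the rootkit: the clean drivers (Disk, USBSTOR) show several distinct handler addresses, with the shared kernel default 804F4476 in the slots they do not implement, while every IRP_MJ entry for iastor points at the single address 8886AAC8, so all I/O to the boot disk is routed through one hook. The Python check below is an added example, not TDSSKiller's code or anything posted in the thread; it parses that block format and flags the pattern, running over a reduced sample log constructed from the thread's own values.

```python
import re
from collections import defaultdict

# Constructed sample: a reduced copy of the thread's TDSSKiller kernel-memory
# output (same drivers and addresses, fewer IRP_MJ rows per driver).
SAMPLE_LOG = """\
15:34:23:843 3528 Scanning Kernel memory ...
15:34:23:843 3528 Driver Name: Disk
15:34:23:843 3528 IRP_MJ_CREATE : BA8EEC30
15:34:23:843 3528 IRP_MJ_CREATE_NAMED_PIPE : 804F4476
15:34:23:843 3528 IRP_MJ_READ : BA8E8D9B
15:34:23:843 3528 IRP_MJ_WRITE : BA8E8D9B
15:34:23:843 3528 IRP_MJ_QUERY_EA : 804F4476
15:34:23:843 3528 IRP_MJ_DEVICE_CONTROL : BA8E944D
15:34:23:953 3528 C:\\WINDOWS\\system32\\DRIVERS\\disk.sys - Verdict: 1
15:34:23:953 3528 Driver Name: USBSTOR
15:34:23:953 3528 IRP_MJ_CREATE : B214D218
15:34:23:953 3528 IRP_MJ_CREATE_NAMED_PIPE : 804F4476
15:34:23:953 3528 IRP_MJ_READ : B214D23C
15:34:23:953 3528 IRP_MJ_WRITE : B214D23C
15:34:23:953 3528 IRP_MJ_QUERY_EA : 804F4476
15:34:23:953 3528 IRP_MJ_DEVICE_CONTROL : B214D180
15:34:23:968 3528 C:\\WINDOWS\\system32\\DRIVERS\\USBSTOR.SYS - Verdict: 1
15:34:23:984 3528 Driver Name: iastor
15:34:23:984 3528 IRP_MJ_CREATE : 8886AAC8
15:34:23:984 3528 IRP_MJ_CREATE_NAMED_PIPE : 8886AAC8
15:34:23:984 3528 IRP_MJ_READ : 8886AAC8
15:34:23:984 3528 IRP_MJ_WRITE : 8886AAC8
15:34:23:984 3528 IRP_MJ_QUERY_EA : 8886AAC8
15:34:23:984 3528 IRP_MJ_DEVICE_CONTROL : 8886AAC8
15:34:24:015 3528 C:\\WINDOWS\\system32\\drivers\\iaStor.sys - Verdict: 1
"""

# Every TDSSKiller line starts with "hh:mm:ss:mmm <pid> "; the rest is the body.
PREFIX_RE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s+(.*)$")
DRIVER_RE = re.compile(r"^Driver Name:\s*(\S+)$")
IRP_RE = re.compile(r"^(IRP_MJ_[A-Z_]+)\s*:\s*([0-9A-Fa-f]{8})$")
VERDICT_RE = re.compile(r"^(.+?) - Verdict: (\d+)$")


def parse_dispatch_tables(log_text):
    """Return one dict per 'Driver Name:' block, in log order:
    {'name': str, 'path': str or None, 'table': {IRP_MJ_xxx: int address}}."""
    blocks = []
    for raw in log_text.splitlines():
        m = PREFIX_RE.match(raw.strip())
        if not m:
            continue
        body = m.group(1).strip()
        d = DRIVER_RE.match(body)
        if d:
            blocks.append({"name": d.group(1), "path": None, "table": {}})
            continue
        if not blocks:
            continue
        i = IRP_RE.match(body)
        if i:
            blocks[-1]["table"][i.group(1)] = int(i.group(2), 16)
            continue
        v = VERDICT_RE.match(body)
        if v and blocks[-1]["path"] is None:
            blocks[-1]["path"] = v.group(1)
    return blocks


def shared_stub_address(blocks):
    """The handler address used by the most distinct drivers (at least two).
    Unimplemented IRP_MJ slots all hold the kernel's generic handler, so on
    the thread's machine this comes out as 0x804F4476.
    Returns None when no address is shared between two drivers."""
    drivers_using = defaultdict(set)
    for b in blocks:
        for addr in b["table"].values():
            drivers_using[addr].add(b["name"])
    shared = {a: len(n) for a, n in drivers_using.items() if len(n) >= 2}
    if not shared:
        return None
    return max(shared, key=shared.get)


def flag_uniform_tables(blocks, min_entries=4):
    """Flag drivers whose entire dispatch table is one private address.
    A real port driver has several distinct routines plus the shared stub in
    the slots it does not implement; a table collapsed to a single address
    that no other driver uses means every IRP to that device is funnelled
    through one hook, which is the thread's 'iastor' pattern.
    Returns a list of (driver name, address, path)."""
    stub = shared_stub_address(blocks)
    findings = []
    for b in blocks:
        addrs = set(b["table"].values())
        if len(b["table"]) >= min_entries and len(addrs) == 1:
            (addr,) = addrs
            if addr != stub:
                findings.append((b["name"], addr, b["path"]))
    return findings


if __name__ == "__main__":
    parsed = parse_dispatch_tables(SAMPLE_LOG)
    for name, addr, path in flag_uniform_tables(parsed):
        print(f"suspicious dispatch table: {name} -> all entries {addr:08X} ({path})")
```

On the full log the same check would be run with min_entries set to the number of IRP_MJ rows TDSSKiller prints per driver, so a partially parsed block is never judged.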

Re: tidserv request 2

Unread postby Tim Brug » April 6th, 2010, 3:54 pm

First of all, thank you for your continuing efforts to help. Much appreciated.

A few unusual things have occurred: when I booted up after this morning's scans, 4 jpg files were placed on my desktop along with a notepad file called "desktop ini". The jpgs appear to be artwork for album covers, but when I go to delete them I get a warning message that they are application files and if I delete them certain programs would not run properly. Also, after this last scan I still received a warning message from Norton that it blocked an attack upon my pc.

Re: tidserv request 2

Unread postby melboy » April 6th, 2010, 5:04 pm

Hi

Thank me when we get it. It is proving to be a bit persistent. ;)

Firstly delete the copy of combofix.exe you have on your desktop and download a fresh copy from >> here <<, again saving it to your desktop.

Then carry out the instructions below.


SystemLook

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :dir
    %userprofile%\Desktop

    :contents
    %userprofile%\Desktop\desktop.ini

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt.



COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.


  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    FCopy::
    C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\iaStor.sys | C:\WINDOWS\system32\drivers\iaStor.sys

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    [screenshot: dragging CFScript.txt onto ComboFix.exe]
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • If you need help to disable your protection programs see here.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



In your next reply:
  1. SystemLook.txt
  2. combofix.txt

Re: tidserv request 2

Unread postby Tim Brug » April 6th, 2010, 10:51 pm

Combo finished the scan with no reboot; here are the logs.


SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 22:20 on 06/04/2010 by Tim Brugnoli (Administrator - Elevation successful)

========== dir ==========

C:\Documents and Settings\Tim Brugnoli\Desktop - Parameters: "(none)"

---Files---
AlbumArtSmall.jpg ---hs- 2495 bytes [16:37 25/12/2008] [16:35 25/12/2008]
AlbumArt_{B9604EAC-283F-4339-8735-2DD5E009F6D7}_Large.jpg ---hs- 11012 bytes [16:37 25/12/2008] [16:37 25/12/2008]
AlbumArt_{B9604EAC-283F-4339-8735-2DD5E009F6D7}_Small.jpg ---hs- 2495 bytes [16:37 25/12/2008] [16:35 25/12/2008]
Attach.txt --a--- 21560 bytes [17:42 03/04/2010] [21:58 03/04/2010]
CCleaner.lnk --a--- 1548 bytes [23:20 15/12/2008] [15:53 26/11/2009]
com.txt --a--- 22350 bytes [11:00 06/04/2010] [11:00 06/04/2010]
ComboFix.exe --a--- 3908251 bytes [02:11 07/04/2010] [02:11 07/04/2010]
Copy of TDSSKiller.exe --a--- 178000 bytes [10:44 05/04/2010] [14:43 22/03/2010]
dds.scr --a--- 525824 bytes [17:38 03/04/2010] [17:38 03/04/2010]
DDS.txt --a--- 14507 bytes [17:42 03/04/2010] [21:58 03/04/2010]
Defogger.exe --a--- 50477 bytes [17:02 03/04/2010] [17:02 03/04/2010]
defogger_disable.log --a--- 486 bytes [19:02 03/04/2010] [13:32 04/04/2010]
desktop.ini ---hs- 374 bytes [16:37 25/12/2008] [16:37 25/12/2008]
esetsmartinstaller_enu.exe --a--- 2672312 bytes [19:38 05/04/2010] [19:42 05/04/2010]
est.txt --a--- 2200 bytes [02:27 06/04/2010] [02:27 06/04/2010]
eula.txt --a--- 2258 bytes [00:04 01/04/2010] [19:18 01/12/2009]
Extras.Txt --a--- 40016 bytes [11:08 06/04/2010] [12:15 06/04/2010]
Folder.jpg ---hs- 11012 bytes [16:37 25/12/2008] [16:37 25/12/2008]
gmer.log --a--- 6696 bytes [15:50 04/04/2010] [15:50 04/04/2010]
Hamilton Hurricanes U8 team as of 7-17-06.doc --a--- 34376 bytes [12:47 19/07/2006] [19:18 23/02/2008]
HiJackThis.lnk --a--- 2455 bytes [00:25 01/04/2010] [01:20 01/04/2010]
hlp.txt --a--- 655 bytes [10:41 06/04/2010] [10:41 06/04/2010]
Linksys Adapter.txt --a--- 62 bytes [01:19 21/11/2009] [01:19 21/11/2009]
lmyzwn8q.exe --a--- 293376 bytes [17:03 03/04/2010] [17:03 03/04/2010]
log.txt --a--- 22262 bytes [18:20 04/04/2010] [18:20 04/04/2010]
mbam-log-2010-04-05 (20-56-48).txt --a--- 892 bytes [00:57 06/04/2010] [00:57 06/04/2010]
Merry Christmas.mp3 --a--- 4613990 bytes [19:54 24/12/2007] [03:43 15/01/2008]
Nero Media Player.lnk --a--- 1126 bytes [21:39 25/02/2006] [23:09 21/02/2006]
Norton Installation Files.lnk --a--- 761 bytes [01:39 16/10/2009] [02:23 17/10/2009]
OTL.exe --a--- 561664 bytes [10:32 06/04/2010] [10:32 06/04/2010]
OTL.Txt --a--- 71924 bytes [11:08 06/04/2010] [12:14 06/04/2010]
Shortcut to Date and Time.lnk --a--- 236 bytes [22:16 20/07/2006] [22:16 20/07/2006]
Shortcut to Local Area Connection.lnk --a--- 402 bytes [23:24 21/11/2009] [23:24 21/11/2009]
Shortcut to NeroStartSmart.lnk --a--- 759 bytes [23:48 21/02/2006] [23:48 21/02/2006]
SystemLook.exe --a--- 100908 bytes [10:33 05/04/2010] [10:33 05/04/2010]
SystemLook.txt --a--- 0 bytes [10:33 05/04/2010] [02:20 07/04/2010]
TDSSKiller.exe --a--- 178000 bytes [10:43 05/04/2010] [14:43 22/03/2010]
tdsskiller.txt --a--- 21078 bytes [10:44 05/04/2010] [10:44 05/04/2010]
tdsskiller_2.txt --a--- 21078 bytes [19:34 06/04/2010] [19:34 06/04/2010]
TFC.exe --a--- 444416 bytes [19:37 05/04/2010] [19:37 05/04/2010]
uninstall_list.txt --a--- 13484 bytes [01:20 01/04/2010] [01:20 01/04/2010]
Windows Explorer.lnk --a--- 1475 bytes [03:05 21/02/2006] [23:50 05/04/2010]
Windows Media Player.lnk --a--- 788 bytes [14:12 25/12/2008] [14:12 25/12/2008]

---Folders---
Anti Spy d----- [16:35 06/09/2008]
IRIVER d----- [22:35 14/11/2009]
Music Tools d----- [00:06 22/02/2006]
New Folder d----- [03:04 04/04/2010]
PICTURE APPLICATIONS d----- [22:34 14/11/2009]

========== contents ==========

%userprofile%\Desktop\desktop.ini - Opened succesfully.

[.ShellClassInfo]
FolderType=MusicAlbum
MusicBuyUrl=http://redir.metaservices.microsoft.com/redir/buynow/?providerName=AMG&albumID=B9604EAC-283F-4339-8735-2DD5E009F6D7&a_id=R%20%20%20426873&album=Santa's%20Greatest%20Hits%20[Hip-O]&artistID=80064449-C40C-486A-8D0E-D3ACB5DA99B9&p_id=%20&artist=Various%20Artists&locale=409&geoid=f4&version=11.0.5721.5230&userlocale=409


-=End Of File=-



ComboFix 10-04-05.06 - Tim Brugnoli 04/06/2010 22:29:42.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1467 [GMT -4:00]
Running from: c:\documents and settings\Tim Brugnoli\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Tim Brugnoli\Desktop\CFScript.txt
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\program files\Intel\Intel Matrix Storage Manager\Driver\iaStor.sys --> c:\windows\system32\drivers\iaStor.sys
.
((((((((((((((((((((((((( Files Created from 2010-03-07 to 2010-04-07 )))))))))))))))))))))))))))))))
.

2010-04-06 10:14 . 2010-02-04 21:13 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100405.038\NAVENG.SYS
2010-04-06 10:14 . 2010-02-04 21:13 1324720 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100405.038\NAVEX15.SYS
2010-04-06 10:14 . 2009-11-07 02:30 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100405.038\NAVENG32.DLL
2010-04-06 10:14 . 2009-11-07 02:30 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100405.038\NAVEX32A.DLL
2010-04-06 10:14 . 2009-12-09 23:57 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100405.038\CCERASER.DLL
2010-04-06 10:14 . 2009-11-07 02:30 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100405.038\EECTRL.SYS
2010-04-06 10:14 . 2009-11-07 02:30 259440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100405.038\ECMSVR32.DLL
2010-04-06 10:14 . 2009-11-07 02:30 102448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100405.038\ERASER.SYS
2010-04-05 22:08 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100402.001\IDSvix86.sys
2010-04-05 22:08 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100402.001\Scxpx86.dll
2010-04-05 22:08 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100402.001\IDSxpx86.dll
2010-04-05 22:07 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100402.001\IDSXpx86.sys
2010-04-05 22:07 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100402.001\IDSviA64.sys
2010-04-05 21:57 . 2010-04-05 21:57 -------- d-----w- c:\program files\ESET
2010-04-01 05:35 . 2010-04-03 21:26 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-01 00:25 . 2010-04-01 00:25 388096 ----a-r- c:\documents and settings\Tim Brugnoli\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-04-01 00:25 . 2010-04-01 00:25 -------- d-----w- c:\program files\TrendMicro
2010-03-31 21:13 . 2010-03-31 21:13 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-31 01:03 . 2004-08-04 02:59 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-03-31 01:03 . 2004-08-04 02:59 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-03-31 01:03 . 2004-08-04 03:00 8192 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-03-31 01:03 . 2004-08-04 03:00 8192 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-03-31 01:03 . 2004-08-04 03:00 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-03-31 01:03 . 2004-08-04 03:00 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-03-27 15:11 . 2010-03-27 15:11 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2010-03-26 09:34 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100326.001\IDSvix86.sys
2010-03-26 09:34 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100326.001\IDSXpx86.sys
2010-03-26 09:34 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100326.001\Scxpx86.dll
2010-03-26 09:34 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100326.001\IDSxpx86.dll
2010-03-26 09:34 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100326.001\IDSviA64.sys
2010-03-24 20:38 . 2010-03-24 20:38 536112 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100324.001\BHDrvx86.sys
2010-03-24 20:38 . 2010-03-24 20:38 201616 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100324.001\BHRules.dll
2010-03-24 20:38 . 2010-03-24 20:38 1407888 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100324.001\BHEngine.dll
2010-03-24 20:38 . 2010-03-24 20:38 678960 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100324.001\BHDrvx64.sys
2010-03-24 20:38 . 2010-03-24 20:38 611216 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100324.001\bbRGen.dll
2010-03-23 22:37 . 2010-03-23 22:37 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-03-23 22:37 . 2010-03-23 22:37 1924976 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2010-03-23 22:36 . 2010-03-24 22:12 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-06 11:07 . 2004-08-12 13:24 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2010-04-04 16:35 . 2006-02-21 01:29 -------- d-----w- c:\program files\Agent
2010-04-04 03:33 . 2009-01-02 23:11 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-04-04 03:06 . 2006-02-21 22:31 -------- d-----w- c:\program files\EasyAgent
2010-03-31 21:13 . 2010-03-02 02:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-30 04:46 . 2010-03-02 02:26 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45 . 2010-03-02 02:26 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-02 02:26 . 2010-03-02 02:26 -------- d-----w- c:\documents and settings\Tim Brugnoli\Application Data\Malwarebytes
2010-03-02 02:26 . 2010-03-02 02:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-25 06:24 . 2004-08-12 13:33 916480 ------w- c:\windows\system32\wininet.dll
2007-08-25 03:52 . 2008-02-11 05:37 300400 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-04-04_18.07.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-07 02:19 . 2010-04-07 02:19 16384 c:\windows\Temp\Perflib_Perfdata_6e0.dat
+ 2004-08-12 13:24 . 2010-04-06 11:07 162816 c:\windows\system32\dllcache\netbt.sys
- 2004-08-12 13:24 . 2010-04-01 03:07 162816 c:\windows\system32\dllcache\netbt.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Photo AIO Printer 942"="c:\program files\Dell Photo AIO Printer 942\dlbubmgr.exe" [2004-08-31 294912]
"DellMCM"="c:\program files\Dell Photo AIO Printer 942\memcard.exe" [2004-07-27 262144]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-11-11 4612096]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"P17Helper"="P17.dll" [2004-06-10 60928]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-12 642856]
"Linksys Wireless Manager"="c:\program files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe" [2009-02-16 1358384]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"NBJ"="c:\program files\Ahead\Nero BackItUp\nbj.exe"
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"InCD"=c:\program files\Ahead\InCD\InCD.exe
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
"iRiver Updater"=\Updater.exe
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"SunJavaUpdateSched"=c:\program files\Java\jre1.5.0_06\bin\jusched.exe
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"UIUCU"=c:\docume~1\TIMBRU~1\LOCALS~1\Temp\UIUCU.EXE -CLEAN_UP -S
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
"AppleSyncNotifier"=c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
"MimBoot"=c:\progra~1\MUSICM~1\MUSICM~1\mimboot.exe
"BlackBerryAutoUpdate"=c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
"<NO NAME>"=

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1105000.07F\symds.sys [1/11/2010 5:07 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1105000.07F\symefa.sys [1/11/2010 5:07 PM 172592]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100324.001\BHDrvx86.sys [3/24/2010 4:38 PM 536112]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1105000.07F\cchpx86.sys [1/11/2010 5:07 PM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1105000.07F\ironx86.sys [1/11/2010 5:07 PM 116272]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.5.0.127\ccsvchst.exe [1/11/2010 5:07 PM 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [10/17/2009 10:38 AM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100326.001\IDSXpx86.sys [3/26/2010 5:34 AM 329592]
S3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;c:\windows\system32\drivers\WUSB54GCv3.sys [11/20/2009 8:57 PM 627072]
.
Contents of the 'Scheduled Tasks' folder

2009-12-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 16:34]

2010-03-30 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Tim Brugnoli.job
- c:\program files\Norton Internet Security\Engine\17.5.0.127\navw32.exe [2010-01-11 06:08]

2010-01-18 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]

2009-05-05 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-05 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.optimum.net/News/Weather?sta ... nton,%20NJ
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Tim Brugnoli\Application Data\Mozilla\Firefox\Profiles\ik58xs29.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.optimum.net/News/Weather?sta ... nton,%20NJ
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPUploader.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-06 22:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x88797AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba8ecfc3
\Driver\ACPI -> ACPI.sys @ 0xba77fcb8
\Driver\atapi -> atapi.sys @ 0xba7117b4
\Driver\iaStor -> iaStor.sys @ 0xba648b10
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x8058241c
ParseProcedure -> ntkrnlpa.exe @ 0x8058155c
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x8058241c
ParseProcedure -> ntkrnlpa.exe @ 0x8058155c
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.5.0.127\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.5.0.127\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(724)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(792)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2092)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-04-06 22:41:33
ComboFix-quarantined-files.txt 2010-04-07 02:41
ComboFix2.txt 2010-04-06 10:59
ComboFix3.txt 2010-04-06 10:10
ComboFix4.txt 2010-04-04 18:11

Pre-Run: 180,606,386,176 bytes free
Post-Run: 180,569,767,936 bytes free

- - End Of File - - B8BC2408C9A13CF4CF7EFF45FF46D99B
Tim Brug
Regular Member
 
Posts: 33
Joined: March 31st, 2010, 9:06 pm

Re: tidserv request 2

Post by melboy » April 7th, 2010, 8:04 am

Hi

The .jpeg files are related to Windows Media Player and are not malicious; neither is the desktop.ini. They are normally hidden, so we'll re-hide them in due course.

How are things running? Are you still getting the warnings from Norton?
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: tidserv request 2

Post by Tim Brug » April 7th, 2010, 5:16 pm

Got hit with several warnings in a matter of minutes:

tidserv request
tidserv request 2
uhtxkr.exe was removed by Norton SONAR
suspicious file download acrobat was blocked.

I would love to copy and paste norton's history but it won't let me.
Tim Brug
Regular Member
 
Posts: 33
Joined: March 31st, 2010, 9:06 pm

Re: tidserv request 2

Post by melboy » April 7th, 2010, 7:41 pm

Hi

This is being stubborn; we'll try another tool.


Norman TDSS Cleaner

Please download >> Norman TDSS Cleaner << and save to your Desktop.

  • Double-click on Norman_TDSS_Cleaner.exe to run the tool.
  • Read the agreement and click Accept.
  • When the program window opens, click Start scan.
  • After the scan has finished, a log file named NFix_date_time (i.e. NFix_2010-04-08_00-32-32.log) will be created on your desktop with the results.
  • Copy and paste the contents of that file in your next reply.

Note: In some cases you may be prompted to restart the computer to completely remove an infection.
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: tidserv request 2

Post by Tim Brug » April 7th, 2010, 8:03 pm

Here is the log. I have my fingers crossed. When I rebooted I got a BSOD; it said something about the iastor file.


Set registry value: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLS = -> ""
Removed registry value: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools = 0x00000000
Removed registry value: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDrives = 0x00000000
Removed registry value: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDrives = 0x00000000

Running anti-TDSS module:

TDSS/TDL3 Rootkit Detected!
Infected driver successfully cured
Reboot required to complete rootkit disinfection


Running post-scan cleanup routine:

Number of files found: 0
Number of archives unpacked: 0
Number of files scanned: 0
Number of files not scanned: 0
Number of files skipped due to exclude list: 0
Number of infected files found: 0
Number of infected files repaired/deleted: 0
Number of infections removed: 0
Total scanning time: 8m 6s
Tim Brug
Regular Member
 
Posts: 33
Joined: March 31st, 2010, 9:06 pm

Re: tidserv request 2

Post by Tim Brug » April 7th, 2010, 8:10 pm

Darn, can it be that the virus or malware is preventing TDSS Killer from rebooting correctly and preventing the removal? I scanned twice and both times got a BSOD.
Tim Brug
Regular Member
 
Posts: 33
Joined: March 31st, 2010, 9:06 pm

Re: tidserv request 2

Post by melboy » April 8th, 2010, 8:15 am

Hi

It could be any one of a few reasons. It could possibly be Norton that is interfering; at this point, I'm not sure. The file is a critical file; it can't just be deleted or your PC won't boot. It has to be cleaned or replaced, and it looks like you only had one possible replacement on board, and that was infected too.

Can you give me a status update: are you able to boot the machine? If so, are you still getting the warnings?
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK
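Both the CFScript step earlier in the thread (FCopy of the Intel Matrix Storage Manager copy of iaStor.sys over the one in system32\drivers) and melboy's point just above (the only on-board replacement turned out to be infected as well) come down to one check: does a candidate copy actually differ from the installed driver, and does it match a trusted reference? The Python below is an added example written for this page; it is not code from the thread, from ComboFix, or from any other tool mentioned here. The file contents, the directory layout and the "known good" hash are constructed for the demo, since no reference hash for iaStor.sys appears on the page.

```python
"""Added example: decide whether a candidate copy of a driver can serve as a
clean replacement for the installed copy.

Scenario (constructed): the installed driver and the vendor's on-board copy
have identical bytes, so copying one over the other changes nothing; a third
copy taken from offline media matches a trusted hash and is the only usable
replacement.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Set


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so multi-megabyte drivers are fine."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def assess_replacements(target: Path, candidates: List[Path], known_good: Set[str]) -> Dict:
    """Classify each candidate relative to the installed driver.

    Verdicts:
      'identical'  - same bytes as the installed copy; if that copy is
                     infected, so is this one, so it is useless as a replacement
      'known_good' - hash matches a trusted reference hash
      'different'  - differs from the installed copy but is unverified
    """
    target_hash = sha256_of(target)
    report: Dict = {
        "target": str(target),
        "target_hash": target_hash,
        "target_known_good": target_hash in known_good,
        "candidates": {},
    }
    for cand in candidates:
        h = sha256_of(cand)
        if h == target_hash:
            verdict = "identical"
        elif h in known_good:
            verdict = "known_good"
        else:
            verdict = "different"
        report["candidates"][str(cand)] = {"hash": h, "verdict": verdict}
    return report


def usable_replacement(report: Dict) -> Optional[str]:
    """Path of the first candidate whose hash is trusted, else None."""
    for path, info in report["candidates"].items():
        if info["verdict"] == "known_good":
            return path
    return None


def demo() -> Dict:
    """Build the constructed scenario in a temporary directory and assess it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed stand-ins for driver images; not real iaStor.sys bytes.
        clean = b"MZ" + b"\x00" * 64 + b"CONSTRUCTED-CLEAN-DRIVER-IMAGE"
        infected = b"MZ" + b"\x00" * 64 + b"CONSTRUCTED-INFECTED-DRIVER-IMAGE"
        installed = root / "system32" / "drivers" / "iaStor.sys"
        vendor_copy = root / "Intel" / "Driver" / "iaStor.sys"
        offline_copy = root / "rescue_media" / "iaStor.sys"
        for p, data in ((installed, infected), (vendor_copy, infected), (offline_copy, clean)):
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        # A trusted hash would normally come from vendor media or a signed catalog;
        # here it is simply the hash of the constructed clean image (assumption).
        known_good = {hashlib.sha256(clean).hexdigest()}
        report = assess_replacements(installed, [vendor_copy, offline_copy], known_good)
        report["replacement"] = usable_replacement(report)
        return report


if __name__ == "__main__":
    r = demo()
    for path, info in r["candidates"].items():
        print(f"{info['verdict']:<11} {path}")
    print("usable replacement:", r["replacement"])
```

One caveat that matters for exactly this kind of infection: a kernel-mode rootkit that hooks the disk stack (the TDSS/TDL3 family does this) can hand back clean-looking bytes when the infected driver file is read from the running system, so on a live machine the hashes above are only as trustworthy as the disk stack itself. Run the comparison from a boot CD or by mounting the drive under another operating system, and take the reference hash from vendor media rather than from the suspect machine.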

Re: tidserv request 2

Post by Tim Brug » April 8th, 2010, 9:41 am

I can still boot up after the BSOD incident. Still getting alerts, and after second and third scans with Norman it still picks up the infection, but constant BSOD after shutdown.
Tim Brug
Regular Member
 
Posts: 33
Joined: March 31st, 2010, 9:06 pm