malware/rootkit


Post by gomfedj » April 11th, 2010, 2:53 am

Normally I can remove these types of problems myself, but whatever I have now has gone beyond my ability.

I have tried TDSSKiller and it says ATAPI has a rootkit and will be fixed on next reboot. Well, on next reboot it STILL finds a rootkit in it (so it is being reinstalled during reboot some time, I assume).
I have run my endpoint protection virus scan, as well as an ESET online virus scan and Malwarebytes Anti-Malware.

And when I attempt to access the world wide web via Firefox I tend to get an "HTTP Tidserv Request" detected message on my endpoint protection firewall.

Here is the HijackThis log for the system in question.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:40:05 AM, on 4/11/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\VIA\RAID\vialogsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NetLimiter 2 Pro\NLClient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\WINDOWS\system32\oodtray.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SymCorpUI.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [\\anbf3\EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P38 "\\anbf3\EPSON Stylus Photo R200 Series" /O6 "USB002" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [VIARaidUtl] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &GET... - C:\nat32\htm\script3.htm
O8 - Extra context menu item: &RAW... - C:\nat32\htm\script2.htm
O8 - Extra context menu item: &Similar pages... - C:\nat32\htm\script.htm
O8 - Extra context menu item: &URLs... - C:\nat32\htm\script1.htm
O8 - Extra context menu item: Edit... - C:\nat32\htm\script5.htm
O8 - Extra context menu item: Google... - C:\nat32\htm\script4.htm
O8 - Extra context menu item: Scripts... - C:\nat32\htm\script6.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 1037516921
O16 - DPF: {7CF3E7C4-6112-4D72-A0CD-D0AD7EEB5467} (VpnWebControl Class) - http://www.packetix.net/en/special/file ... vpnweb.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ANBF.LOCAL
O17 - HKLM\Software\..\Telephony: DomainName = ANBF.LOCAL
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ANBF.LOCAL
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ANBF.LOCAL
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: Symantec Auto-upgrade Agent (Smcinst) - Unknown owner - C:\Program Files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe (file missing)
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: PacketiX VPN Client (vpnclient) - SoftEther Corporation - C:\Program Files\PacketiX VPN Client English\vpnclient.exe
O23 - Service: VRAID Log Service - Unknown owner - C:\Program Files\VIA\RAID\vialogsv.exe

--
End of file - 7669 bytes


Thank you for any assistance you can give.
gomfedj

Re: malware/rootkit

Post by gringo_pr » April 11th, 2010, 3:41 am

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

    1. Please do not run any other tool until instructed to do so!
    2. Please reply to this thread, do not start another!
    3. Please tell me about any problems that have occurred during the fix.
    4. Please tell me of any other symptoms you may be having as these can help also.
    5. Please try as much as possible not to run anything while executing a fix.

If you follow these instructions, everything should go smoothly.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

I would like to get a better look at your system, please do the following so I can get some more detailed logs.


DeFogger:

    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger may ask you to reboot the machine; if it does, click OK
    Do not re-enable these drivers until otherwise instructed.
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Download DDS:

    Please download DDS by sUBs from one of the links below and save it to your desktop:

    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after, two logs will appear:
      • DDS.txt
      • Attach.txt
    • A window will open instructing you to save & post the logs
    • Save the logs to a convenient place such as your desktop
    • Copy the contents of both logs & post in your next reply

GMER:

    Download GMER Rootkit Scanner from here or here.
    • Extract the contents of the zipped file to desktop.
    • Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO, then use the following settings for a more complete scan.
    • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • Sections <---leave this ticked please
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
    Save it where you can easily find it, such as your desktop

    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

information and logs:

    In your next post I need the following

      1. logs from DDS
      2. log from GMER
      3. let me know of any problems you may have had

Gringo

Re: malware/rootkit

Post by gomfedj » April 11th, 2010, 7:41 pm

I am having trouble getting GMER to complete its scan; it has rebooted my system 4 times now and locked it up once. My computer has a "history" of rebooting, but normally it is RARE (once every few weeks) and I had just figured it was the power supply; this may or may not be the same issue.

I also notice upon rebooting I am getting an error box that says "getdrivelayout: createfile Fail". I figure that whatever this malware/rootkit has done to the ATAPI has jacked up my VIA RAID software.
The final issue I notice now is when opening Firefox I no longer see my Symantec Endpoint Protection saying it is blocking anything, but I do get an additional tab opened in Firefox going to a random site suggesting I get "Windows XP Antivirus".

Here are the logs from DDS. I will keep attempting to get a complete log from GMER until otherwise notified by you.
Thank you.

EDIT!! BTW, I noticed DDS picked up on a lot of info/issues dealing with my DC ANBF3. Those shouldn't relate to my issue at all, but the reason those errors exist is my DC took a dump this past week: it had a 512 memory chip go bad and I am afraid it corrupted some of the Active Directory files, so I am slowly rebuilding it from a Ghost image.


DDS (Ver_10-03-17.01) - NTFSx86
Run by ninja at 4:18:26.33 on Sun 04/11/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1337 [GMT -5:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\VIA\RAID\vialogsv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\NetLimiter 2 Pro\NLClient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\WINDOWS\system32\oodtray.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\ninja.ANBF\Desktop\dds.scr

============== Pseudo HJT Report ===============

uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe"
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [\\anbf3\EPSON Stylus Photo R200 Series] c:\windows\system32\spool\drivers\w32x86\3\e_s4i2h1.exe /p38 "\\anbf3\EPSON Stylus Photo R200 Series" /O6 "USB002" /M "Stylus Photo R200"
mRun: [OODefragTray] c:\windows\system32\oodtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [WrtMon.exe] c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [VIARaidUtl] c:\program files\via\raid\raid_tool.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
IE: &GET... - c:\nat32\htm\script3.htm
IE: &RAW... - c:\nat32\htm\script2.htm
IE: &Similar pages... - c:\nat32\htm\script.htm
IE: &URLs... - c:\nat32\htm\script1.htm
IE: Edit... - c:\nat32\htm\script5.htm
IE: Google... - c:\nat32\htm\script4.htm
IE: Scripts... - c:\nat32\htm\script6.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~2\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~2\INetRepl.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/ ... vc1dmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windows ... 1037516921
DPF: {7CF3E7C4-6112-4D72-A0CD-D0AD7EEB5467} - hxxp://www.packetix.net/en/special/file ... vpnweb.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/s ... wflash.cab
mASetup: {621FCD24-4498-4324-A81E-07D331376EDF} - c:\program files\pixiepack codec pack\InstallerHelper.exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ninja~1.anb\applic~1\mozilla\firefox\profiles\5a0zyz9q.default\
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - plugin: c:\documents and settings\ninja.anbf\local settings\application data\huludesktop\instances\0.9.2.1\npHDPlg.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Pnp680;SiI 680 ATA Controller;c:\windows\system32\drivers\PnP680.sys [2007-11-14 71720]
R1 nltdi;nltdi;c:\windows\system32\drivers\nltdi.sys [2007-4-23 82200]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-10-30 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-10-30 108392]
R2 NetProbe;NetProbe Packet Driver;c:\windows\system32\drivers\NetProbe.sys [2009-3-24 5365]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-10-30 2477304]
R2 VRAID Log Service;VRAID Log Service;c:\program files\via\raid\vialogsv.exe [2009-1-6 52888]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-29 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100410.004\NAVENG.SYS [2010-4-10 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100410.004\NAVEX15.SYS [2010-4-10 1324720]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2010-2-3 115432]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\coh_mon.sys [2009-1-6 23888]
S3 Neo_VPN;VPN Client Device Driver - VPN;c:\windows\system32\drivers\neo_0103.sys [2009-1-4 22000]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 PSSDK42;PSSDK42;c:\windows\system32\drivers\pssdk42.sys [2010-3-24 38976]
S3 Smcinst;Symantec Auto-upgrade Agent;c:\program files\symantec\symantec endpoint protection\smclu\setup\smcinst.exe --> c:\program files\symantec\symantec endpoint protection\smclu\setup\smcinst.exe [?]
S3 vpnclient;PacketiX VPN Client;c:\program files\packetix vpn client english\vpnclient.exe [2008-5-15 2478080]
S4 TwonkyMedia;TwonkyMedia;c:\program files\twonkymedia\twonkymediaserverwatchdog.exe -serviceversion 0 --> c:\program files\twonkymedia\twonkymediaserverwatchdog.exe -serviceversion 0 [?]
S4 vsdatant;vsdatant;a --> a [?]

=============== Created Last 30 ================

2010-04-11 09:17:10 0 ----a-w- c:\documents and settings\ninja.anbf\defogger_reenable
2010-04-11 06:39:20 96512 ----a-w- c:\windows\system32\drivers\tsk7.tmp
2010-04-11 06:39:20 36488 ----a-w- c:\windows\system32\drivers\klmdb.sys
2010-04-11 06:12:19 0 d-----w- c:\program files\Trend Micro
2010-04-11 04:40:37 0 d-----w- c:\program files\Debugging Tools for Windows (x86)
2010-04-06 07:24:17 0 d-----w- c:\program files\ESET
2010-04-06 06:51:46 146432 -c--a-w- c:\windows\system32\dllcache\regedit.exe
2010-04-06 06:51:46 146432 ----a-w- c:\windows\regedit.exe
2010-04-06 06:43:45 98816 ----a-w- c:\windows\sed.exe
2010-04-06 06:43:45 77312 ----a-w- c:\windows\MBR.exe
2010-04-06 06:43:45 261632 ----a-w- c:\windows\PEV.exe
2010-04-06 06:43:45 161792 ----a-w- c:\windows\SWREG.exe
2010-04-06 05:02:31 452 --sha-r- c:\documents and settings\ninja.anbf\ntuser.pol
2010-04-06 03:53:18 0 d--h--w- c:\windows\system32\GroupPolicy
2010-04-06 03:47:55 0 d-----w- c:\docume~1\ninja~1.anb\applic~1\Malwarebytes
2010-04-06 03:39:36 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-06 03:39:31 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-06 03:35:44 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-06 03:35:44 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-06 03:17:02 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-04-06 03:17:02 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-04-06 03:16:53 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-04-06 03:16:53 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-04-06 03:16:49 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-04-06 03:16:49 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-04-06 02:51:03 0 d-----w- c:\docume~1\ninja~1.anb\applic~1\GameMill Entertainment
2010-03-25 07:55:20 209408 ----a-w- c:\windows\system32\Tabctl32.ocx
2010-03-25 07:55:20 203576 ----a-w- c:\windows\system32\RichTx32.ocx
2010-03-25 07:55:19 958224 ----a-w- c:\windows\system32\MsChart.ocx
2010-03-25 07:55:19 227600 ----a-w- c:\windows\system32\MsFlxGrd.ocx
2010-03-25 07:55:19 140288 ----a-w- c:\windows\system32\ComDlg32.ocx
2010-03-25 07:55:19 115016 ----a-w- c:\windows\system32\MsInet.ocx
2010-03-25 07:55:19 108336 ----a-w- c:\windows\system32\MsWinsck.ocx
2010-03-25 06:13:56 0 d-----w- c:\docume~1\alluse~1\applic~1\SolarWinds
2010-03-25 06:10:02 0 d-----w- c:\program files\SolarWinds
2010-03-24 09:30:18 0 d-----w- c:\program files\CommTraffic
2010-03-24 08:34:46 38976 ----a-w- c:\windows\system32\drivers\pssdk42.sys
2010-03-24 08:34:33 0 d-----w- c:\docume~1\alluse~1\applic~1\Paessler
2010-03-24 08:32:44 0 d-----w- c:\program files\PRTG Network Monitor
2010-03-24 07:29:16 0 d-----w- c:\program files\Network Probe 3

==================== Find3M ====================

2010-04-11 06:29:11 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-07 02:56:19 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2010-02-17 19:52:33 162048 ----a-w- c:\windows\system32\drivers\wpshelper.sys

============= FINISH: 4:20:21.79 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 1/2/2009 1:49:51 AM
System Uptime: 4/11/2010 1:28:27 AM (3 hours ago)

Motherboard: MSI | | MS-7008
Processor: Intel(R) Pentium(R) 4 CPU 3.20GHz | Socket-1 | 3214/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 20 GiB total, 6.049 GiB free.
D: is FIXED (NTFS) - 466 GiB total, 87.903 GiB free.
E: is CDROM ()
F: is CDROM ()
G: is FIXED (NTFS) - 92 GiB total, 73.557 GiB free.
I: is Removable
M: is NetworkDisk (NTFS) - 186 GiB total, 114.433 GiB free.
S: is NetworkDisk (NTFS) - 211 GiB total, 97.012 GiB free.
T: is NetworkDisk (NTFS) - 233 GiB total, 48.154 GiB free.
U: is NetworkDisk (NTFS) - 699 GiB total, 62.259 GiB free.
V: is Removable
W: is Removable
X: is Removable
Y: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: VIA Compatable Fast Ethernet Adapter
Device ID: PCI\VEN_1106&DEV_3065&SUBSYS_C03C1462&REV_78\3&61AAA01&0&90
Manufacturer: VIA Technologies, Inc.
Name: VIA Compatable Fast Ethernet Adapter
PNP Device ID: PCI\VEN_1106&DEV_3065&SUBSYS_C03C1462&REV_78\3&61AAA01&0&90
Service: FETNDIS

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: VPN Client Adapter - VPN
Device ID: ROOT\NET\0000
Manufacturer: SoftEther Corporation
Name: VPN Client Adapter - VPN
PNP Device ID: ROOT\NET\0000
Service: Neo_VPN

Class GUID: {ADE50D0F-E431-4CB2-AC42-04FD9E1E7C17}
Description: PortIO32 - Xbox 360 Device Driver
Device ID: ROOT\UNKNOWN\0000
Manufacturer: JungleFlasher
Name: PortIO32 - Xbox 360 Device Driver
PNP Device ID: ROOT\UNKNOWN\0000
Service: portio32

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.1
Advertising Center
CloneCD
Compatibility Pack for the 2007 Office system
Convert FLV to MP3 1.0
Debugging Tools for Windows (x86)
DolbyFiles
DVD Decrypter (Remove Only)
DVD Shrink 3.2
EncVorbis 1.1
ESET Online Scanner v3
EVEREST Ultimate Edition v5.00
Fraps
Free Music Zilla
GameHouse
Giganews Accelerator
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
HuluDesktop
ImagXpress
iPrep v008.8
ISO Recorder
Java(TM) 6 Update 14
LiveUpdate 3.3 (Symantec Corporation)
Logitech Harmony Remote Software 7
Malwarebytes' Anti-Malware
Menu Templates - Starter Kit
Microsoft .NET Framework 2.0
Microsoft ActiveSync
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 SR-1 Premium
Microsoft Visual C++ 2005 Redistributable
Movie Templates - Starter Kit
Mozilla Firefox (3.6.3)
Nero 7 Ultra Edition
Nero 9
Nero BurnRights
Nero ControlCenter
Nero CoverDesigner
Nero DiscSpeed
Nero DriveSpeed
Nero InfoTool
Nero Installer
Nero PhotoSnap
Nero Recode
Nero Rescue Agent
Nero ShowTime
Nero StartSmart
Nero Vision
Nero WaveEditor
NeroBurningROM
NeroExpress
neroxml
NetLimiter 2 Pro (remove only)
NewsBin Pro
NVIDIA Drivers
O&O Defrag Professional Edition
O&O DiskRecovery
Opti Drive Control 1.44
OpticFilm 7300
PacketiX VPN Client (English)
PixiePack Codec Pack
Platform
Power Sound Editor Free
Presto! ImageFolio 4
Presto! PageManager 7.10
QuickPar 0.9
Remote Control USB Driver
Runes of Magic
Sandboxie 3.44
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Media Player (KB952069)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
SilverFast UScan-SE 6.6.0r2
SoundTrax
Spybot - Search & Destroy
Symantec Endpoint Protection
Trillian
TwonkyMedia Manager
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
VIA Platform Device Manager
VLC media player 0.9.9
VueScan
WebFldrs XP
Winamp
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Format Runtime
WinRAR archiver
ZIP Password Recovery Magic v6.1.1.2

==== Event Viewer Messages From Past Week ========

4/6/2010 2:06:03 AM, error: NETLOGON [5719] - No Domain Controller is available for domain ANBF due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
4/6/2010 2:05:55 AM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
4/6/2010 2:05:55 AM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
4/6/2010 1:54:13 AM, error: Service Control Manager [7034] - The VRAID Log Service service terminated unexpectedly. It has done this 1 time(s).
4/6/2010 1:16:35 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
4/6/2010 1:13:33 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ViaIde
4/6/2010 1:13:33 AM, error: Service Control Manager [7023] - The Network Security service terminated with the following error: The specified module could not be found.
4/6/2010 1:13:18 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
4/5/2010 9:21:55 PM, error: System Error [1003] - Error code 0000001a, parameter1 00041284, parameter2 d97ca001, parameter3 000152ff, parameter4 c0c00000.
4/5/2010 10:28:22 PM, information: Windows File Protection [64004] - The protected system file regedit.exe could not be restored to its original, valid version. The file version of the bad file is unknown The specific error code is 0x000006ba [The RPC server is unavailable. ].
4/5/2010 10:26:38 PM, error: Service Control Manager [7034] - The NetLimiter service terminated unexpectedly. It has done this 1 time(s).
4/5/2010 10:22:51 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
4/5/2010 10:21:02 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
4/5/2010 10:17:25 PM, error: Service Control Manager [7000] - The USB Scanner Driver service failed to start due to the following error: The system cannot find the file specified.
4/5/2010 10:17:24 PM, error: Service Control Manager [7000] - The USB Audio Driver (WDM) service failed to start due to the following error: The system cannot find the file specified.
4/5/2010 10:17:23 PM, error: Service Control Manager [7000] - The Tunebite High-Speed Dubbing service failed to start due to the following error: The system cannot find the file specified.
4/5/2010 10:17:22 PM, error: Service Control Manager [7000] - The Microsoft Kernel GS Wavetable Synthesizer service failed to start due to the following error: The system cannot find the file specified.
4/5/2010 10:17:21 PM, error: Service Control Manager [7000] - The SRTSPL service failed to start due to the following error: The system cannot find the file specified.
4/5/2010 10:17:20 PM, error: Service Control Manager [7000] - The Microsoft Kernel Audio Splitter service failed to start due to the following error: The system cannot find the file specified.
4/5/2010 10:17:18 PM, error: Service Control Manager [7000] - The Secdrv service failed to start due to the following error: The system cannot find the file specified.
4/5/2010 10:17:17 PM, error: Service Control Manager [7000] - The PSSDK42 service failed to start due to the following error: The system cannot find the file specified.
4/5/2010 10:17:14 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file lbrtfdc.sys. This file was restored to the original version to maintain system stability. The file version of the system file is 5.10.1.0.
4/5/2010 10:17:14 PM, error: Service Control Manager [7000] - The IPX Traffic Forwarder Driver service failed to start due to the following error: The system cannot find the file specified.
4/5/2010 10:17:11 PM, error: Service Control Manager [7001] - The IPX Traffic Filter Driver service depends on the IPX Traffic Forwarder Driver service which failed to start because of the following error: The system cannot find the file specified.
4/5/2010 10:17:08 PM, error: Service Control Manager [7000] - The Microsoft Streaming Quality Manager Proxy service failed to start due to the following error: The system cannot find the file specified.
4/5/2010 10:17:07 PM, error: Service Control Manager [7000] - The Microsoft Streaming Clock Proxy service failed to start due to the following error: The system cannot find the file specified.
4/5/2010 10:17:03 PM, error: Service Control Manager [7000] - The Microsoft Streaming Service Proxy service failed to start due to the following error: The system cannot find the file specified.
4/5/2010 10:17:02 PM, error: Service Control Manager [7000] - The IR Enumerator Service service failed to start due to the following error: The system cannot find the file specified.
4/5/2010 10:17:01 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file i2omgmt.sys. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.
4/5/2010 10:17:01 PM, error: Service Control Manager [7000] - The IP Network Address Translator service failed to start due to the following error: The system cannot find the file specified.
4/5/2010 10:17:00 PM, error: Service Control Manager [7000] - The IP in IP Tunnel Driver service failed to start due to the following error: The system cannot find the file specified.
4/5/2010 10:16:59 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file changer.sys. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.
4/5/2010 10:16:59 PM, error: Service Control Manager [7000] - The IP Traffic Filter Driver service failed to start due to the following error: The system cannot find the file specified.
4/5/2010 10:16:58 PM, error: Service Control Manager [7000] - The IPv6 Windows Firewall Driver service failed to start due to the following error: The system cannot find the file specified.
4/5/2010 10:16:54 PM, error: Service Control Manager [7000] - The i8042 Keyboard and PS/2 Mouse Port Driver service failed to start due to the following error: The system cannot find the file specified.
4/5/2010 10:16:54 PM, error: Service Control Manager [7000] - The i2omgmt service failed to start due to the following error: The system cannot find the file specified.
4/5/2010 10:16:53 PM, error: Service Control Manager [7000] - The Microsoft Kernel DRM Audio Descrambler service failed to start due to the following error: The system cannot find the file specified.
4/5/2010 10:16:52 PM, error: Service Control Manager [7000] - The Microsoft Kernel DLS Syntheiszer service failed to start due to the following error: The system cannot find the file specified.
4/5/2010 10:16:50 PM, error: Service Control Manager [7000] - The COH_Mon service failed to start due to the following error: The system cannot find the file specified.
4/5/2010 10:16:47 PM, error: Service Control Manager [7000] - The Bluetooth Network Filter service failed to start due to the following error: The system cannot find the file specified.
4/5/2010 10:16:45 PM, error: Service Control Manager [7000] - The Bluetooth USB For Bluetooth Service service failed to start due to the following error: The system cannot find the file specified.
4/5/2010 10:16:44 PM, error: Service Control Manager [7000] - The MAC Bridge service failed to start due to the following error: The system cannot find the file specified.
4/5/2010 10:16:44 PM, error: Service Control Manager [7000] - The MAC Bridge Miniport service failed to start due to the following error: The system cannot find the file specified.
4/5/2010 10:16:43 PM, error: Service Control Manager [7000] - The RAS Asynchronous Media Driver service failed to start due to the following error: The system cannot find the file specified.
4/5/2010 10:16:43 PM, error: Service Control Manager [7000] - The ATM ARP Client Protocol service failed to start due to the following error: The system cannot find the file specified.
4/5/2010 10:16:42 PM, error: Service Control Manager [7000] - The Microsoft Kernel Acoustic Echo Canceller service failed to start due to the following error: The system cannot find the file specified.
4/5/2010 10:15:59 PM, error: Service Control Manager [7023] - The 6to4 service terminated with the following error: The specified module could not be found.
4/5/2010 10:15:26 PM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\windows\system32\drwtsn32.exe. This file was restored to the original version to maintain system stability. The file version of the bad file is 5.1.2600.0, the version of the system file is 5.1.2600.0.
4/11/2010 12:29:50 AM, error: NetBT [4321] - The name "ANBF :1d" could not be registered on the Interface with IP address 192.168.100.10. The machine with the IP address 192.168.100.11 did not allow the name to be claimed by this machine.
4/11/2010 1:39:30 AM, error: NETLOGON [5783] - The session setup to the Windows NT or Windows 2000 Domain Controller \\anbf3.ANBF.LOCAL for the domain ANBF is not responsive. The current RPC call from Netlogon on \\NINJA2ND to \\anbf3.ANBF.LOCAL has been cancelled.

==== End Of File ===========================
gomfedj
Active Member
 
Posts: 7
Joined: April 11th, 2010, 2:43 am

Re: malware/rootkit

Unread postby gringo_pr » April 11th, 2010, 11:27 pm

Good evening

I need to see the GMER scan, so here are other ways to get it to work.

GMER:

I would like you to download this "special version of GMER" and save it to your desktop.


  • Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO, then use the following settings for a more complete scan.
Image
  • In the right panel, you will see several boxes that have been checked. Uncheck the following:
    • Sections <--- leave this checked please
    • IAT/EAT
    • Devices (don't miss this one) <-- this one is different from the picture
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt", or it will save as a .log file which cannot be uploaded to your post.
Save it where you can easily find it, such as your desktop.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

If GMER runs, then please give me the log and pass on the next step.

If GMER still does not run, and only if it doesn't run, please do the following.

I would like you to try and run GMER in Safe Mode. To enter Safe Mode, do the following.

Boot into Safe Mode

Reboot your computer in Safe Mode.

  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Log in on your usual account.

If GMER does run to the end, please send me the log in your next reply. If it still does not run, please let me know and we will try something else.

"information and logs"

    In your next post I need the following

    1. log from Gmer
    2. let me know of any problems you may have had
    3. How is the computer doing now?

Gringo
gringo_pr
Site Moderator
 
Posts: 1817
Joined: March 31st, 2007, 1:35 pm
Location: puerto rico

Re: malware/rootkit

Unread postby gomfedj » April 12th, 2010, 1:49 am

Finally got GMER to complete; here is the attached log. Apparently running that made something go crazy in my processes... either Lsass.exe, Rtvscan.exe, smc.exe or smcgui.exe would start using as much processor time as possible and max it out at 100% CPU usage (this is what was causing my system to reboot, I believe).

Anyways, here is the GMER log. Thank ya for your assistance.
I was able to get this complete using the method you had previously posted (I actually did not see your reply till I posted this message, sorry).


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-12 00:11:00
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\NINJA~1.ANB\LOCALS~1\Temp\uflyqpow.sys


---- System - GMER 1.0.15 ----

SSDT 89AEAF00 ZwAlertResumeThread
SSDT 8A372C58 ZwAlertThread
SSDT 8985A008 ZwAllocateVirtualMemory
SSDT 89B60230 ZwConnectPort
SSDT 89A62928 ZwCreateMutant
SSDT 899B76E0 ZwCreateThread
SSDT 898602C8 ZwFreeVirtualMemory
SSDT 89AC8270 ZwImpersonateAnonymousToken
SSDT 89AED2F8 ZwImpersonateThread
SSDT 89860228 ZwMapViewOfSection
SSDT 8A061988 ZwOpenEvent
SSDT 89AD6210 ZwOpenProcessToken
SSDT 8A2BDB88 ZwOpenThreadToken
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation) ZwProtectVirtualMemory [0xB7A1B880]
SSDT 89AEAEC0 ZwResumeThread
SSDT 8A37DAD0 ZwSetContextThread
SSDT 8A2BDC58 ZwSetInformationProcess
SSDT 899B6C80 ZwSetInformationThread
SSDT 8A55A860 ZwSuspendProcess
SSDT 8A15AB38 ZwSuspendThread
SSDT 8A34D548 ZwTerminateProcess
SSDT 8A22C608 ZwTerminateThread
SSDT 89ACD1A8 ZwUnmapViewOfSection
SSDT 8985A0B8 ZwWriteVirtualMemory

Code 891B4CEC ZwRequestPort
Code 891B4D8C ZwRequestWaitReplyPort
Code 891B4C4C ZwTraceEvent
Code 891B4CEB NtRequestPort
Code 891B4D8B NtRequestWaitReplyPort
Code 891B4C4B NtTraceEvent

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!NtTraceEvent 805499A0 5 Bytes JMP 891B4C50
PAGE ntoskrnl.exe!NtRequestWaitReplyPort 80579485 5 Bytes JMP 891B4D90
PAGE ntoskrnl.exe!NtRequestPort 805E94D0 5 Bytes JMP 891B4CF0
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xBA0C5360, 0x37388D, 0xE8000020]
.rsrc C:\WINDOWS\system32\DRIVERS\ipsec.sys entry point in ".rsrc" section [0xB7994614]
.text win32k.sys!EngAcquireSemaphore + 2642 BF808936 5 Bytes JMP 891B44D0
.text win32k.sys!EngFreeUserMem + 5502 BF80EDED 5 Bytes JMP 891B4430
.text win32k.sys!BRUSHOBJ_pvAllocRbrush + 320C BF81E6C3 5 Bytes JMP 891B4A70
.text win32k.sys!EngSetLastError + 7659 BF82860D 5 Bytes JMP 891B4610
.text win32k.sys!EngLockSurface + 148C BF834F2B 5 Bytes JMP 891B4750
.text win32k.sys!EngCreateBitmap + D973 BF8457BB 5 Bytes JMP 891B46B0
.text win32k.sys!EngMultiByteToWideChar + 2F22 BF852729 5 Bytes JMP 891B4930
.text win32k.sys!EngStretchBlt + CCB6 BF86C8A2 5 Bytes JMP 891B4570
.text win32k.sys!FONTOBJ_pxoGetXform + 1032F BF8C3127 5 Bytes JMP 891B47F0
.text win32k.sys!EngFillPath + 3B8D BF8F0327 5 Bytes JMP 891B49D0
.text win32k.sys!EngCreateClip + 1994 BF9126F5 5 Bytes JMP 891B4B10
.text win32k.sys!EngCreateClip + 1F24 BF912C85 5 Bytes JMP 891B4BB0
.text win32k.sys!EngCreateClip + 256A BF9132CB 5 Bytes JMP 891B4890

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1804] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 0099000A
.text C:\WINDOWS\System32\svchost.exe[1804] ntdll.dll!NtWriteVirtualMemory 7C90DF90 5 Bytes JMP 009A000A
.text C:\WINDOWS\System32\svchost.exe[1804] ntdll.dll!KiUserExceptionDispatcher 7C90E45C 5 Bytes JMP 0098000C
.text C:\WINDOWS\System32\svchost.exe[1804] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 02BF000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2528] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 0124000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2528] ntdll.dll!NtWriteVirtualMemory 7C90DF90 5 Bytes JMP 0125000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2528] ntdll.dll!KiUserExceptionDispatcher 7C90E45C 5 Bytes JMP 0123000C
.text C:\Program Files\Mozilla Firefox\firefox.exe[2528] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\WINDOWS\Explorer.EXE[2928] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 00B6000A
.text C:\WINDOWS\Explorer.EXE[2928] ntdll.dll!NtWriteVirtualMemory 7C90DF90 5 Bytes JMP 00C0000A
.text C:\WINDOWS\Explorer.EXE[2928] ntdll.dll!KiUserExceptionDispatcher 7C90E45C 5 Bytes JMP 00B5000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\SYMTDI \Device\SymTDI wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 899F6AC8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG10.00.00.01WORKSTATION

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\DRIVERS\ipsec.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
gomfedj
Active Member
 
Posts: 7
Joined: April 11th, 2010, 2:43 am
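The GMER log above mixes hooks GMER could attribute to a vendor module (the Symantec firewall attached to TCP/IP, for instance) with entries it could not attribute at all, and reading it is a matter of separating the two. As an added example, not part of the thread and not GMER's own code, this Python script parses the log's sections and pulls out the "suspicious modification" files, the device entries with no attributed module, and the number of SSDT entries that point at a bare address; the sample log is a constructed excerpt of the log posted above.

```python
"""Triage a GMER 1.0.15 log: split findings into vendor-attributed and unattributed entries."""
import re
from collections import defaultdict

# Constructed excerpt modelled on the GMER log posted in this thread (representative
# lines only, not the full log).
SAMPLE_GMER_LOG = r"""
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-12 00:11:00
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

SSDT 89AEAF00 ZwAlertResumeThread
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation) ZwProtectVirtualMemory [0xB7A1B880]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 899F6AC8

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\DRIVERS\ipsec.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
# GMER prints the module it attributed an entry to as "(Description/Vendor)".
VENDOR_RE = re.compile(r"\(([^()/]+)/([^()]+)\)")
FILE_RE = re.compile(r"^File (?P<path>.+?) suspicious modification$")


def parse_sections(text):
    """Map each '---- <name> - GMER x.y.z ----' section to its non-empty lines."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m["name"]
            continue
        if current and current != "EOF" and line:
            sections[current].append(line)
    return dict(sections)


def vendor_of(entry):
    """Vendor GMER attributed the entry to, or None when it printed only an address."""
    m = VENDOR_RE.search(entry)
    return m.group(2).strip() if m else None


def triage(text):
    sections = parse_sections(text)
    out = {
        "suspicious_files": [],      # files GMER flagged as modified on disk
        "unattributed_devices": [],  # device handlers with no module behind them
        "attributed_devices": [],    # (entry, vendor) pairs, e.g. a firewall on TCP/IP
        "unattributed_ssdt": 0,      # SSDT entries pointing at a bare pool address
    }
    for entry in sections.get("Files", []):
        m = FILE_RE.match(entry)
        if m:
            out["suspicious_files"].append(m["path"])
    for entry in sections.get("Devices", []):
        vendor = vendor_of(entry)
        if vendor is None:
            out["unattributed_devices"].append(entry)
        else:
            out["attributed_devices"].append((entry, vendor))
    for entry in sections.get("System", []):
        if entry.startswith("SSDT ") and vendor_of(entry) is None:
            out["unattributed_ssdt"] += 1
    return out


if __name__ == "__main__":
    result = triage(SAMPLE_GMER_LOG)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Attributed entries still deserve a look, but the unattributed disk-device handler and the two "suspicious modification" files are the items the rest of the thread works from.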

Re: malware/rootkit

Unread postby gringo_pr » April 12th, 2010, 2:27 am

Greetings

Good, that showed me what I need to know.

SystemLook:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
Code:
:filefind
*ipsec*

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


Gringo
gringo_pr
Site Moderator
 
Posts: 1817
Joined: March 31st, 2007, 1:35 pm
Location: puerto rico

Re: malware/rootkit

Unread postby gomfedj » April 12th, 2010, 2:37 am

Here are the results of running SystemLook with the code specified; no new symptoms to report.

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 01:36 on 12/04/2010 by ninja (Administrator - Elevation successful)

========== filefind ==========

Searching for "*ipsec*"
C:\WINDOWS\Help\ipsecconcepts.chm --a--- 219609 bytes [04:18 03/04/2007] [04:18 03/04/2007] 561086D29B911EBE468A0E4522F6C28A
C:\WINDOWS\Help\ipsecsnp.chm --a--- 18800 bytes [12:00 04/08/2004] [12:00 04/08/2004] 27893081909B5F7430F648DC48688CB6
C:\WINDOWS\Help\ipsecsnp.hlp --a--- 84292 bytes [12:00 04/08/2004] [12:00 04/08/2004] 98EAAA9552B7ADAF2343BBB089AF8143
C:\WINDOWS\Symbols\dll\ipsecsnp.pdb --a--- 551936 bytes [04:47 11/04/2010] [08:20 17/02/2007] 43DBAFED6EA69CE4DDC424E3CCAF46CD
C:\WINDOWS\Symbols\dll\ipsecsvc.pdb --a--- 445440 bytes [04:47 11/04/2010] [08:20 17/02/2007] 627F803EBDB1BBB4F16045D601939D82
C:\WINDOWS\Symbols\dll\nshipsec.pdb --a--- 207872 bytes [04:47 11/04/2010] [08:41 17/02/2007] B3D3ED3A430AEEF1137B6D02B783E709
C:\WINDOWS\Symbols\dll\winipsec.pdb --a--- 68608 bytes [04:46 11/04/2010] [09:09 17/02/2007] 3DCB63AF794978CA8D451B0BA69707F9
C:\WINDOWS\Symbols\exe\ipsec6.pdb --a--- 115712 bytes [04:45 11/04/2010] [00:50 22/03/2005] 66F955CF3395D70AF732CB89E9709821
C:\WINDOWS\Symbols\sys\ipsec.pdb --a--- 207872 bytes [04:47 11/04/2010] [08:20 17/02/2007] ECF91E915C6576510BB1652F25E1FBFA
C:\WINDOWS\system32\dllcache\ipsec.sys --a--c 75264 bytes [06:49 14/04/2008] [02:56 07/04/2010] 23C74D75E36E7158768DD63D92789A91
C:\WINDOWS\system32\dllcache\ipsec6.exe --a--c 44032 bytes [12:00 04/08/2004] [12:00 04/08/2004] 9869330E6E45029FD1640AA80130146E
C:\WINDOWS\system32\dllcache\ipsecsnp.dll --a--c 349696 bytes [11:41 14/04/2008] [11:41 14/04/2008] EF90321EE87DF18CE318E44DB4B33455
C:\WINDOWS\system32\dllcache\ipsecsvc.dll --a--c 183808 bytes [11:41 14/04/2008] [11:41 14/04/2008] 332760FBA1655FCFD35BD6F4FD871300
C:\WINDOWS\system32\dllcache\napipsec.dll --a--c 30208 bytes [11:42 14/04/2008] [11:42 14/04/2008] 87906187B3AF89582380D156DA601F68
C:\WINDOWS\system32\dllcache\winipsec.dll --a--c 32256 bytes [11:42 14/04/2008] [11:42 14/04/2008] 248712EA6BA17B9FF0C542A3828375DD
C:\WINDOWS\system32\drivers\ipsec.sys --a--- 75264 bytes [06:49 14/04/2008] [02:56 07/04/2010] 23C74D75E36E7158768DD63D92789A91
C:\WINDOWS\system32\ipsec6.exe --a--- 44032 bytes [12:00 04/08/2004] [12:00 04/08/2004] 9869330E6E45029FD1640AA80130146E
C:\WINDOWS\system32\ipsecsnp.dll --a--- 349696 bytes [11:41 14/04/2008] [11:41 14/04/2008] EF90321EE87DF18CE318E44DB4B33455
C:\WINDOWS\system32\ipsecsvc.dll --a--- 183808 bytes [11:41 14/04/2008] [11:41 14/04/2008] 332760FBA1655FCFD35BD6F4FD871300
C:\WINDOWS\system32\napipsec.dll --a--- 30208 bytes [11:42 14/04/2008] [11:42 14/04/2008] 87906187B3AF89582380D156DA601F68
C:\WINDOWS\system32\winipsec.dll --a--- 32256 bytes [11:42 14/04/2008] [11:42 14/04/2008] 248712EA6BA17B9FF0C542A3828375DD

-=End Of File=-
gomfedj
Active Member
 
Posts: 7
Joined: April 11th, 2010, 2:43 am
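Each SystemLook line carries a size, two timestamps and an MD5, so the live driver can be compared with the copy Windows File Protection keeps in dllcache before that copy is used as a replacement source. As an added example, not SystemLook's code and not from the thread, this script parses those lines and classifies every live/dllcache pair as hashes differing, both copies rewritten after they were created, or consistent. It assumes the first bracket is the creation time and the second the last-write time; the ipsec lines are copied from the log above and the example.sys lines are invented to exercise the divergent case.

```python
"""Compare live system files with their dllcache copies from SystemLook ':filefind' output."""
import re
from collections import defaultdict
from datetime import datetime
from pathlib import PureWindowsPath

# Constructed input: the ipsec.sys / ipsec6.exe lines are copied from the SystemLook log in
# this thread; the two example.sys lines and their hashes are invented placeholders.
SAMPLE_SYSTEMLOOK = r"""
Searching for "*ipsec*"
C:\WINDOWS\system32\dllcache\ipsec.sys --a--c 75264 bytes [06:49 14/04/2008] [02:56 07/04/2010] 23C74D75E36E7158768DD63D92789A91
C:\WINDOWS\system32\drivers\ipsec.sys --a--- 75264 bytes [06:49 14/04/2008] [02:56 07/04/2010] 23C74D75E36E7158768DD63D92789A91
C:\WINDOWS\system32\dllcache\ipsec6.exe --a--c 44032 bytes [12:00 04/08/2004] [12:00 04/08/2004] 9869330E6E45029FD1640AA80130146E
C:\WINDOWS\system32\ipsec6.exe --a--- 44032 bytes [12:00 04/08/2004] [12:00 04/08/2004] 9869330E6E45029FD1640AA80130146E
C:\WINDOWS\system32\dllcache\example.sys --a--c 10000 bytes [12:00 04/08/2004] [12:00 04/08/2004] 00000000000000000000000000000001
C:\WINDOWS\system32\drivers\example.sys --a--- 10240 bytes [12:00 04/08/2004] [03:10 07/04/2010] 00000000000000000000000000000002
"""

# path, attribute flags, size, [created] [modified], MD5 (bracket meaning is an assumption)
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) (?P<attrs>[-a-z]{6}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)
TS_FMT = "%H:%M %d/%m/%Y"  # day/month/year, as the log's own dates show
SEVERITY = {"CONSISTENT": 0, "BOTH_MODIFIED": 1, "DIVERGENT": 2}


def parse_filefind(text):
    """Return one dict per file line; headers and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "path": m["path"],
            "size": int(m["size"]),
            "created": datetime.strptime(m["created"], TS_FMT),
            "modified": datetime.strptime(m["modified"], TS_FMT),
            "md5": m["md5"].upper(),
        })
    return entries


def is_dllcache(path):
    return PureWindowsPath(path).parent.name.lower() == "dllcache"


def compare(live, cache):
    """Classify a live file against its dllcache counterpart."""
    if live["md5"] != cache["md5"]:
        return "DIVERGENT"        # the two copies differ; the cache is an independent reference
    if live["modified"] > live["created"] and cache["modified"] > cache["created"]:
        # Both copies were rewritten in place after they were created, and they hash the same:
        # the cache copy cannot vouch for the live one (heuristic based on NTFS timestamps).
        return "BOTH_MODIFIED"
    return "CONSISTENT"


def assess(text):
    """Map each file name that has both a live and a dllcache copy to its worst verdict."""
    by_name = defaultdict(lambda: {"cache": [], "live": []})
    for e in parse_filefind(text):
        name = PureWindowsPath(e["path"]).name.lower()
        by_name[name]["cache" if is_dllcache(e["path"]) else "live"].append(e)
    verdicts = {}
    for name, groups in by_name.items():
        if not groups["cache"] or not groups["live"]:
            continue  # nothing to compare against
        cache = groups["cache"][0]
        worst = "CONSISTENT"
        for live in groups["live"]:
            verdict = compare(live, cache)
            if SEVERITY[verdict] > SEVERITY[worst]:
                worst = verdict
        verdicts[name] = worst
    return verdicts


if __name__ == "__main__":
    for name, verdict in assess(SAMPLE_SYSTEMLOOK).items():
        print(f"{name}: {verdict}")
```

A BOTH_MODIFIED result means the dllcache copy was written at the same time as the live file, so a known-good copy from installation media or a clean machine is the safer reference.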

Re: malware/rootkit

Unread postby gringo_pr » April 12th, 2010, 4:07 am

Greetings

Please read the complete post before starting, and ask any questions before starting.

Please print out these instructions so you can have them handy while performing the fix.


Create and Run Batch File

    Open Notepad and copy/paste the entire contents of the codebox below, into Notepad:
Code:
@echo off
copy /y C:\WINDOWS\system32\dllcache\ipsec.sys c:\
del %0
    Save the file to your DESKTOP as "fix.bat". Make sure to save it with the quotes.
    Choose to Save type as - All Files and where to save - Desktop - then close the Notepad file.
    It should look like this: Image
    Double-click on fix.bat to run it.

Burn recovery console cd

  1. Download recovery_console_cd.zip file to your drive and extract it to its own folder (c:\recoverycd for example).
  2. Download floppy disk setup package xp pro for your operating system (XP pro) and save it to the folder you extracted the zip to.
  3. Rename the floppy disk setup package to Bootdisk.exe.
  4. Insert a blank cd into your burner.
  5. Double-click the RecoveryCD.bat file and follow the prompts to burn a cd that will allow you to boot to the recovery console.

Boot into recovery console

  • Insert the CD that we made into the CD player.
  • Restart the computer.
  • The screen will say "Windows set up"; just wait.
  • At the welcome screen, press "R".
  • Type 1 to enter c:\windows.
  • Type in the following and press Enter after each line (please note the spaces):

      cd c:\windows\system32\drivers
      ren ipsec.sys ipsec.old
      copy c:\ipsec.sys c:\windows\system32\drivers
      exit


After you have booted back into Windows, please rerun GMER and send me the log, and let me know if the redirects are still happening.

gringo
gringo_pr
Site Moderator
 
Posts: 1817
Joined: March 31st, 2007, 1:35 pm
Location: puerto rico

Re: malware/rootkit

Unread postby gomfedj » April 12th, 2010, 10:44 pm

OK, got GMER to finish on the 1st try this time; just babied it along, killing Symantec as necessary when it ate too many CPU cycles. No idea why it is doing that; even disabling the firewall/antivirus and everything didn't help. Don't worry, I unplugged from the internet before I disabled that stuff! I think that issue has nothing at all to do with any malware/adware and it is just an artifact of Symantec going ape crazy on GMER's scan.


Here is the GMER log. So far everything looks GREAT: no extra tabs in Firefox and no firewall blocking messages!

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-12 21:29:41
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\NINJA~1.ANB\LOCALS~1\Temp\uflyqpow.sys


---- System - GMER 1.0.15 ----

SSDT 8992FC48 ZwAlertResumeThread
SSDT 89AE8D48 ZwAlertThread
SSDT 89A6DC90 ZwAllocateVirtualMemory
SSDT 8A312228 ZwConnectPort
SSDT 89935100 ZwCreateMutant
SSDT 89A85548 ZwCreateThread
SSDT 89ACB900 ZwFreeVirtualMemory
SSDT 89B49AE8 ZwImpersonateAnonymousToken
SSDT 89931D20 ZwImpersonateThread
SSDT 8993AC68 ZwMapViewOfSection
SSDT 8A08F870 ZwOpenEvent
SSDT 8992A260 ZwOpenProcessToken
SSDT 89AB68B0 ZwOpenThreadToken
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation) ZwProtectVirtualMemory [0xB9ECC880]
SSDT 89AED950 ZwResumeThread
SSDT 89AB6830 ZwSetContextThread
SSDT 8993ED48 ZwSetInformationProcess
SSDT 89ADBF80 ZwSetInformationThread
SSDT 8A08F7B0 ZwSuspendProcess
SSDT 89AC3608 ZwSuspendThread
SSDT 89A855E8 ZwTerminateProcess
SSDT 89AC36C8 ZwTerminateThread
SSDT 89B39C88 ZwUnmapViewOfSection
SSDT 89B426A8 ZwWriteVirtualMemory

Code 883FECEC ZwRequestPort
Code 883FED8C ZwRequestWaitReplyPort
Code 883FEC4C ZwTraceEvent
Code 883FECEB NtRequestPort
Code 883FED8B NtRequestWaitReplyPort
Code 883FEC4B NtTraceEvent

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution + 1DA 804E4A14 4 Bytes CALL E6D7FEB3
.text ntoskrnl.exe!ZwYieldExecution + 47A 804E4CB4 8 Bytes CALL 48D7F50E
.text ntoskrnl.exe!NtTraceEvent 805499A0 5 Bytes JMP 883FEC50
PAGE ntoskrnl.exe!NtRequestWaitReplyPort 80579485 5 Bytes JMP 883FED90
PAGE ntoskrnl.exe!NtRequestPort 805E94D0 5 Bytes JMP 883FECF0
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xBA0C5360, 0x37388D, 0xE8000020]
.text win32k.sys!EngAcquireSemaphore + 2642 BF808936 5 Bytes JMP 883FE4D0
.text win32k.sys!EngFreeUserMem + 5502 BF80EDED 5 Bytes JMP 883FE430
.text win32k.sys!BRUSHOBJ_pvAllocRbrush + 320C BF81E6C3 5 Bytes JMP 883FEA70
.text win32k.sys!EngSetLastError + 7659 BF82860D 5 Bytes JMP 883FE610
.text win32k.sys!EngLockSurface + 148C BF834F2B 5 Bytes JMP 883FE750
.text win32k.sys!EngCreateBitmap + D973 BF8457BB 5 Bytes JMP 883FE6B0
.text win32k.sys!EngMultiByteToWideChar + 2F22 BF852729 5 Bytes JMP 883FE930
.text win32k.sys!EngStretchBlt + CCB6 BF86C8A2 5 Bytes JMP 883FE570
.text win32k.sys!FONTOBJ_pxoGetXform + 1032F BF8C3127 5 Bytes JMP 883FE7F0
.text win32k.sys!EngFillPath + 3B8D BF8F0327 5 Bytes JMP 883FE9D0
.text win32k.sys!EngCreateClip + 1994 BF9126F5 5 Bytes JMP 883FEB10
.text win32k.sys!EngCreateClip + 1F24 BF912C85 5 Bytes JMP 883FEBB0
.text win32k.sys!EngCreateClip + 256A BF9132CB 5 Bytes JMP 883FE890

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[3264] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip nltdi.sys (NetLimiter Driver/Locktime Software)
AttachedDevice \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp nltdi.sys (NetLimiter Driver/Locktime Software)
AttachedDevice \Driver\Tcpip \Device\Udp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp nltdi.sys (NetLimiter Driver/Locktime Software)
AttachedDevice \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp nltdi.sys (NetLimiter Driver/Locktime Software)

Device \Driver\SYMTDI \Device\SymTDI wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG10.00.00.01WORKSTATION
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher@StartTime 2010/04/12-17:11:19
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher@TracesProcessed 16
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher@TracesSuccessful 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher@LastTraceFailure 1306

---- EOF - GMER 1.0.15 ----
gomfedj
Active Member
 
Posts: 7
Joined: April 11th, 2010, 2:43 am

Re: malware/rootkit

Unread postby gringo_pr » April 13th, 2010, 1:51 am

Hello

These logs are looking good. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

Uninstall some programs

    1. Click on Start
    2. Then go to Settings
    3. After that you need Control Panel
    4. Look for the icon Add/Remove Programs
    Click on the following programs

    Adobe Reader 9.1

    and click on Remove

Update Adobe Reader

    Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions.
    If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

      If you don't like Adobe Reader (33.5 MB), you can download Foxit PDF Reader (3.5 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

      Note: When installing Foxit Reader, be careful not to install anything to do with AskBar.

Your Java is out of date.

It can be updated by the Java control panel
  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup) -> Update Tab -> Update Now.
  • An update should begin;
  • follow the prompts
  • After the update is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
        Applications and Applets
        Trace and Log Files

    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

    Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


:Kaspersky scan:

    Please go to Kaspersky website and perform an online antivirus scan.

    • Read through the requirements and privacy statement and click on Accept button.
    • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    • When the downloads have finished, click on Settings.
    • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
        Spyware, Adware, Dialers, and other potentially dangerous programs
        Archives
        Mail databases
    • Click on My Computer under Scan.
    • Once the scan is complete, it will display the results. Click on View Scan Report.
    • You will see a list of infected items there. Click on Save Report As....
    • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
    • Please post this log in your next reply.

"information and logs"

    In your next post I need the following

    1. Log From MBAM
    2. Log From Kaspersky
    3. let me know of any problems you may have had
    4. How is the computer doing now?

Gringo
gringo_pr
Site Moderator
 
Posts: 1817
Joined: March 31st, 2007, 1:35 pm
Location: puerto rico

Re: malware/rootkit

Unread postby gomfedj » April 13th, 2010, 4:10 pm

ok lets see..

1. I had Adobe Reader 9.1 installed; I did not see any older versions of Acrobat Reader installed, so did not do anything there.

2. My Java was out of date (it was version 6 update 14). I tried to update it to the update it had ready to install, update 17, but it failed out on a file called localedata.jar, so I uninstalled Java completely
and then redownloaded the newest version, which is version 6 update 19, and installed it. This seemed to go fine.

3. I ran Temp File Cleaner and had no issues; it wanted to reboot to finish clearing.

4. I updated and ran Malwarebytes Anti-Malware and it found 0 issues (log attached at bottom), but just a minute into the scan Symantec popped up that it had found several trojans in the local settings\temp directory (see attached image).

5. Installed and ran the Kaspersky online scan. It found SEVERAL issues, but MOST of them were quarantined files that Symantec had already picked up on. It did find 2 non-quarantined files; one was for Xbox 360 Explorer (used to copy data from Xbox 360 hard drives to your system or between Xbox 360 storage devices). I THINK that is 100% clean, though, unless it got infected by something outside of the program (possible, and I don't mind deleting it just in case; I am sure there is a newer version available anyway). Also, the log is attached as requested. BTW, I disabled the antivirus part of Symantec Endpoint Protection when I ran this, as suggested by the website.

The system seems OK. The only thing that has me worried was when I ran Malwarebytes, Symantec suddenly found some trojans (that should not have been there after the Temp File Cleaner, I assume). It makes me think Malwarebytes touched on something that set it off, yet it didn't detect anything itself.


Thank you again for your time,
*** Edit
Bah! Just noticed I saved the Kaspersky scan as HTML, not TXT. I am cutting and pasting the text from the HTML and adding it to the post; sorry this is in the incorrect format!


Malwarebytes' Anti-Malware 1.45
http://www.malwarebytes.org

Database version: 3983

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

4/13/2010 4:26:46 AM
mbam-log-2010-04-13 (04-26-46).txt

Scan type: Quick scan
Objects scanned: 109631
Time elapsed: 4 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Tuesday, April 13, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, April 13, 2010 08:08:41
Records in database: 3938991
Scan settings
scan using the following database extended
Scan archives yes
Scan e-mail databases yes
Scan area My Computer
C:\
D:\
E:\
F:\
G:\
H:\
I:\
M:\
S:\
T:\
U:\
V:\
W:\
X:\
Y:\
Z:\
Scan statistics
Objects scanned 77038
Threats found 12
Infected objects found 71
Suspicious objects found 0
Scan duration 02:13:29

File name Threat Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\08600000\4BFAD17B.VBN Infected: Packed.Win32.Katusha.j 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\08600001\4BFAD39F.VBN Infected: Packed.Win32.Katusha.j 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\08600002\4BFAD53B.VBN Infected: Packed.Win32.Katusha.j 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0DE40000\4FE438A0.VBN Infected: Packed.Win32.Katusha.j 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0DE40001\4FE438B6.VBN Infected: Packed.Win32.Katusha.j 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0DE40002\4FE438CF.VBN Infected: Exploit.JS.Pdfka.bvg 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0DE40002\4FE438CF.VBN Infected: Exploit.JS.Pdfka.brn 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0DE40005\4FE43901.VBN Infected: Packed.Win32.Katusha.j 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0DF40000\4FFE6424.VBN Infected: Exploit.JS.Pdfka.bvg 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0DF40000\4FFE6424.VBN Infected: Exploit.JS.Pdfka.brn 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E740005.VBN Infected: Trojan.Win32.Scar.bueu 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E740006.VBN Infected: Trojan-Downloader.Win32.Geral.och 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E740007.VBN Infected: Backdoor.Win32.Agent.aopu 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E740008.VBN Infected: Virus.Win32.Virut.ce 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E740009.VBN Infected: Packed.Win32.Katusha.j 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E74000A.VBN Infected: Packed.Win32.Katusha.j 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E74000B.VBN Infected: Rootkit.Win32.Agent.bert 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E74000C.VBN Infected: Rootkit.Win32.Agent.bert 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E74000D.VBN Infected: Rootkit.Win32.Agent.bert 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E74000E.VBN Infected: Rootkit.Win32.Agent.bert 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E74000F.VBN Infected: Rootkit.Win32.Agent.bert 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E740010.VBN Infected: Rootkit.Win32.Agent.bert 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E740011.VBN Infected: Rootkit.Win32.Agent.bert 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E740012.VBN Infected: Rootkit.Win32.Agent.bert 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E740013.VBN Infected: Rootkit.Win32.Agent.bert 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E740014.VBN Infected: Rootkit.Win32.Agent.bert 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E740015.VBN Infected: Rootkit.Win32.Agent.bert 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E740016.VBN Infected: Rootkit.Win32.Agent.bert 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E740017.VBN Infected: Rootkit.Win32.Agent.bert 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E740018.VBN Infected: Rootkit.Win32.Agent.bert 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E740019.VBN Infected: Rootkit.Win32.Agent.bert 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E74001A.VBN Infected: Rootkit.Win32.Agent.bert 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E74001B.VBN Infected: Rootkit.Win32.Agent.bert 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E74001C.VBN Infected: Rootkit.Win32.Agent.bert 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E74001D.VBN Infected: Rootkit.Win32.Agent.bert 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E74001E.VBN Infected: Packed.Win32.Katusha.j 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E74001F.VBN Infected: Rootkit.Win32.Agent.bert 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E740020.VBN Infected: Rootkit.Win32.Agent.bert 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E740021.VBN Infected: Rootkit.Win32.Agent.bert 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E740022.VBN Infected: Rootkit.Win32.Agent.bert 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E740023.VBN Infected: Rootkit.Win32.Agent.bert 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E740024.VBN Infected: Rootkit.Win32.Agent.bert 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E740025.VBN Infected: Rootkit.Win32.Agent.bert 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E740026.VBN Infected: Rootkit.Win32.Agent.bert 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E740027.VBN Infected: Rootkit.Win32.Agent.bert 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E740028.VBN Infected: Rootkit.Win32.Agent.bert 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E740029.VBN Infected: Rootkit.Win32.Agent.bert 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E74002A.VBN Infected: Rootkit.Win32.Agent.bert 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E74002B.VBN Infected: Rootkit.Win32.Agent.bert 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E74002C.VBN Infected: Rootkit.Win32.Agent.bert 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E74002D.VBN Infected: Rootkit.Win32.Agent.bert 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E74002E.VBN Infected: Rootkit.Win32.Agent.bert 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E74002F.VBN Infected: Rootkit.Win32.Agent.bert 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E740030.VBN Infected: Rootkit.Win32.Agent.bert 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E740031.VBN Infected: Rootkit.Win32.Agent.bert 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E740032.VBN Infected: Rootkit.Win32.Agent.bert 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E740033.VBN Infected: Rootkit.Win32.Agent.bert 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E740034.VBN Infected: Rootkit.Win32.Agent.bert 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E740035.VBN Infected: Rootkit.Win32.Agent.bert 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E740036.VBN Infected: Rootkit.Win32.Agent.bert 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E740037.VBN Infected: Rootkit.Win32.Agent.bert 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E740038.VBN Infected: Rootkit.Win32.Agent.bert 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E740039.VBN Infected: Rootkit.Win32.Agent.bert 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E74003A.VBN Infected: Rootkit.Win32.Agent.bert 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E74003B.VBN Infected: Rootkit.Win32.Agent.bert 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E74003C.VBN Infected: Virus.Win32.Virut.ce 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E74003D.VBN Infected: Trojan.Win32.Tdss.azzn 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E74003E\4FFEB1DE.VBN Infected: Trojan-Downloader.Win32.Mufanom.pyx 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E940000\4FBEC0BF.VBN Infected: Packed.Win32.Katusha.j 1
C:\Documents and Settings\ninja.ANBF\Desktop\Xplorer360_extreme2.exe Infected: Worm.Win32.Bybz.atr 1
C:\WINDOWS\system32\drivers\ipsec.old Infected: Rootkit.Win32.TDSS.ap 1
Selected area has been scanned.
gomfedj
Active Member
 
Posts: 7
Joined: April 11th, 2010, 2:43 am
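The Kaspersky report above mixes two very different kinds of hit: dozens of `.VBN` files inside Symantec's Quarantine folder (already neutralised copies that the online scanner is simply re-flagging) and two files that are still live on disk. The script below is an added example for this thread, not a tool from the forum or from Kaspersky; it parses the report's `<path> Infected: <threat> <count>` line format, splits quarantined hits from live ones, and groups detections by threat family so the live items stand out. The report excerpt is copied from the log posted above; the rule that a `.VBN` under a `\Quarantine\` folder is an already-contained copy is an assumption based on the paths in that log.

```python
"""Triage a Kaspersky Online Scanner report: separate detections that sit in
another product's quarantine (already neutralised, just scanner noise) from
files that are still live on disk and need action.

Added example for this thread; not a tool from the forum or from Kaspersky.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Excerpt of the report posted above (same line format as the full log).
SAMPLE_REPORT = r"""
File name Threat Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\08600000\4BFAD17B.VBN Infected: Packed.Win32.Katusha.j 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0DE40002\4FE438CF.VBN Infected: Exploit.JS.Pdfka.bvg 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0DE40002\4FE438CF.VBN Infected: Exploit.JS.Pdfka.brn 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E74000B.VBN Infected: Rootkit.Win32.Agent.bert 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E74003D.VBN Infected: Trojan.Win32.Tdss.azzn 1
C:\Documents and Settings\ninja.ANBF\Desktop\Xplorer360_extreme2.exe Infected: Worm.Win32.Bybz.atr 1
C:\WINDOWS\system32\drivers\ipsec.old Infected: Rootkit.Win32.TDSS.ap 1
Selected area has been scanned.
"""

# One detection line: "<path> Infected: <threat name> <count>"
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")

# Assumption: a .VBN stored under a Symantec Quarantine folder has already been
# neutralised by Symantec; the online scanner is re-flagging the stored copy,
# not a live file.
QUARANTINE_RE = re.compile(r"\\Quarantine\\.*\.VBN$", re.IGNORECASE)


@dataclass
class Detection:
    path: str
    threat: str
    count: int

    @property
    def quarantined(self) -> bool:
        return QUARANTINE_RE.search(self.path) is not None

    @property
    def family(self) -> str:
        # "Rootkit.Win32.Agent.bert" -> "Rootkit.Win32.Agent" (drop the variant suffix)
        return self.threat.rsplit(".", 1)[0]


def parse_report(text: str) -> List[Detection]:
    """Return one Detection per 'Infected:' line; header/footer lines are skipped."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found.append(Detection(m["path"], m["threat"], int(m["count"])))
    return found


def triage(text: str) -> Dict[str, object]:
    """Summarise a report: live paths needing action, quarantine noise, families."""
    dets = parse_report(text)
    live = [d for d in dets if not d.quarantined]
    families = Counter(d.family for d in dets)
    by_path = defaultdict(list)
    for d in dets:
        by_path[d.path].append(d.threat)
    return {
        "total": len(dets),
        "quarantined": sum(1 for d in dets if d.quarantined),
        "live_paths": sorted(d.path for d in live),
        "families": families,
        # Several names on one path means several signatures fired on one object,
        # not several objects (e.g. two Pdfka signatures on one PDF).
        "multi_hit_paths": {p: t for p, t in by_path.items() if len(t) > 1},
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print(f"{result['total']} detections, {result['quarantined']} already in quarantine")
    for path in result["live_paths"]:
        print("ACTION NEEDED:", path)
    for fam, n in result["families"].most_common():
        print(f"  {n:3d}  {fam}")
```

Run against the full log, the same script reduces 71 "infected objects" to the two paths that actually matter (the `ipsec.old` driver remnant and the Xbox explorer executable), which is exactly the distinction the poster made by hand. Note that it only trusts the quarantine path, not the threat name; a `Rootkit.Win32.TDSS.*` hit outside a quarantine folder is still treated as live.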

Re: malware/rootkit

Unread postby gringo_pr » April 14th, 2010, 1:26 am

one was for xbox 360 explorer (used to copy data from xbox 360 hard drives to your system or between xbox 360 storage devices), i THINK that is 100% clean though unless it got infected by something outside of the program (possible and i don't mind deleting it just in case, i am sure there is a newer version anyways available)
It may be a false positive, but let's be safe. I would like you to upload it here.

:upload files to jotti:

    Please upload a file for scanning:
    • Open virusscan.jotti
    • Copy/paste this file and path into the white box at the top:
    C:\Documents and Settings\ninja.ANBF\Desktop\Xplorer360_extreme2.exe

    Press Submit - this will submit the file for testing.
    Please wait for all the scanners to finish then copy and paste the results in your next response.

    Note: If Jotti is busy, you can use VirusTotal instead.

This file we will clean out when you send me the log from jotti

C:\WINDOWS\system32\drivers\ipsec.old

let me have the log from jotti

gringo
gringo_pr
Site Moderator
 
Posts: 1817
Joined: March 31st, 2007, 1:35 pm
Location: puerto rico

Re: malware/rootkit

Unread postby gomfedj » April 14th, 2010, 4:33 am

OK, here is the link from the Jotti scan (that site is neat; gonna bookmark that for future reference!)
http://virusscan.jotti.org/en/scanresul ... 1a5f90c1c3


Deleted (and cleared the recycle bin) the old infected ipsec.old file.


Just in case, I cut and pasted the text at the bottom of Jotti (in case that link does not work or is NOT what you wanted).

Scanners
[ArcaVir]
2010-03-25 Found nothing
[F-Secure Anti-Virus]
2010-03-25 Worm.Win32.Bybz.atr
[A-Squared]
2010-03-25 Found nothing
[G DATA]
2010-03-25 Found nothing
[Avast! antivirus]
2010-03-25 Found nothing
[Ikarus]
2010-03-25 Found nothing
[Grisoft AVG Anti-Virus]
2010-03-25 Found nothing
[Kaspersky Anti-Virus]
2010-03-25 Worm.Win32.Bybz.atr
[Avira AntiVir]
2010-03-25 Found nothing
[ESET NOD32]
2010-03-25 Found nothing
[Softwin BitDefender]
2010-03-25 Found nothing
[Panda Antivirus]
2010-03-25 Found nothing
[ClamAV]
2010-03-25 Found nothing
[Quick Heal]
2010-03-25 Found nothing
[CPsecure]
2010-03-25 Found nothing
[Sophos]
2010-03-25 Found nothing
[Dr.Web]
2010-03-25 Found nothing
[VirusBlokAda VBA32]
2010-03-24 Found nothing
[Frisk F-Prot Antivirus]
2010-03-25 Found nothing
[VirusBuster]
2010-03-25 Found nothing
gomfedj
Active Member
 
Posts: 7
Joined: April 11th, 2010, 2:43 am

Re: malware/rootkit

Unread postby gringo_pr » April 14th, 2010, 9:54 pm

Hello

i don't mind deleting it just in case, i am sure there is a newer version anyways available
I think this would be the best thing to do; Xbox 360 Explorer you can always download again.


Very well done!! This is my general post for when your logs show no more signs of malware ;)- Please let me know if you still are having problems with your computer and what these problems are.



The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points and create a new restore point.

:Uninstall ComboFix:

  • push the "Windows key" + "R" (between the "Ctrl" button and "Alt" button)
  • please copy and paste the following into the box: ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall; it needs to be there.

:DeFogger:

    To re-enable your Emulation drivers, double click DeFogger to run the tool.
    • The application window will appear
    • Click the Re-enable button to re-enable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK
    IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

    Your Emulation drivers are now re-enabled.

:Make your Internet Explorer more secure:


:Turn On Automatic Updates:

    Turn On Automatic Updates
    1. Click Start, click Run, type sysdm.cpl, and then press ENTER.
    2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select the Automatic (recommended) Automatically download recommended updates for my computer and install them

    If you click this setting, click to select the day and time for scheduled updates to occur. You can schedule Automatic Updates for any time of day. Remember, your computer must be on at the scheduled time for updates to be installed. After you set this option, Windows recognizes when you are online and uses your Internet connection to find updates on the Windows Update Web site or on the Microsoft Update Web site that apply to your computer. Updates are downloaded automatically in the background, and you are not notified or interrupted during this process. An icon appears in the notification area of your taskbar when the updates are being downloaded. You can point to the icon to view the download status. To pause or to resume the download, right-click the icon, and then click Pause or Resume. When the download is completed, another message appears in the notification area so that you can review the updates that are scheduled for installation. If you choose not to install at that time, Windows starts the installation on your set schedule.

    or visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

:antispyware programs:
    you have a couple of good antispyware programs on this computer but you still can try some of these others to see if you like them also

    I would recommend the download and installation of some or all of the following programs (all free), and the updating of them regularly:
    • WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.

    • Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free, but for real-time protection you will have to pay a small one-time fee.
    • Spyware Blaster - By altering your registry, this program stops harmful sites from installing things like ActiveX Controls on your machines.


please read this great article by miekiemoes How to prevent Malware:
and
this great article by Tony Klein So How Did I Get Infected In First Place

Now you have followed my advice - it's time to lodge a complaint against what you have suffered.........

Malware Complaints
If you were infected .... Stand Up and be Counted.

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.


Gringo
gringo_pr
Site Moderator
 
Posts: 1817
Joined: March 31st, 2007, 1:35 pm
Location: puerto rico

Re: malware/rootkit

Unread postby Mugsz » April 15th, 2010, 9:27 pm

Hey Gringo, I'm having the same problems. I downloaded the GMER and DDS files and followed directions. As I type this, the GMER directions are followed and it's doing the scans, and the DDS attachments that were instructed I'm having problems with. Since my exe files have been hijacked, it's not allowing me to zip.
Mugsz
Active Member
 
Posts: 14
Joined: April 15th, 2010, 8:51 pm