BobS

Everything posted by BobS

  1. Thanks so much for your help. You mentioned that the initial ComboFix log showed evidence of infected files. Is there any way for me to get more details on which files were infected (and with what)? A couple of weeks ago my credit card information was compromised and I've been trying to figure out if it's related to any of this (as I have made purchases online before).
  2. ESETSmartInstaller@High as CAB hook log:
     OnlineScanner.ocx - registred OK
     # version=7
     # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
     # OnlineScanner.ocx=1.0.0.6415
     # api_version=3.0.2
     # EOSSerial=3c355b759f85b74ebca0ec00b4c739fa
     # end=finished
     # remove_checked=true
     # archives_checked=true
     # unwanted_checked=true
     # unsafe_checked=true
     # antistealth_checked=true
     # utc_time=2010-12-12 02:35:02
     # local_time=2010-12-11 09:35:02 (-0500, Eastern Standard Time)
     # country="United States"
     # lang=1033
     # osver=5.1.2600 NT Service Pack 3
     # compatibility_mode=512 16777215 100 0 0 0 0 0
     # compatibility_mode=6143 16777215 0 0 0 0 0 0
     # compatibility_mode=8192 67108863 100 0 0 0 0 0
     # scanned=76213
     # found=0
     # cleaned=0
     # scan_time=4185
  3. So far everything seems ok. It's difficult to tell because, although the last few days it was blue-screening after loading Windows every time I turned the computer on, there were also times before that when it would go several days in a row without blue-screening. What has changed is that I now have access to the Windows XP Security Center again; I had lost that a short while back. So, that seems like a good sign. I don't understand most of the information in the ComboFix logs. Does it mention having found (and removed) any viruses?
  4. Ok, I finished that and ran it again. Here's the updated log:
  5. Here is the requested ComboFix log. At the beginning the program warned me that the Windows Recovery Console was not installed and asked if I wanted to download and install it (it also warned me that it would not be able to attempt any "serious" repairs without doing this first), but since I had already disconnected the internet connection I selected "no". If needed, I can download and install the Windows Recovery Console and then attempt to run ComboFix again. Was there anything important I needed in the folders ComboFix deleted? That action surprised me somewhat (especially since the before and after free drive space numbers show a 352,931,840 byte difference).
--------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\XP*] "DisplayName"="?\13?\13" "DeviceDesc"="?\13?\13" "ProviderName"="" "MFG"="???\\" "ReinstallString"="c:\\WINDOWS\\System32\\ReinstallBackups\\?\13\\DriverFiles\\.INF" "DeviceInstanceIds"=multi:"07267.inf\00" . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(672) c:\windows\system32\Ati2evxx.dll . Completion time: 2010-12-09 11:10:37 ComboFix-quarantined-files.txt 2010-12-09 16:10 Pre-Run: 49,362,976,768 bytes free Post-Run: 49,715,908,608 bytes free - - End Of File - - C0E099598D30D1667BBC5D7A6AB07354
  6. Thanks for taking the time to help me. Here are the logs you requested. The virus scan came up empty.
MBAM Log:
Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org
Database version: 5274
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
12/8/2010 6:03:01 PM
mbam-log-2010-12-08 (18-03-01).txt
Scan type: Quick scan
Objects scanned: 145032
Time elapsed: 11 minute(s), 35 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected: (No malicious items detected)
Memory Modules Infected: (No malicious items detected)
Registry Keys Infected: (No malicious items detected)
Registry Values Infected: (No malicious items detected)
Registry Data Items Infected: (No malicious items detected)
Folders Infected: (No malicious items detected)
Files Infected: (No malicious items detected)
Uninstall List:
  7. Hello. I've been running into a problem lately where one of my computers blue-screens frequently, at least once per day, usually soon after booting up or when attempting to update Norton Antivirus. When I first tried to figure out what the problem was, I used Malwarebytes' Anti-Malware to run a scan and it claimed to have found three Trojan.Dropper files in my C:\Windows\Temp directory (which it placed into Quarantine). Norton AV had never noticed these files in its prior scans, however. Because the computer is still experiencing numerous crashes lately, I'm concerned that I might still have some sort of malware on my system. I collected a HijackThis log and the results are posted below:
Thank you for your time, and any suggestions you can offer.
  8. Thanks again for your help on this.
Norton-AV recent history file: Recent_History.txt
New HijackThis log:
ESET log:
New ARK log (much shorter this time, is that normal?):
  9. No sooner had I finished sending the above post off than Norton popped up new warnings about Backdoor.Tidserv and Packed.Generic.200. It requested another restart and after I did that I ran another scan with Norton-AV and it didn't find anything else. The log lists both of those threats as "removed" (again), and for the past few hours nothing new has popped up. Maybe they're really gone at this point, but I can't help but wonder if I still have an infected file on my system somewhere that keeps reinfecting it.
  10. I just completed a scan with Norton-AV and it's come up with the following three alerts:
* Packed.Generic.200 has been fully resolved <= Norton just claimed it fixed this 2 hours ago yet here it is again.
* Downloader has been fully resolved.
* Backdoor.Tidserv has been resolved. Restart required.
When this scan was completed I restarted Windows as requested (keeping in mind this is where everything went horribly wrong the first time), but Norton seems to be still up and running now that Windows has reloaded. Norton's security history log now shows that Backdoor.Tidserv has been "removed". After that I did a quick scan with MBAM and it didn't find anything. I did another scan and log of HijackThis and now I'm going to run a Norton-AV scan again just to be safe. I also uninstalled WinPCap, renamed the jnlp-applet folder, and disabled AntiVir. Iexplore.exe doesn't seem to be loading silently anymore in the background, but somehow during all of this Firefox got flagged as my default web browser (which I'm fine with; I'm just wondering if that's why the Iexplore.exe problem has vanished). Anyhow, does everything look normal with this log now?
Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 8:49:47 PM, on 5/23/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16827) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\brsvc01a.exe C:\WINDOWS\System32\brss01a.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE C:\Program Files\Microsoft Hardware\Keyboard\type32.exe C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe C:\WINDOWS\MXOALDR.EXE C:\WINDOWS\CTHELPER.EXE C:\Program Files\Bonjour\mDNSResponder.exe C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE C:\WINDOWS\System32\CTsvcCDA.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Logitech\SetPoint\SetPoint.exe C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Tablet.exe C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\WINDOWS\system32\WTablet\TabUserW.exe C:\WINDOWS\system32\Tablet.exe C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe C:\Documents and Settings\Bob Smith\Desktop\Hijack\HijackThis.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wuauclt.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = 
http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com;*.local O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\IPSBHO.DLL O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE O4 - HKLM\..\Run: [sBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run O4 - HKLM\..\Run: [intelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe" O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil 
/RemAdvDef /Migration32 O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKCU\..\Run: [NVIDIA nTune] C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe resetprofile O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - 
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/...can8/oscan8.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. 
- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - Z:\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe O23 - Service: Performance Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe O23 - Service: Update Center Service (UpdateCenterService) - NVIDIA - C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe -- End of file - 9177 bytes
  11. Looking at it, I've never been to http://www.winpcap.org/. At first I thought it might be a component for a program I had installed several years ago called "Net Limiter 2 Lite", but now, looking at the properties on the WinPcap directory, I see that it was created on 4-29-09 at 5:38 in the evening (so, a few weeks ago). I can't think of anything I installed recently that would make use of it. The .jnlp-applet folder was created on 4-28-09 at 5:39 in the evening (almost exactly 24 hours after WinPcap). I have no idea why it's there either. As for AntiVir, I had run a scan with it after my initial post and by the end it had 11 events of malware detections. I'm not sure if they were false positives, but I'm a bit disturbed that, having just run a virus scan a few days ago, Norton AV turned up empty while AntiVir is flagging 11 files (some of which I've had for a while) as being infected. Is there any harm in keeping it as a backup scanner? Honestly, at this point I'm thinking Norton should be my backup scanner, as this is the second time now that I've had a serious virus problem and both times Norton failed to prevent/fix it. Instead I had to rely on other tools (like MBAM) to save my system. I'm in the process of running MBAM, but twice now it seems to become unresponsive while scanning "C:\Windows\Installer\b8290d.msi". During MBAM's first scan attempt Norton popped up a message warning me that it had detected and removed a heuristic virus threat called "Packed.Generic.200" from my system.
  12. Also, after following your instructions Malwarebytes is now able to load. I also re-enabled Norton AV through my msconfig=>services tab and it is also loading when the system boots into Windows. However, I haven't done scans with either program yet (and won't until you suggest that it's time to do so). The HijackThis log I pasted in my last post is with Norton AV still disabled from the Combofix session.
  13. Thanks for the help. I hopped on this immediately but it took quite a while for the scans to finish. I also ran into a little trouble while running Combofix. I was unable to deactivate Norton AntiVirus because it hasn't been showing up in my taskbar since this problem I'm having started the other night. I did disable Avira AntiVir, however (which I had installed shortly after visiting here), in addition to my Windows Firewall and Adaware. However, when I ran Combofix it warned me (twice) that Norton AntiVirus was still running. Prior to running Combofix I had disabled the Norton AntiVirus entry through my msconfig=>services tab. When warned that it was still running I checked my task manager and could find no signs of it, so I prompted Combofix to continue running anyway. Shortly into the run Combofix requested a restart and presented me with a list of filenames (and asked me to write them down in case they were needed later, which I did). I allowed Combofix to restart the machine, but the process of rebooting caused Avira AntiVir to reload with Windows, and a warning (regarding Combofix) popped up once Combofix began its process again. I told Avira AntiVir to ignore Combofix but I was unable to disable it again at that point as Combofix had caused the majority of my desktop controls to vanish. Anyway, it eventually finished and here are the requested logs. Ark.txt is uploaded as a file due to its size.
Combofix.txt :
ComboFix 09-05-23.01 - Bob Smith 05/23/2009 14:58.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1613 [GMT -4:00]
Running from: c:\documents and settings\Bob Smith\Desktop\Bongo.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Norton AntiVirus *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\BOBSMI~1\LOCALS~1\Temp\tmp1.tmp
c:\docume~1\BOBSMI~1\LOCALS~1\Temp\tmp2.tmp
c:\program files\INSTALL.LOG
c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
c:\windows\IE4 Error Log.txt
c:\windows\system32\drivers\UACubrrnomykmotoqo.sys
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\MabryObj.dll
c:\windows\system32\sdra64.exe
c:\windows\system32\UACbalqheoeraonrjb.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACivaldbdmriwxwul.dll
c:\windows\system32\UACkyqoijtatbuxeye.log
c:\windows\system32\UAClillisswwgmtqug.dll
c:\windows\system32\UACqgixuiycfqjufeh.dat
c:\windows\system32\UACtjmoopcqtkwprrr.log
c:\windows\system32\UACvmonyxjkipfrwgv.dll
c:\windows\system32\UACwyibsjnklpcwevp.log
c:\windows\system32\UACxdpavrkswbwryqd.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_UACd.sys
((((((((((((((((((((((((( Files Created from 2009-04-23 to 2009-05-23 )))))))))))))))))))))))))))))))
.
2009-05-23 18:28 . 2009-05-23 18:28 -------- d-----w C:\bingo
2009-05-23 16:01 . 2009-05-23 16:01 -------- d-----w C:\ARK
2009-05-23 05:30 . 2009-03-30 14:33 96104 ----a-w c:\windows\system32\drivers\avipbb.sys
2009-05-23 05:30 . 2009-03-24 20:08 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-05-23 05:30 . 2009-02-13 16:29 22360 ----a-w c:\windows\system32\drivers\avgntmgr.sys
2009-05-23 05:30 . 2009-02-13 16:17 45416 ----a-w c:\windows\system32\drivers\avgntdd.sys
2009-05-23 05:30 . 2009-05-23 05:30 -------- d-----w c:\program files\Avira
2009-05-23 05:30 . 2009-05-23 05:30 -------- d-----w c:\documents and settings\All Users\Application Data\Avira
2009-05-22 21:23 . 2009-05-22 21:23 -------- d-----w c:\program files\CleanUp!
2009-05-22 16:14 . 2009-05-22 16:20 -------- d-----w c:\program files\Unlocker
2009-05-22 05:10 .
2009-05-22 14:58 -------- d-----w c:\documents and settings\BoB Smith\.housecall6.6 2009-05-22 02:48 . 2009-05-22 04:15 -------- d-----w c:\windows\BDOSCAN8 2009-05-22 02:20 . 2009-05-22 02:20 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Symantec 2009-05-22 01:49 . 2009-05-22 01:49 -------- d-----w c:\documents and settings\Bob Smith\Local Settings\Application Data\Symantec 2009-05-16 15:15 . 2009-03-05 09:00 89104 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090516.003\NAVENG.SYS 2009-05-16 15:15 . 2009-03-05 09:00 876144 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090516.003\NAVEX15.SYS 2009-05-16 15:15 . 2009-03-05 09:00 371248 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090516.003\EECTRL.SYS 2009-05-16 15:15 . 2009-03-05 09:00 259368 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090516.003\ECMSVR32.DLL 2009-05-16 15:15 . 2009-03-05 09:00 2414128 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090516.003\CCERASER.DLL 2009-05-16 15:15 . 2009-03-05 09:00 177520 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090516.003\NAVENG32.DLL 2009-05-16 15:15 . 2009-03-05 09:00 1181040 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090516.003\NAVEX32A.DLL 2009-05-16 15:15 . 
2009-03-05 09:00 101936 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090516.003\ERASER.SYS 2009-05-11 14:52 . 2009-03-16 20:03 533880 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090508.002\Scxpx86.dll 2009-05-11 14:52 . 2009-01-29 21:50 276344 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090508.002\IDSXpx86.sys 2009-05-11 14:52 . 2009-01-29 21:50 292912 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090508.002\IDSvix86.sys 2009-05-11 14:52 . 2009-01-29 21:50 447864 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090508.002\IDSxpx86.dll 2009-05-11 14:52 . 2009-01-29 21:50 396848 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090508.002\IDSviA64.sys 2009-05-05 16:44 . 2009-05-05 16:44 -------- d-----w c:\documents and settings\Bob Smith\Local Settings\Application Data\Rawr 2009-05-05 15:31 . 2009-03-16 20:03 533880 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090501.001\Scxpx86.dll 2009-05-05 15:31 . 2009-01-29 21:50 276344 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090501.001\IDSXpx86.sys 2009-05-05 15:31 . 2009-01-29 21:50 292912 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090501.001\IDSvix86.sys 2009-05-05 15:31 . 
2009-01-29 21:50 447864 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090501.001\IDSxpx86.dll 2009-05-05 15:31 . 2009-01-29 21:50 396848 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090501.001\IDSviA64.sys 2009-04-29 21:38 . 2009-04-29 21:38 -------- d-----w c:\program files\WinPcap 2009-04-28 21:39 . 2009-04-28 21:39 -------- d-----w c:\documents and settings\Bob Smith\.jnlp-applet . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-05-23 18:57 . 2008-03-21 22:23 -------- d-----w c:\documents and settings\Bob Smith\Application Data\WTablet 2009-05-22 03:08 . 2007-05-24 08:03 -------- d-----w c:\documents and settings\Bob Smith\Application Data\Move Networks 2009-05-22 03:06 . 2007-09-25 19:38 -------- d-----w c:\documents and settings\All Users\Application Data\Proxy Long Chin Ping 2009-05-22 01:01 . 2004-10-10 19:02 -------- d-----w c:\program files\Teamspeak2_RC2 2009-05-17 01:38 . 2005-11-29 01:34 -------- d-----w c:\documents and settings\Bob Smith\Application Data\Skype 2009-04-25 21:52 . 2008-07-18 20:48 -------- d-----w c:\program files\Common 2009-04-25 20:02 . 2008-10-09 20:24 -------- d-----w c:\program files\Malwarebytes' Anti-Malware 2009-04-25 19:59 . 2008-10-20 21:04 2967799 ----a-w c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe 2009-04-15 15:48 . 2003-07-07 04:38 44424 ----a-w c:\documents and settings\Bob Smith\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-04-14 21:45 . 2009-04-14 21:45 -------- d-----w c:\program files\MSECache 2009-04-11 05:53 . 2004-11-08 00:49 -------- d-----w c:\documents and settings\Bob Smith\Application Data\Azureus 2009-04-07 05:07 . 
2009-04-07 05:07 78580 ----a-w c:\documents and settings\Bob Smith\Application Data\Move Networks\MoveMediaPlayer_071303000006.exe 2009-04-06 19:32 . 2008-10-09 20:24 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys 2009-04-06 19:32 . 2008-10-09 20:24 15504 ----a-w c:\windows\system32\drivers\mbam.sys 2009-03-29 18:00 . 2009-03-29 18:00 -------- d-----w c:\documents and settings\All Users\Application Data\Symantec 2009-03-28 18:36 . 2006-03-11 23:03 -------- d-----w c:\program files\Symantec 2009-03-28 18:36 . 2009-03-05 18:01 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF 2009-03-28 18:36 . 2009-03-05 18:01 7386 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT 2009-03-28 18:36 . 2009-03-05 18:01 60808 ----a-w c:\windows\system32\S32EVNT1.DLL 2009-03-28 18:36 . 2009-03-05 18:01 124464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS 2009-03-16 20:03 . 2009-03-16 20:03 533880 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\Scxpx86.dll 2009-03-09 15:34 . 2009-04-07 05:09 971776 ----a-w c:\documents and settings\Bob Smith\Application Data\Mozilla\Firefox\Profiles\q5yx3tj4.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll 2009-03-06 14:22 . 2002-08-29 12:00 284160 ----a-w c:\windows\system32\pdh.dll 2009-03-05 18:01 . 2009-03-05 18:01 1294680 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\SyKnAppS.dll 2009-03-05 18:01 . 2009-03-05 18:01 136840 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\patch25.dll 2009-03-05 18:01 . 2009-03-05 18:01 791920 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\CLT\cltLMSx.dll 2009-03-03 00:18 . 
2004-02-07 01:05 826368 ----a-w c:\windows\system32\wininet.dll 2009-02-27 10:57 . 2009-03-05 18:01 36400 ----a-r c:\windows\system32\drivers\SymIM.sys 2009-02-24 22:41 . 2009-02-28 00:19 2590336 -c--a-w c:\documents and settings\All Users\Application Data\{76E4F0D3-DBAE-4553-92DF-9807B61B5277}\Impulse_setup.exe 2009-02-24 22:10 . 2009-02-28 00:18 587120 -c--a-w c:\documents and settings\All Users\Application Data\{76E4F0D3-DBAE-4553-92DF-9807B61B5277}\OFFLINE\939F327A\6217F262\SDC.dll 2009-02-24 22:10 . 2009-02-28 00:18 9072 -c--a-w c:\documents and settings\All Users\Application Data\{76E4F0D3-DBAE-4553-92DF-9807B61B5277}\OFFLINE\939F327A\38EBD4A9\Sd.Irc.resources.dll 2009-02-24 22:10 . 2009-02-28 00:18 107888 -c--a-w c:\documents and settings\All Users\Application Data\{76E4F0D3-DBAE-4553-92DF-9807B61B5277}\OFFLINE\939F327A\C430389C\VistaBridgeLibrary.dll 2009-02-24 22:10 . 2009-02-28 00:18 161136 -c--a-w c:\documents and settings\All Users\Application Data\{76E4F0D3-DBAE-4553-92DF-9807B61B5277}\OFFLINE\939F327A\C430389C\VDialog.dll 2009-02-24 22:08 . 2009-02-28 00:18 733184 -c--a-w c:\documents and settings\All Users\Application Data\{76E4F0D3-DBAE-4553-92DF-9807B61B5277}\OFFLINE\939F327A\C430389C\UninstHelper.exe 2009-02-24 22:07 . 2009-02-28 00:18 616696 -c--a-w c:\documents and settings\All Users\Application Data\{76E4F0D3-DBAE-4553-92DF-9807B61B5277}\OFFLINE\939F327A\C430389C\7z.dll 2003-12-18 18:33 . 2006-05-26 19:07 20102 ----a-w c:\program files\Readme.txt 2003-09-03 14:46 . 2006-05-26 19:07 10960 ----a-w c:\program files\EULA.txt . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2008-06-06 114688] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTSysVol"="c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 49152] "CTDVDDet"="c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 45056] "SBDrvDet"="c:\program files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 45056] "CTStartup"="c:\program files\Creative\Splash Screen\CTEaxSpl.EXE" [2002-09-13 49152] "IntelliType"="c:\program files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-22 94208] "REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2001-07-25 57344] "MXO Auto Loader"="c:\windows\MXOALDR.EXE" [2003-04-08 118784] "PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-12 86016] "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952] "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 59392] "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168] "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-03 86016] "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153] "CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2005-12-08 16384] "PtiuPbmd"="ptipbm.dll" - c:\windows\system32\ptipbm.dll [2003-01-16 24576] "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2005-07-23 28160] "nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-03 1630208] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Logitech SetPoint.lnk - c:\program 
files\Logitech\SetPoint\SetPoint.exe [2006-6-20 528384]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
backup=c:\windows\pss\Exif Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^BoB Smith^Start Menu^Programs^Startup^War FTPD Tray icon.lnk]
path=c:\documents and settings\Bob Smith\Start Menu\Programs\Startup\War FTPD Tray icon.lnk
backup=c:\windows\pss\War FTPD Tray icon.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"nlsvc"=2 (0x2)
"UleadBurningHelper"=2 (0x2)
"Symantec Core LC"=3 (0x3)
"SPBBCSvc"=3 (0x3)
"SNDSrvc"=3 (0x3)
"SAVScan"=3 (0x3)
"NSCService"=3 (0x3)
"NPFMntor"=2 (0x2)
"navapsvc"=3 (0x3)
"LiveUpdate Notice Service"=2 (0x2)
"LiveUpdate"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"Norton AntiVirus"=2 (0x2)
"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"c:\\Program Files\\ICQ\\Icq.exe"=
"c:\\Program Files\\Microsoft Hardware\\Game Voice\\GameVoice.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"z:\\3ds Max 9\\3dsmax.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"z:\\Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1005000.086\SymEFA.sys [3/28/2009 2:36 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1005000.086\BHDrvx86.sys [3/28/2009 2:36 PM 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1005000.086\cchpx86.sys [3/28/2009 2:35 PM 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090508.002\IDSXpx86.sys [5/11/2009 10:52 AM 276344]
R1 nltdi;nltdi;c:\windows\system32\drivers\nltdi.sys [9/13/2006 3:59 PM 75776]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/23/2009 1:30 AM 108289]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6/1/2008 3:13 AM 34064]
R3 ctgame;Game Port;c:\windows\system32\drivers\ctgame.sys [12/30/2002 2:53 PM 12160]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [3/5/2009 5:00 AM 101936]
S2 BT848;WinFast TV2000 XP WDM Video Capture;c:\windows\system32\drivers\wf2kvcap.sys --> c:\windows\system32\drivers\wf2kvcap.sys [?]
S2 tv2ktunr;WinFast TV2000 XP WDM TVTuner;c:\windows\system32\drivers\wf2ktunr.sys --> c:\windows\system32\drivers\wf2ktunr.sys [?]
S2 Tv2kXbar;WinFast TV2000 XP WDM Crossbar;c:\windows\system32\drivers\wf2kxbar.sys --> c:\windows\system32\drivers\wf2kxbar.sys [?]
S3 cusbohcn;cusbohcn;\??\c:\docume~1\BOBSMI~1\LOCALS~1\Temp\cusbohcn.sys --> c:\docume~1\BOBSMI~1\LOCALS~1\Temp\cusbohcn.sys [?]
S3 WFIOCTL;WFIOCTL;c:\program files\WinFast\WFTVFM\WFIOCTL.sys [11/27/2006 7:09 PM 9446]
S4 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe [3/28/2009 2:35 PM 115560]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-CTXFIREG - CTxfiReg.exe
SafeBoot-procexp90.Sys

.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
Trusted Zone: aol.com\free
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Bob Smith\Application Data\Mozilla\Firefox\Profiles\q5yx3tj4.default\
FF - plugin: c:\documents and settings\Bob Smith\Application Data\Mozilla\Firefox\Profiles\q5yx3tj4.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npoctoshape.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npWebLaunch.dll
FF - plugin: c:\program files\Octoshape Streaming Services\Bob Smith\octoprogram-L03-N00-U00-C00_0706180_000\npoctoshape.dll
FF - plugin: c:\program files\thriXXX\WebLaunch\Binaries\npWebLaunch.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-23 15:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTStartup = "c:\program files\Creative\Splash Screen\CTEaxSpl.EXE" /run?Z?A~d???*?A~?????????^??????h?@?x?????B~D??????sx??sB???????y??w????@@@????|D@@?????>??w?????O8?H??????|???|???????|L(?s?O8??????/?s????????D???????????????????,????????????+?s@@@?D???`|?w??????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\diMaster.dll\" /prefetch:1"
.
Completion time: 2009-05-23 15:05
ComboFix-quarantined-files.txt 2009-05-23 19:05

Pre-Run: 4,658,712,576 bytes free
Post-Run: 6,255,230,976 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=AlwaysOff

274 --- E O F --- 2009-05-14 19:54

New HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:12:11 PM, on 5/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Bob Smith\Desktop\Hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\IPSBHO.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [sBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [intelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [NVIDIA nTune] C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe resetprofile
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/...can8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - Z:\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Performance Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Update Center Service (UpdateCenterService) - NVIDIA - C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe

--
End of file - 8900 bytes

Ark.txt