
Not sure if I should believe all clear scans...



Hello,

I run Norton 360, and its Autoprotect claimed to clean up some stuff yesterday. It looks like it thought a quarantined file from a previous TDSSKiller session (helped by you all here!) was a threat, but then there were a couple of other things it found:

Full Path: c:\tdsskiller_quarantine\04.09.2012_08.54.31\mbr0000\tdlfs0000\tsk0010.dta

Threat: Backdoor.Tidserv

____________________________

File Actions

File: C:\resycled\boot.com

Removed

File: c:\tdsskiller_quarantine\04.09.2012_08.54.31\mbr0000\tdlfs0000\tsk0010.dta

Removed

File: C:\Users\Sunshine\Desktop\Casino.url

Removed

____________________________

Suspicious Actions

Service change: spooler

Terminated

Could someone please take a look at my logs and make sure everything is OK? Spybot and MBAM didn't find anything. Thanks in advance.

Sunshine

DDS:

DDS (Ver_2012-11-20.01) - NTFS_x86

Internet Explorer: 9.0.8112.16455 BrowserJavaVersion: 10.9.2

Run by Sunshine at 9:31:11 on 2012-12-02

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3037.1472 [GMT -6:00]

.

AV: Norton 360 *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Spybot - Search and Destroy *Enabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}

SP: Norton 360 *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

FW: Norton 360 *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

.

============== Running Processes ================

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\System32\spoolsv.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Program Files\Realtek\Audio\HDA\AERTSrv.exe

C:\Program Files\Norton 360\Engine\6.4.0.9\ccSvcHst.exe

C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe

C:\Program Files\Rain City Digital LLC\TimesUpKidz\TimesUpKidzServer.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe

C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\System32\WUDFHost.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe

C:\Program Files\Norton 360\Engine\6.4.0.9\ccSvcHst.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\Program Files\Intel\IntelAppStore\bin\ismagent.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Intel\IntelAppStore\bin\AppUp.exe

C:\Windows\System32\igfxtray.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe

C:\Users\Sunshine\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Windows\system32\wuauclt.exe

C:\Windows\system32\taskeng.exe

C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe

C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe

C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe -k HsfXAudioService

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\svchost.exe -k SDRSVC

.

============== Pseudo HJT Report ===============

.

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\norton 360\engine\6.4.0.9\coieplg.dll

BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton 360\engine\6.4.0.9\ips\ipsbho.dll

BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll

BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll

TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton 360\engine\6.4.0.9\coieplg.dll

TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton 360\engine\6.4.0.9\coieplg.dll

uRun: [sansaDispatch] c:\users\Sunshine\appdata\roaming\sandisk\sansa updater\SansaDispatch.exe

mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe

mRun: [iAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe

mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"

mRun: [intel AppUp(SM) center] "c:\program files\intel\intelappstore\bin\ismagent.exe" --domain-id F0399437-FD0C-4A48-B101-F0314A6172E4

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [intel AppUp(SM) center Systray] "c:\program files\intel\intelappstore\bin\AppUp.exe" --domain F0399437-FD0C-4A48-B101-F0314A6172E4 --openmode trayicon

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [sDTray] "c:\program files\spybot - search & destroy 2\SDTray.exe"

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\timesu~1.lnk - c:\windows\installer\{837da79c-b12b-4709-9b9b-16d1468e418a}\_E0FC1390CC082CEC4B7147.exe

uPolicies-Explorer: NoDriveTypeAutoRun = dword:145

uPolicies-Explorer: NoDrives = dword:0

mPolicies-Explorer: NoDrives = dword:0

mPolicies-System: ConsentPromptBehaviorAdmin = dword:5

mPolicies-System: ConsentPromptBehaviorUser = dword:3

mPolicies-System: EnableUIADesktopToggle = dword:0

mPolicies-Explorer: NoDriveTypeAutoRun = dword:145

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

.

INFO: HKCU has more than 50 listed domains.

If you wish to scan all of them, select the 'Force scan all domains' option.

.

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab

DPF: {CAFEEFAC-0017-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab

TCP: NameServer = 192.168.254.254 192.168.254.254

TCP: Interfaces\{F6DD09E8-37A6-4945-A7D9-F383575F0CC7} : DHCPNameServer = 192.168.254.254 192.168.254.254

Notify: igfxcui - igfxdev.dll

Notify: SDWinLogon - SDWinLogon.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\Sunshine\appdata\roaming\mozilla\firefox\profiles\dd8pwjtk.default\

FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\amazon\mp3 downloader\npAmazonMP3DownloaderPlugin1017300.dll

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - plugin: c:\program files\google\update\1.3.21.123\npGoogleUpdate3.dll

FF - plugin: c:\program files\intel\intelappstore\bin\npAppUp.dll

FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll

FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPcol400.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll

FF - plugin: c:\windows\system32\adobe\director\np32dsw_1166636.dll

FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_4_402_287.dll

FF - plugin: c:\windows\system32\npDeployJava1.dll

FF - plugin: c:\windows\system32\npmproxy.dll

.

---- FIREFOX POLICIES ----

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

.

============= SERVICES / DRIVERS ===============

.

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0604000.009\symds.sys [2012-10-1 340088]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0604000.009\symefa.sys [2012-10-1 924320]

R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_6.0.1.2\definitions\bashdefs\20121106.001\BHDrvx86.sys [2012-10-23 995488]

R1 ccSet_N360;Norton 360 Settings Manager;c:\windows\system32\drivers\n360\0604000.009\ccsetx86.sys [2012-10-1 132768]

R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_6.0.1.2\definitions\ipsdefs\20121130.001\IDSvix86.sys [2012-11-30 386720]

R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0604000.009\ironx86.sys [2012-10-1 149624]

R1 SymNetS;Symantec Network Security WFP Driver;c:\windows\system32\drivers\n360\0604000.009\symnets.sys [2012-10-1 318584]

R2 AERTFilters;Andrea RT Filters Service;c:\program files\realtek\audio\hda\AERTSrv.exe [2009-12-12 81920]

R2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe -k HsfXAudioService [2009-7-13 20992]

R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\common files\intuit\update service v4\IntuitUpdateService.exe [2011-8-25 13672]

R2 N360;Norton 360;c:\program files\norton 360\engine\6.4.0.9\ccsvchst.exe [2012-10-1 138272]

R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\spybot - search & destroy 2\SDFSSvc.exe [2012-12-1 1103392]

R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\spybot - search & destroy 2\SDUpdSvc.exe [2012-12-1 1369624]

R2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\spybot - search & destroy 2\SDWSCSvc.exe [2012-12-1 168384]

R2 TimesUpKidz;TimesUpKidz;c:\program files\rain city digital llc\timesupkidz\TimesUpKidzServer.exe [2011-10-22 11264]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-8-13 106656]

R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2011-6-10 394856]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-10-24 14848]

S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2012-10-24 49664]

S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-4-20 1343400]

.

=============== Created Last 30 ================

.

2012-12-02 14:55:37 -------- d-----w- c:\users\Sunshine\appdata\local\{91C105CF-91BB-416A-A338-FDB55E42BA3D}

2012-12-02 04:01:00 15224 ----a-w- c:\windows\system32\sdnclean.exe

2012-12-02 04:00:57 -------- d-----w- c:\program files\Spybot - Search & Destroy 2

2012-12-02 04:00:14 -------- d-----w- c:\users\Sunshine\appdata\local\Programs

2012-12-01 19:33:59 -------- d-----w- c:\users\Sunshine\appdata\local\{BE24D499-1D34-4421-A6EC-711599334B72}

2012-12-01 04:33:24 -------- d-----w- c:\users\Sunshine\appdata\local\{FA676445-1222-435C-B853-561FEFC706A0}

2012-11-30 14:09:47 -------- d-----w- c:\users\Sunshine\appdata\local\{C67F240A-BFAB-4946-8E65-8D048B4A95C6}

2012-11-30 01:55:52 -------- d-----w- c:\users\Sunshine\appdata\local\{81B709E8-274B-4DFB-970F-B354D8CF0915}

2012-11-29 13:55:28 -------- d-----w- c:\users\Sunshine\appdata\local\{A4130063-A367-4207-99D5-CABEEB4C1E99}

2012-11-28 14:46:18 -------- d-----w- c:\users\Sunshine\appdata\local\{BFB698EE-14D2-4B20-BDD2-6C56B3ED4944}

2012-11-28 02:45:54 -------- d-----w- c:\users\Sunshine\appdata\local\{D2E797C9-3F9F-4357-A1BA-60DB6CCF46DB}

2012-11-27 14:45:43 -------- d-----w- c:\users\Sunshine\appdata\local\{6842530A-FC96-47C3-8BA2-6BB204C8F697}

2012-11-27 02:45:20 -------- d-----w- c:\users\Sunshine\appdata\local\{A19DA96C-F049-4F39-B314-54B391629477}

2012-11-26 13:54:59 -------- d-----w- c:\users\Sunshine\appdata\local\{D9FBB065-CEE1-45B8-97BC-A4925A3045E6}

2012-11-25 16:28:07 -------- d-----w- c:\users\Sunshine\appdata\local\{1D3232B1-96DC-4325-8280-E4F35994ABDF}

2012-11-24 17:51:11 -------- d-----w- c:\users\Sunshine\appdata\local\{A8FC00CA-A744-4781-83C4-485ABFEB30E6}

2012-11-23 22:50:32 -------- d-----w- c:\users\Sunshine\appdata\local\{FB23691E-B5E5-448F-92F4-42022C32049B}

2012-11-22 16:02:25 -------- d-----w- c:\users\Sunshine\appdata\local\{5659E8F0-6AC4-4B7B-8FD9-BC2C00989847}

2012-11-21 17:30:20 -------- d-----w- c:\users\Sunshine\appdata\local\{F3EFF4F8-A387-4A68-B03C-CF1970860DC4}

2012-11-21 05:26:32 -------- d-----w- c:\users\Sunshine\appdata\local\{EE83EB0A-87F6-4B39-8D3E-03FDAB20C2FC}

2012-11-20 14:11:42 -------- d-----w- c:\users\Sunshine\appdata\local\{FDABB266-8CB3-41DC-ABC6-CFA3D07B65CE}

2012-11-20 02:11:18 -------- d-----w- c:\users\Sunshine\appdata\local\{BDE5FF05-29C5-4258-9ECC-E9E307A1500C}

2012-11-19 14:01:39 -------- d-----w- c:\users\Sunshine\appdata\local\{C4152796-CF40-43AE-AF8B-FA8DE19737F9}

2012-11-17 18:02:51 -------- d-----w- c:\users\Sunshine\appdata\local\{BA031EC8-F902-4865-9042-860F18EEFF97}

2012-11-17 05:49:41 -------- d-----w- c:\users\Sunshine\appdata\local\{75F1BE29-1989-4A91-9461-3C58B0E5E3AA}

2012-11-16 17:00:12 -------- d-----w- c:\users\Sunshine\appdata\local\{1E620A07-BA71-40D9-B712-5D468A76F9F9}

2012-11-16 04:59:48 -------- d-----w- c:\users\Sunshine\appdata\local\{5CB83D1E-A767-465B-A9B5-67B40B5C5B99}

2012-11-16 04:44:18 -------- d-----w- c:\users\Sunshine\appdata\local\{178E6B89-F9C8-42B6-84DB-255EB8CE939B}

2012-11-15 22:14:02 52224 ----a-w- c:\windows\system32\nlaapi.dll

2012-11-15 22:14:02 499712 ----a-w- c:\windows\system32\iphlpsvc.dll

2012-11-15 22:14:02 35328 ----a-w- c:\windows\system32\drivers\tcpipreg.sys

2012-11-15 22:14:02 242176 ----a-w- c:\windows\system32\nlasvc.dll

2012-11-15 22:14:02 18944 ----a-w- c:\windows\system32\netevent.dll

2012-11-15 22:14:02 175104 ----a-w- c:\windows\system32\netcorehc.dll

2012-11-15 22:14:02 156672 ----a-w- c:\windows\system32\ncsi.dll

2012-11-15 22:14:02 1293680 ----a-w- c:\windows\system32\drivers\tcpip.sys

2012-11-15 22:13:56 78336 ----a-w- c:\windows\system32\synceng.dll

2012-11-15 22:12:57 2345984 ----a-w- c:\windows\system32\win32k.sys

2012-11-15 22:12:43 44032 ----a-w- c:\windows\system32\dhcpcsvc6.dll

2012-11-15 22:12:43 193536 ----a-w- c:\windows\system32\dhcpcore6.dll

2012-11-15 16:20:24 -------- d-----w- c:\users\Sunshine\appdata\local\{97F4F9C7-2209-4282-9830-6F32F1C1D464}

2012-11-15 04:20:01 -------- d-----w- c:\users\Sunshine\appdata\local\{7D968EDF-AAB4-4557-92E3-BAD174DD3648}

2012-11-14 15:45:24 -------- d-----w- c:\users\Sunshine\appdata\local\{BD1C5897-9FA8-4822-8121-7C38DE6AB742}

2012-11-14 03:13:16 -------- d-----w- c:\users\Sunshine\appdata\local\{75ED3293-8971-4B1E-B4D0-B7015AE5ACF2}

2012-11-13 14:05:10 -------- d-----w- c:\users\Sunshine\appdata\local\{E21AE30D-D032-4015-B5FD-ED0DF26EF5C1}

2012-11-13 02:04:19 -------- d-----w- c:\users\Sunshine\appdata\local\{70FBE023-3F6A-41A7-BE84-2CFACB94DD9C}

2012-11-12 14:03:55 -------- d-----w- c:\users\Sunshine\appdata\local\{4F5F1ABF-D8DF-48BD-AE9E-35B12DF27659}

2012-11-11 20:01:29 -------- d-----w- c:\users\Sunshine\appdata\local\{6F8981C5-997D-47B0-B184-827BB2E736E3}

2012-11-11 04:30:37 -------- d-----w- c:\users\Sunshine\appdata\local\{1C3314F5-8462-477D-8592-D44A552B8464}

2012-11-10 16:30:14 -------- d-----w- c:\users\Sunshine\appdata\local\{60554413-D8F6-4E0D-96BE-181A63137072}

2012-11-10 03:51:40 -------- d-----w- c:\users\Sunshine\appdata\local\{A8DC604D-000C-4137-9655-F8ED613D1643}

2012-11-09 15:51:17 -------- d-----w- c:\users\Sunshine\appdata\local\{B0596F1B-652C-45E9-8035-54E907A89443}

2012-11-09 03:50:49 -------- d-----w- c:\users\Sunshine\appdata\local\{A2CE5F17-3DD5-451E-A922-96E82556C7B9}

2012-11-09 03:10:13 -------- d-----w- c:\users\Sunshine\appdata\local\{552A7452-7F61-429E-9ADA-F93E22B3851B}

2012-11-08 14:50:48 -------- d-----w- c:\users\Sunshine\appdata\local\{E04DBA09-3DA2-4CA7-9098-6092FE29C91B}

2012-11-07 17:51:12 -------- d-----w- c:\users\Sunshine\appdata\local\{18ED5800-880E-4F8F-9F41-2BF6B21760B3}

2012-11-07 04:59:11 -------- d-----w- c:\users\Sunshine\appdata\local\{9502D6C3-6F09-4F28-9E40-73EEDEBC0E93}

2012-11-06 16:06:56 -------- d-----w- c:\users\Sunshine\appdata\local\{534B1664-54DD-4C96-AED4-38D2AADECE73}

2012-11-05 17:16:01 -------- d-----w- c:\users\Sunshine\appdata\local\{2C74B646-0F55-44E6-B84F-6EEC4106D567}

2012-11-04 19:16:21 -------- d-----w- c:\users\Sunshine\appdata\local\{7E0F64C1-7A54-4105-A977-44AE0741CA3D}

.

==================== Find3M ====================

.

2012-10-16 07:39:52 561664 ----a-w- c:\windows\apppatch\AcLayers.dll

2012-10-08 20:46:36 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-10-08 20:46:36 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-10-08 07:56:24 1800704 ----a-w- c:\windows\system32\jscript9.dll

2012-10-08 07:48:03 1129472 ----a-w- c:\windows\system32\wininet.dll

2012-10-08 07:47:44 1427968 ----a-w- c:\windows\system32\inetcpl.cpl

2012-10-08 07:44:05 142848 ----a-w- c:\windows\system32\ieUnatt.exe

2012-10-08 07:43:21 420864 ----a-w- c:\windows\system32\vbscript.dll

2012-10-08 07:40:56 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2012-09-30 00:54:26 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-09-25 04:16:36 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll

2012-09-14 18:28:53 2048 ----a-w- c:\windows\system32\tzres.dll

2012-09-05 14:39:04 821736 ----a-w- c:\windows\system32\npDeployJava1.dll

2012-09-05 14:39:04 746984 ----a-w- c:\windows\system32\deployJava1.dll

2012-09-05 14:12:20 152576 ----a-w- c:\windows\system32\msclmd.dll

.

============= FINISH: 9:31:44.50 ===============

Attach:

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-20.01)

.

Microsoft Windows 7 Home Premium

Boot Device: \Device\HarddiskVolume2

Install Date: 2/4/2010 11:26:12 AM

System Uptime: 12/2/2012 7:59:48 AM (2 hours ago)

.

Motherboard: Dell Inc. | | 0JJW8N

Processor: Intel® Core2 Duo CPU E7500 @ 2.93GHz | Socket 775 | 2928/266mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 218 GiB total, 153.838 GiB free.

D: is CDROM ()

F: is Removable

G: is Removable

H: is Removable

I: is Removable

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP296: 11/10/2012 12:53:03 PM - Scheduled Checkpoint

RP297: 11/15/2012 11:35:28 PM - Windows Update

RP298: 11/23/2012 6:02:22 PM - Scheduled Checkpoint

RP299: 11/28/2012 8:09:52 PM - Windows Update

.

==== Installed Programs ======================

.

Sansa Media Converter

Activity Center, Winnie the Pooh

Adobe AIR

Adobe Flash Player 11 ActiveX

Adobe Flash Player 11 Plugin

Adobe Reader X (10.1.4)

Adobe Shockwave Player 11.6

Amazon MP3 Downloader 1.0.17

Angry Birds

Arthur's Thinking Games

Baby Smartronics

Beauty and the Beast Magical Ballroom

Blue's Art Time Activities

Cinderella's Dollhouse

Clifford Learning Activities

Compatibility Pack for the 2007 Office system

Conexant D850 PCI V.92 Modem

Cool Timer 3.6

Coupon Printer for Windows

D3DX10

Dell Backup and Recovery Manager

Dell Edoc Viewer

Digital Line Detect

Dropbox

Google Chrome

Google Update Helper

Intel AppUp(SM) center

Intel® Graphics Media Accelerator Driver

Intel® TV Wizard

Intel® Matrix Storage Manager

iSEEK AnswerWorks English Runtime

Java 7 Update 9

Java Auto Updater

Junk Mail filter update

Malwarebytes Anti-Malware version 1.65.1.1000

Math Games - Multiplication 1.1

Mathboard Addition

Microsoft .NET Framework 4 Client Profile

Microsoft .NET Framework 4 Extended

Microsoft Application Error Reporting

Microsoft Money 2005

Microsoft Office PowerPoint Viewer 2007 (English)

Microsoft Silverlight

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319

Microsoft Works

Mozilla Firefox 16.0.2 (x86 en-US)

Mozilla Maintenance Service

MSVCRT

NetWaiting

NHL 2000

Norton 360

Norton Internet Security

OGA Notifier 2.0.0048.0

OverDrive Media Console

Picasa 3

PowerDVD DX

Putt-Putt Travels Through Time

QuickTime

Reader Rabbit's Math Ages 6-9

Reader Rabbit® I Can Read! With Phonics

Realtek High Definition Audio Driver

Rob's Maths

Roxio Creator Audio

Roxio Creator Copy

Roxio Creator Data

Roxio Creator DE 10.3

Roxio Creator Tools

Roxio Express Labeler 3

Roxio Update Manager

Sansa Updater

Scholastic's I SPY Junior

Scrapbook Factory Deluxe 4.0

Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)

Security Update for Microsoft .NET Framework 4 Extended (KB2487367)

Security Update for Microsoft .NET Framework 4 Extended (KB2656351)

Shutterfly Express Uploader

Spybot - Search & Destroy

SpywareBlaster 4.6

StarFlyers Royal Jewel Rescue

swMSM

The Ultimate Math Practicen 2.5.1

TimesUpKidz

TurboTax 2009

TurboTax 2009 WinPerFedFormset

TurboTax 2009 WinPerReleaseEngine

TurboTax 2009 WinPerTaxSupport

TurboTax 2009 wmniper

TurboTax 2009 wrapper

TurboTax 2010

TurboTax 2010 WinPerFedFormset

TurboTax 2010 WinPerReleaseEngine

TurboTax 2010 WinPerTaxSupport

TurboTax 2010 wmniper

TurboTax 2010 wrapper

TurboTax 2011

TurboTax 2011 WinPerFedFormset

TurboTax 2011 WinPerReleaseEngine

TurboTax 2011 WinPerTaxSupport

TurboTax 2011 wmniper

TurboTax 2011 wrapper

Tux Paint 0.9.21c

Tux Paint Stamps 2009-06-28

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

Update for Microsoft .NET Framework 4 Extended (KB2468871)

Update for Microsoft .NET Framework 4 Extended (KB2533523)

Update for Microsoft .NET Framework 4 Extended (KB2600217)

US State Finder

Windows Live Communications Platform

Windows Live Essentials

Windows Live ID Sign-in Assistant

Windows Live Installer

Windows Live Mail

Windows Live MIME IFilter

Windows Live Photo Common

Windows Live PIMT Platform

Windows Live SOXE

Windows Live SOXE Definitions

Windows Live Sync

Windows Live UX Platform

Windows Live UX Platform Language Pack

Windows Live Writer

Windows Live Writer Resources

Windows Media Player Firefox Plugin

Wisdom-soft Set up ScreenHunter 5.1 Free

.

==== Event Viewer Messages From Past Week ========

.

12/1/2012 4:59:30 PM, Error: Service Control Manager [7023] - The Server service terminated with the following error: The service has not been started.

12/1/2012 4:59:29 PM, Error: Service Control Manager [7038] - The PolicyAgent service was unable to log on as NT Authority\NetworkService with the currently configured password due to the following error: The request is not supported. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).

12/1/2012 4:59:29 PM, Error: Service Control Manager [7038] - The Dhcp service was unable to log on as NT Authority\LocalService with the currently configured password due to the following error: The request is not supported. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).

12/1/2012 4:59:29 PM, Error: Service Control Manager [7009] - A timeout was reached (60001 milliseconds) while waiting for the Windows Search service to connect.

12/1/2012 4:59:29 PM, Error: Service Control Manager [7001] - The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error: The service did not start due to a logon failure.

12/1/2012 4:59:29 PM, Error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

12/1/2012 4:59:29 PM, Error: Service Control Manager [7000] - The Portable Device Enumerator Service service failed to start due to the following error: A system shutdown is in progress.

12/1/2012 4:59:29 PM, Error: Service Control Manager [7000] - The IPsec Policy Agent service failed to start due to the following error: The service did not start due to a logon failure.

12/1/2012 4:59:29 PM, Error: Service Control Manager [7000] - The Diagnostic System Host service failed to start due to the following error: A system shutdown is in progress.

12/1/2012 4:59:29 PM, Error: Service Control Manager [7000] - The DHCP Client service failed to start due to the following error: The service did not start due to a logon failure.

12/1/2012 4:59:29 PM, Error: Service Control Manager [7000] - The Computer Browser service failed to start due to the following error: A system shutdown is in progress.

12/1/2012 11:03:24 AM, Error: Microsoft-Windows-DistributedCOM [10000] - Unable to start a DCOM Server: {0228576F-6E6C-4E1A-B175-0E46A316AFE2}. The error: "786" Happened while starting this command: C:\Windows\ehome\ehmsas.exe -Embedding

12/1/2012 10:07:32 AM, Error: Microsoft-Windows-DistributedCOM [10001] - Unable to start a DCOM Server: {380689D0-AFAA-47E6-B80E-A33436FE314B} as /. The error: "786" Happened while starting this command: "C:\Program Files\Windows Live\Contacts\wlcomm.exe" -Embedding

12/1/2012 1:23:12 PM, Error: Microsoft-Windows-DistributedCOM [10000] - Unable to start a DCOM Server: {5DDFFCF7-03EF-47B3-9527-FA3C25CB56BE}. The error: "786" Happened while starting this command: C:\PROGRA~1\MICROS~2\WkDStore.exe -Embedding

12/1/2012 1:23:12 PM, Error: Microsoft-Windows-DistributedCOM [10000] - Unable to start a DCOM Server: {0CD18583-8805-11D2-BD0E-00C04F72DBBC}. The error: "786" Happened while starting this command: C:\PROGRA~1\MICROS~2\wkgdcach.exe -Embedding

11/30/2012 10:33:01 PM, Error: Service Control Manager [7011] - A timeout (60001 milliseconds) was reached while waiting for a transaction response from the lmhosts service.

11/29/2012 12:46:54 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x00009088 (0x917cbb74, 0x917cbb78, 0x917cbb6c, 0x917cbb70). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 112912-23758-01.

.

==== End Of File ===========================


:welcome: I am TheDarkKnight and will be assisting you. Please ask questions if anything is unclear. :)

Please follow these instructions to run ComboFix.exe. Please visit this webpage for download links and instructions for running this tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix (CF).

Please go here to see a list of programs that need to be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.**

**Note 2: If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.**

Please include the C:\ComboFix.txt in your next reply for further review.

=====

Also, please download Malwarebytes Anti-Rootkit here.

  • Unzip the contents to a folder on the Desktop.
  • Open the folder where the contents were unzipped and run mbar.exe ( right-click and select Run as administrator for Vista and Windows 7).
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Please post the two logs produced.

Please note: This tool is still in BETA mode, so please ensure you have backed up any important files.

=====

Finally, please download AdwCleaner by Xplode onto your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Rn].txt as well.

=====

In your reply please provide the contents of the following:

  • ComboFix.txt.
  • Both MBAR logs.
  • AdwCleaner[R1].txt.

How is the computer currently running?


Here are my logs:

Combofix:

ComboFix 12-12-02.01 - Sunshine 12/03/2012 15:45:19.3.2 - x86

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3037.2015 [GMT -6:00]

Running from: c:\users\Sunshine\Desktop\ComboFix.exe

AV: Norton 360 *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

FW: Norton 360 *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

SP: Norton 360 *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

SP: Spybot - Search and Destroy *Disabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

.

((((((((((((((((((((((((( Files Created from 2012-11-03 to 2012-12-03 )))))))))))))))))))))))))))))))

.

.

2012-12-03 21:51 . 2012-12-03 21:51 -------- d-----w- c:\users\Public\AppData\Local\temp

2012-12-03 21:51 . 2012-12-03 21:51 -------- d-----w- c:\users\Nicole\AppData\Local\temp

2012-12-03 21:51 . 2012-12-03 21:51 -------- d-----w- c:\users\Nicole.Sunshine-DellPC\AppData\Local\temp

2012-12-03 21:51 . 2012-12-03 21:51 -------- d-----w- c:\users\Nels\AppData\Local\temp

2012-12-03 21:51 . 2012-12-03 21:51 -------- d-----w- c:\users\Homework\AppData\Local\temp

2012-12-03 21:51 . 2012-12-03 21:51 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-12-03 21:51 . 2012-12-03 21:51 -------- d-----w- c:\users\Brita\AppData\Local\temp

2012-12-02 04:01 . 2009-01-25 18:14 15224 ----a-w- c:\windows\system32\sdnclean.exe

2012-12-02 04:00 . 2012-12-02 04:01 -------- d-----w- c:\program files\Spybot - Search & Destroy 2

2012-12-02 04:00 . 2012-12-02 04:00 -------- d-----w- c:\users\Sunshine\AppData\Local\Programs

2012-11-26 15:50 . 2012-11-26 15:50 -------- d-----w- c:\users\Nicole.Sunshine-DellPC\AppData\Roaming\CyberLink

2012-11-15 22:14 . 2012-10-03 16:58 1293680 ----a-w- c:\windows\system32\drivers\tcpip.sys

2012-11-15 22:14 . 2012-10-03 16:42 52224 ----a-w- c:\windows\system32\nlaapi.dll

2012-11-15 22:14 . 2012-10-03 16:42 242176 ----a-w- c:\windows\system32\nlasvc.dll

2012-11-15 22:14 . 2012-10-03 16:42 18944 ----a-w- c:\windows\system32\netevent.dll

2012-11-15 22:14 . 2012-10-03 16:42 175104 ----a-w- c:\windows\system32\netcorehc.dll

2012-11-15 22:14 . 2012-10-03 16:42 156672 ----a-w- c:\windows\system32\ncsi.dll

2012-11-15 22:14 . 2012-10-03 16:40 499712 ----a-w- c:\windows\system32\iphlpsvc.dll

2012-11-15 22:14 . 2012-10-03 15:21 35328 ----a-w- c:\windows\system32\drivers\tcpipreg.sys

2012-11-15 22:13 . 2012-09-25 22:47 78336 ----a-w- c:\windows\system32\synceng.dll

2012-11-15 22:12 . 2012-10-18 17:59 2345984 ----a-w- c:\windows\system32\win32k.sys

2012-11-15 22:12 . 2012-10-09 17:40 44032 ----a-w- c:\windows\system32\dhcpcsvc6.dll

2012-11-15 22:12 . 2012-10-09 17:40 193536 ----a-w- c:\windows\system32\dhcpcore6.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-10-18 22:12 . 2012-10-18 22:12 163056 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10142.bin

2012-10-17 15:47 . 2010-03-21 05:59 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll

2012-10-17 15:47 . 2010-03-23 17:46 2876528 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll

2012-10-17 15:47 . 2010-05-21 23:55 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll

2012-10-16 07:39 . 2012-11-28 14:01 561664 ----a-w- c:\windows\apppatch\AcLayers.dll

2012-10-08 20:46 . 2012-04-23 20:10 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-10-08 20:46 . 2011-05-17 14:05 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-09-30 00:54 . 2011-12-01 04:01 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-09-25 04:16 . 2012-10-26 22:58 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll

2012-09-21 13:07 . 2010-03-21 05:54 2876528 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll

2012-09-21 13:06 . 2010-05-19 22:20 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll

2012-09-14 18:28 . 2012-10-10 13:04 2048 ----a-w- c:\windows\system32\tzres.dll

2012-09-05 14:39 . 2012-08-30 04:01 821736 ----a-w- c:\windows\system32\npDeployJava1.dll

2012-09-05 14:39 . 2010-08-11 15:24 746984 ----a-w- c:\windows\system32\deployJava1.dll

2012-09-05 14:12 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll

2012-10-28 02:44 . 2012-10-28 02:44 261600 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2012-06-30 04:19 94208 ----a-w- c:\users\Sunshine\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2012-06-30 04:19 94208 ----a-w- c:\users\Sunshine\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2012-06-30 04:19 94208 ----a-w- c:\users\Sunshine\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SansaDispatch"="c:\users\Sunshine\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe" [2011-12-26 79872]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-05-23 7514656]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]

"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-06-25 140520]

"Intel AppUp(SM) center"="c:\program files\Intel\IntelAppStore\bin\ismagent.exe" [2012-08-07 155456]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]

"Intel AppUp(SM) center Systray"="c:\program files\Intel\IntelAppStore\bin\AppUp.exe" [2012-08-07 901416]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-12 137752]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-12 171032]

"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-12 172568]

"SDTray"="c:\program files\Spybot - Search & Destroy 2\SDTray.exe" [2012-11-13 3825176]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-12-12 50688]

TimesUpKidz Reminders.lnk - c:\windows\Installer\{837DA79C-B12B-4709-9B9B-16D1468E418A}\_E0FC1390CC082CEC4B7147.exe [2012-4-2 17542]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean.exe

.

R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [x]

R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [x]

R2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\Spybot - Search & Destroy 2\SDWSCSvc.exe [x]

R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]

S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0604000.009\SYMDS.SYS [x]

S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0604000.009\SYMEFA.SYS [x]

S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.1.2\Definitions\BASHDefs\20121130.005\BHDrvx86.sys [x]

S1 ccSet_N360;Norton 360 Settings Manager;c:\windows\system32\drivers\N360\0604000.009\ccSetx86.sys [x]

S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.1.2\Definitions\IPSDefs\20121130.001\IDSvix86.sys [x]

S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0604000.009\Ironx86.SYS [x]

S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\N360\0604000.009\SYMNETS.SYS [x]

S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSrv.exe [x]

S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [x]

S2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [x]

S2 N360;Norton 360;c:\program files\Norton 360\Engine\6.4.0.9\ccSvcHst.exe [x]

S2 TimesUpKidz;TimesUpKidz;c:\program files\Rain City Digital LLC\TimesUpKidz\TimesUpKidzServer.exe [x]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HsfXAudioService REG_MULTI_SZ HsfXAudioService

GPSvcGroup REG_MULTI_SZ GPSvc

.

Contents of the 'Scheduled Tasks' folder

.

2012-12-03 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-23 20:46]

.

2012-12-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-10-04 18:56]

.

2012-12-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-10-04 18:56]

.

.

------- Supplementary Scan -------

.

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

Trusted Zone: intuit.com\ttlc

TCP: DhcpNameServer = 192.168.254.254 192.168.254.254

FF - ProfilePath - c:\users\Sunshine\AppData\Roaming\Mozilla\Firefox\Profiles\dd8pwjtk.default\

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

.

- - - - ORPHANS REMOVED - - - -

.

Notify-SDWinLogon - SDWinLogon.dll

SafeBoot-84977827.sys

.

.

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\N360]

"ImagePath"="\"c:\program files\Norton 360\Engine\6.4.0.9\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\6.4.0.9\diMaster.dll\" /prefetch:1"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1498416925-3057025073-3905950374-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]

@Denied: (2) (LocalSystem)

"Progid"="WindowsLiveMail.Email.1"

.

[HKEY_USERS\S-1-5-21-1498416925-3057025073-3905950374-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]

@Denied: (2) (LocalSystem)

"Progid"="WindowsLiveMail.VCard.1"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'Explorer.exe'(5416)

c:\users\Sunshine\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

Completion time: 2012-12-03 15:52:24

ComboFix-quarantined-files.txt 2012-12-03 21:52

ComboFix2.txt 2012-09-03 01:01

.

Pre-Run: 167,059,918,848 bytes free

Post-Run: 166,900,908,032 bytes free

.

- - End Of File - - 370E4D5EDC9D5E06EABEA160205C27C8

Mbar-log:

Malwarebytes Anti-Rootkit 1.1.0.1009

www.malwarebytes.org

Database version: v2012.12.03.13

Windows 7 Service Pack 1 x86 NTFS

Internet Explorer 9.0.8112.16421

Sunshine :: Sunshine-DELLPC [administrator]

12/3/2012 4:40:46 PM

mbar-log-2012-12-03 (16-40-46).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken

Scan options disabled: PUP | PUM | P2P

Objects scanned: 27896

Time elapsed: 8 minute(s), 36 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

System-log:

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1009

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x86

Account is Administrative

Internet Explorer version: 9.0.8112.16421

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED

CPU speed: 2.926000 GHz

Memory total: 3184513024, free: 1754730496

------------ Kernel report ------------

12/03/2012 16:31:30

------------ Loaded modules -----------

\SystemRoot\system32\ntkrnlpa.exe

\SystemRoot\system32\halmacpi.dll

\SystemRoot\system32\kdcom.dll

\SystemRoot\system32\mcupdate_GenuineIntel.dll

\SystemRoot\system32\PSHED.dll

\SystemRoot\system32\BOOTVID.dll

\SystemRoot\system32\CLFS.SYS

\SystemRoot\system32\CI.dll

\SystemRoot\system32\drivers\Wdf01000.sys

\SystemRoot\system32\drivers\WDFLDR.SYS

\SystemRoot\system32\drivers\ACPI.sys

\SystemRoot\system32\drivers\WMILIB.SYS

\SystemRoot\system32\drivers\msisadrv.sys

\SystemRoot\system32\drivers\pci.sys

\SystemRoot\system32\drivers\vdrvroot.sys

\SystemRoot\System32\drivers\partmgr.sys

\SystemRoot\system32\drivers\volmgr.sys

\SystemRoot\System32\drivers\volmgrx.sys

\SystemRoot\System32\drivers\mountmgr.sys

\SystemRoot\system32\DRIVERS\iaStor.sys

\SystemRoot\system32\drivers\amdxata.sys

\SystemRoot\system32\drivers\fltmgr.sys

\SystemRoot\system32\drivers\N360\0604000.009\SYMDS.SYS

\SystemRoot\system32\drivers\fileinfo.sys

\SystemRoot\system32\drivers\N360\0604000.009\SYMEFA.SYS

\SystemRoot\System32\Drivers\PxHelp20.sys

\SystemRoot\System32\Drivers\Ntfs.sys

\SystemRoot\System32\Drivers\msrpc.sys

\SystemRoot\System32\Drivers\ksecdd.sys

\SystemRoot\System32\Drivers\cng.sys

\SystemRoot\System32\drivers\pcw.sys

\SystemRoot\System32\Drivers\Fs_Rec.sys

\SystemRoot\system32\drivers\ndis.sys

\SystemRoot\system32\drivers\NETIO.SYS

\SystemRoot\System32\Drivers\ksecpkg.sys

\SystemRoot\System32\drivers\tcpip.sys

\SystemRoot\System32\drivers\fwpkclnt.sys

\SystemRoot\system32\drivers\volsnap.sys

\SystemRoot\System32\Drivers\spldr.sys

\SystemRoot\System32\drivers\rdyboost.sys

\SystemRoot\System32\Drivers\mup.sys

\SystemRoot\System32\drivers\hwpolicy.sys

\SystemRoot\System32\DRIVERS\fvevol.sys

\SystemRoot\system32\DRIVERS\disk.sys

\SystemRoot\system32\DRIVERS\CLASSPNP.SYS

\SystemRoot\system32\drivers\cdrom.sys

\SystemRoot\system32\drivers\N360\0604000.009\ccSetx86.sys

\SystemRoot\System32\Drivers\N360\0604000.009\SRTSP.SYS

\SystemRoot\system32\drivers\N360\0604000.009\Ironx86.SYS

\SystemRoot\system32\drivers\N360\0604000.009\SRTSPX.SYS

\??\C:\Windows\system32\Drivers\SYMEVENT.SYS

\SystemRoot\System32\Drivers\Null.SYS

\SystemRoot\System32\Drivers\Beep.SYS

\SystemRoot\System32\drivers\vga.sys

\SystemRoot\System32\drivers\VIDEOPRT.SYS

\SystemRoot\System32\drivers\watchdog.sys

\SystemRoot\System32\DRIVERS\RDPCDD.sys

\SystemRoot\system32\drivers\rdpencdd.sys

\SystemRoot\system32\drivers\rdprefmp.sys

\SystemRoot\System32\Drivers\Msfs.SYS

\SystemRoot\System32\Drivers\Npfs.SYS

\SystemRoot\system32\DRIVERS\tdx.sys

\SystemRoot\system32\DRIVERS\TDI.SYS

\SystemRoot\system32\drivers\afd.sys

\SystemRoot\System32\DRIVERS\netbt.sys

\SystemRoot\system32\drivers\ws2ifsl.sys

\SystemRoot\system32\DRIVERS\wfplwf.sys

\SystemRoot\system32\DRIVERS\pacer.sys

\SystemRoot\system32\DRIVERS\netbios.sys

\SystemRoot\system32\DRIVERS\serial.sys

\SystemRoot\system32\DRIVERS\wanarp.sys

\SystemRoot\system32\drivers\termdd.sys

\SystemRoot\System32\Drivers\N360\0604000.009\SYMNETS.SYS

\SystemRoot\system32\DRIVERS\rdbss.sys

\SystemRoot\system32\drivers\nsiproxy.sys

\SystemRoot\system32\drivers\mssmbios.sys

\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.1.2\Definitions\IPSDefs\20121130.001\IDSvix86.sys

\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys

\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys

\SystemRoot\System32\drivers\discache.sys

\SystemRoot\System32\Drivers\dfsc.sys

\SystemRoot\system32\DRIVERS\blbdrive.sys

\SystemRoot\system32\DRIVERS\tunnel.sys

\SystemRoot\system32\DRIVERS\intelppm.sys

\SystemRoot\system32\DRIVERS\igdkmd32.sys

\SystemRoot\System32\drivers\dxgkrnl.sys

\SystemRoot\System32\drivers\dxgmms1.sys

\SystemRoot\system32\DRIVERS\usbuhci.sys

\SystemRoot\system32\DRIVERS\USBPORT.SYS

\SystemRoot\system32\DRIVERS\usbehci.sys

\SystemRoot\system32\drivers\HDAudBus.sys

\SystemRoot\system32\DRIVERS\Rt86win7.sys

\SystemRoot\system32\DRIVERS\HSXHWBS2.sys

\SystemRoot\system32\DRIVERS\ks.sys

\SystemRoot\system32\DRIVERS\HSX_DPV.sys

\SystemRoot\system32\DRIVERS\HSX_CNXT.sys

\SystemRoot\system32\drivers\modem.sys

\SystemRoot\system32\DRIVERS\serenum.sys

\SystemRoot\system32\drivers\i8042prt.sys

\SystemRoot\system32\drivers\mouclass.sys

\SystemRoot\system32\drivers\pfc.sys

\SystemRoot\system32\drivers\CompositeBus.sys

\SystemRoot\system32\DRIVERS\AgileVpn.sys

\SystemRoot\system32\DRIVERS\rasl2tp.sys

\SystemRoot\system32\DRIVERS\ndistapi.sys

\SystemRoot\system32\DRIVERS\ndiswan.sys

\SystemRoot\system32\DRIVERS\raspppoe.sys

\SystemRoot\system32\DRIVERS\raspptp.sys

\SystemRoot\system32\DRIVERS\rassstp.sys

\SystemRoot\system32\drivers\kbdclass.sys

\SystemRoot\system32\drivers\swenum.sys

\SystemRoot\system32\drivers\umbus.sys

\SystemRoot\system32\DRIVERS\usbhub.sys

\SystemRoot\System32\Drivers\NDProxy.SYS

\SystemRoot\system32\drivers\RTKVHDA.sys

\SystemRoot\system32\drivers\portcls.sys

\SystemRoot\system32\drivers\drmk.sys

\SystemRoot\system32\DRIVERS\usbprint.sys

\SystemRoot\system32\DRIVERS\USBD.SYS

\SystemRoot\System32\win32k.sys

\SystemRoot\System32\drivers\Dxapi.sys

\SystemRoot\system32\drivers\hidusb.sys

\SystemRoot\system32\drivers\HIDCLASS.SYS

\SystemRoot\system32\drivers\HIDPARSE.SYS

\SystemRoot\system32\DRIVERS\USBSTOR.SYS

\SystemRoot\system32\drivers\kbdhid.sys

\SystemRoot\system32\DRIVERS\monitor.sys

\SystemRoot\System32\Drivers\crashdmp.sys

\SystemRoot\System32\Drivers\dump_iaStor.sys

\SystemRoot\System32\Drivers\dump_dumpfve.sys

\SystemRoot\System32\TSDDD.dll

\SystemRoot\system32\drivers\luafv.sys

\SystemRoot\system32\drivers\WudfPf.sys

\SystemRoot\system32\DRIVERS\lltdio.sys

\SystemRoot\system32\DRIVERS\rspndr.sys

\SystemRoot\system32\drivers\HTTP.sys

\SystemRoot\system32\DRIVERS\bowser.sys

\SystemRoot\System32\drivers\mpsdrv.sys

\SystemRoot\system32\DRIVERS\mrxsmb.sys

\SystemRoot\system32\DRIVERS\mrxsmb10.sys

\SystemRoot\system32\DRIVERS\mrxsmb20.sys

\SystemRoot\system32\DRIVERS\mdmxsdk.sys

\SystemRoot\system32\drivers\peauth.sys

\SystemRoot\System32\Drivers\secdrv.SYS

\SystemRoot\System32\DRIVERS\srvnet.sys

\SystemRoot\System32\drivers\tcpipreg.sys

\SystemRoot\system32\DRIVERS\XAudio32.sys

\SystemRoot\System32\DRIVERS\srv2.sys

\SystemRoot\System32\DRIVERS\srv.sys

\SystemRoot\system32\DRIVERS\WUDFRd.sys

\SystemRoot\System32\Drivers\fastfat.SYS

\SystemRoot\system32\DRIVERS\udfs.sys

\SystemRoot\System32\cdd.dll

\SystemRoot\System32\ATMFD.DLL

\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.1.2\Definitions\BASHDefs\20121130.005\BHDrvx86.sys

\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.1.2\Definitions\VirusDefs\20121203.002\NAVEX15.SYS

\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.1.2\Definitions\VirusDefs\20121203.002\NAVENG.SYS

\??\C:\Windows\system32\Drivers\PROCEXP113.SYS

\??\C:\Users\Sunshine\AppData\Local\Temp\catchme.sys

\SystemRoot\system32\DRIVERS\mouhid.sys

\??\C:\Windows\system32\drivers\mbamchameleon.sys

\??\C:\Windows\system32\drivers\mbamswissarmy.sys

\Windows\System32\ntdll.dll

\Windows\System32\smss.exe

\Windows\System32\apisetschema.dll

----------- End -----------

<<<1>>>

Upper Device Name: \Device\Harddisk4\DR4

Upper Device Object: 0xffffffff891b4560

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\0000007e\

Lower Device Object: 0xffffffff891b04e8

Lower Device Driver Name: \Driver\USBSTOR\

Driver name found: USBSTOR

DriverEntry returned 0x0

Function returned 0x0

<<<1>>>

Upper Device Name: \Device\Harddisk3\DR3

Upper Device Object: 0xffffffff891b4ac8

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\0000007d\

Lower Device Object: 0xffffffff85595ca8

Lower Device Driver Name: \Driver\USBSTOR\

Driver name found: USBSTOR

<<<1>>>

Upper Device Name: \Device\Harddisk2\DR2

Upper Device Object: 0xffffffff891b2560

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\0000007c\

Lower Device Object: 0xffffffff88d21678

Lower Device Driver Name: \Driver\USBSTOR\

Driver name found: USBSTOR

<<<1>>>

Upper Device Name: \Device\Harddisk1\DR1

Upper Device Object: 0xffffffff891b2ac8

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\0000007b\

Lower Device Object: 0xffffffff855bdca8

Lower Device Driver Name: \Driver\USBSTOR\

Driver name found: USBSTOR

<<<1>>>

Upper Device Name: \Device\Harddisk0\DR0

Upper Device Object: 0xffffffff86ce3030

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\Ide\IAAStorageDevice-1\

Lower Device Object: 0xffffffff85ea6028

Lower Device Driver Name: \Driver\iaStor\

Driver name found: iaStor

DriverEntry returned 0x0

Function returned 0x0

Downloaded database version: v2012.12.03.13

Downloaded database version: v2012.11.30.01

Initializing...

Done!

Scanning directory: C:\Windows\system32\drivers...

<<<2>>>

Device number: 0, partition: 3

Physical Sector Size: 512

Drive: 0, DevicePointer: 0xffffffff86ce3030, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xffffffff86ce3d10, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xffffffff86ce3030, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

DevicePointer: 0xffffffff85ea6028, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \Driver\iaStor\

------------ End ----------

Upper DeviceData: 0xffffffffa095b4c8, 0xffffffff86ce3030, 0xffffffff88c71208

Lower DeviceData: 0xffffffffcfd34f48, 0xffffffff85ea6028, 0xffffffff85773548

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Done!

Drive 0

Scanning MBR on drive 0...

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: 7740BF64

Partition information:

Partition 0 type is Other (0xde)

Partition is NOT ACTIVE.

Partition starts at LBA: 63 Numsec = 80262

Partition 1 type is Primary (0x7)

Partition is ACTIVE.

Partition starts at LBA: 81920 Numsec = 30720000

Partition file system is NTFS

Partition is bootable

Partition 2 type is Primary (0x7)

Partition is NOT ACTIVE.

Partition starts at LBA: 30801920 Numsec = 457477282

Partition 3 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Disk Size: 250000000000 bytes

Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-488261250-488281250)...

Physical Sector Size: 0

Drive: 1, DevicePointer: 0xffffffff891b2ac8, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xffffffff891bad10, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xffffffff891b2ac8, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\

DevicePointer: 0xffffffff855bdca8, DeviceName: \Device\0000007b\, DriverName: \Driver\USBSTOR\

------------ End ----------

Physical Sector Size: 0

Drive: 2, DevicePointer: 0xffffffff891b2560, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xffffffff88d1d588, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xffffffff891b2560, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\Disk\

DevicePointer: 0xffffffff88d21678, DeviceName: \Device\0000007c\, DriverName: \Driver\USBSTOR\

------------ End ----------

Physical Sector Size: 0

Drive: 3, DevicePointer: 0xffffffff891b4ac8, DeviceName: \Device\Harddisk3\DR3\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xffffffff88d28910, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xffffffff891b4ac8, DeviceName: \Device\Harddisk3\DR3\, DriverName: \Driver\Disk\

DevicePointer: 0xffffffff85595ca8, DeviceName: \Device\0000007d\, DriverName: \Driver\USBSTOR\

------------ End ----------

Physical Sector Size: 0

Drive: 4, DevicePointer: 0xffffffff891b4560, DeviceName: \Device\Harddisk4\DR4\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xffffffff85578d10, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xffffffff891b4560, DeviceName: \Device\Harddisk4\DR4\, DriverName: \Driver\Disk\

DevicePointer: 0xffffffff891b04e8, DeviceName: \Device\0000007e\, DriverName: \Driver\USBSTOR\

------------ End ----------

Done!

Performing system, memory and registry scan...

Done!

Scan finished

=======================================

Adw:

# AdwCleaner v2.011 - Logfile created 12/03/2012 at 16:45:00

# Updated 02/12/2012 by Xplode

# Operating system : Windows 7 Home Premium Service Pack 1 (32 bits)

# User : Sunshine - Sunshine-DELLPC

# Boot Mode : Normal

# Running from : C:\Users\Sunshine\Desktop\adwcleaner.exe

# Option [search]

***** [services] *****

***** [Files / Folders] *****

***** [Registry] *****

***** [internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16455

[OK] Registry is clean.

-\\ Mozilla Firefox v16.0.2 (en-US)

Profile name : default

File : C:\Users\Sunshine\AppData\Roaming\Mozilla\Firefox\Profiles\dd8pwjtk.default\prefs.js

[OK] File is clean.

Profile name : default

File : C:\Users\Brita\AppData\Roaming\Mozilla\Firefox\Profiles\csjd9y1v.default\prefs.js

[OK] File is clean.

Profile name : default

File : C:\Users\Andrea\AppData\Roaming\Mozilla\Firefox\Profiles\dzv61ltc.default\prefs.js

[OK] File is clean.

Profile name : default

File : C:\Users\Allison\AppData\Roaming\Mozilla\Firefox\Profiles\14jxg4lo.default\prefs.js

[OK] File is clean.

Profile name : default

File : C:\Users\Aric\AppData\Roaming\Mozilla\Firefox\Profiles\nqhj5m7h.default\prefs.js

[OK] File is clean.

Profile name : default

File : C:\Users\Homework\AppData\Roaming\Mozilla\Firefox\Profiles\nwh2p4r1.default\prefs.js

[OK] File is clean.

Profile name : default

File : C:\Users\Nels\AppData\Roaming\Mozilla\Firefox\Profiles\jsmge43r.default\prefs.js

[OK] File is clean.

Profile name : default

File : C:\Users\Nicole.Sunshine-DellPC\AppData\Roaming\Mozilla\Firefox\Profiles\1lgcdpwm.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v23.0.1271.95

File : C:\Users\Sunshine\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

File : C:\Users\Brita\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [1955 octets] - [03/12/2012 16:45:00]

########## EOF - C:\AdwCleaner[R1].txt - [2015 octets] ##########


Good afternoon Sunshine2. :)

Your logs don't show anything malicious.

Please run a free online scan with the ESET Online Scanner.

Note: You can use Internet Explorer or Mozilla Firefox for this scan.

  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start.
  • When asked, allow the ActiveX control to install.
  • Click Start.
  • Make sure that the option Remove found threats is unchecked and the option Scan unwanted applications is checked.
  • Click Scan.
  • Wait for the scan to finish.
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

How is your computer running? Nothing odd that you have observed?


My computer seems to be fine. After you helped me fix up the stuff I had in August, having Norton tell me it found something now made me want to be especially careful and thoroughly check things out.

ESET said it found:

C:\TDSSKiller_Quarantine\04.09.2012_08.54.31\mbr0000\tdlfs0000\tsk0004.dta Win64/Olmarik.AL trojan

C:\Users\Sunshine\AppData\Roaming\Mozilla\Firefox\Profiles\dd8pwjtk.default\user.js JS/SecurityDisabler.A.Gen application

The log it created is here:

ESETSmartInstaller@High as downloader log:

all ok

esets_scanner_update returned -1 esets_gle=53251

# version=8

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6844

# api_version=3.0.2

# EOSSerial=96e8bb531958f44dbdb058d69d0adfb5

# end=stopped

# remove_checked=false

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2012-12-04 03:33:03

# local_time=2012-12-04 09:33:03 (-0600, Central Standard Time)

# country="United States"

# lang=1033

# osver=6.1.7601 NT Service Pack 1

# compatibility_mode=3592 16777213 100 98 137825 105211279 0 0

# compatibility_mode=5893 16776574 66 85 6859084 106179974 0 0

# scanned=0

# found=0

# cleaned=0

# scan_time=3117

ESETSmartInstaller@High as downloader log:

all ok

esets_scanner_update returned -1 esets_gle=53251

# version=8

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6844

# api_version=3.0.2

# EOSSerial=96e8bb531958f44dbdb058d69d0adfb5

# end=stopped

# remove_checked=false

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2012-12-04 04:14:02

# local_time=2012-12-04 10:14:02 (-0600, Central Standard Time)

# country="United States"

# lang=1033

# osver=6.1.7601 NT Service Pack 1

# compatibility_mode=3592 16777213 100 98 0 105213738 0 0

# compatibility_mode=5893 16776574 66 85 6861543 106182433 0 0

# scanned=0

# found=0

# cleaned=0

# scan_time=2229


Hey Sunshine2. :)

Your user.js file in Firefox appears to be infected. Please note that you will need to recreate this file yourself as it does not exist by default.

Please navigate to: C:\Users\Sunshine\AppData\Roaming\Mozilla\Firefox\Profiles\dd8pwjtk.default\user.js and delete the file.

=====

Please download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

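The ComboFix log earlier in this thread lists the Firefox user.js entries (security.warn_viewing_mixed, security.warn_submit_insecure and their show_once variants set to false), and ESET later flagged that same file as JS/SecurityDisabler.A.Gen. The following is an added example, not code from the thread or from any of the tools mentioned in it: a small Python check that parses a user.js file and reports preferences that switch off a Firefox security warning. The sample file content is constructed from the entries in the log above, and the WEAKENING_PREFS table is an assumption of this example, not a vendor signature.

```python
import re

# Constructed sample modelled on the user.js entries the ComboFix log
# reported for the Firefox profile; this is not the poster's actual file.
SAMPLE_USER_JS = '''\
// user.js - constructed sample
user_pref("network.cookie.cookieBehavior", 0);
user_pref("privacy.clearOnShutdown.cookies", false);
user_pref("security.warn_viewing_mixed", false);
user_pref("security.warn_viewing_mixed.show_once", false);
user_pref("security.warn_submit_insecure", false);
user_pref("security.warn_submit_insecure.show_once", false);
user_pref("browser.startup.homepage", "about:home");
'''

# Preference names paired with the value that disables a Firefox warning.
# The names are taken from the log above plus two related warnings;
# treat the table as an assumption of this example, not a complete list.
WEAKENING_PREFS = {
    "security.warn_viewing_mixed": False,
    "security.warn_viewing_mixed.show_once": False,
    "security.warn_submit_insecure": False,
    "security.warn_submit_insecure.show_once": False,
    "security.warn_entering_weak": False,
    "security.warn_leaving_secure": False,
}

# Matches one well-formed line of the form  user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')


def parse_value(raw):
    """Convert the textual user_pref value into a Python bool, int or str."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    raise ValueError(f"unrecognised user_pref value: {raw!r}")


def parse_user_js(text):
    """Return a dict of preference name -> value for every user_pref line."""
    prefs = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("//"):
            continue  # blank line or comment
        m = PREF_RE.match(line)
        if not m:
            continue  # ignore lines that are not a well-formed user_pref
        prefs[m.group(1)] = parse_value(m.group(2))
    return prefs


def find_weakened_prefs(prefs):
    """Names of preferences set to the value that disables a warning."""
    # 'is' rather than '==' so that an integer 0 is not mistaken for False.
    return sorted(name for name, bad in WEAKENING_PREFS.items()
                  if name in prefs and prefs[name] is bad)


def scan_user_js_file(path):
    """Read a user.js from disk and return the weakened preference names."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_weakened_prefs(parse_user_js(fh.read()))


if __name__ == "__main__":
    # Run against the constructed sample; pass a real profile path to
    # scan_user_js_file() to check an actual file.
    for name in find_weakened_prefs(parse_user_js(SAMPLE_USER_JS)):
        print("warning disabled by user.js:", name)
```

A user.js is applied every time Firefox starts, so the prefs it sets override anything chosen in the browser's own settings dialog; that is why a file the user never created is worth checking. Note that the profile directory lives under AppData, which Windows Explorer hides by default, which is the reason the file only turned up via search in the reply below.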

Weird. I couldn't go through Windows Explorer to find that file, I had to search for it. It was modified yesterday and had a .bak file too. I deleted them both - I hadn't ever created it myself. Looks like some people use it for Firefox preferences; I'm not remembering using it.

Here is the checkup.txt:

Results of screen317's Security Check version 0.99.56

Windows 7 Service Pack 1 x86 (UAC is enabled)

Internet Explorer 9

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

Norton 360

WMI entry may not exist for antivirus; attempting automatic update.

`````````Anti-malware/Other Utilities Check:`````````

Scholastic's I SPY Junior

SpywareBlaster 4.6

Spybot - Search & Destroy

Malwarebytes Anti-Malware version 1.65.1.1000

Java 7 Update 9

Adobe Flash Player 11.4.402.287

Adobe Reader 10.1.4 Adobe Reader out of Date!

Mozilla Firefox 16.0.2 Firefox out of Date!

Google Chrome 21.0.1180.83

Google Chrome 21.0.1180.89

Google Chrome 22.0.1229.79

Google Chrome 22.0.1229.92

Google Chrome 22.0.1229.94

Google Chrome 23.0.1271.64

Google Chrome 23.0.1271.91

Google Chrome 23.0.1271.95

````````Process Check: objlist.exe by Laurent````````

Norton ccSvcHst.exe

Spybot Teatimer.exe is disabled!

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 5%

````````````````````End of Log``````````````````````

Hey Sunshine2.

Oh, that's a hidden file/folder thing. Got it.

My apologies. I should have mentioned it.

Your version of Adobe Reader is out of date. It could have security vulnerabilities, so please follow these instructions to update it:

  • Please go to Start>All Programs>Adobe Reader.
  • Open Adobe Reader and navigate to Help>Check for Updates.
  • Please follow the prompts to install the latest version.

Also, your version of Mozilla Firefox is out of date. Please do the following to update it:

  • Go to Start>All Programs>Mozilla Firefox.
  • Click Firefox>Help>About Firefox.
  • Let it search for any updates and install them when found.
  • Please restart your computer if prompted.

=====

In your reply please let me know how the updates go.

Hello Sunshine2. :)

Often that is the case. :P

A little housekeeping to uninstall ComboFix:

Please click Start>Run and copy/paste the following text, including the space between "ComboFix" and "/uninstall", into the Run box and click OK:

ComboFix /uninstall

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

And AdwCleaner:

  • Please double click on adwcleaner.exe to run the tool.
  • Click on Uninstall.
  • Confirm with Yes.

You may use the ESET uninstaller for the ESET online scan.

Right-click the Recycle Bin and please select Empty Recycle Bin.

=====

Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future. :thumbup:

IMPORTANT: Please enable Automatic Updates under Start > Control Panel > Automatic Updates to ensure your Windows updates regularly. This is extremely important in ensuring you remain protected against vulnerabilities and infections. This is a crucial security measure.

As a minimum, you need at least an antivirus, firewall and some type of anti-spyware program.

Please consider installing and running the following program (there is a free version available):

SpywareBlaster

A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster, can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you may be able to find out if it is a rogue here:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

A similar category of programs is now called "scareware." Scareware programs are active infections that will pop-up on your computer and tell you that you are infected. If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection updated and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible. These programs are also sometimes called 'rogues', but they are different than the older version of rogues mentioned above.

Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and Add-ons, like Adblock Plus and NoScript, can make it even more secure. To avoid dangerous sites Web of Trust or McAfee SiteAdvisor can be installed. Google Chrome or Opera are other good options.

Two useful programs for keeping your programs up-to-date are FileHippo or Secunia PSI. Running one of these regularly will help you obtain the latest program updates.

Please also read Tony Klein's excellent article: How did I get infected in the first place.

Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help. :)

  • 2 weeks later...

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
