
Norton keeps blocking something, please help.



Hi,

My PC appears to be infected with spyware of some kind. When I am surfing the internet, I keep getting alerts from Norton saying that "a recent attempt to attack your computer has been blocked." This probably happens about 2-3 times per hour. I am running the free version of Norton 360 from Comcast.

My PC doesn't seem to be experiencing any other problems, but it can't be trusted right now. Do you have any suggestions?

I have attached recent logs from MB and HJT. I ran them in the last day or so. I've also attached a screenshot of the Norton security activity. Any help you can give me will be great, even if you point me to some free spyware scanning tools.

Thanks,

Josh


mbam_log_2010_06_20__02_49_54_.txt

2010_06_21_hijackthis.txt


  • Staff

Hi and welcome to Malwarebytes.

Please paste logs directly into your reply instead of attaching them.

First, please update MBAM, run a Quick Scan, and post its log.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has finished, two logs will be produced; please post the one that is not minimized.


Hi screen317,

Thanks for your reply, and I'm sorry for my late response. I updated MBAM and ran a quick scan. I also ran DDS as instructed. Both logs are pasted below. The DDS log that I pasted was called DDS.txt (not minimized).

Thanks!

MBAM...

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4230

Windows 5.1.2600 Service Pack 2

Internet Explorer 6.0.2900.2180

6/23/2010 5:20:42 PM

mbam-log-2010-06-23 (17-20-42).txt

Scan type: Quick scan

Objects scanned: 134397

Time elapsed: 29 minute(s), 22 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

DDS...

DDS (Ver_10-03-17.01) - NTFSx86

Run by Compaq_Owner at 1:03:25.56 on Thu 06/24/2010

Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_02

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.447.162 [GMT -4:00]

AV: Norton Security Suite *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton Security Suite *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Compaq_Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.altavista.com/

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop

uInternet Connection Wizard,ShellNext = hxxp://www.symantec.com/techsupp/servlet/ProductMessages?product=LU&version=2.5&language=English&module=LU&error=1848&build=Symantec

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\3.8.0.41\coIEPlg.dll

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\3.8.0.41\IPSBHO.DLL

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll

TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\3.8.0.41\coIEPlg.dll

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil9f.exe

IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL

DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton security suite\engine\3.8.0.41\CoIEPlg.dll

Notify: igfxcui - igfxsrvc.dll

mASetup: {c23dd370-cb79-11d2-898a-00c04f80a47f} - rundll32.exe advpack.dll,LaunchINFSectionEx %SystemRoot%\INF\toolimg.inf,PerUserStub.Install,,260

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\compaq~1\applic~1\mozilla\firefox\profiles\nhhdhogr.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com

FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll

FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308000.029\SymEFA.sys [2010-2-25 310320]

R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0308000.029\BHDrvx86.sys [2010-2-25 259632]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0308000.029\cchpx86.sys [2010-2-25 482432]

R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100623.001\IDSXpx86.sys [2010-6-23 331640]

R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\3.8.0.41\ccSvcHst.exe [2010-2-25 117640]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-29 102448]

R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100623.024\NAVENG.SYS [2010-6-23 85552]

R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100623.024\NAVEX15.SYS [2010-6-23 1347504]

S0 IFP300;iRiver Internet Audio Player IFP-300;c:\windows\system32\drivers\ifp300.sys --> c:\windows\system32\drivers\ifp300.sys [?]

S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2008-4-27 40960]

S3 NUVision;NUVision II Video Service;c:\windows\system32\drivers\nuvvid2.sys [2006-1-4 153760]

S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]

=============== Created Last 30 ================

==================== Find3M ====================

2010-04-29 19:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 19:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-03 01:45:15 64824 ---ha-w- c:\windows\system32\mlfcache.dat

2010-02-16 06:24:15 336 ----a-w- c:\program files\temp995.bat

2005-02-05 00:43:06 0 --sha-w- c:\windows\sminst\HPCD.SYS

============= FINISH: 1:04:44.34 ===============

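Added example, not part of the thread and not code from the DDS, ComboFix or Malwarebytes tools: a small Python triage pass over the DDS "Pseudo HJT Report" and "SERVICES / DRIVERS" line formats posted above. The sample lines are copied from the shape of the log in this post, trimmed to a dozen entries, and are not a complete log. The checks encode what a helper scans for first: an AV/FW line that reports itself disabled, a BHO or toolbar registration whose file is gone ("No File"), a driver entry DDS could not read the date and size of (the "path --> path [?]" form), the hosts behind start/search pages and ActiveX (DPF) downloads, proxy settings, and any Java runtime version visible in the paths. The severity labels and the reading of "[?]" as "file could not be examined" are this example's assumptions, not something the tools define.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity kind detail")

# Constructed sample: a dozen lines in the DDS "Pseudo HJT Report" and
# "SERVICES / DRIVERS" shape, as in the log posted above. Not a full log.
SAMPLE_LOG = r"""
AV: Norton Security Suite *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
uStart Page = hxxp://www.altavista.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
uInternet Settings,ProxyOverride = *.local
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\3.8.0.41\coIEPlg.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308000.029\SymEFA.sys [2010-2-25 310320]
S0 IFP300;iRiver Internet Audio Player IFP-300;c:\windows\system32\drivers\ifp300.sys --> c:\windows\system32\drivers\ifp300.sys [?]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]
"""

# "R0 Name;Description;path [date size]" / "S3 Name;Description;path --> path [?]"
DRIVER_RE = re.compile(r"^([RS][0-4])\s+([^;]+);([^;]*);(.*)$")
# DDS defangs http:// to hxxp://; accept both spellings.
URL_RE = re.compile(r"h(?:tt|xx)ps?://([^/\s]+)", re.IGNORECASE)
# jre1.6.0_02 in a BHO path, jinstall-1_6_0_02 in a DPF cab name.
JAVA_RE = re.compile(r"(?:jre|jinstall-)(\d+)[._](\d+)[._](\d+)_(\d+)", re.IGNORECASE)


def triage(log_text):
    """Walk the log line by line and collect the entries a helper reviews first."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        # 1. A security product that reports itself disabled (ComboFix turns
        #    real-time protection off while it runs, so read this in context).
        if line.startswith(("AV:", "FW:")) and "disabled" in line.lower():
            findings.append(Finding("high", "protection-disabled", line))

        # 2. Registered browser components whose file is gone.
        if line.startswith(("BHO:", "TB:", "mRun:", "uRun:")) and line.endswith("No File"):
            findings.append(Finding("medium", "orphaned-entry", line))

        # 3. Driver/service entries whose file DDS could not examine ("[?]").
        m = DRIVER_RE.match(line)
        if m and m.group(4).rstrip().endswith("[?]"):
            path = m.group(4).split(" --> ")[0]
            findings.append(Finding("medium", "driver-file-missing",
                                    "%s %s: %s" % (m.group(1), m.group(2), path)))

        # 4. Hosts behind start/search pages and ActiveX (DPF) downloads.
        if line.startswith(("uStart Page", "mStart Page", "uDefault_Search_URL",
                            "mSearch Bar", "DPF:")):
            for host in URL_RE.findall(line):
                findings.append(Finding("info", "browser-host", host))

        # 5. Proxy settings are a classic hijack point; always surface them.
        if "ProxyServer" in line or "ProxyOverride" in line:
            findings.append(Finding("info", "proxy-setting", line))

        # 6. Any Java runtime version visible in BHO/DPF paths.
        jm = JAVA_RE.search(line)
        if jm:
            findings.append(Finding("info", "java-version", "%s.%s.%s_%s" % jm.groups()))
    return findings


def summarize(findings):
    """Count findings per severity so the high ones are read first."""
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    order = ("high", "medium", "info")
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: order.index(f.severity)):
        print("[%-6s] %s: %s" % (f.severity, f.kind, f.detail))
    print(summarize(triage(SAMPLE_LOG)))
```

Run against the full DDS text rather than the sample, the script only narrows the reading list: a "No File" toolbar or an unreadable driver is a lead to check, not a verdict, and a helper still walks the remaining entries by hand.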

Hi,

I will run ComboFix as soon as I am able to. I am going to be busy for the next two days. On Monday, I will run Combofix and DDS and post the logs for you. Thanks again and I will get back to you.

Josh

Hi,

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317


Hi screen317,

I'm sorry for the delayed response. I ran ComboFix and DDS as you suggested. I have posted the logs below. Please get back to me with the next instructions. Thank you so much.

Josh

ComboFix:--------------------------------------------------------

ComboFix 10-06-29.02 - Compaq_Owner 06/29/2010 17:22:09.2.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.447.156 [GMT -4:00]

Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe

AV: Norton Security Suite *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton Security Suite *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\fsc.txt

Infected copy of c:\windows\system32\drivers\Fasttx2k.sys was found and disinfected

Restored copy from - Kitty had a snack :D

.

((((((((((((((((((((((((( Files Created from 2010-05-28 to 2010-06-29 )))))))))))))))))))))))))))))))

.

No new files created in this timespan

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-05-30 03:43 . 2007-08-18 03:32 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\uTorrent

2010-05-25 01:14 . 2009-12-07 02:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-16 04:12 . 2010-05-16 04:12 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\SharePod

2010-04-29 19:39 . 2009-12-07 02:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 19:39 . 2009-12-07 02:01 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-03 01:45 . 2010-04-03 01:45 64824 ---ha-w- c:\windows\system32\mlfcache.dat

2010-02-16 06:24 . 2010-02-16 06:24 336 ----a-w- c:\program files\temp995.bat

2005-02-05 00:43 . 2005-02-09 00:21 0 --sha-w- c:\windows\SMINST\HPCD.SYS

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil9f.exe" [2008-03-25 218496]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]

@="FSFilter Activity Monitor"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk

backup=c:\windows\pss\Exif Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2008-01-12 02:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]

2005-03-04 16:01 88209 ----a-w- c:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]

2004-09-08 03:47 57344 ----a-w- c:\windows\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCS2Service]

2004-12-16 21:49 49152 ----a-w- c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2004-08-04 10:00 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link AirPlus G]

2005-03-29 15:41 1245184 ----a-w- c:\program files\D-Link\AirPlus G\AirGCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A920]

2004-04-15 08:32 270336 ----a-w- c:\program files\Dell AIO Printer A920\dlbkbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]

1998-05-07 23:04 52736 ----a-w- c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

2004-08-21 05:55 155648 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]

2004-04-18 02:41 196608 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]

2004-04-13 20:07 69632 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2010-02-15 22:07 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]

2003-02-12 03:02 61440 ----a-w- c:\hp\KBD\kbd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]

2004-10-15 04:54 253952 ----a-w- c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]

2010-04-29 19:39 1090952 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2001-07-09 14:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]

2003-09-13 03:13 98304 ----a-w- c:\windows\system32\ps2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-11-11 03:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]

2004-04-15 03:43 233472 ----a-w- c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]

2002-02-05 02:32 53248 ------w- c:\program files\REGSHAVE\REGSHAVE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSPower]

2005-04-12 15:31 49152 ----a-w- c:\windows\system32\SiSPower.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2007-07-12 08:00 132496 ----a-w- c:\program files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2004-10-20 14:25 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\msncall.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe [2/25/2010 10:55 PM 117640]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/29/2010 4:00 AM 102448]

S0 IFP300;iRiver Internet Audio Player IFP-300;c:\windows\system32\DRIVERS\ifp300.sys --> c:\windows\system32\DRIVERS\ifp300.sys [?]

S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SYMEFA.SYS --> c:\windows\system32\drivers\N360\0308000.029\SYMEFA.SYS [?]

S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\Drivers\N360\0308000.029\BHDrvx86.sys --> c:\windows\system32\Drivers\N360\0308000.029\BHDrvx86.sys [?]

S1 ccHP;Symantec Hash Provider;c:\windows\system32\Drivers\N360\0308000.029\ccHPx86.sys --> c:\windows\system32\Drivers\N360\0308000.029\ccHPx86.sys [?]

S1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100625.001\IDSXpx86.sys [6/25/2010 11:21 PM 331640]

S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [4/27/2008 12:27 AM 40960]

S3 NUVision;NUVision II Video Service;c:\windows\system32\drivers\nuvvid2.sys [1/4/2006 9:39 PM 153760]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{c23dd370-cb79-11d2-898a-00c04f80a47f}]

2004-08-04 10:00 99840 ----a-w- c:\windows\system32\advpack.dll

.

Contents of the 'Scheduled Tasks' folder

2010-06-29 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.altavista.com/

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop

uInternet Connection Wizard,ShellNext = hxxp://www.symantec.com/techsupp/servlet/ProductMessages?product=LU&version=2.5&language=English&module=LU&error=1848&build=Symantec

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\nhhdhogr.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com

FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll

FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 10);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-UpdateManager - c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-29 17:29

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]

"ImagePath"="\"c:\program files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1966917074-588807719-325630507-1009\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

Completion time: 2010-06-29 17:34:24

ComboFix-quarantined-files.txt 2010-06-29 21:34

Pre-Run: 1,009,491,968 bytes free

Post-Run: 1,015,791,616 bytes free

- - End Of File - - 9EA80291DF98A6102757FC2ED1F9DB53

DDS:---------------------------------------------------------------------

DDS (Ver_10-03-17.01) - NTFSx86

Run by Compaq_Owner at 17:41:21.50 on Tue 06/29/2010

Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_02

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.447.113 [GMT -4:00]

AV: Norton Security Suite *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton Security Suite *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

svchost.exe

C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Compaq_Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.altavista.com/

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop

uInternet Connection Wizard,ShellNext = hxxp://www.symantec.com/techsupp/servlet/ProductMessages?product=LU&version=2.5&language=English&module=LU&error=1848&build=Symantec

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\3.8.0.41\coIEPlg.dll

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\3.8.0.41\IPSBHO.DLL

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll

TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\3.8.0.41\coIEPlg.dll

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil9f.exe

IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL

DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton security suite\engine\3.8.0.41\CoIEPlg.dll

Notify: igfxcui - igfxsrvc.dll

mASetup: {c23dd370-cb79-11d2-898a-00c04f80a47f} - rundll32.exe advpack.dll,LaunchINFSectionEx %SystemRoot%\INF\toolimg.inf,PerUserStub.Install,,260

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\compaq~1\applic~1\mozilla\firefox\profiles\nhhdhogr.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com

FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll

FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 10);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\3.8.0.41\ccSvcHst.exe [2010-2-25 117640]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-29 102448]

S0 IFP300;iRiver Internet Audio Player IFP-300;c:\windows\system32\drivers\ifp300.sys --> c:\windows\system32\drivers\ifp300.sys [?]

S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308000.029\symefa.sys --> c:\windows\system32\drivers\n360\0308000.029\SYMEFA.SYS [?]

S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0308000.029\bhdrvx86.sys --> c:\windows\system32\drivers\n360\0308000.029\BHDrvx86.sys [?]

S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0308000.029\cchpx86.sys --> c:\windows\system32\drivers\n360\0308000.029\ccHPx86.sys [?]

S1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100625.001\IDSXpx86.sys [2010-6-25 331640]

S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2008-4-27 40960]

S3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100629.002\NAVENG.SYS [2010-6-29 85552]

S3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100629.002\NAVEX15.SYS [2010-6-29 1347504]

S3 NUVision;NUVision II Video Service;c:\windows\system32\drivers\nuvvid2.sys [2006-1-4 153760]

S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]

=============== Created Last 30 ================

2010-06-29 21:12:29 98816 ----a-w- c:\windows\sed.exe

2010-06-29 21:12:29 77312 ----a-w- c:\windows\MBR.exe

2010-06-29 21:12:29 256512 ----a-w- c:\windows\PEV.exe

2010-06-29 21:12:29 161792 ----a-w- c:\windows\SWREG.exe

==================== Find3M ====================

2010-04-03 01:45:15 64824 ---ha-w- c:\windows\system32\mlfcache.dat

2010-02-16 06:24:15 336 ----a-w- c:\program files\temp995.bat

2005-02-05 00:43:06 0 --sha-w- c:\windows\sminst\HPCD.SYS

============= FINISH: 17:41:40.03 ===============


Here are the contents of that file...

-----------------------

:again

del "C:\Program Files\pdf995\res\utilities\thinsetup.exe"

if exist C:\Program Files\pdf995\res\utilities\thinsetup.exe goto again

rmdir /Q "C:\Program Files\pdf995\res\utilities"

rmdir /Q "C:\Program Files\pdf995\res"

rmdir /Q "C:\Program Files\pdf995"

rmdir /Q C:\Program Files\pdf995

del "C:\Program Files\temp995.bat"

----------------------------

Thanks,

Josh


  • Staff

Hi Josh,

Please go to VirusTotal, and upload the following file for analysis:

c:\windows\system32\advpack.dll

Post the results in your reply.

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button.
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317

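The file check screen317 asks for above can also be done locally. The script below is an added example and is not part of the thread or of any tool mentioned in it. It assumes a Windows machine with PowerShell 4 or later (for Get-FileHash), which the XP system in this thread would not have; the expected SHA256 is the one VirusTotal reported for Josh's copy of advpack.dll later in the thread, and a copy from a different Windows or IE version will normally hash differently, so a mismatch means "look the hash up", not "the file is malicious".

```powershell
# Added example (not from the thread): local sanity check of a Windows system DLL
# alongside a VirusTotal lookup. Assumes PowerShell 4+ on Windows 8 or later.
function Test-SystemDll {
    param(
        # Default target is the file screen317 asked about.
        [string]$Path = (Join-Path $env:SystemRoot 'System32\advpack.dll'),
        # SHA256 that VirusTotal reported for the poster's copy (taken from this thread).
        [string]$ExpectedSha256 = '4ba6c93bfd43baeb852b5cb9129522c97ddb542d7ef8ee34aecd8cdf1bf0fc38'
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

    $item = Get-Item -LiteralPath $Path

    # The three hashes VirusTotal prints, so a report can be matched to the local file.
    $hashes = @{}
    foreach ($alg in 'MD5', 'SHA1', 'SHA256') {
        $hashes[$alg] = (Get-FileHash -LiteralPath $Path -Algorithm $alg).Hash.ToLower()
    }

    # Windows system files are usually catalog-signed rather than carrying an embedded
    # Authenticode signature. Tools that only look for an embedded signature report
    # "Unsigned" (as VirusTotal's sigcheck did for this file); Get-AuthenticodeSignature
    # on Windows 8 and later also consults the security catalogs, so "Valid" here with a
    # Microsoft signer is the expected result for a genuine system DLL.
    $sig = Get-AuthenticodeSignature -FilePath $Path

    [pscustomobject]@{
        Path            = $item.FullName
        SizeBytes       = $item.Length
        FileVersion     = $item.VersionInfo.FileVersion
        MD5             = $hashes['MD5']
        SHA1            = $hashes['SHA1']
        SHA256          = $hashes['SHA256']
        MatchesExpected = ($hashes['SHA256'] -eq $ExpectedSha256.ToLower())
        SignatureStatus = $sig.Status   # Valid / NotSigned / HashMismatch / ...
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '-' }
    }
}

Test-SystemDll | Format-List
```

The two results worth reading together are SignatureStatus and MatchesExpected: a genuine system file shows a valid Microsoft catalog signature even when its hash is not the one in somebody else's report, whereas a file with a matching version string but NotSigned or HashMismatch status is the case that deserves a VirusTotal upload and a closer look.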

screen317,

I'm sorry I haven't written back in 4 days. It was due to the holiday weekend.

I read your latest instructions. I'm having trouble getting my Norton to start up. I'm a little hesitant to connect my PC to the internet to perform your suggested tests, until I get Norton to come back on. The problem started after I disabled Norton to run ComboFix. I wonder if ComboFix messed something up??? I'll try to see if I can get it back on tonight.

When I get Norton back, I will perform the suggested tests and post the results here.

Thanks for your patience.

Josh


  • Staff

Hi,

From the looks of things, ComboFix didn't touch Norton; then again, with the infection you had, it wouldn't surprise me if it was the infection that was screwing with Norton. It may be worth reinstalling (or, my personal recommendation, uninstall it completely and get a great, free antivirus like Microsoft Security Essentials).


Chris,

Once again, I'm sorry for my delayed response. I was able to uninstall and reinstall Norton on my PC and reconnect it to the internet. It appears that I am back in business for the time being. I completed your previous instructions and the results are below. Please look this over and let me know what to do next. Things appear to be running better, since I have not seen any intrusion notifications yet. I'll keep my fingers crossed.

Thanks,

Josh

Virustotal---------------------------

File advpack.dll received on 2010.07.14 04:26:51 (UTC)


Result: 0/42 (0%)


Antivirus Version Last Update Result

a-squared 5.0.0.31 2010.07.14 -

AhnLab-V3 2010.07.14.00 2010.07.13 -

AntiVir 8.2.4.10 2010.07.13 -

Antiy-AVL 2.0.3.7 2010.07.12 -

Authentium 5.2.0.5 2010.07.14 -

Avast 4.8.1351.0 2010.07.13 -

Avast5 5.0.332.0 2010.07.13 -

AVG 9.0.0.836 2010.07.13 -

BitDefender 7.2 2010.07.14 -

CAT-QuickHeal 11.00 2010.07.14 -

ClamAV 0.96.0.3-git 2010.07.14 -

Comodo 5419 2010.07.14 -

DrWeb 5.0.2.03300 2010.07.14 -

eSafe 7.0.17.0 2010.07.11 -

eTrust-Vet 36.1.7704 2010.07.13 -

F-Prot 4.6.1.107 2010.07.14 -

F-Secure 9.0.15370.0 2010.07.14 -

Fortinet 4.1.143.0 2010.07.13 -

GData 21 2010.07.14 -

Ikarus T3.1.1.84.0 2010.07.14 -

Jiangmin 13.0.900 2010.07.13 -

Kaspersky 7.0.0.125 2010.07.14 -

McAfee 5.400.0.1158 2010.07.14 -

McAfee-GW-Edition 2010.1 2010.07.13 -

Microsoft 1.5902 2010.07.13 -

NOD32 5276 2010.07.13 -

Norman 6.05.11 2010.07.13 -

nProtect 2010-07-13.01 2010.07.13 -

Panda 10.0.2.7 2010.07.13 -

PCTools 7.0.3.5 2010.07.14 -

Prevx 3.0 2010.07.14 -

Rising 22.56.02.01 2010.07.14 -

Sophos 4.55.0 2010.07.14 -

Sunbelt 6578 2010.07.14 -

SUPERAntiSpyware 4.40.0.1006 2010.07.14 -

Symantec 20101.1.1.7 2010.07.14 -

TheHacker 6.5.2.1.313 2010.07.13 -

TrendMicro 9.120.0.1004 2010.07.13 -

TrendMicro-HouseCall 9.120.0.1004 2010.07.14 -

VBA32 3.12.12.6 2010.07.13 -

ViRobot 2010.7.12.3932 2010.07.14 -

VirusBuster 5.0.27.0 2010.07.13 -

Additional information

File size: 128512 bytes

MD5...: 8fed1e0a491d4990853d23f21c59c730

SHA1..: 42aed9decc353e31b4de871fd1ea7137c3c2fff0

SHA256: 4ba6c93bfd43baeb852b5cb9129522c97ddb542d7ef8ee34aecd8cdf1bf0fc38

ssdeep: 3072:nXwogDrxQxCzFCTU/mPvUq5Dij8WCyqJHJlykCjr1dspHmFdaspPf:XwoIxQEiHVG8W+rCjr1mpGFVf

PEiD..: -

PEInfo: PE Structure information

( base data )

entrypointaddress.: 0x1496

timedatestamp.....: 0x49b3acdc (Sun Mar 08 11:32:44 2009)

machinetype.......: 0x14c (I386)

( 4 sections )

name viradd virsiz rawdsiz ntrpy md5

.text 0x1000 0x1be40 0x1c000 6.15 f46044ac630e680ffbd7ee12e684733b

.data 0x1d000 0xdc94 0xe00 3.35 1bfd5d63e837a69ec02876b543b3b918

.rsrc 0x2b000 0x808 0xa00 3.81 35136ae4a6c2e02145678f1afa3b2ebb

.reloc 0x2c000 0x189c 0x1a00 6.58 127aea3ea334b85118f610894aea36f1

( 9 imports )

> msvcrt.dll: malloc, _XcptFilter, free, _ultow, _setjmp3, longjmp, _wtoi, _wtol, _vsnprintf, _vsnwprintf, memcpy, memmove, _amsg_exit, _adjust_fdiv, _initterm, wcsncmp, _wcsicmp, _wcsnicmp, bsearch, memset

> USER32.dll: SendMessageW, SetWindowPos, SendDlgItemMessageW, LoadStringW, CharNextW, ReleaseDC, GetDC, GetWindowRect, CharPrevW, CharUpperW, GetSystemMetrics, MessageBoxW, MessageBeep, DispatchMessageW, MsgWaitForMultipleObjects, PeekMessageW, ExitWindowsEx, EndDialog, EnableWindow, GetDlgItem, SetWindowTextW, GetDesktopWindow, GetDlgItemTextW, SetDlgItemTextW, DialogBoxParamW, OemToCharA, IsWindow, ShowWindow, DestroyWindow, UpdateWindow, CreateDialogParamW, CharNextA

> GDI32.dll: CreateFontIndirectW, GetObjectW, GetStockObject, GetDeviceCaps, DeleteObject

> KERNEL32.dll: GetDiskFreeSpaceW, MulDiv, EnumResourceLanguagesW, MultiByteToWideChar, WideCharToMultiByte, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, RtlUnwind, InterlockedCompareExchange, InterlockedExchange, GetFileTime, ReadFile, SetFileTime, WritePrivateProfileSectionW, GetProfileStringW, lstrcmpiA, GetProcessHeap, HeapAlloc, GetLocalTime, HeapFree, GetFullPathNameW, GetSystemInfo, SearchPathW, GetPrivateProfileIntW, FindFirstFileW, FindNextFileW, FindClose, lstrcmpiW, GetCurrentProcess, GetSystemDirectoryW, MoveFileW, MoveFileExW, CopyFileW, GetPrivateProfileSectionW, CreateProcessW, CreateDirectoryW, SetFileAttributesW, GetVolumeInformationW, CompareStringW, ExpandEnvironmentStringsW, GetShortPathNameW, FormatMessageW, RemoveDirectoryW, CreateFileMappingW, MapViewOfFileEx, SetLastError, GetUserDefaultUILanguage, LoadLibraryExW, LoadLibraryW, FindResourceExW, MapViewOfFile, GetLocaleInfoW, GetSystemDefaultUILanguage, Sleep, UnmapViewOfFile, GetLastError, lstrlenW, GetDriveTypeW, LocalFree, GetEnvironmentVariableW, CloseHandle, WriteFile, CreateFileW, WritePrivateProfileStringW, LockResource, LoadResource, SizeofResource, FindResourceW, GetTempFileNameW, GetWindowsDirectoryW, GetTempPathW, LocalAlloc, lstrlenA, SetFilePointer, GetModuleFileNameW, DeleteFileW, LocalReAlloc, GetVersionExW, DisableThreadLibraryCalls, lstrcmpW, GetPrivateProfileStringW, FreeLibrary, GetFileAttributesW, GetProcAddress, GetFileSize

> ADVAPI32.dll: RegFlushKey, RegQueryValueExW, RegCreateKeyExW, RegOpenKeyExW, RegQueryInfoKeyW, RegOpenKeyExA, RegQueryValueExA, RegEnumKeyW, RegUnLoadKeyW, RegLoadKeyW, RegSaveKeyW, RegCloseKey, RegDeleteKeyW, EqualSid, GetTokenInformation, RegDeleteValueW, AllocateAndInitializeSid, FreeSid, RegEnumValueW, RegSetValueW, RegSetValueExW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges

> ole32.dll: OleInitialize, OleUninitialize, CoTaskMemFree

> VERSION.dll: GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

> SETUPAPI.dll: SetupCloseInfFile, SetupDefaultQueueCallbackW, SetupOpenAppendInfFileW, SetupOpenInfFileW, SetupSetDirectoryIdW, SetupGetLineTextW, SetupFindNextLine, SetupFindFirstLineW, SetupGetStringFieldW, SetupCloseFileQueue, SetupTermDefaultQueueCallback, SetupCommitFileQueueW, SetupInitDefaultQueueCallbackEx, SetupQueueCopyW, SetupOpenFileQueue, SetupInstallFromInfSectionW

> SHLWAPI.dll: StrStrIW, StrChrW, PathAddBackslashW, -, -, StrRChrW, PathFileExistsW, PathAppendW, PathRemoveFileSpecW, PathBuildRootW, PathCombineW

( 84 exports )

AddDelBackupEntry, AddDelBackupEntryA, AddDelBackupEntryW, AdvInstallFile, AdvInstallFileA, AdvInstallFileW, CloseINFEngine, DelNode, DelNodeA, DelNodeRunDLL32, DelNodeRunDLL32A, DelNodeRunDLL32W, DelNodeW, DoInfInstall, DoInfInstallA, DoInfInstallW, ExecuteCab, ExecuteCabA, ExecuteCabW, ExtractFiles, ExtractFilesA, ExtractFilesW, FileSaveMarkNotExist, FileSaveMarkNotExistA, FileSaveMarkNotExistW, FileSaveRestore, FileSaveRestoreA, FileSaveRestoreOnINF, FileSaveRestoreOnINFA, FileSaveRestoreOnINFW, FileSaveRestoreW, GetVersionFromFile, GetVersionFromFileA, GetVersionFromFileEx, GetVersionFromFileExA, GetVersionFromFileExW, GetVersionFromFileW, IsNTAdmin, LaunchINFSection, LaunchINFSectionA, LaunchINFSectionEx, LaunchINFSectionExA, LaunchINFSectionExW, LaunchINFSectionW, NeedReboot, NeedRebootInit, OpenINFEngine, OpenINFEngineA, OpenINFEngineW, RebootCheckOnInstall, RebootCheckOnInstallA, RebootCheckOnInstallW, RegInstall, RegInstallA, RegInstallW, RegRestoreAll, RegRestoreAllA, RegRestoreAllW, RegSaveRestore, RegSaveRestoreA, RegSaveRestoreOnINF, RegSaveRestoreOnINFA, RegSaveRestoreOnINFW, RegSaveRestoreW, RegisterOCX, RegisterOCXW, RunSetupCommand, RunSetupCommandA, RunSetupCommandW, SetPerUserSecValues, SetPerUserSecValuesA, SetPerUserSecValuesW, TranslateInfString, TranslateInfStringA, TranslateInfStringEx, TranslateInfStringExA, TranslateInfStringExW, TranslateInfStringW, UserInstStubWrapper, UserInstStubWrapperA, UserInstStubWrapperW, UserUnInstStubWrapper, UserUnInstStubWrapperA, UserUnInstStubWrapperW

RDS...: NSRL Reference Data Set

-

pdfid.: -

trid..: Win64 Executable Generic (59.6%)

Win32 Executable MS Visual C++ (generic) (26.2%)

Win32 Executable Generic (5.9%)

Win32 Dynamic Link Library (generic) (5.2%)

Generic Win/DOS Executable (1.3%)

sigcheck:

publisher....: Microsoft Corporation

copyright....: © Microsoft Corporation. All rights reserved.

product......: Windows_ Internet Explorer

description..: ADVPACK

original name: ADVPACK.DLL

internal name: ADVPACK.DLL

file version.: 8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

comments.....: n/a

signers......: -

signing date.: -

verified.....: Unsigned

F-Secure------------------------

Scanning Report

Wednesday, July 14, 2010 01:06:16 - 01:20:44

Computer name: IPAQ

Scanning type: Quick scan

Target: System

--------------------------------------------------------------------------------

1 malware found

TrackingCookie.Yieldmanager (spyware)

System (Disinfected)

--------------------------------------------------------------------------------

Statistics

Scanned:

Files: 3890

System: 3890

Not scanned: 0

Actions:

Disinfected: 1

Renamed: 0

Deleted: 0

Not cleaned: 0

Submitted: 0

--------------------------------------------------------------------------------

Options

Scanning engines:

--------------------------------------------------------------------------------


Okay, I ran DDS again. Below is the attach.txt log.

Josh

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume1

Install Date: 2/8/2005 7:40:55 PM

System Uptime: 7/14/2010 3:45:31 PM (2 hours ago)

Motherboard: ASUSTek Computer INC. | | Salmon

Processor: AMD Sempron Processor 3100+ | Socket 754 | 1808/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 77 GiB total, 2.186 GiB free.

E: is CDROM ()

F: is Removable

G: is Removable

H: is Removable

I: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP97: 7/13/2010 9:35:38 PM - Software Distribution Service 3.0

RP98: 7/14/2010 3:08:14 AM - Software Distribution Service 3.0

==== Installed Programs ======================


  • Staff

Hi Josh,

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall.

This uninstalls all of ComboFix's components.

Delete SecurityCheck and DDS.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following programs (if present):

Java


Chris,

Thanks for all of your help! I uninstalled those programs and I will get the latest Java and Adobe Reader versions. I also removed DDS, Security Check and ComboFix.

Everything appears to be running correctly now. I haven't seen any Norton alerts since I ran all of this.

Anything else you would suggest? Thanks a million!

Josh


  • Staff

Hi Josh,

Things are looking good from here. :)

If you are not experiencing any other issues, then now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

2) Download and install IE-Spyad, which will place over 5000 'bad' sites on your Internet Explorer Restricted List. A tutorial on it can be found here.

3) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

4) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

5) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and IE.

6) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

-screen317


  • Staff

Glad we could help. :D

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
