
Backdoor.Tisderv.I!inf virus removal

Discussion in 'Virus & Other Malware Removal' started by Kirenni, Jan 9, 2011.

  1. Kirenni

    Kirenni Thread Starter

    Joined:
    Jan 8, 2011
    Messages:
    17
    Hello TSG :)

    I've discovered this little nasty on my children's desktop PC (among many others which I have managed to remove), but as you know it requires manual removal. I have browsed the forums and discovered another user with the same virus and thought to follow your advice for him; however, the advice did seem reliant upon that user's individual machine hardware/software configuration etc.

    I do hope to remove this as soon as possible so that the machine is safe and running properly before the kids head back to school :) Your assistance would be greatly appreciated. Cheers!


    As per the read before posting message, please see log reports below and attached txt file FYI.


    OS Version: Microsoft Windows XP Home Edition, Service Pack 3, 32 bit
    Processor: Intel Pentium III Xeon processor, x86 Family 6 Model 23 Stepping 10
    Processor Count: 2
    RAM: 1023 Mb
    Graphics Card: NVIDIA GeForce 8400 GS , 512 Mb
    Hard Drives: C: Total - 152617 MB, Free - 75780 MB; F: Total - 76316 MB, Free - 76248 MB;
    Motherboard: ASUSTeK Computer INC., P5KPL-CM, x.xx, MS1C92B30100627
    Antivirus: Norton Internet Security, Updated: Yes, On-Demand Scanner: Enabled

    _________________________________________________________

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 11:50:40 AM, on 9/01/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\brsvc01a.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\Belkin\Router Setup and Monitor\BelkinService.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Belkin\Belkin USB Print and Storage Center\BkBackupScheduler.exe
    C:\Program Files\Belkin\Belkin USB Print and Storage Center\Bkapcs.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe
    C:\Program Files\Norton Online\Engine\2.1.0.21\ccSvcHst.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Belkin\Belkin USB Print and Storage Center\connect.exe
    C:\Program Files\Belkin\Router Setup and Monitor\BelkinSetup.exe
    C:\Program Files\Belkin\Router Setup and Monitor\dlnaPlugin.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Mum\Desktop\HijackThis.exe
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\17.8.0.5\coIEPlg.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\17.8.0.5\IPSBHO.DLL
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Norton Safety Minder BHO - {B8E07826-0971-4f16-B133-047B88034E89} - C:\Program Files\Norton Online\AddOns\Norton Safety Minder\Engine\2.1.0.37\coIEPlg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\17.8.0.5\coIEPlg.dll
    O4 - HKLM\..\Run: [InstaLAN] "C:\Program Files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" startup
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolba...si=2778&a=JqbgfA1D5r_HLtS1nvcEPg&n=2010092901
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-5/SmileyCreatorInitialSetup1.0.1.4.cab
    O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
    O16 - DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} (Battlefield Heroes Updater) - https://www.battlefieldheroes.com/static/updater/BFHUpdater_5.0.31.0.cab
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Adobe Active File Monitor V8 (AdobeActiveFileMonitor8.0) - Adobe Systems Incorporated - C:\Program Files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
    O23 - Service: AffinegyService - Affinegy, Inc. - C:\Program Files\Belkin\Router Setup and Monitor\BelkinService.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Belkin Local Backup Service - Unknown owner - C:\Program Files\Belkin\Belkin USB Print and Storage Center\BkBackupScheduler.exe
    O23 - Service: Belkin Network USB Helper - Unknown owner - C:\Program Files\Belkin\Belkin USB Print and Storage Center\Bkapcs.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: Norton Online (NOF) - Symantec Corporation - C:\Program Files\Norton Online\Engine\2.1.0.21\ccSvcHst.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PC Tools Startup and Shutdown Monitor service (PCToolsSSDMonitorSvc) - Unknown owner - C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
    --
    End of file - 8933 bytes

    _________________________________________________________________


    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Mum at 11:52:20.06 on Sun 09/01/2011
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.61.1033.18.1023.311 [GMT 11:00]
    AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton Internet Security *Enabled*
    ============== Running Processes ===============
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\brsvc01a.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\Belkin\Router Setup and Monitor\BelkinService.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Belkin\Belkin USB Print and Storage Center\BkBackupScheduler.exe
    C:\Program Files\Belkin\Belkin USB Print and Storage Center\Bkapcs.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe
    C:\Program Files\Norton Online\Engine\2.1.0.21\ccSvcHst.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Belkin\Belkin USB Print and Storage Center\connect.exe
    C:\Program Files\Belkin\Router Setup and Monitor\BelkinSetup.exe
    C:\Program Files\Belkin\Router Setup and Monitor\dlnaPlugin.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Mum\Desktop\dds.scr
    ============== Pseudo HJT Report ===============
    uStart Page = hxxp://www.google.com.au/
    mWinlogon: Userinit=c:\windows\system32\userinit.exe
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\17.8.0.5\coIEPlg.dll
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\17.8.0.5\IPSBHO.DLL
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Norton Safety Minder: {b8e07826-0971-4f16-b133-047b88034e89} - c:\program files\norton online\addons\norton safety minder\engine\2.1.0.37\coIEPlg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\17.8.0.5\coIEPlg.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [InstaLAN] "c:\program files\belkin\router setup and monitor\BelkinRouterMonitor.exe" startup
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
    dRunOnce: [RunNarrator] Narrator.exe
    uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
    dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
    IE: &Search - http://edits.mywebsearch.com/toolba...si=2778&a=JqbgfA1D5r_HLtS1nvcEPg&n=2010092901
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-5/SmileyCreatorInitialSetup1.0.1.4.cab
    DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
    DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://www.battlefieldheroes.com/static/updater/BFHUpdater_5.0.31.0.cab
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    ============= SERVICES / DRIVERS ===============
    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1108000.005\symds.sys [2010-9-24 328752]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1108000.005\symefa.sys [2010-9-24 173104]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.6.0.32\definitions\bashdefs\20101123.003\BHDrvx86.sys [2010-12-2 691248]
    R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1108000.005\cchpx86.sys [2010-9-24 501888]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1108000.005\ironx86.sys [2010-9-24 116784]
    R2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files\adobe\elements organizer 8.0\PhotoshopElementsFileAgent.exe [2009-9-18 169312]
    R2 Belkin Local Backup Service;Belkin Local Backup Service;c:\program files\belkin\belkin usb print and storage center\BkBackupScheduler.exe [2010-10-4 152064]
    R2 Belkin Network USB Helper;Belkin Network USB Helper;c:\program files\belkin\belkin usb print and storage center\Bkapcs.exe [2010-10-4 49152]
    R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\17.8.0.5\ccsvchst.exe [2010-9-24 126392]
    R2 NOF;Norton Online;c:\program files\norton online\engine\2.1.0.21\ccsvchst.exe [2010-11-12 126904]
    R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2010-11-7 583640]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-11-30 102448]
    R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.6.0.32\definitions\ipsdefs\20110107.002\IDSXpx86.sys [2011-1-9 341944]
    R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.6.0.32\definitions\virusdefs\20110108.002\NAVENG.SYS [2011-1-9 86008]
    R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.6.0.32\definitions\virusdefs\20110108.002\NAVEX15.SYS [2011-1-9 1360760]
    R3 sxuptp;SXUPTP Driver;c:\windows\system32\drivers\sxuptp.sys [2010-10-4 246936]
    R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2009-4-22 238080]
    S1 wbiaidzy;wbiaidzy;\??\c:\windows\system32\drivers\wbiaidzy.sys --> c:\windows\system32\drivers\wbiaidzy.sys [?]
    S3 SYMRDR_{78CA3BF0-9C3B-40e1-B46D-38C877EF059A};Symantec Redirector - Norton Safety Minder;c:\windows\system32\drivers\nsm\0201000.025\symrdr.sys [2010-11-12 181296]
    =============== Created Last 30 ================
    2011-01-06 12:20:07 -------- d-----w- c:\windows\system32\MpEngineStore
    2011-01-05 05:42:09 -------- d-----w- c:\docume~1\mum\applic~1\Registry Mechanic
    2010-12-16 02:04:16 15256 ----a-w- c:\docume~1\mum\applic~1\microsoft\identitycrl\production\ppcrlconfig.dll
    2010-12-15 11:46:01 -------- d-----w- c:\documents and settings\mum\Tracing
    ==================== Find3M ====================
    2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-12 00:38:28 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
    2010-11-02 00:28:53 215016 ----a-w- c:\windows\system32\PnkBstrB.xtr
    2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys
    ============= FINISH: 11:52:58.56 ===============
    _________________________________________________

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2011-01-09 16:18:41
    Windows 5.1.2600 Service Pack 3 Harddisk2\DR2 -> \Device\Ide\IdeDeviceP3T0L0-22 ST3160813AS rev.CC2H
    Running: i5jthsvh.exe; Driver: C:\DOCUME~1\Mum\LOCALS~1\Temp\awkyrfoc.sys

    ---- System - GMER 1.0.15 ----
    SSDT 85E70050 ZwAlertResumeThread
    SSDT 85E3E050 ZwAlertThread
    SSDT 85DB8900 ZwAllocateVirtualMemory
    SSDT 85E39050 ZwAssignProcessToJobObject
    SSDT 85F49800 ZwConnectPort
    SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xF456E720]
    SSDT 86779F80 ZwCreateMutant
    SSDT 85E2E070 ZwCreateSymbolicLinkObject
    SSDT 85ED9788 ZwCreateThread
    SSDT 85E4E050 ZwDebugActiveProcess
    SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xF456E9A0]
    SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xF456EF00]
    SSDT 85DE15F8 ZwDuplicateObject
    SSDT 85DB0D00 ZwFreeVirtualMemory
    SSDT 85E9A050 ZwImpersonateAnonymousToken
    SSDT 85E3D050 ZwImpersonateThread
    SSDT 85EFFE40 ZwLoadDriver
    SSDT 85E602E8 ZwMapViewOfSection
    SSDT 85E3C050 ZwOpenEvent
    SSDT 85DF7AF0 ZwOpenProcess
    SSDT 85E57050 ZwOpenProcessToken
    SSDT 85E3B050 ZwOpenSection
    SSDT 85DBC1F8 ZwOpenThread
    SSDT 85E2E140 ZwProtectVirtualMemory
    SSDT 85E71050 ZwResumeThread
    SSDT 85E40050 ZwSetContextThread
    SSDT 85E30520 ZwSetInformationProcess
    SSDT 85E3A050 ZwSetSystemInformation
    SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xF456F150]
    SSDT 85E50050 ZwSuspendProcess
    SSDT 85E3F050 ZwSuspendThread
    SSDT 85E48650 ZwTerminateProcess
    SSDT 85E72050 ZwTerminateThread
    SSDT 85EA1050 ZwUnmapViewOfSection
    SSDT 85DB6E40 ZwWriteVirtualMemory
    ---- Kernel code sections - GMER 1.0.15 ----
    .text ntkrnlpa.exe!ZwCallbackReturn + 2CE0 8050457C 4 Bytes JMP C9A539D7
    .text ntkrnlpa.exe!ZwCallbackReturn + 2D49 805045E5 3 Bytes JMP DAA1866F
    .text ntkrnlpa.exe!ZwCallbackReturn + 2D94 80504630 4 Bytes CALL 9CD62C37
    ? SYMDS.SYS The system cannot find the file specified. !
    ? SYMEFA.SYS The system cannot find the file specified. !
    .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF6C7A360, 0x3535DF, 0xE8000020]
    init C:\WINDOWS\system32\drivers\monfilt.sys entry point in "init" section [0xF4863280]
    ---- Devices - GMER 1.0.15 ----
    Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
    ---- EOF - GMER 1.0.15 ----
     

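Added example, not part of the thread: a small Python triage script that parses the HijackThis O2/O23 entries and DDS SERVICES/DRIVERS lines in the format quoted above and ranks the items a helper would look at first (orphaned BHOs, services with no publisher string, drivers whose file could not be read). The sample input is constructed from line formats shown in the post; the severity labels are my own heuristic, not anything HijackThis or DDS outputs.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input, modelled on the HijackThis and DDS lines quoted in the post.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\17.8.0.5\coIEPlg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Belkin Network USB Helper - Unknown owner - C:\Program Files\Belkin\Belkin USB Print and Storage Center\Bkapcs.exe
R3 sxuptp;SXUPTP Driver;c:\windows\system32\drivers\sxuptp.sys [2010-10-4 246936]
S1 wbiaidzy;wbiaidzy;\??\c:\windows\system32\drivers\wbiaidzy.sys --> c:\windows\system32\drivers\wbiaidzy.sys [?]
"""

# HijackThis O2 line: "O2 - BHO: <name> - {CLSID} - <path or (no file)>"
HJT_O2 = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
# HijackThis O23 line: "O23 - Service: <name> - <owner> - <path>"
HJT_O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# DDS service/driver line: "<R|S><starttype> <name>;<description>;<path> [<date size> | ?]"
# HijackThis R0/R1 lines contain no ';' so they never match this pattern.
DDS_SVC = re.compile(r"^(?P<start>[RS][0-3]) (?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?)\s*\[(?P<meta>[^\]]*)\]$")

SEVERITY_ORDER = {"high": 0, "review": 1, "info": 2}


@dataclass
class Finding:
    severity: str  # "high", "review" or "info" (heuristic labels of this script)
    reason: str
    line: str


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if it needs no attention."""
    line = line.strip()
    m = HJT_O2.match(line)
    if m:
        if m["path"] == "(no file)":
            # CLSID still registered but the DLL is gone: leftover, clean up but low risk.
            return Finding("info", f"orphaned BHO {m['clsid']}: registered but no file on disk", line)
        return None
    m = HJT_O23.match(line)
    if m:
        if m["owner"] == "Unknown owner":
            # No publisher string: verify the binary's location and signature before trusting it.
            return Finding("review", f"service '{m['name']}' has no publisher; verify the binary", line)
        return None
    m = DDS_SVC.match(line)
    if m:
        if m["meta"] == "?":
            reason = f"driver '{m['name']}' file could not be read (size/date unknown)"
            if m["name"] == m["desc"]:
                reason += "; no descriptive name"
            # Start type 0 (boot) or 1 (system) loads before user mode; treat as highest priority.
            sev = "high" if m["start"][1] in "01" else "review"
            return Finding(sev, reason, line)
        return None
    return None


def triage(log: str) -> List[Finding]:
    """Parse a mixed HijackThis/DDS log and return findings, highest severity first."""
    findings = [f for f in (triage_line(l) for l in log.splitlines()) if f is not None]
    findings.sort(key=lambda f: SEVERITY_ORDER[f.severity])
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```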

  2. Kirenni

    Kirenni Thread Starter

    Joined:
    Jan 8, 2011
    Messages:
    17
    Bump!
     
  3. Satchfan

    Satchfan Malware Specialist

    Joined:
    Jan 12, 2009
    Messages:
    653
    Hello Kirenni and welcome to the TSG forum.

    My name is Satchfan and I would be glad to help you with your computer problem. Please read the following guidelines which will help to make cleaning your machine easier:


    • Please do not install/uninstall any programs unless asked to.
    • Please do not run any scans other than those requested.
    • Please follow all instructions in the order posted.
    • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
    • If you don't understand something, please don't hesitate to ask for clarification before proceeding.
    • The fixes are specific to your problem and should only be used for this issue on this machine.
    • Please reply within 3 days. If you do not reply within this period I will post a reminder, but topics with no reply in 4 days will be closed!
    Please note that I am still in training and my replies need to be checked by an expert in order for you to receive the best possible advice. This may result in a small delay between my posts but I shall try to keep this to a minimum.


    I am looking through your logs now and will reply as soon as possible.

    Satchfan
     
  4. Kirenni

    Kirenni Thread Starter

    Joined:
    Jan 8, 2011
    Messages:
    17
    Awesome, thanks Satchfan!

    The machine in question here isn't being used at all while this issue is being worked on. So, what now?

    I appreciate your help :)
     
  5. Satchfan

    Satchfan Malware Specialist

    Joined:
    Jan 12, 2009
    Messages:
    653
    Hello again Kirenni

    Please do NOT use System Restore. Malware is almost certainly in the restore points. We will have you clear those after the computer is clean but at this stage it is better to have an infected restore point than none at all.

    Run TDSSKiller


    Please download TDSSKiller.zip
    • Extract it to your desktop
    • Double click TDSSKiller.exe
    • Press Start Scan
      • Only if Malicious objects are found then ensure Cure is selected
      • Then click Continue > Reboot now
    • Copy and paste the log in your next reply
      • A copy of the log will be saved automatically to the root of the drive (typically C:\) called TDSSKiller_*** (*** denotes version & date)
    Download and run ComboFix

    Download ComboFix from the following location:

    Link



    * IMPORTANT !!! Save ComboFix.exe to your Desktop
    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    • See this Link for programs that need to be disabled and instruction on how to disable them.
    • Remember to re-enable them when we're done.
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



    • Click on Yes, to continue scanning for malware.
    Note: Do not mouse-click combofix's window while it is running. That may cause it to stall.

    When finished, it will produce a log. Please include the ComboFix.txt in your next reply. It can be found at C:\ComboFix.txt

    Logs to include with next post:

    TDSSKiller log
    Combofix.txt

    Thanks

    Satchfan
     
  6. Kirenni

    Kirenni Thread Starter

    Joined:
    Jan 8, 2011
    Messages:
    17
    ComboFix 11-01-13.01 - Mum 14/01/2011 13:53:07.1.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.61.1033.18.1023.558 [GMT 11:00]
    Running from: c:\documents and settings\Mum\Desktop\ComboFix.exe
    AV: Norton Internet Security *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton Internet Security *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    c:\docume~1\Mum\LOCALS~1\Temp\1.tmp\F_IN_BOX.dll
    c:\documents and settings\Kelly\Local Settings\Application Data\{32CAA0E8-E98F-44C0-86EF-2849CE490D8B}
    c:\documents and settings\Kelly\Local Settings\Application Data\{32CAA0E8-E98F-44C0-86EF-2849CE490D8B}\chrome.manifest
    c:\documents and settings\Kelly\Local Settings\Application Data\{32CAA0E8-E98F-44C0-86EF-2849CE490D8B}\chrome\content\_cfg.js
    c:\documents and settings\Kelly\Local Settings\Application Data\{32CAA0E8-E98F-44C0-86EF-2849CE490D8B}\chrome\content\overlay.xul
    c:\documents and settings\Kelly\Local Settings\Application Data\{32CAA0E8-E98F-44C0-86EF-2849CE490D8B}\install.rdf
    c:\documents and settings\Mum\Local Settings\Temp\1.tmp\F_IN_BOX.dll
    c:\program files\FunWebProducts
    c:\program files\FunWebProducts\Installr\2.bin\F3EZSETP.DLL
    c:\program files\FunWebProducts\Installr\2.bin\F3PLUGIN.DLL
    c:\program files\FunWebProducts\Installr\2.bin\NPFUNWEB.DLL
    c:\program files\FunWebProducts\Installr\Cache\019F6752.exe
    c:\program files\FunWebProducts\Installr\Cache\files.ini
    c:\program files\FunWebProducts\Installr\setups\mwsbarSp.exe
    c:\windows\system32\drivers\etc\lmhosts
    c:\windows\system32\pthreadVC.dll
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    -------\Legacy_NPF

    ((((((((((((((((((((((((( Files Created from 2010-12-14 to 2011-01-14 )))))))))))))))))))))))))))))))
    .
    2011-01-06 12:20 . 2011-01-06 12:20 -------- d-----w- c:\windows\system32\MpEngineStore
    2011-01-05 06:24 . 2011-01-05 06:24 -------- d-----w- c:\documents and settings\Mum\Application Data\Media Player Classic
    2011-01-05 05:42 . 2011-01-05 06:08 -------- d-----w- c:\documents and settings\Mum\Application Data\Registry Mechanic
    2010-12-15 11:46 . 2011-01-05 05:54 -------- d-----w- c:\documents and settings\Mum\Tracing
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-01-06 12:20 . 2008-04-14 11:00 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys_backup
    2010-11-18 18:12 . 2009-06-27 01:58 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-12 00:38 . 2010-08-03 08:48 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2010-11-12 00:38 . 2010-08-03 08:48 126512 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2010-11-06 00:26 . 2008-04-14 11:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-11-06 00:26 . 2008-04-14 11:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-11-06 00:26 . 2008-04-14 11:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-11-03 12:25 . 2008-04-14 11:00 385024 ----a-w- c:\windows\system32\html.iec
    2010-11-02 15:17 . 2008-04-14 11:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
    2010-11-02 00:28 . 2010-09-11 07:37 215016 ----a-w- c:\windows\system32\PnkBstrB.xtr
    2010-10-28 13:13 . 2008-04-14 11:00 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-26 13:25 . 2008-04-14 11:00 1853312 ----a-w- c:\windows\system32\win32k.sys
    .
    ------- Sigcheck -------
    [-] 2009-04-22 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "InstaLAN"="c:\program files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" [2010-07-28 1485208]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-14 13680640]
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "_nltide_3"="advpack.dll" [2009-03-07 128512]
    "RunNarrator"="Narrator.exe" [2008-04-14 53760]
    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "ForceClassicControlPanel"= 1 (0x1)
    [HKLM\~\startupfolder\C:^Documents and Settings^Cody^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
    backup=c:\windows\pss\LimeWire On Startup.lnkStartup
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gryewtqj
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IncrediMail
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar Search Scope Monitor
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
    2008-04-14 11:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-04-28 05:06 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-13 19:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    2009-07-26 06:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2008-07-14 04:33 570664 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2009-01-14 20:19 13680640 ----a-w- c:\windows\system32\nvcpl.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    2009-01-14 20:19 86016 ----a-w- c:\windows\system32\nvmctray.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    2009-01-14 20:19 1657376 ----a-w- c:\windows\system32\nwiz.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-03-17 11:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2009-05-21 01:34 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\World of Warcraft\\Launcher.exe"=
    "c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Belkin\\Belkin USB Print and Storage Center\\Connect.exe"=
    "c:\\Program Files\\Norton Internet Security\\Engine\\17.8.0.5\\ccsvchst.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
    "19540:UDP"= 19540:UDP:SXUPTP
    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1108000.005\symds.sys [24/09/2010 9:40 AM 328752]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1108000.005\symefa.sys [24/09/2010 9:40 AM 173104]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.6.0.32\Definitions\BASHDefs\20101123.003\BHDrvx86.sys [2/12/2010 6:22 PM 691248]
    R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1108000.005\cchpx86.sys [24/09/2010 9:40 AM 501888]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1108000.005\ironx86.sys [24/09/2010 9:40 AM 116784]
    R2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [18/09/2009 4:54 AM 169312]
    R2 Belkin Local Backup Service;Belkin Local Backup Service;c:\program files\Belkin\Belkin USB Print and Storage Center\BkBackupScheduler.exe [4/10/2010 5:16 PM 152064]
    R2 Belkin Network USB Helper;Belkin Network USB Helper;c:\program files\Belkin\Belkin USB Print and Storage Center\Bkapcs.exe [4/10/2010 5:16 PM 49152]
    R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.8.0.5\ccsvchst.exe [24/09/2010 9:40 AM 126392]
    R2 NOF;Norton Online;c:\program files\Norton Online\Engine\2.1.0.21\ccsvchst.exe [12/11/2010 11:37 AM 126904]
    R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [7/11/2010 3:02 PM 583640]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [30/11/2010 3:22 AM 102448]
    R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.6.0.32\Definitions\IPSDefs\20110113.001\IDSXpx86.sys [14/01/2011 1:41 PM 341944]
    R3 sxuptp;SXUPTP Driver;c:\windows\system32\drivers\sxuptp.sys [4/10/2010 5:15 PM 246936]
    R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [22/04/2009 12:40 PM 238080]
    S1 wbiaidzy;wbiaidzy;\??\c:\windows\system32\drivers\wbiaidzy.sys --> c:\windows\system32\drivers\wbiaidzy.sys [?]
    S3 SYMRDR_{78CA3BF0-9C3B-40e1-B46D-38C877EF059A};Symantec Redirector - Norton Safety Minder;c:\windows\system32\drivers\NSM\0201000.025\symrdr.sys [12/11/2010 11:37 AM 181296]
    .
    Contents of the 'Scheduled Tasks' folder
    2010-12-20 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 01:50]
    2011-01-06 c:\windows\Tasks\RMSchedule.job
    - c:\program files\Registry Mechanic\RegMech.exe [2010-11-07 21:46]
    2011-01-14 c:\windows\Tasks\User_Feed_Synchronization-{F6371499-D56B-41D5-83FC-4C17E98F0B4C}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-07 18:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com.au/
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
    DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
    DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://www.battlefieldheroes.com/static/updater/BFHUpdater_5.0.31.0.cab
    .
    - - - - ORPHANS REMOVED - - - -
    MSConfigStartUp-googletalk - c:\documents and settings\Kayla\Application Data\Google\Google Talk\googletalk.exe

    **************************************************************************
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-01-14 14:04
    Windows 5.1.2600 Service Pack 3 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
    "ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.8.0.5\diMaster.dll\" /prefetch:1"
    --
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NOF]
    "ImagePath"="\"c:\program files\Norton Online\Engine\2.1.0.21\ccSvcHst.exe\" /s \"NOF\" /m \"c:\program files\Norton Online\Engine\2.1.0.21\diMaster.dll\" /prefetch:1"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    - - - - - - - > 'explorer.exe'(276)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\brss01a.exe
    c:\program files\Belkin\Router Setup and Monitor\BelkinService.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\nvsvc32.exe
    c:\program files\Belkin\Belkin USB Print and Storage Center\connect.exe
    c:\program files\Belkin\Router Setup and Monitor\BelkinSetup.exe
    c:\program files\Belkin\Router Setup and Monitor\dlnaPlugin.exe
    .
    **************************************************************************
    .
    Completion time: 2011-01-14 14:07:42 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-01-14 03:07
    Pre-Run: 79,338,172,416 bytes free
    Post-Run: 80,934,936,576 bytes free
    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
    - - End Of File - - 3227CA66C7668B4091D54E23A9295C0E


    2011/01/14 13:32:33.0891 TDSS rootkit removing tool 2.4.13.0 Jan 12 2011 09:51:11
    2011/01/14 13:32:33.0891 ================================================================================
    2011/01/14 13:32:33.0891 SystemInfo:
    2011/01/14 13:32:33.0891
    2011/01/14 13:32:33.0891 OS Version: 5.1.2600 ServicePack: 3.0
    2011/01/14 13:32:33.0891 Product type: Workstation
    2011/01/14 13:32:33.0891 ComputerName: KELLY-756D8347F
    2011/01/14 13:32:33.0891 UserName: Mum
    2011/01/14 13:32:33.0891 Windows directory: C:\WINDOWS
    2011/01/14 13:32:33.0891 System windows directory: C:\WINDOWS
    2011/01/14 13:32:33.0891 Processor architecture: Intel x86
    2011/01/14 13:32:33.0891 Number of processors: 2
    2011/01/14 13:32:33.0891 Page size: 0x1000
    2011/01/14 13:32:33.0891 Boot type: Normal boot
    2011/01/14 13:32:33.0891 ================================================================================
    2011/01/14 13:32:34.0532 Initialize success
    2011/01/14 13:32:49.0876 ================================================================================
    2011/01/14 13:32:49.0876 Scan started
    2011/01/14 13:32:49.0876 Mode: Manual;
    2011/01/14 13:32:49.0876 ================================================================================
    2011/01/14 13:32:50.0329 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2011/01/14 13:32:50.0422 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
    2011/01/14 13:32:50.0594 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    2011/01/14 13:32:50.0657 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
    2011/01/14 13:32:50.0688 AFGSp50 (1961590aa191b6b7dcf18a6a693af7b8) C:\WINDOWS\system32\Drivers\AFGSp50.sys
    2011/01/14 13:32:50.0860 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2011/01/14 13:32:50.0954 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2011/01/14 13:32:51.0063 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2011/01/14 13:32:51.0110 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    2011/01/14 13:32:51.0157 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    2011/01/14 13:32:51.0376 BHDrvx86 (83a2fec59a0a0fc73bf6598e901b2fbd) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.6.0.32\Definitions\BASHDefs\20101123.003\BHDrvx86.sys
    2011/01/14 13:32:51.0547 BrScnUsb (92a964547b96d697e5e9ed43b4297f5a) C:\WINDOWS\system32\Drivers\BrScnUsb.sys
    2011/01/14 13:32:51.0610 BrSerIf (c121e10c64318182a6478acae1855ee0) C:\WINDOWS\system32\Drivers\BrSerIf.sys
    2011/01/14 13:32:51.0626 BrUsbSer (7ac85cdc03befd78908b3b6a73d201d0) C:\WINDOWS\system32\Drivers\BrUsbSer.sys
    2011/01/14 13:32:51.0657 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    2011/01/14 13:32:51.0797 ccHP (e941e709847fa00e0dd6d58d2b8fb5e1) C:\WINDOWS\system32\drivers\NIS\1108000.005\ccHPx86.sys
    2011/01/14 13:32:51.0891 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    2011/01/14 13:32:51.0954 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    2011/01/14 13:32:51.0985 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2011/01/14 13:32:52.0047 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    2011/01/14 13:32:52.0079 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    2011/01/14 13:32:52.0110 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
    2011/01/14 13:32:52.0204 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    2011/01/14 13:32:52.0266 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    2011/01/14 13:32:52.0297 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    2011/01/14 13:32:52.0407 eeCtrl (089296aedb9b72b4916ac959752bdc89) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
    2011/01/14 13:32:52.0454 EraserUtilRebootDrv (850259334652d392e33ee3412562e583) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
    2011/01/14 13:32:52.0641 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    2011/01/14 13:32:52.0751 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
    2011/01/14 13:32:52.0797 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    2011/01/14 13:32:52.0876 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
    2011/01/14 13:32:53.0016 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
    2011/01/14 13:32:53.0079 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    2011/01/14 13:32:53.0094 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    2011/01/14 13:32:53.0126 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
    2011/01/14 13:32:53.0157 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    2011/01/14 13:32:53.0172 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
    2011/01/14 13:32:53.0235 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    2011/01/14 13:32:53.0297 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
    2011/01/14 13:32:53.0360 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    2011/01/14 13:32:53.0532 IDSxpx86 (0308238c582a55d83d34feee39542793) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.6.0.32\Definitions\IPSDefs\20110107.002\IDSxpx86.sys
    2011/01/14 13:32:53.0641 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
    2011/01/14 13:32:53.0688 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    2011/01/14 13:32:53.0688 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
    2011/01/14 13:32:53.0735 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    2011/01/14 13:32:53.0766 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    2011/01/14 13:32:53.0782 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    2011/01/14 13:32:53.0813 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    2011/01/14 13:32:53.0829 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    2011/01/14 13:32:53.0876 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    2011/01/14 13:32:53.0922 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2011/01/14 13:32:53.0954 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    2011/01/14 13:32:54.0016 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
    2011/01/14 13:32:54.0079 L1e (93e64bab9dee162ca0ca5258d132a047) C:\WINDOWS\system32\DRIVERS\l1e51x86.sys
    2011/01/14 13:32:54.0126 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    2011/01/14 13:32:54.0157 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    2011/01/14 13:32:54.0297 monfilt (9fa7207d1b1adead88ae8eed9cdbbaa5) C:\WINDOWS\system32\drivers\monfilt.sys
    2011/01/14 13:32:54.0407 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    2011/01/14 13:32:54.0485 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    2011/01/14 13:32:54.0532 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    2011/01/14 13:32:54.0547 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    2011/01/14 13:32:54.0594 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    2011/01/14 13:32:54.0610 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    2011/01/14 13:32:54.0641 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2011/01/14 13:32:54.0657 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2011/01/14 13:32:54.0672 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    2011/01/14 13:32:54.0704 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    2011/01/14 13:32:54.0751 MTsensor (d48659bb24c48345d926ecb45c1ebdf5) C:\WINDOWS\system32\DRIVERS\ASACPI.sys
    2011/01/14 13:32:54.0782 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
    2011/01/14 13:32:54.0922 NAVENG (c8ef74e4d8105b1d02d58ea4734cf616) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.6.0.32\Definitions\VirusDefs\20110108.002\NAVENG.SYS
    2011/01/14 13:32:55.0063 NAVEX15 (94b3164055d821a62944d9fe84036470) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.6.0.32\Definitions\VirusDefs\20110108.002\NAVEX15.SYS
    2011/01/14 13:32:55.0204 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    2011/01/14 13:32:55.0251 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    2011/01/14 13:32:55.0360 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    2011/01/14 13:32:55.0485 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    2011/01/14 13:32:55.0532 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
    2011/01/14 13:32:55.0579 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    2011/01/14 13:32:55.0610 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    2011/01/14 13:32:55.0766 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    2011/01/14 13:32:55.0797 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    2011/01/14 13:32:55.0860 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    2011/01/14 13:32:56.0079 nv (9e143fb3ef13b7ec1c1dd06529debadd) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
    2011/01/14 13:32:56.0391 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2011/01/14 13:32:56.0516 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    2011/01/14 13:32:56.0563 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
    2011/01/14 13:32:56.0594 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    2011/01/14 13:32:56.0641 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    2011/01/14 13:32:56.0688 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    2011/01/14 13:32:56.0704 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    2011/01/14 13:32:56.0735 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
    2011/01/14 13:32:56.0844 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    2011/01/14 13:32:56.0860 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    2011/01/14 13:32:56.0876 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    2011/01/14 13:32:56.0922 PxHelp20 (153d02480a0a2f45785522e814c634b6) C:\WINDOWS\system32\Drivers\PxHelp20.sys
    2011/01/14 13:32:57.0063 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    2011/01/14 13:32:57.0157 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    2011/01/14 13:32:57.0204 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    2011/01/14 13:32:57.0235 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    2011/01/14 13:32:57.0282 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    2011/01/14 13:32:57.0329 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    2011/01/14 13:32:57.0360 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
    2011/01/14 13:32:57.0610 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    2011/01/14 13:32:57.0688 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    2011/01/14 13:32:57.0704 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
    2011/01/14 13:32:57.0719 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
    2011/01/14 13:32:57.0766 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
    2011/01/14 13:32:57.0860 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    2011/01/14 13:32:57.0922 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    2011/01/14 13:32:58.0001 SRTSP (ec5c3c6260f4019b03dfaa03ec8cbf6a) C:\WINDOWS\System32\Drivers\NIS\1108000.005\SRTSP.SYS
    2011/01/14 13:32:58.0094 SRTSPX (55d5c37ed41231e3ac2063d16df50840) C:\WINDOWS\system32\drivers\NIS\1108000.005\SRTSPX.SYS
    2011/01/14 13:32:58.0235 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
    2011/01/14 13:32:58.0297 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    2011/01/14 13:32:58.0344 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    2011/01/14 13:32:58.0407 sxuptp (c8a43978dadcf12b7e40a0577227dfbc) C:\WINDOWS\system32\DRIVERS\sxuptp.sys
    2011/01/14 13:32:58.0563 SymDS (56890bf9d9204b93042089d4b45ae671) C:\WINDOWS\system32\drivers\NIS\1108000.005\SYMDS.SYS
    2011/01/14 13:32:58.0719 SymEFA (1c91df5188150510a6f0cf78f7d94b69) C:\WINDOWS\system32\drivers\NIS\1108000.005\SYMEFA.SYS
    2011/01/14 13:32:58.0829 SymEvent (5c76a63fac8a5580c5a1c4a4ed827782) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
    2011/01/14 13:32:58.0891 SymIM (fcde811209f6e05720676effa36e9a38) C:\WINDOWS\system32\DRIVERS\SymIM.sys
    2011/01/14 13:32:58.0891 SymIMMP (fcde811209f6e05720676effa36e9a38) C:\WINDOWS\system32\DRIVERS\SymIM.sys
    2011/01/14 13:32:58.0985 SymIRON (dc80fbf0a348e54853ef82eed4e11e35) C:\WINDOWS\system32\drivers\NIS\1108000.005\Ironx86.SYS
    2011/01/14 13:32:59.0126 SYMRDR_{78CA3BF0-9C3B-40e1-B46D-38C877EF059A} (2018079ece532e34dbf8969f150d343e) C:\WINDOWS\System32\Drivers\NSM\0201000.025\SymRdr.SYS
    2011/01/14 13:32:59.0266 SYMTDI (41aad61f87ca8e3b5d0f7fe7fba0797d) C:\WINDOWS\System32\Drivers\NIS\1108000.005\SYMTDI.SYS
    2011/01/14 13:32:59.0407 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    2011/01/14 13:32:59.0454 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    2011/01/14 13:32:59.0485 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    2011/01/14 13:32:59.0579 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    2011/01/14 13:32:59.0594 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2011/01/14 13:32:59.0641 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    2011/01/14 13:32:59.0688 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    2011/01/14 13:32:59.0719 USBAAPL (e8c1b9ebac65288e1b51e8a987d98af6) C:\WINDOWS\system32\Drivers\usbaapl.sys
    2011/01/14 13:32:59.0797 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
    2011/01/14 13:32:59.0829 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    2011/01/14 13:32:59.0860 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    2011/01/14 13:32:59.0876 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2011/01/14 13:32:59.0922 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
    2011/01/14 13:32:59.0969 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    2011/01/14 13:32:59.0985 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2011/01/14 13:33:00.0016 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    2011/01/14 13:33:00.0047 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    2011/01/14 13:33:00.0079 VIAHdAudAddService (80ed26c12af05779a3f897b9badf6f28) C:\WINDOWS\system32\drivers\viahduaa.sys
    2011/01/14 13:33:00.0126 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    2011/01/14 13:33:00.0157 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2011/01/14 13:33:00.0235 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    2011/01/14 13:33:00.0297 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
    2011/01/14 13:33:00.0329 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
    2011/01/14 13:33:00.0516 ================================================================================
    2011/01/14 13:33:00.0516 Scan finished
    2011/01/14 13:33:00.0516 ================================================================================
    2011/01/14 13:33:24.0110 Deinitialize success


    These are the two requested logs.

    Thanks again for your help :)
     
  7. Satchfan

    Satchfan Malware Specialist

    Joined:
    Jan 12, 2009
    Messages:
    653
    Hi Kirenni

    P2P - I see you have P2P software, (LimeWire), installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infection. If your computer is infected, it likely contributed to your current situation.

    Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P file-sharing as a major conduit to spread their wares.

    Please see this topic for more information:

    Perils of P2P File Sharing.

    I would strongly recommend that you uninstall it now. You can do so via Control Panel, Programs, and then Programs and Features.

    Should you decide to keep it, please don’t use it until we have finished up here.


    Open ComboFix


    Please do the following:

    • Close any open browsers.
    • Close/disable all anti-virus and anti-malware programs so that they do not interfere with the running of ComboFix.
    • Open notepad and copy/paste the text in the codebox below into it:
    Code:
    File::
    c:\windows\system32\drivers\wbiaidzy.sys

    SRPeek::
    c:\windows\system32\sfcfiles.dll

    Registry::
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\My Web Search Bar Search Scope Monitor]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
    wbiaidzy

    DDS::
    DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab


    Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe


    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it produces a log at C:\ComboFix.txt. Post the contents of Combofix.txt in your next reply.

    Satchfan
     
  8. Kirenni

    Kirenni Thread Starter

    Joined:
    Jan 8, 2011
    Messages:
    17
    Hey Satchfan :)

    I'm not sure why Limewire is evident in the log; I uninstalled it during my removal of viruses, as mentioned in my initial post, and it no longer appears in my Add/Remove Programs list. Not sure what to do about that...

    Please find below the contents of the combofix log as requested.
    (Please note: Combofix detected an updated version after I dragged and dropped the txt file as instructed and updated then restarted itself, I hope this is ok)

    ComboFix 11-01-16.02 - Mum 17/01/2011 11:40:25.2.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.61.1033.18.1023.438 [GMT 11:00]
    Running from: c:\documents and settings\Mum\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Mum\Desktop\CFScript.txt
    AV: Norton Internet Security *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton Internet Security *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
    FILE ::
    "c:\windows\system32\drivers\wbiaidzy.sys"
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    c:\docume~1\Mum\LOCALS~1\Temp\1.tmp\F_IN_BOX.dll
    c:\documents and settings\Mum\Local Settings\Temp\1.tmp\F_IN_BOX.dll
    .
    ((((((((((((((((((((((((( Files Created from 2010-12-17 to 2011-01-17 )))))))))))))))))))))))))))))))
    .
    2011-01-05 06:24 . 2011-01-05 06:24 -------- d-----w- c:\documents and settings\Mum\Application Data\Media Player Classic
    2011-01-05 05:42 . 2011-01-05 06:08 -------- d-----w- c:\documents and settings\Mum\Application Data\Registry Mechanic
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-01-06 12:20 . 2008-04-14 11:00 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys_backup
    2010-11-18 18:12 . 2009-06-27 01:58 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-12 00:38 . 2010-08-03 08:48 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2010-11-12 00:38 . 2010-08-03 08:48 126512 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2010-11-09 14:52 . 2008-04-14 11:00 249856 ----a-w- c:\windows\system32\odbc32.dll
    2010-11-06 00:26 . 2008-04-14 11:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-11-06 00:26 . 2008-04-14 11:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-11-06 00:26 . 2008-04-14 11:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-11-03 12:25 . 2008-04-14 11:00 385024 ----a-w- c:\windows\system32\html.iec
    2010-11-02 15:17 . 2008-04-14 11:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
    2010-11-02 00:28 . 2010-09-11 07:37 215016 ----a-w- c:\windows\system32\PnkBstrB.xtr
    2010-10-28 13:13 . 2008-04-14 11:00 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-26 13:25 . 2008-04-14 11:00 1853312 ----a-w- c:\windows\system32\win32k.sys
    .
    (((((((((((((((((((((((((((((((((((((((((( SR_Search ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    ------- Sigcheck -------
    [-] 2009-04-22 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "InstaLAN"="c:\program files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" [2010-07-28 1485208]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-14 13680640]
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "_nltide_3"="advpack.dll" [2009-03-07 128512]
    "RunNarrator"="Narrator.exe" [2008-04-14 53760]
    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "ForceClassicControlPanel"= 1 (0x1)
    [HKLM\~\startupfolder\C:^Documents and Settings^Cody^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
    backup=c:\windows\pss\LimeWire On Startup.lnkStartup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
    2008-04-14 11:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-04-28 05:06 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-13 19:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    2009-07-26 06:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2008-07-14 04:33 570664 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2009-01-14 20:19 13680640 ----a-w- c:\windows\system32\nvcpl.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    2009-01-14 20:19 86016 ----a-w- c:\windows\system32\nvmctray.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    2009-01-14 20:19 1657376 ----a-w- c:\windows\system32\nwiz.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-03-17 11:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2009-05-21 01:34 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\World of Warcraft\\Launcher.exe"=
    "c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Belkin\\Belkin USB Print and Storage Center\\Connect.exe"=
    "c:\\Program Files\\Norton Internet Security\\Engine\\17.8.0.5\\ccsvchst.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
    "19540:UDP"= 19540:UDP:SXUPTP
    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1108000.005\symds.sys [24/09/2010 9:40 AM 328752]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1108000.005\symefa.sys [24/09/2010 9:40 AM 173104]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.6.0.32\Definitions\BASHDefs\20101123.003\BHDrvx86.sys [2/12/2010 6:22 PM 691248]
    R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1108000.005\cchpx86.sys [24/09/2010 9:40 AM 501888]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1108000.005\ironx86.sys [24/09/2010 9:40 AM 116784]
    R2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [18/09/2009 4:54 AM 169312]
    R2 Belkin Local Backup Service;Belkin Local Backup Service;c:\program files\Belkin\Belkin USB Print and Storage Center\BkBackupScheduler.exe [4/10/2010 5:16 PM 152064]
    R2 Belkin Network USB Helper;Belkin Network USB Helper;c:\program files\Belkin\Belkin USB Print and Storage Center\Bkapcs.exe [4/10/2010 5:16 PM 49152]
    R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.8.0.5\ccsvchst.exe [24/09/2010 9:40 AM 126392]
    R2 NOF;Norton Online;c:\program files\Norton Online\Engine\2.1.0.21\ccsvchst.exe [12/11/2010 11:37 AM 126904]
    R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [7/11/2010 3:02 PM 583640]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [30/11/2010 3:22 AM 102448]
    R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.6.0.32\Definitions\IPSDefs\20110114.002\IDSXpx86.sys [17/01/2011 11:39 AM 341944]
    R3 sxuptp;SXUPTP Driver;c:\windows\system32\drivers\sxuptp.sys [4/10/2010 5:15 PM 246936]
    R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [22/04/2009 12:40 PM 238080]
    S3 SYMRDR_{78CA3BF0-9C3B-40e1-B46D-38C877EF059A};Symantec Redirector - Norton Safety Minder;c:\windows\system32\drivers\NSM\0201000.025\symrdr.sys [12/11/2010 11:37 AM 181296]
    .
    Contents of the 'Scheduled Tasks' folder
    2010-12-20 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 01:50]
    2011-01-06 c:\windows\Tasks\RMSchedule.job
    - c:\program files\Registry Mechanic\RegMech.exe [2010-11-07 21:46]
    2011-01-17 c:\windows\Tasks\User_Feed_Synchronization-{F6371499-D56B-41D5-83FC-4C17E98F0B4C}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-07 18:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com.au/
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
    DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
    DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://www.battlefieldheroes.com/static/updater/BFHUpdater_5.0.31.0.cab
    .
    **************************************************************************
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-01-17 12:10
    Windows 5.1.2600 Service Pack 3 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
    "ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.8.0.5\diMaster.dll\" /prefetch:1"
    --
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NOF]
    "ImagePath"="\"c:\program files\Norton Online\Engine\2.1.0.21\ccSvcHst.exe\" /s \"NOF\" /m \"c:\program files\Norton Online\Engine\2.1.0.21\diMaster.dll\" /prefetch:1"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    - - - - - - - > 'explorer.exe'(3400)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\brss01a.exe
    c:\program files\Belkin\Router Setup and Monitor\BelkinService.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\nvsvc32.exe
    c:\program files\Belkin\Belkin USB Print and Storage Center\connect.exe
    c:\program files\Belkin\Router Setup and Monitor\BelkinSetup.exe
    c:\program files\Belkin\Router Setup and Monitor\dlnaPlugin.exe
    .
    **************************************************************************
    .
    Completion time: 2011-01-17 12:14:43 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-01-17 01:14
    ComboFix2.txt 2011-01-14 03:07
    Pre-Run: 81,128,804,352 bytes free
    Post-Run: 82,365,480,960 bytes free
    - - End Of File - - C52F3FDD5F20C4D4B96C5AE7B7EC9473
     
  9. Satchfan

    Satchfan Malware Specialist

    Joined:
    Jan 12, 2009
    Messages:
    653
    Thanks for the log, Kirenni.

    It's 1.35am in the UK, so I'll look at your log tomorrow and reply as soon as I can.
     
  10. Satchfan

    Satchfan Malware Specialist

    Joined:
    Jan 12, 2009
    Messages:
    653
    Kirenni

    Open ComboFix



    Please do the following:
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so that they do not interfere with the running of ComboFix.
    • Open notepad and copy/paste the text in the codebox below into it:
    Code:
    File::
    C:\Documents and Settings\Cody\Start Menu\Programs\Startup\LimeWire On Startup.lnk
    c:\windows\pss\LimeWire On Startup.lnkStartup
    
    Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe


    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it produces a log at C:\ComboFix.txt. Post the contents of Combofix.txt in your next reply.

    Please download SystemLook from one of the links below and save it to your Desktop.

    Download Mirror #1
    Download Mirror #2

    Code:
    :filefind
    sfcfiles.dll


    Note: The log can also be found on your Desktop entitled SystemLook.txt

    Please include both the ComboFix log and SystemLook.txt

    Thanks

    Satchfan
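    Before a CFScript like the ones in this thread is dragged onto ComboFix.exe, it is worth previewing exactly what it asks the tool to do. The following Python helper is an added example, not code from this thread or from ComboFix: it splits a script into its sections, keeps any line it cannot classify for manual review, and flags File:: paths that would silently fail to match (for instance whitespace next to a path separator). The section meanings it assumes and the two constructed sample scripts are labelled in the comments.

```python
"""Preview what a ComboFix CFScript will do before it is dragged onto ComboFix.exe.

Added review helper, not code from this thread or from ComboFix. Section meanings
are assumptions from common ComboFix usage: File:: deletes the listed files,
SRPeek:: signature-checks them, Registry:: takes regedit-style lines where
[-KEY] deletes a key, and DDS:: removes the matching DDS-style report entry.
"""
import re
from dataclasses import dataclass, field

# Constructed copy of the first script posted in this thread.
SCRIPT_POST_7 = """File::
c:\\windows\\system32\\drivers\\wbiaidzy.sys

SRPeek::
c:\\windows\\system32\\sfcfiles.dll

Registry::
[-HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Shared Tools\\MSConfig\\startupreg\\My Web Search Bar Search Scope Monitor]
[-HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\MyWebSearch Email Plugin]
wbiaidzy

DDS::
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
"""

# Constructed variant of the second script with a stray space inserted after "Startup\".
SCRIPT_WITH_TYPO = """File::
C:\\Documents and Settings\\Cody\\Start Menu\\Programs\\Startup\\ LimeWire On Startup.lnk
c:\\windows\\pss\\LimeWire On Startup.lnkStartup
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")
REG_DELETE_KEY_RE = re.compile(r"^\[-(.+)\]$")
REG_KEY_OR_VALUE_RE = re.compile(r'^\[.+\]$|^".+?"=.*$')
WIN_ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class Plan:
    delete_files: list = field(default_factory=list)
    sigcheck_files: list = field(default_factory=list)
    delete_reg_keys: list = field(default_factory=list)
    reg_lines: list = field(default_factory=list)
    dds_entries: list = field(default_factory=list)
    unrecognised: list = field(default_factory=list)  # (section, line) pairs for manual review


def parse_cfscript(text: str) -> Plan:
    """Sort each non-blank line into its section; keep anything unclassifiable for review."""
    plan = Plan()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section == "File":
            plan.delete_files.append(line)
        elif section == "SRPeek":
            plan.sigcheck_files.append(line)
        elif section == "DDS":
            plan.dds_entries.append(line)
        elif section == "Registry":
            m = REG_DELETE_KEY_RE.match(line)
            if m:
                plan.delete_reg_keys.append(m.group(1))
            elif REG_KEY_OR_VALUE_RE.match(line):
                plan.reg_lines.append(line)
            else:
                # A bare name (e.g. a driver) is not regedit syntax: flag it, do not guess.
                plan.unrecognised.append((section, line))
        else:
            plan.unrecognised.append((section, line))
    return plan


def lint_paths(plan: Plan) -> list:
    """Flag File::/SRPeek:: paths that ComboFix would silently fail to match."""
    problems = []
    for path in plan.delete_files + plan.sigcheck_files:
        if not WIN_ABS_PATH_RE.match(path):
            problems.append((path, "not an absolute drive path"))
        if any(part != part.strip() for part in path.split("\\")):
            problems.append((path, "whitespace next to a path separator"))
    return problems
```

Run parse_cfscript() on the script text and lint_paths() on the result; anything in unrecognised or returned by lint_paths should be resolved before the script is used.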
     
  11. Satchfan

    Satchfan Malware Specialist

    Joined:
    Jan 12, 2009
    Messages:
    653
    Kirenni

    The code for SystemLook seems to have altered and should be:

    Code:
    :filefind
    sfcfiles.dll
    
    Please follow the previous instructions for SystemLook and enter the above.

    Satchfan
     
  12. Kirenni

    Kirenni Thread Starter

    Joined:
    Jan 8, 2011
    Messages:
    17
    Thank you Satchfan, and I apologise for the delayed reply! I have been having serious issues with my ISP and was down for a few days, but everything is back up and running now. I'll follow your instructions and post the results as soon as I'm done.

    Thanks a bunch!
     
  13. Kirenni

    Kirenni Thread Starter

    Joined:
    Jan 8, 2011
    Messages:
    17
    Ok, so here goes...

    ComboFix 11-01-16.02 - Mum 23/01/2011 20:04:37.3.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.61.1033.18.1023.601 [GMT 11:00]
    Running from: c:\documents and settings\Mum\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Mum\Desktop\CFScript.txt
    AV: Norton Internet Security *Disabled/Outdated* {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton Internet Security *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
    .
    - REDUCED FUNCTIONALITY MODE -
    FILE ::
    "c:\documents and settings\Cody\Start Menu\Programs\Startup\ LimeWire On Startup.lnk"
    "c:\windows\pss\LimeWire On Startup.lnkStartup"
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    c:\docume~1\Mum\LOCALS~1\Temp\1.tmp\F_IN_BOX.dll
    c:\documents and settings\Mum\Local Settings\Temp\1.tmp\F_IN_BOX.dll
    c:\windows\pss\LimeWire On Startup.lnkStartup
    .
    ((((((((((((((((((((((((( Files Created from 2010-12-23 to 2011-01-23 )))))))))))))))))))))))))))))))
    .
    2011-01-05 06:24 . 2011-01-05 06:24 -------- d-----w- c:\documents and settings\Mum\Application Data\Media Player Classic
    2011-01-05 05:42 . 2011-01-05 06:08 -------- d-----w- c:\documents and settings\Mum\Application Data\Registry Mechanic
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-01-06 12:20 . 2008-04-14 11:00 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys_backup
    2010-11-18 18:12 . 2009-06-27 01:58 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-12 00:38 . 2010-08-03 08:48 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2010-11-12 00:38 . 2010-08-03 08:48 126512 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2010-11-09 14:52 . 2008-04-14 11:00 249856 ----a-w- c:\windows\system32\odbc32.dll
    2010-11-06 00:26 . 2008-04-14 11:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-11-06 00:26 . 2008-04-14 11:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-11-06 00:26 . 2008-04-14 11:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-11-03 12:25 . 2008-04-14 11:00 385024 ----a-w- c:\windows\system32\html.iec
    2010-11-02 15:17 . 2008-04-14 11:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
    2010-11-02 00:28 . 2010-09-11 07:37 215016 ----a-w- c:\windows\system32\PnkBstrB.xtr
    2010-10-28 13:13 . 2008-04-14 11:00 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-26 13:25 . 2008-04-14 11:00 1853312 ----a-w- c:\windows\system32\win32k.sys
    .
    ------- Sigcheck -------
    [-] 2009-04-22 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "InstaLAN"="c:\program files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" [2010-07-28 1485208]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-14 13680640]
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "_nltide_3"="advpack.dll" [2009-03-07 128512]
    "RunNarrator"="Narrator.exe" [2008-04-14 53760]
    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "ForceClassicControlPanel"= 1 (0x1)
    [HKLM\~\startupfolder\C:^Documents and Settings^Cody^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
    backup=c:\windows\pss\LimeWire On Startup.lnkStartup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
    2008-04-14 11:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-04-28 05:06 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-13 19:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    2009-07-26 06:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2008-07-14 04:33 570664 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2009-01-14 20:19 13680640 ----a-w- c:\windows\system32\nvcpl.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    2009-01-14 20:19 86016 ----a-w- c:\windows\system32\nvmctray.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    2009-01-14 20:19 1657376 ----a-w- c:\windows\system32\nwiz.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-03-17 11:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2009-05-21 01:34 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\World of Warcraft\\Launcher.exe"=
    "c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Belkin\\Belkin USB Print and Storage Center\\Connect.exe"=
    "c:\\Program Files\\Norton Internet Security\\Engine\\17.8.0.5\\ccsvchst.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
    "19540:UDP"= 19540:UDP:SXUPTP
    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1108000.005\symds.sys [24/09/2010 9:40 AM 328752]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1108000.005\symefa.sys [24/09/2010 9:40 AM 173104]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.6.0.32\Definitions\BASHDefs\20101123.003\BHDrvx86.sys [2/12/2010 6:22 PM 691248]
    R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1108000.005\cchpx86.sys [24/09/2010 9:40 AM 501888]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1108000.005\ironx86.sys [24/09/2010 9:40 AM 116784]
    R2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [18/09/2009 4:54 AM 169312]
    R2 Belkin Local Backup Service;Belkin Local Backup Service;c:\program files\Belkin\Belkin USB Print and Storage Center\BkBackupScheduler.exe [4/10/2010 5:16 PM 152064]
    R2 Belkin Network USB Helper;Belkin Network USB Helper;c:\program files\Belkin\Belkin USB Print and Storage Center\Bkapcs.exe [4/10/2010 5:16 PM 49152]
    R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.8.0.5\ccsvchst.exe [24/09/2010 9:40 AM 126392]
    R2 NOF;Norton Online;c:\program files\Norton Online\Engine\2.1.0.21\ccsvchst.exe [12/11/2010 11:37 AM 126904]
    R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [7/11/2010 3:02 PM 583640]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [30/11/2010 3:22 AM 102448]
    R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.6.0.32\Definitions\IPSDefs\20110114.002\IDSXpx86.sys [17/01/2011 11:39 AM 341944]
    R3 sxuptp;SXUPTP Driver;c:\windows\system32\drivers\sxuptp.sys [4/10/2010 5:15 PM 246936]
    R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [22/04/2009 12:40 PM 238080]
    S3 SYMRDR_{78CA3BF0-9C3B-40e1-B46D-38C877EF059A};Symantec Redirector - Norton Safety Minder;c:\windows\system32\drivers\NSM\0201000.025\symrdr.sys [12/11/2010 11:37 AM 181296]
    .
    Contents of the 'Scheduled Tasks' folder
    2010-12-20 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 01:50]
    2011-01-23 c:\windows\Tasks\RMSchedule.job
    - c:\program files\Registry Mechanic\RegMech.exe [2010-11-07 21:46]
    2011-01-23 c:\windows\Tasks\User_Feed_Synchronization-{F6371499-D56B-41D5-83FC-4C17E98F0B4C}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-07 18:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com.au/
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
    DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
    DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://www.battlefieldheroes.com/static/updater/BFHUpdater_5.0.31.0.cab
    .
    **************************************************************************
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-01-23 20:13
    Windows 5.1.2600 Service Pack 3 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
    "ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.8.0.5\diMaster.dll\" /prefetch:1"
    --
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NOF]
    "ImagePath"="\"c:\program files\Norton Online\Engine\2.1.0.21\ccSvcHst.exe\" /s \"NOF\" /m \"c:\program files\Norton Online\Engine\2.1.0.21\diMaster.dll\" /prefetch:1"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    - - - - - - - > 'explorer.exe'(412)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\brss01a.exe
    c:\program files\Belkin\Router Setup and Monitor\BelkinService.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\Belkin\Belkin USB Print and Storage Center\connect.exe
    c:\program files\Belkin\Router Setup and Monitor\BelkinSetup.exe
    c:\program files\Belkin\Router Setup and Monitor\dlnaPlugin.exe
    .
    **************************************************************************
    .
    Completion time: 2011-01-23 20:14:49 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-01-23 09:14
    ComboFix2.txt 2011-01-17 01:14
    ComboFix3.txt 2011-01-14 03:07
    Pre-Run: 82,688,192,512 bytes free
    Post-Run: 82,729,930,752 bytes free
    - - End Of File - - 53AE40EAA778509A97A8F27BCB0EA819

    SystemLook 04.09.10 by jpshortstuff
    Log created at 20:17 on 23/01/2011 by Mum
    Administrator - Elevation successful
    ========== filefind ==========
    Searching for "sfcfiles.dll "
    C:\WINDOWS\system32\sfcfiles.dll --a---- 1614848 bytes [01:43 22/04/2009] [01:43 22/04/2009] 362BC5AF8EAF712832C58CC13AE05750
    -= EOF =-

    Thanks again for all your help :)
    I'm going away tomorrow with the family for 6 days but will keep an eye on the thread while I'm away.
     
  14. Satchfan

    Satchfan Malware Specialist

    Joined:
    Jan 12, 2009
    Messages:
    653
    Thanks for the log, Kirenni.

    Does this mean that you are capable of responding to it, or do you want us to keep it open until you return?
     
  15. Kirenni

    Kirenni Thread Starter

    Joined:
    Jan 8, 2011
    Messages:
    17
    Hi Satchfan :)

    Thanks for keeping this open for me. I'm sorry I didn't get back to you re: your last post; I must have left before your response. I'm back now and ready to proceed whenever you are!

    Cheers :)
     
Short URL to this thread: https://techguy.org/973528