TechSpot

Backdoor.Tidserv.I!inf

By Ris
May 13, 2011
  1. Hello, recently my antivirus (Norton) detected "Backdoor.Tidserv.I!inf", which has also shown up as "System Infected: Tidserv Activity 2" in the alerts shown by Norton (I'm not quite sure if they're the same thing). It's been redirecting my search results to other websites as well as showing advertisements. It's also been causing slowness on my computer, and it freezes frequently. Additionally, it seems that programs don't necessarily start when asked to. Also, after searching for quite a bit, I've disabled System Restore on my computer. If you think that I should enable it again, please tell me. Please keep in mind that I'm computer illiterate, so I apologize if I don't quite understand everything you ask me to do. I'm grateful for any help that is given.

    Here's the MBAM log:

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6562

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 8.0.6001.18702

    5/13/2011 7:57:32 PM
    mbam-log-2011-05-13 (19-57-32).txt

    Scan type: Quick scan
    Objects scanned: 154920
    Time elapsed: 8 minute(s), 12 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    GMER log:

    GMER 1.0.15.15627 - http://www.gmer.net
    Rootkit scan 2011-05-12 17:07:03
    Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdePort0 WDC_WD7501AALS-00J7B1 rev.05.00K05
    Running: gqgl66j3.exe; Driver: C:\DOCUME~1\RAYMON~1\LOCALS~1\Temp\uxrdrpod.sys


    ---- System - GMER 1.0.15 ----

    SSDT 89DF9570 ZwAlertResumeThread
    SSDT 89F3B450 ZwAlertThread
    SSDT 8AB3BE00 ZwAllocateVirtualMemory
    SSDT 8A976CD0 ZwAssignProcessToJobObject
    SSDT 8A94A268 ZwConnectPort
    SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xA2E81710]
    SSDT 89F2E720 ZwCreateMutant
    SSDT 89DDF640 ZwCreateSymbolicLinkObject
    SSDT 8AB2D308 ZwCreateThread
    SSDT 8A976DB0 ZwDebugActiveProcess
    SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xA2E81990]
    SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA2E81EF0]
    SSDT 8A96DD10 ZwDuplicateObject
    SSDT 89F06DA0 ZwFreeVirtualMemory
    SSDT 89E356A8 ZwImpersonateAnonymousToken
    SSDT 89DF9490 ZwImpersonateThread
    SSDT 8A972098 ZwLoadDriver
    SSDT 89DF8458 ZwMapViewOfSection
    SSDT 89F2E660 ZwOpenEvent
    SSDT 89FD4D78 ZwOpenProcess
    SSDT 89F13348 ZwOpenProcessToken
    SSDT 89F41CF0 ZwOpenSection
    SSDT 8A96DE00 ZwOpenThread
    SSDT 8AA5A618 ZwProtectVirtualMemory
    SSDT 89E38968 ZwResumeThread
    SSDT 89F05800 ZwSetContextThread
    SSDT 89DF8858 ZwSetInformationProcess
    SSDT 8A9C7600 ZwSetSystemInformation
    SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xA2E82140]
    SSDT 89F41DD0 ZwSuspendProcess
    SSDT 89E38A48 ZwSuspendThread
    SSDT 8AB2D3E8 ZwTerminateProcess
    SSDT 89F05740 ZwTerminateThread
    SSDT 89DF8398 ZwUnmapViewOfSection
    SSDT 8AB3BD30 ZwWriteVirtualMemory

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwCallbackReturn + 2F9C 80503D70 8 Bytes CALL C0DAF048
    ? SYMDS.SYS The system cannot find the file specified. !
    ? SYMEFA.SYS The system cannot find the file specified. !
    .text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB686A000, 0x253E67, 0xE8000020]
    ? C:\DOCUME~1\RAYMON~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\System32\svchost.exe[1028] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B0000A
    .text C:\WINDOWS\System32\svchost.exe[1028] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00B1000A
    .text C:\WINDOWS\System32\svchost.exe[1028] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 007E000C
    .text C:\WINDOWS\System32\svchost.exe[1028] USER32.dll!GetCursorPos 7E41BD76 5 Bytes JMP 00D9000A
    .text C:\WINDOWS\System32\svchost.exe[1028] ole32.dll!CoCreateInstance 7750055E 5 Bytes JMP 00B9000A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[1424] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 02C0003A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[1424] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 018D000A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[1424] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 018E000A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[1424] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 018C000C
    .text C:\Program Files\Mozilla Firefox\firefox.exe[1424] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[1596] USER32.dll!TrackPopupMenu 7E4650EE 5 Bytes JMP 1040C334 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
    .text C:\WINDOWS\Explorer.EXE[1848] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CE000A
    .text C:\WINDOWS\Explorer.EXE[1848] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00CF000A
    .text C:\WINDOWS\Explorer.EXE[1848] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0090000C
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3312] kernel32.dll!LoadResource 7C809FC5 7 Bytes JMP 2806C580 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3312] kernel32.dll!FindResourceExW 7C80AC98 7 Bytes JMP 2806C3E0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3312] kernel32.dll!FindResourceW 7C80BBDE 7 Bytes JMP 2806C360 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3312] kernel32.dll!SizeofResource 7C80BC79 7 Bytes JMP 2806C630 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3312] kernel32.dll!FindResourceA 7C80BE99 7 Bytes JMP 2806C460 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3312] kernel32.dll!LockResource 7C80CCA7 5 Bytes JMP 2806C6A0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3312] kernel32.dll!CreateEventA 7C8308C9 5 Bytes JMP 2806BFC0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3312] kernel32.dll!FindResourceExA 7C835FC0 7 Bytes JMP 2806C4F0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3312] ADVAPI32.dll!CryptDeriveKey 77DEA1A5 7 Bytes JMP 2806BAD0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3312] ADVAPI32.dll!CryptDecrypt 77DEA2D1 7 Bytes JMP 2806BB30 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3312] USER32.dll!GetWindowLongW 7E4188A6 7 Bytes JMP 28070560 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3312] USER32.dll!PeekMessageW 7E41929B 5 Bytes JMP 2806E560 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3312] USER32.dll!CreateWindowExW 7E41FC25 5 Bytes JMP 2806DB40 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3312] USER32.dll!SetWindowRgn 7E41FFB2 7 Bytes JMP 2806FBA0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3312] USER32.dll!LoadIconW 7E420894 5 Bytes JMP 28070430 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3312] USER32.dll!LoadImageW 7E422CFE 5 Bytes JMP 280702B0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3312] USER32.dll!CreateDialogParamW 7E427D4F 5 Bytes JMP 2806FC50 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3312] USER32.dll!SetWindowPlacement 7E42D84C 5 Bytes JMP 2806FB00 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3312] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 2806FE50 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3312] USER32.dll!TrackPopupMenuEx 7E46CD28 5 Bytes JMP 2806EBE0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3312] WS2_32.dll!send 71AB428A 5 Bytes JMP 28074580 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3312] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 280743D0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3312] WS2_32.dll!recv 71AB615A 5 Bytes JMP 280742A0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3312] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 280746F0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3312] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 280748C0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3312] SHELL32.dll!Shell_NotifyIconW 7CA21BEA 5 Bytes JMP 2806D230 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3312] ole32.dll!CoInitializeEx 774FEF5B 5 Bytes JMP 2806C900 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3312] ole32.dll!CoCreateInstance 7750055E 5 Bytes JMP 2806CC80 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3312] ole32.dll!CoRegisterClassObject 77507FF0 5 Bytes JMP 2806CA00 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3312] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 280734B0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3312] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 280735F0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3312] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 28073350 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3312] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 28073550 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
    .text C:\Program Files\Real\RealUpgrade\realupgrade.exe[3472] kernel32.dll!SetUnhandledExceptionFilter 7C8447ED 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8B00E53B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8B00E53B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8B00E53B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 8B00E53B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T1L0-3 8B00E53B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 8B00E53B

    AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
    Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

    ---- EOF - GMER 1.0.15 ----

    DDS.txt log:

    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Raymond l at 16:30:18.78 on Thu 05/12/2011
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3579.2448 [GMT -4:00]
    .
    AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton Internet Security *Enabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\DeviceVM\Browser Configuration Utility\BCU.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
    C:\Program Files\360\360sd\360sd.exe
    C:\Program Files\W3i\InstallIQUpdater\InstallIQUpdater.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\360\360sd\360rp.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    C:\Program Files\Real\RealUpgrade\realupgrade.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\WINDOWS\system32\dwwin.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Common Files\Java\Java Update\jucheck.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\WINDOWS\system32\dwwin.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\WINDOWS\system32\dwwin.exe
    C:\Documents and Settings\Raymond l\My Documents\Downloads\HijackThis.exe
    C:\WINDOWS\system32\dumprep.exe
    C:\WINDOWS\system32\dwwin.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Documents and Settings\Raymond l\My Documents\Downloads\dds.com
    .
    ============== Pseudo HJT Report ===============
    .
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    uURLSearchHooks: SearchHook Class: {bc86e1ab-eda5-4059-938f-ce307b0c6f0a} - c:\program files\devicevm\browser configuration utility\AddressBarSearch.dll
    mWinlogon: Userinit=c:\windows\system32\userinit.exe
    BHO: AcroIEHelperStub: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - Adobe PDF Link Helper
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
    BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\18.6.0.29\coIEPlg.dll
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\18.6.0.29\ips\IPSBHO.DLL
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\18.6.0.29\coIEPlg.dll
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    uRun: [360sd] "c:\program files\360\360sd\360sdrun.exe"
    uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
    uRun: [InstallIQUpdater] "c:\program files\w3i\installiqupdater\InstallIQUpdater.exe" /silent /autorun
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [BCU] "c:\program files\devicevm\browser configuration utility\BCU.exe"
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
    mRun: [36X Raid Configurer] c:\windows\system32\xRaidSetup.exe boot
    mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [Pyixuy] rundll32.exe "c:\windows\upixonugidel.dll",Startup
    IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
    IE: ?????? - c:\program files\thunder network\thunder\program\GetUrl.htm
    IE: ?????????? - c:\program files\thunder network\thunder\program\GetAllUrl.htm
    IE: ???????? - c:\program files\thunder network\thunder\program\OfflineDownload.htm
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
    DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} - hxxp://avatar.mabinogi.jp/3drender/renderer/mabiweb.2010.05.24.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    Notify: AtiExtEvent - Ati2evxx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\docume~1\raymon~1\applic~1\mozilla\firefox\profiles\xdex0rkd.default\
    FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\coffplgn\components\coFFPlgn.dll
    FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\ipsffplgn\components\IPSFFPl.dll
    FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
    FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
    FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
    FF - plugin: c:\documents and settings\raymond l\application data\facebook\npfbplugin_1_0_3.dll
    FF - plugin: c:\program files\common files\thunder network\kankan\npDapCtrlFirefox.2.0.5901.12.(826).dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
    FF - plugin: c:\program files\windows media player\np-mswmp.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\Ext
    FF - Ext: Symantec IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\IPSFFPlgn
    FF - Ext: Norton Toolbar: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62} - c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\coFFPlgn
    FF - Ext: XULRunner: {58F21841-FE97-4598-B35B-688FF89B1918} - c:\documents and settings\raymond l\local settings\application data\{58F21841-FE97-4598-B35B-688FF89B1918}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: All-in-One Sidebar: {097d3191-e6fa-4728-9826-b533d755359d} - %profile%\extensions\{097d3191-e6fa-4728-9826-b533d755359d}
    FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: general.useragent.extra.brc -
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1206000.01d\symds.sys [2011-5-9 340088]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1206000.01d\symefa.sys [2011-5-9 744568]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\bashdefs\20110430.001\BHDrvx86.sys [2011-5-2 802936]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1206000.01d\ironx86.sys [2011-5-9 136312]
    R2 BCUService;Browser Configuration Utility Service;c:\program files\devicevm\browser configuration utility\BCUService.exe [2010-1-7 219360]
    R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\18.6.0.29\ccsvchst.exe [2011-5-9 130008]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-5-9 105592]
    R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\ipsdefs\20110511.001\IDSXpx86.sys [2011-5-11 341944]
    R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\virusdefs\20110512.002\NAVENG.SYS [2011-5-12 86136]
    R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\virusdefs\20110512.002\NAVEX15.SYS [2011-5-12 1393144]
    R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-5-12 38224]
    S0 nielprt;Nielsen Patch Service; [x]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-1-7 1684736]
    S3 EraserUtilDrvI9;EraserUtilDrvI9;\??\c:\program files\common files\symantec shared\eengine\eraserutildrvi9.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilDrvI9.sys [?]
    S3 NielGfx;Nielsen USB GFX; [x]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
    S3 XDva346;XDva346; [x]
    S3 XDva351;XDva351; [x]
    S3 XDva372;XDva372;\??\c:\windows\system32\xdva372.sys --> c:\windows\system32\XDva372.sys [?]
    S3 XDva373;XDva373; [x]
    S3 XDva380;XDva380;\??\c:\windows\system32\xdva380.sys --> c:\windows\system32\XDva380.sys [?]
    S3 XDva383;XDva383;\??\c:\windows\system32\xdva383.sys --> c:\windows\system32\XDva383.sys [?]
    .
    =============== Created Last 30 ================
    .
    2011-05-12 19:39:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-05-12 19:39:18 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-05-12 01:52:23 17480 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2011-05-12 01:51:57 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
    2011-05-09 22:49:14 369784 ----a-w- c:\windows\system32\drivers\nis\1206000.01d\symtdi.sys
    2011-05-09 22:49:14 331384 ----a-w- c:\windows\system32\drivers\nis\1206000.01d\symtdiv.sys
    2011-05-09 22:49:14 296568 ----a-w- c:\windows\system32\drivers\nis\1206000.01d\symnets.sys
    2011-05-09 22:49:13 744568 ----a-w- c:\windows\system32\drivers\nis\1206000.01d\symefa.sys
    2011-05-09 22:49:13 516216 ----a-w- c:\windows\system32\drivers\nis\1206000.01d\srtsp.sys
    2011-05-09 22:49:13 50168 ----a-w- c:\windows\system32\drivers\nis\1206000.01d\srtspx.sys
    2011-05-09 22:49:13 340088 ----a-w- c:\windows\system32\drivers\nis\1206000.01d\symds.sys
    2011-05-09 22:49:13 136312 ----a-w- c:\windows\system32\drivers\nis\1206000.01d\ironx86.sys
    2011-05-09 22:48:35 -------- d-----w- c:\windows\system32\drivers\nis\1206000.01D
    2011-05-09 01:38:30 -------- d-----w- c:\docume~1\raymon~1\applic~1\PhotoScape
    2011-05-03 02:49:00 -------- d-----w- c:\docume~1\raymon~1\applic~1\Office Genuine Advantage
    2011-05-01 04:39:29 -------- d-----w- c:\windows\ie8updates
    2011-04-30 20:18:34 599040 -c----w- c:\windows\system32\dllcache\msfeeds.dll
    2011-04-30 20:18:34 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
    2011-04-30 20:18:33 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
    2011-04-30 20:18:31 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
    2011-04-30 20:18:31 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
    2011-04-30 20:18:29 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
    2011-04-30 20:18:23 11076096 -c----w- c:\windows\system32\dllcache\ieframe.dll
    2011-04-23 15:48:42 -------- d-----w- c:\docume~1\raymon~1\locals~1\applic~1\{58F21841-FE97-4598-B35B-688FF89B1918}
    2011-04-17 15:47:48 -------- d-----w- c:\program files\GRETECH
    .
    ==================== Find3M ====================
    .
    2011-05-12 04:54:40 0 ----a-w- c:\windows\Ifutur.bin
    2011-05-09 22:49:16 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2009-03-16 19:36:16 1691464 -c--a-w- c:\program files\dsetup32.dll
    2009-03-16 19:35:46 525128 -c--a-w- c:\program files\DXSETUP.exe
    2009-03-16 19:35:34 94024 -c--a-w- c:\program files\DSETUP.dll
    .
    =================== ROOTKIT ====================
    .
    Windows 5.1.2600 Disk: WDC_WD7501AALS-00J7B1 rev.05.00K05 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-3
    .
    device: opened successfully
    user: MBR read successfully
    .
    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8B00E6F0]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8b014a10]; MOV EAX, [0x8b014a8c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 ntkrnlpa!IofCallDriver[0x804EF0BC] -> \Device\Harddisk0\DR0[0x8AFA6AB8]
    3 CLASSPNP[0xBA11905B] -> ntkrnlpa!IofCallDriver[0x804EF0BC] -> \Device\0000007e[0x8B0612C0]
    5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF0BC] -> [0x8B05E940]
    \Driver\atapi[0x8B049488] -> IRP_MJ_CREATE -> 0x8B00E6F0
    error: Read A device attached to the system is not functioning.
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x8B00E53B
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !
    .
    ============= FINISH: 16:32:58.32 ===============

    Attach.txt log:

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_11-03-05.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 1/7/2010 12:09:12 AM
    System Uptime: 5/12/2011 3:54:02 PM (1 hours ago)
    .
    Motherboard: Gigabyte Technology Co., Ltd. | | P55M-UD2
    Processor: Intel(R) Core(TM) i5 CPU 750 @ 2.67GHz | Socket 1156 | 2664/133mhz
    Processor: Intel(R) Core(TM) i5 CPU 750 @ 2.67GHz | Socket 1156 | 2664/133mhz
    Processor: Intel(R) Core(TM) i5 CPU 750 @ 2.67GHz | Socket 1156 | 2664/133mhz
    Processor: Intel(R) Core(TM) i5 CPU 750 @ 2.67GHz | Socket 1156 | 2664/133mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 488 GiB total, 326.619 GiB free.
    D: is CDROM ()
    E: is FIXED (NTFS) - 210 GiB total, 210.276 GiB free.
    F: is FIXED (FAT32) - 466 GiB total, 385.276 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    No restore point in system.
    .
    ==== Installed Programs ======================
    .
    360??
    7-Zip 9.10 beta
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.2
    Adobe Reader 9.2 - Chinese Simplified
    Adobe Shockwave Player 11.5
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    ArcSoft PhotoImpression 6
    ArcSoft Print Creations
    ATI AVIVO Codecs
    ATI Catalyst Control Center
    ATI Catalyst Install Manager
    ATI Catalyst Registration
    ATI Parental Control & Encoder
    ATI Problem Report Wizard
    Bonjour
    Browser Configuration Utility
    Canon Camera Access Library
    Canon MovieEdit Task for ZoomBrowser EX
    Canon Utilities CameraWindow DC 8
    Canon Utilities CameraWindow Launcher
    Canon Utilities Movie Uploader for YouTube
    Canon Utilities MyCamera
    Canon Utilities PhotoStitch
    Canon Utilities ZoomBrowser EX
    Canon ZoomBrowser EX Memory Card Utility
    Catalyst Control Center - Branding
    Catalyst Control Center Core Implementation
    Catalyst Control Center Graphics Full Existing
    Catalyst Control Center Graphics Full New
    Catalyst Control Center Graphics Light
    Catalyst Control Center Graphics Previews Common
    Catalyst Control Center HydraVision Full
    Catalyst Control Center InstallProxy
    Catalyst Control Center Localization All
    ccc-core-preinstall
    ccc-core-static
    ccc-utility
    CCC Help Chinese Standard
    CCC Help Chinese Traditional
    CCC Help Czech
    CCC Help Danish
    CCC Help Dutch
    CCC Help English
    CCC Help Finnish
    CCC Help French
    CCC Help German
    CCC Help Greek
    CCC Help Hungarian
    CCC Help Italian
    CCC Help Japanese
    CCC Help Korean
    CCC Help Norwegian
    CCC Help Polish
    CCC Help Portuguese
    CCC Help Russian
    CCC Help Spanish
    CCC Help Swedish
    CCC Help Thai
    CCC Help Turkish
    EPSON CX4400 Series User's Guide
    EPSON Printer Software
    EPSON Scan
    EPSON Stylus CX4400 Series Scanner Driver Update
    Facebook Plug-In
    Fraps
    Gigabyte Raid Configurer
    High Definition Audio Driver Package - KB888111
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows XP (KB926239)
    Hotfix for Windows XP (KB932716-v2)
    Hotfix for Windows XP (KB933062)
    Hotfix for Windows XP (KB934428-v3)
    Hotfix for Windows XP (KB935448)
    Hotfix for Windows XP (KB935843)
    Hotfix for Windows XP (KB940275-v3)
    Hotfix for Windows XP (KB951830)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB955535)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    InstallIQ Updater
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 23
    Junk Mail filter update
    Malwarebytes' Anti-Malware
    Messenger Plus! Live
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
    Microsoft Office Professional Edition 2003
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Mozilla Firefox (3.6.17)
    MSN
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6 Service Pack 2 (KB973686)
    Nero 8 Essentials
    neroxml
    Norton Internet Security
    OGA Notifier 2.0.0048.0
    Pando Media Booster
    QuickTime
    RealPlayer
    REALTEK GbE & FE Ethernet PCI-E NIC Driver
    Realtek High Definition Audio Driver
    RealUpgrade 1.0
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player (KB979402)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB911565)
    Security Update for Windows Media Player 9 (KB936782)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899588)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901190)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924496)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925454)
    Security Update for Windows XP (KB925486)
    Security Update for Windows XP (KB925902)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB929123)
    Security Update for Windows XP (KB930178)
    Security Update for Windows XP (KB931261)
    Security Update for Windows XP (KB932168)
    Security Update for Windows XP (KB933729)
    Security Update for Windows XP (KB935839)
    Security Update for Windows XP (KB935840)
    Security Update for Windows XP (KB936021)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB943055)
    Security Update for Windows XP (KB943460)
    Security Update for Windows XP (KB943485)
    Security Update for Windows XP (KB944338-v2)
    Security Update for Windows XP (KB945553)
    Security Update for Windows XP (KB946026)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950582)
    Security Update for Windows XP (KB950749)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953155)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958470)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371-v2)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971032)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB976325)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB981350)
    Security Update for Windows XP (KB982381)
    Segoe UI
    SpeedFan (remove only)
    System Requirements Lab
    The Lord of the Rings FREE Trial
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows XP (KB894391)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB908531)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB911280)
    Update for Windows XP (KB914882)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB925720)
    Update for Windows XP (KB927891)
    Update for Windows XP (KB929338)
    Update for Windows XP (KB930916)
    Update for Windows XP (KB946501-v2)
    Update for Windows XP (KB955704)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB958752)
    Update for Windows XP (KB961503)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Update for Windows XP (KB978207)
    Update for Windows XP (KB980182)
    VCRedistSetup
    Vegas Pro 9.0
    WebFldrs XP
    Windows Imaging Component
    Windows Installer 3.1 (KB893803)
    Windows Internet Explorer 8
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Mail
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Live Sync
    Windows Live Upload Tool
    Windows Media Format 11 runtime
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB886677
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB891781
    .
    ==== Event Viewer Messages From Past Week ========
    .
    5/11/2011 8:19:35 PM, error: Service Control Manager [7022] - The Automatic Updates service hung on starting.
    .
    ==== End Of File ===========================
     
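Reading the GMER ROOTKIT block in the log above: the disk I/O call chain ends in code GMER cannot attribute to any loaded driver (`>>UNKNOWN [0x8B00E6F0]<<`), the atapi driver object's DriverStartIo routine has been redirected to 0x8B00E53B, 437 bytes away in that same region, its IRP_MJ_CREATE dispatch points straight at the unattributed address, and the user-mode MBR read failed while the kernel read succeeded. That is the disk-stack hooking pattern the TDL3/TDL4 (Tidserv) family is known for, and it is why "user & kernel MBR OK" is not reassuring: both reads went through the hooked driver. The Python below is an added example for this page, not code from the thread, from GMER or from TDSSKiller; it pulls those indicators out of a pasted GMER log. SAMPLE_INFECTED is the GMER text from the post above, SAMPLE_CLEAN is constructed for the negative case, and the indicator wording and the 64 KiB "same region" window are this example's own choices.

```python
"""Triage the ROOTKIT section of a GMER log for disk-stack hooks of the TDL3/TDL4 kind.

Added example; not part of GMER, TDSSKiller or the forum posts. SAMPLE_INFECTED is the
GMER output posted in the thread, SAMPLE_CLEAN is constructed. Indicator text and the
SAME_REGION window are this example's own heuristics.
"""
import re

SAMPLE_INFECTED = r"""
device: opened successfully
user: MBR read successfully
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8B00E6F0]<<
1 ntkrnlpa!IofCallDriver[0x804EF0BC] -> \Device\Harddisk0\DR0[0x8AFA6AB8]
3 CLASSPNP[0xBA11905B] -> ntkrnlpa!IofCallDriver[0x804EF0BC] -> \Device\0000007e[0x8B0612C0]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF0BC] -> [0x8B05E940]
\Driver\atapi[0x8B049488] -> IRP_MJ_CREATE -> 0x8B00E6F0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8B00E53B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
""".strip()

# Constructed negative case: same layout, every module attributed, no hooks, no read error.
SAMPLE_CLEAN = r"""
device: opened successfully
user: MBR read successfully
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys
kernel: MBR read successfully
detected disk devices:
detected hooks:
user & kernel MBR OK
""".strip()

HEX = r"0x[0-9A-Fa-f]+"
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(" + HEX + r")\]<<")
# "\Driver\atapi DriverStartIo -> 0x8B00E53B"  (entries under "detected hooks:")
HOOK_RE = re.compile(r"^(\\Driver\\[\w.]+)\s+(\w+)\s+->\s+(" + HEX + r")\s*$", re.M)
# "\Driver\atapi[0x8B049488] -> IRP_MJ_CREATE -> 0x8B00E6F0"  (dispatch table redirect)
DISPATCH_RE = re.compile(r"^(\\Driver\\[\w.]+)\[" + HEX + r"\]\s+->\s+(IRP_MJ_\w+)\s+->\s+(" + HEX + r")", re.M)
SAME_REGION = 0x10000  # heuristic: addresses within 64 KiB are treated as one unattributed blob


def near(a, b, window=SAME_REGION):
    """True when two hex addresses lie within `window` bytes of each other."""
    return abs(int(a, 16) - int(b, 16)) <= window


def triage(text):
    """Extract hook indicators from a GMER ROOTKIT section and return them with a verdict."""
    unknown = UNKNOWN_RE.findall(text)
    hooks = HOOK_RE.findall(text)
    dispatch = DISPATCH_RE.findall(text)
    indicators = []
    for addr in unknown:
        indicators.append(f"code at {addr} in the disk I/O call chain belongs to no loaded driver image")
    for driver, entry, target in hooks:
        if any(near(target, u) for u in unknown):
            indicators.append(f"{driver} {entry} is redirected to {target}, the same unattributed region")
        else:
            indicators.append(f"{driver} {entry} is redirected to {target}")
    for driver, irp, target in dispatch:
        if target in unknown:
            indicators.append(f"{driver} {irp} dispatch points straight at unattributed code {target}")
    if "error: Read" in text and "kernel: MBR read successfully" in text:
        indicators.append("user-mode MBR read failed while the kernel read succeeded: sector reads are being filtered")
    if hooks and "MBR OK" in text:
        indicators.append("'MBR OK' was obtained through the hooked driver and does not clear the boot sector")
    verdict = "likely disk-stack rootkit (TDL3/TDL4 pattern)" if (unknown or hooks) else "no disk-stack hook indicators"
    return {"unknown_code": unknown, "hooks": hooks, "dispatch_redirects": dispatch,
            "indicators": indicators, "verdict": verdict}


if __name__ == "__main__":
    for name, sample in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        result = triage(sample)
        print(f"[{name}] {result['verdict']}")
        for line in result["indicators"]:
            print("  -", line)
```

The point of the last indicator is the one that matters for this thread: GMER's MBR comparison cannot see past a hook that sits in the miniport's start-I/O path, so a clean-looking MBR from a live system proves nothing once that hook is present. Confirmation has to come from a tool that reads the sectors another way, or from an image taken while booted from other media.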
  2. Bobbye


    Welcome to TechSpot! You do appear to have a rootkit. I try to make my instructions clear, so all you have to do is follow them. If you have any questions, please feel free to ask me.

    Please keep this in mind: Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
    ============================================
    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file > Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double click on TDSSKiller.exe to run the scan.
    • When the scan is over, the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies selected actions and outputs the result. Please paste this log into your next reply.
      [*] A reboot is required after disinfection.

    ======================================================
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click on the download link to download the ESET Smart Installer. Save it to your desktop.
      [o] Double click on the installer icon on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish

    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    ==============================================
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow it.
    • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated and opened in a text window. Please paste the contents of C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    These scans should help find, then remove any malware. Please keep in mind, that if a malware infection is severe enough, or it appears that the system has been compromised, I would then recommend a reformat/reinstall. Hopefully we can avoid that.
     
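The tools requested above all start from the same place: read sector 0 of the physical disk and decide whether the boot code and partition table still look like what Windows wrote. As an added example for this page (not TDSSKiller, ComboFix or GMER code, and not the original posters' words), the Python below performs that first pass on a 512-byte MBR image: boot signature, partition table sanity (one active entry, no overlaps, nothing past the end of the disk), a check that the boot code still begins with the stock Windows XP loader, and a note when a large run of sectors at the end of the disk belongs to no partition, which is where TDL4 keeps its hidden storage. XP_MBR_PROLOGUE is the machine-code encoding of the instruction sequence GMER disassembled from the drive's MBR in the log above (the standard XP MBR: copy 0x1e5 bytes from 0x7c1b to 0x61b, RETF into the copy, then walk the four partition entries at 0x7be). The two MBR images, the disk size and the tail threshold are constructed for the example; the "tampered" boot code is a two-byte jump-to-self stand-in, not TDL4's loader.

```python
"""Sanity-check a 512-byte MBR image the way a bootkit scanner begins: boot signature,
partition table, and whether the boot code is still the stock Windows XP loader.

Added example for this thread; not TDSSKiller, ComboFix or GMER code, and it does not
reproduce TDL4's loader. XP_MBR_PROLOGUE encodes the MBR disassembly GMER printed in the
thread. Both MBR images and DISK_SECTORS are constructed; TAIL_SLACK_SECTORS is this
example's own threshold (one legacy 255x63 cylinder).
"""
import hashlib
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xAA"
TAIL_SLACK_SECTORS = 16065  # more unclaimed space than one legacy cylinder at the end is worth a look

# xor ax,ax; mov ss,ax; mov sp,7c00h; sti; push ax; pop es; push ax; pop ds; cld;
# mov si,7c1bh; mov di,061bh; push ax; push di; mov cx,01e5h; rep movsb; retf;
# mov bp,07beh; mov cl,4; cmp [bp+0],ch   (the sequence GMER disassembled)
XP_MBR_PROLOGUE = bytes.fromhex(
    "33C0 8ED0 BC007C FB 50 07 50 1F FC BE1B7C BF1B06 50 57 B9E501 F3A4 CB BDBE07 B104 386E00"
)


def parse_partitions(mbr):
    """Return the non-empty entries of the four-slot partition table at offset 446."""
    parts = []
    for i in range(4):
        raw = mbr[446 + 16 * i:446 + 16 * (i + 1)]
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", raw)  # CHS fields skipped
        if ptype:
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return parts


def check_mbr(mbr, disk_sectors):
    """Return partitions, a boot-code hash for baselining, and a list of findings (empty = clean)."""
    if len(mbr) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    findings = []
    if mbr[510:512] != BOOT_SIG:
        findings.append("boot signature 55AA missing")
    if not mbr.startswith(XP_MBR_PROLOGUE):
        findings.append("boot code does not begin with the stock XP loader prologue")
    parts = parse_partitions(mbr)
    active = sum(p["bootable"] for p in parts)
    if active != 1:
        findings.append(f"{active} active partitions, expected 1")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in parts)
    for (_, end_a), (start_b, _) in zip(spans, spans[1:]):
        if start_b < end_a:
            findings.append(f"partition table overlaps at LBA {start_b}")
    last = max((end for _, end in spans), default=0)
    if last > disk_sectors:
        findings.append("a partition extends past the end of the disk")
    elif disk_sectors - last > TAIL_SLACK_SECTORS:
        # TDL4 stores its hidden file system in sectors no partition claims, at the end of the disk
        findings.append(f"{disk_sectors - last} unpartitioned sectors at end of disk: image and inspect them")
    return {"partitions": parts, "findings": findings,
            "bootcode_sha256": hashlib.sha256(mbr[:440]).hexdigest()}


def build_mbr(bootcode, partitions, disk_signature=0x1234ABCD):
    """Assemble a constructed MBR: 440 bytes code, 4-byte disk signature, 2 zero bytes, table, 55AA."""
    code = bootcode.ljust(440, b"\x00")[:440]
    table = b"".join(struct.pack("<B3sB3sII", status, b"\xff\xff\xff", ptype, b"\xff\xff\xff", start, size)
                     for status, ptype, start, size in partitions)
    return code + struct.pack("<IH", disk_signature, 0) + table.ljust(64, b"\x00") + BOOT_SIG


# Constructed 750 GB disk: one active NTFS partition, then a second one running to the last sector.
DISK_SECTORS = 1465149168
CLEAN_MBR = build_mbr(XP_MBR_PROLOGUE, [(0x80, 0x07, 63, 1023474897), (0x00, 0x07, 1023474960, 441674208)])
# Constructed stand-in for a rewritten boot sector (jmp $ loop, NOT TDL4's code) whose table also
# shortens the last partition so that 20480 sectors at the end of the disk belong to nothing.
TAMPERED_MBR = build_mbr(b"\xEB\xFE", [(0x80, 0x07, 63, 1023474897), (0x00, 0x07, 1023474960, 441674208 - 20480)])

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        report = check_mbr(image, DISK_SECTORS)
        print(f"[{name}] bootcode sha256 {report['bootcode_sha256'][:16]}... findings: {report['findings'] or 'none'}")
```

Two caveats apply when using this against a real machine. The prologue check is specific to the XP-era Microsoft MBR; Vista/7 and third-party boot managers legitimately start differently, so treat a mismatch as "compare against your own baseline hash", not as proof of infection. And on a live host with the kind of hook GMER reported above, the sector you read through `\\.\PhysicalDrive0` is the one the hook hands back, so the image should be taken from a clean boot (WinPE or a Linux live system), which is the same reason the helper wants the Recovery Console available before cleaning.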
  3. Ris


    Thank you for your quick reply :). The scans took longer than I expected, but it seems that my computer is responding better than before. Anyhow, here are the logs:

    TDSSKiller:

    \HardDisk0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
    \HardDisk0 - ok

    ESETScan:

    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\14\3160e6ce-709eff74 multiple threats
    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\43\6c8c35eb-67a5e2b6 multiple threats
    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\58\1f240c7a-75449f13 multiple threats
    C:\Documents and Settings\Raymond l\Application Data\4C04B35473009D0376BECEE36CB4B4EC\enemies-names.txt Win32/Adware.AntimalwareDoctor.AE.Gen application
    C:\Documents and Settings\Raymond l\Application Data\4C04B35473009D0376BECEE36CB4B4EC\local.ini Win32/Adware.AntimalwareDoctor.AE.Gen application

    Combofix:

    ComboFix 11-05-13.02 - Raymond l 05/13/2011 21:30:19.3.4 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3579.2881 [GMT -4:00]
    Running from: c:\documents and settings\Raymond l\Desktop\ComboFix.exe
    AV: Norton Internet Security *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton Internet Security *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\360Rec
    c:\360rec\20100712\1805A3.vir
    c:\360rec\20100809\17326F.vir
    c:\360rec\20100816\020F5C.vir
    c:\documents and settings\Raymond l\Application Data\Adobe\plugs
    c:\documents and settings\Raymond l\Application Data\Adobe\shed
    c:\documents and settings\Raymond l\Local Settings\Application Data\{58F21841-FE97-4598-B35B-688FF89B1918}
    c:\documents and settings\Raymond l\Local Settings\Application Data\{58F21841-FE97-4598-B35B-688FF89B1918}\chrome.manifest
    c:\documents and settings\Raymond l\Local Settings\Application Data\{58F21841-FE97-4598-B35B-688FF89B1918}\chrome\content\_cfg.js
    c:\documents and settings\Raymond l\Local Settings\Application Data\{58F21841-FE97-4598-B35B-688FF89B1918}\chrome\content\overlay.xul
    c:\documents and settings\Raymond l\Local Settings\Application Data\{58F21841-FE97-4598-B35B-688FF89B1918}\install.rdf
    c:\documents and settings\Raymond l\WINDOWS
    c:\documents and settings\Raymond l\WINDOWS\system directory\d3dx9_37.dll
    c:\documents and settings\Raymond l\WINDOWS\system directory\readme.txt
    c:\program files\Downloaded Installers
    c:\windows\system32\Device.dll
    .
    .
    \\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
    .
    ((((((((((((((((((((((((( Files Created from 2011-04-14 to 2011-05-14 )))))))))))))))))))))))))))))))
    .
    .
    2011-05-14 00:37 . 2011-05-14 00:37 -------- d-----w- c:\program files\ESET
    2011-05-12 19:39 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-05-12 19:39 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-05-12 01:52 . 2011-05-12 01:52 17480 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2011-05-12 01:51 . 2011-05-12 01:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
    2011-05-09 22:48 . 2011-05-10 18:49 -------- d-----w- c:\windows\system32\drivers\NIS\1206000.01D
    2011-05-09 01:38 . 2011-05-09 01:45 -------- d-----w- c:\documents and settings\Raymond l\Application Data\PhotoScape
    2011-05-03 02:49 . 2011-05-03 02:49 -------- d-----w- c:\documents and settings\Raymond l\Application Data\Office Genuine Advantage
    2011-05-03 02:49 . 2011-05-03 02:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
    2011-05-01 04:39 . 2011-05-01 04:44 -------- d-----w- c:\windows\ie8updates
    2011-04-30 20:18 . 2010-05-06 10:41 599040 -c----w- c:\windows\system32\dllcache\msfeeds.dll
    2011-04-30 20:18 . 2010-05-06 10:41 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
    2011-04-30 20:18 . 2010-05-06 10:41 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
    2011-04-30 20:18 . 2010-05-06 10:41 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
    2011-04-30 20:18 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
    2011-04-30 20:18 . 2010-05-06 10:41 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
    2011-04-30 20:18 . 2010-05-06 10:41 11076096 -c----w- c:\windows\system32\dllcache\ieframe.dll
    2011-04-17 15:47 . 2011-04-29 20:22 -------- d-----w- c:\program files\GRETECH
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-05-09 22:49 . 2010-11-28 22:54 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2011-05-09 22:49 . 2010-11-28 22:54 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2009-03-16 19:36 . 2009-03-16 19:36 1691464 -c--a-w- c:\program files\dsetup32.dll
    2009-03-16 19:35 . 2009-03-16 19:35 525128 -c--a-w- c:\program files\DXSETUP.exe
    2009-03-16 19:35 . 2009-03-16 19:35 94024 -c--a-w- c:\program files\DSETUP.dll
    .
    .
    ------- Sigcheck -------
    .
    [7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
    [7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
    [7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\system32\dllcache\tcpip.sys
    [-] 2008-06-20 . 43333B1B7E6AE2D4367C7F0B366A85A6 . 360320 . . [5.1.2600.3394] . . c:\windows\system32\drivers\tcpip.sys
    [7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
    [-] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\tcpip.sys
    [7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "360sd"="c:\program files\360\360sd\360sdrun.exe" [2010-08-20 161280]
    "IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-06-25 1840424]
    "InstallIQUpdater"="c:\program files\W3i\InstallIQUpdater\InstallIQUpdater.exe" [2010-02-24 982528]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BCU"="c:\program files\DeviceVM\Browser Configuration Utility\BCU.exe" [2009-08-05 346320]
    "RTHDCPL"="RTHDCPL.EXE" [2009-08-24 18702336]
    "JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
    "36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2009-08-26 1970176]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-07-09 570664]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-05-07 202256]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "secureapp70700.exe"=c:\documents and settings\Raymond l\Application Data\4C04B35473009D0376BECEE36CB4B4EC\secureapp70700.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
    "ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
    "c:\\Program Files\\360\\360sd\\LiveUpdate360skin\\360sd-update.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\360\\360sd\\LiveUpdate360.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "58792:TCP"= 58792:TCP:pando Media Booster
    "58792:UDP"= 58792:UDP:pando Media Booster
    "56847:TCP"= 56847:TCP:pando Media Booster
    "56847:UDP"= 56847:UDP:pando Media Booster
    .
    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1206000.01D\symds.sys [5/9/2011 6:49 PM 340088]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1206000.01D\symefa.sys [5/9/2011 6:49 PM 744568]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20110430.001\BHDrvx86.sys [5/2/2011 9:02 PM 802936]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1206000.01D\ironx86.sys [5/9/2011 6:49 PM 136312]
    R2 BCUService;Browser Configuration Utility Service;c:\program files\DeviceVM\Browser Configuration Utility\BCUService.exe [1/7/2010 1:14 AM 219360]
    R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\18.6.0.29\ccsvchst.exe [5/9/2011 6:48 PM 130008]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/9/2011 10:28 PM 105592]
    R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20110512.001\IDSXpx86.sys [5/12/2011 8:22 PM 341944]
    S0 nielprt;Nielsen Patch Service; [x]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [1/7/2010 1:17 AM 1684736]
    S3 EraserUtilDrvI9;EraserUtilDrvI9;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI9.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI9.sys [?]
    S3 NielGfx;Nielsen USB GFX; [x]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
    S3 XDva346;XDva346; [x]
    S3 XDva351;XDva351; [x]
    S3 XDva372;XDva372;\??\c:\windows\system32\XDva372.sys --> c:\windows\system32\XDva372.sys [?]
    S3 XDva373;XDva373; [x]
    S3 XDva380;XDva380;\??\c:\windows\system32\XDva380.sys --> c:\windows\system32\XDva380.sys [?]
    S3 XDva383;XDva383;\??\c:\windows\system32\XDva383.sys --> c:\windows\system32\XDva383.sys [?]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bdx REG_MULTI_SZ scan sysagent
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-05-14 c:\windows\Tasks\OGALogon.job
    - c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]
    .
    2011-05-14 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-18.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
    .
    2011-05-14 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-448539723-1972579041-725345543-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
    .
    2011-05-10 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-18.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
    .
    2011-05-14 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-448539723-1972579041-725345543-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
    .
    2011-05-14 c:\windows\Tasks\WGASetup.job
    - c:\windows\system32\KB905474\wgasetup.exe [2010-01-11 06:18]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
    IE: ?????? - c:\program files\Thunder Network\Thunder\Program\GetUrl.htm
    IE: ?????????? - c:\program files\Thunder Network\Thunder\Program\GetAllUrl.htm
    IE: ???????? - c:\program files\Thunder Network\Thunder\Program\OfflineDownload.htm
    FF - ProfilePath - c:\documents and settings\Raymond l\Application Data\Mozilla\Firefox\Profiles\xdex0rkd.default\
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
    FF - Ext: Symantec IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\IPSFFPlgn
    FF - Ext: Norton Toolbar: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62} - c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\coFFPlgn
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: All-in-One Sidebar: {097d3191-e6fa-4728-9826-b533d755359d} - %profile%\extensions\{097d3191-e6fa-4728-9826-b533d755359d}
    FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
    FF - user.js: general.useragent.extra.brc -
    .
    - - - - ORPHANS REMOVED - - - -
    .
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
    AddRemove-HitmanPro35 - c:\documents and settings\Raymond l\My Documents\Downloads\HitmanPro35.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-05-13 21:36
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NIS]
    "ImagePath"="\"c:\program files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\18.6.0.29\diMaster.dll\" /prefetch:1"
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\npggsvc]
    "ImagePath"="c:\windows\system32\GameMon.des -service"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(636)
    c:\windows\system32\Ati2evxx.dll
    c:\windows\system32\atiadlxx.dll
    .
    Completion time: 2011-05-13 21:38:09
    ComboFix-quarantined-files.txt 2011-05-14 01:37
    ComboFix2.txt 2010-07-13 18:22
    .
    Pre-Run: 356,635,500,544 bytes free
    Post-Run: 359,322,165,248 bytes free
    .
    - - End Of File - - 748F1F0C277155D2D04F623B6F7E5D0F
     
  4. Bobbye


  5. Ris


    Alright, thank you. I've already notified the other forum that I'm receiving help here.
     
  6. Bobbye


    They will appreciate your consideration.
    For the Eset entries: 3 entries are in the Java cache:
    To clear the Java Plug-in cache:

    [1]. Click Start > Control Panel.
    [2]. Double-click the Java icon in the control panel. The Java Control Panel appears.
    [3]. Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
    [4]. Click Delete Files. The Delete Temporary Files dialog box appears.
    There are three options on this window to clear the cache. Check all:
    • Delete Files
    • View Applications
    • View Applets
    [5]. Click OK on the Delete Temporary Files window.
    Note: This deletes all the Downloaded Applications and Applets from the cache.
    [6]. Click Apply > OK on the Temporary Files Settings window.
    Note: If you want to delete a specific application or applet from the cache, click on the View Applications and View Applets options respectively.
    =============================================
    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right-click on OTMoveIt3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files  
      C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\14\3160e6ce-709eff74 
      C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\43\6c8c35eb-67a5e2b6 
      C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\58\1f240c7a-75449f13 
      C:\Documents and Settings\Raymond l\Application Data\4C04B35473009D0376BECEE36CB4B4EC\enemies-names.txt 
      C:\Documents and Settings\Raymond l\Application Data\4C04B35473009D0376BECEE36CB4B4EC\local.ini 
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    =============================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open Notepad > click on Format > uncheck 'Word Wrap' > and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    KillAll::
    File::
    c:\windows\system32\drivers\hitmanpro35.sys
    c:\windows\system32\XDva372.sys
    c:\windows\system32\XDva380.sys
    c:\windows\system32\XDva383.sys
    Folder::
    c:\documents and settings\All Users\Application Data\Hitman Pro
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "360sd"=-
    "InstallIQUpdater"=-
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "secureapp70700.exe"=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\360\\360sd\\LiveUpdate360skin\\360sd-update.exe"=-
    "c:\\Program Files\\360\\360sd\\LiveUpdate360.exe"=
    DDS::
    IE: ?????? - c:\program files\thunder network\thunder\program\GetUrl.htm
    IE: ?????????? - c:\program files\thunder network\thunder\program\GetAllUrl.htm
    IE: ???????? - c:\program files\thunder network\thunder\program\OfflineDownload.htm
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} 
    Extra::
    File::
    c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
    c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
    c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    Firefox:: 
    Firefox-: - Profile - c:\docume~1\raymon~1\applic~1\mozilla\firefox\profiles\xdex0rkd.default\
    Driver::
    nielprt
    NielGfx
    XDva346
    XDva351
    XDva372
    XDva373
    XDva380
    XDva383
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    There were a considerable number of malware-related processes. Some will also require you to uninstall programs. I have put the remaining Hitman Pro entries in the script for removal. This program is a bundle of freeware programs that can be found on the internet. All of those programs will remove bad entries. Hitman Pro will only do that during the trial period. After that, you have to pay for removal.
    ====================
    Go ahead and run this while I get the program together for you to uninstall.
     
  7. Ris


    Thank you :).
    Here are the logs:


    OTM:

    All processes killed
    ========== FILES ==========
    File/Folder C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\14\3160e6ce-709eff74 not found.
    File/Folder C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\43\6c8c35eb-67a5e2b6 not found.
    File/Folder C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\58\1f240c7a-75449f13 not found.
    File/Folder C:\Documents and Settings\Raymond l\Application Data\4C04B35473009D0376BECEE36CB4B4EC\enemies-names.txt not found.
    File/Folder C:\Documents and Settings\Raymond l\Application Data\4C04B35473009D0376BECEE36CB4B4EC\local.ini not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Flash cache emptied: 0 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Raymond l
    ->Temp folder emptied: 667644 bytes
    ->Temporary Internet Files folder emptied: 47657 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 4474228 bytes
    ->Flash cache emptied: 148098 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 2142714 bytes
    %systemroot%\System32 .tmp files removed: 2675729 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 16384 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 266090658 bytes

    Total Files Cleaned = 264.00 mb


    OTM by OldTimer - Version 3.1.17.2 log created on 05142011_230008

    Files moved on Reboot...
    File C:\WINDOWS\temp\Perflib_Perfdata_19c.dat not found!

    Registry entries deleted on Reboot...





    Combofix:

    ComboFix 11-05-13.02 - Raymond l 05/14/2011 23:09:19.4.4 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3579.2869 [GMT -4:00]
    Running from: c:\documents and settings\Raymond l\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Raymond l\Desktop\CFScript.txt
    AV: Norton Internet Security *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton Internet Security *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
    .
    FILE ::
    "c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}"
    "c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}"
    "c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}"
    "c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}"
    "c:\windows\system32\drivers\hitmanpro35.sys"
    "c:\windows\system32\XDva372.sys"
    "c:\windows\system32\XDva380.sys"
    "c:\windows\system32\XDva383.sys"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\360Rec
    c:\documents and settings\All Users\Application Data\Hitman Pro
    c:\windows\system32\drivers\hitmanpro35.sys
    .
    .
    \\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_XDVA346
    -------\Legacy_XDVA351
    -------\Legacy_XDVA372
    -------\Legacy_XDVA373
    -------\Legacy_XDVA380
    -------\Legacy_XDVA383
    -------\Service_NielGfx
    -------\Service_nielprt
    -------\Service_XDva346
    -------\Service_XDva351
    -------\Service_XDva372
    -------\Service_XDva373
    -------\Service_XDva380
    -------\Service_XDva383
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-04-15 to 2011-05-15 )))))))))))))))))))))))))))))))
    .
    .
    2011-05-15 02:56 . 2011-05-15 02:56 -------- d-----w- C:\_OTM
    2011-05-14 22:23 . 2011-05-14 22:23 -------- d-----w- c:\program files\Common Files\Adobe
    2011-05-14 22:23 . 2011-05-14 22:23 -------- d-----w- c:\documents and settings\Raymond l\Local Settings\Application Data\Adobe
    2011-05-14 00:37 . 2011-05-14 00:37 -------- d-----w- c:\program files\ESET
    2011-05-12 19:39 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-05-12 19:39 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-05-09 22:48 . 2011-05-10 18:49 -------- d-----w- c:\windows\system32\drivers\NIS\1206000.01D
    2011-05-09 01:38 . 2011-05-09 01:45 -------- d-----w- c:\documents and settings\Raymond l\Application Data\PhotoScape
    2011-05-03 02:49 . 2011-05-03 02:49 -------- d-----w- c:\documents and settings\Raymond l\Application Data\Office Genuine Advantage
    2011-05-03 02:49 . 2011-05-03 02:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
    2011-05-01 04:39 . 2011-05-01 04:44 -------- d-----w- c:\windows\ie8updates
    2011-04-30 20:18 . 2010-05-06 10:41 599040 -c----w- c:\windows\system32\dllcache\msfeeds.dll
    2011-04-30 20:18 . 2010-05-06 10:41 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
    2011-04-30 20:18 . 2010-05-06 10:41 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
    2011-04-30 20:18 . 2010-05-06 10:41 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
    2011-04-30 20:18 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
    2011-04-30 20:18 . 2010-05-06 10:41 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
    2011-04-30 20:18 . 2010-05-06 10:41 11076096 -c----w- c:\windows\system32\dllcache\ieframe.dll
    2011-04-17 15:47 . 2011-04-29 20:22 -------- d-----w- c:\program files\GRETECH
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-05-09 22:49 . 2010-11-28 22:54 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2011-05-09 22:49 . 2010-11-28 22:54 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2009-03-16 19:36 . 2009-03-16 19:36 1691464 -c--a-w- c:\program files\dsetup32.dll
    2009-03-16 19:35 . 2009-03-16 19:35 525128 -c--a-w- c:\program files\DXSETUP.exe
    2009-03-16 19:35 . 2009-03-16 19:35 94024 -c--a-w- c:\program files\DSETUP.dll
    .
    .
    ------- Sigcheck -------
    .
    [7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
    [7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
    [7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\system32\dllcache\tcpip.sys
    [-] 2008-06-20 . 43333B1B7E6AE2D4367C7F0B366A85A6 . 360320 . . [5.1.2600.3394] . . c:\windows\system32\drivers\tcpip.sys
    [7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
    [-] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\tcpip.sys
    [7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-05-14_01.36.13 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-05-15 03:17 . 2011-05-15 03:17 16384 c:\windows\Temp\Perflib_Perfdata_504.dat
    + 2011-05-15 03:15 . 2011-05-15 03:15 16384 c:\windows\Temp\Perflib_Perfdata_3e0.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-06-25 1840424]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BCU"="c:\program files\DeviceVM\Browser Configuration Utility\BCU.exe" [2009-08-05 346320]
    "RTHDCPL"="RTHDCPL.EXE" [2009-08-24 18702336]
    "JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
    "36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2009-08-26 1970176]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-07-09 570664]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-05-07 202256]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
    "ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
    "c:\\Program Files\\360\\360sd\\LiveUpdate360skin\\360sd-update.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\360\\360sd\\LiveUpdate360.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "58792:TCP"= 58792:TCP:pando Media Booster
    "58792:UDP"= 58792:UDP:pando Media Booster
    "56847:TCP"= 56847:TCP:pando Media Booster
    "56847:UDP"= 56847:UDP:pando Media Booster
    .
    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1206000.01D\symds.sys [5/9/2011 6:49 PM 340088]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1206000.01D\symefa.sys [5/9/2011 6:49 PM 744568]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20110430.001\BHDrvx86.sys [5/2/2011 9:02 PM 802936]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1206000.01D\ironx86.sys [5/9/2011 6:49 PM 136312]
    R2 BCUService;Browser Configuration Utility Service;c:\program files\DeviceVM\Browser Configuration Utility\BCUService.exe [1/7/2010 1:14 AM 219360]
    R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\18.6.0.29\ccsvchst.exe [5/9/2011 6:48 PM 130008]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/9/2011 10:28 PM 105592]
    R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20110513.001\IDSXpx86.sys [5/13/2011 11:14 PM 341944]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [1/7/2010 1:17 AM 1684736]
    S3 EraserUtilDrvI9;EraserUtilDrvI9;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI9.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI9.sys [?]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bdx REG_MULTI_SZ scan sysagent
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-05-15 c:\windows\Tasks\OGALogon.job
    - c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]
    .
    2011-05-15 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-18.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
    .
    2011-05-15 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-448539723-1972579041-725345543-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
    .
    2011-05-10 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-18.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
    .
    2011-05-15 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-448539723-1972579041-725345543-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
    .
    2011-05-15 c:\windows\Tasks\WGASetup.job
    - c:\windows\system32\KB905474\wgasetup.exe [2010-01-11 06:18]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
    IE: ?????? - c:\program files\Thunder Network\Thunder\Program\GetUrl.htm
    IE: ?????????? - c:\program files\Thunder Network\Thunder\Program\GetAllUrl.htm
    IE: ???????? - c:\program files\Thunder Network\Thunder\Program\OfflineDownload.htm
    FF - ProfilePath - c:\documents and settings\Raymond l\Application Data\Mozilla\Firefox\Profiles\xdex0rkd.default\
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
    FF - Ext: Symantec IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\IPSFFPlgn
    FF - Ext: Norton Toolbar: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62} - c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\coFFPlgn
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: All-in-One Sidebar: {097d3191-e6fa-4728-9826-b533d755359d} - %profile%\extensions\{097d3191-e6fa-4728-9826-b533d755359d}
    FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
    FF - user.js: general.useragent.extra.brc -
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-05-14 23:16
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NIS]
    "ImagePath"="\"c:\program files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\18.6.0.29\diMaster.dll\" /prefetch:1"
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\npggsvc]
    "ImagePath"="c:\windows\system32\GameMon.des -service"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(636)
    c:\windows\system32\Ati2evxx.dll
    c:\windows\system32\atiadlxx.dll
    .
    - - - - - - - > 'explorer.exe'(400)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    c:\windows\system32\browselc.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\Ati2evxx.exe
    c:\program files\360\360sd\360rp.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Canon\CAL\CALMAIN.exe
    c:\windows\RTHDCPL.EXE
    c:\program files\Common Files\Nero\Lib\NMIndexingService.exe
    .
    **************************************************************************
    .
    Completion time: 2011-05-14 23:18:28 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-05-15 03:18
    ComboFix2.txt 2011-05-14 01:38
    ComboFix3.txt 2010-07-13 18:22
    .
    Pre-Run: 347,541,315,584 bytes free
    Post-Run: 347,461,775,360 bytes free
    .
    - - End Of File - - 66FA55B0FEBAB1EA3D9C3B4EC0F35D80
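    The most important line in the ComboFix log above is `\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected`. TDL4 (the TDSS family) does not live in a file on the NTFS volume: it overwrites the bootstrap code in the master boot record so that its loader runs before Windows and can hide its driver from file-level scanners, which is why the MBAM quick scan and the catchme hidden-file scan both came back clean while the redirects continued. After a tool reports the MBR disinfected, a practitioner wants an independent check that sector 0 is back in a known-good state. The Python below is an added example for that check; it is not code from this thread, from ComboFix or from Symantec. It parses a 512-byte MBR image, verifies the 0x55AA signature and the partition table, hashes the 446-byte bootstrap area and compares it with a baseline, and reports any unpartitioned space after the last partition, because TDL4 keeps its hidden file system in the unallocated sectors at the end of the disk. The baseline hash, the two sample MBR images and the disk size are constructed inline for the demonstration; on a real machine the baseline must be taken from a known-clean disk running the same Windows version, and reading `\\.\PhysicalDrive0` requires administrator rights.

```python
"""Sanity-check a master boot record against a known-good baseline.

Added example; the sample images and baseline below are constructed, not taken
from the infected machine in the thread.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import List

MBR_SIZE = 512
CODE_SIZE = 446                  # bootstrap code occupies bytes 0..445
PART_TABLE_OFFSET = 446          # four 16-byte partition entries follow it
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"     # bytes 510..511 of a valid MBR


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def parse_partitions(mbr: bytes) -> List[Partition]:
    """Decode the four partition table entries; empty slots (type 0) are skipped."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", mbr[off:off + PART_ENTRY_SIZE])
        if ptype == 0:
            continue
        parts.append(Partition(i, status == 0x80, ptype, lba_start, sectors))
    return parts


def bootstrap_sha256(mbr: bytes) -> str:
    """Hash only the bootstrap code; the partition table legitimately differs per disk."""
    return hashlib.sha256(mbr[:CODE_SIZE]).hexdigest()


def check_mbr(mbr: bytes, baseline_sha256: str, disk_sectors: int) -> List[str]:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    if len(mbr) != MBR_SIZE:
        return [f"expected {MBR_SIZE} bytes, got {len(mbr)}"]
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if bootstrap_sha256(mbr) != baseline_sha256:
        findings.append("bootstrap code differs from the known-good baseline")
    parts = parse_partitions(mbr)
    active = [p.index for p in parts if p.bootable]
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, found {len(active)}")
    if parts:
        # Unpartitioned sectors after the last partition are where TDL4 stores its
        # hidden file system. A few hundred sectors of alignment slack are normal;
        # anything larger deserves a look with a disk editor.
        slack = disk_sectors - max(p.lba_start + p.sectors for p in parts)
        if slack > 0:
            findings.append(f"{slack} sectors unallocated after the last partition")
    return findings


def read_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a raw device (requires administrator rights on Windows)."""
    with open(device, "rb") as f:
        return f.read(MBR_SIZE)


def _build_mbr(code: bytes, entries: List[bytes]) -> bytes:
    """Assemble a 512-byte MBR image from bootstrap bytes and partition entries."""
    table = b"".join(entries) + b"\x00" * (PART_ENTRY_SIZE * (4 - len(entries)))
    return code.ljust(CODE_SIZE, b"\x00") + table + BOOT_SIGNATURE


# Constructed sample data: one active NTFS (type 0x07) partition starting at LBA 63.
NTFS_ENTRY = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 100_000)
CLEAN_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"      # a few plausible x86 boot-code bytes
CLEAN_MBR = _build_mbr(CLEAN_CODE, [NTFS_ENTRY])
BASELINE = bootstrap_sha256(CLEAN_MBR)                  # would be recorded from a clean disk
# Same partition table, but the loader bytes replaced: the shape a bootkit leaves behind.
TAMPERED_MBR = _build_mbr(b"\xeb\xfe" + b"\x90" * 30, [NTFS_ENTRY])
DISK_SECTORS = 63 + 100_000                             # constructed disk size in sectors


if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(image, BASELINE, DISK_SECTORS) or "OK")
```

    To use it on a live system, call `read_mbr()` from an elevated prompt and pass the result to `check_mbr` together with a baseline hash recorded before the infection (or from a freshly installed machine of the same Windows version) and the disk's sector count; a signature or table that parses fine but a bootstrap hash that still differs from the baseline means the disinfection did not restore the original loader.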
     
  8. Bobbye


    Would like to mention that a large number of files were moved in OTM: Total Files Cleaned = 264.00 mb. When I see this, I remind you that you should be doing routine maintenance on the system. This number would indicate that you are probably not doing that.

    The files that weren't found in the Eset scan were the ones you removed in the Java cache. It's just a double check to make sure they are gone.
    ====================================================
    The following should be uninstalled:
    360??
    Thunder Network
    InstallIQ Updater
    Java(TM) 6 Update 23
    secureapp70700.exe> part of Antimalware Doctor. Check hidden files and Add/Remove

    ==============================================
    The following Scheduled Tasks should be stopped: Each is entered twice. Remove all:
    RealUpgradeLogonTaskS
    RealUpgradeLogonTaskS
    RealUpgradeScheduledTaskS
    RealUpgradeScheduledTaskS
    Scheduled Tasks
    Most of these found are usually auto-updates scheduled for programs that do not need them. They will make numerous internet connections every day, looking for updates that you can find manually. You want to keep these connection attempts as few as possible and then only if needed for the system. The only auto-update I get is for the AV program.
    Opening scheduled tasks to modify or delete them:
    Access Scheduled Tasks with Click on Start> All Programs> Accessories> System Tools> Scheduled Tasks.
    To change the settings for a task: right-click the Task> click Properties> do any of the following:
    1. To change the schedule for the task, click the Schedule tab.
    2. To customize the settings for the task, such as the maximum run time, idle time requirements, and power management options, click the Settings tab.
    3. To delete a task> right-click the task> click Delete.
    4. To prevent a task from running until you want to let it run again> right-click the task> Properties> On the General tab> clear the Enabled check box. Select the check box again to enable the task when you are ready to let the task scheduler run it again.
    ===========================================
    You have 2 of these processes running:
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\Ati2evxx.exe

    This is a legitimate process that is installed along with ATI display adapters to provide additional configuration options for supported devices. It is usually installed as a separate entity, and it is related to graphics, so it uses significant amounts of CPU memory. Ati2evxx.exe is considered a non-essential process and does not need to be included for ATI display adapters to work. If you choose, you can disable and remove Ati2evxx.exe from your start-up.
    ===========================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    c:\program files\Real\RealUpgrade\realupgrade.exe
    c:\program files\360\360sd\360rp.exe
    DDS::
    IE: ?????? - c:\program files\Thunder Network\Thunder\Program\GetUrl.htm
    IE: ?????????? - c:\program files\Thunder Network\Thunder\Program\GetAllUrl.htm
    IE: ???????? - c:\program files\Thunder Network\Thunder\Program\OfflineDownload.htm
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\360\\360sd\\LiveUpdate360skin\\360sd-update.exe"=-
    "c:\\Program Files\\360\\360sd\\LiveUpdate360.exe"=-
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    Please open Firefox> Tools> Options> Extensions> Remove Java v6u18, v6u21 and v6u23.
    Check the plug-in section for these also.

    Update Java on the OS to v6u24. Check this site: Java Updates. Uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system. You do not need to add a separate extension to Firefox.
    ========================
    When you have finished all of the above, please do the following:
    Download HijackThis and save to your desktop.
    • Extract it to a directory on your hard drive called c:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log file will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

    Leave the new Combofix log and HijackThis log in next reply.
     
  9. Ris

    Ris TS Rookie Topic Starter

    I was unable to uninstall 'Thunder Network' and the 'secureapp70700.exe.' However, I did find the folder for 'Thunder Network' and deleted it. Would it be alright if I continued or no? Also, I was unable to get rid of 'Scheduled Tasks' since it didn't seem to exist in the scheduled tasks.
     
  10. Ris

    Ris TS Rookie Topic Starter

    Alright, I've completed the steps; I hope it was alright for me to continue.

    Combofix:

    ComboFix 11-05-13.02 - Raymond l 05/15/2011 13:55:21.5.4 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3579.3104 [GMT -4:00]
    Running from: c:\documents and settings\Raymond l\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Raymond l\Desktop\CFScript.txt
    AV: Norton Internet Security *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton Internet Security *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
    .
    FILE ::
    "c:\program files\360\360sd\360rp.exe"
    "c:\program files\Real\RealUpgrade\realupgrade.exe"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\360Rec
    c:\program files\Real\RealUpgrade\realupgrade.exe
    .
    .
    \\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
    .
    ((((((((((((((((((((((((( Files Created from 2011-04-15 to 2011-05-15 )))))))))))))))))))))))))))))))
    .
    .
    2011-05-15 02:56 . 2011-05-15 02:56 -------- d-----w- C:\_OTM
    2011-05-14 00:37 . 2011-05-14 00:37 -------- d-----w- c:\program files\ESET
    2011-05-12 19:39 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-05-12 19:39 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-05-09 22:48 . 2011-05-10 18:49 -------- d-----w- c:\windows\system32\drivers\NIS\1206000.01D
    2011-05-09 01:38 . 2011-05-09 01:45 -------- d-----w- c:\documents and settings\Raymond l\Application Data\PhotoScape
    2011-05-03 02:49 . 2011-05-03 02:49 -------- d-----w- c:\documents and settings\Raymond l\Application Data\Office Genuine Advantage
    2011-05-03 02:49 . 2011-05-03 02:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
    2011-05-01 04:39 . 2011-05-01 04:44 -------- d-----w- c:\windows\ie8updates
    2011-04-30 20:18 . 2010-05-06 10:41 599040 -c----w- c:\windows\system32\dllcache\msfeeds.dll
    2011-04-30 20:18 . 2010-05-06 10:41 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
    2011-04-30 20:18 . 2010-05-06 10:41 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
    2011-04-30 20:18 . 2010-05-06 10:41 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
    2011-04-30 20:18 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
    2011-04-30 20:18 . 2010-05-06 10:41 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
    2011-04-30 20:18 . 2010-05-06 10:41 11076096 -c----w- c:\windows\system32\dllcache\ieframe.dll
    2011-04-17 15:47 . 2011-04-29 20:22 -------- d-----w- c:\program files\GRETECH
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-05-09 22:49 . 2010-11-28 22:54 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2011-05-09 22:49 . 2010-11-28 22:54 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2009-03-16 19:36 . 2009-03-16 19:36 1691464 -c--a-w- c:\program files\dsetup32.dll
    2009-03-16 19:35 . 2009-03-16 19:35 525128 -c--a-w- c:\program files\DXSETUP.exe
    2009-03-16 19:35 . 2009-03-16 19:35 94024 -c--a-w- c:\program files\DSETUP.dll
    .
    .
    ------- Sigcheck -------
    .
    [7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
    [7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
    [7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\system32\dllcache\tcpip.sys
    [-] 2008-06-20 . 43333B1B7E6AE2D4367C7F0B366A85A6 . 360320 . . [5.1.2600.3394] . . c:\windows\system32\drivers\tcpip.sys
    [7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
    [-] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\tcpip.sys
    [7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-05-14_01.36.13 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-05-15 17:55 . 2011-05-15 17:55 16384 c:\windows\Temp\Perflib_Perfdata_57c.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-06-25 1840424]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BCU"="c:\program files\DeviceVM\Browser Configuration Utility\BCU.exe" [2009-08-05 346320]
    "RTHDCPL"="RTHDCPL.EXE" [2009-08-24 18702336]
    "JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
    "36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2009-08-26 1970176]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-07-09 570664]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-05-07 202256]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
    "ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "58792:TCP"= 58792:TCP:pando Media Booster
    "58792:UDP"= 58792:UDP:pando Media Booster
    "56847:TCP"= 56847:TCP:pando Media Booster
    "56847:UDP"= 56847:UDP:pando Media Booster
    .
    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1206000.01D\symds.sys [5/9/2011 6:49 PM 340088]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1206000.01D\symefa.sys [5/9/2011 6:49 PM 744568]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20110430.001\BHDrvx86.sys [5/2/2011 9:02 PM 802936]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1206000.01D\ironx86.sys [5/9/2011 6:49 PM 136312]
    R2 BCUService;Browser Configuration Utility Service;c:\program files\DeviceVM\Browser Configuration Utility\BCUService.exe [1/7/2010 1:14 AM 219360]
    R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\18.6.0.29\ccsvchst.exe [5/9/2011 6:48 PM 130008]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/9/2011 10:28 PM 105592]
    R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20110513.001\IDSXpx86.sys [5/13/2011 11:14 PM 341944]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [1/7/2010 1:17 AM 1684736]
    S3 EraserUtilDrvI9;EraserUtilDrvI9;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI9.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI9.sys [?]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-05-15 c:\windows\Tasks\OGALogon.job
    - c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]
    .
    2011-05-15 c:\windows\Tasks\WGASetup.job
    - c:\windows\system32\KB905474\wgasetup.exe [2010-01-11 06:18]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
    IE: ?????? - c:\program files\Thunder Network\Thunder\Program\GetUrl.htm
    IE: ?????????? - c:\program files\Thunder Network\Thunder\Program\GetAllUrl.htm
    IE: ???????? - c:\program files\Thunder Network\Thunder\Program\OfflineDownload.htm
    FF - ProfilePath - c:\documents and settings\Raymond l\Application Data\Mozilla\Firefox\Profiles\xdex0rkd.default\
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
    FF - Ext: Symantec IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\IPSFFPlgn
    FF - Ext: Norton Toolbar: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62} - c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\coFFPlgn
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: All-in-One Sidebar: {097d3191-e6fa-4728-9826-b533d755359d} - %profile%\extensions\{097d3191-e6fa-4728-9826-b533d755359d}
    FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
    FF - user.js: general.useragent.extra.brc -
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-05-15 14:00
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NIS]
    "ImagePath"="\"c:\program files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\18.6.0.29\diMaster.dll\" /prefetch:1"
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\npggsvc]
    "ImagePath"="c:\windows\system32\GameMon.des -service"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(584)
    c:\windows\system32\Ati2evxx.dll
    c:\windows\system32\atiadlxx.dll
    .
    Completion time: 2011-05-15 14:01:18
    ComboFix-quarantined-files.txt 2011-05-15 18:01
    ComboFix2.txt 2011-05-15 03:18
    ComboFix3.txt 2011-05-14 01:38
    ComboFix4.txt 2010-07-13 18:22
    .
    Pre-Run: 347,576,594,432 bytes free
    Post-Run: 347,556,225,024 bytes free
    .
    - - End Of File - - 09343CECAD7ABE3A5D15CF92944134E3




    HijackThis:

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 9:01:07 PM, on 5/15/2011
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\DeviceVM\Browser Configuration Utility\BCU.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\iTunes\iTunes.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
    C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\Windows Live\Contacts\wlcomm.exe
    C:\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: SearchHook Class - {BC86E1AB-EDA5-4059-938F-CE307B0C6F0A} - C:\Program Files\DeviceVM\Browser Configuration Utility\AddressBarSearch.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - (no file)
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
    O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\18.6.0.29\coIEPlg.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\18.6.0.29\IPS\IPSBHO.DLL
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\18.6.0.29\coIEPlg.dll
    O4 - HKLM\..\Run: [BCU] "C:\Program Files\DeviceVM\Browser Configuration Utility\BCU.exe"
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
    O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} (MabinogiWebAvatarRenderer Class) - http://avatar.mabinogi.jp/3drender/renderer/mabiweb.2010.05.24.cab
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Browser Configuration Utility Service (BCUService) - DeviceVM, Inc. - C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

    --
    End of file - 6957 bytes
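    As an added example (not a tool from this thread, nor from the HijackThis or ComboFix authors), a small Python triage script that reads the two log formats posted above and pulls out the items a helper reviews first: O4 autoruns, O23 services whose binary is missing, the Windows-firewall policy block and any bootkit line. The sample lines are copied from the logs in this thread; the function names are my own.

```python
"""Triage of HijackThis and ComboFix logs (added example, not the thread's own tool)."""
import re
from typing import Dict, List

# Constructed sample input: a few lines copied from the logs posted in the thread.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
"""

COMBOFIX_SAMPLE = r"""
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58792:TCP"= 58792:TCP:pando Media Booster
"58792:UDP"= 58792:UDP:pando Media Booster
"""

# HijackThis line shapes: "O4 - HKLM\..\Run: [name] command" and
# "O23 - Service: name - owner - path [(file missing)]".
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# ComboFix "Reg Loading Points" shapes: "[key]" headers and "name"= data lines.
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<data>.*)$')
BOOTKIT_RE = re.compile(r"Bootkit (?P<name>\S+) was found")


def parse_hijackthis(text: str) -> Dict[str, list]:
    """Collect O4 autoruns and O23 services from a HijackThis log."""
    autoruns, services = [], []
    for line in text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            autoruns.append((m["hive"], m["name"], m["cmd"]))
        elif m := O23_RE.match(line):
            services.append({"name": m["name"], "owner": m["owner"],
                             "path": m["path"], "missing": m["missing"] is not None})
    return {"autoruns": autoruns, "services": services}


def parse_combofix(text: str) -> dict:
    """Pull the firewall-policy block and any bootkit line out of a ComboFix log."""
    result = {"bootkit": None, "firewall_enabled": None,
              "authorized_apps": [], "open_ports": []}
    key = ""
    for line in text.splitlines():
        line = line.strip()
        if m := BOOTKIT_RE.search(line):
            result["bootkit"] = m["name"]
        elif m := KEY_RE.match(line):
            key = m["key"].lower()          # remember which registry key we are under
        elif m := VALUE_RE.match(line):
            name, data = m["name"], m["data"]
            if key.endswith("firewallpolicy\\standardprofile") and name == "EnableFirewall":
                result["firewall_enabled"] = data.split()[0] != "0"
            elif key.endswith("authorizedapplications\\list"):
                # ComboFix prints these value names with doubled backslashes
                result["authorized_apps"].append(name.replace("\\\\", "\\"))
            elif key.endswith("globallyopenports\\list"):
                result["open_ports"].append(name)
    return result


def triage(hjt_text: str, cf_text: str) -> List[str]:
    """Turn the parsed logs into the short list a helper would review first."""
    hjt, cf = parse_hijackthis(hjt_text), parse_combofix(cf_text)
    findings = []
    if cf["bootkit"]:
        findings.append(f"ComboFix reported bootkit {cf['bootkit']} on the MBR (found and disinfected)")
    if cf["firewall_enabled"] is False:
        findings.append("Windows Firewall standard profile is off (EnableFirewall=0); "
                        "confirm a third-party firewall is active")
    for svc in hjt["services"]:
        if svc["missing"]:
            findings.append(f"service '{svc['name']}' points to a missing binary: {svc['path']}")
    for hive, name, cmd in hjt["autoruns"]:
        findings.append(f"autorun {hive} [{name}]: {cmd}")
    findings.append(f"{len(cf['authorized_apps'])} firewall-authorized apps, "
                    f"{len(cf['open_ports'])} globally open ports")
    return findings


if __name__ == "__main__":
    for item in triage(HJT_SAMPLE, COMBOFIX_SAMPLE):
        print("-", item)
```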
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, the only concern I still have is the Thunder Network entries:
    The problem with the Thunder Network entries in IE looks like it was due to a language difference. But if any entries for this were still running, they would have been in the HJT log, and they weren't. So it looks like deleting the folder worked.
    ============================================
    And the outdated Java entries still in the Firefox Extensions: please remove.
    Regarding the Scheduled Tasks: Did you follow the path I gave in Reply #8 to access the scheduled tasks? You can open it in the Control Panel to remove or stop.
    ================================================
    Please update both of the following:
    Java Updates Uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system.
    Adobe Reader Update Uninstall any earlier updates as they are vulnerabilities.
    ===============================================
    Are you having any more indication of the Tidserv? It appears that it has been removed. Are there any remaining problems?

    If there are not: Remove all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
      [​IMG]
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disc Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin

    Let me know if you have any questions.
     
  12. Ris

    Ris TS Rookie Topic Starter

    Thank you so much for your help.
    And I just went to check again on the scheduled tasks and I got it, thank you.
    Also, I still receive some notice about it on Norton. These are the current unsolved security risks that show up on Norton:
    [​IMG]
    The only one that shows a pop-up is the first one, which I'm not quite sure if it's the same thing.
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    If you are seeing a screen resembling this one:
    [​IMG]

    Please press Stop notifying me.

    Norton drives users nuts with these! You do not need to know every time a scan knocks at the door!
     
  14. Ris

    Ris TS Rookie Topic Starter

    Thank you :)!
    I got rid of all of the tools and yes, Norton is quite annoying when it comes to notifications. Thank you for your help.
    I was unable to get rid of the notifications, but I guess I'll just learn to ignore it.
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, give this a try:

    1. Press the Stop alerting me button
    2. Delete those entries in Norton.
    3. Run a new Eset scan:
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
      [o] Double click on the [​IMG] on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
      [​IMG]
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish

    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
     
  16. Ris

    Ris TS Rookie Topic Starter

    Sorry for not replying earlier, but the problem is that I can't even find the 'stop alerting me' button; I don't think it's on this version of Norton. On an older version I used to be able to, but I'm not sure how to on this one.
     
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Norton Internet Security>> What version?

    Did you disable Norton and run the Eset scan? Log?
     
  18. Ris

    Ris TS Rookie Topic Starter

    Here's the log:

    C:\System Volume Information\_restore{C82AB585-267A-4F48-8752-66BC46FB361F}\RP2\A0000007.ini Win32/Adware.AntimalwareDoctor.AE.Gen application

    Also, I'm using version 18.6.0.29.
     
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, System Volume Information is a restore point. The malware is not active in the system. I will have you remove the old restore points and set a new, clean one when we finish.

    Check in the Norton forum and see if there's a thread to disable the alert. You are not the only one who gets this.

    Please follow this part of the cleanup:


    The system is clean. Let me know if you have any more questions.
     
  20. Ris

    Ris TS Rookie Topic Starter

    Alright. :)
    Thank you so much for your help.
     
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're welcome. Here are some tips to help you stay clean:

    Tips for added security and safer browsing: (Links are in Bold Blue)
    1. Browser Security
      [o] Safe Settings (Please ignore the suggestion to use the Registry Editor in this section "Creating a Custom Security Zone")
      [o] ZonedOut. This manages the Zones in Internet Explorer. (For IE7 and IE8, Windows 2000 thru Vista. No Windows 7)
      [o] Replace the Host Files
      [o] Google Toolbar Pop Up Blocker
      [o] Web of Trust (WOT) Site Advisor. Traffic-light rating symbols show which rate the site for Trustworthiness, Vendor Reliability, Privacy, Child Safety.
    2. Have layered Security:
      [o] Antivirus (only one): Both of the following programs are free and known to be good:
      [o] Avira-AntiVir-Personal-Free-Antivirus
      [o] Avast-Free Antivirus
      [o] Firewall (only one): Use a bi-directional firewall. Both of the following programs are free and known to be good:
      [o] Comodo
      [o] Zone Alarm
    3. Antimalware: I recommend all of the following:
      [o] Spywareblaster: SpywareBlaster protects against bad ActiveX.
      [o] Spybot Search & Destroy
    4. Updates: Stay current:
      [o] Check the Microsoft Download Site frequently: all updates marked Critical and the current SP updates.
      [o] Adobe Reader: Install current, uninstall old.
      [o] Java Updates: Install current, uninstall old.
    5. Tracking Cookies
      Reset Cookie:
      [o]For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
      [o]For Firefox: Tools> Options> Privacy> Cookies> check ‘accept Cookies from Sites’> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
      I suggest using the following two add-on for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
      AdBlock Plus
      Easy List
      [o]For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
    6. Do regular Maintenance
      [o] Temporary File Cleaner
    7. Restore Points:
      [o]See System Restore Guide
    8. Safe Email Handling
      [o] Don't open email from anyone you don't know.
      [o] Don't open Attachments in the email. Save to your desktop and scan for viruses using a right click.
      [o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
    Please let me know if you find any bad link.
     
Topic Status:
Not open for further replies.
