[Closed] I am attempting to remove Backdoor.Tidserv!inf virus

By maw8908
Jul 29, 2011
Topic Status:
Not open for further replies.
  1. I have never joined a forum, but this one seems like a lot of help, so I joined to get help. I read the bit about not following others' directions, so I started this one. I am trying to fix a computer where I work. I have bought Norton for it and that cleared up a lot of the problems, but it always says I need to get rid of the Backdoor.Tidserv!inf virus. Well, I am not the best at this, but I am making an attempt at this.

    Multiple things I still haven't figured out.

    1. The computer will not shut down. I just get the "logonui.exe program fails" error, and then it keeps coming up, and you basically have to shut it down by holding down the button to make that stop. I don't have this problem in Safe Mode though.

    2. Did steps one and two from the top of the thread, but got to the GMER program and it just wouldn't even start or open. So I went into Safe Mode and ran it, and it seems to have run a really fast scan; then I have three things under Type and I don't see anywhere to hit Save.

    3. Internet Explorer redirects.

    4. I constantly have to have the Windows XP Pro with Service Pack 3 CD in to keep the Windows File Protection message away.

    I am decent at understanding computers, but this is not what I deal with a lot, especially since I personally have a Mac. So please help, please and thank you!
  2. maw8908

    maw8908 Newcomer, in training Topic Starter

    Got it

    I restarted from Safe Mode and was able to get GMER working, so I am moving on in steps.
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Welcome to TechSpot! I'll help with the malware and you are off to a good start! Instructions you see on other threads are meant for the user/system only. Although we may run the same programs, when or if we run them and how we handle the results are meant for the original user.

    You did just right for GMER. Trying to use it in Safe Mode would have been one of my suggestions. The additional scans should be run in Normal Mode and if you have any problem, let me know. I'll review the logs when you get them out.
    ============================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in the cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.
    If I have not replied for 2 days, you can send me a PM reminder. Include the URL of your thread. Please do not send me a PM to tell me your logs are up.
    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =====================================
    FYI: Norton sometimes gives an alert like this:
    [image: Norton alert screenshot]
    or this:
    [image: second Norton alert screenshot]
    (Images courtesy Norton Forum)

    In both of these alerts, it shows No Action Required. It shows the attempt was blocked. Also, checking Stop Notifying Me will prevent them.
  4. maw8908

    maw8908 Newcomer, in training Topic Starter

    DDS Logs

    .
    DDS (Ver_2011-06-23.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by jeanette at 9:24:50 on 2011-07-29
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.152 [GMT -5:00]
    .
    AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton Internet Security *Enabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost.exe -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Maxtor\Sync\SyncServices.exe
    C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
    C:\Program Files\Iomega\REV System Software\RevUDF.exe
    C:\Program Files\Iomega\REV System Software\ImIconXp.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Iomega\AutoDisk\ADService.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = https://login.yahoo.com/config/login_verify2?.intl=us&partner=sbc&.src=ym
    mWinlogon: Userinit=c:\windows\system32\Userinit.exe
    BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\18.6.0.29\coIEPlg.dll
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\18.6.0.29\ips\IPSBHO.DLL
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\18.6.0.29\coIEPlg.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
    mRun: [Iomega ImIconXP] c:\program files\iomega\rev system software\imiconxp.exe
    mRun: [ADUserMon] c:\program files\iomega\autodisk\ADUserMon.exe
    mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
    mRun: [igfxtray] c:\windows\system32\igfxtray.exe
    mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
    mRun: [igfxpers] c:\windows\system32\igfxpers.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    dRunOnce: [nltide_2] regsvr32 /s /n /i:U shell32
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1306353615906
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    TCP: DhcpNameServer = 192.168.1.254
    TCP: Interfaces\{3C6206DD-22DE-4722-8448-9983C385980A} : DhcpNameServer = 192.168.1.254
    Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
    Notify: igfxcui - igfxdev.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 imdrvfsf;Iomega File System Filter Driver;c:\windows\system32\drivers\imdrvfsf.sys [2007-1-5 30968]
    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1206000.01d\symds.sys [2011-7-25 340088]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1206000.01d\symefa.sys [2011-7-25 744568]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\definitions\bashdefs\20110723.001\BHDrvx86.sys [2011-7-22 815736]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1206000.01d\ironx86.sys [2011-7-25 136312]
    R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\18.6.0.29\ccsvchst.exe [2011-7-25 130008]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-7-29 105592]
    R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\definitions\ipsdefs\20110728.031\IDSXpx86.sys [2011-7-28 355256]
    R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\definitions\virusdefs\20110728.051\NAVENG.SYS [2011-7-29 86008]
    R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\definitions\virusdefs\20110728.051\NAVEX15.SYS [2011-7-29 1542392]
    S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-7-27 366640]
    S3 EraserUtilDrvI10;EraserUtilDrvI10;\??\c:\program files\common files\symantec shared\eengine\eraserutildrvi10.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilDrvI10.sys [?]
    S3 EraserUtilDrvI11;EraserUtilDrvI11;\??\c:\program files\common files\symantec shared\eengine\eraserutildrvi11.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilDrvI11.sys [?]
    S3 MBAMProtector;MBAMProtector;\??\c:\windows\system32\drivers\mbam.sys --> c:\windows\system32\drivers\mbam.sys [?]
    .
    =============== Created Last 30 ================
    .
    2011-07-28 01:01:22 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-07-28 01:01:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-07-27 15:57:56 -------- d-----w- c:\documents and settings\jeanette\local settings\application data\Symantec
    2011-07-26 21:32:52 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
    2011-07-26 21:32:52 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
    2011-07-26 19:41:28 2560 ----a-w- c:\documents and settings\all users\application data\microsoft\usmt\iconlib.dll
    2011-07-26 11:55:47 -------- d-----w- c:\documents and settings\jeanette\local settings\application data\Google
    2011-07-26 11:51:50 -------- d-----w- c:\documents and settings\jeanette\local settings\application data\NPE
    2011-07-25 22:45:58 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2011-07-25 22:45:57 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2011-07-25 22:45:56 -------- d-----w- c:\program files\Symantec
    2011-07-25 22:45:34 369784 ----a-w- c:\windows\system32\drivers\nis\1206000.01d\symtdi.sys
    2011-07-25 22:45:34 331384 ----a-w- c:\windows\system32\drivers\nis\1206000.01d\symtdiv.sys
    2011-07-25 22:45:33 296568 ----a-w- c:\windows\system32\drivers\nis\1206000.01d\symnets.sys
    2011-07-25 22:45:32 744568 ----a-w- c:\windows\system32\drivers\nis\1206000.01d\symefa.sys
    2011-07-25 22:45:32 50168 ----a-w- c:\windows\system32\drivers\nis\1206000.01d\srtspx.sys
    2011-07-25 22:45:32 340088 ----a-w- c:\windows\system32\drivers\nis\1206000.01d\symds.sys
    2011-07-25 22:45:31 516216 ----a-w- c:\windows\system32\drivers\nis\1206000.01d\srtsp.sys
    2011-07-25 22:45:30 136312 ----a-r- c:\windows\system32\drivers\nis\1206000.01d\ironx86.sys
    2011-07-25 22:40:29 -------- d-----w- c:\windows\system32\drivers\nis\1206000.01D
    2011-07-25 22:37:59 -------- d-----w- c:\windows\system32\drivers\NIS
    2011-07-25 22:37:46 -------- d-----w- c:\program files\Norton Internet Security
    2011-07-25 21:39:31 -------- d-----w- c:\windows\system32\appmgmt
    2011-07-25 20:56:48 -------- d-----w- c:\program files\common files\Symantec Shared
    2011-07-25 20:00:50 -------- d-----w- c:\documents and settings\all users\application data\Norton
    2011-07-25 19:14:00 -------- d-----w- c:\program files\NortonInstaller
    2011-07-25 19:14:00 -------- d-----w- c:\documents and settings\all users\application data\NortonInstaller
    2011-07-11 13:06:16 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    .
    ==================== Find3M ====================
    .
    2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
    2011-05-04 09:52:22 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-05-04 07:25:49 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
    .
    ============= FINISH: 9:27:27.73 ===============



    .txt LOG


    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-06-23.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 1/20/2010 11:25:03 AM
    System Uptime: 7/29/2011 9:18:53 AM (0 hours ago)
    .
    Motherboard: Dell Computer Corp. | | 0TC667
    Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | Microprocessor | 2793/533mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 37 GiB total, 19.139 GiB free.
    D: is CDROM (CDFS)
    X: is FIXED (NTFS) - 298 GiB total, 245.058 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: PCI Modem
    Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10001028&REV_04\4&1C660DD6&0&08F0
    Manufacturer:
    Name: PCI Modem
    PNP Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10001028&REV_04\4&1C660DD6&0&08F0
    Service:
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Fortinet Packet Filter Miniport
    Device ID: ROOT\FT_FORTIDRVMP\0000
    Manufacturer: Fortinet
    Name: Fortinet Packet Filter Miniport
    PNP Device ID: ROOT\FT_FORTIDRVMP\0000
    Service: Fortidrv2
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Fortinet Packet Filter Miniport
    Device ID: ROOT\FT_FORTIDRVMP\0001
    Manufacturer: Fortinet
    Name: WAN Miniport (IP) - Fortinet Packet Filter Miniport
    PNP Device ID: ROOT\FT_FORTIDRVMP\0001
    Service: Fortidrv2
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Fortinet Packet Filter Miniport
    Device ID: ROOT\FT_FORTIDRVMP\0002
    Manufacturer: Fortinet
    Name: Intel(R) PRO/100 VE Network Connection - Fortinet Packet Filter Miniport
    PNP Device ID: ROOT\FT_FORTIDRVMP\0002
    Service: Fortidrv2
    .
    ==== System Restore Points ===================
    .
    RP483: 5/25/2011 2:29:43 PM - Restore Operation
    RP484: 5/25/2011 4:58:09 PM - System Checkpoint
    RP485: 5/26/2011 3:00:34 AM - Software Distribution Service 3.0
    RP486: 5/27/2011 3:00:31 AM - Software Distribution Service 3.0
    RP487: 5/28/2011 3:00:29 AM - Software Distribution Service 3.0
    RP488: 5/29/2011 3:01:05 AM - Software Distribution Service 3.0
    RP489: 5/30/2011 3:00:26 AM - Software Distribution Service 3.0
    RP490: 5/31/2011 3:01:10 AM - Software Distribution Service 3.0
    RP491: 5/31/2011 7:29:57 AM - Software Distribution Service 3.0
    RP492: 6/1/2011 3:01:28 AM - Software Distribution Service 3.0
    RP493: 6/1/2011 2:10:09 PM - Software Distribution Service 3.0
    RP494: 6/1/2011 3:42:47 PM - Software Distribution Service 3.0
    RP495: 6/2/2011 3:00:46 AM - Software Distribution Service 3.0
    RP496: 6/3/2011 3:00:38 AM - Software Distribution Service 3.0
    RP497: 6/4/2011 3:01:36 AM - Software Distribution Service 3.0
    RP498: 6/5/2011 3:00:26 AM - Software Distribution Service 3.0
    RP499: 6/6/2011 3:00:26 AM - Software Distribution Service 3.0
    RP500: 6/7/2011 3:00:28 AM - Software Distribution Service 3.0
    RP501: 6/8/2011 3:00:40 AM - Software Distribution Service 3.0
    RP502: 6/9/2011 3:01:15 AM - Software Distribution Service 3.0
    RP503: 6/10/2011 3:00:28 AM - Software Distribution Service 3.0
    RP504: 6/11/2011 3:00:39 AM - Software Distribution Service 3.0
    RP505: 6/12/2011 3:01:36 AM - Software Distribution Service 3.0
    RP506: 6/13/2011 3:00:52 AM - Software Distribution Service 3.0
    RP507: 6/14/2011 3:00:44 AM - Software Distribution Service 3.0
    RP508: 6/15/2011 3:01:00 AM - Software Distribution Service 3.0
    RP509: 6/16/2011 4:01:34 AM - System Checkpoint
    RP510: 6/17/2011 3:00:40 AM - Software Distribution Service 3.0
    RP511: 6/18/2011 3:01:00 AM - Software Distribution Service 3.0
    RP512: 6/19/2011 3:00:28 AM - Software Distribution Service 3.0
    RP513: 6/20/2011 3:01:01 AM - Software Distribution Service 3.0
    RP514: 6/21/2011 3:00:29 AM - Software Distribution Service 3.0
    RP515: 6/22/2011 3:01:02 AM - Software Distribution Service 3.0
    RP516: 6/23/2011 3:01:15 AM - Software Distribution Service 3.0
    RP517: 6/24/2011 3:01:09 AM - Software Distribution Service 3.0
    RP518: 6/25/2011 3:00:29 AM - Software Distribution Service 3.0
    RP519: 6/26/2011 3:00:59 AM - Software Distribution Service 3.0
    RP520: 6/27/2011 6:33:10 AM - Software Distribution Service 3.0
    RP521: 6/28/2011 3:00:34 AM - Software Distribution Service 3.0
    RP522: 6/29/2011 3:00:37 AM - Software Distribution Service 3.0
    RP523: 6/30/2011 3:01:57 AM - Software Distribution Service 3.0
    RP524: 7/1/2011 3:01:28 AM - Software Distribution Service 3.0
    RP525: 7/5/2011 6:40:09 AM - Software Distribution Service 3.0
    RP526: 7/6/2011 3:00:35 AM - Software Distribution Service 3.0
    RP527: 7/7/2011 3:00:39 AM - Software Distribution Service 3.0
    RP528: 7/8/2011 3:00:38 AM - Software Distribution Service 3.0
    RP529: 7/9/2011 3:00:41 AM - Software Distribution Service 3.0
    RP530: 7/10/2011 3:00:33 AM - Software Distribution Service 3.0
    RP531: 7/11/2011 3:00:27 AM - Software Distribution Service 3.0
    RP532: 7/12/2011 3:00:47 AM - Software Distribution Service 3.0
    RP533: 7/13/2011 3:02:39 AM - Software Distribution Service 3.0
    RP534: 7/14/2011 3:00:28 AM - Software Distribution Service 3.0
    RP535: 7/15/2011 3:01:31 AM - Software Distribution Service 3.0
    RP536: 7/16/2011 3:01:14 AM - Software Distribution Service 3.0
    RP537: 7/17/2011 3:00:27 AM - Software Distribution Service 3.0
    RP538: 7/18/2011 3:00:56 AM - Software Distribution Service 3.0
    RP539: 7/18/2011 8:13:15 AM - Software Distribution Service 3.0
    RP540: 7/19/2011 3:02:25 AM - Software Distribution Service 3.0
    RP541: 7/20/2011 3:01:23 AM - Software Distribution Service 3.0
    RP542: 7/21/2011 3:02:44 AM - Software Distribution Service 3.0
    RP543: 7/22/2011 3:00:28 AM - Software Distribution Service 3.0
    RP544: 7/23/2011 3:45:54 AM - System Checkpoint
    RP545: 7/24/2011 4:45:52 AM - System Checkpoint
    RP546: 7/25/2011 5:45:52 AM - System Checkpoint
    RP547: 7/25/2011 4:37:32 PM - Removed FortiClient Endpoint Security
    RP548: 7/26/2011 6:06:56 PM - System Checkpoint
    RP549: 7/27/2011 7:53:01 PM - Installed Java(TM) 6 Update 26
    RP550: 7/28/2011 8:20:37 PM - System Checkpoint
    .
    ==== Installed Programs ======================
    .
    Active Disk
    Adobe Flash Player 10 ActiveX
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    Intel(R) Extreme Graphics 2 Driver
    Intel(R) PRO Network Adapters and Drivers
    Iomega REV System Software
    Java Auto Updater
    Java(TM) 6 Update 26
    Malwarebytes' Anti-Malware version 1.51.1.1800
    Maxtor Manager
    Microsoft Word 2002
    Microsoft Works
    Microsoft Works 2005 Setup Launcher
    Microsoft Works Suite Add-in for Microsoft Word
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB973688)
    Norton Internet Security
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB976325)
    Security Update for Windows Internet Explorer 7 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player (KB979402)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB2555917)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    SoundMAX
    TFP for 2009
    TFP for 2010
    Update for Windows Internet Explorer 8 (KB975364)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Internet Explorer 8
    Windows Live ID Sign-in Assistant
    Works Upgrade
    .
    ==== Event Viewer Messages From Past Week ========
    .
    7/29/2011 9:24:19 AM, information: Windows File Protection [64004] - The protected system file volsnap.sys could not be restored to its original, valid version. The file version of the bad file is unknown The specific error code is 0x000003e3 [The I/O operation has been aborted because of either a thread exit or an application request. ].
    7/29/2011 8:59:48 AM, error: Service Control Manager [7001] - The MBAMService service depends on the MBAMProtector service which failed to start because of the following error: The system cannot find the file specified.
    7/29/2011 8:59:48 AM, error: Service Control Manager [7000] - The MBAMProtector service failed to start due to the following error: The system cannot find the file specified.
    7/27/2011 4:07:40 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
    7/27/2011 4:06:35 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD BHDrvx86 eeCtrl Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SRTSPX SymIRON SYMTDI Tcpip
    7/27/2011 4:06:35 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    7/27/2011 4:06:35 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    7/27/2011 4:06:35 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    7/27/2011 4:06:35 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    7/27/2011 4:05:59 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
    7/27/2011 4:05:45 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    7/27/2011 4:05:45 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    7/26/2011 4:24:34 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SMR200
    7/26/2011 10:43:50 PM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
    7/25/2011 9:04:59 PM, error: Service Control Manager [7031] - The Norton Internet Security service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    7/22/2011 6:12:03 AM, error: System Error [1003] - Error code 10000050, parameter1 fdda2000, parameter2 00000000, parameter3 804f3ccb, parameter4 00000000.
    7/22/2011 3:53:39 PM, error: NetBT [4321] - The name "SPROTTLONG :1d" could not be registered on the Interface with IP address 192.168.1.9. The machine with the IP address 192.168.1.5 did not allow the name to be claimed by this machine.
    7/22/2011 12:26:19 PM, error: System Error [1003] - Error code 10000050, parameter1 fc373000, parameter2 00000000, parameter3 804f3ccb, parameter4 00000000.
    7/22/2011 12:22:26 PM, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    7/22/2011 12:22:21 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.
    .
    ==== End Of File ===========================
  5. maw8908

    maw8908 Newcomer, in training Topic Starter

    gmer log and malware bytes

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2011-07-29 09:06:36
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST340810A rev.3.99
    Running: 50vvg5z5.exe; Driver: C:\DOCUME~1\jeanette\LOCALS~1\Temp\uglcrkog.sys


    ---- Devices - GMER 1.0.15 ----

    Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

    AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    ---- Threads - GMER 1.0.15 ----

    Thread System [4:128] 82F00E7A
    Thread System [4:132] 82F03008

    ---- EOF - GMER 1.0.15 ----



    Malwarebytes seems to have been wiped from my computer. Do I need to try to reinstall it or just forget it? I did run a scan with it yesterday, and it said nothing found; it took about an hour to scan.
  6. maw8908

    maw8908 Newcomer, in training Topic Starter

    Found the Malwarebytes log. Here it is:

    Malwarebytes' Anti-Malware 1.51.1.1800
    www.malwarebytes.org

    Database version: 7304

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    7/27/2011 8:58:42 PM
    mbam-log-2011-07-27 (20-58-42).txt

    Scan type: Quick scan
    Objects scanned: 171283
    Time elapsed: 52 minute(s), 35 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
  7. maw8908

    maw8908 Newcomer, in training Topic Starter

    I believe that is all the logs needed.

    If there is any more info needed then let me know. I have to leave the office, but I might be able to get here over the weekend. Thank you for your help so far.
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay, I'd like you to run this first: Both scans in Normal Mode
    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double click on TDSSKiller.exe. to run the scan
    • When the scan is over, the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies the selected actions and outputs the result. Please paste the log into your next reply.
    • A reboot is required after disinfection.
    =================================================
    Then Combofix: Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message asking whether to continue.
    • Click on Yes to continue scanning for malware.
    • If Combofix asks you to update the program, allow it.
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated and it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.

    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    ============================================
    Hopefully Combofix will replace the volsnap.sys file.

    I'm not real sure about all the Iomega processes- whether you're storing out to loading in. There aren't many installed programs showing.
  9. maw8908

    maw8908 Newcomer, in training Topic Starter

    Not much on the comp

    The person who normally uses the comp only uses three programs. One is an accounting program that is from like the 90's, and it runs like old software did, where it doesn't really install itself on the comp. I want to get rid of the Iomega stuff because we don't use it to back up all the Word files she has. I just set up Maxtor and an external hard drive. The third program she uses daily is Internet Explorer, but I can't even seem to get it to work where I can update her comp. It always says updates loaded, then would halfway run them and install, then say failed and close, so her comp is in bad need of updates. The computer is the main computer for the business; there just isn't a lot of tech needed in the office, so it is really important I get it running smooth. Is what I am going to do fix the not shutting down and restarting issue?
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    With all due respect: you are getting free help on an internet forum staffed by volunteers. We do what we think is the best for the problems at hand. I'm not putting out instructions because I like to type. No guarantees are ever made. You are asking for help for someone else's computer who uses it for a business- feel free to have a tech fix the system- if it's fixable- and the office can take up a collection to pay for it.

    Has it occurred to you that if this continues to display, "Windows File Protection: Files that are required for windows to run properly have been replaced by unknown versions" that the system has somehow been altered?

    http://support.microsoft.com/kb/222193
  11. maw8908

    maw8908 Newcomer, in training Topic Starter

    Log for tdsskiller

    2011/08/01 10:12:01.0828 1720 TDSS rootkit removing tool 2.5.13.0 Jul 29 2011 17:24:11
    2011/08/01 10:12:02.0921 1720 ================================================================================
    2011/08/01 10:12:02.0921 1720 SystemInfo:
    2011/08/01 10:12:02.0921 1720
    2011/08/01 10:12:02.0921 1720 OS Version: 5.1.2600 ServicePack: 3.0
    2011/08/01 10:12:02.0921 1720 Product type: Workstation
    2011/08/01 10:12:02.0921 1720 ComputerName: JEANETTE-PC
    2011/08/01 10:12:02.0921 1720 UserName: jeanette
    2011/08/01 10:12:02.0921 1720 Windows directory: C:\WINDOWS
    2011/08/01 10:12:02.0921 1720 System windows directory: C:\WINDOWS
    2011/08/01 10:12:02.0921 1720 Processor architecture: Intel x86
    2011/08/01 10:12:02.0921 1720 Number of processors: 1
    2011/08/01 10:12:02.0921 1720 Page size: 0x1000
    2011/08/01 10:12:02.0921 1720 Boot type: Normal boot
    2011/08/01 10:12:02.0921 1720 ================================================================================
    2011/08/01 10:12:19.0343 1720 Initialize success
    2011/08/01 10:12:22.0765 2420 ================================================================================
    2011/08/01 10:12:22.0765 2420 Scan started
    2011/08/01 10:12:22.0765 2420 Mode: Manual;
    2011/08/01 10:12:22.0765 2420 ================================================================================
    2011/08/01 10:14:14.0250 2420 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
    2011/08/01 10:14:14.0531 2420 MBR (0x1B8) (a4a15d6782e6fe1dce41a606cb3affe3) \Device\Harddisk1\DR2
    2011/08/01 10:14:14.0578 2420 Boot (0x1200) (59142ff21de2806759588d7d518af29d) \Device\Harddisk0\DR0\Partition0
    2011/08/01 10:14:14.0593 2420 Boot (0x1200) (e08f96b3546c1b3a6f980e54c9e46945) \Device\Harddisk1\DR2\Partition0
    2011/08/01 10:14:14.0609 2420 ================================================================================
    2011/08/01 10:14:14.0609 2420 Scan finished
    2011/08/01 10:14:14.0609 2420 ================================================================================
    2011/08/01 10:14:14.0625 2404 Detected object count: 0
    2011/08/01 10:14:14.0625 2404 Actual detected object count: 0



    Don't get me wrong asking that stuff. I know I am getting free help. We had someone charge 800 to "fix" the computer 2 weeks ago, but obviously that didn't work. I appreciate all the help and it clearly is helping. Thanks so much.
  12. maw8908

    maw8908 Newcomer, in training Topic Starter

    combofix log

    ComboFix 11-07-31.04 - jeanette 08/01/2011 10:29:26.2.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.165 [GMT -5:00]
    Running from: c:\documents and settings\jeanette\Desktop\ComboFix.exe
    AV: Norton Internet Security *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton Internet Security *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\regedit.com
    c:\windows\system32\_000005_.tmp.dll
    c:\windows\system32\_000006_.tmp.dll
    X:\Autorun.inf
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-07-01 to 2011-08-01 )))))))))))))))))))))))))))))))
    .
    .
    2011-07-28 01:01 . 2011-07-07 00:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-07-28 01:01 . 2011-07-28 01:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-07-28 00:59 . 2011-07-28 00:59 -------- d-----w- c:\program files\Common Files\Java
    2011-07-27 15:57 . 2011-07-27 15:57 -------- d-----w- c:\documents and settings\jeanette\Local Settings\Application Data\Symantec
    2011-07-26 21:32 . 2008-04-14 05:15 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
    2011-07-26 21:32 . 2008-04-14 05:15 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
    2011-07-26 19:41 . 2008-04-14 07:00 2560 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\USMT\iconlib.dll
    2011-07-26 11:55 . 2011-07-26 23:02 -------- d-----w- c:\documents and settings\jeanette\Local Settings\Application Data\Google
    2011-07-26 11:51 . 2011-07-28 00:14 -------- d-----w- c:\documents and settings\jeanette\Local Settings\Application Data\NPE
    2011-07-25 22:45 . 2011-07-25 22:45 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2011-07-25 22:45 . 2011-07-25 22:45 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2011-07-25 22:45 . 2011-07-25 22:45 -------- d-----w- c:\program files\Symantec
    2011-07-25 22:37 . 2011-07-25 22:46 -------- d-----w- c:\windows\system32\drivers\NIS
    2011-07-25 22:37 . 2011-07-25 22:37 -------- d-----w- c:\program files\Norton Internet Security
    2011-07-25 20:56 . 2011-07-25 22:45 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2011-07-25 20:00 . 2011-07-25 20:00 -------- d-----w- c:\program files\Windows Sidebar
    2011-07-25 20:00 . 2011-07-28 00:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
    2011-07-25 19:14 . 2011-07-28 00:48 -------- d-----w- c:\program files\NortonInstaller
    2011-07-11 13:06 . 2011-07-11 13:06 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-08-01 15:09 . 2008-04-14 07:00 52352 ----a-w- c:\windows\system32\drivers\volsnap.sys
    2011-06-02 14:02 . 2008-04-14 07:00 1858944 ----a-w- c:\windows\system32\win32k.sys
    2011-05-04 09:52 . 2010-08-09 21:17 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-05-04 07:25 . 2010-08-09 21:17 73728 ----a-w- c:\windows\system32\javacpl.cpl
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [-] 2008-10-05 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
    "Iomega ImIconXP"="c:\program files\Iomega\REV System Software\imiconxp.exe" [2008-01-17 249856]
    "ADUserMon"="c:\program files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 147456]
    "mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2008-07-21 169312]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-07 449584]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "nltide_2"="shell32" [X]
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    .
    R0 imdrvfsf;Iomega File System Filter Driver;c:\windows\system32\drivers\imdrvfsf.sys [1/5/2007 2:39 PM 30968]
    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1206000.01D\symds.sys [7/25/2011 5:45 PM 340088]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1206000.01D\symefa.sys [7/25/2011 5:45 PM 744568]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\BASHDefs\20110723.001\BHDrvx86.sys [7/22/2011 7:27 PM 815736]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1206000.01D\ironx86.sys [7/25/2011 5:45 PM 136312]
    R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\18.6.0.29\ccsvchst.exe [7/25/2011 5:44 PM 130008]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/29/2011 1:35 AM 105592]
    R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\IPSDefs\20110729.030\IDSXpx86.sys [7/29/2011 7:15 PM 355256]
    S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/27/2011 8:01 PM 366640]
    S3 EraserUtilDrvI10;EraserUtilDrvI10;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI10.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI10.sys [?]
    S3 EraserUtilDrvI11;EraserUtilDrvI11;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI11.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI11.sys [?]
    S3 MBAMProtector;MBAMProtector;\??\c:\windows\system32\drivers\mbam.sys --> c:\windows\system32\drivers\mbam.sys [?]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - 21383459
    *NewlyCreated* - 46708443
    *Deregistered* - 21383459
    *Deregistered* - 46708443
    *Deregistered* - revfs
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = https://login.yahoo.com/config/login_verify2?.intl=us&partner=sbc&.src=ym
    TCP: DhcpNameServer = 192.168.1.254
    .
    - - - - ORPHANS REMOVED - - - -
    .
    SafeBoot-21383459.sys
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-08-01 11:23
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NIS]
    "ImagePath"="\"c:\program files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\18.6.0.29\diMaster.dll\" /prefetch:1"
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Iomega Activity Disk2]
    "ImagePath"="\"\""
    .
    Completion time: 2011-08-01 11:30:43
    ComboFix-quarantined-files.txt 2011-08-01 16:30
    ComboFix2.txt 2011-05-25 19:53
    .
    Pre-Run: 20,485,566,464 bytes free
    Post-Run: 20,635,779,072 bytes free
    .
    - - End Of File - - 920220E2FA7B6BE7A69991530F728184
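Before moving on to the reply, a worked example of triaging the log above. This is an added Python script, not ComboFix's code and not anything the helper ran: it parses the Sigcheck, autostart (Run/RunOnce) and firewall-policy sections of a ComboFix log and lists what a reviewer would look at first. The sample input is a verbatim excerpt of the log posted above; the three heuristics (unsigned protected system file, Windows Firewall switched off in the standard profile, autostart entry ComboFix could not verify or that lives outside the usual install roots) are my own and flag things for review, not malware verdicts.

```python
import re

# Constructed excerpt: verbatim lines copied from the ComboFix log posted above,
# trimmed to the sections this script looks at. The log format is ComboFix's;
# the parsing below is an added example, not ComboFix's own code.
SAMPLE_LOG = r"""
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-10-05 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-07 449584]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
"""

# [-] date . MD5 . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r'^\[-\]\s+(\S+)\s+\.\s+([0-9A-Fa-f]{32})\s+\.\s+(\d+)\s+\.\s+\.\s+\[([\d.]+)\]\s+\.\s+\.\s+(.+)$')
# "name"="target" [date size]  or  "name"="target" [X]
RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s+\[(.*)\]$')
# "Name"= 0 (0x0)
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(\d+)')

FIREWALL_KEY = r"HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile"
# Heuristic: autostart targets outside these roots deserve a second look.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")


def parse_sections(text):
    """Group a ComboFix log into {registry key: [value lines]}.

    A line of the form [KEY] opens a section; '.' separator lines are skipped.
    Sigcheck '[-]' lines end with a path, not ']', so they are not headers.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def triage(text):
    """Return (kind, subject, detail) tuples for the items to review first."""
    findings = []

    # 1. Sigcheck '[-]': a protected system file whose signature did not
    #    verify. sfcfiles.dll holds the Windows File Protection list on XP,
    #    so it should be compared against a known-good copy, nothing more.
    for raw in text.splitlines():
        m = SIGCHECK_RE.match(raw.strip())
        if m:
            date, md5, size, version, path = m.groups()
            findings.append(("unsigned-system-file", path, md5))

    sections = parse_sections(text)

    # 2. Windows Firewall policy: EnableFirewall=0 means it is switched off.
    for line in sections.get(FIREWALL_KEY, []):
        m = VALUE_RE.match(line)
        if m and m.group(1) == "EnableFirewall" and m.group(2) == "0":
            findings.append(("firewall-disabled", "standardprofile", line))

    # 3. Run/RunOnce: '[X]' marks a target ComboFix could not verify on disk;
    #    a target outside the usual install roots is a heuristic flag only.
    for key, lines in sections.items():
        if not key.lower().endswith(("\\run", "\\runonce")):
            continue
        for line in lines:
            m = RUN_RE.match(line)
            if not m:
                continue
            name, target, note = m.groups()
            if note == "X":
                findings.append(("autostart-unverified", name, target))
            elif not target.lower().startswith(TRUSTED_PREFIXES):
                findings.append(("autostart-odd-location", name, target))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in triage(SAMPLE_LOG):
        print(f"{kind:24} {subject}  ({detail})")
```

On the excerpt this yields three findings: the unverified sfcfiles.dll, the disabled firewall, and the RunOnce entry whose target ComboFix could not resolve. The firewall line is the one worth acting on regardless of how the infection is resolved; none of the Run entries in the posted log fall outside Program Files or the Windows directory.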
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    A couple of things are evident:
    1. The presence of this deletion in Combofix> X:\Autorun.inf usually means that an infected flash drive was used. That would need to be disinfected:
    You may have a flash drive infection. These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.

    Please disinfect all movable drives
    1. Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
    2. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
      Note: Some security programs will flag Flash_Disinfector as being some sort of malware, you can safely ignore these warnings
    3. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    4. Wait until it has finished scanning and then exit the program.
    5. Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
    =================
    2. You told me this:
    and I left 2 images asking if either was what was being seen re the TDServ. You did not reply to that. So far, I am not seeing any indication of that malware and the program you ran-TDSKiller shows nothing found.
    3. You are trying to fix a rigged system. I am at a loss how someone is trying to work at accounting- for "business" with such a bad, outdated set up. I didn't even know they still made zip drives.

    I am not surprised that whoever worked on it 2 weeks ago couldn't fix it. Norton wasn't installed until 7/25. There is nothing more I can do for you.

    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    -----
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
    ------------------------------------------
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin
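A worked example of the removable-drive disinfection the reply describes, added here and not part of the thread or of Flash_Disinfector itself. The script reads an existing autorun.inf at a drive root, reports the directives that would launch a program when the drive is inserted (open=, shellexecute=, shell\...\command=), deletes the file and creates a folder named autorun.inf in its place, which is the protection the reply mentions: a worm cannot write a file where a directory of the same name already exists. The sample autorun.inf, the RECYCLER\setup.exe target, and the temporary directory standing in for a flash drive root are all constructed for the example; on Windows the folder is also marked hidden, as the reply says Flash_Disinfector does.

```python
import os
import tempfile

# Constructed autorun.inf in the style USB worms dropped on removable drives;
# the target file name is invented for the example, not taken from the thread.
SAMPLE_AUTORUN = """\
[autorun]
; harmless-looking icon line, then the lines that actually run code
icon=%SystemRoot%\\system32\\SHELL32.dll,4
open=RECYCLER\\setup.exe
shellexecute=RECYCLER\\setup.exe
shell\\open\\command=RECYCLER\\setup.exe
action=Open folder to view files
"""

# Directives that make XP-era AutoRun/AutoPlay execute something.
SUSPICIOUS_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Return {key: value} from the [autorun] section, keys lower-cased.
    Tolerant of odd spacing and comment lines, which worms use for obfuscation."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def executing_directives(entries):
    """Keep only the directives that launch a program."""
    return {k: v for k, v in entries.items()
            if k in SUSPICIOUS_KEYS or (k.startswith("shell\\") and k.endswith("\\command"))}


def protect_drive(root):
    """Remove an autorun.inf *file* at the drive root and put an autorun.inf
    *folder* in its place. A folder of that name cannot be overwritten by a
    file, so a worm that tries to drop a new autorun.inf fails.
    Returns the launch directives found in the removed file (empty if none)."""
    path = os.path.join(root, "autorun.inf")
    directives = {}
    if os.path.isfile(path):
        with open(path, "r", errors="replace") as fh:
            directives = executing_directives(parse_autorun(fh.read()))
        os.remove(path)
    if not os.path.isdir(path):
        os.mkdir(path)
    if os.name == "nt":
        # Hide the folder, as the reply says Flash_Disinfector does.
        import ctypes
        FILE_ATTRIBUTE_HIDDEN = 0x02
        ctypes.windll.kernel32.SetFileAttributesW(path, FILE_ATTRIBUTE_HIDDEN)
    return directives


def is_protected(root):
    """True when autorun.inf at the drive root is a directory, not a file."""
    return os.path.isdir(os.path.join(root, "autorun.inf"))


def demo():
    """Run the whole procedure against a temporary directory standing in for
    a flash drive root and return the observable results."""
    with tempfile.TemporaryDirectory() as drive:
        with open(os.path.join(drive, "autorun.inf"), "w") as fh:
            fh.write(SAMPLE_AUTORUN)
        found = protect_drive(drive)
        # A second run is harmless and finds nothing to remove.
        second = protect_drive(drive)
        # Simulate the worm trying to re-drop its file: this must fail.
        try:
            with open(os.path.join(drive, "autorun.inf"), "w") as fh:
                fh.write("[autorun]\nopen=evil.exe\n")
            redrop_blocked = False
        except OSError:
            redrop_blocked = True
        return {"found": found, "second": second,
                "protected": is_protected(drive), "redrop_blocked": redrop_blocked}


if __name__ == "__main__":
    print(demo())
```

Run it against a real drive by calling protect_drive("E:\\") (or whatever the removable drive letter is) from an administrator prompt; the returned directives tell you what the old autorun.inf pointed at, so the referenced executable can be removed from the drive as well. The folder trick only blocks the re-drop of autorun.inf; it does nothing about AutoRun itself, which on XP SP3 stays enabled for removable media unless the relevant Microsoft update and policy are applied.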