TechSpot

My desktop is infected with Backdoor.Tidserv.I!inf and only starts in safe mode

By debdubey
Aug 15, 2011
  1. Hi, my desktop runs Windows XP Prof. and is infected with Backdoor.Tidserv.I!inf. It has Norton Antivirus 2011 but this obviously is no help. I originally ran a scan and it told me my PC was infected, and to download TDSSKiller and run that (per the Norton website). I did, but it didn't get rid of it. But after that initial try to remove it, it no longer shows up in a scan. When I reboot my PC it freezes at the blue screen, so the removal tool never finishes because one of its steps reboots the computer. The only way I can run the PC is if I start it in safe mode, and it does run with limited connectivity in safe mode. However, when I try to disable Norton Antivirus to run the GMER tool there is no way for me to disable it. No matter how I click on it, it just asks me if I want to run a virus scan. So I did run the tools in safe mode but with Norton still active as far as I could tell. I'll post the log files I have and if you need me to run anything else, I'm more than happy to. I appreciate any help you can give me; it seems like you've helped a lot of people with this one.
    Thanks,
    Deb

    Here is the Malwarebytes log:
    Malwarebytes' Anti-Malware 1.51.1.1800
    www.malwarebytes.org

    Database version: 7390

    Windows 5.1.2600 Service Pack 3 (Safe Mode)
    Internet Explorer 8.0.6001.18702

    8/5/2011 7:25:35 PM
    mbam-log-2011-08-05 (19-25-35).txt

    Scan type: Quick scan
    Objects scanned: 244149
    Time elapsed: 3 minute(s), 12 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2011-08-15 15:05:34
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3160811AS rev.3.AAE
    Running: lp8ejilt.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fxldapog.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    ? SYMDS.SYS The system cannot find the file specified. !
    ? SYMEFA.SYS The system cannot find the file specified. !

    ---- Devices - GMER 1.0.15 ----

    Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SOFTWARE\Classes\CLSID\{A40F8BBE-77CD-78A3-DF6D-3C14B7105899}\InprocServer32@ C:\WINDOWS\system32\scardssp.dll
    Reg HKLM\SOFTWARE\Classes\CLSID\{A40F8BBE-77CD-78A3-DF6D-3C14B7105899}\InprocServer32@ThreadingModel Free
    Reg HKLM\SOFTWARE\Classes\CLSID\{A40F8BBE-77CD-78A3-DF6D-3C14B7105899}\ProgID@ Scardssp.SCardDatabase.1
    Reg HKLM\SOFTWARE\Classes\CLSID\{A40F8BBE-77CD-78A3-DF6D-3C14B7105899}\TypeLib@ {82C38704-19F1-11D3-A11F-00C04F79F800}
    Reg HKLM\SOFTWARE\Classes\CLSID\{A40F8BBE-77CD-78A3-DF6D-3C14B7105899}\VersionIndependentProgID@ Scardssp.SCardDatabase

    ---- EOF - GMER 1.0.15 ----

    DDS.txt
    DDS (Ver_2011-06-23.01) - NTFSx86 NETWORK
    Internet Explorer: 8.0.6001.18702
    Run by Administrator at 15:13:11 on 2011-08-15
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1487 [GMT -4:00]
    .
    AV: Norton AntiVirus *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost.exe -k DcomLaunch
    svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\Administrator\Desktop\lp8ejilt.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\internet explorer\iexplore.exe
    .
    ============== Pseudo HJT Report ===============
    .
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
    BHO: Freecause Toolbar BHO: {614bda1f-9bef-4cd1-bde4-fa4804929b4a} - c:\program files\mypoints toolbar 2.0\Toolbar.dll
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\18.6.0.29\ips\IPSBHO.DLL
    BHO: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\prxtbZyn2.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    TB: MyPoints Point Finder: {89a2510a-b4b6-4683-bec9-1b96700bc7f1} - c:\program files\mypoints toolbar 2.0\Toolbar.dll
    TB: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\prxtbZyn2.dll
    uRun: [AdobeUpdater] "c:\program files\common files\adobe\updater5\AdobeUpdater.exe"
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10d.exe
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [SMCWUSB-N2 Wireless Utility] "c:\program files\smc\smcwusb-n2\SMCWUSB-N2 Wireless Utility.exe" -nogui
    mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
    mRunOnce: [FixTDSS] cmd /c start /D "c:\documents and settings\administrator\Desktop" /B FixTDSS.exe -postboot
    mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    DPF: {000F1EA4-5E08-4564-A29B-29076F63A37A} - hxxp://launch.soe.com/plugin/web/SOEWebInstaller.cab
    DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://echat.bellsouth.net/sdccommon/download/tgctlcm.cab
    DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} - hxxp://www.worldwinner.com/games/v47/scrabblecubes/scrabblecubes.cab
    DPF: {038E2507-7A48-41E2-94AD-7F23D199AF4E} - hxxp://www.worldwinner.com/games/v54/zengems/zengems.cab
    DPF: {04063354-A10E-4427-A1EC-F3CC81587BC6} - hxxp://www.worldwinner.com/games/v41/mines/mines.cab
    DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
    DPF: {0B195D55-0AB4-48C7-828F-34BE10BA4266} - hxxp://www.worldwinner.com/games/v53/dealornodeal/dealornodeal.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
    DPF: {18C3FD15-74F6-4280-9C98-3590C966B7B8} - hxxp://www.worldwinner.com/games/v47/skillgam/skillgam.cab
    DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} - hxxp://www.worldwinner.com/games/v47/shared/FunGamesLoader.cab
    DPF: {1D082E71-DF20-4AAF-863B-596428C49874} - hxxp://www.worldwinner.com/games/v50/tpir/tpir.cab
    DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
    DPF: {2C153C75-8476-434B-B3C3-57B63A3D1939} - hxxp://www.worldwinner.com/games/v48/brickout/brickout.cab
    DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
    DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} - hxxp://www.worldwinner.com/games/v50/pool/pool.cab
    DPF: {38AB0814-B09B-4378-9940-14A19638C3C2} - hxxp://www.auctiva.com/Aurigma/ImageUploader55.cab
    DPF: {38AB6A6C-CC4C-4F9E-A3DD-3C5681EF18A1} - hxxp://www.freerealms.com/gamedata/FreeRealmsInstaller.cab
    DPF: {3D3DBC64-0D21-4EA4-94EE-86D6D9B31C0C} - hxxp://www.worldwinner.com/games/v45/moneylist/moneylist.cab
    DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
    DPF: {41D1977F-4161-4720-800F-EA4903983A38} - hxxp://www.worldwinner.com/games/v43/jigsaw/jigsaw.cab
    DPF: {555F1BBC-6EC2-474F-84AF-633EF097FF54} - hxxp://www.worldwinner.com/games/v53/wwhearts/wwhearts.cab
    DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} - hxxp://www.worldwinner.com/games/v63/bjattack/bja.cab
    DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
    DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} - hxxp://www.worldwinner.com/games/v51/bejeweled/bejeweled.cab
    DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} - hxxp://www.worldwinner.com/games/v49/blockwerx/blockwerx.cab
    DPF: {64CD313F-F079-4D93-959F-4D28B5519449} - hxxp://www.worldwinner.com/games/v56/jeopardy/jeopardy.cab
    DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} - hxxp://www.worldwinner.com/games/v41/freecell/freecell.cab
    DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1172154408062
    DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} - hxxp://www.disneyphotopass.com/software/ImageUploader4.cab
    DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
    DPF: {75A6AEA3-F26E-4608-AE9B-8DA78C87576E} - hxxps://kingsisle.hs.llnwd.net/e1/static/themes/wizard101A/activex/Wizard101GameLauncher.CAB
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {94299420-321F-4FF9-A247-62A23EBB640B} - hxxp://www.worldwinner.com/games/v46/wordmojo/wordmojo.cab
    DPF: {95A311CD-EC8E-452A-BCEC-B844EB616D03} - hxxp://www.worldwinner.com/games/v51/bejeweledtwist/bejeweledtwist.cab
    DPF: {97438FE9-D361-4279-BA82-98CC0877A717} - hxxp://www.worldwinner.com/games/v57/cubis/cubis.cab
    DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} - hxxp://www.worldwinner.com/games/v46/sol/sol.cab
    DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} - hxxp://www.worldwinner.com/games/v57/wof/wof.cab
    DPF: {A91FB93D-7561-4524-8484-5C27C8FA8D42} - hxxp://www.worldwinner.com/games/v50/luxor/luxor.cab
    DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} - hxxp://www.worldwinner.com/games/v67/swapit/swapit.cab
    DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} - hxxp://www.worldwinner.com/games/v41/hangman/hangman.cab
    DPF: {BA35B9B8-DE9E-47C9-AFA7-3C77E3DDFD39} - hxxp://www.worldwinner.com/games/v46/monopoly/monopoly.cab
    DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} - hxxp://www.worldwinner.com/games/v42/tilecity/tilecity.cab
    DPF: {BB637307-92FA-47EC-B3F7-6969078673CC} - hxxp://www.worldwinner.com/games/v45/royal/royal.cab
    DPF: {C5326A4D-E9AA-40AD-A09A-E74304D86B47} - hxxp://www.worldwinner.com/games/v52/dinerdash/dinerdash.cab
    DPF: {C68F9105-04FD-4B48-B6CC-2A076F711C35} - file:///D:/MEMDISC/ALBUM_A/VIEW/PLUGIN/HPODPCFC.CAB
    DPF: {C82BB209-F528-46F9-96D5-69DEF7260916} - hxxp://www.worldwinner.com/games/v45/mysterypi/mysterypi.cab
    DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} - hxxp://www.worldwinner.com/games/v43/paint/paint.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
    DPF: {DABFA9AD-4E31-43F4-9D60-4CDD20F57F28} - hxxp://www.photomax.com/web/PhotomaxUploader.CAB
    DPF: {E12EB891-D000-421B-A8ED-EDE1BDCA14A0} - hxxp://www.worldwinner.com/games/v44/golfsol/golfsol.cab
    DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} - hxxp://www.worldwinner.com/games/v53/wwspades/wwspades.cab
    DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} - hxxp://www.auctiva.com/hostedimages/activex/xupload/XUpload.ocx
    DPF: {EA7F451B-94DD-4009-A8BF-8F977B0B2696} - hxxp://pbells.broadjump.com/wizlet/StandardInstall/static/controls/WebflowActiveXInstaller_4-2-0.cab
    DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} - hxxp://www.disneyphotopass.com/software/ImageUploader4.cab
    TCP: DhcpNameServer = 192.168.2.1
    TCP: Interfaces\{6E6154BC-1DA8-4D9B-9526-E9D09ECE7C1F} : DhcpNameServer = 192.168.2.1
    Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 FixTDSS;TDSS Fixtool driver;c:\windows\system32\drivers\FixTDSS.sys [2011-8-5 26872]
    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1206000.01d\symds.sys [2011-5-9 340088]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1206000.01d\symefa.sys [2011-5-9 744568]
    R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [2007-2-20 11264]
    R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
    R3 arusb(SMC);SMCWUSB-N2 802.11n Wireless USB 2.0 Adapter Service(SMC);c:\windows\system32\drivers\arusb.sys [2010-3-29 458240]
    S1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\definitions\bashdefs\20110518.001\BHDrvx86.sys [2011-5-18 802936]
    S1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2007-2-20 13696]
    S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1206000.01d\ironx86.sys [2011-5-9 136312]
    S2 BCMNTIO;BCMNTIO;c:\progra~1\checkit\diagno~1\BCMNTIO.sys [2010-10-26 3744]
    S2 MAPMEM;MAPMEM;c:\progra~1\checkit\diagno~1\MAPMEM.sys [2010-10-26 3904]
    S2 NAV;Norton AntiVirus;c:\program files\norton antivirus\engine\18.6.0.29\ccsvchst.exe [2011-5-9 130008]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-5-10 105592]
    S3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\definitions\ipsdefs\20110603.003\IDSXpx86.sys [2011-6-4 341944]
    S3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\definitions\virusdefs\20110603.038\NAVENG.SYS [2011-6-4 86008]
    S3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\definitions\virusdefs\20110603.038\NAVEX15.SYS [2011-6-4 1542392]
    S3 s3chipid;s3chipid;\??\c:\docume~1\debora~1\locals~1\temp\s3chipid.sys --> c:\docume~1\debora~1\locals~1\temp\s3chipid.sys [?]
    S3 TIDHOOK;TIDHOOK;\??\c:\docume~1\admini~1\locals~1\temp\fxpbjvd1.tmp\tidhook.sys --> c:\docume~1\admini~1\locals~1\temp\fxpbjvd1.tmp\tidhook.sys [?]
    .
    =============== Created Last 30 ================
    .
    2011-08-05 22:04:17 26872 ----a-w- c:\windows\system32\drivers\FixTDSS.sys
    2011-08-05 22:04:17 -------- d-----w- c:\documents and settings\administrator\application data\FixTDSS
    2011-08-05 20:42:08 -------- d-sha-r- C:\cmdcons
    2011-08-05 20:38:45 98816 ----a-w- c:\windows\sed.exe
    2011-08-05 20:38:45 518144 ----a-w- c:\windows\SWREG.exe
    2011-08-05 20:38:45 256000 ----a-w- c:\windows\PEV.exe
    2011-08-05 20:38:45 208896 ----a-w- c:\windows\MBR.exe
    2011-08-05 20:32:46 -------- d-----w- c:\documents and settings\administrator\application data\Tific
    .
    ==================== Find3M ====================
    .
    2011-07-06 23:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-07-06 23:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2008-03-08 15:58:34 774144 -c--a-w- c:\program files\RngInterstitial.dll
    2007-06-24 14:25:36 1803952 -c--a-w- c:\program files\KODAK EASYSHARE Gallery Upload Software, V2.1.exe
    .
    ============= FINISH: 15:13:34.62 ===============
    DDS (Ver_2011-06-23.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 2/20/2007 1:26:45 PM
    System Uptime: 8/5/2011 6:07:20 PM (237 hours ago)
    .
    Motherboard: | | K8M800-8237
    Processor: AMD Sempron(tm) Processor 3400+ | Socket 940 | 1999/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 149 GiB total, 64.794 GiB free.
    D: is CDROM (UDF)
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    No restore point in system.
    .
    ==== Installed Programs ======================
    .
    .
    Windows XP Service Pack 3
    Wizard101
    XML Paper Specification Shared Components Pack 1.0
    Yahoo! Install Manager
    Yahoo! Software Update
    Yahoo! Toolbar
    Zynga Toolbar
    .
    ==== Event Viewer Messages From Past Week ========
    .
    8/15/2011 3:05:25 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    .
    ==== End Of File =================
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot!

    Did you get a log after running this? If yes, I'd like to see it. Please do not run it again now- just leave the log if you have it.
    2011-08-05 22:04:17 26872 ----a-w- c:\windows\system32\drivers\FixTDSS.sys
    2011-08-05 22:04:17 -------- d-----w- c:\documents and settings\administrator\application data\FixTDSS
    =======================================
    You also have 25+ Active X entries for worldwinner.com games. This is a tremendous vulnerability! They have to get that cash to give away- did you ever wonder how?
    =======================================
    Both the Adobe Reader and Java are way out of date. These are more vulnerabilities.
    =======================================
    There is a multitude of bad entries that need to be removed. They are contributing to more malware.
    You need to run Combofix- You can download it to a flash drive, update on the download, then run on the problem computer. Just skip the Recovery Console if you're in Safe Mode:

    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply.
    Re-enable your Antivirus software.

    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    =============================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.

    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =====================================
    Please hold off on those games while I'm helping clean the system
     
  3. debdubey

    debdubey TS Rookie Topic Starter

    Ready to run combofix, but can't stop antivirus.

    Thanks for the quick response. I looked for a log from running FixTDSS and couldn't find one. At some point during its process it restarts my computer which ends up freezing at the blue screen and the program never finishes. All I can find are the sys files. I've uninstalled combofix and reinstalled from your link and I'm ready to run, but I can't seem to stop norton antivirus. When I click on it it asks me if I want to run a full scan. Even right clicking only gives me the option to run a scan, not disable. The instructions from the website say to click on the icon in my system tray in the bottom right corner of my screen, but in safe mode I don't have any icons there. Should I still run combofix or can you help me disable Norton Antivirus 2011?
    I know there are a lot of issues with my desktop- my 12 yr old is the one that uses it the most. My husband and I have our own laptops. Now that they are back in school I need to get their pc up and running again. LOL The virus was a good excuse over the summer for not using it at all.
    Is it OK that I downloaded combofix directly onto this computer, or should I use the flash drive method? I'll download using my laptop onto a flash if you think that would be best. But I can connect with this computer.
    I'll wait to hear from you before proceeding. Thanks.
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

  5. debdubey

    debdubey TS Rookie Topic Starter

    I don't have symantec endpoint protection

    I checked the link you posted and the beginning item is to open endpoint protection, but I just have Norton Antivirus 2011 and no matter what I click, my only option is to run a full scan or cancel. I'm in safe mode and there is no icon in my system tray, and I can't reboot my computer in standard mode because it freezes at the blue screen. Is my only option to uninstall? And is it safe to do that? Sorry, I seem to be running in circles here. I feel kinda ridiculous that I can't figure out how to stop my virus software temporarily. Can I just run combofix anyway?
    Thanks, Deb

    BTW-Can I stop it using Task Manager?
     
  6. debdubey

    debdubey TS Rookie Topic Starter

    Wondering if I can run combofix

    I'm wondering if I can run combofix in safe mode even though I can't disable Norton Antivirus 2011
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I think you may be having the problem because you have 3 Norton installs:
    --------------------------------------
    Let me clarify some things for you. There were no instructions to disable the AV to run GMER, DDS or Malwarebytes.
    There is a direction to disable security when running Combofix
    ==========================================
    Norton has a feature called Auto-Protect. That's what needs to be disabled for Combofix.
    From Symantec: Turn off Auto-Protect temporarily
    • Right-click the Auto-Protect icon, which is located by the clock in the Windows system tray.
    • Click Disable.
    • If an Options popup Window appears > select the period for which you want Auto-Protect turned off, and then click OK.
    • A red circle with a slash through its center appears, which indicates that Auto-Protect is disabled.
    ----------------------------------
    1. Please go ahead and run Combofix in Safe Mode if you can't run it in Normal Mode.
    2. Please do a right click> Delete on this file:
    C:\Documents and Settings\Administrator\Desktop\lp8ejilt.exe
    3. Uninstall this program: FixTDSS. Make sure it's gone from the Startup Menu. Use Windows Explorer (right click on Start> Explore> My Computer> Double click on Local Drive(C)> Programs> find the program folder for FixTDSS and do a right click> Delete).
    ===============================================
    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double click on TDSSKiller.exe to run the scan.
    • When the scan is over, the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies selected actions and outputs the result.
    • A reboot is required after disinfection.

    =========================================
    What are you doing with the Task Manager? And why are you doing it?

    Logs from Combofix and TDSSKiller in next reply please.
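    The ComboFix report asked for above is read by eye, and the entries a reviewer looks at first are the driver/service lines, the Run/RunOnce values and the firewall and Security Center policy values. The script below is an added example, not code from this thread or from ComboFix: it reads a constructed excerpt in the line format ComboFix reports use (assembled from the kind of lines posted later in this thread) and lists the entries worth a second look. The checks are ordinary reviewer heuristics rather than ComboFix's own logic, and a flagged entry is a review item, not a verdict.

```python
"""Triage helper for ComboFix-style report lines (added example, not ComboFix code).

Assumptions: the line formats below are those seen in a ComboFix report; the
heuristics (image under a Temp folder, image not found, autostart value whose
file is gone, firewall or Security Center monitoring disabled, globally open
ports) are a reviewer's own checks, not anything ComboFix itself evaluates.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Service/driver line: "<start> <name>;<display name>;<image path> [<date> <size>]"
# When the image cannot be read, ComboFix prints "... --> <path> [?]" instead.
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
# Registry value inside a [KEY] block: "<name>"=<value> [<tag>]; the tag is X when the file is missing.
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*?)\s*(?:\[(?P<tag>[^\]]*)\])?$')
# An image path under any Temp folder (long or 8.3 form both contain "\Temp\").
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int   # 1-based line number within the report text
    reason: str
    detail: str


def triage(report: str) -> List[Finding]:
    """Walk a ComboFix-style report and return the entries a reviewer should look at first."""
    findings: List[Finding] = []
    key_raw: Optional[str] = None   # registry key of the block we are inside, as printed
    key: str = ""                   # same key, lower-cased for comparisons
    for no, raw in enumerate(report.splitlines(), start=1):
        line = raw.strip()
        if not line or line == ".":        # ComboFix separates blocks with lone dots
            continue
        if line.startswith("[") and line.endswith("]"):
            key_raw = line[1:-1]
            key = key_raw.lower()
            continue
        svc = SERVICE_RE.match(line)
        if svc:
            name, rest = svc.group("name"), svc.group("rest")
            if rest.endswith("[?]"):
                findings.append(Finding(no, "driver/service image not found or unreadable ([?])", name))
            if TEMP_RE.search(rest):
                findings.append(Finding(no, "driver/service image lives under a Temp folder", name))
            continue
        val = VALUE_RE.match(line)
        if not (val and key_raw):
            continue
        name, value, tag = val.group("name"), val.group("value"), val.group("tag")
        if tag == "X":
            findings.append(Finding(no, "autostart value whose file is missing ([X])", f"{key_raw}\\{name}"))
        elif key.endswith("firewallpolicy\\standardprofile") and name == "EnableFirewall" and value.startswith("0"):
            findings.append(Finding(no, "Windows Firewall disabled for the standard profile", value))
        elif "security center\\monitoring\\" in key and name == "DisableMonitoring" and value.endswith("1"):
            findings.append(Finding(no, "Security Center monitoring disabled", key_raw.rsplit("\\", 1)[-1]))
        elif key.endswith("globallyopenports\\list"):
            findings.append(Finding(no, "firewall port opened to all", value))
    return findings


# Constructed excerpt in ComboFix's report format (not a complete report).
SAMPLE_REPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FixTDSS"="start" [X]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56951:TCP"= 56951:TCP:pando Media Booster
.
R0 FixTDSS;TDSS Fixtool driver;c:\windows\system32\drivers\FixTDSS.sys [8/5/2011 6:04 PM 26872]
S3 TIDHOOK;TIDHOOK;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\fxpbjvd1.tmp\tidhook.sys --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\fxpbjvd1.tmp\tidhook.sys [?]
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"line {f.line_no:>3}: {f.reason}: {f.detail}")
```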
     
  8. debdubey

    debdubey TS Rookie Topic Starter

    There are no Icons in my system tray

    I didn't worry about the AV when I ran the other scans. I'm at the point where I want to run combofix but can't disable auto protect. The only icon in my system tray next to the clock is a microphone. None of the icons that are usually present are there, otherwise I would have been able to stop AV temporarily. When I go to programs the only things there are Norton Antivirus and Security Scan, but left or right clicking either doesn't give any option to disable. That was why I asked about task manager. I haven't done anything but run the scans you originally asked me to run, I'm just stuck at the combofix one because a warning popped up telling me to stop my AV software before running combofix. When I checked the symantec website it gave the same instructions that you just did, but I have no icon to right click. I've tried expanding the system tray, thinking they were hidden, but there are no icons in the system tray. I do understand the directions you're giving me, I just can't complete them. So, is there another way to stop auto protect, or do I run combofix anyway?
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    If you can bypass the AV warning, go ahead and do it to run Combofix. If you can't override it, run Combofix in Safe Mode.
     
  10. debdubey

    debdubey TS Rookie Topic Starter

    Logs for combofix and TDSSKiller

    Ran combofix then TDSSKiller both in safe mode. TDSSKiller said it didn't find anything so there was no quarantine and reboot after running it. I also removed FixTDSS per your instructions and did everything in the order you had them in. Thanks


    ComboFix 11-08-19.01 - Administrator 08/19/2011 15:22:37.4.1 - x86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1417 [GMT -4:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    AV: Norton AntiVirus *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-07-19 to 2011-08-19 )))))))))))))))))))))))))))))))
    .
    .
    2011-08-05 22:04 . 2011-08-05 22:04 26872 ----a-w- c:\windows\system32\drivers\FixTDSS.sys
    2011-08-05 22:04 . 2011-08-05 22:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\FixTDSS
    2011-08-05 20:32 . 2011-08-05 20:32 -------- d-----w- c:\documents and settings\Administrator\Application Data\Tific
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-08-16 12:59 . 2010-10-26 21:43 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2011-08-16 12:59 . 2010-10-26 21:43 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2011-07-06 23:52 . 2010-06-24 14:10 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-07-06 23:52 . 2010-06-24 14:10 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2008-03-08 15:58 . 2008-03-08 15:58 774144 -c--a-w- c:\program files\RngInterstitial.dll
    2007-06-24 14:25 . 2007-06-24 14:25 1803952 -c--a-w- c:\program files\KODAK EASYSHARE Gallery Upload Software, V2.1.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{614BDA1F-9BEF-4CD1-BDE4-FA4804929B4A}]
    2009-11-29 23:25 1444864 ----a-w- c:\program files\MyPoints Toolbar 2.0\Toolbar.dll
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]
    2011-03-28 16:22 176936 ----a-w- c:\program files\Zynga\prxtbZyn2.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{89A2510A-B4B6-4683-BEC9-1B96700BC7F1}"= "c:\program files\MyPoints Toolbar 2.0\Toolbar.dll" [2009-11-29 1444864]
    "{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\prxtbZyn2.dll" [2011-03-28 176936]
    .
    [HKEY_CLASSES_ROOT\clsid\{89a2510a-b4b6-4683-bec9-1b96700bc7f1}]
    [HKEY_CLASSES_ROOT\FCTB000060497.IEToolbar.3]
    [HKEY_CLASSES_ROOT\TypeLib\{061ED138-E065-4356-82AA-578F7F1EEAF1}]
    [HKEY_CLASSES_ROOT\FCTB000060497.IEToolbar]
    .
    [HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-11-30 2356088]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
    "SMCWUSB-N2 Wireless Utility"="c:\program files\SMC\SMCWUSB-N2\SMCWUSB-N2 Wireless Utility.exe" [2009-08-07 557171]
    "nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
    "TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-05-26 273544]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "FixTDSS"="start" [X]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
    backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
    backup=c:\windows\pss\HotSync Manager.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk.disabled]
    backup=c:\windows\pss\HP Image Zone Fast Start.lnk.disabledCommon Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
    2011-04-20 16:48 58656 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2011-04-27 05:22 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2010-07-09 20:24 13923432 ----a-w- c:\windows\system32\nvcpl.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
    2006-11-04 00:20 866584 ----a-w- c:\program files\Windows Defender\MSASCui.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    "HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe"
    "HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
    "NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    "SoundMan"=SOUNDMAN.EXE
    "HPDJ Taskbar Utility"=c:\windows\system32\spool\drivers\w32x86\3\hpztsb99.exe
    "NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    "LoadMSvcmm"="c:\program files\Movielink\MovielinkManager\Movielink User.exe"
    "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe"
    "Symantec NetDriver Monitor"=c:\progra~1\SYMNET~1\SNDMon.exe /Consumer
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\drivers\\svchost.exe"=
    "c:\\Program Files\\MyPoints Toolbar 2.0\\TroubleShooter.exe"=
    "c:\\Program Files\\MyPoints Toolbar 2.0\\ToolbarUpdate.exe"=
    "c:\\WINDOWS\\system32\\mmc.exe"=
    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "56951:TCP"= 56951:TCP:pando Media Booster
    "56951:UDP"= 56951:UDP:pando Media Booster
    .
    R0 FixTDSS;TDSS Fixtool driver;c:\windows\system32\drivers\FixTDSS.sys [8/5/2011 6:04 PM 26872]
    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1206000.01D\symds.sys [5/9/2011 7:03 PM 340088]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1206000.01D\symefa.sys [5/9/2011 7:03 PM 744568]
    R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
    R3 arusb(SMC);SMCWUSB-N2 802.11n Wireless USB 2.0 Adapter Service(SMC);c:\windows\system32\drivers\arusb.sys [3/29/2010 7:58 AM 458240]
    S1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\BASHDefs\20110518.001\BHDrvx86.sys [5/18/2011 5:36 PM 802936]
    S1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2/20/2007 4:37 PM 13696]
    S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1206000.01D\ironx86.sys [5/9/2011 7:03 PM 136312]
    S2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [10/26/2010 5:07 PM 3744]
    S2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [10/26/2010 5:07 PM 3904]
    S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/24/2010 10:10 AM 366640]
    S2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\18.6.0.29\ccsvchst.exe [5/9/2011 7:03 PM 130008]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/10/2011 8:08 PM 105592]
    S3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\IPSDefs\20110603.003\IDSXpx86.sys [6/4/2011 7:57 AM 341944]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/24/2010 10:10 AM 22712]
    S3 s3chipid;s3chipid;\??\c:\docume~1\DEBORA~1\LOCALS~1\Temp\s3chipid.sys --> c:\docume~1\DEBORA~1\LOCALS~1\Temp\s3chipid.sys [?]
    S3 TIDHOOK;TIDHOOK;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\fxpbjvd1.tmp\tidhook.sys --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\fxpbjvd1.tmp\tidhook.sys [?]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - IPOD_SERVICE
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-04-11 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
    .
    2011-02-01 c:\windows\Tasks\Disk Cleanup.job
    - c:\windows\system32\cleanmgr.exe [2004-08-04 00:12]
    .
    2011-08-17 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
    .
    2011-08-16 c:\windows\Tasks\Norton AntiVirus.job
    - c:\progra~1\NORTON~3\Engine\1860~1.29\uistub.exe [2011-05-09 00:28]
    .
    2011-06-04 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-220523388-1425521274-725345543-1009.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
    .
    2011-06-04 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-220523388-1425521274-725345543-1010.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
    .
    2011-06-04 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-220523388-1425521274-725345543-1011.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
    .
    2011-06-04 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-220523388-1425521274-725345543-1013.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
    .
    2011-06-03 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-220523388-1425521274-725345543-1007.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
    .
    2011-06-02 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-220523388-1425521274-725345543-1009.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
    .
    2011-05-25 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-220523388-1425521274-725345543-1010.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
    .
    2011-06-04 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-220523388-1425521274-725345543-1011.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
    .
    2011-06-04 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-220523388-1425521274-725345543-1012.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
    .
    2011-06-04 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-220523388-1425521274-725345543-1013.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
    .
    2011-06-04 c:\windows\Tasks\User_Feed_Synchronization-{9607B5EA-95BD-4B0B-840F-917E9456301F}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
    .
    .
    ------- Supplementary Scan -------
    .
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    TCP: DhcpNameServer = 192.168.2.1
    DPF: {75A6AEA3-F26E-4608-AE9B-8DA78C87576E} - hxxps://kingsisle.hs.llnwd.net/e1/static/themes/wizard101A/activex/Wizard101GameLauncher.CAB
    DPF: {DABFA9AD-4E31-43F4-9D60-4CDD20F57F28} - hxxp://www.photomax.com/web/PhotomaxUploader.CAB
    DPF: {EA7F451B-94DD-4009-A8BF-8F977B0B2696} - hxxp://pbells.broadjump.com/wizlet/StandardInstall/static/controls/WebflowActiveXInstaller_4-2-0.cab
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-08-19 15:28
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NAV]
    "ImagePath"="\"c:\program files\Norton AntiVirus\Engine\18.6.0.29\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\18.6.0.29\diMaster.dll\" /prefetch:1"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-220523388-1425521274-725345543-1007\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    [HKEY_USERS\S-1-5-21-220523388-1425521274-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2d,e7,cb,9b,7a,5b,25,4e,b4,1c,6d,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2d,e7,cb,9b,7a,5b,25,4e,b4,1c,6d,\
    "6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2d,e7,cb,9b,7a,5b,25,4e,b4,1c,6d,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(3568)
    c:\windows\system32\WININET.dll
    .
    - - - - - - - > 'explorer.exe'(3148)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    .
    - - - - - - - > 'explorer.exe'(4092)
    c:\windows\system32\WININET.dll
    .
    Completion time: 2011-08-19 15:30:49
    ComboFix-quarantined-files.txt 2011-08-19 19:30
    ComboFix2.txt 2011-08-05 21:38
    .
    Pre-Run: 69,448,327,168 bytes free
    Post-Run: 69,465,939,968 bytes free
    .
    - - End Of File - - 2F99BA398911A8F0802488821E738D15

    2011/08/19 15:46:57.0546 2820 TDSS rootkit removing tool 2.5.16.0 Aug 19 2011 17:48:17
    2011/08/19 15:46:57.0843 2820 ================================================================================
    2011/08/19 15:46:57.0843 2820 SystemInfo:
    2011/08/19 15:46:57.0843 2820
    2011/08/19 15:46:57.0843 2820 OS Version: 5.1.2600 ServicePack: 3.0
    2011/08/19 15:46:57.0843 2820 Product type: Workstation
    2011/08/19 15:46:57.0843 2820 ComputerName: DESKTOP
    2011/08/19 15:46:57.0843 2820 UserName: Administrator
    2011/08/19 15:46:57.0843 2820 Windows directory: C:\WINDOWS
    2011/08/19 15:46:57.0843 2820 System windows directory: C:\WINDOWS
    2011/08/19 15:46:57.0843 2820 Processor architecture: Intel x86
    2011/08/19 15:46:57.0843 2820 Number of processors: 1
    2011/08/19 15:46:57.0843 2820 Page size: 0x1000
    2011/08/19 15:46:57.0843 2820 Boot type: Safe boot with network
    2011/08/19 15:46:57.0843 2820 ================================================================================
    2011/08/19 15:46:58.0437 2820 Initialize success
    2011/08/19 15:47:20.0000 2628 ================================================================================
    2011/08/19 15:47:20.0000 2628 Scan started
    2011/08/19 15:47:20.0000 2628 Mode: Manual;
    2011/08/19 15:47:20.0000 2628 ================================================================================
    2011/08/19 15:47:23.0359 2628 61883 (914a9709fc3bf419ad2f85547f2a4832) C:\WINDOWS\system32\DRIVERS\61883.sys
    2011/08/19 15:47:23.0718 2628 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2011/08/19 15:47:23.0859 2628 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
    2011/08/19 15:47:24.0265 2628 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    2011/08/19 15:47:24.0421 2628 AFD (7618d5218f2a614672ec61a80d854a37) C:\WINDOWS\System32\drivers\afd.sys
    2011/08/19 15:47:25.0109 2628 ALCXWDM (5003d2e3f6b220ed3b0f1ac2816c2a18) C:\WINDOWS\system32\drivers\ALCXWDM.SYS
    2011/08/19 15:47:25.0531 2628 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
    2011/08/19 15:47:25.0703 2628 arusb(SMC) (d8aa72b3760402b4a30925d9778e4688) C:\WINDOWS\system32\DRIVERS\arusb.sys
    2011/08/19 15:47:26.0406 2628 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2011/08/19 15:47:26.0546 2628 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2011/08/19 15:47:26.0843 2628 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2011/08/19 15:47:27.0015 2628 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    2011/08/19 15:47:27.0125 2628 Avc (f8e6956a614f15a0860474c5e2a7de6b) C:\WINDOWS\system32\DRIVERS\avc.sys
    2011/08/19 15:47:27.0343 2628 BCMNTIO (90a87d49205b3893281203a477f66fe5) C:\PROGRA~1\CheckIt\DIAGNO~1\BCMNTIO.sys
    2011/08/19 15:47:27.0515 2628 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    2011/08/19 15:47:27.0796 2628 BHDrvx86 (925a191c8c06124426c63ceb2ea93085) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\BASHDefs\20110518.001\BHDrvx86.sys
    2011/08/19 15:47:27.0968 2628 BIOS (be5d50529799b9bab6be879ec768b6cf) C:\WINDOWS\system32\drivers\BIOS.sys
    2011/08/19 15:47:28.0406 2628 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    2011/08/19 15:47:28.0562 2628 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
    2011/08/19 15:47:28.0859 2628 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    2011/08/19 15:47:28.0968 2628 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    2011/08/19 15:47:29.0171 2628 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2011/08/19 15:47:30.0171 2628 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    2011/08/19 15:47:30.0406 2628 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    2011/08/19 15:47:30.0578 2628 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
    2011/08/19 15:47:30.0671 2628 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    2011/08/19 15:47:30.0875 2628 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    2011/08/19 15:47:31.0218 2628 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    2011/08/19 15:47:31.0359 2628 eeCtrl (5461f01b7def17dc90d90b029f874c3b) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
    2011/08/19 15:47:31.0531 2628 EraserUtilRebootDrv (17fcc372d03ba39f3aee85198c0ec594) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
    2011/08/19 15:47:31.0765 2628 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    2011/08/19 15:47:31.0937 2628 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
    2011/08/19 15:47:32.0078 2628 FETND5BV (cfc4cc73c903152a23e1db28eaba1f03) C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys
    2011/08/19 15:47:32.0250 2628 FETNDIS (e9648254056bce81a85380c0c3647dc4) C:\WINDOWS\system32\DRIVERS\fetnd5.sys
    2011/08/19 15:47:32.0328 2628 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    2011/08/19 15:47:32.0437 2628 FixTDSS (77d6ffaa3010b66fb4692532d75a585f) C:\WINDOWS\system32\drivers\FixTDSS.sys
    2011/08/19 15:47:32.0593 2628 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
    2011/08/19 15:47:32.0750 2628 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
    2011/08/19 15:47:32.0937 2628 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    2011/08/19 15:47:33.0250 2628 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    2011/08/19 15:47:33.0484 2628 gagp30kx (3a74c423cf6bcca6982715878f450a3b) C:\WINDOWS\system32\DRIVERS\gagp30kx.sys
    2011/08/19 15:47:33.0609 2628 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
    2011/08/19 15:47:33.0796 2628 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
    2011/08/19 15:47:33.0953 2628 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    2011/08/19 15:47:34.0203 2628 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    2011/08/19 15:47:34.0500 2628 HPZid412 (9f1d80908658eb7f1bf70809e0b51470) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
    2011/08/19 15:47:34.0640 2628 HPZipr12 (f7e3e9d50f9cd3de28085a8fdaa0a1c3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
    2011/08/19 15:47:34.0765 2628 HPZius12 (cf1b7951b4ec8d13f3c93b74bb2b461b) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
    2011/08/19 15:47:34.0953 2628 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
    2011/08/19 15:47:35.0359 2628 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    2011/08/19 15:47:35.0515 2628 ICAM3NT5 (67ad57ae9aa6a2f02561325ea1b3e4b2) C:\WINDOWS\system32\Drivers\ICAM3D2.SYS
    2011/08/19 15:47:35.0859 2628 IDSxpx86 (50fa4c70534cf3b5c17ec83debe07afd) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\IPSDefs\20110603.003\IDSxpx86.sys
    2011/08/19 15:47:36.0031 2628 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
    2011/08/19 15:47:36.0218 2628 InCDfs (38fb07e8d1d1ef073048630a64f20bbd) C:\WINDOWS\system32\drivers\InCDFs.sys
    2011/08/19 15:47:36.0390 2628 InCDPass (36bf2c76b64868479c2f4028301753e7) C:\WINDOWS\system32\drivers\InCDPass.sys
    2011/08/19 15:47:36.0531 2628 InCDrec (148385c44b3449a4d66162a804e7f713) C:\WINDOWS\system32\drivers\InCDrec.sys
    2011/08/19 15:47:36.0656 2628 incdrm (cb7eee4831e3b57f8e97eec6f3d6be7c) C:\WINDOWS\system32\drivers\InCDRm.sys
    2011/08/19 15:47:37.0140 2628 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
    2011/08/19 15:47:37.0312 2628 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    2011/08/19 15:47:37.0406 2628 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    2011/08/19 15:47:37.0500 2628 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    2011/08/19 15:47:37.0687 2628 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    2011/08/19 15:47:37.0843 2628 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    2011/08/19 15:47:38.0015 2628 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    2011/08/19 15:47:38.0203 2628 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2011/08/19 15:47:38.0296 2628 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
    2011/08/19 15:47:38.0437 2628 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    2011/08/19 15:47:38.0593 2628 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
    2011/08/19 15:47:39.0062 2628 MAPMEM (61330a29bd4230505a7618bc41693cbb) C:\PROGRA~1\CheckIt\DIAGNO~1\MAPMEM.sys
    2011/08/19 15:47:39.0234 2628 MBAMProtector (eca00eed9ab95489007b0ef84c7149de) C:\WINDOWS\system32\drivers\mbam.sys
    2011/08/19 15:47:39.0453 2628 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    2011/08/19 15:47:39.0546 2628 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    2011/08/19 15:47:39.0750 2628 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    2011/08/19 15:47:39.0875 2628 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    2011/08/19 15:47:40.0171 2628 MREMP50 (9bd4dcb5412921864a7aacdedfbd1923) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
    2011/08/19 15:47:40.0421 2628 MREMPR5 (2bc9e43f55de8c30fc817ed56d0ee907) C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS
    2011/08/19 15:47:40.0593 2628 MRENDIS5 (594b9d8194e3f4ecbf0325bd10bbeb05) C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS
    2011/08/19 15:47:40.0718 2628 MRESP50 (07c02c892e8e1a72d6bf35004f0e9c5e) C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS
    2011/08/19 15:47:40.0984 2628 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    2011/08/19 15:47:41.0140 2628 MRxSmb (0ea4d8ed179b75f8afa7998ba22285ca) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    2011/08/19 15:47:41.0375 2628 MSDV (1477849772712bac69c144dcf2c9ce81) C:\WINDOWS\system32\DRIVERS\msdv.sys
    2011/08/19 15:47:41.0531 2628 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    2011/08/19 15:47:41.0703 2628 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2011/08/19 15:47:41.0843 2628 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2011/08/19 15:47:41.0984 2628 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    2011/08/19 15:47:42.0125 2628 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    2011/08/19 15:47:42.0265 2628 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
    2011/08/19 15:47:42.0437 2628 ms_mpu401 (ca3e22598f411199adc2dfee76cd0ae0) C:\WINDOWS\system32\drivers\msmpu401.sys
    2011/08/19 15:47:42.0625 2628 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
    2011/08/19 15:47:42.0765 2628 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
    2011/08/19 15:47:43.0031 2628 NAVENG (920d9701bba90dbb7ccfd3536ea4d6f9) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\VirusDefs\20110603.038\NAVENG.SYS
    2011/08/19 15:47:43.0375 2628 NAVEX15 (31b1a9b53c3319b97f7874347cd992d2) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\VirusDefs\20110603.038\NAVEX15.SYS
    2011/08/19 15:47:43.0578 2628 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    2011/08/19 15:47:43.0703 2628 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
    2011/08/19 15:47:43.0859 2628 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    2011/08/19 15:47:43.0953 2628 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    2011/08/19 15:47:44.0046 2628 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    2011/08/19 15:47:44.0187 2628 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
    2011/08/19 15:47:44.0312 2628 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    2011/08/19 15:47:44.0437 2628 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    2011/08/19 15:47:44.0703 2628 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
    2011/08/19 15:47:44.0875 2628 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    2011/08/19 15:47:44.0984 2628 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    2011/08/19 15:47:45.0171 2628 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    2011/08/19 15:47:45.0625 2628 nv (ed9816dbaf6689542ea7d022631906a1) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
    2011/08/19 15:47:46.0093 2628 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2011/08/19 15:47:46.0187 2628 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    2011/08/19 15:47:46.0343 2628 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
    2011/08/19 15:47:46.0546 2628 PalmUSBD (dc450992eba6f914080c1f7fbeeed72c) C:\WINDOWS\system32\drivers\PalmUSBD.sys
    2011/08/19 15:47:46.0718 2628 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
    2011/08/19 15:47:46.0843 2628 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    2011/08/19 15:47:47.0031 2628 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    2011/08/19 15:47:47.0187 2628 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    2011/08/19 15:47:47.0453 2628 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    2011/08/19 15:47:47.0578 2628 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
    2011/08/19 15:47:48.0718 2628 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    2011/08/19 15:47:48.0906 2628 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
    2011/08/19 15:47:49.0093 2628 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    2011/08/19 15:47:49.0234 2628 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    2011/08/19 15:47:49.0437 2628 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\WINDOWS\system32\Drivers\PxHelp20.sys
    2011/08/19 15:47:50.0203 2628 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    2011/08/19 15:47:50.0406 2628 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    2011/08/19 15:47:50.0609 2628 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    2011/08/19 15:47:50.0718 2628 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    2011/08/19 15:47:50.0890 2628 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    2011/08/19 15:47:51.0015 2628 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    2011/08/19 15:47:51.0203 2628 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    2011/08/19 15:47:51.0359 2628 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
    2011/08/19 15:47:51.0484 2628 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    2011/08/19 15:47:52.0015 2628 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    2011/08/19 15:47:52.0187 2628 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
    2011/08/19 15:47:52.0359 2628 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
    2011/08/19 15:47:52.0562 2628 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys
    2011/08/19 15:47:52.0890 2628 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
    2011/08/19 15:47:53.0062 2628 SONYPVU1 (a1eceeaa5c5e74b2499eb51d38185b84) C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS
    2011/08/19 15:47:53.0343 2628 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    2011/08/19 15:47:53.0546 2628 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    2011/08/19 15:47:53.0765 2628 SRTSP (83726cf02eced69138948083e06b6eac) C:\WINDOWS\System32\Drivers\NAV\1206000.01D\SRTSP.SYS
    2011/08/19 15:47:53.0937 2628 SRTSPX (4e7eab2e5615d39cf1f1df9c71e5e225) C:\WINDOWS\system32\drivers\NAV\1206000.01D\SRTSPX.SYS
    2011/08/19 15:47:54.0140 2628 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
    2011/08/19 15:47:54.0375 2628 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
    2011/08/19 15:47:54.0531 2628 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    2011/08/19 15:47:54.0640 2628 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    2011/08/19 15:47:55.0109 2628 SymDS (9bbeb8c6258e72d62e7560e6667aad39) C:\WINDOWS\system32\drivers\NAV\1206000.01D\SYMDS.SYS
    2011/08/19 15:47:55.0265 2628 SymEFA (d5c02629c02a820a7e71bca3d44294a3) C:\WINDOWS\system32\drivers\NAV\1206000.01D\SYMEFA.SYS
    2011/08/19 15:47:55.0437 2628 SymEvent (ab33c3b196197ca467cbdda717860dba) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
    2011/08/19 15:47:55.0609 2628 SymIRON (a73399804d5d4a8b20ba60fcf70c9f1f) C:\WINDOWS\system32\drivers\NAV\1206000.01D\Ironx86.SYS
    2011/08/19 15:47:55.0781 2628 SYMTDI (dec35ccaf7a222df918306cd2fdfbd39) C:\WINDOWS\System32\Drivers\NAV\1206000.01D\SYMTDI.SYS
    2011/08/19 15:47:56.0234 2628 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    2011/08/19 15:47:56.0468 2628 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    2011/08/19 15:47:56.0625 2628 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    2011/08/19 15:47:56.0765 2628 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    2011/08/19 15:47:56.0906 2628 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2011/08/19 15:47:57.0437 2628 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    2011/08/19 15:47:57.0750 2628 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    2011/08/19 15:47:57.0984 2628 USBAAPL (d4fb6ecc60a428564ba8768b0e23c0fc) C:\WINDOWS\system32\Drivers\usbaapl.sys
    2011/08/19 15:47:58.0125 2628 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
    2011/08/19 15:47:58.0312 2628 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    2011/08/19 15:47:58.0453 2628 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    2011/08/19 15:47:58.0593 2628 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2011/08/19 15:47:58.0687 2628 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
    2011/08/19 15:47:58.0812 2628 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    2011/08/19 15:47:58.0984 2628 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2011/08/19 15:47:59.0156 2628 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    2011/08/19 15:47:59.0281 2628 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    2011/08/19 15:47:59.0437 2628 viagfx (58d3c5bc2cbe43f127d768c020b0b018) C:\WINDOWS\system32\DRIVERS\vtmini.sys
    2011/08/19 15:47:59.0609 2628 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
    2011/08/19 15:47:59.0781 2628 videX32 (c8ee49fa76eb7c41a9cddfe58151a74e) C:\WINDOWS\system32\DRIVERS\videX32.sys
    2011/08/19 15:47:59.0875 2628 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    2011/08/19 15:48:00.0109 2628 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2011/08/19 15:48:00.0390 2628 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    2011/08/19 15:48:00.0671 2628 WinDriver6 (097a8291df541f9b9af2c500797cdcaa) C:\WINDOWS\system32\drivers\windrvr6.sys
    2011/08/19 15:48:01.0000 2628 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
    2011/08/19 15:48:01.0187 2628 WSIMD (43f767d59bfc25d8f4fc2eb42043ec1e) C:\WINDOWS\system32\DRIVERS\wsimd.sys
    2011/08/19 15:48:01.0296 2628 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
    2011/08/19 15:48:01.0468 2628 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
    2011/08/19 15:48:01.0562 2628 WUDFRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\WUDFRd.sys
    2011/08/19 15:48:01.0750 2628 xfilt (fcbc27869092850cdb75139f3818653a) C:\WINDOWS\system32\DRIVERS\xfilt.sys
    2011/08/19 15:48:01.0968 2628 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
    2011/08/19 15:48:02.0156 2628 Boot (0x1200) (1f542a05d5cfd60266ba8e0fc2d6bca8) \Device\Harddisk0\DR0\Partition0
    2011/08/19 15:48:02.0187 2628 ================================================================================
    2011/08/19 15:48:02.0187 2628 Scan finished
    2011/08/19 15:48:02.0187 2628 ================================================================================
    2011/08/19 15:48:02.0250 3304 Detected object count: 0
    2011/08/19 15:48:02.0250 3304 Actual detected object count: 0
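The TDSSKiller log above is what the helper reads by eye: one line per driver (timestamp, pid, service name, MD5, path) plus the MBR and boot-sector records, and the cue that singles out a driver is where it loads from (the later ComboFix script targets drivers under a user's Temp folder). The Python below is an added example, not part of the thread and not Kaspersky's tool: it parses lines in this log format and buckets drivers by load location. The sample log is constructed from lines in this thread plus one made-up s3chipid line with a placeholder hash; the REVIEWED_DIRS allow-list and the bucket names are assumptions of this example.

```python
"""Triage helper for TDSSKiller 2.5.x scan logs (added example, not a Kaspersky tool).

Driver lines in the log have the shape
    YYYY/MM/DD HH:MM:SS.ffff <pid> <name> (<md5>) <path>
and the boot records at the end of the scan read
    ... MBR (0x1B8) (<md5>) \\Device\\Harddisk0\\DR0
    ... Boot (0x1200) (<md5>) \\Device\\Harddisk0\\DR0\\Partition0
"""
import re
from collections import defaultdict
from dataclasses import dataclass

DRIVER_LINE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4})\s+(?P<pid>\d+)\s+"
    r"(?P<name>.+?) \((?P<md5>[0-9a-f]{32})\) (?P<path>\S.*)$"
)
COUNT_LINE = re.compile(r"Actual detected object count: (\d+)")

# Kernel drivers normally live here; anything else deserves a look.
SYSTEM_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\")
# User-profile roots, long and 8.3 forms, as they appear in the thread's logs.
PROFILE_DIRS = ("c:\\documents and settings\\", "c:\\docume~1\\")
# Assumed allow-list: vendor directories a reviewer has already vetted. Norton
# keeps its definition drivers under All Users\Application Data, which the
# profile rule would otherwise flag. Extend per environment.
REVIEWED_DIRS = ("c:\\documents and settings\\all users\\application data\\norton\\",)


@dataclass
class DriverRecord:
    name: str
    md5: str
    path: str
    bucket: str


def classify(path: str) -> str:
    """Bucket a driver by its load location. A bucket is a review cue, not a verdict."""
    p = path.lower()
    if p.startswith("\\device\\"):
        return "boot"             # MBR / boot-sector records, not files on disk
    if p.startswith(REVIEWED_DIRS):
        return "reviewed_vendor"
    if "\\temp\\" in p or p.startswith(PROFILE_DIRS):
        return "temp_or_profile"  # kernel code under a user profile: read these first
    if not p.startswith(SYSTEM_DIRS):
        return "outside_system"   # third-party drivers under Program Files etc.
    return "system"


def parse_tdsskiller(text: str) -> list:
    """Return one DriverRecord per driver/boot line; banner and status lines are skipped."""
    records = []
    for line in text.splitlines():
        m = DRIVER_LINE.match(line.strip())
        if m:
            records.append(DriverRecord(m["name"], m["md5"], m["path"], classify(m["path"])))
    return records


def detected_count(text: str):
    """TDSSKiller's own verdict line, or None if the scan never finished."""
    m = COUNT_LINE.search(text)
    return int(m.group(1)) if m else None


def triage(records) -> dict:
    """Group driver names by bucket so the unusual ones are read first."""
    groups = defaultdict(list)
    for r in records:
        groups[r.bucket].append(r.name)
    return dict(groups)


# Constructed sample in the format above. All lines but one are copied from the
# thread's log; the s3chipid line is made up (placeholder hash) to show a driver
# loading from a user's Temp folder, the location the ComboFix script targets.
SAMPLE_LOG = r"""
2011/08/19 15:47:20.0000 2628 Scan started
2011/08/19 15:47:23.0718 2628 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/08/19 15:47:27.0796 2628 BHDrvx86 (925a191c8c06124426c63ceb2ea93085) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\BASHDefs\20110518.001\BHDrvx86.sys
2011/08/19 15:47:32.0437 2628 FixTDSS (77d6ffaa3010b66fb4692532d75a585f) C:\WINDOWS\system32\drivers\FixTDSS.sys
2011/08/19 15:47:40.0171 2628 MREMP50 (9bd4dcb5412921864a7aacdedfbd1923) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
2011/08/19 15:47:45.0000 2628 s3chipid (00000000000000000000000000000000) C:\DOCUME~1\DEBORA~1\LOCALS~1\Temp\s3chipid.sys
2011/08/19 15:48:01.0968 2628 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/08/19 15:48:02.0156 2628 Boot (0x1200) (1f542a05d5cfd60266ba8e0fc2d6bca8) \Device\Harddisk0\DR0\Partition0
2011/08/19 15:48:02.0187 2628 Scan finished
2011/08/19 15:48:02.0250 3304 Detected object count: 0
2011/08/19 15:48:02.0250 3304 Actual detected object count: 0
"""

if __name__ == "__main__":
    recs = parse_tdsskiller(SAMPLE_LOG)
    print("TDSSKiller verdict:", detected_count(SAMPLE_LOG))
    for bucket, names in sorted(triage(recs).items()):
        print(f"{bucket:16} {', '.join(names)}")
    # Boot-sector hashes are what a reviewer compares between runs for an MBR infector.
    for r in recs:
        if r.bucket == "boot":
            print(f"{r.name}: md5={r.md5}")
```

A zero from TDSSKiller says only that its signatures matched nothing; the temp_or_profile and outside_system buckets are the lines to read by hand regardless.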
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I think I may have found the problem in Combofix. This might be the problem stopping Norton:
    This is what is running: Symantec Host IDS
    Click on Start> Run> type in services.msc> enter> look for this Service: Symantec Host IDS Agent> double click to open> Change Startup type to Disabled> Stop the Service.
    Exit Services and run the Combofix script in Normal Mode
    ================================
    Be sure to copy all of the script in the code box- there is a lot of it. Your system is full of undesirable entries.
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    c:\windows\system32\drivers\FixTDSS.sys
    c:\docume~1\DEBORA~1\LOCALS~1\Temp\s3chipid.sys
    c:\docume~1\ADMINI~1\LOCALS~1\Temp\fxpbjvd1.tmp\tidhook .sy
    Folder::
    c:\documents and settings\Administrator\Application Data\FixTDSS
    c:\documents and settings\Administrator\Application Data\Tific
    Registry::
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{614BDA1F-9BEF-4CD1-BDE4-FA4804929B4A}]
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{89A2510A-B4B6-4683-BEC9-1B96700BC7F1}"=-
    "{7b13ec3e-999a-4b70-b9cb-2617b8323822}"=-
    [HKEY_CLASSES_ROOT\clsid\{89a2510a-b4b6-4683-bec9-1b96700bc7f1}]
    [HKEY_CLASSES_ROOT\FCTB000060497.IEToolbar.3]
    [HKEY_CLASSES_ROOT\TypeLib\{061ED138-E065-4356-82AA-578F7F1EEAF1}]
    [HKEY_CLASSES_ROOT\FCTB000060497.IEToolbar]
    [HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "FixTDSS"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\drivers\\svchost.exe"=
    "c:\\Program Files\\MyPoints Toolbar 2.0\\TroubleShooter.exe"=-
    "c:\\Program Files\\MyPoints Toolbar 2.0\\ToolbarUpdate.exe"=-
    DDS::
    BHO: Freecause Toolbar BHO: {614bda1f-9bef-4cd1-bde4-fa4804929b4a} - c:\program files\mypoints toolbar 2.0\Toolbar.dll
    BHO: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\prxtbZyn2.dll
    TB: MyPoints Point Finder: {89a2510a-b4b6-4683-bec9-1b96700bc7f1} - c:\program files\mypoints toolbar 2.0\Toolbar.dll
    TB: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\prxtbZyn2.dll
    mRunOnce: [FixTDSS] cmd /c start /D "c:\documents and settings\administrator\Desktop" /B FixTDSS.exe -postboot
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    Driver::
    FixTDSS
    s3chipid
    TIDHOOK
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
     
  12. debdubey

    debdubey TS Rookie Topic Starter

    There is no 'Symantec Host IDS Agent'.

    I still can only boot my system in SAFE mode. When I try to boot into normal mode it gets to the Windows blue screen and I can see it trying to start, then after about a minute the screen just goes blank, black, and stays there. In safe mode when I type in 'services.msc' in my run box, it opens to Services (Local). When I scroll down looking for Symantec Host IDS Agent, it is not there. The items that have 'Started' next to them are:
    Computer Browser
    CryptSvc
    DCOM Server Process Launcher
    DHCP Client
    DNS Client
    Event Log
    Help and Support
    Logical Disk Manager
    Network Connections
    Plug and play
    Remote Procedure Call(RPC)
    Server
    System Restore Service
    TCP/IP NetBIOS Helper
    Terminal Services
    Windows Management Instrumentation
    Wireless Zero Configuration
    Workstation

    I haven't proceeded beyond trying to do that first task since I can't find that service. Although when I first turned on my desktop I let it try to boot normally and it just freezes, so I know it still only boots in safe mode. The thing is, if I highlight the Norton AntiVirus line under Services, off to the left it says 'Start the service' like it isn't running, but ComboFix says that it is active. I did not run ComboFix again though, since I couldn't disable 'Symantec Host IDS Agent' or try to run in normal mode. I also can't copy and paste the whole Services page for you to see; that was why I gave you what it said was running. Do you still want me to copy that code into Notepad and drag it into ComboFix?
    Deb
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay. Boot into Safe Mode and run the script:

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
     
  14. debdubey

    debdubey TS Rookie Topic Starter

    Here is the log.

    Copied the script and dragged and dropped it onto the ComboFix icon on my desktop. It asked me to update ComboFix and warned me again about antivirus.

    ComboFix 11-08-22.04 - Administrator 08/22/2011 23:36:35.5.1 - x86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1756 [GMT -4:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
    AV: Norton AntiVirus *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
    .
    FILE ::
    "c:\docume~1\ADMINI~1\LOCALS~1\Temp\fxpbjvd1.tmp\tidhook .sy"
    "c:\docume~1\DEBORA~1\LOCALS~1\Temp\s3chipid.sys"
    "c:\windows\system32\drivers\FixTDSS.sys"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Administrator\Application Data\FixTDSS
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\ACPI.sys
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\afd.sys
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\atapi.sys
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\Beep.sys
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\BHDrvx86.sys
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\BIOS.sys
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\Cdaudio.sys
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\cdrom.sys
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\disk.sys
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\dmio.sys
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\dmload.sys
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\eeCtrl.sys
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\Fips.sys
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\FixTDSS.sys
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\fltmgr.sys
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\ftdisk.sys
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\gagp30kx.sys
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\i8042prt.sys
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\imapi.sys
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\InCDPass.sys
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\InCDRm.sys
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\ipsec.sys
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\Ironx86.SYS
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\isapnp.sys
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\kbdclass.sys
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\kbdhid.sys
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\KSecDD.sys
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\MBR.dat
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\mnmdd.sys
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\mouclass.sys
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\MountMgr.sys
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\mrxsmb.sys
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\Msfs.sys
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\Mup.sys
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\NDIS.sys
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\netbios.sys
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\netbt.sys
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\Npfs.sys
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\Null.sys
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\ohci1394.sys
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\PartMgr.sys
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\pci.sys
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\pciide.sys
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\processr.sys
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\PxHelp20.sys
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\rasacd.sys
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\rdbss.sys
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\RDPCDD.sys
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\redbook.sys
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\serial.sys
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\sr.sys
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\SRTSPX.SYS
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\SYMDS.SYS
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\SYMEFA.SYS
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\SYMTDI.SYS
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\tcpip.sys
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\termdd.sys
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\vga.sys
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\viaide.sys
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\videX32.sys
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\VolSnap.sys
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\WudfPf.sys
    c:\documents and settings\Administrator\Application Data\FixTDSS\Archive\xfilt.sys
    c:\documents and settings\Administrator\Application Data\Tific
    c:\documents and settings\Administrator\Application Data\Tific\Environment.tfc
    c:\documents and settings\Administrator\Application Data\Tific\tificocs.symantec.com.tfc
    c:\program files\mypoints toolbar 2.0\Toolbar.dll
    c:\program files\zynga\prxtbZyn2.dll
    c:\windows\system32\drivers\FixTDSS.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_FIXTDSS
    -------\Legacy_S3CHIPID
    -------\Legacy_TIDHOOK
    -------\Service_FixTDSS
    -------\Service_s3chipid
    -------\Service_TIDHOOK
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-07-23 to 2011-08-23 )))))))))))))))))))))))))))))))
    .
    .
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-08-16 12:59 . 2010-10-26 21:43 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2011-08-16 12:59 . 2010-10-26 21:43 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2011-07-06 23:52 . 2010-06-24 14:10 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-07-06 23:52 . 2010-06-24 14:10 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2008-03-08 15:58 . 2008-03-08 15:58 774144 -c--a-w- c:\program files\RngInterstitial.dll
    2007-06-24 14:25 . 2007-06-24 14:25 1803952 -c--a-w- c:\program files\KODAK EASYSHARE Gallery Upload Software, V2.1.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-11-30 2356088]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
    "SMCWUSB-N2 Wireless Utility"="c:\program files\SMC\SMCWUSB-N2\SMCWUSB-N2 Wireless Utility.exe" [2009-08-07 557171]
    "nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
    "TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-05-26 273544]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
    backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
    backup=c:\windows\pss\HotSync Manager.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk.disabled]
    backup=c:\windows\pss\HP Image Zone Fast Start.lnk.disabledCommon Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
    2011-04-20 16:48 58656 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2011-04-27 05:22 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2010-07-09 20:24 13923432 ----a-w- c:\windows\system32\nvcpl.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
    2006-11-04 00:20 866584 ----a-w- c:\program files\Windows Defender\MSASCui.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    "HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe"
    "HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
    "NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    "SoundMan"=SOUNDMAN.EXE
    "HPDJ Taskbar Utility"=c:\windows\system32\spool\drivers\w32x86\3\hpztsb99.exe
    "NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    "LoadMSvcmm"="c:\program files\Movielink\MovielinkManager\Movielink User.exe"
    "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe"
    "Symantec NetDriver Monitor"=c:\progra~1\SYMNET~1\SNDMon.exe /Consumer
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\drivers\\svchost.exe"=
    "c:\\Program Files\\MyPoints Toolbar 2.0\\TroubleShooter.exe"=
    "c:\\Program Files\\MyPoints Toolbar 2.0\\ToolbarUpdate.exe"=
    "c:\\WINDOWS\\system32\\mmc.exe"=
    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "56951:TCP"= 56951:TCP:pando Media Booster
    "56951:UDP"= 56951:UDP:pando Media Booster
    .
    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1206000.01D\symds.sys [5/9/2011 7:03 PM 340088]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1206000.01D\symefa.sys [5/9/2011 7:03 PM 744568]
    R3 arusb(SMC);SMCWUSB-N2 802.11n Wireless USB 2.0 Adapter Service(SMC);c:\windows\system32\drivers\arusb.sys [3/29/2010 7:58 AM 458240]
    S1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\BASHDefs\20110518.001\BHDrvx86.sys [5/18/2011 5:36 PM 802936]
    S1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2/20/2007 4:37 PM 13696]
    S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1206000.01D\ironx86.sys [5/9/2011 7:03 PM 136312]
    S2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [10/26/2010 5:07 PM 3744]
    S2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [10/26/2010 5:07 PM 3904]
    S2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\18.6.0.29\ccsvchst.exe [5/9/2011 7:03 PM 130008]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/10/2011 8:08 PM 105592]
    S3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\IPSDefs\20110603.003\IDSXpx86.sys [6/4/2011 7:57 AM 341944]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/24/2010 10:10 AM 22712]
    S3 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
    S4 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/24/2010 10:10 AM 366640]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-04-11 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
    .
    2011-02-01 c:\windows\Tasks\Disk Cleanup.job
    - c:\windows\system32\cleanmgr.exe [2004-08-04 00:12]
    .
    2011-08-22 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
    .
    2011-08-22 c:\windows\Tasks\Norton AntiVirus.job
    - c:\progra~1\NORTON~3\Engine\1860~1.29\uistub.exe [2011-05-09 00:28]
    .
    2011-06-04 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-220523388-1425521274-725345543-1009.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
    .
    2011-06-04 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-220523388-1425521274-725345543-1010.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
    .
    2011-06-04 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-220523388-1425521274-725345543-1011.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
    .
    2011-06-04 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-220523388-1425521274-725345543-1013.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
    .
    2011-06-03 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-220523388-1425521274-725345543-1007.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
    .
    2011-06-02 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-220523388-1425521274-725345543-1009.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
    .
    2011-05-25 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-220523388-1425521274-725345543-1010.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
    .
    2011-06-04 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-220523388-1425521274-725345543-1011.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
    .
    2011-06-04 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-220523388-1425521274-725345543-1012.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
    .
    2011-06-04 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-220523388-1425521274-725345543-1013.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
    .
    2011-06-04 c:\windows\Tasks\User_Feed_Synchronization-{9607B5EA-95BD-4B0B-840F-917E9456301F}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
    .
    .
    ------- Supplementary Scan -------
    .
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    TCP: DhcpNameServer = 192.168.2.1
    DPF: {75A6AEA3-F26E-4608-AE9B-8DA78C87576E} - hxxps://kingsisle.hs.llnwd.net/e1/static/themes/wizard101A/activex/Wizard101GameLauncher.CAB
    DPF: {DABFA9AD-4E31-43F4-9D60-4CDD20F57F28} - hxxp://www.photomax.com/web/PhotomaxUploader.CAB
    DPF: {EA7F451B-94DD-4009-A8BF-8F977B0B2696} - hxxp://pbells.broadjump.com/wizlet/StandardInstall/static/controls/WebflowActiveXInstaller_4-2-0.cab
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-08-23 00:03
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NAV]
    "ImagePath"="\"c:\program files\Norton AntiVirus\Engine\18.6.0.29\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\18.6.0.29\diMaster.dll\" /prefetch:1"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-220523388-1425521274-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2d,e7,cb,9b,7a,5b,25,4e,b4,1c,6d,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2d,e7,cb,9b,7a,5b,25,4e,b4,1c,6d,\
    "6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2d,e7,cb,9b,7a,5b,25,4e,b4,1c,6d,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(1552)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    .
    Completion time: 2011-08-23 00:08:10 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-08-23 04:08
    ComboFix2.txt 2011-08-19 19:30
    ComboFix3.txt 2011-08-05 21:38
    .
    Pre-Run: 69,483,728,896 bytes free
    Post-Run: 69,344,382,976 bytes free
    .
    - - End Of File - - FE3FAABD167BF7CE095D7EE04ED27B98
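The "Reg Loading Points" section of a ComboFix log, like the one above, is where a helper looks first: the Run keys, the firewall policy (this log shows `"EnableFirewall"= 0`, two globally open ports, and an `svchost.exe` exception whose path is `%windir%\system32\drivers\` rather than the `%windir%\system32\` where Windows XP keeps that binary). The script below is an added example, not code from the thread or from ComboFix, that parses that section and flags those conditions. The registry-key headers, the `"name"=data` line shape and the doubled backslashes in firewall keys follow the log's own formatting; the expected home directories for the named system binaries are a fact about Windows, and the `Updater` Run entry in the sample is a constructed line (not from this machine) added only to exercise the Run-key rule.

```python
import ntpath
import re

# Constructed excerpt modelled on the ComboFix "Reg Loading Points" section
# above. The "Updater" Run line is invented here purely to exercise the
# Run-key rule; it is not from the thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
"Updater"="c:\documents and settings\administrator\local settings\temp\updater.exe" [2011-08-01 40960]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\MyPoints Toolbar 2.0\\ToolbarUpdate.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56951:TCP"= 56951:TCP:pando Media Booster
"56951:UDP"= 56951:UDP:pando Media Booster
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')

# Where these well-known Windows binaries live on XP; a copy anywhere else is
# worth a second look (a fact about Windows, not something taken from the log).
EXPECTED_HOME = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
TRUSTED_ROOTS = (r"c:\windows", r"c:\program files")


def normalise(path):
    """Strip quotes, collapse the doubled backslashes ComboFix prints in
    firewall keys, lowercase, and expand %windir% for comparison."""
    p = path.strip().strip('"').replace("\\\\", "\\").lower()
    return p.replace("%windir%", "c:\\windows")


def parse_sections(text):
    """Map each [registry key] header to the (name, data) pairs listed under it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            sections.setdefault(current, [])
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            sections[current].append((val.group("name"), val.group("data").strip()))
    return sections


def image_path(data):
    """The executable of a Run value: the quoted path if present, else the first word."""
    quoted = re.match(r'"([^"]+)"', data)
    return quoted.group(1) if quoted else data.split()[0]


def triage_log(text):
    """Return (severity, message) findings for the risky settings in the section."""
    findings = []
    for key, values in parse_sections(text).items():
        k = key.lower()
        if k.endswith((r"currentversion\run", r"currentversion\runonce")):
            for name, data in values:
                path = normalise(image_path(data))
                if not path.startswith(TRUSTED_ROOTS):
                    findings.append(("medium", f"autostart '{name}' runs from outside Windows/Program Files: {path}"))
        elif k.endswith(r"firewallpolicy\standardprofile"):
            for name, data in values:
                if name.lower() == "enablefirewall" and data.startswith("0"):
                    findings.append(("high", "Windows Firewall disabled in the standard profile"))
        elif k.endswith(r"authorizedapplications\list"):
            for name, _ in values:
                path = normalise(name)
                base, home = ntpath.basename(path), ntpath.dirname(path)
                expected = EXPECTED_HOME.get(base)
                if expected and home != expected:
                    findings.append(("high", f"firewall exception for {base} in unexpected directory {home} (expected {expected})"))
                elif not path.startswith(TRUSTED_ROOTS):
                    findings.append(("medium", f"firewall exception outside Windows/Program Files: {path}"))
        elif k.endswith(r"globallyopenports\list"):
            for name, data in values:
                findings.append(("medium", f"inbound port open to every peer: {name} ({data})"))
    return findings


if __name__ == "__main__":
    for severity, message in triage_log(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```

A flagged entry is a lead, not a verdict: the script only says that a path or setting deserves a look, which is exactly the question a helper then answers by checking the file itself.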
  15. Bobbye

    Bobbye Helper on the Fringe

    I can't reconcile the scan dates given in the logs:

    1. Combofix shows it was run on ComboFix3.txt 2011-08-05 21:38, before we started
    2. You ran the Fix TDSS program on 8/5
    3. mbam-log-2011-08-05 (19-25-35).txt> before we started
    4. DDS & GMER were run on 8/15
    5. ComboFix2.txt 2011-08-19 19:30<<<<< This is what you finally ran for me
    6. ComboFix-quarantined-files.txt 2011-08-23 04:08<<<< This was from running the script

    So you gave me an old Mbam log and didn't follow the directions in Combofix which said:
    If you had done the above, I would not see the 8/5 date that you ran Combofix. Although I didn't see that log, I also didn't see whether it removed anything or had to replace any files.
    =======================================
    I am surprised this system moves at all! There are over 20 programs starting on boot. You only need the AV, FW, touchpad process if on laptop.
    =======================================
    Be sure to copy all of the script in the code box- there is a lot of it. Your system is full of undesirable entries.
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    DDS::
    BHO: Freecause Toolbar BHO: {614bda1f-9bef-4cd1-bde4-fa4804929b4a} - c:\program files\mypoints toolbar 2.0\Toolbar.dll
    BHO: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\prxtbZyn2.dll
    TB: MyPoints Point Finder: {89a2510a-b4b6-4683-bec9-1b96700bc7f1} - c:\program files\mypoints toolbar 2.0\Toolbar.dll
    TB: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\prxtbZyn2.dll
    uRun: [AdobeUpdater] "c:\program files\common files\adobe\updater5\AdobeUpdater.exe"
    mRunOnce: [FixTDSS] cmd /c start /D "c:\documents and settings\administrator\Desktop" /B FixTDSS.exe -postboot
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    
    DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} - hxxp://www.worldwinner.com/games/v47/scrabblecubes/scrabblecubes.cab
    DPF: {038E2507-7A48-41E2-94AD-7F23D199AF4E} - hxxp://www.worldwinner.com/games/v54/zengems/zengems.cab
    DPF: {04063354-A10E-4427-A1EC-F3CC81587BC6} - hxxp://www.worldwinner.com/games/v41/mines/mines.cab
    DPF: {0B195D55-0AB4-48C7-828F-34BE10BA4266} - hxxp://www.worldwinner.com/games/v53/dealornodeal/dealornodeal.cab
    DPF: {18C3FD15-74F6-4280-9C98-3590C966B7B8} - hxxp://www.worldwinner.com/games/v47/skillgam/skillgam.cab
    DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} - hxxp://www.worldwinner.com/games/v47/shared/FunGamesLoader.cab
    DPF: {1D082E71-DF20-4AAF-863B-596428C49874} - hxxp://www.worldwinner.com/games/v50/tpir/tpir.cab
    DPF: {2C153C75-8476-434B-B3C3-57B63A3D1939} - hxxp://www.worldwinner.com/games/v48/brickout/brickout.cab
    DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} - hxxp://www.worldwinner.com/games/v50/pool/pool.cab
    DPF: {38AB6A6C-CC4C-4F9E-A3DD-3C5681EF18A1} - hxxp://www.freerealms.com/gamedata/FreeRealmsInstaller.cab
    DPF: {3D3DBC64-0D21-4EA4-94EE-86D6D9B31C0C} - hxxp://www.worldwinner.com/games/v45/moneylist/moneylist.cab
    DPF: {41D1977F-4161-4720-800F-EA4903983A38} - hxxp://www.worldwinner.com/games/v43/jigsaw/jigsaw.cab
    DPF: {555F1BBC-6EC2-474F-84AF-633EF097FF54} - hxxp://www.worldwinner.com/games/v53/wwhearts/wwhearts.cab
    DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} - hxxp://www.worldwinner.com/games/v63/bjattack/bja.cab
    DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} - hxxp://www.worldwinner.com/games/v51/bejeweled/bejeweled.cab
    DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} - hxxp://www.worldwinner.com/games/v49/blockwerx/blockwerx.cab
    DPF: {64CD313F-F079-4D93-959F-4D28B5519449} - hxxp://www.worldwinner.com/games/v56/jeopardy/jeopardy.cab
    DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} - hxxp://www.worldwinner.com/games/v41/freecell/freecell.cab
    DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {94299420-321F-4FF9-A247-62A23EBB640B} - hxxp://www.worldwinner.com/games/v46/wordmojo/wordmojo.cab
    DPF: {95A311CD-EC8E-452A-BCEC-B844EB616D03} - hxxp://www.worldwinner.com/games/v51/bejeweledtwist/bejeweledtwist.cab
    DPF: {97438FE9-D361-4279-BA82-98CC0877A717} - hxxp://www.worldwinner.com/games/v57/cubis/cubis.cab
    DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} - hxxp://www.worldwinner.com/games/v46/sol/sol.cab
    DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} - hxxp://www.worldwinner.com/games/v57/wof/wof.cab
    DPF: {A91FB93D-7561-4524-8484-5C27C8FA8D42} - hxxp://www.worldwinner.com/games/v50/luxor/luxor.cab
    DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} - hxxp://www.worldwinner.com/games/v67/swapit/swapit.cab
    DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} - hxxp://www.worldwinner.com/games/v41/hangman/hangman.cab
    DPF: {BA35B9B8-DE9E-47C9-AFA7-3C77E3DDFD39} - hxxp://www.worldwinner.com/games/v46/monopoly/monopoly.cab
    DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} - hxxp://www.worldwinner.com/games/v42/tilecity/tilecity.cab
    DPF: {BB637307-92FA-47EC-B3F7-6969078673CC} - hxxp://www.worldwinner.com/games/v45/royal/royal.cab
    DPF: {C5326A4D-E9AA-40AD-A09A-E74304D86B47} - hxxp://www.worldwinner.com/games/v52/dinerdash/dinerdash.cab
    DPF: {C82BB209-F528-46F9-96D5-69DEF7260916} - hxxp://www.worldwinner.com/games/v45/mysterypi/mysterypi.cab
    DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} - hxxp://www.worldwinner.com/games/v43/paint/paint.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {E12EB891-D000-421B-A8ED-EDE1BDCA14A0} - hxxp://www.worldwinner.com/games/v44/golfsol/golfsol.cab
    DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} - hxxp://www.worldwinner.com/games/v53/wwspades/wwspades.cab
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\drivers\\svchost.exe"=
    "c:\\Program Files\\MyPoints Toolbar 2.0\\TroubleShooter.exe"=-
    "c:\\Program Files\\MyPoints Toolbar 2.0\\ToolbarUpdate.exe"=-
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe
    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    Go on to next reply.
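The `DDS::` part of the CFScript above is written in the DDS line format: `BHO:`/`TB:` entries carry a display name, a CLSID and the DLL path; `DPF:` entries carry a CLSID and the (defanged, `hxxp`) URL the ActiveX CAB was installed from; `uRun:`/`mRunOnce:`/`dRun:` entries carry a bracketed name and a command line. Two things are easy to miss when reading forty such lines by eye: the same DLL is registered more than once (the MyPoints `Toolbar.dll` appears under a BHO CLSID and a different TB CLSID; the Zynga DLL appears under one CLSID as both BHO and TB), so a removal script has to name every entry, and the long DPF list collapses to a handful of hosts. The parser below is an added example, not code from the thread or from DDS/ComboFix; its sample input is a constructed excerpt of the lines above, the `USER_DIRS` heuristic is my own, and `hxxp` is re-fanged only in memory so the URL can be split.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed excerpt in DDS format, modelled on the CFScript above ("hxxp" is
# the defanged scheme these logs use so the URLs are not clickable).
SAMPLE_DDS = r"""
BHO: Freecause Toolbar BHO: {614bda1f-9bef-4cd1-bde4-fa4804929b4a} - c:\program files\mypoints toolbar 2.0\Toolbar.dll
BHO: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\prxtbZyn2.dll
TB: MyPoints Point Finder: {89a2510a-b4b6-4683-bec9-1b96700bc7f1} - c:\program files\mypoints toolbar 2.0\Toolbar.dll
TB: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\prxtbZyn2.dll
uRun: [AdobeUpdater] "c:\program files\common files\adobe\updater5\AdobeUpdater.exe"
mRunOnce: [FixTDSS] cmd /c start /D "c:\documents and settings\administrator\Desktop" /B FixTDSS.exe -postboot
DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} - hxxp://www.worldwinner.com/games/v47/scrabblecubes/scrabblecubes.cab
DPF: {038E2507-7A48-41E2-94AD-7F23D199AF4E} - hxxp://www.worldwinner.com/games/v54/zengems/zengems.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {75A6AEA3-F26E-4608-AE9B-8DA78C87576E} - hxxps://kingsisle.hs.llnwd.net/e1/static/themes/wizard101A/activex/Wizard101GameLauncher.CAB
"""

# "KIND: [Name:] {CLSID} - target" for BHO/TB/DPF lines; the name is absent on DPF lines.
CLSID_ENTRY = re.compile(
    r"^(?P<kind>BHO|TB|DPF):\s*(?:(?P<name>.+?):\s*)?"
    r"\{(?P<clsid>[0-9A-Fa-f-]{36})\}\s*-\s*(?P<target>.+)$")
# "uRun: [Name] command" style autostart lines (u = user, m = machine, d = default hive).
RUN_ENTRY = re.compile(r"^(?P<kind>[udm]Run(?:Once)?):\s*\[(?P<name>[^\]]+)\]\s*(?P<cmd>.+)$")
# Assumed heuristic: autostarts that reference a per-user or temporary location.
USER_DIRS = ("documents and settings", "\\desktop", "\\temp")


def parse_dds(text):
    """Turn DDS/CFScript lines into dicts; lines matching neither shape are skipped."""
    entries = []
    for raw in text.splitlines():
        m = CLSID_ENTRY.match(raw.strip()) or RUN_ENTRY.match(raw.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def dpf_by_host(entries):
    """Group Downloaded Program Files (ActiveX CAB installs) by the host that served them."""
    hosts = defaultdict(list)
    for e in entries:
        if e["kind"] == "DPF":
            url = re.sub(r"^hxxp", "http", e["target"])  # re-fang in memory only
            hosts[urlsplit(url).hostname].append(e["clsid"].upper())
    return dict(hosts)


def shared_dlls(entries):
    """DLLs registered under more than one BHO/TB entry: removing one line leaves
    the other registration behind, so the script must name every CLSID."""
    by_dll = defaultdict(set)
    for e in entries:
        if e["kind"] in ("BHO", "TB"):
            by_dll[e["target"].lower()].add((e["kind"], e["clsid"].lower()))
    return {dll: refs for dll, refs in by_dll.items() if len(refs) > 1}


def runs_from_user_dirs(entries):
    """Names of autostart commands that reference a per-user or temporary directory."""
    return [e["name"] for e in entries
            if e.get("cmd") and any(d in e["cmd"].lower() for d in USER_DIRS)]


if __name__ == "__main__":
    parsed = parse_dds(SAMPLE_DDS)
    for host, clsids in dpf_by_host(parsed).items():
        print(f"{host}: {len(clsids)} ActiveX control(s)")
    for dll, refs in shared_dlls(parsed).items():
        print(f"{dll} is registered {len(refs)} times: {sorted(refs)}")
    print("autostarts from user directories:", runs_from_user_dirs(parsed))
```

The `FixTDSS` RunOnce entry is caught by the user-directory rule because it launches from the Administrator's Desktop; in this thread that is the leftover of a removal tool the user ran, which is why the helper is clearing it, and it illustrates that the rule surfaces candidates for a human to judge rather than verdicts.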
  16. Bobbye

    Bobbye Helper on the Fringe

    Update both of these
    Java: Java Updates
    Note: Uncheck 'Install Yahoo Toolbar' on the download screen before you do the update.

    Adobe Reader: Adobe Reader site
    After the updates, remove the outdated versions of each in Add/Remove Programs. They are vulnerabilities.
    ============================================
    There will be malware in the Java cache:
    To clear the Java Plug-in cache:

    • [1]. Click Start > Control Panel.
      [2]. Double-click the Java icon in the control panel. The Java Control Panel appears.
      [3]. Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
      [4]. Click Delete Files. The Delete Temporary Files dialog box appears.
      [5]. Click OK on Delete Temporary Files window.
      Note: This deletes all the Downloaded Applications and Applets from the cache.
      [6]. Click Apply> OK on Temporary Files Settings window.
    Images courtesy java.com
    ==============================================
    Download HijackThis and save to your desktop.
    • Extract it to a directory on your hard drive called c:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
    =======================================
    SuperAntiSpyware Home Edition Free Version
    • Please download SuperAntiSpyware from HERE
    • Launch SuperAntiSpyware and click on 'Check for updates'.
    • Wait for the updates to be installed
    • On the main screen click on 'Scan your computer'.
    • Check 'Perform Complete Scan', then click 'Next' to start the scan.
    • SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
    • Make sure everything found has a checkmark next to it, then press 'Next'.
    • Click on 'Finish' when you're done.
    It's possible that the program will ask you to reboot in order to delete some files.

    Obtain the SuperAntiSpyware log as follows:
    • Click on 'Preferences'.
    • Click on the 'Statistics/Logs' tab.
    • Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
    It will then open in your default text editor,such as Notepad. Paste the notepad file here on your reply
  17. debdubey

    debdubey TS Rookie Topic Starter

    Response

    1+2. In my first post I explained I had tried removing the virus before contacting the forum, hence the Fix TDSS (this didn't work or produce a log, as previously explained), combofix (no fix was performed), malwarebytes already on my computer. When that didn't work I came to this forum after looking at multiple help sites.

    3. After joining this site (on 8/5) I read the Preliminary removal instructions and proceeded to follow those steps. The mbam-log-2011-08-05(19-25-35).txt was the first one I ran for this post (not an old one), and yes it was before my first post because I was following the steps.

    4. DDS and GMER were run on 8/15 because of time constraints on my part. Nothing else was done to the PC in between running Mbam and the other two, it just took me time to get all three done to post in my first thread.

    5. ComboFix2.txt 2011-08-19 19:30 I ran at your request and I DID follow directions. I ran the ComboFix /Uninstall and thought it had worked. The icon was removed from my desktop and when I checked the folder it was gone. I've had to do all this in SAFE mode and my PC has trouble rebooting each time, so I don't know if that matters, but I did think the older version was gone before I clicked on your link to download it new. Again, had to run combofix in safe mode with AV warning popping up(previously explained).

    6. ComboFix-Quarantined-Files.txt on 2011-08-23 04:08 as stated from your first script.

    Here is the log from the second script you provided:

    ComboFix 11-08-23.06 - Administrator 08/23/2011 22:24:29.6.1 - x86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1763 [GMT -4:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
    AV: Norton AntiVirus *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\progra~1\common~1\micros~1\dw\dwtrig20.exe
    c:\program files\common files\adobe\updater5\AdobeUpdater.exe
    c:\windows\system32\comct332.ocx
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-07-24 to 2011-08-24 )))))))))))))))))))))))))))))))
    .
    .
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-08-16 12:59 . 2010-10-26 21:43 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2011-08-16 12:59 . 2010-10-26 21:43 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2011-07-06 23:52 . 2010-06-24 14:10 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-07-06 23:52 . 2010-06-24 14:10 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2008-03-08 15:58 . 2008-03-08 15:58 774144 -c--a-w- c:\program files\RngInterstitial.dll
    2007-06-24 14:25 . 2007-06-24 14:25 1803952 -c--a-w- c:\program files\KODAK EASYSHARE Gallery Upload Software, V2.1.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
    "SMCWUSB-N2 Wireless Utility"="c:\program files\SMC\SMCWUSB-N2\SMCWUSB-N2 Wireless Utility.exe" [2009-08-07 557171]
    "nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
    "TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-05-26 273544]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
    backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
    backup=c:\windows\pss\HotSync Manager.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk.disabled]
    backup=c:\windows\pss\HP Image Zone Fast Start.lnk.disabledCommon Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
    2011-04-20 16:48 58656 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2011-04-27 05:22 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2010-07-09 20:24 13923432 ----a-w- c:\windows\system32\nvcpl.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
    2006-11-04 00:20 866584 ----a-w- c:\program files\Windows Defender\MSASCui.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    "HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe"
    "HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
    "NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    "SoundMan"=SOUNDMAN.EXE
    "HPDJ Taskbar Utility"=c:\windows\system32\spool\drivers\w32x86\3\hpztsb99.exe
    "NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    "LoadMSvcmm"="c:\program files\Movielink\MovielinkManager\Movielink User.exe"
    "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe"
    "Symantec NetDriver Monitor"=c:\progra~1\SYMNET~1\SNDMon.exe /Consumer
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\drivers\\svchost.exe"=
    "c:\\Program Files\\MyPoints Toolbar 2.0\\TroubleShooter.exe"=
    "c:\\Program Files\\MyPoints Toolbar 2.0\\ToolbarUpdate.exe"=
    "c:\\WINDOWS\\system32\\mmc.exe"=
    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "56951:TCP"= 56951:TCP:pando Media Booster
    "56951:UDP"= 56951:UDP:pando Media Booster
    .
    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1206000.01D\symds.sys [5/9/2011 7:03 PM 340088]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1206000.01D\symefa.sys [5/9/2011 7:03 PM 744568]
    R3 arusb(SMC);SMCWUSB-N2 802.11n Wireless USB 2.0 Adapter Service(SMC);c:\windows\system32\drivers\arusb.sys [3/29/2010 7:58 AM 458240]
    S1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\BASHDefs\20110518.001\BHDrvx86.sys [5/18/2011 5:36 PM 802936]
    S1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2/20/2007 4:37 PM 13696]
    S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1206000.01D\ironx86.sys [5/9/2011 7:03 PM 136312]
    S2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [10/26/2010 5:07 PM 3744]
    S2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [10/26/2010 5:07 PM 3904]
    S2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\18.6.0.29\ccsvchst.exe [5/9/2011 7:03 PM 130008]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/10/2011 8:08 PM 105592]
    S3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\IPSDefs\20110603.003\IDSXpx86.sys [6/4/2011 7:57 AM 341944]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/24/2010 10:10 AM 22712]
    S3 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
    S4 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/24/2010 10:10 AM 366640]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-04-11 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
    .
    2011-02-01 c:\windows\Tasks\Disk Cleanup.job
    - c:\windows\system32\cleanmgr.exe [2004-08-04 00:12]
    .
    2011-08-22 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
    .
    2011-08-22 c:\windows\Tasks\Norton AntiVirus.job
    - c:\progra~1\NORTON~3\Engine\1860~1.29\uistub.exe [2011-05-09 00:28]
    .
    2011-06-04 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-220523388-1425521274-725345543-1009.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
    .
    2011-06-04 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-220523388-1425521274-725345543-1010.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
    .
    2011-06-04 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-220523388-1425521274-725345543-1011.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
    .
    2011-06-04 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-220523388-1425521274-725345543-1013.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
    .
    2011-06-03 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-220523388-1425521274-725345543-1007.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
    .
    2011-06-02 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-220523388-1425521274-725345543-1009.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
    .
    2011-05-25 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-220523388-1425521274-725345543-1010.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
    .
    2011-06-04 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-220523388-1425521274-725345543-1011.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
    .
    2011-06-04 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-220523388-1425521274-725345543-1012.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
    .
    2011-06-04 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-220523388-1425521274-725345543-1013.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
    .
    2011-06-04 c:\windows\Tasks\User_Feed_Synchronization-{9607B5EA-95BD-4B0B-840F-917E9456301F}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
    .
    .
    ------- Supplementary Scan -------
    .
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    TCP: DhcpNameServer = 192.168.2.1
    DPF: {75A6AEA3-F26E-4608-AE9B-8DA78C87576E} - hxxps://kingsisle.hs.llnwd.net/e1/static/themes/wizard101A/activex/Wizard101GameLauncher.CAB
    DPF: {DABFA9AD-4E31-43F4-9D60-4CDD20F57F28} - hxxp://www.photomax.com/web/PhotomaxUploader.CAB
    DPF: {EA7F451B-94DD-4009-A8BF-8F977B0B2696} - hxxp://pbells.broadjump.com/wizlet/StandardInstall/static/controls/WebflowActiveXInstaller_4-2-0.cab
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKU-Default-Run-DWQueuedReporting - c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-08-23 22:32
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NAV]
    "ImagePath"="\"c:\program files\Norton AntiVirus\Engine\18.6.0.29\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\18.6.0.29\diMaster.dll\" /prefetch:1"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-220523388-1425521274-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2d,e7,cb,9b,7a,5b,25,4e,b4,1c,6d,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2d,e7,cb,9b,7a,5b,25,4e,b4,1c,6d,\
    "6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2d,e7,cb,9b,7a,5b,25,4e,b4,1c,6d,\
    .
    Completion time: 2011-08-23 22:35:26
    ComboFix-quarantined-files.txt 2011-08-24 02:35
    ComboFix2.txt 2011-08-23 04:08
    ComboFix3.txt 2011-08-19 19:30
    ComboFix4.txt 2011-08-05 21:38
    .
    Pre-Run: 69,280,120,832 bytes free
    Post-Run: 69,297,549,312 bytes free
    .
    - - End Of File - - 1F717EBE95A13409F89773A3E8B92CB6


Next I updated Java; the Yahoo toolbar was not offered, so to my knowledge it is not installed.
Updated Adobe Reader and removed the older version.
Cleared the Java Plug-in cache.

    Downloaded HijackThis and ran + saved log:

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 11:12:14 PM, on 8/23/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Safe mode with network support

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\18.6.0.29\IPS\IPSBHO.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [SMCWUSB-N2 Wireless Utility] "C:\Program Files\SMC\SMCWUSB-N2\SMCWUSB-N2 Wireless Utility.exe" -nogui
    O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\program files\real\realplayer\update\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {000F1EA4-5E08-4564-A29B-29076F63A37A} (SOE Web Installer) - http://launch.soe.com/plugin/web/SOEWebInstaller.cab
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://echat.bellsouth.net/sdccommon/download/tgctlcm.cab
    O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {38AB0814-B09B-4378-9940-14A19638C3C2} (Auctiva Image Uploader Control) - http://www.auctiva.com/Aurigma/ImageUploader55.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
    O16 - DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} (ContactExtractor Class) - http://www.facebook.com/controls/contactx.dll
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1172154408062
    O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.disneyphotopass.com/software/ImageUploader4.cab
    O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
    O16 - DPF: {75A6AEA3-F26E-4608-AE9B-8DA78C87576E} (Wizard101GameLauncher) - https://kingsisle.hs.llnwd.net/e1/static/themes/wizard101A/activex/Wizard101GameLauncher.CAB
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    O16 - DPF: {C68F9105-04FD-4B48-B6CC-2A076F711C35} (HpodPCFileCtrl2 Class) - file:///D:/MEMDISC/ALBUM_A/VIEW/PLUGIN/HPODPCFC.CAB
    O16 - DPF: {DABFA9AD-4E31-43F4-9D60-4CDD20F57F28} (PhotomaxUploader.ActiveXControl) - http://www.photomax.com/web/PhotomaxUploader.CAB
    O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.auctiva.com/hostedimages/activex/xupload/XUpload.ocx
    O16 - DPF: {EA7F451B-94DD-4009-A8BF-8F977B0B2696} - http://pbells.broadjump.com/wizlet/StandardInstall/static/controls/WebflowActiveXInstaller_4-2-0.cab
    O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} (Image Uploader Control) - http://www.disneyphotopass.com/software/ImageUploader4.cab
    O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - (no file)
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
    O23 - Service: Norton AntiVirus (NAV) - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\18.6.0.29\ccSvcHst.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

    --
    End of file - 9277 bytes
    See next post for superantispyware log
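Two details in the ComboFix output above are the kind a responder checks by hand before anything else: the standard-profile firewall value reads `"EnableFirewall"= 0`, i.e. the Windows Firewall is off, and the firewall exception list contains `%windir%\system32\drivers\svchost.exe`. Windows installs svchost.exe in `%windir%\system32` itself, not in the `drivers` subfolder, so an entry at that path is worth a look regardless of what the scanners report. The script below is an added editorial example, not part of the thread and not code from ComboFix, HijackThis or any other tool named here; it runs those two checks over log text in the same shape as the posted sections. The sample text is constructed from lines of that shape, and the expected-directory table assumes a default `C:\WINDOWS` install.

```python
"""Triage helper for ComboFix / HijackThis style logs (added example).

Two checks a responder would run over pasted logs:
  1. the Windows Firewall 'EnableFirewall' value per profile, and
  2. core Windows binary names (svchost.exe etc.) that appear in any
     directory other than the one Windows installs them in.
"""
import re

# Expected on-disk directory for a few core Windows XP binaries.
# Assumption: default %windir% of C:\WINDOWS; adjust for other installs.
EXPECTED_DIRS = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# A drive-letter or %windir% path ending in .exe/.dll/.sys, stopping at
# quotes or brackets so ComboFix's "path"= and HijackThis "[name] path"
# layouts both parse.
PATH_RE = re.compile(r'(?i)(?:%windir%|\b[a-z]:)\\[^"\[\]\r\n]*?\.(?:exe|dll|sys)\b')

# ComboFix prints the profile key header, then "EnableFirewall"= N (0xN).
FW_RE = re.compile(
    r'(?i)firewallpolicy\\(standardprofile|domainprofile)\]\s+"EnableFirewall"\s*=\s*(\d+)'
)

# Constructed sample in the shape of the posted ComboFix and HijackThis lines.
SAMPLE_LOG = r'''
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O23 - Service: Norton AntiVirus (NAV) - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\18.6.0.29\ccSvcHst.exe
'''


def normalize_path(p):
    """Collapse ComboFix's doubled backslashes, lowercase, expand %windir%."""
    p = p.replace("\\\\", "\\").lower()
    return p.replace("%windir%", r"c:\windows")  # assumption: default install dir


def check_firewall(text):
    """Map each firewall profile seen in the log to True (on) / False (off)."""
    return {m.group(1).lower(): m.group(2) != "0" for m in FW_RE.finditer(text)}


def check_system_binaries(text):
    """Return (name, path, expected_dir) for core binaries found off their home directory."""
    findings = []
    for m in PATH_RE.finditer(text):
        path = normalize_path(m.group(0))
        directory, _, name = path.rpartition("\\")
        expected = EXPECTED_DIRS.get(name)
        if expected and directory != expected:
            findings.append((name, path, expected))
    return findings


def triage(text):
    """Human-readable findings, firewall state first, then misplaced binaries."""
    report = []
    for profile, enabled in check_firewall(text).items():
        if not enabled:
            report.append(f"firewall disabled: {profile}")
    for name, path, expected in check_system_binaries(text):
        report.append(f"{name} outside {expected}: {path}")
    return report


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

On the constructed sample this reports the disabled standard profile and the svchost.exe entry under `drivers`; the legitimate `C:\WINDOWS\system32\svchost.exe` from the process list is not reported. A flagged path is a lead to verify (file on disk, signature, hash), not a verdict.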
     
  18. debdubey


    Superantispyware log

Downloaded SuperAntiSpyware, updated it and ran a complete scan. I checked everything found and let the program fix it, and the computer rebooted with some trouble (it took a few tries to fully reboot, and still only in safe mode).

    Here is that log:



    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 08/24/2011 at 01:57 AM

    Application Version : 5.0.1118

    Core Rules Database Version : 7595
    Trace Rules Database Version: 5407

    Scan type : Complete Scan
    Total Scan Time : 00:50:59

    Operating System Information
    Windows XP Professional 32-bit, Service Pack 3 (Build 5.01.2600)
    Administrator

    Memory items scanned : 271
    Memory threats detected : 0
    Registry items scanned : 39934
    Registry threats detected : 0
    File items scanned : 46807
    File threats detected : 302

    Adware.Tracking Cookie
    C:\Documents and Settings\Administrator\Cookies\administrator@account.norton[1].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@account.norton[2].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@account.norton[3].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@ad.wsod[1].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[2].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@adbrite[2].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@ads.bleepingcomputer[2].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@ads.pointroll[1].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@ads.webkinz[1].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@advertising[2].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@anrtx.tacoda[1].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@apmebf[2].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@ar.atwola[1].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@at.atwola[2].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@avgtechnologies.112.2o7[1].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@c.gigcount[1].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@collective-media[2].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@content.yieldmanager[2].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@content.yieldmanager[3].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@insightexpressai[2].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@interclick[2].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@invitemedia[2].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@kontera[1].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@legolas-media[2].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@liveperson[1].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@liveperson[3].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@lucidmedia[2].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@media6degrees[1].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@mediabrandsww[2].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[2].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@msnbc.112.2o7[1].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@mynortonaccount[1].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@pointroll[2].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[1].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@r1-ads.ace.advertising[2].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@revsci[1].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@ru4[1].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@segment-pixel.invitemedia[1].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@server.iad.liveperson[1].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@serving-sys[1].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@statcounter[1].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@statse.webtrendslive[2].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@tacoda.at.atwola[1].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@tacoda[2].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[1].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@www.burstnet[1].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@www.googleadservices[1].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@www.googleadservices[3].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@www.mynortonaccount[2].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@yieldmanager[1].txt
    .media6degrees.com [ C:\DOCUMENTS AND SETTINGS\ASHLEY\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .media6degrees.com [ C:\DOCUMENTS AND SETTINGS\ASHLEY\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .collective-media.net [ C:\DOCUMENTS AND SETTINGS\ASHLEY\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .collective-media.net [ C:\DOCUMENTS AND SETTINGS\ASHLEY\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .collective-media.net [ C:\DOCUMENTS AND SETTINGS\ASHLEY\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .collective-media.net [ C:\DOCUMENTS AND SETTINGS\ASHLEY\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .atdmt.com [ C:\DOCUMENTS AND SETTINGS\ASHLEY\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .atdmt.com [ C:\DOCUMENTS AND SETTINGS\ASHLEY\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .advertising.com [ C:\DOCUMENTS AND SETTINGS\ASHLEY\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .advertising.com [ C:\DOCUMENTS AND SETTINGS\ASHLEY\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .doubleclick.net [ C:\DOCUMENTS AND SETTINGS\ASHLEY\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .ads.pointroll.com [ C:\DOCUMENTS AND SETTINGS\ASHLEY\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .pointroll.com [ C:\DOCUMENTS AND SETTINGS\ASHLEY\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .collective-media.net [ C:\DOCUMENTS AND SETTINGS\ASHLEY\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .collective-media.net [ C:\DOCUMENTS AND SETTINGS\ASHLEY\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .collective-media.net [ C:\DOCUMENTS AND SETTINGS\ASHLEY\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .collective-media.net [ C:\DOCUMENTS AND SETTINGS\ASHLEY\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .imrworldwide.com [ C:\DOCUMENTS AND SETTINGS\ASHLEY\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .imrworldwide.com [ C:\DOCUMENTS AND SETTINGS\ASHLEY\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    ad.yieldmanager.com [ C:\DOCUMENTS AND SETTINGS\ASHLEY\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    ad.yieldmanager.com [ C:\DOCUMENTS AND SETTINGS\ASHLEY\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .specificclick.net [ C:\DOCUMENTS AND SETTINGS\ASHLEY\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .specificclick.net [ C:\DOCUMENTS AND SETTINGS\ASHLEY\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .specificclick.net [ C:\DOCUMENTS AND SETTINGS\ASHLEY\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .specificclick.net [ C:\DOCUMENTS AND SETTINGS\ASHLEY\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .specificmedia.com [ C:\DOCUMENTS AND SETTINGS\ASHLEY\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .ads.pointroll.com [ C:\DOCUMENTS AND SETTINGS\ASHLEY\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .pointroll.com [ C:\DOCUMENTS AND SETTINGS\ASHLEY\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .ads.pointroll.com [ C:\DOCUMENTS AND SETTINGS\ASHLEY\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .ads.pointroll.com [ C:\DOCUMENTS AND SETTINGS\ASHLEY\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .ads.pointroll.com [ C:\DOCUMENTS AND SETTINGS\ASHLEY\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .ads.pointroll.com [ C:\DOCUMENTS AND SETTINGS\ASHLEY\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .ads.pointroll.com [ C:\DOCUMENTS AND SETTINGS\ASHLEY\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .ads.pointroll.com [ C:\DOCUMENTS AND SETTINGS\ASHLEY\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .advertising.com [ C:\DOCUMENTS AND SETTINGS\ASHLEY\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .advertising.com [ C:\DOCUMENTS AND SETTINGS\ASHLEY\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .advertising.com [ C:\DOCUMENTS AND SETTINGS\ASHLEY\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .tribalfusion.com [ C:\DOCUMENTS AND SETTINGS\ASHLEY\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .collective-media.net [ C:\DOCUMENTS AND SETTINGS\ASHLEY\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .questionmarket.com [ C:\DOCUMENTS AND SETTINGS\ASHLEY\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .questionmarket.com [ C:\DOCUMENTS AND SETTINGS\ASHLEY\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    C:\DOCUMENTS AND SETTINGS\DEBORAH DUBEY\COOKIES\DEBORAH_DUBEY@MEDIA6DEGREES[2].TXT
    C:\DOCUMENTS AND SETTINGS\DEBORAH DUBEY\COOKIES\DEBORAH_DUBEY@TRIBALFUSION[1].TXT
    ad.yieldmanager.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .atdmt.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .invitemedia.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .imrworldwide.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .imrworldwide.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .atdmt.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .sonyonlineentertainment.112.2o7.net [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .liveperson.net [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    server.iad.liveperson.net [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .kitnmedia.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .microsoftwlsearchcrm.112.2o7.net [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .doubleclick.net [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .adbrite.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .invitemedia.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .content.yieldmanager.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .invitemedia.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .advertising.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    media303.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .trafficmp.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .azjmp.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .azjmp.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .azjmp.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .adxpose.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .collective-media.net [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .collective-media.net [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .collective-media.net [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .ads.pointroll.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .pointroll.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .collective-media.net [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .mediaplex.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .lfstmedia.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .lfstmedia.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .interclick.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .interclick.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .advertising.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .invitemedia.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .247realmedia.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .oasn04.247realmedia.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .2o7.net [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .2o7.net [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .www.burstnet.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .burstnet.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .c.gigcount.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .apmebf.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .adecn.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .adbrite.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .interclick.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .adserver.adtechus.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .revsci.net [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .mediabrandsww.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .ru4.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .ru4.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .insightexpressai.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .insightexpressai.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .apmebf.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .fastclick.net [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .fastclick.net [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .fastclick.net [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    ad.doubleclick.net [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .doubleclick.net [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .yieldmanager.net [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .zedo.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .zedo.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .realmedia.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .network.realmedia.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .realmedia.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .realmedia.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .zedo.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .ru4.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .ru4.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .ru4.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .ru4.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    cdn1.trafficmp.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    cdn1.trafficmp.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .insightexpressai.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .insightexpressai.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .insightexpressai.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .insightexpressai.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .insightexpressai.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    www.googleadservices.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .casalemedia.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .burstnet.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    www.addfreestats.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .casalemedia.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .casalemedia.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .casalemedia.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .casalemedia.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .casalemedia.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .casalemedia.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    cms.trafficmp.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .ads.addynamix.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .media.adfrontiers.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .pro-market.net [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .ads.addynamix.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    dc.tremormedia.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .mediaplex.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    ads.bridgetrack.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    ads.bridgetrack.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    ads.bridgetrack.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    ads.bridgetrack.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .googleads.g.doubleclick.net [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    www.tltrack.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .fastclick.net [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .fastclick.net [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .ru4.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    ad.yieldmanager.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    www.pixeltrack66.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .ru4.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .ads.addynamix.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    trafficking.nabbr.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .adserver.adtechus.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .zedo.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .zedo.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .zedo.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .media.adfrontiers.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .trafficmp.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .trafficmp.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .trafficmp.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .trafficmp.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .trafficmp.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .trafficmp.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .adbrite.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    www.trafficrevenue.net [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    www.sellmeyourtraffic.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .trafficrevenue.net [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .adbrite.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .revsci.net [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .revsci.net [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .ads.pointroll.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .pointroll.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .ads.pointroll.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .ads.pointroll.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .ads.pointroll.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .ads.pointroll.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .ads.pointroll.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .ads.pointroll.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .adknowledge.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .adknowledge.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .adknowledge.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    optimize.indieclick.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .a1.interclick.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .a1.interclick.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .a1.interclick.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .a1.interclick.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .a1.interclick.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .bs.serving-sys.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .serving-sys.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .serving-sys.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .serving-sys.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .serving-sys.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .serving-sys.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .serving-sys.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .serving-sys.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .collective-media.net [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .collective-media.net [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .collective-media.net [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .lucidmedia.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .collective-media.net [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .collective-media.net [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .a1.interclick.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .a1.interclick.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .a1.interclick.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .a1.interclick.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .realmedia.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .insightexpressai.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .insightexpressai.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .insightexpressai.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .insightexpressai.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .collective-media.net [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .realmedia.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .zedo.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .advertising.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .advertising.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .advertising.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .advertising.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    ad.yieldmanager.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .adbrite.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .adbrite.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .adbrite.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .adbrite.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .specificclick.net [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .specificclick.net [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .specificclick.net [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .specificclick.net [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .specificmedia.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .content.yieldmanager.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    ad.yieldmanager.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .tribalfusion.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .lfstmedia.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .invitemedia.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    ad.yieldmanager.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    ad.yieldmanager.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    ad.yieldmanager.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .questionmarket.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .questionmarket.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    pixel.invitemedia.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .invitemedia.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .invitemedia.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .invitemedia.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .invitemedia.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    ad.yieldmanager.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    ad.yieldmanager.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .media6degrees.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .media6degrees.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .media6degrees.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
    .media6degrees.com [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]

    PUP.Whitesmoke
    C:\Program Files\WHITESMOKE
     
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, let's start with this: Each of the account names below needs to have Cookies reset:

    administrator
    ASHLEY
    DEBORAH DUBEY
    KATIE

    This should prevent the Tracking Cookies, ads and some of the 'junk' that gets picked up on sites.

    Reset Cookies

    For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

    For Firefox: Tools> Options> Privacy> Cookies> CHECK ‘accept Cookies from Sites’> UNCHECK 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')

    I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
    AdBlock Plus
    Easy List

    For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
    (First-party and third-party cookies can be set by the website you're visiting and websites that have items embedded in the website you're visiting. But when you next visit the website, only first-party cookie information is sent to the website. Third-party cookie information isn't sent back to the websites that originally set the third-party cookies.)
    =====================================
    Please check and see how much RAM is on the system: Click on Start> Control Panel> System> the Properties page will have the RAM figure.

    There is a good possibility that your system doesn't have enough RAM to load all the startups you have and run in Normal Mode. Additionally, you have several excess Scheduled Tasks. These will load on boot and each will be contacting the internet all day, every day, looking for updates:

    To stop the Tasks:
    • Click on All Programs> Accessories> System Tools> Scheduled Tasks
    • Right click on each Task
    • Click End Task.
    • You might experience a delay (up to three minutes) before the task shuts down.
    • Exit when finished
    Note: Some of these Tasks were set several years ago
    Stop these Scheduled Tasks:
    [o]AppleSoftwareUpdate
    [o]RealUpgradeLogonTask>>> There are 13 of these> all dated 2011-03-29
    [o]Disk Cleanup <<<< Do you still use this and want the task?
    [o]MP Scheduled Scan <<<< Do you still use this and want the tasks? (Windows Defender)
    [o]Norton AntiVirus uistub.exe<<< This is for Norton Protection Center. If it's on the Startup menu, you don't need to set it here. The AV will update regularly and you can scan intermittently.
    [o]User_Feed_Synchronization<<< Set up on 2006-10-17.<<<< Do you still use this and want the tasks?

    If it turns up that you are short of RAM, you are going to have to stop as much as you can, safely, so that resources can be used to run the system, not check for updates.
    ======================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys
    c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys
    C:\Documents and Settings\Administrator\Desktop\lp8ejilt.exe
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\drivers\\svchost.exe"=
    "c:\\Program Files\\MyPoints Toolbar 2.0\\TroubleShooter.exe"=-
    "c:\\Program Files\\MyPoints Toolbar 2.0\\ToolbarUpdate.exe"=-
    Driver::
    BCMNTIO
    MAPMEM
    FCopy::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
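    As an added example (not code from this thread, from Bobbye or from any of the tools named here), a small Python parser that turns the tracking-cookie listing above into a per-account tally, which is how a helper arrives at the list of accounts whose Cookies need resetting. The sample lines are constructed for the example in the two formats the scan log uses (Chrome's `domain [ cookie-db-path ]` entries and Internet Explorer's `USER@DOMAIN[n].TXT` cookie files); the function names are assumptions of my own.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the scan output format above.
# Non-cookie lines (a PUP heading and its folder) are included on purpose
# so the parser demonstrates skipping them.
SAMPLE_LOG = r"""
.ads.pointroll.com [ C:\DOCUMENTS AND SETTINGS\ASHLEY\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.advertising.com [ C:\DOCUMENTS AND SETTINGS\ASHLEY\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
C:\DOCUMENTS AND SETTINGS\DEBORAH DUBEY\COOKIES\DEBORAH_DUBEY@MEDIA6DEGREES[2].TXT
C:\DOCUMENTS AND SETTINGS\DEBORAH DUBEY\COOKIES\DEBORAH_DUBEY@TRIBALFUSION[1].TXT
.doubleclick.net [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.doubleclick.net [ C:\DOCUMENTS AND SETTINGS\KATIE\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
PUP.Whitesmoke
C:\Program Files\WHITESMOKE
"""

# Chrome entry: "<domain> [ <path to the profile's Cookies database> ]"
CHROME_RE = re.compile(r"^(?P<domain>\S+)\s+\[\s*(?P<path>[A-Za-z]:\\.*?)\s*\]$")
# Internet Explorer entry: "<drive>:\...\COOKIES\<user>@<domain>[<n>].TXT"
IE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?\\COOKIES\\(?P<user>[^@\\]+)@(?P<domain>[^\[\]]+)\[\d+\]\.TXT)$",
    re.IGNORECASE,
)
# The Windows XP profile folder names the account that owns the cookie.
PROFILE_RE = re.compile(r"\\DOCUMENTS AND SETTINGS\\(?P<account>[^\\]+)\\", re.IGNORECASE)


def parse_cookie_line(line):
    """Return (account, browser, domain) for one cookie entry, or None for
    lines that are not cookie entries (headings, PUP paths, blanks)."""
    line = line.strip()
    m = CHROME_RE.match(line)
    if m:
        browser, domain, path = "chrome", m.group("domain"), m.group("path")
    else:
        m = IE_RE.match(line)
        if not m:
            return None
        browser, domain, path = "ie", m.group("domain"), m.group("path")
    owner = PROFILE_RE.search(path)
    if not owner:
        return None
    # Normalise: upper-case account (as the scan prints it), domain without
    # the leading dot Chrome uses for host-wide cookies, lower-cased.
    return owner.group("account").upper(), browser, domain.lstrip(".").lower()


def summarize(log_text):
    """Group cookie entries by account: {account: {domain: count}}.
    Repeated identical lines (the same domain setting several cookies)
    are counted rather than collapsed."""
    summary = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        parsed = parse_cookie_line(line)
        if parsed is None:
            continue
        account, _browser, domain = parsed
        summary[account][domain] += 1
    return {account: dict(domains) for account, domains in summary.items()}


def accounts_needing_reset(log_text):
    """Sorted names of every account holding at least one tracking cookie;
    these are the profiles whose browser cookie settings should be reset."""
    return sorted(summarize(log_text))


if __name__ == "__main__":
    for account, domains in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{account}: {sum(domains.values())} cookies from {len(domains)} domains")
    print("Reset cookies for:", ", ".join(accounts_needing_reset(SAMPLE_LOG)))
```

    Run against a full scan log (for example piping the cookie section into `summarize`), the per-account domain counts also show which profile is doing the browsing that collects the trackers, which is useful when deciding whose browser settings to tighten first.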
     
  20. debdubey

    debdubey TS Rookie Topic Starter

    Cookies reset

    I reset the cookies on each account. BTW I use Internet Explorer, so you don't need to list instructions for Firefox; hope that will save you time and effort. Sorry if I had not given you that info previously.

    I checked my RAM and I have 2GB.

    Looks like the tasks got scheduled under multiple accounts. I can still only boot in safe mode, so when I go to scheduled tasks and right click each one, the menu pops up, but 'end task' was non-clickable. When I clicked on properties it said 'Task Scheduler Service is not running'. When I clicked OK on that notice another window popped up with the task schedule and settings. Under 'Schedule task' the choice selected on every one was either start 'at logon' or 'daily'. There was not a choice for 'never', but you could choose run task 'once'. Under settings there is a box for 'Delete task if it is not scheduled to run again', which sets the next run time to 'never' but doesn't remove the task until it is completed.
    Right now I don't need any of those tasks scheduled. I'd like as little as possible to start up when the computer is booted up. But I don't think I'll be able to completely get rid of those scheduled tasks until I can boot into normal mode where the programs have full function, and I can click on 'end Task'. Then I can just schedule my virus scan or do it manually as you suggested.

    I ran the CFScript and it asked me to update and then restarted, but it took me 3 tries to get the computer booted back into safe mode. When CF started back up automatically it warned me that Norton Antivirus was running and I still have no way to stop it, so bypassed again and ran CF

    Here is the log from CF:

    ComboFix 11-08-27.01 - Administrator 08/27/2011 0:31.7.1 - x86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1734 [GMT -4:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
    AV: Norton AntiVirus *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
    .
    FILE ::
    "c:\documents and settings\Administrator\Desktop\lp8ejilt.exe"
    "c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys"
    "c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys
    c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_BCMNTIO
    -------\Legacy_MAPMEM
    -------\Service_BCMNTIO
    -------\Service_MAPMEM
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-07-27 to 2011-08-27 )))))))))))))))))))))))))))))))
    .
    .
    2011-08-24 06:31 . 2011-08-16 12:48 7152464 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{2D141A6B-724F-43D2-AA17-CC26E2B30103}\mpengine.dll
    2011-08-24 04:48 . 2011-08-24 04:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
    2011-08-24 04:48 . 2011-08-24 04:48 -------- d-----w- c:\documents and settings\All Users\Application Data\!SASCORE
    2011-08-24 04:48 . 2011-08-25 14:47 -------- d-----w- c:\program files\SUPERAntiSpyware
    2011-08-24 04:48 . 2011-08-24 04:48 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2011-08-24 03:05 . 2010-05-14 20:08 388608 ----a-w- C:\HijackThis.exe
    2011-08-24 02:45 . 2011-08-24 02:45 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2011-08-24 02:40 . 2011-07-19 09:05 472808 ----a-w- c:\windows\system32\deployJava1.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-08-24 03:10 . 2011-08-24 03:04 305771 ----a-w- C:\HijackThis.zip
    2011-08-16 12:59 . 2010-10-26 21:43 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2011-08-16 12:59 . 2010-10-26 21:43 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2011-08-16 12:48 . 2010-10-31 11:59 7152464 ------w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Updates\mpengine.dll
    2011-07-19 06:40 . 2008-10-08 12:28 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-07-06 23:52 . 2010-06-24 14:10 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-07-06 23:52 . 2010-06-24 14:10 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2008-03-08 15:58 . 2008-03-08 15:58 774144 -c--a-w- c:\program files\RngInterstitial.dll
    2007-06-24 14:25 . 2007-06-24 14:25 1803952 -c--a-w- c:\program files\KODAK EASYSHARE Gallery Upload Software, V2.1.exe
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-08-19_19.28.57 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2007-02-20 18:27 . 2011-08-24 06:52 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    - 2007-02-20 18:27 . 2008-09-05 02:01 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2007-02-20 18:27 . 2011-08-24 06:52 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2007-02-20 18:27 . 2008-09-05 02:01 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2011-08-24 06:52 . 2011-08-24 06:52 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
    + 2011-08-24 02:45 . 2011-08-24 02:45 28160 c:\windows\Installer\295139.msi
    - 2009-12-17 21:35 . 2011-02-02 22:11 222080 c:\windows\system32\MpSigStub.exe
    + 2009-12-17 21:35 . 2011-05-24 23:14 222080 c:\windows\system32\MpSigStub.exe
    + 2011-08-24 02:40 . 2011-07-19 09:05 157472 c:\windows\system32\javaws.exe
    + 2011-08-24 02:40 . 2011-07-19 09:05 145184 c:\windows\system32\javaw.exe
    + 2011-08-24 02:40 . 2011-07-19 09:05 145184 c:\windows\system32\java.exe
    + 2011-08-24 06:52 . 2011-08-24 06:52 262144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
    + 2011-08-24 02:41 . 2011-08-24 02:41 203776 c:\windows\Installer\295134.msi
    + 2011-08-24 02:49 . 2011-08-24 02:49 2295808 c:\windows\Installer\295426.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-08-24 4603264]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
    "SMCWUSB-N2 Wireless Utility"="c:\program files\SMC\SMCWUSB-N2\SMCWUSB-N2 Wireless Utility.exe" [2009-08-07 557171]
    "nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
    "TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-05-26 273544]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
    backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
    backup=c:\windows\pss\HotSync Manager.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk.disabled]
    backup=c:\windows\pss\HP Image Zone Fast Start.lnk.disabledCommon Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
    2011-04-20 16:48 58656 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2011-04-27 05:22 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2010-07-09 20:24 13923432 ----a-w- c:\windows\system32\nvcpl.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
    2006-11-04 00:20 866584 ----a-w- c:\program files\Windows Defender\MSASCui.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    "HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe"
    "HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
    "NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    "SoundMan"=SOUNDMAN.EXE
    "HPDJ Taskbar Utility"=c:\windows\system32\spool\drivers\w32x86\3\hpztsb99.exe
    "NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    "LoadMSvcmm"="c:\program files\Movielink\MovielinkManager\Movielink User.exe"
    "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe"
    "Symantec NetDriver Monitor"=c:\progra~1\SYMNET~1\SNDMon.exe /Consumer
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\drivers\\svchost.exe"=
    "c:\\Program Files\\MyPoints Toolbar 2.0\\TroubleShooter.exe"=
    "c:\\Program Files\\MyPoints Toolbar 2.0\\ToolbarUpdate.exe"=
    "c:\\WINDOWS\\system32\\mmc.exe"=
    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "56951:TCP"= 56951:TCP:pando Media Booster
    "56951:UDP"= 56951:UDP:pando Media Booster
    .
    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1206000.01D\symds.sys [5/9/2011 7:03 PM 340088]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1206000.01D\symefa.sys [5/9/2011 7:03 PM 744568]
    R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [7/18/2011 8:02 PM 116608]
    R3 arusb(SMC);SMCWUSB-N2 802.11n Wireless USB 2.0 Adapter Service(SMC);c:\windows\system32\drivers\arusb.sys [3/29/2010 7:58 AM 458240]
    S1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\BASHDefs\20110812.001\BHDrvx86.sys [7/22/2011 8:21 PM 815736]
    S1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2/20/2007 4:37 PM 13696]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
    S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1206000.01D\ironx86.sys [5/9/2011 7:03 PM 136312]
    S2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\18.6.0.29\ccsvchst.exe [5/9/2011 7:03 PM 130008]
    S3 EraserUtilDrv11113;EraserUtilDrv11113;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11113.sys [8/24/2011 2:44 AM 105592]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/10/2011 8:08 PM 105592]
    S3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\IPSDefs\20110822.031\IDSXpx86.sys [8/23/2011 12:17 AM 356280]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/24/2010 10:10 AM 22712]
    S3 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
    S4 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/24/2010 10:10 AM 366640]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-08-27 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
    .
    2011-08-27 c:\windows\Tasks\Disk Cleanup.job
    - c:\windows\system32\cleanmgr.exe [2004-08-04 00:12]
    .
    2011-08-27 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
    .
    2011-08-22 c:\windows\Tasks\Norton AntiVirus.job
    - c:\progra~1\NORTON~3\Engine\1860~1.29\uistub.exe [2011-05-09 00:28]
    .
    2011-08-27 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-220523388-1425521274-725345543-1009.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
    .
    2011-08-27 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-220523388-1425521274-725345543-1010.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
    .
    2011-08-27 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-220523388-1425521274-725345543-1011.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
    .
    2011-08-27 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-220523388-1425521274-725345543-1013.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
    .
    2011-08-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-220523388-1425521274-725345543-1007.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
    .
    2011-08-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-220523388-1425521274-725345543-1009.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
    .
    2011-08-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-220523388-1425521274-725345543-1010.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
    .
    2011-08-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-220523388-1425521274-725345543-1011.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
    .
    2011-08-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-220523388-1425521274-725345543-1012.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
    .
    2011-08-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-220523388-1425521274-725345543-1013.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
    .
    2011-08-27 c:\windows\Tasks\User_Feed_Synchronization-{9607B5EA-95BD-4B0B-840F-917E9456301F}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
    .
    .
    ------- Supplementary Scan -------
    .
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    TCP: DhcpNameServer = 192.168.2.1
    DPF: {75A6AEA3-F26E-4608-AE9B-8DA78C87576E} - hxxps://kingsisle.hs.llnwd.net/e1/static/themes/wizard101A/activex/Wizard101GameLauncher.CAB
    DPF: {DABFA9AD-4E31-43F4-9D60-4CDD20F57F28} - hxxp://www.photomax.com/web/PhotomaxUploader.CAB
    DPF: {EA7F451B-94DD-4009-A8BF-8F977B0B2696} - hxxp://pbells.broadjump.com/wizlet/StandardInstall/static/controls/WebflowActiveXInstaller_4-2-0.cab
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-08-27 00:53
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NAV]
    "ImagePath"="\"c:\program files\Norton AntiVirus\Engine\18.6.0.29\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\18.6.0.29\diMaster.dll\" /prefetch:1"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-220523388-1425521274-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2d,e7,cb,9b,7a,5b,25,4e,b4,1c,6d,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2d,e7,cb,9b,7a,5b,25,4e,b4,1c,6d,\
    "6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2d,e7,cb,9b,7a,5b,25,4e,b4,1c,6d,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(948)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    .
    - - - - - - - > 'explorer.exe'(860)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    .
    Completion time: 2011-08-27 00:58:08 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-08-27 04:58
    ComboFix2.txt 2011-08-24 02:35
    ComboFix3.txt 2011-08-23 04:08
    ComboFix4.txt 2011-08-19 19:30
    ComboFix5.txt 2011-08-27 04:30
    .
    Pre-Run: 68,849,946,624 bytes free
    Post-Run: 68,877,889,536 bytes free
    .
    - - End Of File - - 84DB7B5EF545038AE4D017FA8F971E35
     
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Deb, I'd like to try and find out what is causing the BSOD when you try to boot into Normal Mode. The next time you get the BSOD, note the time on the computer clock- that's important and you can try to force it if you want.

    With that time in mind:

    Start> Run> type in eventvwr

    Do this on each of the System and the Applications logs:
    [1]. Click to open the log>
    [2]. Look for an Error that corresponds to the time of the BSOD>
    [3]. Right click on the Error> Properties>
    [4]. Click on Copy button, top right, below the down arrow >
    [5]. Paste here (Ctrl V)
    [6]. NOTES
    • You can ignore Warnings and Information Events.
    • If you have a recurring Error with same ID#, same Source and same Description, only one copy is needed.
    • You don't need to include the lines of code in the box below the Description, if any.
    • Please do not copy the entire Event log.
    Since you are in Safe Mode, there will be a lot of Errors about various Services not starting>>>> this is to be expected and it's not what we're looking for; that's why the time is important. Errors are time coded.
    ==========================================
    I will share this with you. Many Norton users have complained about the following, thinking Norton is advising them of the infection:

    If you look on the right, you may see: Blocked and No action required and lastly, a button to click on saying Stop notifying me

    Both screens show Risk Name: HTTP TIDserv Request
    -----------------------------------------
    This has fooled many Norton users into thinking they have the rootkit- but they are actually only seeing normal internet traffic. Are you seeing either of the above?
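The Event Viewer procedure above (note the BSOD time, then look only at Errors logged close to it, ignore the Safe Mode service-start noise, and keep one copy of a recurring Error) can be automated over the pasted "Copy" output. The script below is an added example written for this page, not a tool from the thread or from TechSpot. It parses records in the same format Deb pasted, keeps Error events within a chosen window of the noted BSOD time, drops records whose description only says something could not start in Safe Mode, and collapses repeats of the same Source/ID/Description. The DCOM and Service Control Manager records are the two from the thread; the "Save Dump" record is constructed (the bugcheck code and dump path are placeholders), and the 5-minute window is an assumption.

```python
"""Filter pasted Windows XP Event Viewer records down to Errors near a BSOD time.

Added example for this page, not from the thread. The DCOM and SCM records are
the ones pasted in the thread; the Save Dump record is constructed.
"""
import re
from datetime import datetime, timedelta

DCOM_RECORD = """\
Event Type: Error
Event Source: DCOM
Event ID: 10005
Date: 8/30/2011
Time: 3:33:07 PM
User: NT AUTHORITY\\SYSTEM
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service EventSystem with arguments "" in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
"""
# Constructed record: bugcheck code and dump path are placeholders, not real values.
SAVEDUMP_RECORD = """\
Event Type: Error
Event Source: Save Dump
Event ID: 1001
Date: 8/30/2011
Time: 3:34:10 PM
User: N/A
Description:
The computer has rebooted from a bugcheck.  The bugcheck was: 0x000000XX (placeholder). A dump was saved in: C:\\WINDOWS\\Minidump\\PLACEHOLDER.dmp.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
"""
SCM_RECORD = """\
Event Type: Error
Event Source: Service Control Manager
Event ID: 7026
Date: 8/30/2011
Time: 3:39:45 PM
User: N/A
Description:
The following boot-start or system-start driver(s) failed to load:
BHDrvx86

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
"""
# The Save Dump record appears twice, as a recurring Error would in the log.
SAMPLE_EVENTS = "\n".join([DCOM_RECORD, SAVEDUMP_RECORD, SAVEDUMP_RECORD, SCM_RECORD])
BSOD_TIME = datetime(2011, 8, 30, 15, 34)  # time noted from the computer clock


def parse_events(text):
    """Split pasted Event Viewer text into one dict per record."""
    events = []
    for chunk in re.split(r"(?m)^(?=Event Type:)", text):
        if not chunk.strip():
            continue
        head, _, desc = chunk.partition("Description:")
        ev = {}
        for line in head.splitlines():
            key, sep, value = line.partition(":")  # first colon only; times keep theirs
            if sep:
                ev[key.strip()] = value.strip()
        # Drop the generic "For more information ..." trailer from the description.
        ev["Description"] = desc.split("For more information", 1)[0].strip()
        ev["timestamp"] = datetime.strptime(
            f"{ev['Date']} {ev['Time']}", "%m/%d/%Y %I:%M:%S %p")
        events.append(ev)
    return events


def is_safe_mode_noise(ev):
    """Errors that only report a service or driver refusing to start in Safe Mode."""
    return "safe mode" in ev["Description"].lower()


def errors_near(text, bsod_time, window_minutes=5):
    """Error events within the window of bsod_time, minus noise, deduplicated."""
    window = timedelta(minutes=window_minutes)
    seen, hits = set(), []
    for ev in parse_events(text):
        if ev.get("Event Type") != "Error":
            continue  # Warnings and Information events can be ignored
        if abs(ev["timestamp"] - bsod_time) > window:
            continue  # Errors are time coded; only the BSOD window matters
        if is_safe_mode_noise(ev):
            continue
        key = (ev["Event Source"], ev["Event ID"], ev["Description"])
        if key in seen:  # same ID, Source and Description: one copy is enough
            continue
        seen.add(key)
        hits.append(ev)
    return hits


def demo():
    return errors_near(SAMPLE_EVENTS, BSOD_TIME)


if __name__ == "__main__":
    for ev in demo():
        print(ev["Time"], ev["Event Source"], ev["Event ID"])
        print("   ", ev["Description"].splitlines()[0])
```

Widening the window pulls the 7026 "driver failed to load" record back in; in a Normal Mode boot that record would be worth keeping, so the noise filter only keys on the Safe Mode wording, not on the Event ID.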
     
  22. debdubey

    debdubey TS Rookie Topic Starter

    Error log

    I restarted the computer and wrote down the time. Under 'system', the errors logged at that time are below. When I click on 'application' the most recent error is logged on the 23rd of Aug. and the most recent date for an 'information' line is the 27th. There is nothing for today's date.

    These 2 errors were right next to each other in the event log, even though there is about a 6 min time difference.
    Event Type: Error
    Event Source: DCOM
    Event Category: None
    Event ID: 10005
    Date: 8/30/2011
    Time: 3:33:07 PM
    User: NT AUTHORITY\SYSTEM
    Computer: DESKTOP
    Description:
    DCOM got error "This service cannot be started in Safe Mode " attempting to start the service EventSystem with arguments "" in order to run the server:
    {1BE1F766-5536-11D1-B726-00C04FB926AF}

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


    Event Type: Error
    Event Source: Service Control Manager
    Event Category: None
    Event ID: 7026
    Date: 8/30/2011
    Time: 3:39:45 PM
    User: N/A
    Computer: DESKTOP
    Description:
    The following boot-start or system-start driver(s) failed to load:
    BHDrvx86
    BIOS
    eeCtrl
    Fips
    Processor
    SASDIFSV
    SASKUTIL
    SRTSPX
    SymIRON
    SYMTDI

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


    When I originally ran Norton Antivirus it was in normal mode, and when I got the results of the scan it said it had found the Tidserv and couldn't fix it. (I ran the scan because my daughter told me the pc was randomly rebooting itself and I saw it do this.) I got a message to go to the Norton website to download a fix tool that might remove it. That was the Fix TDSS that I tried to run. But that tool restarts the pc as part of the removal process and by that time my pc wouldn't reboot into normal mode, so I could never verify if the virus was gone. Malwarebytes showed it the first time I ran that but hadn't shown it again after that first run. I don't know if any of the warning windows popped up- it's definitely possible that happened while the kids were on the pc. It's also possible that I'm not remembering 100% from that first scan. It was quite a while ago, and I haven't run any programs since joining this site except the ones I've been told to. If you think it might be gone or was never there, we can concentrate on why it won't boot into normal. I know that might be something totally different, so I'm open to any suggestions you might have. I do know that I got the suggestion to go to the Symantec website for the fix tool. I wasn't surprised because a number of years ago I had that happen with a different trojan and I was able to get rid of it without any problems. This one has me stumped and I didn't want to try anything else on my own after the original fix tool didn't seem to work. That was when I searched and found this forum.
    Sorry so long,
    Deb
     
  23. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    The 2 error events you left are examples of what I referred to above and of no use to us for this problem. These are the errors I told you to ignore.

    When you get the BSOD on an attempt to boot into Normal Mode, I either need you to tell me what the white writing is on the blue screen-or-see if there is a corresponding error at that attempt time.

    This is what I'm trying to identify:
    And I need to distinguish "blue screen." For instance, when I boot my laptop, I get a quick black screen, followed by the white dots going across the screen. When that finishes, I get a brief plain blue screen, followed immediately by my logon with password box. That is all normal with no freezing. But the BSOD is different- there is white writing on it with the error message, but it is difficult to read it quickly. So by checking the Event Viewer, looking only at that specific time for an error that corresponds to the BSOD, it gives us something to work with.

    I am not sure you ever had that infection and one thing I noticed was the large number of entries for the FixTSS. I'm not familiar with that program. But when the TDSSKiller is run, it makes a nice, neat entry with the quarantines and doesn't spread entries all over the system.

    I want you to boot into Normal Mode. When whatever happens when you try to do this happens>>> look at the time<<< then see if there is any error that corresponds to that time.
     
Topic Status:
Not open for further replies.
