TechSpot

Virus removal help needed

By napol3on
Aug 28, 2010
  1. Hello,

    I have a virus that has three major characteristics: it blocks all Windows updates, dramatically slows down the computer, and constantly causes my antivirus software to block "security intrusions." I am running Windows XP (Pro?).

    I have (I hope) followed the "UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions" and have 4 logs that I would like to post as per the instructions. I also have an additional "hijackthis" log as well.

    Also, I am currently running Avira, Ad-Aware, and Norton AntiVirus; all have deleted files but not fixed the problem.

    I am new to this and not really sure what to do with all of this information so I thank you for your help and patience!
     
  2. napol3on

    napol3on TS Rookie Topic Starter Posts: 27

    Log 1 of 4

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4493

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    8/28/2010 1:06:43 PM
    mbam-log-2010-08-28 (13-06-43).txt

    Scan type: Quick scan
    Objects scanned: 141429
    Time elapsed: 22 minute(s), 13 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 5
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 2
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\Software\GabPath (Adware.Adparatus) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\IEBarProperties (Adware.Mirar) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\GabPath (Adware.GabPath) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ResultDns (Adware.ResultDns) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\ResultDns (Adware.ResultDns) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\Documents and Settings\All Users\Application Data\ResultDns (Adware.ResultDns) -> Quarantined and deleted successfully.
    C:\Program Files\ResultDns (Adware.ResultDns) -> Quarantined and deleted successfully.

    Files Infected:
    (No malicious items detected)
     
  3. napol3on

    Log 2 of 4

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-08-28 14:46:09
    Windows 5.1.2600 Service Pack 3
    Running: 1le6bgmg.exe; Driver: C:\DOCUME~1\Claire\LOCALS~1\Temp\kgwyifow.sys


    ---- System - GMER 1.0.15 ----

    SSDT 823C2DD0 ZwAlertResumeThread
    SSDT 823C2EB0 ZwAlertThread
    SSDT 823AC700 ZwAllocateVirtualMemory
    SSDT 823C2578 ZwAssignProcessToJobObject
    SSDT 82C6FAC8 ZwConnectPort
    SSDT F8CCF83E ZwCreateKey
    SSDT 823C2B20 ZwCreateMutant
    SSDT 823C2398 ZwCreateSymbolicLinkObject
    SSDT F8CCF834 ZwCreateThread
    SSDT 823C2658 ZwDebugActiveProcess
    SSDT F8CCF843 ZwDeleteKey
    SSDT F8CCF84D ZwDeleteValueKey
    SSDT 823AC8D0 ZwDuplicateObject
    SSDT 823AC520 ZwFreeVirtualMemory
    SSDT 823C2C10 ZwImpersonateAnonymousToken
    SSDT 823C2CF0 ZwImpersonateThread
    SSDT 82C6F838 ZwLoadDriver
    SSDT F8CCF852 ZwLoadKey
    SSDT 823AC420 ZwMapViewOfSection
    SSDT 823C2A40 ZwOpenEvent
    SSDT F8CCF820 ZwOpenProcess
    SSDT 823AC7F0 ZwOpenProcessToken
    SSDT 823C2880 ZwOpenSection
    SSDT F8CCF825 ZwOpenThread
    SSDT 823C2488 ZwProtectVirtualMemory
    SSDT F8CCF85C ZwReplaceKey
    SSDT F8CCF857 ZwRestoreKey
    SSDT 823AFB38 ZwResumeThread
    SSDT 823AC170 ZwSetContextThread
    SSDT 823AC250 ZwSetInformationProcess
    SSDT 823C2738 ZwSetSystemInformation
    SSDT F8CCF848 ZwSetValueKey
    SSDT 823C2960 ZwSuspendProcess
    SSDT 823C2F90 ZwSuspendThread
    SSDT 823ACBE8 ZwTerminateProcess
    SSDT 823AC090 ZwTerminateThread
    SSDT 823AC340 ZwUnmapViewOfSection
    SSDT 823AC610 ZwWriteVirtualMemory

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntoskrnl.exe!_abnormal_termination + 98 804E2704 1 Byte [78]
    .text ntoskrnl.exe!_abnormal_termination + 450 804E2ABC 8 Bytes CALL 10D0658C
    ? SYMEFA.SYS The system cannot find the file specified. !
    .rsrc C:\WINDOWS\System32\DRIVERS\redbook.sys entry point in ".rsrc" section [0xF88DEF94]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Mozilla Firefox\firefox.exe[308] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0132000A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[308] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0133000A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[308] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0131000C
    .text C:\Program Files\Mozilla Firefox\firefox.exe[308] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 02B0003A
    .text C:\WINDOWS\Explorer.EXE[348] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
    .text C:\WINDOWS\Explorer.EXE[348] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A
    .text C:\WINDOWS\Explorer.EXE[348] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[1216] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 1044721D C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
    .text C:\WINDOWS\System32\svchost.exe[1732] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0092000A
    .text C:\WINDOWS\System32\svchost.exe[1732] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0093000A
    .text C:\WINDOWS\System32\svchost.exe[1732] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0091000C
    .text C:\WINDOWS\System32\svchost.exe[1732] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 029A000A
    .text C:\WINDOWS\System32\svchost.exe[1732] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00AF000A
    .text C:\WINDOWS\system32\SearchIndexer.exe[2248] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
    Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

    AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device -> \Driver\atapi \Device\Harddisk0\DR0 82D0BEC5

    ---- Files - GMER 1.0.15 ----

    File C:\WINDOWS\System32\DRIVERS\redbook.sys suspicious modification
    File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

    ---- EOF - GMER 1.0.15 ----
     
  4. napol3on

    DDS log 3 of 4: unable to post as an attachment or by copy and paste. The browser says that the page is unopenable when I try to post a reply with the DDS log.
     
  5. napol3on

    log 4 of 4

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 6/14/2009 7:52:42 PM
    System Uptime: 8/28/2010 12:15:44 PM (2 hours ago)

    Motherboard: IBM | | 1842SUU
    Processor: Intel(R) Pentium(R) M processor 1.60GHz | None | 591/400mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 51 GiB total, 29.433 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Intel(R) PRO/Wireless 2200BG Network Connection
    Device ID: PCI\VEN_8086&DEV_4220&SUBSYS_27118086&REV_05\4&39A85202&0&10F0
    Manufacturer: Intel(R) Corporation
    Name: Intel(R) PRO/Wireless 2200BG Network Connection
    PNP Device ID: PCI\VEN_8086&DEV_4220&SUBSYS_27118086&REV_05\4&39A85202&0&10F0
    Service: w22n51

    ==== System Restore Points ===================

    RP121: 6/2/2010 6:23:20 PM - System Checkpoint
    RP122: 6/4/2010 4:09:19 PM - System Checkpoint
    RP123: 6/5/2010 8:34:54 PM - System Checkpoint
    RP124: 6/10/2010 10:38:58 AM - System Checkpoint
    RP125: 6/11/2010 7:26:22 AM - Software Distribution Service 3.0
    RP126: 6/12/2010 7:37:55 PM - System Checkpoint
    RP127: 6/14/2010 8:57:18 AM - System Checkpoint
    RP128: 6/16/2010 7:02:33 PM - System Checkpoint
    RP129: 6/19/2010 4:22:44 PM - System Checkpoint
    RP130: 6/20/2010 4:57:02 PM - System Checkpoint
    RP131: 6/25/2010 10:44:01 PM - System Checkpoint
    RP132: 6/26/2010 1:54:52 AM - Software Distribution Service 3.0
    RP133: 6/27/2010 7:08:10 PM - System Checkpoint
    RP134: 6/30/2010 10:03:42 PM - System Checkpoint
    RP135: 7/15/2010 12:34:27 AM - Software Distribution Service 3.0
    RP136: 7/17/2010 6:23:58 PM - System Checkpoint
    RP137: 7/19/2010 6:47:28 PM - System Checkpoint
    RP138: 7/23/2010 2:48:04 PM - System Checkpoint
    RP139: 7/27/2010 5:01:06 AM - System Checkpoint
    RP140: 7/28/2010 8:19:20 PM - System Checkpoint
    RP141: 8/3/2010 9:10:23 PM - System Checkpoint
    RP142: 8/4/2010 3:00:30 AM - Software Distribution Service 3.0
    RP143: 8/5/2010 3:24:25 AM - System Checkpoint
    RP144: 8/6/2010 1:33:15 PM - System Checkpoint
    RP145: 8/7/2010 5:34:15 PM - System Checkpoint
    RP146: 8/9/2010 5:50:08 PM - System Checkpoint
    RP147: 8/10/2010 6:19:15 PM - System Checkpoint
    RP148: 8/12/2010 8:42:38 PM - Software Distribution Service 3.0
    RP149: 8/13/2010 8:56:51 PM - System Checkpoint
    RP150: 8/16/2010 2:30:47 AM - System Checkpoint
    RP151: 8/16/2010 9:48:46 PM - Installed HiJackThis
    RP152: 8/28/2010 4:35:52 AM - System Checkpoint

    ==== Installed Programs ======================

    AAC Decoder
    Access IBM
    Acrobat.com
    Ad-Aware
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.1
    Apple Mobile Device Support
    Apple Software Update
    AutoUpdate
    Avira AntiVir Personal - Free Antivirus
    Bonjour
    CCleaner
    Compatibility Pack for the 2007 Office system
    Defraggler
    DivX Codec
    DivX Converter
    DivX Player
    DivX Plus DirectShow Filters
    DivX Version Checker
    DivX Web Player
    Google Talk Plugin
    H.264 Decoder
    HiJackThis
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB915800-v4)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976002-v5)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    IBM 32-bit Runtime Environment for Java 2, v1.4.1
    IBM Access Connections
    IBM DLA
    IBM RecordNow!
    IBM Rescue and Recovery with Rapid Restore
    IBM Themes
    IBM ThinkPad Battery MaxiMiser and Power Management Features
    IBM ThinkPad Configuration
    IBM ThinkPad EasyEject Utility
    IBM ThinkPad Keyboard Customizer Utility
    IBM ThinkPad Presentation Director
    IBM ThinkVantage Technologies Welcome Message
    IBM TrackPoint Accessibility Features
    IBM Update Connector
    Intel(R) Extreme Graphics 2 Driver
    Intel(R) Network Connections Drivers
    Intel(R) Sebring API
    InterVideo WinDVD
    InterVideo WinDVD Creator
    iPod for Windows 2005-09-23
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 18
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Base Smart Card Cryptographic Service Provider Package
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft VC9 runtime libraries
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Word 2000 SR-1
    Microsoft Works 2001 Setup Launcher
    Microsoft Works 6.0
    Microsoft Works Suite Add-in for Microsoft Word
    MKV Splitter
    Mozilla Firefox (3.6.8)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Norton AntiVirus
    PC-Doctor for Windows
    PCFriendly
    QuickTime
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Search 4 - KB963093
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Skype™ 4.2
    Sonic Update Manager
    Tango
    Teachers Report Assistant
    Themen aktuell 1
    ThinkPad FullScreen Magnifier
    ThinkPad Integrated 56K Modem
    ThinkPad Power Management Driver
    ThinkPad Software Installer
    ThinkPad TrackPoint Driver
    upapp
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Windows (KB971513)
    Update for Windows Internet Explorer 8 (KB971180)
    Update for Windows Internet Explorer 8 (KB975364)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    VC80CRTRedist - 8.0.50727.762
    Viewpoint Media Player
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    Wallpapers
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows PowerShell(TM) 1.0
    Windows Search 4.0
    Windows XP Service Pack 3
    Works Suite OS Pack
    Works Synchronization

    ==== Event Viewer Messages From Past Week ========

    8/28/2010 12:07:36 PM, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
    8/28/2010 12:07:35 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    8/28/2010 12:07:33 PM, error: Service Control Manager [7034] - The Viewpoint Manager Service service terminated unexpectedly. It has done this 1 time(s).
    8/28/2010 12:07:33 PM, error: Service Control Manager [7034] - The RegSrvc service terminated unexpectedly. It has done this 1 time(s).
    8/28/2010 12:07:33 PM, error: Service Control Manager [7034] - The IBM Rapid Restore Ultra Service service terminated unexpectedly. It has done this 1 time(s).
    8/28/2010 12:07:33 PM, error: Service Control Manager [7034] - The IBM KCU Service service terminated unexpectedly. It has done this 1 time(s).
    8/28/2010 12:07:32 PM, error: Service Control Manager [7034] - The QCONSVC service terminated unexpectedly. It has done this 1 time(s).
    8/28/2010 12:07:32 PM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
    8/28/2010 12:07:32 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    8/28/2010 12:07:21 PM, error: Service Control Manager [7034] - The ThinkPad PM Service service terminated unexpectedly. It has done this 1 time(s).
    8/28/2010 12:07:21 PM, error: Service Control Manager [7034] - The Spectrum24 Event Monitor service terminated unexpectedly. It has done this 1 time(s).
    8/27/2010 11:16:21 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Avira AntiVir Guard service to connect.
    8/27/2010 11:16:21 PM, error: Service Control Manager [7000] - The Avira AntiVir Guard service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    8/27/2010 10:22:10 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.CRT. Reference error message: The referenced assembly is not installed on your system. .
    8/27/2010 10:22:10 PM, error: SideBySide [59] - Generate Activation Context failed for C:\DOCUME~1\Claire\LOCALS~1\Temp\RarSFX0\redist.dll. Reference error message: The operation completed successfully. .
    8/27/2010 10:22:10 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.CRT could not be found and Last Error was The referenced assembly is not installed on your system.
    8/25/2010 6:59:37 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Norton AntiVirus service.
    8/25/2010 6:47:17 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
    8/25/2010 6:47:17 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.

    ==== End Of File ===========================
     
  6. napol3on

    DDS log retry in multiple parts:

    S (Ver_10-03-17.01) - NTFSx86
    Run by Claire at 14:52:05.98 on Sat 08/28/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.31 [GMT 2:00]

    AV: Norton AntiVirus *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
    AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
     
  7. napol3on

    ============== Running Processes ===============

    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\S24EvMon.exe
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    svchost.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe
    C:\WINDOWS\System32\QCONSVC.EXE
    C:\WINDOWS\system32\RegSrvc.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\TpKmpSVC.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe
    C:\Program Files\Lenovo\TrackPoint\tp4serv.exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\IBMTOOLS\UTILS\ibmprc.exe
    C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    C:\WINDOWS\system32\RunDll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Documents and Settings\Claire\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
    C:\Program Files\iTunes\iTunes.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\Documents and Settings\Claire\My Documents\Downloads\dds.scr
     
  8. napol3on

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://mail.yahoo.com/
    mWinlogon: Userinit=c:\windows\system32\userinit.exe
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\16.8.0.41\IPSBHO.DLL
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
     
  9. napol3on

    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
    uRun: [Google Update] "c:\documents and settings\claire\local settings\application data\google\update\GoogleUpdate.exe" /c
    mRun: [TrackPointSrv] c:\program files\lenovo\trackpoint\tp4serv.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
    mRun: [TPHOTKEY] c:\progra~1\thinkpad\pkgmgr\hotkey\TPHKMGR.exe
    mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
    mRun: [UC_Start] c:\program files\ibm\updater\\ucstartup.exe
    mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
    mRun: [IBMPRC] c:\ibmtools\utils\ibmprc.exe
    mRun: [QCWLICON] c:\program files\thinkpad\connectutilities\QCWLICON.EXE
    mRun: [BMMGAG] RunDll32 c:\progra~1\thinkpad\utilit~1\pwrmonit.dll,StartPwrMonitor
    mRun: [BMMLREF] c:\program files\thinkpad\utilities\BMMLREF.EXE
    mRun: [BMMMONWND] rundll32.exe c:\progra~1\thinkpad\utilit~1\BatInfEx.dll,BMMAutonomicMonitor
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
     
  10. napol3on

    mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
     
  11. napol3on

    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
     
  12. napol3on

    NOTE: the browser will not load the next line; it is about Windows Update being a trusted zone!
     
  13. napol3on

    DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
    DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.com/s/v/56.20/uploader2.cab
    DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/55.16/uploader2.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1281986790632
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4.1/jinstall-141-win.cab
    DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: igfxcui - igfxsrvc.dll
    Notify: QConGina - QConGina.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
    LSA: Notification Packages = scecli pwdmon

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\claire\applic~1\mozilla\firefox\profiles\wf7v1w6y.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoomail.com/
    FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
    FF - plugin: c:\documents and settings\claire\application data\mozilla\firefox\profiles\wf7v1w6y.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
    FF - plugin: c:\documents and settings\claire\application data\mozilla\plugins\npgoogletalk.dll
    FF - plugin: c:\documents and settings\claire\application data\mozilla\plugins\npgtpo3dautoplugin.dll
    FF - plugin: c:\documents and settings\claire\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
     
  14. napol3on

    napol3on TS Rookie Topic Starter Posts: 27

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
    c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============


    =============== Created Last 30 ================

    2010-08-28 10:37:43 0 d-----w- c:\docume~1\claire\applic~1\Malwarebytes
    2010-08-28 10:36:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-08-28 10:35:46 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-08-28 10:35:44 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-08-28 10:35:43 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-08-27 21:03:25 0 d-----w- c:\docume~1\claire\applic~1\Avira
    2010-08-27 20:27:33 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-08-27 20:27:10 0 d-----w- c:\program files\Avira
    2010-08-27 20:27:10 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
    2010-08-16 19:48:50 0 d-----w- c:\program files\Trend Micro
    2010-08-15 23:27:21 15880 ----a-w- c:\windows\system32\lsdelete.exe
    2010-08-15 20:04:43 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2010-08-15 20:04:33 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2010-08-15 19:55:54 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
    2010-08-13 19:32:12 0 d-----w- c:\docume~1\claire\applic~1\181E1E3F17457910F65DBD9D24359169

    ==================== Find3M ====================

    2010-07-27 06:30:35 8462336 ------w- c:\windows\system32\dllcache\shell32.dll
    2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-30 12:31:35 149504 ------w- c:\windows\system32\dllcache\schannel.dll
    2010-06-24 15:51:58 11077120 ------w- c:\windows\system32\dllcache\ieframe.dll
    2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-06-24 12:22:03 916480 ------w- c:\windows\system32\dllcache\wininet.dll
    2010-06-24 12:22:03 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
    2010-06-24 12:22:02 1210368 ------w- c:\windows\system32\dllcache\urlmon.dll
    2010-06-24 12:22:01 611840 ------w- c:\windows\system32\dllcache\mstime.dll
    2010-06-24 12:22:01 5951488 ------w- c:\windows\system32\dllcache\mshtml.dll
    2010-06-24 12:22:01 206848 ------w- c:\windows\system32\dllcache\occache.dll
    2010-06-24 12:21:59 599040 ------w- c:\windows\system32\dllcache\msfeeds.dll
    2010-06-24 12:21:59 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
    2010-06-24 12:21:59 25600 ------w- c:\windows\system32\dllcache\jsproxy.dll
    2010-06-24 12:21:58 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
    2010-06-24 12:21:58 1986560 ------w- c:\windows\system32\dllcache\iertutil.dll
    2010-06-24 12:21:58 184320 ------w- c:\windows\system32\dllcache\iepeers.dll
    2010-06-24 12:21:56 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
    2010-06-24 12:21:55 387584 ------w- c:\windows\system32\dllcache\iedkcs32.dll
    2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
    2010-06-23 13:44:04 1851904 ------w- c:\windows\system32\dllcache\win32k.sys
    2010-06-23 12:08:09 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
    2010-06-21 15:27:11 354304 ------w- c:\windows\system32\dllcache\srv.sys
    2010-06-18 13:36:12 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
    2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
    2010-06-14 14:31:20 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
    2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
    2010-06-14 07:41:45 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll

    ============= FINISH: 14:59:02.69 ===============
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Goodness, this thread almost didn't get picked up! We see 13 posts which would usually indicate someone is handling it. IF you are still running the multiple antivirus programs, please uninstall one of them- or if you have more than Avira and Norton, get it down to 1 AV program.

    I am reviewing your logs now- it will take me a little while. In the meantime:

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You did a good job getting all these logs on! Please don't shoot me- I'm going to have you run 2 more programs which I'm checking. It appears that you may have a rootkit infection and those programs will help me to help you:

    Please download ComboFix from Here and save to your Desktop.

    [1]. Do NOT rename Combofix unless instructed.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Close any open browsers.
    [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    [5]. If Combofix asks you to install Recovery Console, please allow it.
    [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    [7]. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply. OK to split if needed.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with Combofix.
    =======================================
    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      
      :filefind
       redbook.*
       atapi.*
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply- OK to attach this one.
    Note: The log can also be found on your Desktop entitled SystemLook.txt

    EDIT: There is a section in the DDS log named ============= SERVICES / DRIVERS ===============
    There is nothing showing. There should be similar section in the Combofix log that I can use. Just be sure when you paste a log in that everything is included. Chin up- you've done most of the pasting!

    About the Trusted Zone: Nothing needs to be in that Zone- not even the Windows Updates. Best to remove any sites there:
    Click on the Control Panel-or Tools in IE> Internet Options> Security tab> Trusted Sites> Sites> Highlight any sites showing here, one at a time> Click on Remove for each> Click on OK> Apply> OK.

    Security is lower in this Zone and it's best not to put any Domains in there.
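The helper's review above turns on a handful of log lines: the `LSA: Notification Packages` entry from the DDS log, the ComboFix "Other Deletions" block, the "Infected copy of ... was found and disinfected" line for one of the drivers SystemLook was asked about, and any Trusted Sites entries. The script below is an added example (not part of this thread, and not DDS, ComboFix or SystemLook code) that triages a DDS/ComboFix excerpt for exactly those findings; it assumes `scecli` is the only default LSA notification package on this XP build, that DDS prints trusted sites as `Trusted Zone: domain\path`, and the sample log is constructed in the format of the posted logs.

```python
"""Triage a DDS / ComboFix log excerpt for the findings this thread turns on.

Added example, not part of the original thread or of the DDS/ComboFix tools.
SAMPLE_LOG below is constructed in the format of the logs posted in the thread.
"""
import re
from dataclasses import dataclass
from typing import List

# Assumption: on Windows XP the only LSA notification package loaded by default
# is scecli. Any extra package is loaded into lsass and sees every password
# change, which is why the pwdmon entry in the posted log deserved attention.
DEFAULT_LSA_PACKAGES = {"scecli"}

# Drivers the helper asked SystemLook to check (both named in the thread).
WATCHED_DRIVERS = {"redbook.sys", "atapi.sys"}


@dataclass
class Finding:
    severity: str   # "high", "medium" or "info"
    source: str     # which part of the log produced it
    detail: str


LSA_RE = re.compile(r"^\s*LSA:\s*Notification Packages\s*=\s*(.+?)\s*$")
DISINFECTED_RE = re.compile(r"^\s*Infected copy of\s+(\S+)\s+was found and disinfected", re.I)
# A bare path on its own line inside ComboFix's "Other Deletions" block.
DELETED_RE = re.compile(r"^\s*([a-z]:\\\S+\.(?:dll|sys|exe))\s*$", re.I)
# Assumption: DDS lists trusted sites as "Trusted Zone: domain\path".
TRUSTED_RE = re.compile(r"^\s*Trusted Zone:\s*(\S+)", re.I)


def triage(log_text: str) -> List[Finding]:
    """Walk the log once and collect the findings a helper would act on."""
    findings: List[Finding] = []
    in_deletions = False
    for line in log_text.splitlines():
        stripped = line.strip()
        # ComboFix section headers look like "(((( Section Name ))))";
        # only the "Other Deletions" section lists removed files as bare paths.
        if stripped.startswith("(((("):
            in_deletions = "Other Deletions" in stripped
            continue
        m = LSA_RE.match(line)
        if m:
            extra = [p for p in m.group(1).split() if p.lower() not in DEFAULT_LSA_PACKAGES]
            if extra:
                findings.append(Finding("high", "LSA",
                                        "non-default LSA notification package(s): " + ", ".join(extra)))
            continue
        m = DISINFECTED_RE.match(line)
        if m:
            path = m.group(1)
            name = path.rsplit("\\", 1)[-1].lower()
            # A patched copy of one of the watched drivers is the rootkit sign
            # the helper was looking for; any other driver still rates a look.
            sev = "high" if name in WATCHED_DRIVERS else "medium"
            findings.append(Finding(sev, "ComboFix", "patched system driver disinfected: " + path))
            continue
        if in_deletions:
            m = DELETED_RE.match(line)
            if m:
                findings.append(Finding("medium", "ComboFix", "file removed: " + m.group(1)))
                continue
        m = TRUSTED_RE.match(line)
        if m:
            findings.append(Finding("info", "IE", "domain in Trusted Sites zone: " + m.group(1)))
    return findings


def worst_severity(findings: List[Finding]) -> str:
    """Highest severity present, or "clean" when nothing was flagged."""
    order = {"high": 3, "medium": 2, "info": 1}
    return max((f.severity for f in findings), key=order.get, default="clean")


# Constructed sample in the format of the DDS and ComboFix logs posted above.
SAMPLE_LOG = r"""
LSA: Notification Packages = scecli pwdmon
Trusted Zone: microsoft.com\update

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\pwdmon.dll

Infected copy of c:\windows\system32\drivers\redbook.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-07-28 to 2010-08-29 )))))))))))))))))))))))))))))))
.
2010-08-28 10:36 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
"""

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.source}: {f.detail}")
    print("overall:", worst_severity(results))
```

The "Files Created" entries are deliberately ignored: a fresh file timestamp alone says nothing, whereas a removed LSA package or a disinfected boot driver does.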
     
  17. napol3on

    napol3on TS Rookie Topic Starter Posts: 27

    Thanks for picking up the thread.

    I have uninstalled Avira, and removed Windows Updates from the trusted zone in IE. Do I need to remove it from firefox as well?

    I will now run the other two log checks and get back to you soon.
     
  18. napol3on

    napol3on TS Rookie Topic Starter Posts: 27

    Combofix log:

    ComboFix 10-08-28.01 - Claire 08/29/2010 12:13:19.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.250 [GMT 2:00]
    Running from: c:\documents and settings\Claire\Desktop\ComboFix.exe
    AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\pwdmon.dll

    Infected copy of c:\windows\system32\drivers\redbook.sys was found and disinfected
    Restored copy from - Kitty had a snack :p
    .
    ((((((((((((((((((((((((( Files Created from 2010-07-28 to 2010-08-29 )))))))))))))))))))))))))))))))
    .

    2010-08-29 09:38 . 2010-08-29 09:41 -------- d-----w- C:\32788R22FWJFW.1.tmp
    2010-08-28 14:49 . 2010-08-28 14:52 -------- d-----w- c:\program files\QuickTime
    2010-08-28 14:37 . 2010-08-28 14:40 -------- d-----w- c:\program files\iTunes
    2010-08-28 14:37 . 2010-08-28 14:40 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2010-08-28 13:51 . 2010-08-28 13:52 -------- d-----w- c:\program files\Bonjour
    2010-08-28 13:46 . 2010-08-28 13:46 -------- d-----w- c:\documents and settings\Claire\.java
    2010-08-28 10:37 . 2010-08-28 10:37 -------- d-----w- c:\documents and settings\Claire\Application Data\Malwarebytes
    2010-08-28 10:36 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-08-28 10:35 . 2010-08-28 10:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-08-28 10:35 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-08-28 10:35 . 2010-08-28 10:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-08-16 19:48 . 2010-08-16 19:48 -------- d-----w- c:\program files\Trend Micro
    2010-08-15 23:27 . 2010-07-12 08:55 15880 ----a-w- c:\windows\system32\lsdelete.exe
    2010-08-15 20:04 . 2010-07-12 08:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2010-08-15 20:04 . 2010-08-15 20:04 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2010-08-15 20:00 . 2010-08-15 20:00 -------- d-----w- c:\documents and settings\Claire\Local Settings\Application Data\Sunbelt Software
    2010-08-15 19:55 . 2010-08-15 19:56 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
    2010-08-13 19:54 . 2010-08-13 19:55 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2010-08-13 19:45 . 2010-08-13 19:45 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2010-08-13 19:32 . 2010-08-13 19:33 -------- d-----w- c:\documents and settings\Claire\Application Data\181E1E3F17457910F65DBD9D24359169

    .
     
  19. napol3on

    napol3on TS Rookie Topic Starter Posts: 27

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-08-29 08:51 . 2009-06-14 20:27 -------- d-----w- c:\documents and settings\Claire\Application Data\Apple Computer
    2010-08-28 14:38 . 2009-06-14 20:24 -------- d-----w- c:\program files\iPod
    2010-08-28 14:38 . 2009-06-14 20:04 -------- d-----w- c:\program files\Common Files\Apple
    2010-08-28 13:27 . 2010-08-28 13:27 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe
    2010-08-26 15:58 . 2009-07-05 16:12 -------- d-----w- c:\documents and settings\Claire\Application Data\Skype
    2010-08-26 15:54 . 2009-07-05 16:23 -------- d-----w- c:\documents and settings\Claire\Application Data\skypePM
    2010-08-16 19:49 . 2010-08-16 19:49 388096 ----a-r- c:\documents and settings\Claire\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-08-15 19:53 . 2009-06-15 02:56 -------- d-----w- c:\program files\Lavasoft
    2010-08-15 19:53 . 2009-06-15 02:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2010-08-03 18:53 . 2010-08-03 18:53 61440 ----a-w- c:\documents and settings\Claire\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-729743f2-n\decora-sse.dll
    2010-08-03 18:53 . 2010-08-03 18:53 503808 ----a-w- c:\documents and settings\Claire\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6833b5d4-n\msvcp71.dll
    2010-08-03 18:53 . 2010-08-03 18:53 499712 ----a-w- c:\documents and settings\Claire\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6833b5d4-n\jmc.dll
    2010-08-03 18:53 . 2010-08-03 18:53 348160 ----a-w- c:\documents and settings\Claire\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6833b5d4-n\msvcr71.dll
    2010-08-03 18:53 . 2010-08-03 18:53 12800 ----a-w- c:\documents and settings\Claire\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-729743f2-n\decora-d3d.dll
    2010-07-12 08:56 . 2010-08-15 19:55 2979280 -c--a-w- c:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}\Ad-AwareInstall.exe
    2010-06-30 12:31 . 1980-01-01 04:00 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-24 12:22 . 1980-01-01 04:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-06-23 13:44 . 1980-01-01 04:00 1851904 ----a-w- c:\windows\system32\win32k.sys
    2010-06-21 15:27 . 1980-01-01 04:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-06-17 14:03 . 1980-01-01 04:00 80384 ----a-w- c:\windows\system32\iccvid.dll
    2010-06-14 14:31 . 2003-02-20 13:10 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
    2010-06-14 07:41 . 1980-01-01 04:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
    2010-06-11 14:51 . 2010-06-11 14:51 3055600 ----a-w- c:\documents and settings\Claire\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
    2010-06-11 14:36 . 2010-06-11 14:36 275952 ----a-w- c:\documents and settings\Claire\Application Data\Mozilla\plugins\npgoogletalk.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-08-08 28739]
    "Google Update"="c:\documents and settings\Claire\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-12-25 135664]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TrackPointSrv"="c:\program files\Lenovo\TrackPoint\tp4serv.exe" [2008-03-04 92960]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-07-30 118784]
    "TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2004-02-04 897024]
    "TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2004-08-06 94208]
    "EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2003-12-25 208896]
    "UC_Start"="c:\program files\IBM\Updater\\ucstartup.exe" [2004-06-25 36864]
    "dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-09-02 127035]
    "IBMPRC"="c:\ibmtools\UTILS\ibmprc.exe" [2004-03-19 90112]
    "QCWLICON"="c:\program files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2004-08-18 81920]
    "BMMGAG"="c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2004-07-29 110592]
    "BMMLREF"="c:\program files\ThinkPad\Utilities\BMMLREF.EXE" [2004-07-29 20480]
    "BMMMONWND"="c:\progra~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2004-07-29 395776]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-07-30 155648]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-6-14 24576]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
    2004-08-18 07:30 258048 ----a-w- c:\windows\system32\QConGina.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
    @="FSFilter Activity Monitor"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
    backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2009-02-27 21:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    2009-12-25 19:43 135664 ----atw- c:\documents and settings\Claire\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-07-21 13:53 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
    2000-08-08 20:00 311350 ----a-w- c:\program files\Microsoft Works\wkssb.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
    2000-08-08 20:00 28739 ----a-w- c:\program files\Microsoft Works\WkDetect.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-08-10 03:15 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\S3TRAY2]
    2001-10-12 03:32 69632 ----a-w- c:\windows\system32\S3Tray2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TP4EX]
    2002-09-04 05:05 53248 ----a-w- c:\windows\system32\TP4EX.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
    2003-08-19 05:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
    2000-08-08 20:00 24576 ----a-w- c:\program files\Microsoft Works\wkfud.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
     
  20. napol3on

    napol3on TS Rookie Topic Starter Posts: 27

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%ProgramFiles%\\IBM\\Updater\\jre\\bin\\javaw.exe"=
    "%ProgramFiles%\\IBM\\Updater\\jre\\bin\\java.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe"=
    "c:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Documents and Settings\\Claire\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
    "c:\\Documents and Settings\\Claire\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/15/2010 10:04 PM 64288]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1008000.029\SymEFA.sys [2/7/2010 1:13 AM 310320]
    R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1008000.029\BHDrvx86.sys [2/7/2010 1:13 AM 259632]
    R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1008000.029\cchpx86.sys [2/7/2010 1:11 AM 482432]
    R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100827.001\IDSXpx86.sys [8/28/2010 3:34 AM 331640]
    R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [6/14/2009 7:36 PM 16384]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/12/2010 10:55 AM 1355416]
    R2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe [2/7/2010 1:12 AM 117640]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/14/2009 9:53 PM 24652]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/26/2010 10:00 AM 102448]
    R3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [1/1/1980 6:00 AM 22568]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [8/15/2010 10:04 PM 15008]
    S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [6/14/2009 7:34 PM 12288]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-08-29 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-12 20:04]

    2010-08-03 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

    2009-06-14 c:\windows\Tasks\BMMTask.job
    - c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2009-06-14 05:37]

    2010-08-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2308305695-2515139700-4276091907-1005Core.job
    - c:\documents and settings\Claire\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-25 19:43]

    2010-08-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2308305695-2515139700-4276091907-1005UA.job
    - c:\documents and settings\Claire\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-25 19:43]
    .
    .
     
  21. napol3on

    napol3on TS Rookie Topic Starter Posts: 27

    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://mail.yahoo.com/
    uInternet Settings,ProxyOverride = *.local
    DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.com/s/v/56.20/uploader2.cab
    FF - ProfilePath - c:\documents and settings\Claire\Application Data\Mozilla\Firefox\Profiles\wf7v1w6y.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoomail.com/
    FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
    FF - plugin: c:\documents and settings\Claire\Application Data\Mozilla\Firefox\Profiles\wf7v1w6y.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
    FF - plugin: c:\documents and settings\Claire\Application Data\Mozilla\plugins\npgoogletalk.dll
    FF - plugin: c:\documents and settings\Claire\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
    FF - plugin: c:\documents and settings\Claire\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-Locked - (no file)
    HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
    MSConfigStartUp-GabPath - c:\documents and settings\Claire\Application Data\GabPath\GabPath.exe
    MSConfigStartUp-SfKg6wIPuSp - c:\documents and settings\Claire\Application Data\Microsoft\Windows\jnipmo.exe
    MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
    MSConfigStartUp-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe
    AddRemove-Teachers Report Assistant - f:\teachers report assistant\trhelpun.exe
     
  22. napol3on

    napol3on TS Rookie Topic Starter Posts: 27

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-08-29 12:41
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]
    "ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.8.0.41\diMaster.dll\" /prefetch:1"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(424)
    c:\windows\system32\WININET.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\IEFRAME.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\ibmpmsvc.exe
    c:\windows\system32\S24EvMon.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\System32\QCONSVC.EXE
    c:\windows\system32\RegSrvc.exe
    c:\windows\system32\TpKmpSVC.exe
    c:\windows\system32\SearchIndexer.exe
    c:\program files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    c:\program files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\RunDll32.exe
    c:\windows\system32\rundll32.exe
    c:\windows\System32\wbem\unsecapp.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
    .
    **************************************************************************
    .
    Completion time: 2010-08-29 12:49:24 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-08-29 10:48

    Pre-Run: 31,054,331,904 bytes free
    Post-Run: 31,017,230,336 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

    - - End Of File - - FC561A2FAFEFB3518EBDFAA59233D902
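Added example, not part of napol3on's post or of ComboFix itself: a small triage script over the "ORPHANS REMOVED" block printed above. The sample input is the seven orphan lines exactly as the log shows them; the `Kind-Name - target` line pattern, the per-user-profile path check and the "machine-generated name" heuristic (few vowels, or a digit wedged between letters) are my assumptions about what is worth flagging, not rules ComboFix applies. Run as-is it reports the two entries that point into Claire's Application Data, and marks the SfKg6wIPuSp entry, whose name carries no recognisable word, as the stronger suspect.

```python
import re

# Constructed sample: the ORPHANS REMOVED block as printed in the ComboFix log
# on this page. Nothing here is invented beyond what the log shows.
SAMPLE_ORPHANS = r"""
Toolbar-Locked - (no file)
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
MSConfigStartUp-GabPath - c:\documents and settings\Claire\Application Data\GabPath\GabPath.exe
MSConfigStartUp-SfKg6wIPuSp - c:\documents and settings\Claire\Application Data\Microsoft\Windows\jnipmo.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
MSConfigStartUp-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe
AddRemove-Teachers Report Assistant - f:\teachers report assistant\trhelpun.exe
"""

# Assumed line shape: "<Kind>-<Name> - <target>". The name may contain spaces,
# so it is matched non-greedily up to the first " - " separator.
ORPHAN_RE = re.compile(r"^(?P<kind>[A-Za-z]+)-(?P<name>.+?) - (?P<target>.+)$")

# Per-user, user-writable profile locations on Windows XP. Legitimate autostart
# software almost always installs under Program Files, so a target here is
# worth a second look (adware such as GabPath, above, drops itself there).
USER_PROFILE_RE = re.compile(
    r"^[a-z]:\\documents and settings\\[^\\]+\\(application data|local settings)\\",
    re.IGNORECASE,
)

VOWELS = set("aeiouAEIOU")


def parse_orphans(text):
    """Return a list of {kind, name, target} dicts, one per orphan line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ORPHAN_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def looks_random(name):
    """Heuristic for machine-generated names: under 25% vowels among the
    letters, or a digit sitting between two letters (e.g. 'Kg6w')."""
    letters = [c for c in name if c.isalpha()]
    if not letters:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    mid_digit = re.search(r"[A-Za-z]\d[A-Za-z]", name) is not None
    return vowel_ratio < 0.25 or mid_digit


def triage(entries):
    """Flag autostart entries that run from a user profile or carry a
    random-looking name. Entries with no backing file are skipped."""
    findings = []
    for e in entries:
        if e["target"].lower() == "(no file)":
            continue
        reasons = []
        if USER_PROFILE_RE.match(e["target"]):
            reasons.append("target lives in a per-user, user-writable profile directory")
        if looks_random(e["name"]):
            reasons.append("entry name looks machine-generated")
        if reasons:
            findings.append({"name": e["name"], "target": e["target"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(parse_orphans(SAMPLE_ORPHANS)):
        print(f"{f['name']}\n  {f['target']}")
        for r in f["reasons"]:
            print(f"  - {r}")
```

The heuristics are deliberately loose; they rank, they do not convict. GabPath is caught only by its location, which is consistent with the Adware.GabPath hit Malwarebytes reported earlier in the thread, while a random-looking name plus a binary hidden under a "Microsoft\Windows" folder in the profile is the pattern that deserves hashing and a second-opinion scan before anything is restored from quarantine.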
     
  23. napol3on

    napol3on TS Rookie Topic Starter Posts: 27

    this is all that SystemLook produced:

    SystemLook v1.0 by jpshortstuff (11.01.10)
    Log created at 13:11 on 29/08/2010 by Claire (Administrator - Elevation successful)

    ========== filefind ==========

    Searching for " redbook.*"
    No files found.

    Searching for " atapi.*"
    No files found.

    -=End Of File=-
     
  24. napol3on

    napol3on TS Rookie Topic Starter Posts: 27

    Ok, I think Ive done everything and have fingers crossed. Thanks again for your help.
     
  25. napol3on

    napol3on TS Rookie Topic Starter Posts: 27

    I was just able to do windows update again and not a single antivirus popup blocking something has come up since my computer last restarted! This is great : )
     
Topic Status:
Not open for further replies.
