Solved Norton 360 reports tidserv activity and cannot remove

Okay, first order of business is to get the firewall configured correctly: It appears that the firewall on the system has not been correctly set, as there should not be a separate entry for each executable if the program has been properly set. I think this may be what is causing all of the open ports.

To configure a program rule in Norton 360 to allow a program to access the Internet:
  1. Start Norton 360 > Click Settings > Click Firewall Protection.
  2. Select the Firewall Program Rules tab.
  3. Select League of Legends in the list of programs.
  4. Go to the Access column > click on the down arrow > choose Allow.
  5. Click Apply.
  Note: The Access column also has choices of Auto or Custom. Please check the Norton Help for assistance in setting these.
  Normally, with a new firewall, the first time you access the Internet using one of the programs on the computer, the firewall will ask if you want to allow the connection. There may also be a choice of 'always allow' or 'allow only this time'.

Reset Norton 360 firewall rules:
  1. Start Norton 360 > Click Settings > Click Firewall Protection.
  2. On the General Settings tab, click Reset.
  3. Click Yes to confirm.
  4. Click Close on the Firewall Protection window.

Modify firewall rules:
  1. Start Norton 360 > Click Settings > Click Firewall Protection.
  2. Select the Traffic Rules tab.
  3. Choose the rule you want to modify.
  4. Click Modify.
  5. Make the changes you want in the Modify Rule window.
  6. When finished, click OK.

===========================================
There are 88 separate executable files with firewall permissions. But they are only from a few programs:
"c:\\Program Files\\Messenger
"c:\\Program Files\\uTorrent
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\HP\\Digital Imaging
"c:\\Program Files\\Windows Live\\Messenger
"c:\\Program Files\\Pando Networks\\Media Booster
"c:\\Program Files\\Steam\\SteamApps
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus
"c:\\Program Files\\Skype\\Phone\
"c:\\Riot Games\\League of Legends\\lol.launcher.exe"=
----------------------------------------
If each of these programs had permission to pass through the firewall to the internet, that would only be 11 entries. This reduces your connection exposure immensely!
=========================================
Did you copy all of the script I set up to run through Combofix? I see that some of the entries remain. There is also a locked registry key I had set for deletion, but it also remains.
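The tally above (dozens of per-executable exceptions that collapse to about a dozen programs) can be done mechanically. The script below is an added example for this thread, not code from the original posts, ComboFix or Norton 360. It parses the firewall blocks that ComboFix prints under "Reg Loading Points" (the Windows Firewall exception lists stored under ...\firewallpolicy\standardprofile), groups the AuthorizedApplications entries by owning program, flags whitelisted paths that are not executables at all (the full log later in this thread contains help.htm, Readme.txt and QuickStart.pdf entries), flags GloballyOpenPorts entries that record no application name or sit on Windows service ports, and reports the profile's EnableFirewall value, since the same log shows it as 0. The sample input is a short excerpt constructed in the format of that log; the grouping rule and the list of risky ports are the editor's own choices, not anything Norton or ComboFix defines.

```python
"""Audit the Windows Firewall exception lists that ComboFix prints.
Added example for this thread, not code from the original posts, ComboFix or
Norton 360: groups AuthorizedApplications by program, flags whitelisted
non-executables and suspicious GloballyOpenPorts entries."""
import ntpath
import re
from collections import defaultdict

# Constructed sample in the same format as the ComboFix log in this thread.
SAMPLE_LOG = r'''
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\titan quest\\Titan Quest.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\titan quest\\help.htm"=
"c:\\Program Files\\Steam\\SteamApps\\common\\age of wonders\\Readme.txt"=
"c:\\Riot Games\\League of Legends\\lol.launcher.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"135:TCP"= 135:TCP:TCP Port 135
"5019:TCP"= 5019:TCP:TCP Port 5019
"8390:UDP"= 8390:UDP:League of Legends Game Client
'''

PROFILE_KEY = r"firewallpolicy\standardprofile"          # compared lower-case
APPS_KEY = PROFILE_KEY + r"\authorizedapplications\list"
PORTS_KEY = PROFILE_KEY + r"\globallyopenports\list"
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif"}
# Editor's list of Windows service ports a workstation should never expose.
RISKY_PORTS = {135: "RPC endpoint mapper", 137: "NetBIOS name service",
               138: "NetBIOS datagram", 139: "NetBIOS session", 445: "SMB"}
# XP names a port opened without an application "TCP Port NNN" / "UDP Port NNN".
GENERIC_PORT_NAME = re.compile(r"^(TCP|UDP) Port \d+$", re.IGNORECASE)
VALUE_LINE = re.compile(r'^"([^"]+)"=\s*(.*)$')


def program_of(path):
    """Directory that names the program: skip the drive and the generic
    'Program Files' / 'Common Files' levels."""
    parts = path.split("\\")
    if re.fullmatch(r"[A-Za-z]:", parts[0]):
        parts = parts[1:]
    while len(parts) > 1 and parts[0].lower() in ("program files", "common files"):
        parts = parts[1:]
    return parts[0]


def audit(log_text):
    section, enabled = "", None
    by_program, non_exec, ports = defaultdict(list), [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        m = VALUE_LINE.match(line)
        if not m:
            continue
        name, rest = m.group(1), m.group(2).strip()
        if section.endswith(APPS_KEY):
            path = name.replace("\\\\", "\\")        # undo REGEDIT4 escaping
            by_program[program_of(path)].append(path)
            if ntpath.splitext(path)[1].lower() not in EXECUTABLE_EXTS:
                non_exec.append(path)
        elif section.endswith(PORTS_KEY):
            fields = rest.split(":", 2)               # port:proto:description
            if len(fields) != 3:
                continue
            port, proto, desc = int(fields[0]), fields[1].upper(), fields[2].strip()
            flags = [RISKY_PORTS[port]] if port in RISKY_PORTS else []
            if GENERIC_PORT_NAME.match(desc):
                flags.append("no owning application recorded")
            ports.append({"port": port, "proto": proto, "name": desc, "flags": flags})
        elif section.endswith(PROFILE_KEY) and name == "EnableFirewall":
            enabled = rest.split()[0] != "0"
    return {
        "firewall_enabled": enabled,
        "entries": sum(len(v) for v in by_program.values()),
        "programs": {k: len(v) for k, v in by_program.items()},
        "non_executables": non_exec,
        "open_ports": len(ports),
        "flagged_ports": [p for p in ports if p["flags"]],
    }


def report(result):
    """Human-readable summary of audit()."""
    out = [f"EnableFirewall={result['firewall_enabled']} (False: Windows Firewall not enforcing)",
           f"{result['entries']} application exceptions from {len(result['programs'])} programs"]
    out += [f"  {n:3d}  {prog}" for prog, n in sorted(result["programs"].items())]
    out += [f"  NOT AN EXECUTABLE: {p}" for p in result["non_executables"]]
    out.append(f"{result['open_ports']} globally open ports, flagged:")
    out += [f"  {p['port']}/{p['proto']} '{p['name']}': " + ", ".join(p["flags"])
            for p in result["flagged_ports"]]
    return "\n".join(out)


if __name__ == "__main__":
    print(report(audit(SAMPLE_LOG)))
```

Run it against the "Reg Loading Points" section of a real ComboFix log by passing the file contents to audit(). Two caveats: the list it reads is the Windows Firewall's own exception list, so with EnableFirewall = 0 those entries are not being enforced by Windows (a third-party firewall such as Norton 360 is in charge instead), and a whitelisted .htm, .txt or .pdf is harmless by itself but shows the list was populated by an installer rather than by deliberate choice.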
 
I modified the League of Legends entry, but it disappeared after the rules reset. I can just modify it again when it pops back up. After the reset, two entries remained in the program rules section: Internet Explorer and Generic Host Process for Win32 Services; both are on Auto. I don't know what most of the traffic rules do, so I'm not sure if I should modify any of them. I am personally certain that I copied the script completely, but since it disappeared from the desktop when dragged over ComboFix, I can't verify that.
 
Holiday Notice! I will not be working on the threads Sat. Dec. 24 or Sunday Dec. 25. I will begin with the oldest threads first on Monday. I will do my best to get you finished or as far along as I can before that. Please do not send a PM during those days.
-----------------------------------------
About the firewall: You need to take some responsibility for the firewall if you're going to use one. Someone with experience is telling you it's not set up correctly and poses a vulnerability to the system. I would guess that if you looked in the Symantec Support or perhaps one of their forums, you could possibly learn more that would make you confident in the settings. I have given you the information, I have given you the tools; using them, or not, is up to you.
===============================
internet explorer, and generic host process for win32 services; both are on auto.
If IE is your default browser, these 2 are fine.
==============================
Please run this Custom CFScript:

  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open Notepad > click on Format > uncheck 'Word Wrap' > and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
Code:
File::
Folder::
C:\2f285ebdfb9ed59c8a6875e3ff4699e2
C:\3a7e93e5a4606a81ac8ad4
C:\TDSSKiller_Quarantine
ClearJavaCache::
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SansaDispatch = c:\documents and settings\Main\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe?m%3d%26is-debug%3d%26rom-version%3d%26part-number%3d%26product-n????7?2? ??????????????
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5000:TCP"=- 
"5001:TCP"=-
"5002:TCP"=-
"5003:TCP"=-
"5004:TCP"=-
"5005:TCP"=-
"5006:TCP"=-
"5007:TCP"=-
"5008:TCP"=-
"5009:TCP"=-
"5010:TCP"=-
"5011:TCP"=-
"5012:TCP"=-
"5013:TCP"=-
"5014:TCP"=-
"5015:TCP"=-
"5016:TCP"=-
"5017:TCP"=-
"5018:TCP"=-
"5018:TCP"=-
"5020:TCP"=-


Reboot::
Save this as CFScript.txt, in the same location as ComboFix.exe
(Image: CFScriptB-4.gif, showing CFScript.txt being dragged onto ComboFix.exe)


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it in your next reply.
====================
This needs to be removed: my scanners can't read the characters. This is the registry entry:
[HKEY_USERS\S-1-5-21-1844237615-1957994488-839522115-1004\Software\KISS\«0¹0¿0à0á0¤0É03*D*]
"InstallPath"="c:\\MST3K\\mtadfk.com\\custom maid\\ƒJƒXƒ^ƒ€ƒƒCƒh3D"

This is the program: ƒJƒXƒ^ƒ€ƒƒCƒh3D
Jan 28, 2011 – Game Information English: Custom Maid 3D Japanese: カスタムメイド3D Company: KISS Release: 2011-01-28 Game.
hxxp://scratchpad.wikia.com/wiki/Custom_Maid_3D
====================
First, set up a Directory for HijackThis as follows:
Right click Taskbar > Explore > My Computer > Local Drive (C:) > File > New > Folder > Name the folder HijackThis
Exit Explorer
You now have a folder C:\HijackThis
-----------------------------------------
Download HijackThis from http://download.bleepingcomputer.com/hijackthis/HijackThis.zip and save it to your desktop.
  • Click on the HJT icon > 'Extract all files' > Extraction Wizard > Click on Browse to the right of the dialogue box that says 'Select a folder'.
  • Extract it to the directory on your hard drive you created, C:\HijackThis.
  • Then navigate to that directory and double-click on the hijackthis.exe file.
  • When started, click on the Scan button and then the Save Log button to create a log of your information.
  • The log will then open in Notepad. Be sure to click on Format > Uncheck Word Wrap when you open Notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
=================================
Please let me know if any problems remain.
 
ComboFix 11-12-22.04 - Main 12/23/2011 0:37.3.4 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3327.2406 [GMT -5:00]
Running from: c:\documents and settings\Main\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Main\Desktop\CFScript.txt
AV: Norton 360 Premier Edition *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 Premier Edition *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\2f285ebdfb9ed59c8a6875e3ff4699e2
c:\2f285ebdfb9ed59c8a6875e3ff4699e2\amd64\filterpipelineprintproc.dll
c:\2f285ebdfb9ed59c8a6875e3ff4699e2\amd64\msxpsdrv.cat
c:\2f285ebdfb9ed59c8a6875e3ff4699e2\amd64\msxpsdrv.inf
c:\2f285ebdfb9ed59c8a6875e3ff4699e2\amd64\msxpsinc.gpd
c:\2f285ebdfb9ed59c8a6875e3ff4699e2\amd64\msxpsinc.ppd
c:\2f285ebdfb9ed59c8a6875e3ff4699e2\amd64\mxdwdrv.dll
c:\2f285ebdfb9ed59c8a6875e3ff4699e2\amd64\xpssvcs.dll
c:\2f285ebdfb9ed59c8a6875e3ff4699e2\i386\filterpipelineprintproc.dll
c:\2f285ebdfb9ed59c8a6875e3ff4699e2\i386\msxpsdrv.cat
c:\2f285ebdfb9ed59c8a6875e3ff4699e2\i386\msxpsdrv.inf
c:\2f285ebdfb9ed59c8a6875e3ff4699e2\i386\msxpsinc.gpd
c:\2f285ebdfb9ed59c8a6875e3ff4699e2\i386\msxpsinc.ppd
c:\2f285ebdfb9ed59c8a6875e3ff4699e2\i386\mxdwdrv.dll
c:\2f285ebdfb9ed59c8a6875e3ff4699e2\i386\xpssvcs.dll
C:\3a7e93e5a4606a81ac8ad4
c:\3a7e93e5a4606a81ac8ad4\amd64\filterpipelineprintproc.dll
c:\3a7e93e5a4606a81ac8ad4\amd64\msxpsdrv.cat
c:\3a7e93e5a4606a81ac8ad4\amd64\msxpsdrv.inf
c:\3a7e93e5a4606a81ac8ad4\amd64\msxpsinc.gpd
c:\3a7e93e5a4606a81ac8ad4\amd64\msxpsinc.ppd
c:\3a7e93e5a4606a81ac8ad4\amd64\mxdwdrv.dll
c:\3a7e93e5a4606a81ac8ad4\amd64\xpssvcs.dll
c:\3a7e93e5a4606a81ac8ad4\i386\filterpipelineprintproc.dll
c:\3a7e93e5a4606a81ac8ad4\i386\msxpsdrv.cat
c:\3a7e93e5a4606a81ac8ad4\i386\msxpsdrv.inf
c:\3a7e93e5a4606a81ac8ad4\i386\msxpsinc.gpd
c:\3a7e93e5a4606a81ac8ad4\i386\msxpsinc.ppd
c:\3a7e93e5a4606a81ac8ad4\i386\mxdwdrv.dll
c:\3a7e93e5a4606a81ac8ad4\i386\xpssvcs.dll
C:\TDSSKiller_Quarantine
c:\tdsskiller_quarantine\15.12.2011_18.09.52\rtkt0000\object.ini
c:\tdsskiller_quarantine\15.12.2011_18.09.52\rtkt0000\svc0000\object.ini
c:\tdsskiller_quarantine\15.12.2011_18.09.52\rtkt0000\svc0000\tsk0000.dta
c:\tdsskiller_quarantine\15.12.2011_18.09.52\rtkt0000\svc0000\tsk0000.ini
c:\windows\system32\oobe\isperror
c:\windows\system32\oobe\isperror\ispcnerr.htm
c:\windows\system32\oobe\isperror\ispdtone.htm
c:\windows\system32\oobe\isperror\isphdshk.htm
c:\windows\system32\oobe\isperror\ispins.htm
c:\windows\system32\oobe\isperror\ispnoanw.htm
c:\windows\system32\oobe\isperror\isppberr.htm
c:\windows\system32\oobe\isperror\ispphbsy.htm
c:\windows\system32\oobe\isperror\ispsbusy.htm
.
.
((((((((((((((((((((((((( Files Created from 2011-11-23 to 2011-12-23 )))))))))))))))))))))))))))))))
.
.
2011-12-17 21:35 . 2011-12-17 21:35 -------- d-----w- c:\program files\ESET
2011-12-17 21:14 . 2011-12-17 21:14 -------- d-----w- c:\program files\Common Files\Java
2011-12-17 21:14 . 2011-12-17 21:13 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-12-17 21:14 . 2011-12-17 21:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-12-17 21:13 . 2011-12-17 21:13 -------- d-----w- c:\program files\Java
2011-12-15 17:09 . 2011-12-15 17:09 -------- d-----w- c:\documents and settings\Main\Application Data\Malwarebytes
2011-12-15 17:09 . 2011-12-15 17:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-12-15 17:09 . 2011-12-15 17:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-15 17:09 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-14 15:54 . 2011-12-15 02:27 -------- d-----w- c:\documents and settings\Main\Local Settings\Application Data\SanctionedMedia
2011-12-09 01:26 . 2008-05-02 13:25 465920 -c----w- c:\windows\system32\dllcache\imapi2fs.dll
2011-12-09 01:26 . 2008-05-02 13:25 465920 ------w- c:\windows\system32\imapi2fs.dll
2011-12-09 01:26 . 2008-05-02 13:25 317952 -c----w- c:\windows\system32\dllcache\imapi2.dll
2011-12-09 01:26 . 2008-05-02 13:25 317952 ------w- c:\windows\system32\imapi2.dll
2011-12-09 01:26 . 2008-05-02 10:49 62976 -c----w- c:\windows\system32\dllcache\cdrom.sys
2011-12-02 16:44 . 2011-12-02 16:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Playrix Entertainment
2011-11-26 12:44 . 2011-07-07 23:21 876136 ----a-w- c:\windows\system32\nvhdagenco3220102.dll
2011-11-26 12:33 . 2007-06-29 19:47 34304 ----a-w- c:\windows\system32\drivers\AmdLLD.sys
2011-11-26 12:33 . 2011-11-26 12:33 -------- d-----w- c:\program files\AMD
2011-11-26 12:33 . 2011-11-26 12:33 -------- d-----w- c:\documents and settings\Main\Local Settings\Application Data\Downloaded Installations
2011-11-26 12:18 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2011-11-26 12:18 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2011-11-26 12:18 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2011-11-26 12:18 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-16 02:46 . 2004-08-04 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-11-26 12:57 . 2009-08-18 16:30 564632 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\wlidui.dll
2011-11-26 12:57 . 2009-08-18 16:24 18328 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-11-23 13:25 . 2004-08-04 12:00 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20 . 2004-08-04 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2004-08-04 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2004-08-04 12:00 385024 ------w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2004-08-04 12:00 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2004-08-04 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37 . 2004-08-04 12:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2004-08-03 22:59 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-24 08:55 . 2011-10-24 08:55 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-18 11:13 . 2004-08-04 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22 . 2008-12-01 14:48 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-08 04:50 . 2011-07-27 17:11 298304 ----a-w- c:\windows\system32\nvsvc32.exe
2011-10-08 04:50 . 2011-07-27 17:11 602432 ----a-w- c:\windows\system32\easyupdatusapiu.dll
2011-10-08 04:50 . 2011-07-27 17:11 54272 ----a-w- c:\windows\system32\nvwddi.dll
2011-10-08 04:50 . 2011-07-27 17:11 220992 ----a-w- c:\windows\system32\nvcolor.exe
2011-10-08 04:50 . 2011-07-27 17:11 203072 ----a-w- c:\windows\system32\nvmctray.dll
2011-10-08 04:50 . 2011-07-27 17:11 16744256 ----a-w- c:\windows\system32\nvcpl.dll
2011-10-08 04:50 . 2010-12-16 19:22 919872 ----a-w- c:\windows\system32\nvdispco32.dll
2011-10-08 04:50 . 2010-12-16 19:22 877376 ----a-w- c:\windows\system32\nvgenco32.dll
2011-10-08 04:50 . 2010-12-16 19:22 65536 ----a-w- c:\windows\system32\OpenCL.dll
2011-10-08 04:50 . 2010-12-16 19:22 5595136 ----a-w- c:\windows\system32\nvcuda.dll
2011-10-08 04:50 . 2010-12-16 19:22 2398016 ----a-w- c:\windows\system32\nvcuvid.dll
2011-10-08 04:50 . 2010-12-16 19:22 2099520 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-10-08 04:50 . 2010-12-16 19:22 17956864 ----a-w- c:\windows\system32\nvoglnt.dll
2011-10-08 04:50 . 2010-12-16 19:22 2449408 ----a-w- c:\windows\system32\nvapi.dll
2011-10-08 04:50 . 2010-12-16 19:22 17240064 ----a-w- c:\windows\system32\nvcompiler.dll
2011-10-08 04:50 . 2004-08-04 07:56 4226688 ----a-w- c:\windows\system32\nv4_disp.dll
2011-10-08 04:50 . 2004-08-04 05:29 12791488 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2011-09-28 22:45 . 2011-09-28 22:45 15453832 ----a-w- c:\windows\system32\xlive.dll
2011-09-28 22:45 . 2011-09-28 22:45 13642888 ----a-w- c:\windows\system32\xlivefnt.dll
2011-09-28 07:06 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41 . 2010-03-18 14:09 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41 . 2004-08-04 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41 . 2004-08-04 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2011-12-18_00.20.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-12-23 05:52 . 2011-12-23 05:52 16384 c:\windows\Temp\Perflib_Perfdata_5f0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SansaDispatch"="c:\documents and settings\Main\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2010-12-15 79872]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2009-10-27 1103216]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-03-26 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2009-09-30 718688]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-10-08 16744256]
"NvMediaCenter"="NvMCTray.dll" [2011-10-08 203072]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2011-10-08 1632360]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-03-13 81920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2010-08-26 15:24 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\alien swarm\\srcds.exe"=
"c:\\Riot Games\\League of Legends\\lol.launcher.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\deus ex\\System\\DeusEx.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\chantelise\\chantelise.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\chantelise\\custom.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\tidalis\\Tidalis.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\plants vs zombies\\PlantsVsZombies.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\dreddvsdeath\\Dredd.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\titan quest\\Titan Quest.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\titan quest\\help.htm"=
"c:\\Program Files\\Steam\\SteamApps\\common\\ghost master\\ghost.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\thief deadly shadows\\System\\runme.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\bioshock\\Builds\\Release\\Bioshock.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\star raiders\\StarRaiders.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\the undergarden\\TheUndergarden.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\ghostbusters sanctum of slime\\Game\\GhostBustersSOS.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\universe at war earth assault\\LaunchUAW.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\space siege\\Space Siege\\SpaceSiege.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\aaaaaaaaaaaaaaaaaaaaaaaaa!!!\\main.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\oddworld abes oddysee\\AbeWin.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\oddworld abes exoddus\\Exoddus.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\on the rain-slick precipice of darkness - episode one\\RainSlickEp1.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\penny arcade adventures on the rain-slick precipice of darkness episode 2\\RainSlickEp2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\puzzle chronicles\\PuzzleChronicles.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\mrrobot\\MrRobot.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\shatter\\ShatterSettingsEditor.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\project aftermath\\ProjectAftermath.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\spectromancer\\Spectromancer.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\droplitz\\Cascade.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\the last remnant\\Binaries\\TLR.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\poker night at the inventory\\CelebrityPoker.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\zombie driver\\Release\\ZombieDriver.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\light of altair\\Altair.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\avencast\\Avencast.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\grotesque tactics\\GrotesqueTactics.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\armada 2526\\bin\\Armada2526.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\command and conquer 4 tiberian twilight\\CNC4.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\command and conquer 4 tiberian twilight\\Support\\EA Help\\Electronic_Arts_Technical_Support.htm"=
"c:\\Program Files\\Steam\\SteamApps\\common\\age of wonders\\Launcher.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\age of wonders\\AoWSetup.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\age of wonders\\Readme.txt"=
"c:\\Program Files\\Steam\\SteamApps\\common\\age of wonders\\QuickStart.pdf"=
"c:\\Program Files\\Steam\\SteamApps\\common\\age of wonders\\AoWEd.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\recettear\\recettear.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\recettear\\custom.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\ares\\ARES.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\spiral knights\\java_vm\\bin\\javaw.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\breath of death vii\\BoDVIIPC.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\cthulhu saves the world\\CSTW.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\alien swarm\\swarm.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\team fortress 2 meet the medic\\smp.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\post apocalyptic mayhem\\PAMMainGame.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\sid meier's civilization v\\Launcher.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\portal 2\\portal2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\titan quest immortal throne\\Tqit.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\titan quest immortal throne\\help.htm"=
"c:\\Program Files\\Steam\\SteamApps\\common\\deus ex - human revolution\\dxhr.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\sanctum\\Binaries\\Win32\\SanctumGame-Win32-Shipping.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\back to the future ep 2\\BackToTheFuture102.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\tomb raider anniversary\\tra.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\bejeweled 3\\Bejeweled3.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\magicka\\Magicka.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\4 elements\\4 Elements.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\batman2\\Binaries\\Win32\\BatmanAC.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\batman2\\RunLauncher.bat"=
"c:\\Program Files\\Steam\\SteamApps\\common\\dungeon defenders\\Binaries\\Win32\\DungeonDefenders.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\defensegridtheawakening\\DefenseGrid.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"135:TCP"= 135:TCP:TCP Port 135
"5019:TCP"= 5019:TCP:TCP Port 5019
"50942:TCP"= 50942:TCP:CharBuilderFull
"50942:UDP"= 50942:UDP:CharBuilderFull
"19585:TCP"= 19585:TCP:CharBuilderFull
"19585:UDP"= 19585:UDP:CharBuilderFull
"57330:TCP"= 57330:TCP:pando Media Booster
"57330:UDP"= 57330:UDP:pando Media Booster
"8381:TCP"= 8381:TCP:League of Legends Launcher
"8381:UDP"= 8381:UDP:League of Legends Launcher
"8382:TCP"= 8382:TCP:League of Legends Launcher
"8382:UDP"= 8382:UDP:League of Legends Launcher
"8383:TCP"= 8383:TCP:League of Legends Launcher
"8383:UDP"= 8383:UDP:League of Legends Launcher
"8397:TCP"= 8397:TCP:League of Legends Launcher
"8397:UDP"= 8397:UDP:League of Legends Launcher
"6968:TCP"= 6968:TCP:League of Legends Launcher
"6968:UDP"= 6968:UDP:League of Legends Launcher
"8398:TCP"= 8398:TCP:League of Legends Launcher
"8398:UDP"= 8398:UDP:League of Legends Launcher
"8393:TCP"= 8393:TCP:League of Legends Lobby
"8393:UDP"= 8393:UDP:League of Legends Lobby
"8390:TCP"= 8390:TCP:League of Legends Game Client
"8390:UDP"= 8390:UDP:League of Legends Game Client
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0501000.01D\SymDS.sys [5/18/2011 3:23 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0501000.01D\SymEFA.sys [5/18/2011 3:23 PM 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\BASHDefs\20111221.003\BHDrvx86.sys [12/21/2011 7:46 PM 819320]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [3/23/2009 1:07 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [3/23/2009 1:07 PM 67656]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0501000.01D\Ironx86.sys [5/18/2011 3:23 PM 136312]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/15/2011 12:09 PM 366152]
R2 N360;Norton 360;c:\program files\Norton 360 Premier Edition\Engine\5.1.0.29\ccSvcHst.exe [5/18/2011 3:22 PM 130008]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [7/27/2011 12:11 PM 2253120]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [12/15/2011 2:08 PM 106104]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\IPSDefs\20111222.001\IDSXpx86.sys [12/22/2011 8:21 PM 356280]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/15/2011 12:09 PM 22216]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [7/27/2011 12:10 PM 119656]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/3/2009 10:10 AM 717296]
S2 {09BB444F-B2E2-4009-BAF2-7B727681223E};BuddyVM;\??\c:\mst3k\Titan\SlaveMaker15x5\Hitomi - My Stepsister\Hitomi\VMLaunch\BuddyVM.sys --> c:\mst3k\Titan\SlaveMaker15x5\Hitomi - My Stepsister\Hitomi\VMLaunch\BuddyVM.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [3/23/2009 1:07 PM 12872]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.thenorthernempire.com/forum/index.php
TCP: DhcpNameServer = 216.104.96.22 216.104.98.222
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-23 00:54
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SansaDispatch = c:\documents and settings\Main\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe?m%3d%26is-debug%3d%26rom-version%3d%26part-number%3d%26product-n????7?2? ??????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360 Premier Edition\Engine\5.1.0.29\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360 Premier Edition\Engine\5.1.0.29\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1844237615-1957994488-839522115-1004\Software\KISS\«0¹0¿0à0á0¤0É03*D*]
"InstallPath"="c:\\MST3K\\mtadfk.com\\custom maid\\ƒJƒXƒ^ƒ€ƒƒCƒh3D"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(732)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(1472)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\RunDLL32.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2011-12-23 00:56:07 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-23 05:56
ComboFix2.txt 2011-12-18 00:23
ComboFix3.txt 2011-12-16 03:46
.
Pre-Run: 68,510,912,512 bytes free
Post-Run: 68,518,604,800 bytes free
.
- - End Of File - - FEFA82E8DDB6BAA6AB22087E38A00D30
 
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:07:39 AM, on 12/23/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Norton 360 Premier Edition\Engine\5.1.0.29\ccSvcHst.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Documents and Settings\Main\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Norton 360 Premier Edition\Engine\5.1.0.29\ccSvcHst.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\ctfmon.exe
C:\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thenorthernempire.com/forum/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360 Premier Edition\Engine\5.1.0.29\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360 Premier Edition\Engine\5.1.0.29\IPS\IPSBHO.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360 Premier Edition\Engine\5.1.0.29\coIEPlg.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [XboxStat] "c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nview\nwiz.exe /installquiet
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [SansaDispatch] C:\Documents and Settings\Main\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.10.115.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1311560637109
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: intu-tt2010 - {97A0575E-2309-4E75-8509-B1F9390C4DE7} - C:\Program Files\TurboTax 2010\ic2010pp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360 Premier Edition\Engine\5.1.0.29\ccSvcHst.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe

--
End of file - 8506 bytes
 
As to the holidays, I will be out of town and therefore unable to work on my computer from the 27th through the 3rd.
 
It has occurred to me that we are talking at cross purposes on the open ports/Norton firewall issue, and it's completely my fault. When you first asked if I opened those ports I mistakenly thought you meant forwarding the ports in my router, which I have done; but I now realize you said the Norton 360 firewall, which I have not touched except rarely to change a game from 'auto' to 'allow' when experiencing performance issues. My apologies for the misunderstanding, and for any difficulty this has caused in our work.
 
We'll talk when we both return.
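A HijackThis log like the one above is triaged by reading each Oxx entry and checking the file it points at. The script below is an added example, not code from this thread, from HijackThis or from Trend Micro: it parses the entry lines, extracts the path, and flags the three patterns a removal helper checks first (an entry whose file is gone, an autostart that runs from a user-writable profile directory, and a non-Windows DLL hooked into the logon process). The heuristics, the list of directories it treats as user-writable, and the short sample log it embeds (a few entries modelled on the log above) are all this example's own assumptions.

```python
"""Triage helper for HijackThis v2 logs.

Added example, not part of the original thread or of HijackThis itself.
It parses the 'Oxx - ...' entry lines, pulls out the file path each entry
points at, and flags the patterns a malware-removal helper looks at first.
The heuristics and the sample log below are this example's own assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample in HijackThis format, modelled on the log in the thread.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre6\\bin\\ssv.dll
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup
O4 - HKCU\\..\\Run: [SansaDispatch] C:\\Documents and Settings\\Main\\Application Data\\SanDisk\\Sansa Updater\\SansaDispatch.exe
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O20 - Winlogon Notify: !SASWinLogon - C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.DLL
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\\Program Files\\Norton 360 Premier Edition\\Engine\\5.1.0.29\\ccSvcHst.exe
"""

# HijackThis entry lines start with a section code (R0, O2, O4, O23 ...).
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# First Windows file path on the line; non-greedy so a quoted path followed by
# arguments ("...\qttask.exe" -atboottime) stops at the extension.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|scr|cab|sys)", re.IGNORECASE)

# Directory fragments a normal user can write to (assumed list). Autostarts
# living here deserve a second look; per-machine software rarely runs from them.
USER_WRITABLE = ("\\documents and settings\\", "\\users\\", "\\application data\\",
                 "\\appdata\\", "\\local settings\\", "\\temp\\", "\\programdata\\")
# Sections whose DLLs are loaded into winlogon/explorer at logon.
HOOK_SECTIONS = {"O20", "O21", "O22"}


@dataclass
class Finding:
    section: str
    reason: str
    entry: str


def file_path(entry: str):
    """Return the first Windows file path in an entry, or None if it has none."""
    m = PATH_RE.search(entry)
    return m.group(0) if m else None


def classify(section: str, entry: str):
    """Yield every reason (possibly none) an entry should be reviewed."""
    if "(no file)" in entry:
        yield "orphaned entry: registry still references a file that is gone"
    path = file_path(entry)
    low = path.lower() if path else ""
    if path and any(frag in low for frag in USER_WRITABLE):
        yield "runs from a user-writable profile directory"
    if section in HOOK_SECTIONS and path and "\\windows\\" not in low:
        yield "third-party DLL hooked into the logon process"


def triage(log_text: str):
    """Parse a HijackThis log and return the entries worth a second look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, process list, blank line
        section, entry = m.groups()
        for reason in classify(section, entry):
            findings.append(Finding(section, reason, entry))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.entry}")
```

Run as-is it reports the orphaned O2 BHO (the "(no file)" entry), the HKCU Run entry for SansaDispatch because it executes from under Documents and Settings, and the O20 Winlogon Notify DLL because it is a non-Windows DLL loaded at logon. A flag is a reason to look at the file, not a verdict: the paths in the log say the last two belong to the SanDisk updater and to SUPERAntiSpyware. The same three checks applied to the full log above single out the same three lines.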

Holiday Notice! I will not be working on the threads Sat. Dec. 24 or Sunday Dec. 25. I will begin with the oldest threads first on Monday. I will do my best to get you finished or as far along as I can before that. Please do not send a PM during those days.
 
I had posted another notice that I would not be on the board Dec. 31 and Jan.1. I am trying to get caught up now.

Please attempt to update and scan with the Eset Online Virus scanner again.

Update and rescan with Malwarebytes: Note: On the Scanner tab, make sure the Perform Full Scan option is selected and then click on the Scan button.
When the scan has finished, you will see this image:
(screenshot: scan-finished.jpg)

  • Click on OK to close box and continue.
  • Click on the Show Results button.
  • Click on the Remove Selected button to remove all the listed malware.
  • At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format> Uncheck Word Wrap before copying the log to paste in your next reply.
================================
Please advise me of any changes in the system and/or whether the original problem has been resolved.
================================
Does the Norton tidserv alert look anything like this?
(attached screenshot of a Norton alert)
 
As I mentioned in reply #17, the tidserv warning stopped early in the cleaning process, but there were other issues you mentioned: a rootkit with a backdoor, and a rogue program that pretends to be a security update for Windows (reply #16).

Going back through my security history I found the alert; it looked a little different from the image you posted:
- Activity: An intrusion attempt by 27.255.64.111 requiring manual removal was detected.
- Recommended action: You need to remove this threat manually.
- Replace Risk Name with IPS Alert Name: System Infected: Tidserv Activity 2
- Default Action and Action Taken: removal instructions
- The IP addresses involved were different and mine was in VOLUME3
- Instead of "Stop notifying me" it was "removal instructions"

The removal instructions at the time led me to the Norton TDSS fix, which did not work.

Scan results will follow.
 
ESET Scan:
C:\Qoobox\Quarantine\C\TDSSKiller_Quarantine\15.12.2011_18.09.52\rtkt0000\svc0000\tsk0000.dta.vir a variant of Win32/Rootkit.Kryptik.GY trojan
 
Malwarebytes Anti-Malware (Trial) 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.03.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Main :: HOME [administrator]

Protection: Disabled

1/4/2012 12:37:16 AM
mbam-log-2012-01-04 (00-37-16).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 385126
Time elapsed: 1 hour(s), 33 minute(s), 57 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 
As to changes in the system I have not installed or uninstalled any programs. I used regedit to get rid of the Japanese character registry entry. I can't think of any other possible changes.
 
Did you intentionally download this: Malwarebytes Anti-Malware (Trial) 1.60.0.1800? This is not the link we gave you. You were instructed not to make any changes in the registry while I was helping you.

Have the problems been resolved? Have the Norton alerts stopped?
 
Sounds like we got it all! If there are no more problems, you can remove all of the tools we used and the files and folders they created:
  • Uninstall ComboFix and all Backups of the files it deleted
    [o] Click START> then RUN
    [o] Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  • Download OTCleanIt by OldTimer and save it to your Desktop.
    [o] Double click OTCleanIt.exe.
    [o] Click the CleanUp! button.
    [o] If you are prompted to Reboot during the cleanup, select Yes.
    [o] The tool will delete itself once it finishes.
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
  • Set a new, clean Restore Point
    [o] Click on Start> right click on Computer> Properties
    [o] Select System Protection
    [o] Click on the Create button (near bottom)
    [o] Type a name for the Restore Point
    [o] Click on Create again to save the restore point.
  • Deleting all but the most recent System Protection point in Windows 7
    [o] Click Start> Computer> right click the C Drive and choose Properties> enter.
    [o] Click Disk Cleanup from there.
    (screenshot: image2.png)

    [o] Click Clean up system files
    This restarts Disk Cleanup to run in elevated mode.
    [o] Click the More Options tab
    (screenshot: w7-srp2.png)

    [o] Click the Clean up under System Restore and Shadow Copies.
    [o] Click OK.
    [o] You will get a confirmation screen> Just click Delete.
    [o] Click OK on the Disk Cleanup Screen.
    [o] Click Delete Files on the Confirmation screen.
(screenshot: image6.png)

This runs the Disk Cleanup utility along with any other selections you have chosen. (If you had a lot of System Restore points, you will see a significant change in the free space on the C drive.)
Images courtesy lytebyte.

Empty the Recycle Bin
 