
ottimo

Members · 15 posts · Reputation: 0 Neutral
  1. No, that takes care of it...no more questions. Thank you again for your help. I'm impressed with your service/help and will keep that in mind. Take care.
  2. Okay, ComboFix was uninstalled...it asked me to turn off Norton first, then once I did that, I got the "successfully uninstalled" message. (I did turn Norton back on.) Re-did the defogger to make sure CD emulators are enabled. So, just one more question to make sure I've got this: When I opened up the Windows "Security Center" from control panel, it shows reports on three things: Firewall, Automatic Updates, and Virus Protection. All three are listed as "on." Below those three bars are three buttons, including the one to "Windows Firewall." When I click on that, it opens up a window that allows me to select whether the windows firewall is on or off--and it shows that the "off" option is selected. So, the fact that it is showing that a firewall is on but windows firewall is off suggests to me that, perhaps, when I installed Zone Alarm, the windows firewall was turned off, but the main windows security center shows "firewall on" because Zone Alarm is functioning. Does that sound generally right and all o.k.?
  3. Hi Elise - Thanks so much for your help and for providing this service in general. Also, "Kitty had a snack"...some kind of inside fun? Before I go, a few questions about the "all clean" instructions and finishing up:
     1. I did "combofix /uninstall" in start > run, but the ComboFix icon is still on my desktop. Did it not uninstall?
     2. Before you started helping me, I tried working through the pinned post, "I'm infected, what do I do now." In doing so, I ran or attempted to run the defogger. I don't see an icon for it on my desktop, but I did delete a couple of logs it created. Is there anything I need to do to make sure it's gone and all is returned to normal regarding that application (or whatever it should be called)?
     3. I installed the free Zone Alarm firewall. Is there any conflict between it and Windows Firewall? Can I keep both of them on?
     4. Regarding SpyBot, MBAM, and Super Antispyware: Is there any problem with keeping all three on my computer?
     5. Teatimer: Do you have any recommendation about whether to enable it? I have limited space on this old computer and if it's redundant, I'd just as soon leave it off.
     Basically, to summarize, this is what I've got now:
     - Norton AntiVirus
     - Spyware Blaster
     - Windows Firewall
     - Windows Defender
     - Zone Alarm Firewall
     - SpyBot S&D w/its TeaTimer
     - MBAM
     - Super AntiSpyware
     (and the recommended MVPs hosts file)
     Overall, I guess I just want to make sure there are no conflicts or ridiculous redundancies. Thanks, ottimo
  4. ESET results --
     C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BugDoctor7.zip    Win32/Bagle.gen.zip worm    cleaned by deleting - quarantined
     C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BugDoctor8.zip    Win32/Bagle.gen.zip worm    cleaned by deleting - quarantined
     C:\Documents and Settings\Nate\My Documents\Recent Downloads for Improved Perfromance\BugdoctorSetup.exe    Win32/Adware.BugDoctor application    deleted - quarantined
  5. I figured it out. Under the audio tab in the "sounds and audio devices properties" window, the sound playback and sound recording default devices had been changed to "modem #2 line playback" and "modem #2 line record" instead of santa cruz. Sorry, but I thought I'd checked that already--maybe I was remembering having done so prior to your help with the rootkit, so my change maybe didn't take effect or was reversed? Or maybe I thought I changed it but never did... Anyway, the sound is working again. Sorry again for the added hassle.
  6. Sorry, that shouldn't have been two lines. "Unimodem Half-Duplex Audio Device" was one line. I tried updating that one anyway, and nothing was found.
  7. I don't see any devices with ?, !, or X in front of them. Under "Sound, Video and Game Controllers" these are listed:
     - Audio Codecs
     - Legacy Audio Drivers
     - Legacy Video Drivers
     - Media Control Devices
     - Santa Cruz
     - Santa Cruz Game port
     - Santa Cruz WDM interface
     - Unimodem Half-Duplex Audio Device
     - Video Codecs
  8. Oh, okay--good. I see the SQL entries in add/remove, but I'm not sure what to replace them with from Microsoft. I don't know what the SQL application(s) do or if I use them--so if it's not a problem having that error, I suppose I can figure out later if I want to reinstall a replacement. I couldn't figure out what download I needed from a quick look at the Microsoft site, but I can go back and take my time later. I have all the CDs that came with my computer, including a Santa Cruz/Turtle Beach CD and two "Drivers and Utilities" CDs. But I'm not sure what's missing or how to reinstall it. The device manager says that Santa Cruz is working properly.
  9. Hi - Thanks for the information. Windows Update appears to be functioning again and automatically installed some updates while I was away from the computer. And I'm no longer getting the extraneous Windows Security icons in the system tray. However, the sound is still not functioning. When I open the "Sounds and Audio Devices" through the control panel, under the volume tab, it says, "No Audio Device." Also, when I startup the computer, I get an "SQL Writer" message that says, "SQLDUMPER library failed initialization. Your installation is either corrupt or has been tampered with. Please uninstall then re-run to correct this problem." This message was appearing prior to my recent problems with the rootkit, but I mention it in case it is a problem with the system that needs to be fixed--or that you can help me fix anyway, or at least point me in the right direction. Finally, while I was running the MBAM scan, I got a message from Norton AntiVirus saying it had blocked a virus ("Backdoor.Tidserv!inf"). I've attached a screenshot of the Norton message--I think. It says it requires "manual removal," but I don't know how to do that. I had been on the internet shortly before that, so I may have messed up again and clicked another dangerous link?? 
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4267

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/2/2010 1:24:55 PM
mbam-log-2010-07-02 (13-24-55).txt

Scan type: Full scan (A:\|C:\|D:\|E:\|)
Objects scanned: 284343
Time elapsed: 1 hour(s), 59 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  10. Let's proceed. When ComboFix was opening, a message appeared saying there was a newer version of ComboFix and asking whether to update. I clicked "no" and it continued...just wanted to let you know in case that was the wrong thing to do. Also, before this happened, I'd never heard of a "rootkit." Can you provide more information or a link to more information about what that is or what it means? Thank you.

ComboFix 10-06-30.03 - Nate 07/01/2010 15:52:43.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.223 [GMT -4:00]
Running from: c:\documents and settings\Nate\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Nate\Desktop\CFScript.txt
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
.
((((((((((((((((((((((((( Files Created from 2010-06-01 to 2010-07-01 )))))))))))))))))))))))))))))))
.
2010-07-01 17:50 . 2008-04-13 18:36 37248 ----a-w- c:\windows\system32\drivers\isapnp.sys
2010-07-01 17:50 . 2008-04-13 18:36 37248 ----a-w- c:\windows\system32\dllcache\isapnp.sys
2010-06-29 02:41 . 2010-06-29 02:41 -------- d-----w- c:\documents and settings\Nate\Application Data\Tific
2010-06-27 00:18 . 2010-06-27 00:17 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-06-27 00:18 . 2010-06-27 00:17 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-06-27 00:17 . 2010-06-27 00:18 -------- d-----w- c:\program files\Symantec
2010-06-27 00:15 . 2010-06-27 00:15 -------- d-----w- c:\program files\NortonInstaller
2010-06-26 23:13 . 2010-06-26 23:13 46640 ----a-w- c:\windows\system32\msln.exe
2010-06-26 23:03 . 2010-06-26 23:13 14434 ----a-w- c:\windows\system32\drivers\SymSMR100.dat
2010-06-26 23:03 . 2010-06-26 23:03 58928 ----a-w- c:\windows\system32\drivers\SymSMR100.SYS
2010-06-26 23:02 . 2010-06-26 23:21 -------- d-----w- c:\documents and settings\Nate\Local Settings\Application Data\NPE
2010-06-26 23:00 . 2010-06-26 23:00 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ICS
2010-06-26 22:59 . 2010-06-28 15:35 -------- d-----w- c:\windows\LMI92.tmp
2010-06-26 22:54 . 2010-06-26 22:54 -------- d-----w- c:\documents and settings\Nate\Application Data\ElevatedDiagnostics
2010-06-26 21:40 . 2010-06-26 21:44 -------- dc-h--w- c:\windows\ie8
2010-06-26 20:56 . 2010-06-26 20:56 0 ----a-w- c:\windows\nsreg.dat
2010-06-26 20:56 . 2010-06-26 20:56 -------- d-----w- c:\documents and settings\Nate\Local Settings\Application Data\Mozilla
2010-06-26 15:57 . 2010-06-26 15:57 -------- d-----r- c:\program files\Norton Support
2010-06-23 22:57 . 2010-06-23 22:57 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-06-22 21:33 . 2010-06-22 21:33 -------- d-----w- c:\documents and settings\Nate\Application Data\SUPERAntiSpyware.com
2010-06-22 20:23 . 2010-06-22 20:23 -------- d-----w- c:\documents and settings\Nate\Application Data\Malwarebytes
2010-06-22 20:22 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-22 20:22 . 2010-06-22 20:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-22 20:22 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-22 20:22 . 2010-06-22 20:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-22 11:40 . 2010-06-22 19:53 -------- d-----w- c:\program files\Windows Live Safety Center
2010-06-21 04:56 . 2010-06-21 04:56 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-06-20 23:41 . 2010-06-21 09:22 -------- d-----w- c:\documents and settings\Nate\Local Settings\Application Data\ujtvfvdwa
2010-06-10 03:12 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-29 03:15 . 2002-11-23 03:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-06-29 03:15 . 2002-11-23 03:26 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-06-29 02:04 . 2006-01-06 09:01 -------- d-----w- c:\program files\Google
2010-06-27 01:16 . 2002-12-05 22:30 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-27 00:17 . 2010-06-27 00:18 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-06-27 00:17 . 2010-06-27 00:18 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-06-27 00:15 . 2005-05-16 18:13 -------- d-----w- c:\program files\Norton AntiVirus
2010-06-26 23:42 . 2008-10-31 06:15 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-06-26 23:03 . 2008-10-31 06:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-06-23 22:31 . 2010-06-22 21:36 63488 ----a-w- c:\documents and settings\Nate\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-06-23 22:31 . 2010-06-22 21:35 117760 ----a-w- c:\documents and settings\Nate\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-22 21:35 . 2010-06-22 21:35 52224 ----a-w- c:\documents and settings\Nate\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-21 10:10 . 2003-01-12 22:00 -------- d-----w- c:\program files\Lavasoft Ad-Aware
2010-06-10 07:54 . 2008-08-23 04:48 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-23 04:01 . 2010-05-23 04:01 503808 ----a-w- c:\documents and settings\Nate\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-23c2cddb-n\msvcp71.dll
2010-05-23 04:01 . 2010-05-23 04:01 499712 ----a-w- c:\documents and settings\Nate\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-23c2cddb-n\jmc.dll
2010-05-23 04:01 . 2010-05-23 04:01 348160 ----a-w- c:\documents and settings\Nate\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-23c2cddb-n\msvcr71.dll
2010-05-21 18:14 . 2009-10-03 08:38 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-13 01:38 . 2006-02-02 18:27 1100 ----a-w- c:\windows\system32\d3d8caps.dat
2010-05-02 05:22 . 2002-02-21 00:46 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2001-08-18 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2006-07-11 12:30 . 2006-07-11 12:30 658432 ----a-w- c:\program files\LogFinder.exe
2006-07-11 12:30 . 2006-07-11 12:30 435712 ----a-w- c:\program files\TiVoWmlPublisher.exe
2006-07-11 12:29 . 2006-07-11 12:29 335872 ----a-w- c:\program files\TiVoAutoUpdate.exe
2006-07-11 12:29 . 2006-07-11 12:29 1881088 ----a-w- c:\program files\TiVoDesktop.exe
2006-07-11 12:26 . 2006-07-11 12:26 1313792 ----a-w- c:\program files\TiVoServer.exe
2006-07-11 12:24 . 2006-07-11 12:24 341504 ----a-w- c:\program files\TiVoNotify.exe
2006-07-11 12:21 . 2006-07-11 12:21 43008 ----a-w- c:\program files\History.dll
2006-07-11 12:21 . 2006-07-11 12:21 283648 ----a-w- c:\program files\Http.dll
2006-07-11 12:20 . 2006-07-11 12:20 821760 ----a-w- c:\program files\Videos.dll
2006-07-11 12:17 . 2006-07-11 12:17 251904 ----a-w- c:\program files\Mpeg2.dll
2006-07-11 12:16 . 2006-07-11 12:16 73216 ----a-w- c:\program files\Photos.dll
2006-07-11 12:16 . 2006-07-11 12:16 73216 ----a-w- c:\program files\Music.dll
2006-07-11 12:16 . 2006-07-11 12:16 116224 ----a-w- c:\program files\WMedia.dll
2006-07-11 12:15 . 2006-07-11 12:15 114688 ----a-w- c:\program files\WAmp3.dll
2006-07-11 12:15 . 2006-07-11 12:15 84480 ----a-w- c:\program files\WAmp.dll
2006-07-11 12:15 . 2006-07-11 12:15 125440 ----a-w- c:\program files\Folder.dll
2006-07-11 12:14 . 2006-07-11 12:14 253952 ----a-w- c:\program files\Mp3.dll
2006-07-11 12:12 . 2006-07-11 12:12 91136 ----a-w- c:\program files\Image.dll
2006-07-11 12:11 . 2006-07-11 12:11 85504 ----a-w- c:\program files\Cache.dll
2006-07-11 12:11 . 2006-07-11 12:11 192512 ----a-w- c:\program files\TiVoConverter.exe
2006-07-10 21:58 . 2006-07-10 21:58 21297 ----a-w- c:\program files\ReadMe.rtf
2006-04-28 06:23 . 2006-04-28 06:23 135168 ----a-w- c:\program files\Zip32.dll
2006-04-28 06:22 . 2006-04-28 06:22 684032 ----a-w- c:\program files\LibEay32.dll
2006-04-28 06:22 . 2006-04-28 06:22 155648 ----a-w- c:\program files\SslEay32.dll
2006-04-28 06:22 . 2006-04-28 06:22 1645320 ----a-w- c:\program files\GdiPlus.dll
2006-04-28 06:21 . 2006-04-28 06:21 1781 ----a-w- c:\program files\PrivateKey.pem
2006-04-28 06:21 . 2006-04-28 06:21 1674 ----a-w- c:\program files\Certificate.pem
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="c:\program files\Microsoft Money\System\Money Express.exe" [2001-07-25 184376]
"mSpotAlltelRemix"="c:\program files\Alltel Jump Music\Remix\msptcmd.exe" [2007-12-14 1503232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-06 68856]
"NvMediaCenter"="c:\windows\system32\NVMCTRAY.DLL" [2003-10-06 49152]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1151601.exe" [2009-07-31 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-04-10 679936]
"Dell|Alert"="c:\program files\Dell\Support\Alert\bin\DAMon.exe" [2002-07-11 270336]
"Omnipage"="c:\program files\ScanSoft\OmniPageSE\opware32.exe" [2002-02-21 49152]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-17 28738]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-13 198160]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"nwiz"="nwiz.exe" [2003-10-06 741376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NVMCTRAY.DLL" [2003-10-06 49152]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-12-10 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2002-11-22 45056]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-8-7 24633]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXSUPMON]
2002-03-25 03:34 886272 ----a-w- c:\windows\SYSTEM32\LXSUPMON.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
2005-05-10 20:04 11776 ----a-w- c:\progra~1\MUSICM~1\MUSICM~1\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2003-10-06 18:16 741376 ----a-w- c:\windows\SYSTEM32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-09-01 20:57 282624 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoNotify]
2006-07-11 12:24 341504 ----a-w- c:\program files\TiVoNotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoServer]
2006-07-11 12:26 1313792 ----a-w- c:\program files\TiVoServer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoTransfer]
2006-07-11 12:23 1174528 ----a-w- c:\program files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-09-13 16:33 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 SymDS;Symantec Data Store;c:\windows\SYSTEM32\DRIVERS\NAV\1107000.00C\symds.sys [6/27/2010 1:19 AM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\SYSTEM32\DRIVERS\NAV\1107000.00C\symefa.sys [6/27/2010 1:19 AM 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.6.0.32\Definitions\BASHDefs\20100619.001\BHDrvx86.sys [6/19/2010 12:46 AM 691248]
R1 ccHP;Symantec Hash Provider;c:\windows\SYSTEM32\DRIVERS\NAV\1107000.00C\cchpx86.sys [6/27/2010 1:19 AM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\SYSTEM32\DRIVERS\NAV\1107000.00C\ironx86.sys [6/27/2010 1:19 AM 116784]
R1 SymSMR100;SMR Utility Service;c:\windows\SYSTEM32\DRIVERS\SymSMR100.SYS [6/26/2010 7:03 PM 58928]
R2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\17.7.0.12\ccsvchst.exe [6/27/2010 1:19 AM 126392]
R2 TivoBeacon2;TiVo Beacon;c:\program files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe [7/11/2006 8:22 AM 857088]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/11/2007 1:46 AM 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/27/2010 11:36 AM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.6.0.32\Definitions\IPSDefs\20100630.006\IDSXpx86.sys [6/30/2010 9:31 PM 331640]
R3 tbcspud;Santa Cruz Driver;c:\windows\SYSTEM32\DRIVERS\tbcspud.sys [1/1/1980 2:00 AM 144768]
R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\SYSTEM32\DRIVERS\tbcwdm.sys [1/1/1980 2:00 AM 545088]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S3 Bulk503;Chameleon Mega Digital Camera;c:\windows\SYSTEM32\DRIVERS\Bulk503.sys [10/15/2001 12:45 PM 10599]
S3 ISO503;Chameleon Mega Video Camera;c:\windows\SYSTEM32\DRIVERS\ISO503.SYS [4/9/2002 10:49 AM 526885]
S3 vtdg46xx;vtdg46xx;c:\progra~1\TURTLE~1\SANTAC~1\CONTRO~1\vtdg46xx.sys [11/22/2002 11:25 PM 19232]
.
Contents of the 'Scheduled Tasks' folder

2010-06-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-08-29 19:21]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.loc.gov/poetry/180/p180-list.html
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game13.zylom.com/activex/zylomgamesplayer.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-01 16:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Dell|Alert = c:\program files\Dell\Support\Alert\bin\DAMon.exe?p?o?r?t?\?A?l?e?r?t?\?b?i?n?\?D?A?M?o?n?.?e?x?e???????????x:??????x??? ???X??? ??????? ???P????(?w'(?w????????????(???u??????w????????????0????$?w7(?w?o?wS??w???w????????????X*@?????????X????????%@?e?????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\17.7.0.12\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\17.7.0.12\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(532)
c:\windows\system32\L3CODECA.ACM

- - - - - - - > 'explorer.exe'(1600)
c:\program files\ScanSoft\OmniPageSE\ophook32.dll
c:\program files\Windows Media Player\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msls31.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\L3CODECA.ACM
.
Completion time: 2010-07-01 16:14:06
ComboFix-quarantined-files.txt 2010-07-01 20:14
ComboFix2.txt 2010-07-01 18:29

Pre-Run: 10,311,110,656 bytes free
Post-Run: 10,307,043,328 bytes free

- - End Of File - - 6652D850913E306943FE50D5579AC805
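The ComboFix report above is the kind of thing a helper reads by eye: recently created files, Run keys, the firewall policy flag, and the driver/service list. The script below is an added example (not from this thread, not part of ComboFix) that parses those line shapes and applies a few triage heuristics of my own: a system32 file that appeared during the scan window but keeps a years-old modification time (the restored isapnp.sys), a randomly named directory under a profile's Application Data (ujtvfvdwa), a Run entry whose image is not a full path (nwiz.exe), EnableFirewall set to 0 in the standard profile, and drivers stamped 1980. The sample lines are a constructed subset copied from the report; the heuristic thresholds are assumptions, not rules ComboFix itself uses.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List

# Constructed sample: a subset of lines in the shape of the ComboFix report above,
# embedded so the script runs offline. Not a complete ComboFix log.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2010-06-01 to 2010-07-01 )))))))))))))))))))))))))))))))
.
2010-07-01 17:50 . 2008-04-13 18:36 37248 ----a-w- c:\windows\system32\drivers\isapnp.sys
2010-06-26 23:13 . 2010-06-26 23:13 46640 ----a-w- c:\windows\system32\msln.exe
2010-06-20 23:41 . 2010-06-21 09:22 -------- d-----w- c:\documents and settings\Nate\Local Settings\Application Data\ujtvfvdwa
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
"nwiz"="nwiz.exe" [2003-10-06 741376]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R0 SymDS;Symantec Data Store;c:\windows\SYSTEM32\DRIVERS\NAV\1107000.00C\symds.sys [6/27/2010 1:19 AM 328752]
R3 tbcspud;Santa Cruz Driver;c:\windows\SYSTEM32\DRIVERS\tbcspud.sys [1/1/1980 2:00 AM 144768]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
"""

# Line shapes as they appear in the report: "created . modified size attrs path",
# "[key]", '"name"="image" [date size]', '"name"= dword (0x..)', and
# "Rn/Sn name;display;path [m/d/yyyy h:mm AM size]" for drivers and services.
FILE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d) (\d+|-+) (\S{8}) (.+)$")
KEY_RE = re.compile(r"^\[(.+)\]$")
RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)" \[(\d{4}-\d\d-\d\d) (\d+)\]$')
DWORD_RE = re.compile(r'^"([^"]+)"= (\d+) \(0x[0-9a-f]+\)$', re.IGNORECASE)
SVC_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?) \[(\d+/\d+/\d{4} \d+:\d\d [AP]M) (\d+)\]$")


@dataclass
class Finding:
    severity: str  # "warn" (look at this) or "info" (explainable, but confirm it)
    detail: str


def longest_consonant_run(name: str) -> int:
    """Crude randomness test for names like 'ujtvfvdwa': longest run of consonants."""
    return max((len(r) for r in re.findall(r"[b-df-hj-np-tv-z]+", name.lower())), default=0)


def parse_combofix(text: str) -> dict:
    files, run, policy, services = [], [], {}, []
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if m := FILE_RE.match(line):
            created, modified, _size, attrs, path = m.groups()
            files.append({"created": datetime.strptime(created, "%Y-%m-%d %H:%M"),
                          "modified": datetime.strptime(modified, "%Y-%m-%d %H:%M"),
                          "is_dir": attrs.startswith("d"), "path": path})
        elif m := KEY_RE.match(line):
            current_key = m.group(1).lower()
        elif m := RUN_RE.match(line):
            run.append({"key": current_key, "name": m.group(1), "image": m.group(2)})
        elif m := DWORD_RE.match(line):
            policy[(current_key, m.group(1))] = int(m.group(2))
        elif m := SVC_RE.match(line):
            start, name, display, path, stamp, size = m.groups()
            services.append({"start": start, "name": name, "display": display,
                             "path": path, "stamp": stamp, "size": int(size)})
    return {"files": files, "run": run, "policy": policy, "services": services}


def triage(report: dict) -> List[Finding]:
    """Assumed heuristics (mine, not ComboFix's); each maps to one line type above."""
    out: List[Finding] = []
    for f in report["files"]:
        low = f["path"].lower()
        # A file that appeared in the scan window but keeps a years-old modification time
        # was copied or restored into place (here the isapnp.sys ComboFix replaced).
        if (not f["is_dir"] and low.startswith("c:\\windows\\system32\\")
                and (f["created"] - f["modified"]).days > 365):
            out.append(Finding("warn", f"system file written recently but dated years earlier: {f['path']}"))
        # Randomly named directories under a profile's Application Data are a common dropper habit.
        if (f["is_dir"] and "\\application data\\" in low
                and longest_consonant_run(low.rsplit("\\", 1)[-1]) >= 5):
            out.append(Finding("warn", f"randomly named profile directory: {f['path']}"))
    for r in report["run"]:
        # An unqualified image is resolved by PATH search at logon, so it can be hijacked.
        if ":\\" not in r["image"]:
            out.append(Finding("info", f"Run entry {r['name']} has unqualified image {r['image']}"))
    for (key, value), data in report["policy"].items():
        if key.endswith("firewallpolicy\\standardprofile") and value.lower() == "enablefirewall" and data == 0:
            out.append(Finding("info", "Windows Firewall off in standard profile; expected only if a "
                                       "third-party firewall (e.g. ZoneAlarm) has taken over"))
    for s in report["services"]:
        # 1980 is the DOS/FAT date epoch: usually an old vendor driver, but worth a glance.
        if "/1980 " in s["stamp"]:
            out.append(Finding("info", f"driver {s['name']} carries a 1980 timestamp: {s['path']}"))
    return out


if __name__ == "__main__":
    for finding in triage(parse_combofix(SAMPLE_LOG)):
        print(f"[{finding.severity}] {finding.detail}")
```

Run against the constructed sample it reports five findings: two warnings (isapnp.sys, ujtvfvdwa) and three informational items (nwiz, the firewall flag, tbcspud). The EnableFirewall finding is deliberately "info": as the later post in this thread works out, Security Center reporting a firewall as on while Windows Firewall is off is exactly what you see when ZoneAlarm has registered as the active firewall, so the flag needs confirming rather than fixing.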
  11. Okay, I did that.

ComboFix 10-06-30.03 - Nate 07/01/2010 13:56:21.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.231 [GMT -4:00]
Running from: c:\documents and settings\Nate\Desktop\ComboFix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\LocalService\Local Settings\Application Data\Windows Server
c:\documents and settings\Nate\Recent\Thumbs.db
c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server
c:\windows\system32\Thumbs.db
c:\windows\xpsp1hfm.log

Infected copy of c:\windows\system32\DRIVERS\isapnp.sys was found and disinfected
Restored copy from - Kitty had a snack
.
((((((((((((((((((((((((( Files Created from 2010-06-01 to 2010-07-01 )))))))))))))))))))))))))))))))
.
2010-07-01 17:50 . 2008-04-13 18:36 37248 ----a-w- c:\windows\system32\drivers\isapnp.sys
2010-07-01 17:50 . 2008-04-13 18:36 37248 ----a-w- c:\windows\system32\dllcache\isapnp.sys
2010-06-29 02:41 . 2010-06-29 02:41 -------- d-----w- c:\documents and settings\Nate\Application Data\Tific
2010-06-27 00:18 . 2010-06-27 00:17 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-06-27 00:18 . 2010-06-27 00:17 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-06-27 00:17 . 2010-06-27 00:18 -------- d-----w- c:\program files\Symantec
2010-06-27 00:15 . 2010-06-27 00:15 -------- d-----w- c:\program files\NortonInstaller
2010-06-26 23:13 . 2010-06-26 23:13 46640 ----a-w- c:\windows\system32\msln.exe
2010-06-26 23:03 . 2010-06-26 23:13 14434 ----a-w- c:\windows\system32\drivers\SymSMR100.dat
2010-06-26 23:03 . 2010-06-26 23:03 58928 ----a-w- c:\windows\system32\drivers\SymSMR100.SYS
2010-06-26 23:02 . 2010-06-26 23:21 -------- d-----w- c:\documents and settings\Nate\Local Settings\Application Data\NPE
2010-06-26 23:00 . 2010-06-26 23:00 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ICS
2010-06-26 22:59 . 2010-06-28 15:35 -------- d-----w- c:\windows\LMI92.tmp
2010-06-26 22:54 . 2010-06-26 22:54 -------- d-----w- c:\documents and settings\Nate\Application Data\ElevatedDiagnostics
2010-06-26 21:40 . 2010-06-26 21:44 -------- dc-h--w- c:\windows\ie8
2010-06-26 20:56 . 2010-06-26 20:56 0 ----a-w- c:\windows\nsreg.dat
2010-06-26 20:56 . 2010-06-26 20:56 -------- d-----w- c:\documents and settings\Nate\Local Settings\Application Data\Mozilla
2010-06-26 15:57 . 2010-06-26 15:57 -------- d-----r- c:\program files\Norton Support
2010-06-23 22:57 . 2010-06-23 22:57 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-06-22 21:33 . 2010-06-22 21:33 -------- d-----w- c:\documents and settings\Nate\Application Data\SUPERAntiSpyware.com
2010-06-22 20:23 . 2010-06-22 20:23 -------- d-----w- c:\documents and settings\Nate\Application Data\Malwarebytes
2010-06-22 20:22 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-22 20:22 . 2010-06-22 20:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-22 20:22 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-22 20:22 . 2010-06-22 20:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-22 11:40 . 2010-06-22 19:53 -------- d-----w- c:\program files\Windows Live Safety Center
2010-06-21 04:56 . 2010-06-21 04:56 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-06-20 23:41 . 2010-06-21 09:22 -------- d-----w- c:\documents and settings\Nate\Local Settings\Application Data\ujtvfvdwa
2010-06-10 03:12 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-29 03:15 . 2002-11-23 03:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-06-29 03:15 . 2002-11-23 03:26 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-06-29 02:04 . 2006-01-06 09:01 -------- d-----w- c:\program files\Google
2010-06-27 01:16 . 2002-12-05 22:30 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-27 00:17 . 2010-06-27 00:18 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-06-27 00:17 . 2010-06-27 00:18 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-06-27 00:15 . 2005-05-16 18:13 -------- d-----w- c:\program files\Norton AntiVirus
2010-06-26 23:42 . 2008-10-31 06:15 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-06-26 23:03 . 2008-10-31 06:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-06-23 22:31 . 2010-06-22 21:36 63488 ----a-w- c:\documents and settings\Nate\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-06-23 22:31 . 2010-06-22 21:35 117760 ----a-w- c:\documents and settings\Nate\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-22 21:35 . 2010-06-22 21:35 52224 ----a-w- c:\documents and settings\Nate\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-21 10:10 . 2003-01-12 22:00 -------- d-----w- c:\program files\Lavasoft Ad-Aware
2010-06-10 07:54 . 2008-08-23 04:48 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-23 04:01 . 2010-05-23 04:01 503808 ----a-w- c:\documents and settings\Nate\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-23c2cddb-n\msvcp71.dll
2010-05-23 04:01 . 2010-05-23 04:01 499712 ----a-w- c:\documents and settings\Nate\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-23c2cddb-n\jmc.dll
2010-05-23 04:01 . 2010-05-23 04:01 348160 ----a-w- c:\documents and settings\Nate\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-23c2cddb-n\msvcr71.dll
2010-05-21 18:14 . 2009-10-03 08:38 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-13 01:38 . 2006-02-02 18:27 1100 ----a-w- c:\windows\system32\d3d8caps.dat
2010-05-02 05:22 . 2002-02-21 00:46 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2001-08-18 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2006-07-11 12:30 . 2006-07-11 12:30 658432 ----a-w- c:\program files\LogFinder.exe
2006-07-11 12:30 . 2006-07-11 12:30 435712 ----a-w- c:\program files\TiVoWmlPublisher.exe
2006-07-11 12:29 . 2006-07-11 12:29 335872 ----a-w- c:\program files\TiVoAutoUpdate.exe
2006-07-11 12:29 . 2006-07-11 12:29 1881088 ----a-w- c:\program files\TiVoDesktop.exe
2006-07-11 12:26 . 2006-07-11 12:26 1313792 ----a-w- c:\program files\TiVoServer.exe
2006-07-11 12:24 . 2006-07-11 12:24 341504 ----a-w- c:\program files\TiVoNotify.exe
2006-07-11 12:21 . 2006-07-11 12:21 43008 ----a-w- c:\program files\History.dll
2006-07-11 12:21 . 2006-07-11 12:21 283648 ----a-w- c:\program files\Http.dll
2006-07-11 12:20 . 2006-07-11 12:20 821760 ----a-w- c:\program files\Videos.dll
2006-07-11 12:17 . 2006-07-11 12:17 251904 ----a-w- c:\program files\Mpeg2.dll
2006-07-11 12:16 . 2006-07-11 12:16 73216 ----a-w- c:\program files\Photos.dll
2006-07-11 12:16 . 2006-07-11 12:16 73216 ----a-w- c:\program files\Music.dll
2006-07-11 12:16 . 2006-07-11 12:16 116224 ----a-w- c:\program files\WMedia.dll
2006-07-11 12:15 . 2006-07-11 12:15 114688 ----a-w- c:\program files\WAmp3.dll
2006-07-11 12:15 . 2006-07-11 12:15 84480 ----a-w- c:\program files\WAmp.dll
2006-07-11 12:15 . 2006-07-11 12:15 125440 ----a-w- c:\program files\Folder.dll
2006-07-11 12:14 . 2006-07-11 12:14 253952 ----a-w- c:\program files\Mp3.dll
2006-07-11 12:12 . 2006-07-11 12:12 91136 ----a-w- c:\program files\Image.dll
2006-07-11 12:11 . 2006-07-11 12:11 85504 ----a-w- c:\program files\Cache.dll
2006-07-11 12:11 . 2006-07-11 12:11 192512 ----a-w- c:\program files\TiVoConverter.exe
2006-07-10 21:58 . 2006-07-10 21:58 21297 ----a-w- c:\program files\ReadMe.rtf
2006-04-28 06:23 . 2006-04-28 06:23 135168 ----a-w- c:\program files\Zip32.dll
2006-04-28 06:22 . 2006-04-28 06:22 684032 ----a-w- c:\program files\LibEay32.dll
2006-04-28 06:22 . 2006-04-28 06:22 155648 ----a-w- c:\program files\SslEay32.dll
2006-04-28 06:22 . 2006-04-28 06:22 1645320 ----a-w- c:\program files\GdiPlus.dll
2006-04-28 06:21 . 2006-04-28 06:21 1781 ----a-w- c:\program files\PrivateKey.pem
2006-04-28 06:21 . 2006-04-28 06:21 1674 ----a-w- c:\program files\Certificate.pem
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="c:\program files\Microsoft Money\System\Money Express.exe" [2001-07-25 184376]
"mSpotAlltelRemix"="c:\program files\Alltel Jump Music\Remix\msptcmd.exe" [2007-12-14 1503232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-06 68856]
"NvMediaCenter"="c:\windows\system32\NVMCTRAY.DLL" [2003-10-06 49152]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1151601.exe" [2009-07-31 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-04-10 679936]
"Dell|Alert"="c:\program files\Dell\Support\Alert\bin\DAMon.exe" [2002-07-11 270336]
"Omnipage"="c:\program files\ScanSoft\OmniPageSE\opware32.exe" [2002-02-21 49152]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-17 28738]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-13 198160]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"nwiz"="nwiz.exe" [2003-10-06 741376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NVMCTRAY.DLL" [2003-10-06 49152]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-12-10 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2002-11-22 45056]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-8-7 24633]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo!
Pager [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXSUPMON] 2002-03-25 03:34 886272 ----a-w- c:\windows\SYSTEM32\LXSUPMON.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot] 2005-05-10 20:04 11776 ----a-w- c:\progra~1\MUSICM~1\MUSICM~1\mimboot.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz] 2003-10-06 18:16 741376 ----a-w- c:\windows\SYSTEM32\nwiz.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] 2006-09-01 20:57 282624 ----a-w- c:\program files\QuickTime\qttask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoNotify] 2006-07-11 12:24 341504 ----a-w- c:\program files\TiVoNotify.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoServer] 2006-07-11 12:26 1313792 ----a-w- c:\program files\TiVoServer.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoTransfer] 2006-07-11 12:23 1174528 ----a-w- c:\program files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] 2009-09-13 16:33 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= R0 SymDS;Symantec Data Store;c:\windows\SYSTEM32\DRIVERS\NAV\1107000.00C\symds.sys [6/27/2010 1:19 AM 328752] R0 SymEFA;Symantec Extended File Attributes;c:\windows\SYSTEM32\DRIVERS\NAV\1107000.00C\symefa.sys [6/27/2010 1:19 AM 173104] R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.6.0.32\Definitions\BASHDefs\20100619.001\BHDrvx86.sys [6/19/2010 12:46 AM 691248] R1 ccHP;Symantec Hash 
Provider;c:\windows\SYSTEM32\DRIVERS\NAV\1107000.00C\cchpx86.sys [6/27/2010 1:19 AM 501888] R1 SymIRON;Symantec Iron Driver;c:\windows\SYSTEM32\DRIVERS\NAV\1107000.00C\ironx86.sys [6/27/2010 1:19 AM 116784] R1 SymSMR100;SMR Utility Service;c:\windows\SYSTEM32\DRIVERS\SymSMR100.SYS [6/26/2010 7:03 PM 58928] R2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\17.7.0.12\ccsvchst.exe [6/27/2010 1:19 AM 126392] R2 TivoBeacon2;TiVo Beacon;c:\program files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe [7/11/2006 8:22 AM 857088] R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/11/2007 1:46 AM 24652] R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/27/2010 11:36 AM 102448] R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.6.0.32\Definitions\IPSDefs\20100630.006\IDSXpx86.sys [6/30/2010 9:31 PM 331640] R3 tbcspud;Santa Cruz Driver;c:\windows\SYSTEM32\DRIVERS\tbcspud.sys [1/1/1980 2:00 AM 144768] R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\SYSTEM32\DRIVERS\tbcwdm.sys [1/1/1980 2:00 AM 545088] S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592] S3 Bulk503;Chameleon Mega Digital Camera;c:\windows\SYSTEM32\DRIVERS\Bulk503.sys [10/15/2001 12:45 PM 10599] S3 ISO503;Chameleon Mega Video Camera;c:\windows\SYSTEM32\DRIVERS\ISO503.SYS [4/9/2002 10:49 AM 526885] S3 vtdg46xx;vtdg46xx;c:\progra~1\TURTLE~1\SANTAC~1\CONTRO~1\vtdg46xx.sys [11/22/2002 11:25 PM 19232] . Contents of the 'Scheduled Tasks' folder 2010-06-30 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-08-29 19:21] 2010-07-01 c:\windows\Tasks\MP Scheduled Scan.job - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 22:20] . . ------- Supplementary Scan ------- . 
uStart Page = hxxp://www.loc.gov/poetry/180/p180-list.html uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uInternet Settings,ProxyServer = http=127.0.0.1:5555 uInternet Settings,ProxyOverride = <local> uSearchAssistant = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/search?q=%s DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game13.zylom.com/activex/zylomgamesplayer.cab . - - - - ORPHANS REMOVED - - - - Toolbar-Locked - (no file) MSConfigStartUp-Google Desktop Search - c:\program files\Google\Google Desktop Search\GoogleDesktop.exe AddRemove-Google Desktop - c:\program files\Google\Google Desktop Search\GoogleDesktopSetup.exe AddRemove-Mozilla Firefox (3.6.4) - c:\program files\Mozilla Firefox\uninstall\helper.exe ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-07-01 14:16 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKLM\Software\Microsoft\Windows\CurrentVersion\Run Dell|Alert = c:\program files\Dell\Support\Alert\bin\DAMon.exe?p?o?r?t?\?A?l?e?r?t?\?b?i?n?\?D?A?M?o?n?.?e?x?e???????????x:??????x??? ???X??? ??????? ???P????(?w'(?w????????????(???u??????w????????????0????$?w7(?w?o?wS??w???w????????????X*@?????????X????????%@?e????? scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAV] "ImagePath"="\"c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\17.7.0.12\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\17.7.0.12\diMaster.dll\" /prefetch:1" . 
--------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(532) c:\windows\system32\L3CODECA.ACM - - - - - - - > 'explorer.exe'(2848) c:\program files\ScanSoft\OmniPageSE\ophook32.dll c:\program files\Windows Media Player\wmpband.dll c:\windows\system32\ieframe.dll c:\windows\system32\msls31.dll c:\windows\system32\OneX.DLL c:\windows\system32\eappprxy.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll c:\windows\system32\L3CODECA.ACM . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\LEXBCES.EXE c:\windows\system32\LEXPPS.EXE c:\program files\Java\jre6\bin\jqs.exe c:\windows\system32\nvsvc32.exe c:\windows\system32\HPZipm12.exe c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe c:\windows\system32\RUNDLL32.EXE c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe c:\windows\system32\wscntfy.exe . ************************************************************************** . Completion time: 2010-07-01 14:29:16 - machine was rebooted ComboFix-quarantined-files.txt 2010-07-01 18:29 Pre-Run: 10,075,860,992 bytes free Post-Run: 10,387,234,816 bytes free WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn - - End Of File - - C0D96EC7323F77DF4F96BDC1A8F4D99C
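Two lines in the ComboFix log above deserve more attention than they get in the thread: `uInternet Settings,ProxyServer = http=127.0.0.1:5555` under Supplementary Scan, and `"EnableFirewall"= 0` under the firewall policy key. An Internet Explorer proxy pointed at the loopback interface only works while some local process is listening on that port; once whatever set it is killed or removed, HTTP requests simply fail to connect, which is consistent with the "would not connect" and Windows Update symptoms described later on this page. A disabled Windows Firewall standard profile is the other thing a helper would want to know before the user decides which firewall to keep. The Python below is an added example, not part of the original thread and not ComboFix's own code: it pulls those two line types out of a pasted log and reports them. The sample lines are copied from the log above; the function and finding names are my own.

```python
import re

# Sample input: the relevant line types copied from the ComboFix log posted
# in this thread (firewall policy section and Supplementary Scan). The raw
# string keeps the single backslashes exactly as ComboFix prints them.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
uStart Page = hxxp://www.loc.gov/poetry/180/p180-list.html
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
"""

# Both patterns match the line as ComboFix writes it, after stripping.
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(.+)$")
FIREWALL_RE = re.compile(r'^"EnableFirewall"\s*=\s*(\d+)')
LOOPBACK_HOSTS = {"127.0.0.1", "localhost"}   # IPv4 loopback spellings only


def parse_proxy(value):
    """Parse an Internet Explorer ProxyServer value into {scheme: (host, port)}.

    IE accepts either a single 'host:port' that applies to every protocol
    (recorded here under the key '*') or a ';'-separated list of
    'scheme=host:port' entries such as 'http=127.0.0.1:5555;https=...'.
    A missing or non-numeric port is recorded as None.
    """
    entries = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            scheme, hostport = part.split("=", 1)
        else:
            scheme, hostport = "*", part
        host, sep, port = hostport.rpartition(":")
        if not sep:                      # no port given at all
            host, port = hostport, ""
        entries[scheme.strip().lower()] = (host.strip(),
                                           int(port) if port.isdigit() else None)
    return entries


def scan_combofix(log_text):
    """Return (finding, line_number, detail) tuples for two checks.

    loopback_proxy    : IE routes some scheme through a proxy on the local
                        host, so a local listener is required for browsing
                        to work at all; if none exists, connections fail.
    firewall_disabled : the Windows Firewall standard profile is off.
    """
    findings = []
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        m = PROXY_RE.match(line)
        if m:
            for scheme, (host, port) in parse_proxy(m.group(1)).items():
                if host.lower() in LOOPBACK_HOSTS:
                    findings.append(("loopback_proxy", lineno,
                                     f"{scheme} traffic proxied via {host}:{port}"))
        m = FIREWALL_RE.match(line)
        if m and m.group(1) == "0":
            findings.append(("firewall_disabled", lineno, line))
    return findings


if __name__ == "__main__":
    for kind, lineno, detail in scan_combofix(SAMPLE_LOG):
        print(f"line {lineno}: {kind}: {detail}")
```

On the log above this reports the firewall line and the `http` proxy at 127.0.0.1:5555. A loopback proxy is not proof of infection on its own (some legitimate filtering software installs one), so the next step is to check whether any process on the machine actually listens on that port (`netstat -ano` on Windows XP) and, if nothing does, clear the ProxyServer value in Internet Options.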
  12. Forgot to add: another current sign/symptom is that Norton AntiVirus is regularly blocking things, every 10 min. or so, and especially when I open up Internet Explorer pages.
  13. Hi - I got the fake AV security thing clicking on a link from a Google search for "The Impossible Quiz Answers." I couldn't open either Norton AntiVirus or SpyBot Search and Destroy. I couldn't open the task manager. The virus or whatever it is would shut down all windows/programs as soon as they began opening. Other than the fake security messages opening, internet sites were opening up, as well as multiple red Windows Security Center icons in the task bar. I eventually managed to keep a task manager window open long enough to hit "end task" on the AV thing. After that, I was able to open SpyBot, and it deleted some things. Then, when I opened Internet Explorer, it would not connect. I reset the Explorer settings and it began connecting to most websites, but not all. It would not open Windows Update pages, for example. After this, I did several scans using Norton AntiVirus. I don't remember it finding anything significant. Then, I downloaded Malwarebytes, which I'd used before on a different computer. It did not find anything. I ran several scans over a couple of days using both Malwarebytes and SpyBot. On one day, they both found a group of about six items, but both could only delete/fix 5/6 of those items. SpyBot recommended restarting and running in safe mode. I did that, but it was still not able to delete the last of the six items. Since then, I have run SpyBot and Malwarebytes a few times, and they no longer find those six items. All during this time, I still had one red shield Windows Security icon in the task bar that was saying Norton AntiVirus was not up to date, even though Norton was saying it was updated, and I had manually run an update several times. At some point, I think I ran a scan from a Microsoft website that said it found/deleted a few things. The next thing I did was contact and chat with a Norton/Symantec person. He did a separate scan of my computer and appeared to find and delete/fix two items. Then, he uninstalled and reinstalled Norton AntiVirus. After he did that, the red Windows Security icon saying Norton was out of date went away. The only other thing I think I did was try to follow the directions from the pinned post on this forum as mentioned in my first post. But I got lost or messed that up somehow.
Currently, the symptoms I can notice are these:
1. My sound has been disabled, sometime after the original problem (i.e., that did not immediately happen at the time the AV security thing came up).
2. My ability to change my desktop background picture is interfered with (and the previous picture is gone). This happened most recently.
3. I get an occasional yellow Windows Security shield in the task bar. When I hover my mouse over it, it says something like, "downloading updates, 0%." When I leave my computer for many hours in a row (e.g. overnight) and come back and wake it up, there will be several of these yellow shield icons, and the computer will be more or less frozen. If I am working on it and it doesn't go into sleep mode, these yellow shields tend to disappear after a while.
4. I still cannot connect to Windows Update sites.
This is all I can remember, though I've been dealing with this for a week or so, so I might've forgotten a few things. Here are the files you asked me to copy: (Note that, after GMER was done scanning, a window popped up saying, "Windows -- Delayed Write Failed. Windows was unable to save all the data for the file \Device\HardDiskVolume2\Documents and Settings\Nate\Local Settings\Temp. The data has been lost. This error may be caused by a failure of your computer hardware or network connection. Please try to save this file elsewhere." I clicked OK, for better or worse. Then I went ahead with clicking the save button in GMER.)
OTListIt.txt:
OTL logfile created on: 6/30/2010 4:10:35 PM - Run 1
OTL by OldTimer - Version 3.2.7.0 Folder = C:\Documents and Settings\Nate\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 63.00 Mb Available Physical Memory | 12.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 45.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.84 Gb Total Space | 9.67 Gb Free Space | 17.31% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DB9SJ321
Current User Name: Nate
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/06/30 16:08:47 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Nate\Desktop\OTL.exe
PRC - [2010/02/25 20:21:50 | 000,126,392 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\17.7.0.12\ccsvchst.exe
PRC - [2009/09/13 12:33:32 | 000,198,160 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2009/03/05 16:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/04/05 23:49:28 | 000,068,856 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2007/08/09 03:27:52 | 000,073,728 | ---- | M] (HP) -- C:\WINDOWS\SYSTEM32\HPZipm12.exe
PRC - [2007/01/04 17:38:18 | 000,112,336 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
PRC - [2007/01/04 17:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe
PRC - [2006/11/03 18:20:12 | 000,866,584 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
PRC - [2006/11/03 18:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe
PRC - [2006/07/11 08:22:40 | 000,857,088 | ---- | M] (TiVo Inc.) -- C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
PRC - [2002/07/11 17:15:20 | 000,270,336 | ---- | M] () -- C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
PRC - [2002/04/10 18:44:04 | 000,679,936 | ---- | M] (Roxio) -- C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe
PRC - [2002/03/27 04:35:00 | 000,045,056 | ---- | M] (BVRP Software) -- C:\Program Files\Digital Line Detect\DLG.exe
PRC - [2002/02/20 21:01:32 | 000,049,152 | ---- | M] (ScanSoft, Inc) -- C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
PRC - [2001/08/07 19:06:54 | 000,024,633 | ---- | M] (Microsoft
  14. When I tried to follow the instructions under "I'm infected..." it only made things worse. Where can I get some help? I can provide more details when/if I know I'm in the right place.