


HDD.exe


22 replies to this topic

#1 ryan3k3

ryan3k3

    New Member

  • Members
  • 12 posts

Posted 28 February 2011 - 03:32 PM

HDD.exe.exe keeps reappearing. I have not really had any issues with my computer or any other virus symptoms besides system slowness. Below are my MBAM and DDS logs.



Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5906

Windows 6.0.6000
Internet Explorer 7.0.6000.16982

2/28/2011 3:20:18 PM
mbam-log-2011-02-28 (15-20-18).txt

Scan type: Quick scan
Objects scanned: 175590
Time elapsed: 23 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{T5TBB77L-4678-0MKC-421Q-14416031DYU6} (Password.Stealer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{T5TBB77L-4678-0MKC-421Q-14416031DYU6} (Password.Stealer) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HDD (Password.Stealer) -> Value: HDD -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\System32\System32\hdd.exe.exe (Password.Stealer) -> Quarantined and deleted successfully.





DDS (Ver_10-12-12.02) - NTFSx86
Run by Dad at 15:25:14.67 on Mon 02/28/2011
Internet Explorer: 7.0.6000.16982 BrowserJavaVersion: 1.6.0_22
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.894.211 [GMT -5:00]


============== Running Processes ===============

C:\windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\LEXBCES.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\LEXPPS.EXE
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\svchost.exe -k Akamai
C:\Windows\system32\inetsrv\inetinfo.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\lxcycoms.exe
C:\Windows\system32\lxdxcoms.exe
C:\Program Files\Norton Internet Security\Engine\18.5.0.125\ccSvcHst.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
C:\Windows\system32\svchost.exe -k iissvcs
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\WUDFHost.exe
C:\windows\system32\taskeng.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Norton Internet Security\Engine\18.5.0.125\ccSvcHst.exe
C:\Windows\Explorer.EXE
C:\windows\system32\taskeng.exe
C:\Program Files\IObit\Game Booster 2\GameBox.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Users\Dad\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Users\Dad\AppData\Local\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\Users\Dad\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Dad\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Java\jre6\launch4j-tmp\jvm.exe
C:\Users\Dad\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\Dad\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Dad\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Presario&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Presario&pf=desktop
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\18.5.0.125\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\18.5.0.125\ips\IPSBHO.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\18.5.0.125\coIEPlg.dll
TB: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {65F8A3D2-4C22-4A33-9633-73167EAEEC45} - No File
uRun: [Google Update] "c:\users\dad\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [snkbot42] c:\users\dad\appdata\roaming\snkbot42\snkbot42.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [Java™ Virtual Machine] c:\program files\java\jre6\bin\jvm.exe
mRun: [snkbot42] c:\users\dad\appdata\roaming\snkbot42\snkbot42.exe
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
uExplorerRun: [Policies] c:\program files\common files\google\windir86.exe
mExplorerRun: [Policies] c:\program files\common files\google\windir86.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: &Search
IE: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
LSP: c:\windows\system32\wpclsp.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: turbotax.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
mASetup: {12F492E2-04A9-E5D9-3761-63FF3ECA329E} - cmd /q /c start "" /i /b javaw -classpath "c:\users\dad\appdata\local\temp\jar_cache3883580663895650304.tmp" a
mASetup: {963286B6-02C8-BEF8-51D9-D5335BAC568B} - cmd /q /c start "" /i /b javaw -classpath "c:\users\dad\appdata\local\temp\jar_cache3006798271820481536.tmp" a
mASetup: {J71T6Q7B-70SW-C8J8-32PK-8361QR5M1G54} - c:\program files\common files\google\windir86.exe

================= FIREFOX ===================

FF - ProfilePath - c:\users\dad\appdata\roaming\mozilla\firefox\profiles\az1hwvx6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query=
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\coffplgn\components\coFFPlgn.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\users\dad\appdata\roaming\mozilla\firefox\profiles\az1hwvx6.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\users\dad\appdata\roaming\mozilla\firefox\profiles\az1hwvx6.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\users\dad\appdata\local\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\users\dad\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\users\dad\appdata\roaming\mozilla\firefox\profiles\az1hwvx6.default\extensions\battlefieldheroespatcher@ea.com\platform\winnt_x86-msvc\plugins\npBFHUpdater.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Autofill Forms: autofillForms@blueimp.net - %profile%\extensions\autofillForms@blueimp.net
FF - Ext: Battlefield Heroes Updater: battlefieldheroespatcher@ea.com - %profile%\extensions\battlefieldheroespatcher@ea.com
FF - Ext: fireform: fireform@mozilla.org - %profile%\extensions\fireform@mozilla.org
FF - Ext: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - %profile%\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
FF - Ext: ReloadEvery: {888d99e7-e8b5-46a3-851e-1ec45da1e644} - %profile%\extensions\{888d99e7-e8b5-46a3-851e-1ec45da1e644}
FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Norton IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\IPSFFPlgn
FF - Ext: Norton Toolbar: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62} - c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\coFFPlgn

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1205000.07d\symds.sys [2011-1-6 340016]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1205000.07d\symefa.sys [2011-1-6 652336]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\bashdefs\20110114.001\BHDrvx86.sys [2011-1-18 691248]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\ipsdefs\20110225.001\IDSvix86.sys [2011-2-25 353912]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1205000.07d\ironx86.sys [2011-1-6 136312]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nis\1205000.07d\symtdiv.sys [2011-1-6 330360]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2006-11-2 22016]
R2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x32.sys [2010-11-1 20328]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-29 102448]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2006-11-2 16896]
R3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\drivers\WSDScan.sys [2006-11-2 19968]
S3 TesDrvPt;TesDrvPt;c:\windows\system32\TesDrvPt.sys [2010-4-4 16976]
S3 TesSafe;TesSafe;c:\windows\system32\TesSafe.sys [2010-4-4 189752]

=============== File Associations ===============

jsefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*

=============== Created Last 30 ================

2011-02-28 20:22:39 54016 ----a-w- c:\windows\system32\drivers\hcvpyl.sys
2011-02-26 22:47:08 -------- d-----w- c:\program files\common files\Google
2011-02-26 07:10:25 5943120 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{4f27afdd-d092-4822-ae87-92150b1a91e9}\mpengine.dll
2011-02-22 22:02:03 -------- d-----w- c:\windows\system32\System32
2011-02-22 22:01:43 -------- d-sh--w- c:\users\dad\appdata\roaming\snkbot42
2011-02-19 18:54:15 -------- d-----w- c:\program files\PowerISO
2011-01-30 20:14:26 -------- d-----w- c:\users\dad\appdata\roaming\Macro Recorder
2011-01-30 20:13:25 44032 ----a-w- c:\windows\system32\SystemHookCore.dll

==================== Find3M ====================

2011-02-02 22:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe

============= FINISH: 15:28:15.50 ===============

#2 screen317

screen317

    MBAM Sentinel

  • Moderators
  • 19,486 posts
  • Gender:Male
  • Location:New Haven, CT

Posted 01 March 2011 - 12:58 AM

Hi and welcome to Malwarebytes.


I'm afraid I have bad news.

Your logs reveal a keylogging trojan. A keylogger severely compromises system integrity.

A compromised system may allow illicit network connections, disabling of security software, modifying critical system files and collection and transmission of personally identifiable information without your consent.

I recommend that you disconnect this PC from the Internet immediately, and only reconnect to download any tools that are required. If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. If it were on my PC I would not hesitate for a moment to do so. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy.

Should you have any questions, please feel free to ask.

Let me know what you decide.
Chris Fistonich
Research Team

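The triage behind a diagnosis like the one above, as an added example (not tooling from this forum or its helpers): a small Python rule set run over DDS/MBAM-style lines constructed from the logs in post #1. It flags the hand-made CLSIDs with non-hex characters in the Active Setup entries, autoruns launched from user-writable directories, Policies\Explorer\Run entries, the nested System32\System32 path, and EnableLUA = 0. The rule names and the directory list are this example's own choices.

```python
"""Triage rules for DDS 'Pseudo HJT Report' / MBAM log lines (added example)."""
import re
from typing import List, Tuple

# A well-formed GUID/CLSID is five groups of hex digits. Hand-made persistence keys
# often contain letters outside 0-9A-F, e.g. {T5TBB77L-4678-0MKC-421Q-14416031DYU6}.
GUID_RE = re.compile(
    r"\{([0-9A-Za-z]{8})-([0-9A-Za-z]{4})-([0-9A-Za-z]{4})-([0-9A-Za-z]{4})-([0-9A-Za-z]{12})\}"
)
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")

# Directories an ordinary user can write to; an autorun pointing here deserves a look.
# (Assumption of this example: the list is illustrative, not exhaustive.)
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\users\\public\\")

# DDS prefixes for Run, Policies\Explorer\Run and Active Setup entries.
AUTORUN_PREFIXES = ("urun:", "mrun:", "uexplorerrun:", "mexplorerrun:", "masetup:", "uasetup:")


def malformed_guids(line: str) -> List[str]:
    """Return every brace-delimited GUID on the line whose groups are not pure hex."""
    return [m.group(0) for m in GUID_RE.finditer(line)
            if not all(HEX_RE.match(g) for g in m.groups())]


def triage_line(line: str) -> List[str]:
    """Return the rule names a single log line trips (empty list when clean)."""
    hits: List[str] = []
    lower = line.lower()
    if malformed_guids(line):
        hits.append("malformed-guid")
    if lower.startswith(AUTORUN_PREFIXES):
        if any(d in lower for d in USER_WRITABLE):
            hits.append("autorun-from-user-writable-dir")
        if lower.startswith(("uexplorerrun:", "mexplorerrun:")):
            # Policies\Explorer\Run is rarely used by legitimate software.
            hits.append("policies-explorer-run")
        if "cmd " in lower and "javaw" in lower:
            # Active Setup entry that spawns cmd to launch a Java class from a temp jar.
            hits.append("activesetup-launches-interpreter")
    if "\\system32\\system32\\" in lower:
        # A directory named System32 inside System32 mimics the real system folder.
        hits.append("nested-system32-path")
    if lower.startswith("mpolicies-system:") and "enablelua = 0" in lower:
        hits.append("uac-disabled")
    return hits


def triage(lines) -> List[Tuple[str, str]]:
    """Run every rule over every line; returns (rule, line) pairs in input order."""
    findings: List[Tuple[str, str]] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        for rule in triage_line(line):
            findings.append((rule, line))
    return findings


# Constructed sample: lines copied from the DDS and MBAM logs in post #1 of this thread,
# plus two benign entries (Google Update, Adobe BHO) to show what does not fire.
SAMPLE = r"""
uRun: [Google Update] "c:\users\dad\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [snkbot42] c:\users\dad\appdata\roaming\snkbot42\snkbot42.exe
mExplorerRun: [Policies] c:\program files\common files\google\windir86.exe
mPolicies-system: EnableLUA = 0 (0x0)
mASetup: {12F492E2-04A9-E5D9-3761-63FF3ECA329E} - cmd /q /c start "" /i /b javaw -classpath "c:\users\dad\appdata\local\temp\jar_cache3883580663895650304.tmp" a
mASetup: {J71T6Q7B-70SW-C8J8-32PK-8361QR5M1G54} - c:\program files\common files\google\windir86.exe
c:\Windows\System32\System32\hdd.exe.exe (Password.Stealer)
HKEY_CLASSES_ROOT\CLSID\{T5TBB77L-4678-0MKC-421Q-14416031DYU6} (Password.Stealer)
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
"""


def triage_sample() -> List[Tuple[str, str]]:
    """Convenience wrapper: run the rules over the constructed sample above."""
    return triage(SAMPLE.splitlines())


if __name__ == "__main__":
    for rule, line in triage_sample():
        print(f"[{rule}] {line}")
```

Feed it a full DDS log via `triage(open(path).readlines())`; the benign Google Update and Adobe entries in the sample stay silent while the seven suspicious lines produce eight findings.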

#3 ryan3k3

ryan3k3

    New Member

  • Members
  • 12 posts

Posted 01 March 2011 - 06:37 AM

I don't do any online banking or anything else with a credit card at all on this computer, so I don't think I would be at risk for CC fraud. I would like to continue to try and clean this computer up. Thank you.

#4 screen317

screen317

    MBAM Sentinel

  • Moderators
  • 19,486 posts
  • Gender:Male
  • Location:New Haven, CT

Posted 01 March 2011 - 02:10 PM

Okay thanks for letting me know.


Please go to VirusTotal, and upload the following files for analysis:
c:\users\dad\appdata\roaming\snkbot42\snkbot42.exe
c:\program files\java\jre6\bin\jvm.exe


Post the results in your reply.


Next, update MBAM, run a Quick Scan, and post its log.


Next, please visit this webpage for instructions for running ComboFix:
http://www.bleepingc...to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.


-screen317
Chris Fistonich
Research Team


#5 ryan3k3

ryan3k3

    New Member

  • Members
  • 12 posts

Posted 01 March 2011 - 04:19 PM

Hello. I was unable to find the snkbot file where you said it would be located, and a search of the system did not reveal it. I uploaded the other file and it had no results at all. Below are the MBAM, ComboFix, and DDS logs.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5919

Windows 6.0.6000
Internet Explorer 7.0.6000.16982

3/1/2011 2:58:40 PM
mbam-log-2011-03-01 (14-58-40).txt

Scan type: Quick scan
Objects scanned: 175788
Time elapsed: 16 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{J71T6Q7B-70SW-C8J8-32PK-8361QR5M1G54} (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{J71T6Q7B-70SW-C8J8-32PK-8361QR5M1G54} (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{J71T6Q7B-70SW-C8J8-32PK-8361QR5M1G54} (Backdoor.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies (Backdoor.Agent) -> Value: Policies -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies (Backdoor.Agent) -> Value: Policies -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\snkbot42 (Backdoor.Agent) -> Value: snkbot42 -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\snkbot42 (Backdoor.Agent) -> Value: snkbot42 -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\Users\Dad\AppData\Roaming\snkbot42 (Backdoor.Agent) -> Quarantined and deleted successfully.

Files Infected:
c:\program files\common files\Google\windir86.exe (Backdoor.Agent) -> Quarantined and deleted successfully.
c:\Users\Dad\AppData\Roaming\snkbot42\snkbot42.exe (Backdoor.Agent) -> Quarantined and deleted successfully.




ComboFix 11-02-28.07 - Dad 03/01/2011 15:26:16.1.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.894.253 [GMT -5:00]
Running from: c:\users\Dad\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\CFLog
c:\cflog\CrashLog_20101016.txt
c:\cflog\CrashLog_20101017.txt
c:\cflog\CrashLog_20101205.txt
c:\cflog\CrashLog_20101206.txt
c:\program files\Java\jre6\bin\jvm.exe
c:\users\Dad\AppData\Roaming\sysdirec.dll
c:\windows\ST6UNST.000
c:\windows\system32\system32
c:\windows\system32\system32\data.dat
c:\windows\system32\system32\debug.log
c:\windows\system32\system32\plugin.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TESSAFE
-------\Service_TesSafe


((((((((((((((((((((((((( Files Created from 2011-02-01 to 2011-03-01 )))))))))))))))))))))))))))))))
.

2011-03-01 20:47 . 2011-03-01 20:53 -------- d-----w- c:\users\Dad\AppData\Local\temp
2011-03-01 20:08 . 2011-03-01 20:09 -------- d-----w- C:\32788R22FWJFW
2011-03-01 07:14 . 2011-02-11 06:54 5943120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B8DDBD4D-4E40-4F5D-9003-A99204C2DE04}\mpengine.dll
2011-02-26 22:47 . 2011-03-01 19:58 -------- d-----w- c:\program files\Common Files\Google
2011-02-19 18:54 . 2011-02-26 04:11 -------- d-----w- c:\program files\PowerISO
2011-02-05 22:11 . 2011-02-05 22:11 -------- d-----w- c:\program files\Microsoft Silverlight

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-02 22:11 . 2009-10-05 06:01 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-12-20 23:09 . 2010-12-11 14:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2010-12-11 14:05 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\users\Dad\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-07-17 136176]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-01 4390912]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2010-04-12 180224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R0 svkswf;svkswf;c:\windows\System32\drivers\ciqq.sys [x]
R2 lxdxCATSCustConnectService;lxdxCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxdxserv.exe [2008-02-28 98984]
R3 dump_wmimmc;dump_wmimmc;c:\program files\Softnyx\WolfTeam\GameGuard\dump_wmimmc.sys [x]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2010-03-31 3612600]
R3 TesDrvPt;TesDrvPt;c:\windows\system32\TesDrvPt.sys [2010-04-04 16976]
R3 TKFsAc;TKFsAc;c:\windows\system32\TKFsAc2k.sys [x]
R3 TKFsAv;TKFsAv;c:\windows\system32\TKFsAv2k.sys [x]
R3 TKFsFt;TKFsFt;c:\windows\system32\TKFsFt2k.sys [x]
R3 TKRgAc;TKRgAc;c:\windows\system32\TKRgAc2k.sys [x]
R3 TKRgFt;TKRgFt;c:\windows\system32\TKRgFtXp.sys [x]
R3 XDva310;XDva310;c:\windows\system32\XDva310.sys [x]
R3 XDva311;XDva311;c:\windows\system32\XDva311.sys [x]
R3 XDva315;XDva315;c:\windows\system32\XDva315.sys [x]
R3 XDva317;XDva317;c:\windows\system32\XDva317.sys [x]
R3 XDva327;XDva327;c:\windows\system32\XDva327.sys [x]
R3 XDva328;XDva328;c:\windows\system32\XDva328.sys [x]
R3 XDva337;XDva337;c:\windows\system32\XDva337.sys [x]
R3 XDva341;XDva341;c:\windows\system32\XDva341.sys [x]
R3 XDva342;XDva342;c:\windows\system32\XDva342.sys [x]
R3 XDva343;XDva343;c:\windows\system32\XDva343.sys [x]
R3 XDva344;XDva344;c:\windows\system32\XDva344.sys [x]
R3 XDva345;XDva345;c:\windows\system32\XDva345.sys [x]
R3 XDva346;XDva346;c:\windows\system32\XDva346.sys [x]
R3 XDva347;XDva347;c:\windows\system32\XDva347.sys [x]
R3 XDva348;XDva348;c:\windows\system32\XDva348.sys [x]
R3 XDva349;XDva349;c:\windows\system32\XDva349.sys [x]
R3 XDva352;XDva352;c:\windows\system32\XDva352.sys [x]
R3 XDva358;XDva358;c:\windows\system32\XDva358.sys [x]
R3 XDva359;XDva359;c:\windows\system32\XDva359.sys [x]
R3 XDva365;XDva365;c:\windows\system32\XDva365.sys [x]
R3 XDva366;XDva366;c:\windows\system32\XDva366.sys [x]
R3 XDva370;XDva370;c:\windows\system32\XDva370.sys [x]
R3 XDva374;XDva374;c:\windows\system32\XDva374.sys [x]
R3 XDva377;XDva377;c:\windows\system32\XDva377.sys [x]
R3 XDva379;XDva379;c:\windows\system32\XDva379.sys [x]
R3 XDva380;XDva380;c:\windows\system32\XDva380.sys [x]
R3 XDva382;XDva382;c:\windows\system32\XDva382.sys [x]
R4 APPSTREAM;APPSTREAM;c:\windows\System32\Drivers\APPSTREAM.SYS [x]
R4 OracleDBConsoletest;OracleDBConsoletest;c:\oracle\Home\bin\nmesrvc.exe [2006-11-14 24064]
R4 OracleJobSchedulerORCL;OracleJobSchedulerORCL;c:\oracle\home\Bin\extjob.exe ORCL [x]
R4 OracleJobSchedulerTEST;OracleJobSchedulerTEST;c:\oracle\home\Bin\extjob.exe TEST [x]
R4 OracleOraDb10g_home1TNSListener;OracleOraDb10g_home1TNSListener;c:\oracle\Home\BIN\TNSLSNR [x]
R4 OracleServiceORCL;OracleServiceORCL;c:\oracle\home\bin\ORACLE.EXE ORCL [x]
R4 OracleServiceTEST;OracleServiceTEST;c:\oracle\home\bin\ORACLE.EXE TEST [x]
R4 REGHOOK;REGHOOK;c:\windows\System32\Drivers\REGHOOK.SYS [x]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R4 VSPD;VSPD;c:\windows\System32\Drivers\VSPD.SYS [x]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1205000.07D\SYMDS.SYS [2010-10-21 340016]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1205000.07D\SYMEFA.SYS [2010-11-18 652336]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20110225.002\BHDrvx86.sys [2011-02-25 800376]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20110228.002\IDSvix86.sys [2010-11-09 353912]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1205000.07D\Ironx86.SYS [2010-11-16 136312]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\Drivers\NIS\1205000.07D\SYMTDIV.SYS [2010-12-01 330360]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2006-11-02 22016]
S2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x32.sys [2010-07-09 20328]
S2 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe [2007-06-20 537264]
S2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe [2008-02-28 594600]
S2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\18.5.0.125\ccSvcHst.exe [2010-11-24 130000]
S2 TeamViewer5;TeamViewer 5;c:\program files\TeamViewer\Version5\TeamViewer_Service.exe [2010-10-06 2002728]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-05-27 102448]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2006-11-02 16896]
S3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\DRIVERS\WSDScan.sys [2006-11-02 19968]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - IPNAT

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder

2011-03-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3758997513-403006732-2371151243-1000Core.job
- c:\users\Dad\AppData\Local\Google\Update\GoogleUpdate.exe [2010-07-17 00:27]

2011-03-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3758997513-403006732-2371151243-1000UA.job
- c:\users\Dad\AppData\Local\Google\Update\GoogleUpdate.exe [2010-07-17 00:27]

2011-02-28 c:\windows\Tasks\User_Feed_Synchronization-{B63ABED8-8A03-47C4-954C-857E69B27A43}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]

2011-03-01 c:\windows\Tasks\User_Feed_Synchronization-{B809D5F3-DF9E-48E6-9B67-CACD3BBF1ECB}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Presario&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\wpclsp.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: turbotax.com
FF - ProfilePath - c:\users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\az1hwvx6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Autofill Forms: autofillForms@blueimp.net - %profile%\extensions\autofillForms@blueimp.net
FF - Ext: Battlefield Heroes Updater: battlefieldheroespatcher@ea.com - %profile%\extensions\battlefieldheroespatcher@ea.com
FF - Ext: fireform: fireform@mozilla.org - %profile%\extensions\fireform@mozilla.org
FF - Ext: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - %profile%\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
FF - Ext: ReloadEvery: {888d99e7-e8b5-46a3-851e-1ec45da1e644} - %profile%\extensions\{888d99e7-e8b5-46a3-851e-1ec45da1e644}
FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Norton IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\IPSFFPlgn
FF - Ext: Norton Toolbar: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62} - c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\coFFPlgn
.
.
------- File Associations -------
.
jsefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{65F8A3D2-4C22-4A33-9633-73167EAEEC45} - (no file)
HKLM-Run-Java™ Virtual Machine - c:\program files\Java\jre6\bin\jvm.exe
HKLM_ActiveSetup-{12F492E2-04A9-E5D9-3761-63FF3ECA329E} - start
HKLM_ActiveSetup-{963286B6-02C8-BEF8-51D9-D5335BAC568B} - start
AddRemove-Age of Mythology 1.0 - c:\program files\Microsoft Games\Age of Mythology\UNINSTAL.EXE
AddRemove-Cheat Engine 5.6.1_is1 - c:\program files\Cheat Engine\unins000.exe
AddRemove-CPUID CPU-Z_is1 - c:\program files\CPUID\CPU-Z\unins000.exe
AddRemove-Dev-C++ - c:\dev-cpp\uninstall.exe
AddRemove-GhostMouse 2.0 - c:\gmouse20\DeIsL1.isu
AddRemove-PowerISO - c:\program files\PowerISO\uninstall.exe
AddRemove-{16C3C822-052E-4CD7-8CEB-AE5352F1E76E}_is1 - c:\program files\MacroRecorder\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-01 15:55
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\18.5.0.125\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\18.5.0.125\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\OracleOraDb10g_home1TNSListener]
"ImagePath"="c:\oracle\Home\BIN\TNSLSNR "
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(4212)
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\program files\Hewlett-Packard\HP Advisor\Pillars\Market\MLDeskBand.dll
c:\windows\System32\netshell.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\windows\System32\LEXBCES.EXE
c:\windows\System32\LEXPPS.EXE
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\windows\system32\WUDFHost.exe
c:\program files\IObit\Game Booster 2\GameBox.exe
c:\windows\system32\DllHost.exe
c:\users\Dad\AppData\Local\Google\Update\1.2.183.39\GoogleCrashHandler.exe
c:\windows\RtHDVCpl.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\lpremove.exe
c:\windows\system32\lpksetup.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2011-03-01 16:10:48 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-01 21:10

Pre-Run: 77,819,138,048 bytes free
Post-Run: 81,113,767,936 bytes free

- - End Of File - - 67E7ABF05127302C723DEEC848B67B7A





DDS (Ver_10-12-12.02) - NTFSx86
Run by Dad at 16:13:06.11 on Tue 03/01/2011
Internet Explorer: 7.0.6000.16982 BrowserJavaVersion: 1.6.0_22
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.894.160 [GMT -5:00]


============== Running Processes ===============

C:\windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\LEXBCES.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\LEXPPS.EXE
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\svchost.exe -k Akamai
C:\Windows\system32\inetsrv\inetinfo.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\lxcycoms.exe
C:\Windows\system32\lxdxcoms.exe
C:\Program Files\Norton Internet Security\Engine\18.5.0.125\ccSvcHst.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
C:\Windows\system32\svchost.exe -k iissvcs
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\Dwm.exe
C:\windows\system32\taskeng.exe
C:\windows\system32\taskeng.exe
C:\Windows\System32\alg.exe
C:\Program Files\IObit\Game Booster 2\GameBox.exe
C:\Program Files\Norton Internet Security\Engine\18.5.0.125\ccSvcHst.exe
C:\Windows\system32\DllHost.exe
C:\Users\Dad\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Users\Dad\AppData\Local\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\Explorer.exe
C:\windows\system32\taskeng.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Dad\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Presario&pf=desktop
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\18.5.0.125\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\18.5.0.125\ips\IPSBHO.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\18.5.0.125\coIEPlg.dll
TB: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [Google Update] "c:\users\dad\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mPolicies-system: EnableLUA = 0 (0x0)
IE: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
LSP: c:\windows\system32\wpclsp.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: turbotax.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\dad\appdata\roaming\mozilla\firefox\profiles\az1hwvx6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query=
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\coffplgn\components\coFFPlgn.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\users\dad\appdata\roaming\mozilla\firefox\profiles\az1hwvx6.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\users\dad\appdata\roaming\mozilla\firefox\profiles\az1hwvx6.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Autofill Forms: autofillForms@blueimp.net - %profile%\extensions\autofillForms@blueimp.net
FF - Ext: Battlefield Heroes Updater: battlefieldheroespatcher@ea.com - %profile%\extensions\battlefieldheroespatcher@ea.com
FF - Ext: fireform: fireform@mozilla.org - %profile%\extensions\fireform@mozilla.org
FF - Ext: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - %profile%\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
FF - Ext: ReloadEvery: {888d99e7-e8b5-46a3-851e-1ec45da1e644} - %profile%\extensions\{888d99e7-e8b5-46a3-851e-1ec45da1e644}
FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Norton IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\IPSFFPlgn
FF - Ext: Norton Toolbar: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62} - c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\coFFPlgn

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1205000.07d\symds.sys [2011-1-6 340016]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1205000.07d\symefa.sys [2011-1-6 652336]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\bashdefs\20110225.002\BHDrvx86.sys [2011-2-25 800376]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\ipsdefs\20110228.002\IDSvix86.sys [2011-3-1 353912]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1205000.07d\ironx86.sys [2011-1-6 136312]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nis\1205000.07d\symtdiv.sys [2011-1-6 330360]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2006-11-2 22016]
R2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x32.sys [2010-11-1 20328]
R2 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
R2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe -service --> c:\windows\system32\lxdxcoms.exe -service [?]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\18.5.0.125\ccsvchst.exe [2011-1-6 130000]
R2 TeamViewer5;TeamViewer 5;c:\program files\teamviewer\version5\TeamViewer_Service.exe [2010-10-8 2002728]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-29 102448]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2006-11-2 16896]
R3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\drivers\WSDScan.sys [2006-11-2 19968]
S2 lxdxCATSCustConnectService;lxdxCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdxserv.exe [2009-5-28 98984]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 TesDrvPt;TesDrvPt;c:\windows\system32\TesDrvPt.sys [2010-4-4 16976]
S4 OracleDBConsoletest;OracleDBConsoletest;c:\oracle\home\bin\nmesrvc.exe [2008-6-4 24064]
S4 OracleJobSchedulerORCL;OracleJobSchedulerORCL;c:\oracle\home\bin\extjob.exe orcl --> c:\oracle\home\bin\extjob.exe ORCL [?]
S4 OracleJobSchedulerTEST;OracleJobSchedulerTEST;c:\oracle\home\bin\extjob.exe test --> c:\oracle\home\bin\extjob.exe TEST [?]
S4 OracleOraDb10g_home1TNSListener;OracleOraDb10g_home1TNSListener;c:\oracle\home\bin\tnslsnr --> c:\oracle\home\bin\TNSLSNR [?]
S4 OracleServiceORCL;OracleServiceORCL;c:\oracle\home\bin\oracle.exe orcl --> c:\oracle\home\bin\ORACLE.EXE ORCL [?]
S4 OracleServiceTEST;OracleServiceTEST;c:\oracle\home\bin\oracle.exe test --> c:\oracle\home\bin\ORACLE.EXE TEST [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-5-2 24652]

=============== File Associations ===============

jsefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*

=============== Created Last 30 ================

2011-03-01 21:10:56 -------- d-----w- c:\users\dad\appdata\local\temp
2011-03-01 21:06:22 -------- d-sh--w- C:\$RECYCLE.BIN
2011-03-01 20:12:26 98816 ----a-w- c:\windows\sed.exe
2011-03-01 20:12:26 89088 ----a-w- c:\windows\MBR.exe
2011-03-01 20:12:26 256512 ----a-w- c:\windows\PEV.exe
2011-03-01 20:12:26 161792 ----a-w- c:\windows\SWREG.exe
2011-03-01 20:09:55 -------- d-----w- C:\ComboFix
2011-03-01 07:14:56 5943120 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{b8ddbd4d-4e40-4f5d-9003-a99204c2de04}\mpengine.dll
2011-02-26 22:47:08 -------- d-----w- c:\program files\common files\Google
2011-02-19 18:54:15 -------- d-----w- c:\program files\PowerISO

==================== Find3M ====================

2011-02-02 22:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe

============= FINISH: 16:14:33.20 ===============

#6 screen317

screen317 (MBAM Sentinel, Moderators, 19,486 posts, Gender: Male, Location: New Haven, CT)

Posted 01 March 2011 - 04:28 PM

Hi,

What security software are you currently running?

Please update MBAM again, run a Quick Scan, and post its log.



Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.


Next, please open Notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the box below into Notepad:

DDS::
TB: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
KILLALL::
File::
c:\windows\System32\drivers\ciqq.sys
Driver::
svkswf
TKFsAc
TKFsAv
TKFsFt
TKRgAc
TKRgFt
XDva310
XDva311
XDva315
XDva317
XDva327
XDva328
XDva337
XDva341
XDva342
XDva343
XDva344
XDva345
XDva346
XDva347
XDva348
XDva349
XDva352
XDva358
XDva359
XDva365
XDva366
XDva370
XDva374
XDva377
XDva379
XDva380
XDva382

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: the saved CFScript being dragged onto ComboFix.exe]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new DDS log.


-screen317
Chris Fistonich
Research Team


#7 ryan3k3

ryan3k3 (New Member, Members, 12 posts)

Posted 01 March 2011 - 05:34 PM

Hello. After running the ComboFix script, an IE icon appeared on my desktop. I didn't click on it at all, but the homepage is something from Norton. To your other question, I'm using Norton Internet Security 2009. Here are the logs you wanted.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5920

Windows 6.0.6000
Internet Explorer 7.0.6000.16982

3/1/2011 4:37:01 PM
mbam-log-2011-03-01 (16-37-01).txt

Scan type: Quick scan
Objects scanned: 176927
Time elapsed: 7 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)





ComboFix 11-02-28.07 - Dad 03/01/2011 16:43:01.2.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.894.287 [GMT -5:00]
Running from: c:\users\Dad\Desktop\ComboFix.exe
Command switches used :: c:\users\Dad\Desktop\CFScript.txt
* Created a new restore point

FILE ::
"c:\windows\System32\drivers\ciqq.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TKFSAC
-------\Legacy_TKFSAV
-------\Legacy_TKFSFT
-------\Legacy_TKRGAC
-------\Legacy_TKRGFT
-------\Legacy_XDVA310
-------\Legacy_XDVA311
-------\Legacy_XDVA315
-------\Legacy_XDVA317
-------\Legacy_XDVA327
-------\Legacy_XDVA328
-------\Legacy_XDVA337
-------\Legacy_XDVA341
-------\Legacy_XDVA342
-------\Legacy_XDVA343
-------\Legacy_XDVA344
-------\Legacy_XDVA345
-------\Legacy_XDVA346
-------\Legacy_XDVA347
-------\Legacy_XDVA348
-------\Legacy_XDVA349
-------\Legacy_XDVA352
-------\Legacy_XDVA358
-------\Legacy_XDVA359
-------\Legacy_XDVA365
-------\Legacy_XDVA366
-------\Legacy_XDVA370
-------\Legacy_XDVA374
-------\Legacy_XDVA377
-------\Legacy_XDVA379
-------\Legacy_XDVA380
-------\Legacy_XDVA382
-------\Service_svkswf
-------\Service_TKFsAc
-------\Service_TKFsAv
-------\Service_TKFsFt
-------\Service_TKRgAc
-------\Service_TKRgFt
-------\Service_XDva310
-------\Service_XDva311
-------\Service_XDva315
-------\Service_XDva317
-------\Service_XDva327
-------\Service_XDva328
-------\Service_XDva337
-------\Service_XDva341
-------\Service_XDva342
-------\Service_XDva343
-------\Service_XDva344
-------\Service_XDva345
-------\Service_XDva346
-------\Service_XDva347
-------\Service_XDva348
-------\Service_XDva349
-------\Service_XDva352
-------\Service_XDva358
-------\Service_XDva359
-------\Service_XDva365
-------\Service_XDva366
-------\Service_XDva370
-------\Service_XDva374
-------\Service_XDva377
-------\Service_XDva379
-------\Service_XDva380
-------\Service_XDva382


((((((((((((((((((((((((( Files Created from 2011-02-01 to 2011-03-01 )))))))))))))))))))))))))))))))
.

2011-03-01 22:01 . 2011-03-01 22:06 -------- d-----w- c:\users\Dad\AppData\Local\temp
2011-03-01 22:01 . 2011-03-01 22:01 -------- d-----w- c:\users\Mom\AppData\Local\temp
2011-03-01 22:01 . 2011-03-01 22:01 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-03-01 22:01 . 2011-03-01 22:01 -------- d-----w- c:\users\Boys\AppData\Local\temp
2011-03-01 21:39 . 2011-03-01 21:40 -------- d-----w- C:\32788R22FWJFW
2011-03-01 07:14 . 2011-02-11 06:54 5943120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B8DDBD4D-4E40-4F5D-9003-A99204C2DE04}\mpengine.dll
2011-02-26 22:47 . 2011-03-01 19:58 -------- d-----w- c:\program files\Common Files\Google
2011-02-19 18:54 . 2011-02-26 04:11 -------- d-----w- c:\program files\PowerISO
2011-02-05 22:11 . 2011-02-05 22:11 -------- d-----w- c:\program files\Microsoft Silverlight

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-02 22:11 . 2009-10-05 06:01 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-12-20 23:09 . 2010-12-11 14:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2010-12-11 14:05 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\users\Dad\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-07-17 136176]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-01 4390912]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2010-04-12 180224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R2 lxdxCATSCustConnectService;lxdxCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxdxserv.exe [2008-02-28 98984]
R3 dump_wmimmc;dump_wmimmc;c:\program files\Softnyx\WolfTeam\GameGuard\dump_wmimmc.sys [x]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2010-03-31 3612600]
R3 TesDrvPt;TesDrvPt;c:\windows\system32\TesDrvPt.sys [2010-04-04 16976]
R4 APPSTREAM;APPSTREAM;c:\windows\System32\Drivers\APPSTREAM.SYS [x]
R4 OracleDBConsoletest;OracleDBConsoletest;c:\oracle\Home\bin\nmesrvc.exe [2006-11-14 24064]
R4 OracleJobSchedulerORCL;OracleJobSchedulerORCL;c:\oracle\home\Bin\extjob.exe ORCL [x]
R4 OracleJobSchedulerTEST;OracleJobSchedulerTEST;c:\oracle\home\Bin\extjob.exe TEST [x]
R4 OracleOraDb10g_home1TNSListener;OracleOraDb10g_home1TNSListener;c:\oracle\Home\BIN\TNSLSNR [x]
R4 OracleServiceORCL;OracleServiceORCL;c:\oracle\home\bin\ORACLE.EXE ORCL [x]
R4 OracleServiceTEST;OracleServiceTEST;c:\oracle\home\bin\ORACLE.EXE TEST [x]
R4 REGHOOK;REGHOOK;c:\windows\System32\Drivers\REGHOOK.SYS [x]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R4 VSPD;VSPD;c:\windows\System32\Drivers\VSPD.SYS [x]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1205000.07D\SYMDS.SYS [2010-10-21 340016]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1205000.07D\SYMEFA.SYS [2010-11-18 652336]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20110225.002\BHDrvx86.sys [2011-02-25 800376]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20110228.002\IDSvix86.sys [2010-11-09 353912]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1205000.07D\Ironx86.SYS [2010-11-16 136312]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\Drivers\NIS\1205000.07D\SYMTDIV.SYS [2010-12-01 330360]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2006-11-02 22016]
S2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x32.sys [2010-07-09 20328]
S2 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe [2007-06-20 537264]
S2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe [2008-02-28 594600]
S2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\18.5.0.125\ccSvcHst.exe [2010-11-24 130000]
S2 TeamViewer5;TeamViewer 5;c:\program files\TeamViewer\Version5\TeamViewer_Service.exe [2010-10-06 2002728]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-05-27 102448]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2006-11-02 16896]
S3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\DRIVERS\WSDScan.sys [2006-11-02 19968]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder

2011-03-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3758997513-403006732-2371151243-1000Core.job
- c:\users\Dad\AppData\Local\Google\Update\GoogleUpdate.exe [2010-07-17 00:27]

2011-03-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3758997513-403006732-2371151243-1000UA.job
- c:\users\Dad\AppData\Local\Google\Update\GoogleUpdate.exe [2010-07-17 00:27]

2011-02-28 c:\windows\Tasks\User_Feed_Synchronization-{B63ABED8-8A03-47C4-954C-857E69B27A43}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]

2011-03-01 c:\windows\Tasks\User_Feed_Synchronization-{B809D5F3-DF9E-48E6-9B67-CACD3BBF1ECB}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Presario&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\wpclsp.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: turbotax.com
FF - ProfilePath - c:\users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\az1hwvx6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Autofill Forms: autofillForms@blueimp.net - %profile%\extensions\autofillForms@blueimp.net
FF - Ext: Battlefield Heroes Updater: battlefieldheroespatcher@ea.com - %profile%\extensions\battlefieldheroespatcher@ea.com
FF - Ext: fireform: fireform@mozilla.org - %profile%\extensions\fireform@mozilla.org
FF - Ext: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - %profile%\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
FF - Ext: ReloadEvery: {888d99e7-e8b5-46a3-851e-1ec45da1e644} - %profile%\extensions\{888d99e7-e8b5-46a3-851e-1ec45da1e644}
FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Norton IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\IPSFFPlgn
FF - Ext: Norton Toolbar: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62} - c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\coFFPlgn
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-01 17:05
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\18.5.0.125\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\18.5.0.125\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\OracleOraDb10g_home1TNSListener]
"ImagePath"="c:\oracle\Home\BIN\TNSLSNR "
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(5644)
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\program files\Hewlett-Packard\HP Advisor\Pillars\Market\MLDeskBand.dll
c:\windows\System32\NLSData0009.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\windows\System32\LEXBCES.EXE
c:\windows\System32\LEXPPS.EXE
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\windows\system32\WUDFHost.exe
c:\program files\IObit\Game Booster 2\GameBox.exe
c:\windows\system32\DllHost.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\windows\RtHDVCpl.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\users\Dad\AppData\Local\Google\Update\1.2.183.39\GoogleCrashHandler.exe
c:\windows\system32\lpremove.exe
c:\windows\system32\RacAgent.exe
c:\windows\system32\lpksetup.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2011-03-01 17:23:01 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-01 22:19
ComboFix2.txt 2011-03-01 21:10

Pre-Run: 81,117,040,640 bytes free
Post-Run: 80,965,464,064 bytes free

- - End Of File - - 2E1D708D09F55D5F26CC6D01A6E08BF8

DDS (Ver_10-12-12.02) - NTFSx86
Run by Dad at 17:27:26.96 on Tue 03/01/2011
Internet Explorer: 7.0.6000.16982 BrowserJavaVersion: 1.6.0_22

============== Running Processes ===============

C:\windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\LEXBCES.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\LEXPPS.EXE
C:\Windows\system32\inetsrv\inetinfo.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\lxcycoms.exe
C:\Windows\system32\lxdxcoms.exe
C:\Program Files\Norton Internet Security\Engine\18.5.0.125\ccSvcHst.exe
C:\Windows\system32\PnkBstrA.exe
C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\WUDFHost.exe
C:\windows\system32\taskeng.exe
C:\Windows\System32\alg.exe
C:\windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\IObit\Game Booster 2\GameBox.exe
C:\Program Files\Norton Internet Security\Engine\18.5.0.125\ccSvcHst.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Users\Dad\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Users\Dad\AppData\Local\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\Explorer.exe
C:\windows\system32\taskeng.exe
C:\Windows\system32\lpremove.exe
C:\Windows\system32\lpksetup.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Dad\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\svchost.exe -k Akamai
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k iissvcs
C:\Windows\System32\svchost.exe -k WerSvcGroup

#8 screen317

    MBAM Sentinel

  • Moderators
  • 19,486 posts
  • Gender:Male
  • Location:New Haven, CT

Posted 04 March 2011 - 03:47 PM

Hi,

My apologies for the delay.

Next, please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are both checked
  • Click Scan
  • Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


Next, download my Security Check from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317
Chris Fistonich
Research Team

Follow us: Twitter, Become a fan: Facebook

#9 ryan3k3

    New Member

  • Members
  • 12 posts

Posted 04 March 2011 - 09:06 PM

Here are the logs. Things have been going well, but on a side note, for some time I have been unable to install Windows updates of any kind. Should I make a new thread in PC help or continue here?

Results of screen317's Security Check version 0.99.9
Windows Vista (UAC is disabled!)
Out of date service pack!!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
ESET Online Scanner v3
Norton Internet Security
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
CCleaner
Java™ 6 Update 22
Java™ SE Development Kit 6 Update 21
Out of date Java installed!
Adobe Flash Player 10.1.102.64
Adobe Reader 9.2
Out of date Adobe Reader installed!
Mozilla Firefox (3.5.11) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Norton ccSvcHst.exe
``````````End of Log````````````


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.16386 (vista_rtm.061101-2205)
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=a850d5f0515bf54cbdfba110549408d0
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-03-05 01:55:16
# local_time=2011-03-04 08:55:16 (-0500, Eastern Standard Time)
# country="United States"
# lang=9
# osver=6.0.6000 NT
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=3588 16777190 85 82 364056 8382354 0 0
# compatibility_mode=5892 16776573 100 100 0 135886562 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=216796
# found=2
# cleaned=2
# scan_time=11145
C:\Program Files\Java\jre6\bin\proc.exe a variant of MSIL/Injector.EA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Java\jre6\bin\proc2.exe a variant of MSIL/Injector.EA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

#10 screen317

    MBAM Sentinel

  • Moderators
  • 19,486 posts
  • Gender:Male
  • Location:New Haven, CT

Posted 06 March 2011 - 10:21 PM

Hi,

Open Firefox, then click Help --> Check for Updates; ensure that you get version 3.6.15


After that, navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall

This uninstalls all of ComboFix's components.

Delete SecurityCheck.



After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following programs (if present):

Java™ 6 Update 22
Java™ SE Development Kit 6 Update 21
Adobe Flash Player 10.1.102.64
Adobe Reader 9.2


Restart your computer.

Get the latest version of Java, Adobe Reader, and Adobe Flash Player.


Please download CCleaner and save it to your desktop.
  • Run the CCleaner installer.
  • During installation process, please UNCHECK "Add CCleaner Yahoo! Toolbar".
  • Please do NOT run a scan yet!
Now, open CCleaner:
  • Click the "Windows" tab.
  • Select the following:
    • Check everything under the "Internet Explorer" section.
    • Check everything under the "Windows Explorer" section.
    • Check everything under the "System" section.
    • Check ONLY "Old Prefetch data" under the "Advanced" section.
  • Then, click the "Applications" tab:
    • CHECK everything there.
  • Next, click the "Options" button in the left pane, then click the "Advanced" button:
    • CHECK : "Only delete files in Windows Temp folders older than 48 hours".
  • Next, click the "Cleaner" button in the left pane, then click the "Run Cleaner" button (bottom right), click "OK" at the prompt.
  • When done, please exit CCleaner.
CAUTION: Please do NOT use the "Issues" button in the left pane. This is a built-in registry cleaner. If you don’t know how to use it, you may cause irreparable damage to your system.


Try doing a Windows Update. Are there any errors? If so, post them here.

-screen317

#11 ryan3k3

    New Member

  • Members
  • 12 posts

Posted 06 March 2011 - 11:43 PM

I get two errors. One is "Windows cannot check for updates" with the error code 8024D008. I also have many failed attempts (Seems like over two years) at updating Windows Update software 7.4.7600.226.

Installation date: 3/6/2011 11:33 PM

Installation status: Failed

Error details: Code 8007041D

Update type: Important

#12 screen317

    MBAM Sentinel

  • Moderators
  • 19,486 posts
  • Gender:Male
  • Location:New Haven, CT

Posted 07 March 2011 - 12:15 AM

Do you know what Service Pack you currently have installed?

#13 ryan3k3

    New Member

  • Members
  • 12 posts

Posted 07 March 2011 - 02:48 PM

I checked what service pack I have in the properties under My Computer, but it does not say I have any installed. It says it was successfully installed SP1 under my update history though.

#14 screen317

    MBAM Sentinel

  • Moderators
  • 19,486 posts
  • Gender:Male
  • Location:New Haven, CT

Posted 07 March 2011 - 05:12 PM

Download Service Pack 2 manually from here:

http://www.microsoft...&displaylang=en


Ensure that you are disconnected from the Internet and that all security programs are disabled while installing it.


When it finishes, restart your computer, enable your security software, and reconnect to the Internet. See if you can access Windows Update now.

#15 ryan3k3

    New Member

  • Members
  • 12 posts

Posted 08 March 2011 - 05:09 PM

Just a heads up on what I'm doing. I never did have SP1 installed, so I guess it was a failed installation. I downloaded the standalone SP1, which I installed successfully, and I'm in the middle of installing SP2 at the moment.

#16 ryan3k3

    New Member

  • Members
  • 12 posts

Posted 09 March 2011 - 08:16 PM

I have now successfully installed both SP1 and SP2, but I am still failing the update for Windows Update.

#17 screen317

    MBAM Sentinel

  • Moderators
  • 19,486 posts
  • Gender:Male
  • Location:New Haven, CT

Posted 11 March 2011 - 03:13 AM

Are you still getting both errors?

Can you post a screenshot of them?

#18 ryan3k3

    New Member

  • Members
  • 12 posts

Posted 11 March 2011 - 08:59 PM

Well, I tried updating last night and I installed multiple security fixes and others successfully, but I am still failing Windows Update software 7.4.7600.226. When I tried to search for updates, I got this:
Posted Image

#19 ryan3k3

    New Member

  • Members
  • 12 posts

Posted 12 March 2011 - 11:03 AM

Well, it looks like my problem is fixed. I looked some things up online and re-registered wuaeng.dll, and I successfully downloaded that update for Windows Update. Thank you for all your help.

#20 screen317

    MBAM Sentinel

  • Moderators
  • 19,486 posts
  • Gender:Male
  • Location:New Haven, CT

Posted 12 March 2011 - 06:27 PM

Glad to hear it! :D

Run SecurityCheck again please (get a fresh copy) and post its log.