Anti-virus closes when scanning, intermittent pop-ups

Anti-virus closes when scanning, intermittent pop-ups

Post by Phixius on Sun Sep 27, 2009 8:20 am

Hello
I have been having the same issue as others that I have read on this post. Intermittent pop-ups, and all virus scanning software I try closes and will not restart unless the application is reinstalled.
I have been at this all day and it's very late so please excuse the typos.
I am running Windows XP full version SP, IE7, Java 6 Update 16, and as of a month ago had the most recent critical updates. I have (had) Norton Internet Security, latest download, running (it has since been removed); I thought it was corrupted before I realised what was going on. I have tried Spybot and Adaware; they run but don't produce anything but DSO Exploit and a possible extension hack, but don't seem to clean them out. I have also tried HijackThis and Malwarebytes, but they also only run for a few seconds so I cannot generate a log file. I have tried both of the above in safe mode as well. I don't usually get beat by these things but this one is smarter than I am, at least at this hour.

Could you possibly point me in the right direction to try to track down what this devil is and how to remove it? I was about to reformat, but I thought since the posts here are very concise and seem to be well executed, I would hold off on the big format project.

Thank you in advance for any suggestions you can make.

Phixius
Novice
Posts: 7
Joined: 2009-09-27
OS: XP
Points: 26269
Likes: 0

Re: Anti-virus closes when scanning, intermittent pop-ups

Post by Belahzur on Sun Sep 27, 2009 5:10 pm

Hello.
Do you get any permission denied errors when running programs?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts: 34916
Joined: 2008-08-03
Gender: Male
OS: XP SP3 Media Centre
Points: 245059
Likes: 1

Re: Anti-virus closes when scanning, intermittent pop-ups

Post by Phixius on Sun Sep 27, 2009 6:34 pm

Not when I run programs (yet). It's only when I try to perform a virus scan; they run for about 7 sec then just close. When I try to restart them I get the "can't find or you do not have permission to access" window. I did reinstall Norton and upgraded to Internet 2010. I tried to run a scan and it closed like normal so I had to reinstall. I did however manage to get HijackThis to run; I had an older version (1.98), I don't know if it matters. Another thing I did not mention is I cannot get to Windows Update, the page never loads (it does on my other computers), so the site is fine. I tried Malware again after I got the log file from Hijack, but Malware just closes after a couple of seconds. When I try to delete the old Hijack.exe files that failed, I get an access denied. Something is blocking the scans and then disabling the EXE file, I just can't track it down.
Below is the log file from Hijack:

Logfile of HijackThis v1.98.0
Scan saved at 11:23:21 AM, on 9/27/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\IKON\IKON VPN Client\cvpnd.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\eCopy\Desktop 9.2\Bin\eDP2eD.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Engine\17.0.0.136\ccSvcHst.exe
C:\WINDOWS\system32\SAgent4.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Norton Internet Security\Engine\17.0.0.136\ccSvcHst.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
C:\PROGRA~1\WINZIP\winzip32.exe
D:\Vscan\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\17.0.0.136\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\17.0.0.136\IPSBHO.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Embarq Toolbar - {4E7BD74F-2B8D-469E-92BE-BF2DFE9AAE2C} - C:\PROGRA~1\EMBARQ~1\EMBARQ~1.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\17.0.0.136\coIEPlg.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P39 "EPSON Stylus Photo R300 Series (Copy 1)" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\Pinnacle\PPE\ppe.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [eDP2eD] "C:\Program Files\eCopy\Desktop 9.2\Bin\eDP2eD.exe"
O4 - HKLM\..\Run: [eCopy Scan Inbox Monitor] "C:\Program Files\eCopy\Desktop 9.2\Bin\InboxMonitor.exe" -run
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: IKON Office Solutions IKON VPN Client.lnk = C:\Program Files\IKON\IKON VPN Client\ipsecdialer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Append to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - [You must be registered and logged in to see this link.]
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {FFD85DC8-5261-4D11-B728-F7C59D911691} (iolo.ProductDetector) - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\..\{86BD7EF7-A701-4460-8FF3-E160F0123B38}: Domain = cloud
O17 - HKLM\System\CCS\Services\Tcpip\..\{86BD7EF7-A701-4460-8FF3-E160F0123B38}: NameServer = 192.168.10.1
O20 - AppInit_DLLs: bafazigi.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll


Re: Anti-virus closes when scanning, intermittent pop-ups

Post by Belahzur on Sun Sep 27, 2009 6:45 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O20 - AppInit_DLLs: bafazigi.dll


  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


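The lines Belahzur picks out above are not arbitrary: an O20 AppInit_DLLs value gets a DLL loaded into every process that uses user32.dll (which is how a scanner can be killed seconds after it starts), and O6 policy entries lock down Internet Explorer settings in a way home users rarely set themselves. The following Python script, added here as an illustration and not code from the thread, from HijackThis or from the helper, applies that same reasoning to HijackThis log text. The sample log lines are constructed, modelled on the log posted earlier in the thread; the severities and the "random-looking name" heuristic are this script's assumptions.

```python
"""Triage a HijackThis log for the entry classes that matter most in this kind of case."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "info" (assumed scale, not a HijackThis concept)
    section: str    # HijackThis section tag, e.g. "O20"
    reason: str
    line: str

# Constructed sample lines, modelled on the log posted in the thread.
SAMPLE_LOG = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - AppInit_DLLs: bafazigi.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
"""

# Every HijackThis entry starts with a section tag (R0, O2, O20, ...) and " - ".
LINE = re.compile(r"^([RO]\d+) - (.*)$")
# Heuristic (assumption): 6-10 lowercase letters plus an executable extension
# looks like the auto-generated names seen in the thread's logs.
RANDOM_NAME = re.compile(r"^[a-z]{6,10}\.(dll|exe|scr|pif)$")

def classify(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if the line is not of interest."""
    line = line.strip()
    m = LINE.match(line)
    if not m:
        return None
    tag, body = m.group(1), m.group(2)
    if tag == "O20" and body.startswith("AppInit_DLLs:"):
        value = body.split(":", 1)[1].strip()
        if not value:                      # empty AppInit_DLLs is the normal state
            return None
        names = [n for n in re.split(r"[ ,;]+", value) if n]
        random_like = [n for n in names if RANDOM_NAME.match(n.lower())]
        reason = "AppInit_DLLs loads this DLL into every process that uses user32.dll"
        if random_like:
            reason += "; random-looking name(s): " + ", ".join(random_like)
        return Finding("high", tag, reason, line)
    if tag == "O6":
        return Finding("medium", tag,
                       "IE policy restrictions present (often set by malware, or by an admin lockdown)", line)
    if tag in ("R0", "R1") and body.rstrip().endswith("="):
        return Finding("info", tag, "empty IE start/local page entry", line)
    if "(file missing)" in body:
        return Finding("info", tag, "entry points at a file that no longer exists", line)
    return None

def triage(log_text: str) -> List[Finding]:
    """Classify every line of a HijackThis log, preserving log order."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f is not None]

def summary(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity, e.g. {'high': 1, 'medium': 2, 'info': 2}."""
    return dict(Counter(f.severity for f in findings))

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
    print(summary(triage(SAMPLE_LOG)))
```

Run against a real log, only the O20 and O6 hits would normally go on a "Fix Checked" list; the info-level entries are there so the reviewer sees them, not because they need fixing on their own.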

Re: Anti-virus closes when scanning, intermittent pop-ups

Post by Phixius on Sun Sep 27, 2009 7:05 pm

I got through the HijackThis process OK, but when I ran the Malware scan it ran for 7 sec and closed; to rerun it I will have to uninstall and reinstall. The location you gave me downloaded but would not install; I had a download from before that I had renamed to windum and that one would install.
Thanks for your help


Re: Anti-virus closes when scanning, intermittent pop-ups

Post by Belahzur on Sun Sep 27, 2009 7:06 pm

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:
    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts.
  • NOTE: ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select yes.
  • Allow combofix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click combofix's window whilst it's running. That may cause it to stall.



Re: Anti-virus closes when scanning, intermittent pop-ups

Post by Phixius on Sun Sep 27, 2009 7:50 pm

Well, that was a process. Below is the log file from ComboFix.
What are the next steps? Are we clean, or do we need additional steps?

ComboFix 09-09-25.01 - Curtis 09/27/2009 12:35.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1535.1059 [GMT -7:00]
Running from: d:\vscan\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\agyw.lib
c:\documents and settings\All Users\Application Data\fulur.pif
c:\documents and settings\All Users\Application Data\kupuwiw.scr
c:\documents and settings\All Users\Documents\dilody.exe
c:\documents and settings\All Users\Documents\ehequg.ban
c:\documents and settings\All Users\Documents\omiwagel.ban
c:\documents and settings\Curtis\Application Data\ivawylah.scr
c:\documents and settings\Curtis\Application Data\syhuja.scr
c:\documents and settings\Curtis\Application Data\wiaserva.log
c:\documents and settings\Curtis\Application Data\ysetequf.inf
c:\documents and settings\Curtis\Local Settings\Application Data\gokuru.scr
c:\documents and settings\Curtis\Local Settings\Temporary Internet Files\udyx.bin
c:\documents and settings\Curtis\Local Settings\Temporary Internet Files\ynoruhuzuw.db
c:\documents and settings\Curtis\Local Settings\Temporary Internet Files\yziwazamo._dl
c:\documents and settings\LocalService\Application Data\NetMon
c:\documents and settings\LocalService\Application Data\NetMon\domains.txt
c:\documents and settings\LocalService\Application Data\NetMon\log.txt
c:\recycler\NPROTECT
c:\windows\elarulog.bat
c:\windows\Installer\1c0124.msp
c:\windows\Installer\2cb131.msi
c:\windows\Installer\359b34.msi
c:\windows\mega.pif
c:\windows\system\SYSRegC.dll
c:\windows\system32\18467.exe
c:\windows\system32\41.exe
c:\windows\system32\6334.exe
c:\windows\system32\arilux.exe
c:\windows\system32\fubatuzo.exe
c:\windows\system32\iniasd.txt
c:\windows\system32\isifaxym.pif
c:\windows\system32\juruzuhu.dll
c:\windows\system32\logomafe.exe
c:\windows\system32\ratyso.bin
c:\windows\system32\sudinasu.exe
c:\windows\system32\system
c:\windows\system32\system\msxml4.dll
c:\windows\system32\system\msxml4r.dll
c:\windows\system32\vehusuru.exe
c:\windows\system32\winhelper.dll
c:\windows\yfulegodah.dll
c:\windows\zaponce52621.dat
c:\windows\zaponce52689.dat

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}


((((((((((((((((((((((((( Files Created from 2009-08-27 to 2009-09-27 )))))))))))))))))))))))))))))))
.

2009-09-27 19:42 . 2004-08-04 07:56 50176 ----a-w- c:\windows\system32\proquota.exe
2009-09-27 19:17 . 2009-09-27 19:17 -------- d-----w- c:\documents and settings\Curtis\Local Settings\Application Data\Tific
2009-09-27 19:17 . 2009-09-27 19:17 -------- d-----w- c:\documents and settings\Curtis\Application Data\Tific
2009-09-27 17:45 . 2009-09-27 17:45 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-09-27 17:45 . 2009-09-27 17:45 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-09-27 17:45 . 2009-09-27 17:45 -------- d-----w- c:\program files\Symantec
2009-09-27 17:44 . 2009-09-27 17:44 -------- d-----w- c:\windows\system32\drivers\NIS
2009-09-27 17:44 . 2009-09-27 17:44 -------- d-----w- c:\program files\Norton Internet Security
2009-09-27 01:32 . 2009-09-27 17:31 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-09-27 00:11 . 2009-09-27 00:11 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-09-27 00:11 . 2009-09-27 00:11 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-09-27 00:11 . 2009-09-27 00:11 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-09-26 19:23 . 2009-09-26 19:23 -------- d-----w- c:\program files\CCleaner
2009-09-20 07:44 . 2009-09-20 07:44 48640 ----a-w- C:\mdnsq.exe
2009-09-10 22:03 . 2009-06-21 22:04 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-06 20:14 . 2008-01-30 03:03 33032 ------w- c:\windows\system32\eCopyDesktopPrinterMon.DLL
2009-09-06 20:13 . 2009-09-06 20:13 -------- d-----w- c:\program files\eCopy
2009-09-06 20:13 . 2009-09-06 20:13 -------- d-----w- C:\eCopy
2009-09-06 20:12 . 2009-09-06 20:12 -------- d-----w- c:\documents and settings\Curtis\Local Settings\Application Data\Downloaded Installations

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-27 19:43 . 2007-08-26 08:04 24 ----a-w- c:\windows\system32\DVCStateBkp-{00000002-00000000-00000001-00001102-00000002-80271102}.dat
2009-09-27 19:43 . 2007-08-26 08:04 24 ----a-w- c:\windows\system32\DVCState-{00000002-00000000-00000001-00001102-00000002-80271102}.dat
2009-09-27 19:20 . 2005-02-19 22:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-27 19:20 . 2005-02-19 22:30 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-27 17:51 . 2003-12-27 05:28 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-27 17:45 . 2009-09-27 17:45 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-09-27 17:45 . 2009-09-27 17:45 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-09-27 17:44 . 2009-09-27 01:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-09-27 17:44 . 2009-09-27 17:44 -------- d-----w- c:\program files\NortonInstaller
2009-09-27 17:25 . 2009-09-27 17:25 -------- d-----w- c:\program files\Windows Sidebar
2009-09-27 17:19 . 2007-08-16 05:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-09-27 17:19 . 2003-12-27 05:29 -------- d-----w- c:\documents and settings\Curtis\Application Data\Symantec
2009-09-27 17:14 . 2009-09-27 17:14 -------- d-----w- c:\documents and settings\All Users\Application Data\PCSettings
2009-09-27 07:09 . 2003-12-27 04:57 -------- d-----w- c:\program files\Setup Files
2009-09-27 05:56 . 2009-09-27 05:56 -------- d-----w- c:\program files\Trend Micro
2009-09-27 05:49 . 2009-09-27 05:49 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-27 05:49 . 2009-09-27 05:49 -------- d-----w- c:\program files\Java
2009-09-27 05:22 . 2009-09-27 05:22 -------- d-----w- c:\documents and settings\Curtis\Application Data\Malwarebytes
2009-09-27 05:22 . 2009-09-27 05:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-27 01:31 . 2008-09-10 02:18 -------- d-----w- c:\documents and settings\Curtis\Application Data\EMBARQTOOLBAR
2009-09-26 21:43 . 2007-08-19 05:53 -------- d-----w- c:\documents and settings\All Users\Application Data\iolo
2009-09-26 17:29 . 2003-12-27 08:02 -------- d-----w- c:\program files\Microsoft Games
2009-09-26 17:29 . 2007-11-26 01:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Trymedia
2009-09-26 17:28 . 2005-05-23 21:21 -------- d-----w- c:\documents and settings\All Users\Application Data\SmartSound Software Inc
2009-09-26 17:28 . 2004-04-23 02:48 -------- d-----w- c:\documents and settings\Curtis\Application Data\Roxio
2009-09-26 17:28 . 2007-08-19 05:53 -------- d-----w- c:\documents and settings\Curtis\Application Data\iolo
2009-09-26 17:28 . 2004-04-10 06:08 -------- d-----w- c:\documents and settings\Curtis\Application Data\EPSON
2009-09-26 17:28 . 2007-08-19 05:55 -------- d-----w- c:\documents and settings\LocalService\Application Data\iolo
2009-09-24 22:46 . 2009-06-24 22:45 53248 --sha-w- c:\windows\system32\wezavova.dll
2009-09-24 22:45 . 2009-06-24 22:45 38400 --sha-w- c:\windows\system32\serevudo.dll
2009-09-20 19:50 . 2009-06-20 19:50 50688 --sha-w- c:\windows\system32\vufurajo.dll
2009-09-20 07:50 . 2009-06-20 07:50 38400 --sha-w- c:\windows\system32\napokoku.dll
2009-08-29 16:56 . 2003-12-30 02:53 95864 ----a-w- c:\documents and settings\Curtis\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-28 17:29 . 2007-08-19 05:55 2116008 ----a-w- c:\windows\system32\Incinerator.dll
2009-08-26 22:42 . 2007-08-19 05:55 30208 ----a-w- c:\windows\system32\iolobtdfg.exe
2009-08-26 22:42 . 2007-08-19 05:55 12288 ----a-w- c:\windows\system32\smrgdf.exe
2009-08-05 09:11 . 2003-12-27 08:27 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 18:55 . 2003-12-27 03:24 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 06:43 . 2003-12-27 08:29 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2003-08-27 22:19 . 2005-11-05 01:16 36963 ----a-r- c:\program files\Common Files\SM1updtr.dll
2009-02-18 02:20 . 2009-02-18 02:20 8456 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R300 Series (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" [2003-06-04 99840]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-27 149280]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-10 406016]
"PCLEPCI"="c:\progra~1\Pinnacle\PPE\ppe.exe" [2002-06-25 32768]
"Motive SmartBridge"="c:\progra~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe" [2006-04-21 438359]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"eDP2eD"="c:\program files\eCopy\Desktop 9.2\Bin\eDP2eD.exe" [2008-01-30 144648]
"eCopy Scan Inbox Monitor"="c:\program files\eCopy\Desktop 9.2\Bin\InboxMonitor.exe" [2008-01-30 79112]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-26 335872]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 620152]
"WINDVDPatch"="CTHELPER.EXE" - c:\windows\system32\CTHELPER.EXE [2002-07-03 24576]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R300 Series (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" [2003-06-04 99840]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe [2009-1-1 295606]
Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-1-4 113664]
IKON Office Solutions IKON VPN Client.lnk - c:\program files\IKON\IKON VPN Client\ipsecdialer.exe [2004-8-1 1216588]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0smrgdf c:\documents and settings\Curtis\Application Data\iolo\

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\IKON\\IKON VPN Client\\ipsecdialer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"d:\\Program Files\\Games\\Firaxis Games\\Sid Meier's Civilization 4 Gold\\Civilization4.exe"=
"d:\\Program Files\\Games\\Firaxis Games\\Sid Meier's Civilization 4 Gold\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10000:TCP"= 10000:TCP:Ikon Dialer
"10000:UDP"= 10000:UDP:Ikon Dialer
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1100000.088\SymDS.sys [9/27/2009 10:45 AM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1100000.088\SymEFA.sys [9/27/2009 10:45 AM 169008]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20090911.001\BHDrvx86.sys [9/11/2009 3:45 PM 507440]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1100000.088\ccHPx86.sys [9/27/2009 10:45 AM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1100000.088\Ironx86.sys [9/27/2009 10:45 AM 114736]
R2 CVPNDRV;IKON Office Solutions IPsec Driver;c:\windows\system32\drivers\CVPNDrv.sys [8/1/2004 12:57 PM 160327]
R3 DVC150B;Dazzle DVC 150B;c:\windows\system32\drivers\dvc150b.sys [8/22/2004 6:42 PM 30976]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/27/2009 10:49 AM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20090911.001\IDSXpx86.sys [9/27/2009 10:50 AM 329080]
S2 DVC150;DVC 150B;c:\windows\system32\drivers\dvc150b.sys [8/22/2004 6:42 PM 30976]
S2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.0.0.136\ccSvcHst.exe [9/27/2009 10:45 AM 126392]
S3 HwIOctl;HwIOctl;\??\c:\program files\Setup Files\MS-6728 v2.50\HwIOctl.sys --> c:\program files\Setup Files\MS-6728 v2.50\HwIOctl.sys [?]
S3 laguna;laguna;c:\windows\system32\drivers\cl546xm.sys [12/26/2003 11:44 AM 248064]
S3 mdxgthkn;mdxgthkn;\??\c:\docume~1\Curtis\LOCALS~1\Temp\mdxgthkn.sys --> c:\docume~1\Curtis\LOCALS~1\Temp\mdxgthkn.sys [?]
S3 MTK;Media Technology Kernel Driver;c:\windows\system32\drivers\FIDE.SYS [12/19/2005 9:19 PM 15271]
S3 NUVision;NUVision Video Service;c:\windows\system32\drivers\NUVvid2.sys [12/27/2003 4:06 PM 153824]
.
Contents of the 'Scheduled Tasks' folder

2009-05-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2009-09-27 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Curtis.job
- c:\program files\Norton Internet Security\Engine\17.0.0.136\Navw32.exe [2009-09-27 08:22]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: {86BD7EF7-A701-4460-8FF3-E160F0123B38} = 192.168.10.1
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
DPF: {FFD85DC8-5261-4D11-B728-F7C59D911691} - [You must be registered and logged in to see this link.]
.
.
------- File Associations -------
.
inifile=c:\windows\$NtServicePackUninstall$\notepad.exe %1
JSEFile=NOTEPAD.EXE %1
txtfile=c:\windows\$NtServicePackUninstall$\notepad.exe %1
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-09-27 12:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.0.0.136\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.0.0.136\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:2e,e8,e1,00,eb,16,2b,de,b5,50,7f,91,7e,
54,ed,b4,c8,28,51,af,b0,29,a3,98,b4,ae,80,5e,94,55,a4,ba,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:46,47,15,b0,92,4b,c7,ef,d3,9a,6c,ae,d5,
95,53,e8,71,3b,04,66,8b,46,0d,96,e3,de,b4,05,2e,77,2c,af,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,5e,71,93,2e,9d,
bd,9b,60,25,da,ec,7e,55,20,c9,26,2f,5b,6c,90,4b,f9,85,51,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,52,b8,4e,66,76,
91,35,61,3e,1e,9e,e0,57,5a,93,61,dc,33,15,18,84,0b,34,dc,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,19,a2,d3,91,77,
d6,02,35,cd,44,cd,b9,a6,33,6c,cd,d6,d5,f2,65,7f,34,04,9d,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,47,25,76,f5,22,
83,fd,34,b0,18,ed,a7,3f,8d,37,a4,83,e1,b7,38,29,4a,af,02,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,9d,a3,de,56,ef,
49,bf,d6,31,77,e1,ba,b1,f8,68,02,ea,a4,1e,9a,9f,83,47,63,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:aa,52,c6,00,84,3c,26,64,98,a3,8b,ff,ee,
ea,9c,a7,83,6c,56,8b,a0,85,96,ab,fa,82,7d,55,f0,00,c3,43,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,4e,b8,c9,0c,14,
a1,e4,53,51,fa,6e,91,28,9e,14,cc,d2,95,64,19,86,5b,e1,84,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:3d,ce,ea,26,2d,45,aa,78,08,cb,06,36,c8,
e2,9c,6b,b1,cd,45,5a,a8,c4,f8,b9,50,e7,2c,c3,d0,1c,62,1d,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,a5,13,61,65,ff,
b5,27,d9,e3,0e,66,d5,eb,bc,2f,6b,d0,f7,d5,5a,bc,74,39,21,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,d8,fa,3b,f2,39,
f9,d2,f0,fa,ea,66,7f,d4,3b,6b,70,05,ed,9f,60,60,2a,5a,38,6c,43,2d,1e,aa,22,\

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1024)
c:\windows\system32\CSGina.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3352)
c:\windows\system32\WININET.dll
c:\progra~1\VIRTUA~1\SMARTB~1\SBHook.dll
c:\windows\system32\ctagent.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\IKON\IKON VPN Client\cvpnd.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\E_S00RP1.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\SAgent4.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2009-09-27 12:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-27 19:49

Pre-Run: 34,603,102,208 bytes free
Post-Run: 34,588,532,736 bytes free

367 --- E O F --- 2009-09-26 21:45

Phixius

Re: Anti-virus closes when scanning, intermittent pop-ups

Post by Belahzur on Sun Sep 27, 2009 8:03 pm


  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    File::
    C:\mdnsq.exe
    c:\windows\system32\wezavova.dll
    c:\windows\system32\serevudo.dll
    c:\windows\system32\vufurajo.dll
    c:\windows\system32\napokoku.dll

    Registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    [-HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

    Driver::
    mdxgthkn

    RegLock::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.




Belahzur
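Once the CFScript has run, a quick way to confirm it did what was asked is to compare its File:: and Driver:: entries with the "Other Deletions" and "Drivers/Services" sections of the ComboFix log it produces. The script below is an added example, not ComboFix's own code or part of the helper's instructions; the CFScript text and log excerpt are constructed from the entries in this thread (one DLL is deliberately left out of the log to show how an outstanding item is reported), and all function names are assumptions.

```python
"""Cross-check a ComboFix CFScript against the ComboFix log it produced (added example)."""
import re

# Constructed sample: the File::, Registry:: and Driver:: sections from the post above.
CFSCRIPT = """\
File::
C:\\mdnsq.exe
c:\\windows\\system32\\wezavova.dll
c:\\windows\\system32\\serevudo.dll

Registry::
[-HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\policies\\explorer]

Driver::
mdxgthkn
"""

# Constructed sample log excerpt in the layout ComboFix uses: a banner wrapped in
# parentheses, then one entry per line. serevudo.dll is intentionally missing.
LOG = """\
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\\mdnsq.exe
c:\\windows\\system32\\wezavova.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\\Legacy_MDXGTHKN
-------\\Service_mdxgthkn


((((((((((((((((((((((((( Files Created from 2009-08-27 to 2009-09-27 )))))))))))))))))))))))))))))))
.
"""

SECTION_RE = re.compile(r"^\s*(\w+)::\s*$")      # CFScript section header, e.g. "File::"
BANNER_RE = re.compile(r"^\(+\s*(.*?)\s*\)+$")   # ComboFix log banner "(((( Title ))))"


def parse_cfscript(text):
    """Return {section: [entries]} for a CFScript; a section header ends with '::'."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections


def parse_log_sections(text):
    """Return {banner title: [non-empty lines]} for a ComboFix log."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = BANNER_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line and line != ".":
            sections[current].append(line)
    return sections


def check_cleanup(script_text, log_text):
    """Map each File:: path and Driver:: name to True if the log confirms its removal.
    Comparison is case-insensitive because ComboFix lowercases most paths it prints."""
    script = parse_cfscript(script_text)
    log = parse_log_sections(log_text)
    deleted = {p.lower() for p in log.get("Other Deletions", [])}
    services = {s.lower() for s in log.get("Drivers/Services", [])}
    report = {"files": {}, "drivers": {}}
    for path in script.get("File", []):
        report["files"][path] = path.lower() in deleted
    for name in script.get("Driver", []):
        # A removed driver shows up as both a Legacy_ and a Service_ line.
        wanted = {f"-------\\legacy_{name.lower()}", f"-------\\service_{name.lower()}"}
        report["drivers"][name] = wanted <= services
    return report


def outstanding(report):
    """Entries the script requested that the log does not confirm as removed."""
    return sorted([k for k, ok in report["files"].items() if not ok]
                  + [k for k, ok in report["drivers"].items() if not ok])


if __name__ == "__main__":
    result = check_cleanup(CFSCRIPT, LOG)
    for item in outstanding(result):
        print("not confirmed removed:", item)
```

Anything listed as not confirmed is worth a second look in the next log, since a file or driver that survives a scripted run is the usual reason the pop-ups return after a reboot.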

Re: Anti-virus closes when scanning, intermittent pop-ups

Post by Phixius on Sun Sep 27, 2009 8:26 pm

Log contents from the latest procedure:
Thanks for your prompt response.

ComboFix 09-09-25.01 - Curtis 09/27/2009 13:13.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1535.958 [GMT -7:00]
Running from: d:\vscan\Combo-Fix.exe
Command switches used :: d:\vscan\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
"C:\mdnsq.exe"
"c:\windows\system32\napokoku.dll"
"c:\windows\system32\serevudo.dll"
"c:\windows\system32\vufurajo.dll"
"c:\windows\system32\wezavova.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\mdnsq.exe
c:\windows\system32\napokoku.dll
c:\windows\system32\serevudo.dll
c:\windows\system32\vufurajo.dll
c:\windows\system32\wezavova.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MDXGTHKN
-------\Service_mdxgthkn


((((((((((((((((((((((((( Files Created from 2009-08-27 to 2009-09-27 )))))))))))))))))))))))))))))))
.

2009-09-27 19:30 . 2009-09-27 19:49 -------- d-----w- C:\Combo-Fix
2009-09-27 19:17 . 2009-09-27 19:17 -------- d-----w- c:\documents and settings\Curtis\Local Settings\Application Data\Tific
2009-09-27 19:17 . 2009-09-27 19:17 -------- d-----w- c:\documents and settings\Curtis\Application Data\Tific
2009-09-27 17:45 . 2009-09-27 17:45 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-09-27 17:45 . 2009-09-27 17:45 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-09-27 17:45 . 2009-09-27 17:45 -------- d-----w- c:\program files\Symantec
2009-09-27 17:44 . 2009-09-27 17:44 -------- d-----w- c:\windows\system32\drivers\NIS
2009-09-27 17:44 . 2009-09-27 17:44 -------- d-----w- c:\program files\Norton Internet Security
2009-09-27 01:32 . 2009-09-27 17:31 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-09-27 00:11 . 2009-09-27 00:11 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-09-27 00:11 . 2009-09-27 00:11 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-09-27 00:11 . 2009-09-27 00:11 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-09-26 19:23 . 2009-09-26 19:23 -------- d-----w- c:\program files\CCleaner
2009-09-10 22:03 . 2009-06-21 22:04 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-06 20:14 . 2008-01-30 03:03 33032 ------w- c:\windows\system32\eCopyDesktopPrinterMon.DLL
2009-09-06 20:13 . 2009-09-06 20:13 -------- d-----w- c:\program files\eCopy
2009-09-06 20:13 . 2009-09-06 20:13 -------- d-----w- C:\eCopy
2009-09-06 20:12 . 2009-09-06 20:12 -------- d-----w- c:\documents and settings\Curtis\Local Settings\Application Data\Downloaded Installations

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-27 20:19 . 2007-08-26 08:04 24 ----a-w- c:\windows\system32\DVCStateBkp-{00000002-00000000-00000001-00001102-00000002-80271102}.dat
2009-09-27 20:19 . 2007-08-26 08:04 24 ----a-w- c:\windows\system32\DVCState-{00000002-00000000-00000001-00001102-00000002-80271102}.dat
2009-09-27 19:20 . 2005-02-19 22:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-27 19:20 . 2005-02-19 22:30 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-27 17:51 . 2003-12-27 05:28 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-27 17:45 . 2009-09-27 17:45 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-09-27 17:45 . 2009-09-27 17:45 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-09-27 17:44 . 2009-09-27 01:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-09-27 17:44 . 2009-09-27 17:44 -------- d-----w- c:\program files\NortonInstaller
2009-09-27 17:25 . 2009-09-27 17:25 -------- d-----w- c:\program files\Windows Sidebar
2009-09-27 17:19 . 2007-08-16 05:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-09-27 17:19 . 2003-12-27 05:29 -------- d-----w- c:\documents and settings\Curtis\Application Data\Symantec
2009-09-27 17:14 . 2009-09-27 17:14 -------- d-----w- c:\documents and settings\All Users\Application Data\PCSettings
2009-09-27 07:09 . 2003-12-27 04:57 -------- d-----w- c:\program files\Setup Files
2009-09-27 05:56 . 2009-09-27 05:56 -------- d-----w- c:\program files\Trend Micro
2009-09-27 05:49 . 2009-09-27 05:49 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-27 05:49 . 2009-09-27 05:49 -------- d-----w- c:\program files\Java
2009-09-27 05:22 . 2009-09-27 05:22 -------- d-----w- c:\documents and settings\Curtis\Application Data\Malwarebytes
2009-09-27 05:22 . 2009-09-27 05:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-27 01:31 . 2008-09-10 02:18 -------- d-----w- c:\documents and settings\Curtis\Application Data\EMBARQTOOLBAR
2009-09-26 21:43 . 2007-08-19 05:53 -------- d-----w- c:\documents and settings\All Users\Application Data\iolo
2009-09-26 17:29 . 2003-12-27 08:02 -------- d-----w- c:\program files\Microsoft Games
2009-09-26 17:29 . 2007-11-26 01:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Trymedia
2009-09-26 17:28 . 2005-05-23 21:21 -------- d-----w- c:\documents and settings\All Users\Application Data\SmartSound Software Inc
2009-09-26 17:28 . 2004-04-23 02:48 -------- d-----w- c:\documents and settings\Curtis\Application Data\Roxio
2009-09-26 17:28 . 2007-08-19 05:53 -------- d-----w- c:\documents and settings\Curtis\Application Data\iolo
2009-09-26 17:28 . 2004-04-10 06:08 -------- d-----w- c:\documents and settings\Curtis\Application Data\EPSON
2009-09-26 17:28 . 2007-08-19 05:55 -------- d-----w- c:\documents and settings\LocalService\Application Data\iolo
2009-08-29 16:56 . 2003-12-30 02:53 95864 ----a-w- c:\documents and settings\Curtis\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-28 17:29 . 2007-08-19 05:55 2116008 ----a-w- c:\windows\system32\Incinerator.dll
2009-08-26 22:42 . 2007-08-19 05:55 30208 ----a-w- c:\windows\system32\iolobtdfg.exe
2009-08-26 22:42 . 2007-08-19 05:55 12288 ----a-w- c:\windows\system32\smrgdf.exe
2009-08-05 09:11 . 2003-12-27 08:27 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 18:55 . 2003-12-27 03:24 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 06:43 . 2003-12-27 08:29 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2003-08-27 22:19 . 2005-11-05 01:16 36963 ----a-r- c:\program files\Common Files\SM1updtr.dll
2009-02-18 02:20 . 2009-02-18 02:20 8456 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-27 20:21 . 2009-09-27 20:21 16384 c:\windows\temp\Perflib_Perfdata_398.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R300 Series (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" [2003-06-04 99840]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-27 149280]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-10 406016]
"PCLEPCI"="c:\progra~1\Pinnacle\PPE\ppe.exe" [2002-06-25 32768]
"Motive SmartBridge"="c:\progra~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe" [2006-04-21 438359]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"eDP2eD"="c:\program files\eCopy\Desktop 9.2\Bin\eDP2eD.exe" [2008-01-30 144648]
"eCopy Scan Inbox Monitor"="c:\program files\eCopy\Desktop 9.2\Bin\InboxMonitor.exe" [2008-01-30 79112]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-26 335872]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 620152]
"WINDVDPatch"="CTHELPER.EXE" - c:\windows\system32\CTHELPER.EXE [2002-07-03 24576]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R300 Series (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" [2003-06-04 99840]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe [2009-1-1 295606]
Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-1-4 113664]
IKON Office Solutions IKON VPN Client.lnk - c:\program files\IKON\IKON VPN Client\ipsecdialer.exe [2004-8-1 1216588]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0smrgdf c:\documents and settings\Curtis\Application Data\iolo\

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\IKON\\IKON VPN Client\\ipsecdialer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"d:\\Program Files\\Games\\Firaxis Games\\Sid Meier's Civilization 4 Gold\\Civilization4.exe"=
"d:\\Program Files\\Games\\Firaxis Games\\Sid Meier's Civilization 4 Gold\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10000:TCP"= 10000:TCP:Ikon Dialer
"10000:UDP"= 10000:UDP:Ikon Dialer
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1100000.088\SymDS.sys [9/27/2009 10:45 AM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1100000.088\SymEFA.sys [9/27/2009 10:45 AM 169008]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20090911.001\BHDrvx86.sys [9/11/2009 3:45 PM 507440]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1100000.088\ccHPx86.sys [9/27/2009 10:45 AM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1100000.088\Ironx86.sys [9/27/2009 10:45 AM 114736]
R2 CVPNDRV;IKON Office Solutions IPsec Driver;c:\windows\system32\drivers\CVPNDrv.sys [8/1/2004 12:57 PM 160327]
R3 DVC150B;Dazzle DVC 150B;c:\windows\system32\drivers\dvc150b.sys [8/22/2004 6:42 PM 30976]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/27/2009 10:49 AM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20090911.001\IDSXpx86.sys [9/27/2009 10:50 AM 329080]
S2 DVC150;DVC 150B;c:\windows\system32\drivers\dvc150b.sys [8/22/2004 6:42 PM 30976]
S2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.0.0.136\ccSvcHst.exe [9/27/2009 10:45 AM 126392]
S3 HwIOctl;HwIOctl;\??\c:\program files\Setup Files\MS-6728 v2.50\HwIOctl.sys --> c:\program files\Setup Files\MS-6728 v2.50\HwIOctl.sys [?]
S3 laguna;laguna;c:\windows\system32\drivers\cl546xm.sys [12/26/2003 11:44 AM 248064]
S3 MTK;Media Technology Kernel Driver;c:\windows\system32\drivers\FIDE.SYS [12/19/2005 9:19 PM 15271]
S3 NUVision;NUVision Video Service;c:\windows\system32\drivers\NUVvid2.sys [12/27/2003 4:06 PM 153824]
.
Contents of the 'Scheduled Tasks' folder

2009-05-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2009-09-27 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Curtis.job
- c:\program files\Norton Internet Security\Engine\17.0.0.136\Navw32.exe [2009-09-27 08:22]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: {86BD7EF7-A701-4460-8FF3-E160F0123B38} = 192.168.10.1
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
DPF: {FFD85DC8-5261-4D11-B728-F7C59D911691} - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-09-27 13:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.0.0.136\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.0.0.136\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:2e,e8,e1,00,eb,16,2b,de,b5,50,7f,91,7e,
54,ed,b4,c8,28,51,af,b0,29,a3,98,b4,ae,80,5e,94,55,a4,ba,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:46,47,15,b0,92,4b,c7,ef,d3,9a,6c,ae,d5,
95,53,e8,71,3b,04,66,8b,46,0d,96,e3,de,b4,05,2e,77,2c,af,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,5e,71,93,2e,9d,
bd,9b,60,25,da,ec,7e,55,20,c9,26,2f,5b,6c,90,4b,f9,85,51,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,52,b8,4e,66,76,
91,35,61,3e,1e,9e,e0,57,5a,93,61,dc,33,15,18,84,0b,34,dc,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,19,a2,d3,91,77,
d6,02,35,cd,44,cd,b9,a6,33,6c,cd,d6,d5,f2,65,7f,34,04,9d,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,47,25,76,f5,22,
83,fd,34,b0,18,ed,a7,3f,8d,37,a4,83,e1,b7,38,29,4a,af,02,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,9d,a3,de,56,ef,
49,bf,d6,31,77,e1,ba,b1,f8,68,02,ea,a4,1e,9a,9f,83,47,63,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:aa,52,c6,00,84,3c,26,64,98,a3,8b,ff,ee,
ea,9c,a7,83,6c,56,8b,a0,85,96,ab,fa,82,7d,55,f0,00,c3,43,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,4e,b8,c9,0c,14,
a1,e4,53,51,fa,6e,91,28,9e,14,cc,d2,95,64,19,86,5b,e1,84,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:3d,ce,ea,26,2d,45,aa,78,08,cb,06,36,c8,
e2,9c,6b,b1,cd,45,5a,a8,c4,f8,b9,50,e7,2c,c3,d0,1c,62,1d,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,a5,13,61,65,ff,
b5,27,d9,e3,0e,66,d5,eb,bc,2f,6b,d0,f7,d5,5a,bc,74,39,21,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,d8,fa,3b,f2,39,
f9,d2,f0,fa,ea,66,7f,d4,3b,6b,70,05,ed,9f,60,60,2a,5a,38,6c,43,2d,1e,aa,22,\

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1024)
c:\windows\system32\CSGina.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(4020)
c:\windows\system32\WININET.dll
c:\progra~1\VIRTUA~1\SMARTB~1\SBHook.dll
c:\windows\system32\ctagent.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\IKON\IKON VPN Client\cvpnd.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\E_S00RP1.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\SAgent4.exe
c:\windows\system32\wscntfy.exe
c:\program files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2009-09-27 13:26 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-27 20:26
ComboFix2.txt 2009-09-27 19:49

Pre-Run: 34,603,896,832 bytes free
Post-Run: 34,556,915,712 bytes free

300 --- E O F --- 2009-09-26 21:45

Phixius
Novice

Re: Anti-virus closes when scanning, intermittent pop-ups

Post by Belahzur on Sun Sep 27, 2009 8:45 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

This will also reset your restore points.

How is the machine running now?


Belahzur
Administrator

Re: Anti-virus closes when scanning, intermittent pop-ups

Post by Phixius on Sun Sep 27, 2009 8:58 pm

I haven't seen any unusual pop-ups from IE. I will have to reinstall Norton to see if it will scan. My major problem was not being able to scan for viruses.
I must say you guys are amazing. I plan on donating something; it will certainly not amount to the value of your assistance, but it will be what I can handle for now.

Can I start reinstalling my AV and System Mechanic?

Phixius
Novice

Re: Anti-virus closes when scanning, intermittent pop-ups

Post by Belahzur on Sun Sep 27, 2009 9:20 pm

I don't recommend Norton.

Please install Avira antivirus otherwise you won't be protected.

1) [You must be registered and logged in to see this link.]
-Free anti-virus software for Windows.
-Detects and removes more than 50,000 viruses. Free support.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.


Belahzur
Administrator

Re: Anti-virus closes when scanning, intermittent pop-ups

Post by Phixius on Sun Sep 27, 2009 9:25 pm

Thanks again for all your help. This all started when my wife clicked a pop-up she shouldn't have. I broke her fingers so that won't happen again.
I'll work it back up from here.

Phixius
Novice