problems after anti virus soft removal


Post by cob on Wed 3 Mar - 0:39

I followed the instructions found on this site to get rid of anti virus soft and was able to get rid of it. However, now I have a few new problems. First, my computer now will not ever shut down using the Start, Turn Off Computer, Restart (or Turn Off) sequence which I always used before. Now I either have to power it off or, not infrequently, I have to actually remove the battery. Secondly, it is freezing up fairly frequently (numerous times every day); it rarely did this before (maybe once a month). After it freezes I have to power it off or remove the battery to restart it. And sometimes when it freezes I get a loud humming noise, like maybe the hard drive is working to unfreeze it. Also, in my Norton security logs it still says there are unauthorized accesses taking place to the Norton Internet Security engine from notepad.exe, rstrui.exe, iPod, etc. (in short, from the progs that I run). I wonder if there are still traces of this virus on my machine. BTW, Norton never picked up any indication of the virus; I wonder if the virus compromised it somehow. In any case, does anybody have any ideas as to how I can solve these new problems? Thanks in advance.


Re: problems after anti virus soft removal

Post by Belahzur on Wed 3 Mar - 0:56

Download [You must be registered and logged in to see this link.] by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.





Re: problems after anti virus soft removal

Post by cob on Wed 3 Mar - 1:22

Extras log:

OTL Extras logfile created on: 3/2/2010 9:05:27 AM - Run 1
OTL by OldTimer - Version 3.1.32.0 Folder = C:\Documents and Settings\jharris\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,015.00 Mb Total Physical Memory | 557.00 Mb Available Physical Memory | 55.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 86.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 15.25 Gb Total Space | 2.57 Gb Free Space | 16.85% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: PC627117302126
Current User Name: jharris
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]

[HKEY_CURRENT_USER\SOFTWARE\Classes\]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~4\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"3246:TCP" = 3246:TCP:*:Enabled:Services
"2479:TCP" = 2479:TCP:*:Enabled:Services
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"3246:TCP" = 3246:TCP:*:Enabled:Services
"2479:TCP" = 2479:TCP:*:Enabled:Services
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader -- (AOL LLC)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE" = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}" = HttpWatch Basic 6.1.29
"{0517F875-BBB2-4812-A63E-733B33CEF215}" = Roxio Instant Restore
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{082702D5-5DD8-4600-BCE5-48B15174687F}" = HP Doc Viewer
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{162B71B8-8464-4680-A086-601D555B331D}" = Apple Mobile Device Support
"{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}" = QuickTime
"{275E7C8F-5407-4E2D-9506-0DC5BC59B14E}" = MigoMobile DESKTOP 4
"{2B682751-E749-441C-A4B3-1F538E26E56E}" = Roxio Instant Restore Recovery Disk
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7
"{32F9BACF-FCD3-4B6A-AD85-255A449B6FA5}" = Roxio BackOnTrack
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{4F2AF17E-94F0-4F22-943D-216CE46AC502}" = HP Mobile Broadband Setup Utility
"{5A06423A-210C-49FB-950E-CB0EB8C5CEC7}" = Roxio BackOnTrack
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69DAC00A-7665-4E9B-B441-093D40736429}" = HP BatteryCheck 2.10 A2
"{6A370610-3778-44AF-9AAC-69B2FD1A3356}" = Microsoft Live Search Toolbar
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{76EFFC7C-17A6-479D-9E47-8E658C1695AE}" = Windows Backup Utility
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{87A83C6F-F53C-448A-B078-FF00E3EAEB29}" = Roxio Disaster Recovery
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ULTIMATER_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ULTIMATER_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ULTIMATER_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ULTIMATER_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ULTIMATER_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{909B62B0-8ACA-4061-A83B-09CAEF609619}" = MSXML 6.0 Parser
"{91120000-002E-0000-0000-0000000FF1CE}" = Microsoft Office Ultimate 2007
"{91120000-002E-0000-0000-0000000FF1CE}_ULTIMATER_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002E-0000-0000-0000000FF1CE}_ULTIMATER_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{9ADABDDE-9644-461B-9E73-83FA3EFCAB50}" = HP Wireless Assistant
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A93C4E94-1005-489D-BEAA-B873C1AA6CFC}" = HP Help and Support
"{AC76BA86-7AD7-1033-7B44-A90000000001}" = Adobe Reader 9
"{B5B25043-42A0-4490-A425-C7A6284213E6}" = HP User Guides 0130
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C13AF9C7-8E06-4354-B629-DF6192CE4A66}" = PANTECH UM175 Driver
"{C26B06A9-27BB-45B0-9873-9C623EC2BA38}" = iTunes
"{C950420B-4182-49EA-850A-A6A2ABF06C6B}" = Marvell Miniport Driver
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDC85536-A0EF-4401-82A6-25D8EFC7EFAC}" = VZAccess Manager
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DB518BA6-CB74-4EB6-9ABD-880B6D6E1F38}" = HpSdpAppCoreApp
"{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}" = IDT Audio
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"AIM_6" = AIM 6
"Broadcom 802.11b Network Adapter" = Broadcom 802.11 Wireless LAN Adapter
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Fiddler2" = Fiddler2
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.0.18)" = Mozilla Firefox (3.0.18)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NIS" = Norton Internet Security
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Security Task Manager" = Security Task Manager 1.7h
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"ULTIMATER" = Microsoft Office Ultimate 2007
"ViewpointMediaPlayer" = Viewpoint Media Player
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Circuit Construction Kit (DC Only)" = Circuit Construction Kit (DC Only)
"WinDirStat" = WinDirStat 1.1.2

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/19/2010 12:41:18 AM | Computer Name = PC627117302126 | Source = Application Error | ID = 1000
Description = Faulting application vzaccess manager.exe, version 6.10.10.2290, faulting
module smwifi.dll, version 4.8.5.2175, fault address 0x0001f91e.

Error - 2/3/2010 5:33:43 AM | Computer Name = PC627117302126 | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at:
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 2/3/2010 5:33:43 AM | Computer Name = PC627117302126 | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at:
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 2/3/2010 5:33:43 AM | Computer Name = PC627117302126 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: The server name or address could not be resolved

Error - 2/19/2010 1:28:57 AM | Computer Name = PC627117302126 | Source = Application Error | ID = 1000
Description = Faulting application vzaccess manager.exe, version 6.10.10.2290, faulting
module smwifi.dll, version 4.8.5.2175, fault address 0x0001f91e.

Error - 2/28/2010 2:49:02 AM | Computer Name = PC627117302126 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16981, faulting
module 3difr.x3d, version 9.0.0.0, fault address 0x0001d5be.

Error - 3/1/2010 12:49:06 AM | Computer Name = PC627117302126 | Source = Application Error | ID = 1000
Description = Faulting application safebootkeyrepair.exe, version 0.0.0.0, faulting
module kernel32.dll, version 5.1.2600.5781, fault address 0x00012afb.

Error - 3/1/2010 3:30:09 AM | Computer Name = PC627117302126 | Source = pctsSvc.exe | ID = 0
Description =

[ System Events ]
Error - 3/1/2010 1:01:31 AM | Computer Name = PC627117302126 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 3/1/2010 1:02:54 AM | Computer Name = PC627117302126 | Source = SRService | ID = 104
Description = The System Restore initialization process failed.

Error - 3/1/2010 1:02:56 AM | Computer Name = PC627117302126 | Source = Service Control Manager | ID = 7023
Description = The System Restore Service service terminated with the following error:
%%2

Error - 3/1/2010 1:19:10 AM | Computer Name = PC627117302126 | Source = PlugPlayManager | ID = 12
Description = The device 'Marvell Yukon 88E8040 PCI-E Fast Ethernet Controller'
(PCI\VEN_11AB&DEV_4354&SUBSYS_361A103C&REV_00\4&23c6fc68&0&00E1) disappeared from
the system without first being prepared for removal.

Error - 3/1/2010 1:39:10 AM | Computer Name = PC627117302126 | Source = SRService | ID = 104
Description = The System Restore initialization process failed.

Error - 3/1/2010 1:39:11 AM | Computer Name = PC627117302126 | Source = Service Control Manager | ID = 7023
Description = The System Restore Service service terminated with the following error:
%%2

Error - 3/1/2010 3:08:43 AM | Computer Name = PC627117302126 | Source = SRService | ID = 104
Description = The System Restore initialization process failed.

Error - 3/1/2010 3:08:44 AM | Computer Name = PC627117302126 | Source = Service Control Manager | ID = 7023
Description = The System Restore Service service terminated with the following error:
%%2

Error - 3/1/2010 6:58:01 AM | Computer Name = PC627117302126 | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000001'
while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring
the volume.

Error - 3/1/2010 6:58:26 AM | Computer Name = PC627117302126 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AliIde IntelIde ViaIde

< End of report >


Re: problems after anti virus soft removal

Post by cob on Wed 3 Mar - 1:25

OTL part 1:

OTL log created on: 3/2/2010 9:05:27 AM - Run 1
OTL by OldTimer - Version 3.1.32.0 Folder = C:\Documents and Settings\jharris\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,015.00 Mb Total Physical Memory | 557.00 Mb Available Physical Memory | 55.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 86.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 15.25 Gb Total Space | 2.57 Gb Free Space | 16.85% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: PC627117302126
Current User Name: jharris
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/03/02 09:01:02 | 000,551,424 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\jharris\Desktop\OTL.exe
PRC - [2009/08/22 02:21:19 | 000,117,640 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
PRC - [2008/12/25 21:28:00 | 000,203,248 | ---- | M] (Sonic Solutions) -- C:\Program Files\Roxio\BackOnTrack\Instant Restore\BOTService.exe
PRC - [2008/12/12 01:46:22 | 000,125,424 | ---- | M] () -- C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
PRC - [2008/12/02 21:57:30 | 000,729,088 | ---- | M] (Andrea Electronics Corporation) -- C:\WINDOWS\system32\AESTFltr.exe
PRC - [2008/09/11 06:00:10 | 000,446,556 | ---- | M] (IDT, Inc.) -- C:\WINDOWS\sttray.exe
PRC - [2008/09/11 06:00:10 | 000,237,650 | ---- | M] (IDT, Inc.) -- c:\Program Files\IDT\WDM\stacsv.exe
PRC - [2008/04/14 23:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/02/15 08:46:46 | 000,135,168 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxtray.exe
PRC - [2008/02/15 08:46:06 | 000,249,856 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxsrvc.exe


========== Modules (SafeList) ==========

MOD - [2010/03/02 09:01:02 | 000,551,424 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\jharris\Desktop\OTL.exe
MOD - [2009/08/22 02:21:16 | 000,419,696 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Internet Security\Engine\16.8.0.41\asOEHook.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/08/22 02:21:19 | 000,117,640 | R--- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe -- (Norton Internet Security)
SRV - [2008/12/25 21:28:00 | 000,203,248 | ---- | M] (Sonic Solutions) [Auto | Running] -- C:\Program Files\Roxio\BackOnTrack\Instant Restore\BOTService.exe -- (BOTService)
SRV - [2008/12/12 01:46:22 | 000,125,424 | ---- | M] () [Auto | Running] -- C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe -- (9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269)
SRV - [2008/10/25 10:44:08 | 000,065,888 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe -- (Microsoft Office Groove Audit Service)
SRV - [2008/09/11 06:00:10 | 000,237,650 | ---- | M] (IDT, Inc.) [Auto | Running] -- c:\Program Files\IDT\WDM\stacsv.exe -- (STacSV)
SRV - [2008/04/14 23:00:00 | 000,295,424 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\termsrv32.dll -- (TermService)


========== Driver Services (SafeList) ==========

DRV - [2010/02/03 04:00:00 | 001,324,720 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100301.054\NAVEX15.SYS -- (NAVEX15)
DRV - [2010/02/03 04:00:00 | 000,084,912 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100301.054\NAVENG.SYS -- (NAVENG)
DRV - [2010/02/02 22:51:57 | 000,482,432 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\NIS\1008000.029\ccHPx86.sys -- (ccHP)
DRV - [2009/10/28 17:37:22 | 000,329,592 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\IDSXpx86.sys -- (IDSxpx86)
DRV - [2009/09/09 23:21:35 | 000,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2009/08/26 03:00:00 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2009/08/26 03:00:00 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2009/08/22 02:21:19 | 000,310,320 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\NIS\1008000.029\SYMEFA.SYS -- (SymEFA)
DRV - [2009/08/22 02:21:19 | 000,308,272 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\NIS\1008000.029\SRTSP.SYS -- (SRTSP)
DRV - [2009/08/22 02:21:19 | 000,259,632 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\NIS\1008000.029\BHDrvx86.sys -- (BHDrvx86)
DRV - [2009/08/22 02:21:19 | 000,217,136 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\NIS\1008000.029\SYMTDI.SYS -- (SYMTDI)
DRV - [2009/08/22 02:21:19 | 000,089,904 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\NIS\1008000.029\SYMFW.SYS -- (SYMFW)
DRV - [2009/08/22 02:21:19 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NIS\1008000.029\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV - [2009/08/22 02:21:19 | 000,036,400 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\NIS\1008000.029\SYMNDIS.SYS -- (SYMNDIS)
DRV - [2009/08/22 02:21:19 | 000,033,072 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\NIS\1008000.029\SYMIDS.SYS -- (SYMIDS)
DRV - [2009/08/22 02:21:06 | 000,036,400 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SymIM.sys -- (SymIMMP)
DRV - [2009/08/22 02:21:06 | 000,036,400 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SymIM.sys -- (SymIM)
DRV - [2009/08/12 06:13:32 | 000,160,272 | ---- | M] (DEVGURU Co., LTD.([You must be registered and logged in to see this link.] [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\PTDUMdm.sys -- (PTDUMdm)
DRV - [2009/08/12 06:13:32 | 000,113,680 | ---- | M] (DEVGURU Co., LTD.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\PTDUWWAN.sys -- (PTDUWWAN)
DRV - [2009/08/12 06:13:32 | 000,054,416 | ---- | M] (DEVGURU Co., LTD.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\PTDUBus.sys -- (PTDUBus)
DRV - [2009/08/12 06:13:28 | 000,160,272 | ---- | M] (DEVGURU Co., LTD.([You must be registered and logged in to see this link.] [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\PTDUVsp.sys -- (PTDUVsp)
DRV - [2009/08/12 06:13:28 | 000,011,920 | ---- | M] (DEVGURU Co., LTD.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\PTDUWFLT.sys -- (PTDUWFLT)
DRV - [2009/05/25 15:43:58 | 000,032,408 | ---- | M] (Smith Micro Inc.) [Kernel | On_Demand | Stopped] -- C:\Program Files\Verizon Wireless\VZAccess Manager\SMSIVZAM5.sys -- (SMSIVZAM5)
DRV - [2009/01/31 23:50:30 | 001,294,200 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2009/01/15 12:19:36 | 000,023,848 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2008/12/11 04:00:00 | 000,025,584 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SaibVd32.sys -- (SaibVd32)
DRV - [2008/12/11 04:00:00 | 000,021,488 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\SahdIa32.sys -- (SahdIa32)
DRV - [2008/12/11 04:00:00 | 000,015,856 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\SaibIa32.sys -- (SaibIa32)
DRV - [2008/12/04 17:55:14 | 000,204,976 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2008/12/02 21:57:32 | 000,112,128 | ---- | M] (Andrea Electronics Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AESTAud.sys -- (AESTAud)
DRV - [2008/09/25 01:09:40 | 000,103,792 | ---- | M] (Sonic Solutions) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\syscow32x.sys -- (SysCow)
DRV - [2008/09/11 06:00:10 | 001,390,323 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2008/06/27 13:02:00 | 000,289,024 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2008/06/16 06:00:00 | 000,044,944 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2008/04/14 23:00:00 | 000,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/04/14 23:00:00 | 000,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2008/04/14 23:00:00 | 000,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2008/04/14 10:06:40 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/14 10:06:40 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2008/02/15 09:12:06 | 005,854,752 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2001/08/18 00:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/18 00:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/18 00:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/18 00:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/18 00:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 23:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 23:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 23:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 23:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 23:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 23:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 23:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 23:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 23:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 23:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.3.3
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:0.1.8
FF - prefs.js..extensions.enabledItems: {9AA46F4F-4DC7-4c06-97AF-5035170634FE}:3.2.8
FF - prefs.js..extensions.enabledItems: {9c51bd27-6ed8-4000-a2bf-36cb95c0c947}:10.1.0
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:2.2.1.4

FF - HKLM\software\mozilla\Firefox\Extensions\\{7BA52691-1876-45ce-9EE6-54BCB3B04BBC}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\ [2010/03/02 07:00:18 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.18\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/02/21 12:36:57 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.18\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/02/21 12:36:58 | 000,000,000 | ---D | M]

[2009/05/29 23:38:19 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\jharris\Application Data\Mozilla\Extensions
[2010/03/01 23:44:17 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\jharris\Application Data\Mozilla\Firefox\Profiles\euuboh14.default\extensions
[2009/08/09 04:53:33 | 000,000,000 | -H-D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\jharris\Application Data\Mozilla\Firefox\Profiles\euuboh14.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/06/24 06:03:54 | 000,000,000 | -H-D | M] (ImTranslator) -- C:\Documents and Settings\jharris\Application Data\Mozilla\Firefox\Profiles\euuboh14.default\extensions\{9AA46F4F-4DC7-4c06-97AF-5035170634FE}
[2009/05/30 00:12:54 | 000,000,000 | -H-D | M] (Tamper Data) -- C:\Documents and Settings\jharris\Application Data\Mozilla\Firefox\Profiles\euuboh14.default\extensions\{9c51bd27-6ed8-4000-a2bf-36cb95c0c947}
[2009/05/29 23:56:19 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\jharris\Application Data\Mozilla\Firefox\Profiles\euuboh14.default\extensions\firebug@software.joehewitt.com
[2009/06/24 06:03:38 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\jharris\Application Data\Mozilla\Firefox\Profiles\euuboh14.default\extensions\ubiquity@labs.mozilla.com
[2010/03/01 23:26:13 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2008/04/14 23:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\CoIEPlg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\IPSBHO.dll (Symantec Corporation)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Microsoft Live Search Toolbar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll (Microsoft Corp.)
O2 - BHO: (HttpWatch Basic) - {F1F69322-008F-4895-B2BF-AD194219825A} - C:\Program Files\HttpWatch\httpwatchsc.dll (Simtec Limited)
O3 - HKLM\..\Toolbar: (Microsoft Live Search Toolbar) - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll (Microsoft Corp.)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\CoIEPlg.dll (Symantec Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\CoIEPlg.dll (Symantec Corporation)
O4 - HKLM..\Run: [AESTFltr] C:\WINDOWS\System32\AESTFltr.exe (Andrea Electronics Corporation)
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [HP Mobile Broadband] c:\SWsetup\HPQWWAN\HPMobileBroadband.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe (Hewlett-Packard Development Company, L.P.)
O4 - HKLM..\Run: [IDTSysTrayApp] C:\WINDOWS\sttray.exe (IDT, Inc.)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe (IDT, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - C:\Program Files\Fiddler2\Fiddler.exe (Eric Lawrence)
O9 - Extra 'Tools' menuitem : Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - C:\Program Files\Fiddler2\Fiddler.exe (Eric Lawrence)
O9 - Extra Button: HttpWatch Basic - {D103E85B-5D67-42c1-8C83-F01079DBAB26} - C:\Program Files\HttpWatch\httpwatch.dll (Simtec Limited)
O9 - Extra 'Tools' menuitem : HttpWatch Basic - {D103E85B-5D67-42c1-8C83-F01079DBAB26} - Reg Error: Value error. File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_07)
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\symres {AA1061FE-6C41-421f-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\CoIEPlg.dll (Symantec Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{210c5c0e-1eb7-11de-8e1c-002481479fee}\Shell - "" = AutoRun
O33 - MountPoints2\{210c5c0e-1eb7-11de-8e1c-002481479fee}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{210c5c0e-1eb7-11de-8e1c-002481479fee}\Shell\AutoRun\command - "" = D:\LaunchU3.exe -- File not found
O33 - MountPoints2\D\Shell - "" = AutoRun
O33 - MountPoints2\D\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\D\Shell\AutoRun\command - "" = D:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/03/02 09:04:36 | 000,551,424 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\jharris\Desktop\OTL.exe
[2010/03/02 00:35:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SecTaskMan
[2010/03/02 00:35:02 | 000,000,000 | ---D | C] -- C:\Program Files\Security Task Manager
[2010/03/01 03:24:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jharris\Application Data\Malwarebytes
[2010/03/01 03:24:08 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/01 03:23:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/03/01 03:23:27 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/03/01 03:23:24 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/03/01 03:19:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jharris\Desktop\backups
[2010/03/01 03:16:58 | 000,401,720 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\jharris\Desktop\iexplore.exe
[2010/02/28 23:12:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/02/28 23:02:00 | 000,288,654 | ---- | C] ( ) -- C:\Documents and Settings\jharris\Desktop\SafeBootKeyRepair.exe
[2010/02/28 01:48:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jharris\Local Settings\Application Data\ybsovx
[2010/02/22 13:04:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jharris\Application Data\Verizon Wireless
[2010/02/22 13:02:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\WEngineLite
[2010/02/22 13:01:31 | 000,000,000 | ---D | C] -- C:\Program Files\Verizon Wireless
[2010/02/22 12:58:55 | 000,113,680 | ---- | C] (DEVGURU Co., LTD.) -- C:\WINDOWS\System32\drivers\PTDUWWAN.sys
[2010/02/22 12:58:55 | 000,011,920 | ---- | C] (DEVGURU Co., LTD.) -- C:\WINDOWS\System32\drivers\PTDUWFLT.sys
[2010/02/22 12:58:44 | 000,160,272 | ---- | C] (DEVGURU Co., LTD.([You must be registered and logged in to see this link.] -- C:\WINDOWS\System32\drivers\PTDUVsp.sys
[2010/02/22 12:58:39 | 000,160,272 | ---- | C] (DEVGURU Co., LTD.([You must be registered and logged in to see this link.] -- C:\WINDOWS\System32\drivers\PTDUMdm.sys
[2010/02/22 12:58:36 | 000,054,416 | ---- | C] (DEVGURU Co., LTD.) -- C:\WINDOWS\System32\drivers\PTDUBus.sys
[2010/02/22 12:58:33 | 000,111,704 | ---- | C] (DEVGURU) -- C:\WINDOWS\System32\PTDUWmcp64.dll
[2010/02/22 12:58:33 | 000,100,952 | ---- | C] (DEVGURU) -- C:\WINDOWS\System32\PTDUWmcp.dll
[2010/02/22 12:58:31 | 000,319,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\DIFxAPI.dll
[2010/02/13 21:15:04 | 002,145,280 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ntoskrnl.exe
[2010/02/13 21:15:04 | 002,145,280 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrnlmp.exe
[2010/02/13 21:15:02 | 002,189,184 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntoskrnl.exe
[2010/02/13 21:14:57 | 002,023,936 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrpamp.exe
[2010/02/13 21:14:57 | 002,023,936 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ntkrnlpa.exe
[2010/02/13 21:14:56 | 002,066,048 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrnlpa.exe
[2010/02/10 23:10:16 | 000,353,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\srv.sys
[2010/02/10 23:08:51 | 000,455,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mrxsmb.sys
[2009/08/28 04:55:43 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/07/30 12:21:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/01/31 23:11:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/01/31 23:11:01 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/03/02 09:10:16 | 000,000,282 | ---- | M] () -- C:\WINDOWS\tasks\BackOnTrack Instant Restore Idle.job
[2010/03/02 09:01:02 | 000,551,424 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\jharris\Desktop\OTL.exe
[2010/03/02 07:31:13 | 000,000,600 | ---- | M] () -- C:\Documents and Settings\jharris\Local Settings\Application Data\PUTTY.RND
[2010/03/02 07:00:01 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/03/02 06:59:37 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/03/02 06:59:34 | 1064,620,032 | -HS- | M] () -- C:\hiberfil.sys
[2010/03/01 23:56:03 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/03/01 23:24:23 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\jharris\ntuser.ini
[2010/03/01 13:52:42 | 003,231,054 | -H-- | M] () -- C:\Documents and Settings\jharris\Local Settings\Application Data\IconCache.db
[2010/03/01 03:32:52 | 000,579,532 | ---- | M] () -- C:\WINDOWS\System32\drivers\NIS\1008000.029\Cat.DB
[2010/03/01 03:24:20 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/03/01 03:17:01 | 000,401,720 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\jharris\Desktop\iexplore.exe
[2010/03/01 03:07:28 | 003,932,160 | -H-- | M] () -- C:\Documents and Settings\jharris\NTUSER.DAT
[2010/02/28 23:02:07 | 000,288,654 | ---- | M] ( ) -- C:\Documents and Settings\jharris\Desktop\SafeBootKeyRepair.exe
[2010/02/25 21:04:59 | 000,014,469 | ---- | M] () -- C:\Documents and Settings\jharris\Desktop\ul1.docx
[2010/02/25 09:55:01 | 000,394,752 | ---- | M] () -- C:\Documents and Settings\jharris\Desktop\modemss.doc
[2010/02/22 13:03:05 | 000,001,013 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\VZAccess Manager.lnk
[2010/02/18 07:21:03 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/02/15 00:31:00 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/02/09 02:08:39 | 000,396,800 | ---- | M] () -- C:\Documents and Settings\jharris\Desktop\carss.doc
[2010/02/09 01:53:21 | 000,052,856 | ---- | M] () -- C:\Documents and Settings\jharris\Desktop\819875463.jpg
[2010/02/06 07:04:12 | 000,019,456 | ---- | M] () -- C:\Documents and Settings\jharris\Desktop\BIG11BB.xls
[2010/02/03 04:34:00 | 000,001,973 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Norton Internet Security.lnk
[2010/02/02 22:51:57 | 000,482,432 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NIS\1008000.029\cchpx86.sys
[2010/02/02 22:50:11 | 000,000,172 | ---- | M] () -- C:\WINDOWS\System32\drivers\NIS\1008000.029\isolate.ini
[2010/01/31 11:12:54 | 000,707,584 | ---- | M] () -- C:\Documents and Settings\jharris\Desktop\nk.doc
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/03/01 03:24:18 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/03/01 00:02:20 | 1064,620,032 | -HS- | C] () -- C:\hiberfil.sys
[2010/02/28 23:45:49 | 000,000,282 | ---- | C] () -- C:\WINDOWS\tasks\BackOnTrack Instant Restore Idle.job
[2010/02/25 21:04:59 | 000,014,469 | ---- | C] () -- C:\Documents and Settings\jharris\Desktop\ul1.docx
[2010/02/25 09:54:58 | 000,394,752 | ---- | C] () -- C:\Documents and Settings\jharris\Desktop\modemss.doc
[2010/02/22 13:03:01 | 000,001,013 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\VZAccess Manager.lnk
[2010/02/09 02:04:57 | 000,396,800 | ---- | C] () -- C:\Documents and Settings\jharris\Desktop\carss.doc
[2010/02/09 01:57:41 | 000,052,856 | ---- | C] () -- C:\Documents and Settings\jharris\Desktop\819875463.jpg
[2010/02/06 07:01:28 | 000,019,456 | ---- | C] () -- C:\Documents and Settings\jharris\Desktop\BIG11BB.xls
[2010/01/31 11:12:52 | 000,707,584 | ---- | C] () -- C:\Documents and Settings\jharris\Desktop\nk.doc
[2009/09/05 22:04:37 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2009/06/23 08:35:11 | 000,000,600 | -H-- | C] () -- C:\Documents and Settings\jharris\Application Data\winscp.rnd
[2009/04/23 09:44:52 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\jharris\Local Settings\Application Data\PUTTY.RND
[2009/04/01 00:02:53 | 000,001,548 | -H-- | C] () -- C:\Documents and Settings\jharris\Application Data\wklnhst.dat
[2009/02/01 00:01:24 | 000,028,510 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2009/01/31 23:37:23 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4926.dll
[2008/06/24 12:48:20 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini

========== Alternate Data Streams ==========

@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >

cob
Novice

Posts : 16
Joined : 2010-03-03
OS : xp home
Points : 24929
# Likes : 0

Re: problems after anti virus soft removal

Post by Belahzur on Wed 3 Mar - 1:25

Hello.
You posted Extras.txt twice, but never mind; OTL can't fix this: the infection is hiding in the MBR.

Please download Stealth MBR Rootkit Detector by GMER from [You must be registered and logged in to see this link.], and save to your Desktop.
  • Double-click mbr.exe to start the program.
  • When done scanning, it will save a log on the Desktop called mbr.log.
  • Please post the contents of that log in your next reply.

Belahzur
Administrator

Posts : 34916
Joined : 2008-08-04
Gender : Male
OS : XP SP3 Media Centre
Points : 245059
# Likes : 1

Re: problems after anti virus soft removal

Post by cob on Wed 3 Mar - 1:51

I downloaded it but it is called m4cwcsnf.exe now. I ran it and 10 mins into the scan I got a blue screen with the following info:
---------
A problem has been detected and windows has been shut down to prevent damage to your computer.
The problem file is awtyifod.sys
page fault in non paged area
---------

What's going on?

cob
Novice

Posts : 16
Joined : 2010-03-03
OS : xp home
Points : 24929
# Likes : 0

Re: problems after anti virus soft removal

Post by Belahzur on Wed 3 Mar - 1:53

Hmm, possibly more than I thought; another rootkit is here.


  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts.
  • NOTE: ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select yes.
  • Allow combofix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Belahzur
Administrator

Posts : 34916
Joined : 2008-08-04
Gender : Male
OS : XP SP3 Media Centre
Points : 245059
# Likes : 1

Re: problems after anti virus soft removal

Post by cob on Wed 3 Mar - 3:00

log.txt
ComboFix 10-03-01.03 - jharris 03/02/2010 10:13:59.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1256.964.1033.18.1015.411 [GMT -5:00]
Running from: c:\documents and settings\jharris\Desktop\Combo-Fix.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\jharris\Local Settings\Temporary Internet Files\Fiddler_3-28-17.htm
c:\documents and settings\jharris\Local Settings\Temporary Internet Files\Fiddler_7-39-33.htm
c:\documents and settings\jharris\Local Settings\Temporary Internet Files\Fiddler_7-41-43.xml
c:\documents and settings\jharris\Local Settings\Temporary Internet Files\Fiddler_7-42-51.xml
c:\documents and settings\jharris\Local Settings\Temporary Internet Files\Fiddler_7-45-46.htm
c:\documents and settings\jharris\Local Settings\Temporary Internet Files\Fiddler_7-52-16.htm
c:\documents and settings\jharris\Local Settings\Temporary Internet Files\nofile.htm
c:\documents and settings\jharris\Local Settings\Temporary Internet Files\RawFile.htm
c:\recycler\S-1-5-21-2163646829-2411094946-3273491994-1003
C:\test.txt
c:\windows\system32\oem1.inf
c:\windows\system32\stacsv.exe

.
((((((((((((((((((((((((( Files Created from 2010-02-02 to 2010-03-02 )))))))))))))))))))))))))))))))
.

2010-03-02 15:03 . 2010-03-02 15:10 -------- d-----w- C:\Combo-Fix9867C
2010-03-02 15:02 . 2010-03-02 15:03 -------- d-----w- C:\Combo-Fix
2010-03-02 14:41 . 2010-02-12 22:41 558448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
2010-03-02 12:14 . 2010-02-03 09:00 1324720 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100301.054\NAVEX15.SYS
2010-03-02 12:14 . 2009-08-25 08:00 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100301.054\NAVENG32.DLL
2010-03-02 12:14 . 2009-08-25 08:00 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100301.054\NAVEX32A.DLL
2010-03-02 12:14 . 2010-02-03 09:00 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100301.054\NAVENG.SYS
2010-03-02 12:14 . 2009-12-09 09:00 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100301.054\CCERASER.DLL
2010-03-02 12:14 . 2009-09-22 08:00 259440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100301.054\ECMSVR32.DLL
2010-03-02 12:14 . 2009-08-26 08:00 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100301.054\EECTRL.SYS
2010-03-02 12:14 . 2009-08-26 08:00 102448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100301.054\ERASER.SYS
2010-03-02 05:35 . 2010-03-02 05:39 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2010-03-02 05:35 . 2010-03-02 05:35 -------- d-----w- c:\program files\Security Task Manager
2010-03-02 04:26 . 2010-02-02 00:20 165240 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
2010-03-01 09:28 . 2010-03-01 09:28 -------- d-----w- c:\documents and settings\HelpAssistant\mindterm
2010-03-01 08:24 . 2010-03-01 08:24 -------- d-----w- c:\documents and settings\jharris\Application Data\Malwarebytes
2010-03-01 08:24 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-01 08:23 . 2010-03-01 08:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-01 08:23 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-01 08:23 . 2010-03-01 10:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-01 04:12 . 2010-03-01 07:32 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-28 06:48 . 2010-03-01 10:21 -------- d-----w- c:\documents and settings\jharris\Local Settings\Application Data\ybsovx
2010-02-26 01:34 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\Scxpx86.dll
2010-02-26 01:34 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\IDSvix86.sys
2010-02-26 01:34 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\IDSXpx86.sys
2010-02-26 01:34 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\IDSxpx86.dll
2010-02-26 01:34 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\IDSviA64.sys
2010-02-22 18:04 . 2010-02-22 18:04 -------- d-----w- c:\documents and settings\jharris\Application Data\Verizon Wireless
2010-02-22 18:02 . 2010-02-22 18:02 -------- d-----w- c:\documents and settings\All Users\Application Data\WEngineLite
2010-02-22 18:01 . 2010-02-22 18:01 -------- d-----w- c:\program files\Verizon Wireless
2010-02-22 17:58 . 2009-08-12 11:13 113680 ----a-w- c:\windows\system32\drivers\PTDUWWAN.sys
2010-02-22 17:58 . 2009-08-12 11:13 11920 ----a-w- c:\windows\system32\drivers\PTDUWFLT.sys
2010-02-22 17:58 . 2009-08-12 11:13 160272 ----a-w- c:\windows\system32\drivers\PTDUVsp.sys
2010-02-22 17:58 . 2009-08-12 11:13 160272 ----a-w- c:\windows\system32\drivers\PTDUMdm.sys
2010-02-22 17:58 . 2009-08-12 11:13 54416 ----a-w- c:\windows\system32\drivers\PTDUBus.sys
2010-02-22 17:58 . 2009-08-12 11:19 111704 ----a-w- c:\windows\system32\PTDUWmcp64.dll
2010-02-22 17:58 . 2009-08-12 11:18 100952 ----a-w- c:\windows\system32\PTDUWmcp.dll
2010-02-22 17:58 . 2009-08-11 11:19 319456 ----a-w- c:\windows\system32\DIFxAPI.dll
2010-02-22 17:48 . 2010-02-22 17:53 29253144 ---ha-w- c:\documents and settings\jharris\Application Data\Smith Micro\Updates\VZAM_7.2.1_2420b_Pantech_UM175.exe
2010-02-20 03:23 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\Scxpx86.dll
2010-02-20 03:23 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\IDSvix86.sys
2010-02-20 03:23 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\IDSXpx86.sys
2010-02-20 03:23 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\IDSxpx86.dll
2010-02-20 03:23 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\IDSviA64.sys
2010-02-14 02:15 . 2009-12-08 19:26 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-14 02:15 . 2009-12-08 19:26 2145280 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-14 02:15 . 2009-12-08 19:27 2189184 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-14 02:14 . 2009-12-08 18:43 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-14 02:14 . 2009-12-08 18:43 2023936 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-14 02:14 . 2009-12-08 18:43 2066048 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-11 04:10 . 2009-12-31 16:50 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2010-02-11 04:10 . 2009-12-31 16:50 353792 ------w- c:\windows\system32\dllcache\srv.sys
2010-02-11 04:08 . 2009-12-04 18:22 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-11 04:08 . 2009-12-04 18:22 455424 ------w- c:\windows\system32\dllcache\mrxsmb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-22 18:01 . 2009-04-01 12:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Verizon Wireless
2010-02-22 17:48 . 2009-04-01 12:47 -------- d--h--w- c:\documents and settings\jharris\Application Data\Smith Micro
2010-02-12 04:41 . 2009-08-03 08:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-20 05:19 . 2009-02-01 05:02 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-05 10:00 . 2010-01-05 10:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2010-01-05 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2010-01-05 10:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-16 18:43 . 2009-12-16 18:43 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2009-12-14 07:08 33280 ----a-w- c:\windows\system32\csrsrv.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]
"IDTSysTrayApp"="sttray.exe" [2008-09-11 446556]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-09-11 446556]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2008-12-03 729088]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-12-04 1410344]
"HP Mobile Broadband"="c:\swsetup\HPQWWAN\HPMobileBroadband.exe" [2008-07-08 439600]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop

R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [1/31/2009 11:53 PM 21488]
R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [1/31/2009 11:53 PM 15856]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1008000.029\SymEFA.sys [2/2/2010 10:59 PM 310320]
R0 SysCow;SysCow;c:\windows\system32\drivers\syscow32x.sys [9/25/2008 1:09 AM 103792]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NIS\1008000.029\BHDrvx86.sys [2/2/2010 10:59 PM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1008000.029\cchpx86.sys [2/2/2010 10:51 PM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\IDSXpx86.sys [2/25/2010 8:34 PM 329592]
R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [1/31/2009 11:53 PM 25584]
R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe [12/12/2008 1:46 AM 125424]
R2 BOTService;BOTService;c:\program files\Roxio\BackOnTrack\Instant Restore\BOTService.exe [12/25/2008 9:28 PM 203248]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe [2/2/2010 10:54 PM 117640]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [1/31/2009 11:38 PM 112128]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/26/2009 3:00 AM 102448]
R3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\drivers\PTDUBus.sys [2/22/2010 12:58 PM 54416]
R3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\drivers\PTDUMdm.sys [2/22/2010 12:58 PM 160272]
R3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\drivers\PTDUVsp.sys [2/22/2010 12:58 PM 160272]
R3 PTDUWFLT;PTDUWWAN Filter Driver;c:\windows\system32\drivers\PTDUWFLT.sys [2/22/2010 12:58 PM 11920]
R3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\drivers\PTDUWWAN.sys [2/22/2010 12:58 PM 113680]
R3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [5/25/2009 3:43 PM 32408]
.
Contents of the 'Scheduled Tasks' folder

2009-04-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-03-02 c:\windows\Tasks\BackOnTrack Instant Restore Idle.job
- c:\program files\Roxio\BackOnTrack\Instant Restore\RstIdle.exe [2008-12-26 02:28]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
TCP: {C4990AD2-BD68-46EE-864C-D7BE23FB952D} = 66.174.95.44 69.78.96.14
FF - ProfilePath - c:\documents and settings\jharris\Application Data\Mozilla\Firefox\Profiles\euuboh14.default\
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
AddRemove-HijackThis - c:\documents and settings\jharris\Desktop\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-03-02 10:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x866D4CC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf76acf28
\Driver\ACPI -> ACPI.sys @ 0xf751fcb8
\Driver\atapi -> atapi.sys @ 0xf74d7852
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->NDIS: Marvell Yukon 88E8040 PCI-E Fast Ethernet Controller -> SendCompleteHandler -> NDIS.sys @ 0xf737cbb0
PacketIndicateHandler -> NDIS.sys @ 0xf736ba0d
SendHandler -> NDIS.sys @ 0xf737fb40
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.8.0.41\diMaster.dll\" /prefetch:1"
.
Completion time: 2010-03-02 10:51:58
ComboFix-quarantined-files.txt 2010-03-02 15:51

Pre-Run: 2,756,374,528 bytes free
Post-Run: 2,940,678,144 bytes free

- - End Of File - - 13634C7319849AA0293D2499843E9CF8


Re: problems after anti virus soft removal

Post by Belahzur on Wed 3 Mar - 3:03


  • Download [You must be registered and logged in to see this link.] and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.




Belahzur
Administrator

Posts : 34916
Joined : 2008-08-04
Gender : Male
OS : XP SP3 Media Centre
Points : 245059
# Likes : 1


Re: problems after anti virus soft removal

Post by cob on Wed 3 Mar - 3:08

11:06:53:703 0564 TDSS rootkit removing tool 2.2.7.1 Feb 27 2010 13:29:25
11:06:53:703 0564 ================================================================================
11:06:53:703 0564 SystemInfo:

11:06:53:703 0564 OS Version: 5.1.2600 ServicePack: 3.0
11:06:53:703 0564 Product type: Workstation
11:06:53:703 0564 ComputerName: PC627117302126
11:06:53:703 0564 UserName: jharris
11:06:53:703 0564 Windows directory: C:\WINDOWS
11:06:53:703 0564 Processor architecture: Intel x86
11:06:53:703 0564 Number of processors: 2
11:06:53:703 0564 Page size: 0x1000
11:06:53:703 0564 Boot type: Normal boot
11:06:53:703 0564 ================================================================================
11:06:53:718 0564 UnloadDriverW: NtUnloadDriver error 2
11:06:53:718 0564 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
11:06:54:203 0564 Initialize success
11:06:54:203 0564
11:06:54:203 0564 Scanning Services ...
11:06:54:203 0564 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
11:06:54:203 0564 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
11:06:54:203 0564 wfopen_ex: Trying to KLMD file open
11:06:54:203 0564 wfopen_ex: File opened ok (Flags 2)
11:06:54:203 0564 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
11:06:54:203 0564 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
11:06:54:203 0564 wfopen_ex: Trying to KLMD file open
11:06:54:203 0564 wfopen_ex: File opened ok (Flags 2)
11:06:56:031 0564 GetAdvancedServicesInfo: Raw services enum returned 365 services
11:06:56:031 0564 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
11:06:56:031 0564 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
11:06:56:031 0564
11:06:56:031 0564 Scanning Kernel memory ...
11:06:56:046 0564 Devices to scan: 2
11:06:56:046 0564
11:06:56:046 0564 Driver Name: Disk
11:06:56:046 0564 IRP_MJ_CREATE : F76AEBB0
11:06:56:046 0564 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
11:06:56:046 0564 IRP_MJ_CLOSE : F76AEBB0
11:06:56:046 0564 IRP_MJ_READ : F76A8D1F
11:06:56:046 0564 IRP_MJ_WRITE : F76A8D1F
11:06:56:046 0564 IRP_MJ_QUERY_INFORMATION : 804F4562
11:06:56:046 0564 IRP_MJ_SET_INFORMATION : 804F4562
11:06:56:046 0564 IRP_MJ_QUERY_EA : 804F4562
11:06:56:046 0564 IRP_MJ_SET_EA : 804F4562
11:06:56:046 0564 IRP_MJ_FLUSH_BUFFERS : F76A92E2
11:06:56:046 0564 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
11:06:56:046 0564 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
11:06:56:046 0564 IRP_MJ_DIRECTORY_CONTROL : 804F4562
11:06:56:046 0564 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
11:06:56:046 0564 IRP_MJ_DEVICE_CONTROL : F76A93BB
11:06:56:046 0564 IRP_MJ_INTERNAL_DEVICE_CONTROL : F76ACF28
11:06:56:046 0564 IRP_MJ_SHUTDOWN : F76A92E2
11:06:56:046 0564 IRP_MJ_LOCK_CONTROL : 804F4562
11:06:56:046 0564 IRP_MJ_CLEANUP : 804F4562
11:06:56:046 0564 IRP_MJ_CREATE_MAILSLOT : 804F4562
11:06:56:046 0564 IRP_MJ_QUERY_SECURITY : 804F4562
11:06:56:046 0564 IRP_MJ_SET_SECURITY : 804F4562
11:06:56:046 0564 IRP_MJ_POWER : F76AAC82
11:06:56:046 0564 IRP_MJ_SYSTEM_CONTROL : F76AF99E
11:06:56:046 0564 IRP_MJ_DEVICE_CHANGE : 804F4562
11:06:56:046 0564 IRP_MJ_QUERY_QUOTA : 804F4562
11:06:56:046 0564 IRP_MJ_SET_QUOTA : 804F4562
11:06:56:046 0564 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
11:06:56:046 0564 sion
11:06:56:062 0564 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
11:06:56:062 0564
11:06:56:062 0564 Driver Name: atapi
11:06:56:062 0564 IRP_MJ_CREATE : F74DB6F2
11:06:56:062 0564 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
11:06:56:062 0564 IRP_MJ_CLOSE : F74DB6F2
11:06:56:062 0564 IRP_MJ_READ : 804F4562
11:06:56:062 0564 IRP_MJ_WRITE : 804F4562
11:06:56:062 0564 IRP_MJ_QUERY_INFORMATION : 804F4562
11:06:56:062 0564 IRP_MJ_SET_INFORMATION : 804F4562
11:06:56:062 0564 IRP_MJ_QUERY_EA : 804F4562
11:06:56:062 0564 IRP_MJ_SET_EA : 804F4562
11:06:56:062 0564 IRP_MJ_FLUSH_BUFFERS : 804F4562
11:06:56:062 0564 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
11:06:56:062 0564 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
11:06:56:062 0564 IRP_MJ_DIRECTORY_CONTROL : 804F4562
11:06:56:062 0564 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
11:06:56:062 0564 IRP_MJ_DEVICE_CONTROL : F74DB712
11:06:56:062 0564 IRP_MJ_INTERNAL_DEVICE_CONTROL : F74D7852
11:06:56:062 0564 IRP_MJ_SHUTDOWN : 804F4562
11:06:56:062 0564 IRP_MJ_LOCK_CONTROL : 804F4562
11:06:56:062 0564 IRP_MJ_CLEANUP : 804F4562
11:06:56:062 0564 IRP_MJ_CREATE_MAILSLOT : 804F4562
11:06:56:062 0564 IRP_MJ_QUERY_SECURITY : 804F4562
11:06:56:062 0564 IRP_MJ_SET_SECURITY : 804F4562
11:06:56:062 0564 IRP_MJ_POWER : F74DB73C
11:06:56:062 0564 IRP_MJ_SYSTEM_CONTROL : F74E2336
11:06:56:062 0564 IRP_MJ_DEVICE_CHANGE : 804F4562
11:06:56:062 0564 IRP_MJ_QUERY_QUOTA : 804F4562
11:06:56:062 0564 IRP_MJ_SET_QUOTA : 804F4562
11:06:56:062 0564 siohd: 0
11:06:56:078 0564 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean
11:06:56:078 0564
11:06:56:078 0564 Completed
11:06:56:078 0564
11:06:56:078 0564 Results:
11:06:56:078 0564 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
11:06:56:078 0564 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
11:06:56:078 0564 File objects infected / cured / cured on reboot: 0 / 0 / 0
11:06:56:078 0564
11:06:56:093 0564 KLMD(ARK) unloaded successfully


Re: problems after anti virus soft removal

Post by Belahzur on Wed 3 Mar - 3:11

Hello.
Okay, good work, we're nearly halfway through now.


  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    KILLALL::

    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "65533:TCP"=-
    "52344:TCP"=-
    "3246:TCP"=-
    "2479:TCP"=-
    "3389:TCP"=-
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.




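As an added illustration of what the CFScript in the post above does, here is a small Python script that reads the GloballyOpenPorts section out of a ComboFix log, flags the entries that are not on an expected list, and writes them into a Registry:: block in the same "=-" deletion format the helper used. This is example code written for this page, not part of the thread and not ComboFix's own tooling. The log excerpt inside it is constructed from the registry section quoted earlier in the thread, the list of expected ports (only Remote Desktop) is an assumption, and the CFScript layout simply copies the format shown in the post.

```python
"""Find unexpected GloballyOpenPorts entries in a ComboFix log and build a
CFScript Registry:: block that removes them (format copied from the post)."""
import re

# Constructed sample: the firewall section as ComboFix printed it in this thread.
SAMPLE_LOG = """\
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile\\GloballyOpenPorts\\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop

R0 SahdIa32;HDD Filter Driver;c:\\windows\\system32\\drivers\\SahdIa32.sys
"""

# Key exactly as ComboFix abbreviates it ("~" stands for the services hive path).
OPEN_PORTS_KEY = (r"HKLM\~\services\sharedaccess\parameters\firewallpolicy"
                  r"\standardprofile\GloballyOpenPorts\List")

# Assumption: the only port the owner knowingly opened is Remote Desktop.
EXPECTED = {("3389", "TCP")}

# One entry line: "<port>:<proto>"= <port>:<proto>:<label>
ENTRY_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*(\d+):(TCP|UDP):(.*)$')


def parse_open_ports(log_text):
    """Return [(port, proto, label), ...] from the GloballyOpenPorts\\List section."""
    entries = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # A new [key] header starts or ends the section we care about.
            in_section = line[1:-1].lower() == OPEN_PORTS_KEY.lower()
            continue
        if not in_section or not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), m.group(5).strip()))
    return entries


def unexpected_ports(entries, expected=EXPECTED):
    """Keep only entries whose (port, proto) is not on the expected list."""
    return [(p, proto, label) for p, proto, label in entries
            if (p, proto) not in expected]


def build_cfscript(entries):
    """Emit a CFScript that deletes the given entries, in the post's format."""
    lines = ["KILLALL::", "", "Registry::", f"[{OPEN_PORTS_KEY}]"]
    for port, proto, _label in entries:
        lines.append(f'"{port}:{proto}"=-')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_open_ports(SAMPLE_LOG)
    bad = unexpected_ports(found)
    for port, proto, label in bad:
        print(f"unexpected open port {port}/{proto} labelled {label!r}")
    print(build_cfscript(bad), end="")
```

Run on the sample, the script reports the four high-numbered "Services" entries and leaves 3389/TCP alone, producing the same five-line deletion block the helper posted minus the Remote Desktop entry. The point of doing it this way is that the decision is an allowlist check, not a guess about which ports look odd: anything the machine's owner did not deliberately open gets listed for removal, and the generated text can be compared line by line against the log before it is ever handed to ComboFix.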

Re: problems after anti virus soft removal

Post by cob on Wed 3 Mar - 3:54

ComboFix 10-03-01.04 - jharris 03/02/2010 11:21:16.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1256.964.1033.18.1015.362 [GMT -5:00]
Running from: c:\documents and settings\jharris\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\jharris\Desktop\CFscript.txt
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((( Files Created from 2010-02-02 to 2010-03-02 )))))))))))))))))))))))))))))))
.

2010-03-02 15:03 . 2010-03-02 15:10 -------- d-----w- C:\Combo-Fix9867C
2010-03-02 15:02 . 2010-03-02 15:03 -------- d-----w- C:\Combo-Fix
2010-03-02 05:35 . 2010-03-02 05:39 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2010-03-02 05:35 . 2010-03-02 05:35 -------- d-----w- c:\program files\Security Task Manager
2010-03-01 09:28 . 2010-03-01 09:28 -------- d-----w- c:\documents and settings\HelpAssistant\mindterm
2010-03-01 08:24 . 2010-03-01 08:24 -------- d-----w- c:\documents and settings\jharris\Application Data\Malwarebytes
2010-03-01 08:24 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-01 08:23 . 2010-03-01 08:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-01 08:23 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-01 08:23 . 2010-03-01 10:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-01 04:12 . 2010-03-01 07:32 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-28 06:48 . 2010-03-01 10:21 -------- d-----w- c:\documents and settings\jharris\Local Settings\Application Data\ybsovx
2010-02-22 18:04 . 2010-02-22 18:04 -------- d-----w- c:\documents and settings\jharris\Application Data\Verizon Wireless
2010-02-22 18:02 . 2010-02-22 18:02 -------- d-----w- c:\documents and settings\All Users\Application Data\WEngineLite
2010-02-22 18:01 . 2010-02-22 18:01 -------- d-----w- c:\program files\Verizon Wireless
2010-02-22 17:58 . 2009-08-12 11:13 113680 ----a-w- c:\windows\system32\drivers\PTDUWWAN.sys
2010-02-22 17:58 . 2009-08-12 11:13 11920 ----a-w- c:\windows\system32\drivers\PTDUWFLT.sys
2010-02-22 17:58 . 2009-08-12 11:13 160272 ----a-w- c:\windows\system32\drivers\PTDUVsp.sys
2010-02-22 17:58 . 2009-08-12 11:13 160272 ----a-w- c:\windows\system32\drivers\PTDUMdm.sys
2010-02-22 17:58 . 2009-08-12 11:13 54416 ----a-w- c:\windows\system32\drivers\PTDUBus.sys
2010-02-22 17:58 . 2009-08-12 11:19 111704 ----a-w- c:\windows\system32\PTDUWmcp64.dll
2010-02-22 17:58 . 2009-08-12 11:18 100952 ----a-w- c:\windows\system32\PTDUWmcp.dll
2010-02-22 17:58 . 2009-08-11 11:19 319456 ----a-w- c:\windows\system32\DIFxAPI.dll
2010-02-14 02:15 . 2009-12-08 19:26 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-14 02:15 . 2009-12-08 19:26 2145280 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-14 02:15 . 2009-12-08 19:27 2189184 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-14 02:14 . 2009-12-08 18:43 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-14 02:14 . 2009-12-08 18:43 2023936 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-14 02:14 . 2009-12-08 18:43 2066048 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-11 04:10 . 2009-12-31 16:50 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2010-02-11 04:10 . 2009-12-31 16:50 353792 ------w- c:\windows\system32\dllcache\srv.sys
2010-02-11 04:08 . 2009-12-04 18:22 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-11 04:08 . 2009-12-04 18:22 455424 ------w- c:\windows\system32\dllcache\mrxsmb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-22 18:01 . 2009-04-01 12:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Verizon Wireless
2010-02-22 17:53 . 2010-02-22 17:48 29253144 ---ha-w- c:\documents and settings\jharris\Application Data\Smith Micro\Updates\VZAM_7.2.1_2420b_Pantech_UM175.exe
2010-02-22 17:48 . 2009-04-01 12:47 -------- d--h--w- c:\documents and settings\jharris\Application Data\Smith Micro
2010-02-12 22:41 . 2010-03-02 16:36 558448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
2010-02-12 04:41 . 2009-08-03 08:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-03 09:00 . 2010-03-02 12:14 1324720 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100301.054\NAVEX15.SYS
2010-02-03 09:00 . 2010-03-02 12:14 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100301.054\NAVENG.SYS
2010-02-02 00:20 . 2010-03-02 16:36 165240 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
2010-01-20 05:19 . 2009-02-01 05:02 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-05 10:00 . 2010-01-05 10:00 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2010-01-05 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2010-01-05 10:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-16 18:43 . 2009-12-16 18:43 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2009-12-14 07:08 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-09 09:00 . 2010-03-02 12:14 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100301.054\CCERASER.DLL
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 1601-01-01 00:00 . 1601-01-01 00:00 0 c:\windows\temp\Perflib_Perfdata_884.dat
+ 2010-03-02 16:37 . 2010-03-02 16:37 16384 c:\windows\temp\Perflib_Perfdata_47c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]
"IDTSysTrayApp"="sttray.exe" [2008-09-11 446556]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-09-11 446556]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2008-12-03 729088]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-12-04 1410344]
"HP Mobile Broadband"="c:\swsetup\HPQWWAN\HPMobileBroadband.exe" [2008-07-08 439600]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5989:TCP"= 5989:TCP:Services

R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [1/31/2009 11:53 PM 21488]
R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [1/31/2009 11:53 PM 15856]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1008000.029\SymEFA.sys [2/2/2010 10:59 PM 310320]
R0 SysCow;SysCow;c:\windows\system32\drivers\syscow32x.sys [9/25/2008 1:09 AM 103792]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NIS\1008000.029\BHDrvx86.sys [2/2/2010 10:59 PM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1008000.029\cchpx86.sys [2/2/2010 10:51 PM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\IDSXpx86.sys [2/25/2010 8:34 PM 329592]
R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [1/31/2009 11:53 PM 25584]
R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe [12/12/2008 1:46 AM 125424]
R2 BOTService;BOTService;c:\program files\Roxio\BackOnTrack\Instant Restore\BOTService.exe [12/25/2008 9:28 PM 203248]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe [2/2/2010 10:54 PM 117640]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [1/31/2009 11:38 PM 112128]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/26/2009 3:00 AM 102448]
R3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\drivers\PTDUBus.sys [2/22/2010 12:58 PM 54416]
R3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\drivers\PTDUMdm.sys [2/22/2010 12:58 PM 160272]
R3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\drivers\PTDUVsp.sys [2/22/2010 12:58 PM 160272]
R3 PTDUWFLT;PTDUWWAN Filter Driver;c:\windows\system32\drivers\PTDUWFLT.sys [2/22/2010 12:58 PM 11920]
R3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\drivers\PTDUWWAN.sys [2/22/2010 12:58 PM 113680]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [5/25/2009 3:43 PM 32408]

NETSVCS REQUIRES REPAIRS - current entries shown

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

.
Contents of the 'Scheduled Tasks' folder

2009-04-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-03-02 c:\windows\Tasks\BackOnTrack Instant Restore Idle.job
- c:\program files\Roxio\BackOnTrack\Instant Restore\RstIdle.exe [2008-12-26 02:28]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
TCP: {C4990AD2-BD68-46EE-864C-D7BE23FB952D} = 66.174.95.44 69.78.96.14
FF - ProfilePath - c:\documents and settings\jharris\Application Data\Mozilla\Firefox\Profiles\euuboh14.default\
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-03-02 11:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system.ini 227 bytes

scan completed successfully
hidden files: 1

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x85A62ED0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf76acf28
\Driver\ACPI -> ACPI.sys @ 0xf751fcb8
\Driver\atapi -> atapi.sys @ 0xf74d7852
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3804)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\idt\wdm\stacsv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\internet explorer\iexplore.exe
c:\program files\MSN\Toolbar\3.0.0541.0\msntask.exe
c:\program files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
.
**************************************************************************
.
Completion time: 2010-03-02 11:53:24 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-02 16:52
ComboFix2.txt 2010-03-02 15:52

Pre-Run: 2,949,640,192 bytes free
Post-Run: 2,874,265,600 bytes free

- - End Of File - - 940A5CEB87060E9399F697D56D543FC5


Re: problems after anti virus soft removal

Post by Belahzur on Wed 3 Mar - 4:03

Hello.

Good work, we're winning, last bit to take out, that HelpAssistant account. Follow my instructions in the order they are written.

Please create a folder on your Desktop called SWReg.

  1. Download SWReg.exe from [You must be registered and logged in to see this link.].
  2. Save SWReg.exe inside the SWReg folder you just created.

    Do not run SWReg.exe.

    Now open a new Notepad file, and input this into the Notepad file:

    @echo off
    swreg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" /s >>log.txt
    swreg query "HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters" /s >>log.txt
    start notepad log.txt

    Save this as SWReg.bat, save it inside the SWReg folder as well.
    Double click SWReg.bat and the black cmd window will open and close, this is normal.

  3. Make sure both SWReg.exe and SWReg.bat are located next to each other for this to work.
  4. Now, double click on SWReg.bat to run the script.
  5. Once done, a Notepad log file will open, copy and paste that log back here.


Next,

Now open a new Notepad file, and input this into the Notepad file:

@echo off
net user HelpAssistant>"%userprofile%\desktop\log.txt"
start notepad "%userprofile%\desktop\log.txt"
exit

Save this as fix.bat, save it to your desktop.
Double click fix.bat and the black cmd window will open and close, this is normal.



Copy and paste the 2 logs back here.




Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-04
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245059
# Likes # Likes : 1

View user profile

Back to top Go down

Re: problems after anti virus soft removal

Post by cob on Wed 3 Mar - 4:12

SteelWerX Registry Console Tool 3.0
Written by Bobbi Flekman 2006 (C)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist
ProfilesDirectory REG_EXPAND_SZ %SystemDrive%\Documents and Settings
DefaultUserProfile REG_SZ Default User
AllUsersProfile REG_SZ All Users

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-18
Flags REG_DWORD 12 (0xc)
State REG_DWORD 0 (0x0)
RefCount REG_DWORD 1 (0x1)
Sid REG_BINARY 010100000000000512000000
ProfileImagePath REG_EXPAND_SZ %systemroot%\system32\config\systemprofile

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-19
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\LocalService
Sid REG_BINARY 010100000000000513000000
Flags REG_DWORD 9 (0x9)
State REG_DWORD 0 (0x0)
CentralProfile REG_SZ
ProfileLoadTimeLow REG_DWORD 1810464718 (0x6be97fce)
ProfileLoadTimeHigh REG_DWORD 30063142 (0x1caba26)
RefCount REG_DWORD 3 (0x3)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-20
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\NetworkService
Sid REG_BINARY 010100000000000514000000
Flags REG_DWORD 9 (0x9)
State REG_DWORD 0 (0x0)
CentralProfile REG_SZ
ProfileLoadTimeLow REG_DWORD 1717652218 (0x66614afa)
ProfileLoadTimeHigh REG_DWORD 30063142 (0x1caba26)
RefCount REG_DWORD 2 (0x2)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-21-3012544437-3765494630-634258370-1005
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\HelpAssistant
Sid REG_BINARY 010500000000000515000000b5c78fb366e370e0c203ce25ed030000
Flags REG_DWORD 1 (0x1)
State REG_DWORD 260 (0x104)
CentralProfile REG_SZ
ProfileLoadTimeLow REG_DWORD 731707316 (0x2b9cf7b4)
ProfileLoadTimeHigh REG_DWORD 30062879 (0x1cab91f)
RefCount REG_DWORD 0 (0x0)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-21-3012544437-3765494630-634258370-1006
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\jharris
Sid REG_BINARY 010500000000000515000000b5c78fb366e370e0c203ce25ee030000
Flags REG_DWORD 0 (0x0)
State REG_DWORD 256 (0x100)
CentralProfile REG_SZ
ProfileLoadTimeLow REG_DWORD 1816245968 (0x6c41b6d0)
ProfileLoadTimeHigh REG_DWORD 30063142 (0x1caba26)
RefCount REG_DWORD 1 (0x1)
RunLogonScriptSync REG_DWORD 0 (0x0)
OptimizedLogonStatus REG_DWORD 11 (0xb)

SteelWerX Registry Console Tool 3.0
Written by Bobbi Flekman 2006 (C)

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll
Certificate REG_BINARY 01000000010000000100000006005c005253413148000000000200003f000000010001005dee9e952327b332b80f779c29b83ad4311ce1bd863d9f495505e0ad3640c742f95ae28c8171d9dcec5c7ba5e1787c8c7cf6f1ff1b8c2ab7c74dc9ba27e40edb000000000000000008004800382cfb9b12377521e13a169303e17d94f576c45c9fc25ab9721087440546d13ba17b1ffed3221ac7cc644f1adcb0d780079caac2f3da3e3834471be0c67154350000000000000000
=============
User name HelpAssistant
Full Name Remote Desktop Help Assistant Account
Comment Account for Providing Remote Assistance
User's comment
Country code 000 (System Default)
Account active Yes
Account expires Never

Password last set 3/1/2010 4:10 AM
Password expires Never
Password changeable 3/1/2010 4:10 AM
Password required Yes
User may change password Yes

Workstations allowed All
Logon script
User profile
Home directory
Last logon 3/1/2010 4:10 AM

Logon hours allowed All

Local Group Memberships *Administrators
Global Group memberships *None
The command completed successfully.


Re: problems after anti virus soft removal

Post by Belahzur on Wed 3 Mar - 4:24

Hello.

Good work. Now delete fix.bat from your Desktop, because now I have the info I want. We need to delete the user account that the rootkit made.

Now open a new Notepad file, and input this into the Notepad file:

@echo off
net user HelpAssistant /active:no
net localgroup Administrators HelpAssistant /delete
net user HelpAssistant>"%userprofile%\desktop\log.txt"
start notepad "%userprofile%\desktop\log.txt"
exit

Save this as fix.bat, save it to your desktop.
Double click fix.bat and the black cmd window will open and close, this is normal.
Please post the resulting log.



Re: problems after anti virus soft removal

Post by cob on Wed 3 Mar - 4:29

User name HelpAssistant
Full Name Remote Desktop Help Assistant Account
Comment Account for Providing Remote Assistance
User's comment
Country code 000 (System Default)
Account active No
Account expires Never

Password last set 3/1/2010 4:10 AM
Password expires Never
Password changeable 3/1/2010 4:10 AM
Password required Yes
User may change password Yes

Workstations allowed All
Logon script
User profile
Home directory
Last logon 3/1/2010 4:10 AM

Logon hours allowed All

Local Group Memberships
Global Group memberships *None
The command completed successfully.


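The `net user HelpAssistant` output posted above, before and after the fix, checked automatically for the state the helper was looking for (account enabled, member of Administrators, a logon on record, a recently set password). This is an added example, not a script from the thread or from any of the tools used in it; it assumes the US date format shown in the posts and uses 2 March 2010, the date of the logs, as the reference date for "recent".

```python
"""Audit the built-in HelpAssistant account from `net user HelpAssistant` output.

Added example (not from the thread): parses the text `net user` prints and flags
the state the helper was looking for: account enabled, member of Administrators,
a logon on record and a recently set password.
"""
from datetime import datetime
from typing import Dict, List, Tuple

# Reference date for the "recent" check: the day the thread's logs were taken (assumption).
THREAD_DATE = datetime(2010, 3, 2)

# Constructed sample: the output cob posted before the fix, trimmed to the fields read here.
NET_USER_BEFORE = """\
User name HelpAssistant
Full Name Remote Desktop Help Assistant Account
Account active Yes
Account expires Never
Password last set 3/1/2010 4:10 AM
Last logon 3/1/2010 4:10 AM
Local Group Memberships *Administrators
Global Group memberships *None
The command completed successfully.
"""

# Constructed sample: the output posted after `net user HelpAssistant /active:no`
# and `net localgroup Administrators HelpAssistant /delete`.
NET_USER_AFTER = """\
User name HelpAssistant
Full Name Remote Desktop Help Assistant Account
Account active No
Account expires Never
Password last set 3/1/2010 4:10 AM
Last logon 3/1/2010 4:10 AM
Local Group Memberships
Global Group memberships *None
The command completed successfully.
"""

# Labels this audit reads. startswith() matching works on the real column-padded
# layout as well as on the space-collapsed copy a forum post leaves behind.
FIELDS = ("User name", "Account active", "Password last set", "Last logon",
          "Local Group Memberships", "Global Group memberships")


def parse_net_user(text: str) -> Dict[str, str]:
    """Map each label in FIELDS to the text after it (empty string if blank)."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        for label in FIELDS:
            if line.startswith(label):
                fields[label] = line[len(label):].strip()
                break
    return fields


def parse_net_date(value: str):
    """'3/1/2010 4:10 AM' -> datetime; 'Never' or blank -> None (US format, as in the posts)."""
    if not value or value.lower() == "never":
        return None
    try:
        return datetime.strptime(value, "%m/%d/%Y %I:%M %p")
    except ValueError:
        return None


def parse_groups(value: str) -> List[str]:
    """'*Administrators *HelpServicesGroup' -> ['Administrators', 'HelpServicesGroup']; '*None' -> []."""
    groups = [tok.strip() for tok in value.split("*") if tok.strip()]
    return [g for g in groups if g != "None"]


def audit_helpassistant(net_user_output: str, reference: datetime,
                        recent_days: int = 30) -> List[Tuple[str, str]]:
    """Return (code, detail) findings for a HelpAssistant account that looks abused.

    HelpAssistant exists on every XP machine for Remote Assistance; it is disabled
    outside an assistance session and is not a member of Administrators. The first
    two findings are the ones the thread's fix.bat reverts; the other two are the
    historical traces that remain until the profile is removed.
    """
    f = parse_net_user(net_user_output)
    if f.get("User name") != "HelpAssistant":
        raise ValueError("expected `net user HelpAssistant` output")
    findings: List[Tuple[str, str]] = []
    if f.get("Account active", "").lower() == "yes":
        findings.append(("ACCOUNT_ENABLED", "account is enabled; expected disabled"))
    if "Administrators" in parse_groups(f.get("Local Group Memberships", "")):
        findings.append(("ADMIN_MEMBER", "account is a member of local Administrators"))
    last_logon = parse_net_date(f.get("Last logon", ""))
    if last_logon is not None:
        findings.append(("HAS_LOGGED_ON", f"last logon {last_logon:%Y-%m-%d %H:%M}"))
    pw_set = parse_net_date(f.get("Password last set", ""))
    if pw_set is not None and 0 <= (reference - pw_set).days <= recent_days:
        findings.append(("RECENT_PASSWORD", f"password set {pw_set:%Y-%m-%d %H:%M}, "
                                            f"within {recent_days} days of {reference:%Y-%m-%d}"))
    return findings


if __name__ == "__main__":
    for label, sample in (("before fix", NET_USER_BEFORE), ("after fix", NET_USER_AFTER)):
        print(f"== {label} ==")
        for code, detail in audit_helpassistant(sample, THREAD_DATE):
            print(f"  {code:16} {detail}")
```

On a live machine, feed it the output of `net user HelpAssistant` and today's date; the two findings that remain after the fix are expected until the HelpAssistant profile is deleted in the next step.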
Re: problems after anti virus soft removal

Post by Belahzur on Wed 3 Mar - 4:32

Hello.
Good work, now this next bit may take some time to finish up after reboot because it's deleting a huge folder.

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.]

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Folders to delete:
C:\Documents and Settings\HelpAssistant

Registry keys to delete:
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-21-3012544437-3765494630-634258370-1005

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.



Re: problems after anti virus soft removal

Post by cob on Wed 3 Mar - 4:38

oops disregard that post


Re: problems after anti virus soft removal

Post by Belahzur on Wed 3 Mar - 4:40

Post deleted :)

Standing by.



Re: problems after anti virus soft removal

Post by cob on Wed 3 Mar - 4:51

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Folder "C:\Documents and Settings\HelpAssistant" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-21-3012544437-3765494630-634258370-1005" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


Re: problems after anti virus soft removal

Post by Belahzur on Wed 3 Mar - 4:57

Well done, I think we have this beat, but there is one last thing I want to check: your Combofix log showed me something concerning, and I'm not sure that is fixed. I want one last check.

Please run Combofix as normal one more time.



Re: problems after anti virus soft removal

Post by cob on Wed 3 Mar - 5:29

ComboFix 10-03-01.04 - jharris 03/02/2010 13:07:12.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1256.964.1033.18.1015.503 [GMT -5:00]
Running from: c:\documents and settings\jharris\Desktop\Combo-Fix.exe
AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((( Files Created from 2010-02-02 to 2010-03-02 )))))))))))))))))))))))))))))))
.

2010-03-02 17:44 . 2010-02-12 22:41 558448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
2010-03-02 17:44 . 2010-02-02 00:20 165240 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
2010-03-02 15:03 . 2010-03-02 15:10 -------- d-----w- C:\Combo-Fix9867C
2010-03-02 15:02 . 2010-03-02 15:03 -------- d-----w- C:\Combo-Fix
2010-03-02 12:14 . 2010-02-03 09:00 1324720 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100301.054\NAVEX15.SYS
2010-03-02 12:14 . 2009-08-25 08:00 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100301.054\NAVENG32.DLL
2010-03-02 12:14 . 2009-08-25 08:00 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100301.054\NAVEX32A.DLL
2010-03-02 12:14 . 2010-02-03 09:00 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100301.054\NAVENG.SYS
2010-03-02 12:14 . 2009-12-09 09:00 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100301.054\CCERASER.DLL
2010-03-02 12:14 . 2009-09-22 08:00 259440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100301.054\ECMSVR32.DLL
2010-03-02 12:14 . 2009-08-26 08:00 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100301.054\EECTRL.SYS
2010-03-02 12:14 . 2009-08-26 08:00 102448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100301.054\ERASER.SYS
2010-03-02 05:35 . 2010-03-02 05:39 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2010-03-02 05:35 . 2010-03-02 05:35 -------- d-----w- c:\program files\Security Task Manager
2010-03-01 08:24 . 2010-03-01 08:24 -------- d-----w- c:\documents and settings\jharris\Application Data\Malwarebytes
2010-03-01 08:24 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-01 08:23 . 2010-03-01 08:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-01 08:23 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-01 08:23 . 2010-03-01 10:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-01 04:12 . 2010-03-01 07:32 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-28 06:48 . 2010-03-01 10:21 -------- d-----w- c:\documents and settings\jharris\Local Settings\Application Data\ybsovx
2010-02-26 01:34 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\Scxpx86.dll
2010-02-26 01:34 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\IDSvix86.sys
2010-02-26 01:34 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\IDSXpx86.sys
2010-02-26 01:34 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\IDSxpx86.dll
2010-02-26 01:34 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\IDSviA64.sys
2010-02-22 18:04 . 2010-02-22 18:04 -------- d-----w- c:\documents and settings\jharris\Application Data\Verizon Wireless
2010-02-22 18:02 . 2010-02-22 18:02 -------- d-----w- c:\documents and settings\All Users\Application Data\WEngineLite
2010-02-22 18:01 . 2010-02-22 18:01 -------- d-----w- c:\program files\Verizon Wireless
2010-02-22 17:58 . 2009-08-12 11:13 113680 ----a-w- c:\windows\system32\drivers\PTDUWWAN.sys
2010-02-22 17:58 . 2009-08-12 11:13 11920 ----a-w- c:\windows\system32\drivers\PTDUWFLT.sys
2010-02-22 17:58 . 2009-08-12 11:13 160272 ----a-w- c:\windows\system32\drivers\PTDUVsp.sys
2010-02-22 17:58 . 2009-08-12 11:13 160272 ----a-w- c:\windows\system32\drivers\PTDUMdm.sys
2010-02-22 17:58 . 2009-08-12 11:13 54416 ----a-w- c:\windows\system32\drivers\PTDUBus.sys
2010-02-22 17:58 . 2009-08-12 11:19 111704 ----a-w- c:\windows\system32\PTDUWmcp64.dll
2010-02-22 17:58 . 2009-08-12 11:18 100952 ----a-w- c:\windows\system32\PTDUWmcp.dll
2010-02-22 17:58 . 2009-08-11 11:19 319456 ----a-w- c:\windows\system32\DIFxAPI.dll
2010-02-22 17:48 . 2010-02-22 17:53 29253144 ---ha-w- c:\documents and settings\jharris\Application Data\Smith Micro\Updates\VZAM_7.2.1_2420b_Pantech_UM175.exe
2010-02-20 03:23 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\Scxpx86.dll
2010-02-20 03:23 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\IDSvix86.sys
2010-02-20 03:23 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\IDSXpx86.sys
2010-02-20 03:23 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\IDSxpx86.dll
2010-02-20 03:23 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\IDSviA64.sys
2010-02-14 02:15 . 2009-12-08 19:26 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-14 02:15 . 2009-12-08 19:26 2145280 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-14 02:15 . 2009-12-08 19:27 2189184 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-14 02:14 . 2009-12-08 18:43 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-14 02:14 . 2009-12-08 18:43 2023936 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-14 02:14 . 2009-12-08 18:43 2066048 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-11 04:10 . 2009-12-31 16:50 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2010-02-11 04:10 . 2009-12-31 16:50 353792 ------w- c:\windows\system32\dllcache\srv.sys
2010-02-11 04:08 . 2009-12-04 18:22 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-11 04:08 . 2009-12-04 18:22 455424 ------w- c:\windows\system32\dllcache\mrxsmb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-22 18:01 . 2009-04-01 12:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Verizon Wireless
2010-02-22 17:48 . 2009-04-01 12:47 -------- d--h--w- c:\documents and settings\jharris\Application Data\Smith Micro
2010-02-12 04:41 . 2009-08-03 08:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-20 05:19 . 2009-02-01 05:02 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-05 10:00 . 2010-01-05 10:00 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2010-01-05 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2010-01-05 10:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-16 18:43 . 2009-12-16 18:43 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2009-12-14 07:08 33280 ----a-w- c:\windows\system32\csrsrv.dll
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-02 17:52 . 2010-03-02 17:52 16384 c:\windows\temp\Perflib_Perfdata_e5c.dat
+ 2010-03-02 17:45 . 2010-03-02 17:45 16384 c:\windows\temp\Perflib_Perfdata_c4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5989:TCP"= 5989:TCP:Services
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"7537:TCP"= 7537:TCP:Services

R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [1/31/2009 11:53 PM 21488]
R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [1/31/2009 11:53 PM 15856]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1008000.029\SymEFA.sys [2/2/2010 10:59 PM 310320]
R0 SysCow;SysCow;c:\windows\system32\drivers\syscow32x.sys [9/25/2008 1:09 AM 103792]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NIS\1008000.029\BHDrvx86.sys [2/2/2010 10:59 PM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1008000.029\cchpx86.sys [2/2/2010 10:51 PM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100224.002\IDSXpx86.sys [2/25/2010 8:34 PM 329592]
R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [1/31/2009 11:53 PM 25584]
R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe [12/12/2008 1:46 AM 125424]
R2 BOTService;BOTService;c:\program files\Roxio\BackOnTrack\Instant Restore\BOTService.exe [12/25/2008 9:28 PM 203248]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe [2/2/2010 10:54 PM 117640]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [1/31/2009 11:38 PM 112128]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/26/2009 3:00 AM 102448]
R3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\drivers\PTDUBus.sys [2/22/2010 12:58 PM 54416]
R3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\drivers\PTDUMdm.sys [2/22/2010 12:58 PM 160272]
R3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\drivers\PTDUVsp.sys [2/22/2010 12:58 PM 160272]
R3 PTDUWFLT;PTDUWWAN Filter Driver;c:\windows\system32\drivers\PTDUWFLT.sys [2/22/2010 12:58 PM 11920]
R3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\drivers\PTDUWWAN.sys [2/22/2010 12:58 PM 113680]
R3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [5/25/2009 3:43 PM 32408]
.
Contents of the 'Scheduled Tasks' folder

2009-04-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-03-02 c:\windows\Tasks\BackOnTrack Instant Restore Idle.job
- c:\program files\Roxio\BackOnTrack\Instant Restore\RstIdle.exe [2008-12-26 02:28]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
TCP: {C4990AD2-BD68-46EE-864C-D7BE23FB952D} = 66.174.95.44 69.78.96.14
FF - ProfilePath - c:\documents and settings\jharris\Application Data\Mozilla\Firefox\Profiles\euuboh14.default\
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-03-02 13:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x86735050]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf76bcf28
\Driver\ACPI -> ACPI.sys @ 0xf751fcb8
\Driver\atapi -> atapi.sys @ 0xf74d7852
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(520)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-03-02 13:26:26
ComboFix-quarantined-files.txt 2010-03-02 18:26
ComboFix2.txt 2010-03-02 16:53
ComboFix3.txt 2010-03-02 15:52

Pre-Run: 2,935,635,968 bytes free
Post-Run: 2,929,369,088 bytes free

- - End Of File - - 21DA0DC97EC6B6019361B2EE36B9621F


Re: problems after anti virus soft removal

Post by Belahzur on Wed 3 Mar - 5:37

Hello.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    Adobe Reader 9
    Java(TM) 6 Update 7
    Viewpoint Media Player

Please download SystemLook from one of the links below and save it to your Desktop.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:

    :filefind
    atapi.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


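As an added illustration of what the :filefind step above is for (this is not SystemLook's own code and is not from the original post): a small Python script that lists every copy of a named file under a root with its size and SHA-256, then flags the copy whose hash disagrees with the others. It assumes a constructed directory tree standing in for a Windows install; the driver bytes are made up.

```python
import hashlib
import os
import tempfile
from collections import Counter

def sha256_of(path):
    """Hex SHA-256 of a file, hashed in chunks so large drivers are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def filefind(root, name):
    """Walk 'root' and return (path, size, sha256) for every file whose name
    matches 'name' case-insensitively, like SystemLook's :filefind command."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if f.lower() == name.lower():
                p = os.path.join(dirpath, f)
                hits.append((p, os.path.getsize(p), sha256_of(p)))
    return sorted(hits)

def odd_ones_out(hits):
    """Paths whose hash differs from the majority hash. On a clean XP install
    the copy in system32\\drivers matches the dllcache and ServicePackFiles
    copies byte for byte, so a lone differing copy is the one to look at."""
    majority = Counter(h for _, _, h in hits).most_common(1)[0][0]
    return [p for p, _, h in hits if h != majority]

def build_sample():
    """Constructed sample tree (not a real driver): two identical clean copies
    and one copy with four bytes changed, the way a patched driver would be."""
    root = tempfile.mkdtemp()
    clean = b"MZ" + bytes(range(256)) * 4            # 1026-byte stand-in
    patched = clean[:300] + b"\xcc\xcc\xcc\xcc" + clean[304:]
    layout = {"WINDOWS/system32/drivers/atapi.sys": patched,
              "WINDOWS/system32/dllcache/atapi.sys": clean,
              "WINDOWS/ServicePackFiles/i386/atapi.sys": clean}
    for rel, body in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(body)
    return root

if __name__ == "__main__":
    hits = filefind(build_sample(), "atapi.sys")
    print("differs from the other copies:", odd_ones_out(hits))
```

On a real machine you would point filefind at the system drive instead of build_sample(); the copy it singles out is the one to submit to a scanner, not something to judge by eye.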

Re: problems after anti virus soft removal

Post by cob on Wed 3 Mar - 5:47

Belahzur, I very much appreciate your time and help, and fixing my comp is very important to me. However, I have to go to work right now. Will you be here later tonight at all?


Re: problems after anti virus soft removal

Post by Belahzur on Wed 3 Mar - 5:48

Probably not; it's already 6pm here, and I'll likely be in bed by the time you're back.

Right now, the machine looks good, just that atapi.sys that might be infected.



Re: problems after anti virus soft removal

Post by cob on Wed 3 Mar - 5:53

I'll be gone for about 9 hours, then I'll be on after that. If there's anything I should do beyond the instructions in your last post, maybe I could do all that and then wait for your response. In any case, I really appreciate your help.


Re: problems after anti virus soft removal

Post by Belahzur on Wed 3 Mar - 6:04

Okay, catch ya soon.
Can't really go any further until I know atapi.sys is okay; leaving it to chance isn't worth the damage it will cause.



Re: problems after anti virus soft removal

Post by cob on Wed 3 Mar - 23:50

Hi, I'm back now. Could you tell me, given what we did yesterday, what was found on my computer and what was removed? Thanks.


Re: problems after anti virus soft removal

Post by Belahzur on Thu 4 Mar - 0:29

Follow instructions in this post:
[You must be registered and logged in to see this link.]

