ATAPI.SYS backdoor.tidserv!inf help requested

Post by Snowshark on Tue Mar 30, 2010 5:22 pm

Aloha, attached is my HijackThis file. Any help would be appreciated. Adobe and Java are updated. Windows is updated as far as I know. Unable to access currently.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:06:59 AM, on 3/30/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Norton 360\Engine\4.0.0.127\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Norton 360\Engine\4.0.0.127\ccSvcHst.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
C:\progra~1\common~1\instal~1\update~1\issch.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Compaq_Owner\My Documents\Downloads\winlogon.scr

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [URL omitted]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [URL omitted]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [URL omitted]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [URL omitted]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [URL omitted]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\4.0.0.127\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\4.0.0.127\IPSBHO.DLL
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\4.0.0.127\coIEPlg.dll
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [ISUSScheduler] "c:\progra~1\common~1\instal~1\update~1\issch.exe" -start
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: [URL omitted]
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - [URL omitted]
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - [URL omitted]
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - [URL omitted]
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - [URL omitted]
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - [URL omitted]
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - [URL omitted]
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - [URL omitted]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [URL omitted]
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - [URL omitted]
O16 - DPF: {A084A130-28AE-4B32-B51A-1C8CE164BC88} (WNICheck2 Class) - [URL omitted]
O16 - DPF: {B0C45AFD-2802-4285-BE1F-714C50FEE6D9} (HprmfPCFileCtrl1 Class) - [URL omitted]
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - [URL omitted]
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - [URL omitted]
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\4.0.0.127\ccSvcHst.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WUSB54GCSVC - Unknown owner - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe (file missing)

--
End of file - 10265 bytes

Snowshark, Novice. Posts: 9. Joined: 2010-03-30. OS: Windows XP Home SP3.
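As an added example for this thread (it is not HijackThis code, and not something Snowshark or Belahzur posted), here is the first-pass triage a helper does by eye on a log like the one above, written out as a script: processes running from outside the Windows and Program Files trees, a process that borrows a core-system name such as winlogon while running from somewhere else (the log above lists a winlogon.scr in the user's Downloads folder), entries whose target file is gone, autoruns that give a bare filename rather than a full path, and IE policy restrictions in the user hive. The name list, the trusted roots and the severities are my assumptions; the embedded excerpt is copied from the log above.

```python
"""Triage a HijackThis v2 log: pick out what a malware-removal helper reads first.
Added example for this thread; it is not HijackThis code and not part of the post."""
import re
from dataclasses import dataclass

# Process names the Windows core uses (assumed list). One of these running from
# anywhere but the Windows directory is the classic "named like a system file" disguise.
SYSTEM_NAMES = {"smss", "csrss", "winlogon", "services", "lsass", "svchost", "explorer"}
# Locations a normal install runs programs from (assumed); anything else is user-writable.
SYSTEM_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
AUTORUN_RE = re.compile(r"^O4 - .*: \[[^\]]+\] (?P<cmd>.+)$")

# Excerpt copied from the HijackThis log posted above.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Compaq_Owner\My Documents\Downloads\winlogon.scr

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O23 - Service: WUSB54GCSVC - Unknown owner - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe (file missing)
"""


@dataclass
class Finding:
    severity: str   # "high" | "medium" | "info"
    line: str
    reason: str


def check_process(path):
    """Judge one line of the 'Running processes' list by where it runs from."""
    low = path.lower()
    stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if stem in SYSTEM_NAMES and not low.startswith("c:\\windows\\"):
        return Finding("high", path, "system-process name running outside the Windows directory")
    if not low.startswith(SYSTEM_ROOTS):
        return Finding("medium", path, "running from a user-writable location")
    return None


def check_entry(line):
    """Judge one R*/O* entry."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    if "(file missing)" in body or "(no file)" in body:
        return Finding("info", line, "points at a file that no longer exists; orphan, safe to remove")
    if code == "O4":
        a = AUTORUN_RE.match(line)
        if a:
            words = a.group("cmd").split()
            # rundll32 loads the DLL named by its first argument; otherwise the
            # first word is the program. No backslash means no path: the name is
            # resolved by search order, so a planted file of that name could win.
            target = words[1] if words[0].lower().startswith("rundll32") and len(words) > 1 else words[0]
            target = target.split(",")[0]
            if "\\" not in target:
                return Finding("medium", line, f"autorun target {target} has no path (search-order resolution)")
    if code == "O6":
        return Finding("info", line, "IE policy restriction in HKCU; confirm it was set on purpose")
    return None


def triage(log_text):
    """Walk the log once; processes are the lines after 'Running processes:' up to the first blank."""
    findings, in_processes = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:
                in_processes = False
                continue
            f = check_process(line)
        else:
            f = check_entry(line)
        if f:
            findings.append(f)
    return findings


def summary(findings):
    """Counts per severity."""
    return {s: sum(1 for f in findings if f.severity == s) for s in ("high", "medium", "info")}


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in sorted(found, key=lambda f: ("high", "medium", "info").index(f.severity)):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print(summary(found))
```

On the excerpt this reports one high (the winlogon.scr in Downloads), two medium (the path-less RTHDCPL.EXE and ftutil2.dll autoruns) and four informational entries. A flag is a place to look, not a verdict: the tool cannot tell a renamed screensaver from a dropper, which is why the helper asks for the ComboFix run next.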

Re: ATAPI.SYS backdoor.tidserv!inf help requested

Post by Belahzur on Tue Mar 30, 2010 10:43 pm

Hello.

  • Download combofix from here:
    [download URLs omitted]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [URL omitted] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts.
    NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select yes.
  • Allow combofix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


[URLs omitted] - Please PM me if I fail to respond within 24hrs.


Belahzur, Administrator. Posts: 34916. Joined: 2008-08-03. OS: XP SP3 Media Centre.

Re: ATAPI.SYS backdoor.tidserv!inf help requested

Post by Snowshark on Tue Mar 30, 2010 11:37 pm

Aloha again, here is the log text...

ComboFix 10-03-29.04 - Compaq_Owner 03/30/2010 16:09:49.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1627 [GMT -7:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\Combo-Fix.exe
AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\eSellerateEngine.dll
D:\Autorun.inf

----- BITS: Possible infected sites -----

[URL omitted]
[URL omitted]
[URL omitted]
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-30 )))))))))))))))))))))))))))))))
.

2010-03-30 18:08 . 2010-03-30 18:08 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2010-03-30 16:44 . 2010-03-30 16:46 -------- dc-h--w- c:\windows\ie8
2010-03-30 16:13 . 2010-03-30 16:13 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-03-30 16:12 . 2010-03-30 16:55 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-03-30 01:05 . 2010-03-30 01:05 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-03-29 17:52 . 2010-03-29 17:52 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-03-29 17:52 . 2010-03-29 17:52 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-03-29 17:52 . 2010-03-29 17:52 -------- d-----w- c:\program files\Symantec
2010-03-29 17:51 . 2010-03-29 17:51 -------- d-----w- c:\windows\system32\drivers\N360
2010-03-29 17:51 . 2010-03-29 17:51 -------- d-----w- c:\program files\Norton 360
2010-03-29 17:51 . 2010-03-29 17:51 -------- d-----w- c:\program files\Windows Sidebar
2010-03-29 17:51 . 2010-03-29 17:51 -------- d-----w- c:\program files\NortonInstaller
2010-03-29 17:51 . 2010-03-29 17:51 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-03-29 17:49 . 2010-03-29 17:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-03-28 21:45 . 2010-03-28 21:45 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\TeamViewer
2010-03-28 21:45 . 2010-03-28 21:45 -------- d-----w- c:\program files\TeamViewer
2010-03-28 20:45 . 2010-03-28 20:45 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-03-28 20:23 . 2010-03-28 20:23 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-28 20:22 . 2010-03-28 22:08 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-19 15:17 . 2010-03-19 15:17 -------- d-----w- c:\windows\system32\wbem\Repository
2010-03-19 10:51 . 2010-03-19 10:51 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-03-19 10:51 . 2010-03-19 10:51 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2010-03-18 16:57 . 2010-03-30 01:05 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-03-18 16:01 . 2010-03-18 16:01 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-03-18 15:59 . 2010-03-19 15:17 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2010-03-18 15:57 . 2010-03-18 15:57 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2010-03-18 15:55 . 2009-11-11 18:14 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-03-18 15:55 . 2009-11-11 18:14 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2010-03-18 15:55 . 2009-11-11 18:14 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-03-18 15:51 . 2009-11-11 18:14 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2010-03-18 15:46 . 2010-03-29 16:41 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-03-10 15:17 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-03-05 19:41 . 2010-03-05 19:41 -------- d-----w- c:\program files\NCI SEER
2010-03-05 19:40 . 2010-03-05 19:40 -------- d-----w- c:\windows\Cache
2010-03-03 00:23 . 2010-03-03 00:23 -------- d--h--w- c:\windows\PIF
2010-03-03 00:23 . 2010-03-03 00:23 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Windows Search
2010-03-03 00:16 . 2010-03-03 00:18 -------- d-----w- c:\program files\Microsoft Silverlight
2010-03-03 00:11 . 2010-03-03 00:11 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-03-03 00:11 . 2010-03-03 00:11 -------- d-----w- c:\windows\system32\XPSViewer
2010-03-03 00:10 . 2010-03-03 00:10 -------- d-----w- c:\program files\MSBuild
2010-03-03 00:10 . 2010-03-03 00:10 -------- d-----w- c:\program files\Reference Assemblies
2010-03-03 00:10 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-03-03 00:10 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-03-03 00:10 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-03-03 00:10 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-03-03 00:10 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-03-03 00:10 . 2010-03-03 00:10 -------- d-----w- C:\729a5a57e6f2258be8a94c
2010-03-03 00:10 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-03-03 00:10 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-03-03 00:10 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-03-03 00:10 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2010-03-03 00:06 . 2010-03-03 00:06 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Windows Desktop Search
2010-03-03 00:06 . 2010-03-03 15:10 -------- d-----w- c:\program files\Windows Desktop Search
2010-03-03 00:06 . 2010-03-03 00:06 -------- d-----w- c:\windows\system32\GroupPolicy
2010-03-03 00:04 . 2008-03-07 17:02 98304 ------w- c:\windows\system32\dllcache\nlhtml.dll
2010-03-03 00:04 . 2008-03-07 17:02 29696 ------w- c:\windows\system32\dllcache\mimefilt.dll
2010-03-03 00:04 . 2008-03-07 17:02 192000 ------w- c:\windows\system32\dllcache\offfilt.dll
2010-03-03 00:04 . 2010-03-03 00:04 -------- d-----w- c:\program files\Windows Media Connect 2
2010-03-03 00:02 . 2010-03-03 00:03 -------- d-----w- c:\windows\system32\drivers\UMDF
2010-03-02 23:28 . 2010-03-02 23:28 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2010-03-02 23:28 . 2010-03-02 23:28 -------- d-----w- c:\program files\NVIDIA Corporation

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-30 20:18 . 2010-02-01 17:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-30 16:14 . 2008-01-29 20:58 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-30 16:09 . 2007-01-27 18:11 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\AdobeUM
2010-03-30 16:07 . 2006-08-10 04:19 -------- d-----w- c:\program files\Java
2010-03-30 07:46 . 2010-02-01 17:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 07:45 . 2010-02-01 17:04 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-30 00:15 . 2004-08-04 11:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-29 17:57 . 2006-08-10 05:12 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-03-29 17:52 . 2010-03-29 17:52 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-03-29 17:52 . 2010-03-29 17:52 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-03-29 14:33 . 2008-05-05 21:35 -------- d-----w- c:\program files\Houstons Player Cards
2010-03-29 14:32 . 2008-12-20 23:02 -------- d-----w- c:\program files\Houstons Hosters
2010-03-29 13:32 . 2008-11-21 18:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-29 05:04 . 2007-10-12 17:46 -------- d-----w- c:\program files\VZones
2010-03-05 03:38 . 2007-01-07 05:39 52400 ----a-w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-03 00:16 . 2010-01-18 23:55 -------- d-----w- c:\program files\Microsoft
2010-02-25 21:35 . 2006-08-10 04:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-18 14:31 . 2010-02-18 14:31 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Facebook
2010-02-08 23:42 . 2010-02-08 23:42 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\HorizonWimba
2010-02-01 17:04 . 2010-02-01 17:04 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes
2010-02-01 17:04 . 2010-02-01 17:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-12 06:17 . 2010-01-12 06:17 278120 ----a-w- c:\windows\system32\nvmccs.dll
2010-01-12 06:17 . 2010-01-12 06:17 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2010-01-12 06:17 . 2010-01-12 06:17 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-01-12 06:17 . 2010-01-12 06:17 13666408 ----a-w- c:\windows\system32\nvcpl.dll
2010-01-12 06:17 . 2010-01-12 06:17 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-01-12 06:17 . 2010-01-12 06:17 81920 ----a-w- c:\windows\system32\nvwddi.dll
2010-01-06 01:04 . 2010-01-06 01:04 385536 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-12-31 16:50 . 2004-08-04 11:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ftutil2"="ftutil2.dll" [2004-06-07 106496]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-03-26 49152]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-03-13 81920]
"ISUSScheduler"="c:\progra~1\common~1\instal~1\update~1\issch.exe" [2004-07-28 81920]
"RTHDCPL"="RTHDCPL.EXE" [2009-02-03 18085888]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-01-12 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-12 13666408]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-8-9 27136]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-10-07 17:32 133104 ----atw- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\SecondLife\\SecondLife.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SpacialAudio\\SAMBC\\SAMBC.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\SpacialAudio\\SAMBC\\SAMReporter\\SAMReporter.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\SecondLife\\SLVoice.exe"=
"c:\\Documents and Settings\\Compaq_Owner\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Compaq_Owner\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0400000.07F\SymDS.sys [3/29/2010 10:51 AM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0400000.07F\SymEFA.sys [3/29/2010 10:51 AM 172592]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20100324.001\BHDrvx86.sys [3/24/2010 1:38 PM 536112]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0400000.07F\cchpx86.sys [3/29/2010 10:51 AM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0400000.07F\Ironx86.sys [3/29/2010 10:51 AM 116272]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\4.0.0.127\ccSvcHst.exe [3/29/2010 10:51 AM 126392]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/17/2007 9:04 PM 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [3/29/2010 10:54 AM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20100326.001\IDSXpx86.sys [3/29/2010 10:55 AM 329592]
S3 RTL8187B;TRENDnet TEW-424UB 54M USB Dongle;c:\windows\system32\drivers\RTL8187B.sys [11/30/2008 12:00 PM 215040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-03-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3322374908-2478490877-3389178683-1008Core.job
- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-07 17:32]

2010-03-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3322374908-2478490877-3389178683-1008UA.job
- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-07 17:32]

2010-03-30 c:\windows\Tasks\User_Feed_Synchronization-{79519612-6107-498D-9BCC-43A5B8CC2E30}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = [URL omitted]
uStart Page = [URL omitted]
uSearchURL,(Default) = [URL omitted]
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: windowsupdate.com
DPF: {A084A130-28AE-4B32-B51A-1C8CE164BC88} - [URL omitted]
DPF: {B0C45AFD-2802-4285-BE1F-714C50FEE6D9} - [URL omitted]
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\qhe7cqvt.default\
FF - prefs.js: browser.startup.homepage - [URL omitted]
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\documents and settings\Compaq_Owner\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\Compaq_Owner\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKLM-Run-nwiz - nwiz.exe
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
SafeBoot-mcmscsvc
SafeBoot-MCODS
MSConfigStartUp-WinampAgent - c:\program files\Winamp\winampa.exe
AddRemove-AXIS Camera Server Control - c:\program files\Axis Communications\AXIS Camera Server Control\Uninst.isu
AddRemove-HijackThis - c:\documents and settings\Compaq_Owner\My Documents\Downloads\HijackThis.exe
AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-03-30 16:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\4.0.0.127\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\4.0.0.127\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3322374908-2478490877-3389178683-1008\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D205A748-C496-298A-D919-126588722E37}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iammgdgnjabianfimo"=hex:6a,61,61,6a,6b,64,6e,6a,6b,65,6c,64,6f,69,68,69,6d,6e,
6b,64,00,00
"haclakakbjnkgjfe"=hex:6a,61,61,6a,63,64,66,68,61,63,6f,6b,63,65,70,6a,67,6c,
68,70,00,ff
"iaalgfiefnnjklbgbp"=hex:63,61,6a,6a,6f,66,00,7c
"dbmjagebanmbcdkaafdoadfbflfgnaipedenjmgp"=hex:6a,62,69,6d,70,65,66,6a,6e,6f,
67,6f,6a,6f,63,63,70,65,70,6a,6e,63,61,6f,63,64,61,6d,67,6d,6f,6b,68,66,61,\
"jbmjagebanmbcdkaafdobeamkpjfbhihdakheaehgobhekngmjfl"=hex:6f,61,69,6c,63,61,
61,68,6c,62,64,69,64,67,66,66,6c,64,61,6d,6e,6d,6b,63,62,65,67,62,6d,68,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4072)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\RTHDCPL.EXE
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2010-03-30 16:33:02 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-30 23:32

Pre-Run: 76,761,227,264 bytes free
Post-Run: 76,774,088,704 bytes free

- - End Of File - - 937D9B3C1BBB3981BAEA3759DE9274A7

Snowshark
Novice

Posts : 9
Joined : 2010-03-30
Gender : Male
OS : Windows XP home SP3

Re: ATAPI.SYS backdoor.tidserv!inf help requested

Post by Belahzur on Wed Mar 31, 2010 12:36 am

Hello.

  • Open HijackThis.
  • When HijackThis opens, click "Open the Misc Tools section".
  • Then select "Open Uninstall Manager".
  • Click on "Save List..." (generates uninstall_list.txt).
  • Click Save, then copy and paste the results in your next post.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

Re: ATAPI.SYS backdoor.tidserv!inf help requested

Post by Snowshark on Wed Mar 31, 2010 12:58 am

here is the uninstall list...

32 Bit HP CIO Components Installer
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3
Amazon MP3 Downloader 1.0.3
Boggle Player Cards
Compact Wireless-G USB Adapter
Compaq Connections (remove only)
Customer Experience Enhancement
Data Fax SoftModem with SmartCP
Google Talk (remove only)
Google Talk Plugin
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
HP Boot Optimizer
HP DVD Play 2.1
HP Imaging Device Functions 11.0
HP Photosmart C5500 All-In-One Driver Software 11.0 Rel .4
HP Photosmart Essential 3.0
HP Product Detection
HP Smart Web Printing
HP Solution Center 11.0
HP Support Overview
HP Update
HP Web Helper
iTunes
Java(TM) 6 Update 18
Magic ISO Maker v5.3 (build 0229)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Live Add-in 1.4
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works
Mozilla Firefox (3.6.2)
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
neroxml
Norton 360
NVIDIA Drivers
NVIDIA nView Desktop Manager
OCR Software by I.R.I.S. 11.0
PC-Doctor 5 for Windows
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3
QuickTime
Realtek High Definition Audio Driver
SAM Broadcaster (remove only)
SecondLife (remove only)
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
Segoe UI
Shop for HP Supplies
SHOUTcast Source DSP 1.8.2 (remove only)
Sonic Express Labeler
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Spybot - Search & Destroy
TeamViewer 5
TRENDnet TEW-424UB Wireless USB 2.0 Adapter Driver and Utility
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Windows (KB971513)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB953356)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Viewpoint Media Player
ViewSonic Monitor Drivers
VZones
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Messenger
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Search 4.0
Windows XP Service Pack 3

Snowshark
Novice

Re: ATAPI.SYS backdoor.tidserv!inf help requested

Post by Belahzur on Wed Mar 31, 2010 1:03 pm

Hello.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    Viewpoint Media Player


  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open Notepad and copy/paste the text in the quotebox below into it:

    RegNull::
    [HKEY_USERS\S-1-5-21-3322374908-2478490877-3389178683-1008\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D205A748-C496-298A-D919-126588722E37}*]
  4. Save this as CFScript.txt, in the same location as ComboFix.exe.

  5. Referring to the picture above, drag CFScript into ComboFix.exe.
  6. When finished, it shall produce a log for you at C:\ComboFix.txt.
  7. Please post the contents of the log in your next reply.




Belahzur
Administrator

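Added example (editor's code, not from this thread, ComboFix or Belahzur): the key that the RegNull:: line above wipes is the one ComboFix printed under LOCKED REGISTRY KEYS in Snowshark's first log, with its values dumped in regedit-style hex. The script below parses that format, decodes the bytes, and applies the one heuristic the page itself supports: every value name and every decoded value in that key is a run of letters confined to a..p. The three complete entries are copied from the log; the control entry, the a..p rule and the min_len threshold are assumptions made for illustration, not a published detection signature.

```python
import re

# Letters a..p: the only characters that appear in the names and decoded
# values of the locked key in this thread.  Heuristic, not a published rule.
A_TO_P = frozenset("abcdefghijklmnop")

# Constructed sample: the three complete entries copied from the ComboFix
# "LOCKED REGISTRY KEYS" section posted earlier in this thread.  The two
# entries the log cuts off with a trailing backslash are omitted because
# their bytes are incomplete on the page.
SAMPLE_DUMP = r'''
[HKEY_USERS\S-1-5-21-3322374908-2478490877-3389178683-1008\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D205A748-C496-298A-D919-126588722E37}*]
@Allowed: (Read) (RestrictedCode)
"iammgdgnjabianfimo"=hex:6a,61,61,6a,6b,64,6e,6a,6b,65,6c,64,6f,69,68,69,6d,6e,
6b,64,00,00
"haclakakbjnkgjfe"=hex:6a,61,61,6a,63,64,66,68,61,63,6f,6b,63,65,70,6a,67,6c,
68,70,00,ff
"iaalgfiefnnjklbgbp"=hex:63,61,6a,6a,6f,66,00,7c
.
'''

# Constructed control entry (invented, not from the log): an ordinary value
# whose name and data use letters outside a..p, so it must not be flagged.
CONTROL_DUMP = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Example]
"Example"=hex:48,65,6c,6c,6f,00
'''

_VALUE_RE = re.compile(r'^"([^"]+)"=hex:(.*)$')
_HEX_RE = re.compile(r'^[0-9A-Fa-f]{2}(?:,[0-9A-Fa-f]{2})*,?\\?$')


def parse_reg_hex_dump(text):
    """Return [(key_path, value_name, data_bytes, truncated)] for every
    '"name"=hex:' value in a regedit-style dump.  Continuation lines are
    accepted with or without the trailing backslash regedit writes; a value
    whose last line still ends in a backslash is reported as truncated."""
    entries = []
    key = None
    name = None
    hex_parts = []

    def flush():
        if name is None:
            return
        joined = "".join(hex_parts)
        truncated = joined.endswith("\\")
        data = bytes.fromhex(joined.replace("\\", "").replace(",", ""))
        entries.append((key, name, data, truncated))

    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            flush()
            name, hex_parts = None, []
            key = line[1:].rstrip("]")
            continue
        m = _VALUE_RE.match(line)
        if m:
            flush()
            name, hex_parts = m.group(1), [m.group(2)]
            continue
        if name is not None and _HEX_RE.match(line):
            hex_parts.append(line)
            continue
        flush()                      # blank line, "@Allowed", "." or anything else
        name, hex_parts = None, []
    flush()
    return entries


def decode_letters(data):
    """Leading run of ASCII letters in a value; stops at the 00/ff/7c bytes
    that follow the text in the log's entries."""
    out = []
    for b in data:
        if 0x41 <= b <= 0x5A or 0x61 <= b <= 0x7A:
            out.append(chr(b))
        else:
            break
    return "".join(out)


def looks_random_a_to_p(name, decoded, min_len=6):
    """Both the value name and its decoded data are runs of letters drawn only
    from a..p and at least min_len long.  A hit is a triage lead, not proof."""
    return (len(name) >= min_len and len(decoded) >= min_len
            and set(name) <= A_TO_P and set(decoded) <= A_TO_P)


def triage(text):
    """Parse a dump and return [(name, decoded_value, flagged, truncated)]."""
    results = []
    for _key, name, data, truncated in parse_reg_hex_dump(text):
        decoded = decode_letters(data)
        results.append((name, decoded, looks_random_a_to_p(name, decoded), truncated))
    return results


if __name__ == "__main__":
    for name, decoded, flagged, truncated in triage(SAMPLE_DUMP):
        print(f"{'FLAG' if flagged else 'ok  '} {name} -> {decoded!r}"
              f"{' (truncated)' if truncated else ''}")
```

Run against the sample, all three entries decode to 6 to 20 letter strings that share the a..p alphabet with their own names and get flagged; the control entry does not. The point of decoding rather than eyeballing the hex is that the same parser works on any regedit export or ComboFix log you are handed, and it tells you when an entry was cut off by the log (the two omitted entries would come back with truncated=True), which matters before you write a RegNull:: line from it.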
Re: ATAPI.SYS backdoor.tidserv!inf help requested

Post by Snowshark on Wed Mar 31, 2010 1:23 pm

Hello
Thank you for the reply, here is the requested log.

ComboFix 10-03-29.04 - Compaq_Owner 03/31/2010 6:10.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1534 [GMT -7:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\CFScript.txt
AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-31 )))))))))))))))))))))))))))))))
.

2010-03-31 09:11 . 2010-03-28 08:00 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20100330.048\NAVENG.SYS
2010-03-31 09:11 . 2010-03-28 08:00 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20100330.048\EECTRL.SYS
2010-03-31 09:11 . 2010-03-28 08:00 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20100330.048\CCERASER.DLL
2010-03-31 09:11 . 2010-03-28 08:00 259440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20100330.048\ECMSVR32.DLL
2010-03-31 09:11 . 2010-03-28 08:00 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20100330.048\NAVENG32.DLL
2010-03-31 09:11 . 2010-03-28 08:00 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20100330.048\NAVEX32A.DLL
2010-03-31 09:11 . 2010-03-28 08:00 1324720 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20100330.048\NAVEX15.SYS
2010-03-31 09:11 . 2010-03-28 08:00 102448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20100330.048\ERASER.SYS
2010-03-30 20:16 . 2010-03-30 20:16 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-30 18:09 . 2010-02-01 01:45 38784 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
2010-03-30 18:08 . 2010-03-30 18:08 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2010-03-30 16:44 . 2010-03-30 16:46 -------- dc-h--w- c:\windows\ie8
2010-03-30 16:13 . 2010-03-30 16:13 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-03-30 16:12 . 2010-03-30 16:12 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-03-30 16:12 . 2010-03-30 16:55 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-03-30 01:05 . 2010-03-30 01:05 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-03-29 17:55 . 2009-11-17 00:51 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20100326.001\Scxpx86.dll
2010-03-29 17:55 . 2009-11-17 00:51 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20100326.001\IDSxpx86.dll
2010-03-29 17:55 . 2009-11-17 00:51 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20100326.001\IDSviA64.sys
2010-03-29 17:55 . 2009-11-17 00:51 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20100326.001\IDSvix86.sys
2010-03-29 17:55 . 2009-11-17 00:51 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20100326.001\IDSXpx86.sys
2010-03-29 17:53 . 2009-12-10 03:16 784752 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\coFFPlgn\components\coFFPlgn.dll
2010-03-29 17:53 . 2009-11-17 00:51 164216 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn\components\IPSFFPl.dll
2010-03-29 17:52 . 2010-03-29 17:52 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-03-29 17:52 . 2010-03-29 17:52 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-03-29 17:52 . 2010-03-29 17:52 -------- d-----w- c:\program files\Symantec
2010-03-29 17:51 . 2009-11-17 00:51 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\BinHub\IDSvia64.sys
2010-03-29 17:51 . 2009-11-17 00:51 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\BinHub\IDSvix86.sys
2010-03-29 17:51 . 2009-11-17 00:51 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\BinHub\IDSxpx86.sys
2010-03-29 17:51 . 2009-11-17 00:51 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\BinHub\scxpx86.dll
2010-03-29 17:51 . 2009-12-08 02:21 1117040 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\OCS\hsplayer.dll
2010-03-29 17:51 . 2009-11-17 00:51 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\BinHub\idsxpx86.dll
2010-03-29 17:51 . 2009-12-17 07:07 893808 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\CLT\cltLMSx.dll
2010-03-29 17:51 . 2010-03-29 17:51 -------- d-----w- c:\windows\system32\drivers\N360
2010-03-29 17:51 . 2010-03-29 17:51 -------- d-----w- c:\program files\Norton 360
2010-03-29 17:51 . 2010-03-29 17:51 -------- d-----w- c:\program files\Windows Sidebar
2010-03-29 17:51 . 2010-03-29 17:51 -------- d-----w- c:\program files\NortonInstaller
2010-03-29 17:51 . 2010-03-29 17:51 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-03-29 17:49 . 2010-03-29 17:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-03-28 21:45 . 2010-03-28 21:45 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\TeamViewer
2010-03-28 21:45 . 2010-03-28 21:45 -------- d-----w- c:\program files\TeamViewer
2010-03-28 20:45 . 2010-03-28 20:45 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-03-28 20:23 . 2010-03-28 20:23 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-28 20:22 . 2010-03-28 22:08 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-24 20:38 . 2010-03-24 20:38 536112 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20100324.001\BHDrvx86.sys
2010-03-24 20:38 . 2010-03-24 20:38 201616 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20100324.001\BHRules.dll
2010-03-24 20:38 . 2010-03-24 20:38 1407888 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20100324.001\BHEngine.dll
2010-03-24 20:38 . 2010-03-24 20:38 678960 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20100324.001\BHDrvx64.sys
2010-03-24 20:38 . 2010-03-24 20:38 611216 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20100324.001\bbRGen.dll
2010-03-19 15:17 . 2010-03-19 15:17 -------- d-----w- c:\windows\system32\wbem\Repository
2010-03-19 10:51 . 2010-03-19 10:51 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-03-19 10:51 . 2010-03-19 10:51 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2010-03-18 16:57 . 2010-03-30 01:05 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-03-18 16:01 . 2010-03-18 16:01 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-03-18 15:59 . 2010-03-19 15:17 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2010-03-18 15:57 . 2010-03-18 15:57 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2010-03-18 15:55 . 2009-11-11 18:14 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-03-18 15:55 . 2009-11-11 18:14 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2010-03-18 15:55 . 2009-11-11 18:14 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-03-18 15:51 . 2009-11-11 18:14 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2010-03-18 15:46 . 2010-03-29 16:41 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-03-10 15:17 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-03-05 19:41 . 2010-03-05 19:41 -------- d-----w- c:\program files\NCI SEER
2010-03-05 19:40 . 2010-03-05 19:40 -------- d-----w- c:\windows\Cache
2010-03-03 22:56 . 2008-04-14 00:12 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2010-03-03 00:23 . 2010-03-03 00:23 -------- d--h--w- c:\windows\PIF
2010-03-03 00:23 . 2010-03-03 00:23 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Windows Search
2010-03-03 00:16 . 2010-03-03 00:18 -------- d-----w- c:\program files\Microsoft Silverlight
2010-03-03 00:11 . 2010-03-03 00:11 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-03-03 00:11 . 2010-03-03 00:11 -------- d-----w- c:\windows\system32\XPSViewer
2010-03-03 00:10 . 2010-03-03 00:10 -------- d-----w- c:\program files\MSBuild
2010-03-03 00:10 . 2010-03-03 00:10 -------- d-----w- c:\program files\Reference Assemblies
2010-03-03 00:10 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-03-03 00:10 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-03-03 00:10 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-03-03 00:10 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-03-03 00:10 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-03-03 00:10 . 2010-03-03 00:10 -------- d-----w- C:\729a5a57e6f2258be8a94c
2010-03-03 00:10 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-03-03 00:10 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-03-03 00:10 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-03-03 00:10 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2010-03-03 00:06 . 2010-03-03 00:06 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Windows Desktop Search
2010-03-03 00:06 . 2010-03-03 15:10 -------- d-----w- c:\program files\Windows Desktop Search
2010-03-03 00:06 . 2010-03-03 00:06 -------- d-----w- c:\windows\system32\GroupPolicy
2010-03-03 00:04 . 2008-03-07 17:02 98304 ------w- c:\windows\system32\dllcache\nlhtml.dll
2010-03-03 00:04 . 2008-03-07 17:02 29696 ------w- c:\windows\system32\dllcache\mimefilt.dll
2010-03-03 00:04 . 2008-03-07 17:02 192000 ------w- c:\windows\system32\dllcache\offfilt.dll
2010-03-03 00:04 . 2010-03-03 00:04 -------- d-----w- c:\program files\Windows Media Connect 2
2010-03-03 00:02 . 2010-03-03 00:03 -------- d-----w- c:\windows\system32\drivers\UMDF
2010-03-02 23:28 . 2010-03-02 23:28 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2010-03-02 23:28 . 2010-03-02 23:28 -------- d-----w- c:\program files\NVIDIA Corporation

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-31 13:07 . 2007-07-10 22:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-03-30 20:18 . 2010-02-01 17:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-30 16:14 . 2008-01-29 20:58 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-30 16:09 . 2007-01-27 18:11 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\AdobeUM
2010-03-30 16:07 . 2006-08-10 04:19 -------- d-----w- c:\program files\Java
2010-03-30 07:46 . 2010-02-01 17:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 07:45 . 2010-02-01 17:04 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-30 00:15 . 2004-08-04 11:00 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-03-29 17:57 . 2006-08-10 05:12 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-03-29 17:52 . 2010-03-29 17:52 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-03-29 17:52 . 2010-03-29 17:52 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-03-29 14:33 . 2008-05-05 21:35 -------- d-----w- c:\program files\Houstons Player Cards
2010-03-29 14:32 . 2008-12-20 23:02 -------- d-----w- c:\program files\Houstons Hosters
2010-03-29 13:32 . 2008-11-21 18:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-29 05:04 . 2007-10-12 17:46 -------- d-----w- c:\program files\VZones
2010-03-05 03:38 . 2007-01-07 05:39 52400 ----a-w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-03 00:16 . 2010-01-18 23:55 -------- d-----w- c:\program files\Microsoft
2010-02-25 21:35 . 2006-08-10 04:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-25 06:24 . 2004-08-04 11:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-18 14:31 . 2010-02-18 14:31 50354 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\Facebook\uninstall.exe
2010-02-18 14:31 . 2010-02-18 14:31 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Facebook
2010-02-08 23:42 . 2010-02-08 23:42 240640 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\HorizonWimba\JSecureDoor\audioproxy_1.0.3\data\audioproxy.exe
2010-02-08 23:42 . 2010-02-08 23:42 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\HorizonWimba
2010-02-05 18:39 . 2010-02-05 18:39 251376 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-02-01 22:04 . 2010-02-01 22:04 847040 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\Facebook\axfbootloader.dll
2010-02-01 22:04 . 2010-02-01 22:04 5578752 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\Facebook\npfbplugin_1_0_1.dll
2010-02-01 17:04 . 2010-02-01 17:04 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes
2010-02-01 17:04 . 2010-02-01 17:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-27 19:37 . 2010-01-27 19:37 61440 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6f486447-n\decora-sse.dll
2010-01-27 19:37 . 2010-01-27 19:37 503808 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-23871891-n\msvcp71.dll
2010-01-27 19:37 . 2010-01-27 19:37 499712 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-23871891-n\jmc.dll
2010-01-27 19:37 . 2010-01-27 19:37 348160 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-23871891-n\msvcr71.dll
2010-01-27 19:37 . 2010-01-27 19:37 12800 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6f486447-n\decora-d3d.dll
2010-01-12 06:17 . 2010-01-12 06:17 278120 ----a-w- c:\windows\system32\nvmccs.dll
2010-01-12 06:17 . 2010-01-12 06:17 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2010-01-12 06:17 . 2010-01-12 06:17 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-01-12 06:17 . 2010-01-12 06:17 13666408 ----a-w- c:\windows\system32\nvcpl.dll
2010-01-12 06:17 . 2010-01-12 06:17 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-01-12 06:17 . 2010-01-12 06:17 81920 ----a-w- c:\windows\system32\nvwddi.dll
2010-01-06 01:04 . 2010-01-06 01:04 385536 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-12-31 16:50 . 2004-08-04 11:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ftutil2"="ftutil2.dll" [2004-06-07 106496]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-03-26 49152]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-03-13 81920]
"ISUSScheduler"="c:\progra~1\common~1\instal~1\update~1\issch.exe" [2004-07-28 81920]
"RTHDCPL"="RTHDCPL.EXE" [2009-02-03 18085888]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-01-12 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-12 13666408]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-8-9 27136]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-10-07 17:32 133104 ----atw- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\SecondLife\\SecondLife.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SpacialAudio\\SAMBC\\SAMBC.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\SpacialAudio\\SAMBC\\SAMReporter\\SAMReporter.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\SecondLife\\SLVoice.exe"=
"c:\\Documents and Settings\\Compaq_Owner\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Compaq_Owner\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0400000.07F\SymDS.sys [3/29/2010 10:51 AM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0400000.07F\SymEFA.sys [3/29/2010 10:51 AM 172592]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20100324.001\BHDrvx86.sys [3/24/2010 1:38 PM 536112]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0400000.07F\cchpx86.sys [3/29/2010 10:51 AM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0400000.07F\Ironx86.sys [3/29/2010 10:51 AM 116272]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\4.0.0.127\ccSvcHst.exe [3/29/2010 10:51 AM 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [3/29/2010 10:54 AM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20100326.001\IDSXpx86.sys [3/29/2010 10:55 AM 329592]
S3 RTL8187B;TRENDnet TEW-424UB 54M USB Dongle;c:\windows\system32\drivers\RTL8187B.sys [11/30/2008 12:00 PM 215040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-03-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3322374908-2478490877-3389178683-1008Core.job
- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-07 17:32]

2010-03-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3322374908-2478490877-3389178683-1008UA.job
- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-07 17:32]

2010-03-30 c:\windows\Tasks\User_Feed_Synchronization-{79519612-6107-498D-9BCC-43A5B8CC2E30}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uStart Page = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: windowsupdate.com
DPF: {A084A130-28AE-4B32-B51A-1C8CE164BC88} - [You must be registered and logged in to see this link.]
DPF: {B0C45AFD-2802-4285-BE1F-714C50FEE6D9} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\qhe7cqvt.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\documents and settings\Compaq_Owner\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\Compaq_Owner\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-03-31 06:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\4.0.0.127\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\4.0.0.127\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2924)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-03-31 06:20:52
ComboFix-quarantined-files.txt 2010-03-31 13:20
ComboFix2.txt 2010-03-30 23:33

Pre-Run: 76,598,030,336 bytes free
Post-Run: 76,561,932,288 bytes free

- - End Of File - - A8F85CC8530B2F47E8A8BFCC6B68607A

Snowshark
Novice

Posts : 9
Joined : 2010-03-30
Gender : Male
OS : Windows XP home SP3
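The thread title names atapi.sys, and in the Find3M section of the ComboFix log above it is the only driver under system32\drivers that was written the day before the report while still carrying the 2004 creation time of the original Windows install; wininet.dll and srv.sys show the same old-creation/newer-write shape from ordinary patching, only weeks or months further back. The Python below is an added example (not part of the page, and not ComboFix's own code) that parses those lines and pulls out that combination so a responder does not have to eyeball it. The column meaning, last-write time followed by creation time, is my assumption about the Find3M layout, and the sample input is copied from the log above.

```python
r"""Triage helper for ComboFix's "Find3M Report" (added example, not ComboFix code).

Assumption about the line layout (it is not documented on the page):
    <last-write time> . <creation time> <size or --------> <attributes> <path>
where a size of "--------" marks a directory.
"""
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<mtime>\d{4}-\d\d-\d\d \d\d:\d\d) \. "
    r"(?P<ctime>\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)

# Lines copied from the Find3M section above (sample input for this example).
SAMPLE_FIND3M = r"""
2010-03-30 07:46 . 2010-02-01 17:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 00:15 . 2004-08-04 11:00 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-03-29 17:57 . 2006-08-10 05:12 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-03-29 17:52 . 2010-03-29 17:52 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-02-25 06:24 . 2004-08-04 11:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-31 16:50 . 2004-08-04 11:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
"""


def parse_find3m(text):
    """Return one dict per Find3M line; headers, dots and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        entries.append({
            "mtime": datetime.strptime(m["mtime"], "%Y-%m-%d %H:%M"),
            "ctime": datetime.strptime(m["ctime"], "%Y-%m-%d %H:%M"),
            "is_dir": m["size"] == "-" * 8,
            "size": None if m["size"] == "-" * 8 else int(m["size"]),
            "attrs": m["attrs"],
            "path": m["path"],
        })
    return entries


def triage(text, report_date, recent_days=7, min_age_days=365):
    """Paths of kernel drivers written within `recent_days` of the report whose
    creation time is at least `min_age_days` older than that write.

    Old creation plus a fresh write is what an in-place overwrite of a stock
    driver looks like; it is also what a Windows Update patch looks like, so
    the recency window does the separating and every hit still needs to be
    compared against a known-good copy (hash or file version) before acting.
    """
    cutoff = datetime.strptime(report_date, "%Y-%m-%d") - timedelta(days=recent_days)
    hits = []
    for e in parse_find3m(text):
        if e["is_dir"] or "\\system32\\drivers\\" not in e["path"].lower():
            continue
        if e["mtime"] >= cutoff and (e["mtime"] - e["ctime"]).days >= min_age_days:
            hits.append(e["path"])
    return hits


if __name__ == "__main__":
    for path in triage(SAMPLE_FIND3M, "2010-03-31"):
        print("check against a known-good copy:", path)
```

With the report date from the log (2010-03-31) and the default seven-day window only atapi.sys comes back; widening the window to 120 days also returns srv.sys, which is the patching noise the caveat in the docstring is about.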


Re: ATAPI.SYS backdoor.tidserv!inf help requested

Post by Belahzur on Wed Mar 31, 2010 4:02 pm

Hello.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

Run ESET Online Scan
Please do an online scan with [You must be registered and logged in to see this link.]. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX, click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

Re: ATAPI.SYS backdoor.tidserv!inf help requested

Post by Snowshark on Wed Mar 31, 2010 5:39 pm

Hi
I had System Restore disabled previously, as recommended by Norton for their fix of this issue. Will that matter at all, or has it been re-enabled? It's scanning now; I assume you want me to post the logfile when complete? Logged in on another computer now. 3 instances of win32bagel.genzip worm so far, 50% through the scan.

Snowshark
Novice

Posts : 9
Joined : 2010-03-30
Gender : Male
OS : Windows XP home SP3

Re: ATAPI.SYS backdoor.tidserv!inf help requested

Post by Snowshark on Wed Mar 31, 2010 6:47 pm

log file from eset follows

# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=e20458d17545f34987e8a8aba00243f5
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-03-31 06:44:33
# local_time=2010-03-31 11:44:33 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=3589 16777189 100 86 81094 20625106 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=122544
# found=5
# cleaned=5
# scan_time=8478
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent19.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent49.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent8.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\I386\APPS\APP13206\src\CompaqPresario_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application (deleted - quarantined) 00000000000000000000000000000000 C
D:\I386\APPS\APP13206\src\HPPavillion_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application (deleted - quarantined) 00000000000000000000000000000000 C

Snowshark
Novice

Posts : 9
Joined : 2010-03-30
Gender : Male
OS : Windows XP home SP3
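The ESET log above has a fixed shape: "# key=value" header lines (some keys repeat), then one line per detection carrying the path, the detection name, the action in parentheses, a 32-hex MD5 and a trailing flag. The Python below is an added example, not part of the page and not ESET's code, that parses that shape and cross-checks the header's found/cleaned counts against the detection lines, which is the first thing a responder wants from such a log. It relies on one property I am assuming holds for these logs: Windows paths cannot contain "/", while ESET detection names do (Win32/Bagle...), so the first "/"-bearing word marks where the path ends. The sample input is copied from the log above, with some header lines dropped.

```python
r"""Parser for the ESET Online Scanner log format shown above (added example).

Assumed layout, read off the pasted log:
    # key=value                                   header (keys may repeat)
    <path> <threat> (<action>) <md5 hex> <flag>   one line per detection
Windows paths never contain "/", ESET detection names always do, so the
first word containing "/" is where the path stops and the threat name starts.
"""
import re
from collections import Counter

# Words ESET puts in front of a detection name ("a variant of Win32/...").
QUALIFIERS = ("probably", "a", "variant", "of")

DETECTION_RE = re.compile(
    r"^(?P<front>.+) \((?P<action>[^()]+)\) (?P<md5>[0-9A-Fa-f]{32}) (?P<flag>\S+)$"
)

# Copied from the log above (sample input for this example).
SAMPLE_ESET_LOG = r"""# OnlineScanner.ocx=1.0.0.6211
# end=finished
# remove_checked=true
# archives_checked=false
# utc_time=2010-03-31 06:44:33
# country="United States"
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=122544
# found=5
# cleaned=5
# scan_time=8478
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent19.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent49.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent8.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\I386\APPS\APP13206\src\CompaqPresario_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application (deleted - quarantined) 00000000000000000000000000000000 C
D:\I386\APPS\APP13206\src\HPPavillion_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application (deleted - quarantined) 00000000000000000000000000000000 C
"""


def _convert(value):
    """true/false -> bool, bare integers -> int, quoted strings unquoted."""
    if value in ("true", "false"):
        return value == "true"
    if value.isdigit():
        return int(value)
    return value.strip('"')


def _split_path_threat(front):
    """Split '<path> <threat>' at the first word containing '/'."""
    words = front.split(" ")
    idx = next((i for i, w in enumerate(words) if "/" in w), None)
    if idx is None:
        raise ValueError("no ESET detection name in: " + front)
    while idx > 0 and words[idx - 1] in QUALIFIERS:  # pull "a variant of" in
        idx -= 1
    return " ".join(words[:idx]), " ".join(words[idx:])


def parse_eset_log(text):
    """Return (header dict, list of detection dicts)."""
    header, detections = {}, []
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if line.startswith("# "):
            key, _, value = line[2:].partition("=")
            value = _convert(value)
            if key in header:  # repeated key: keep every value, in order
                prev = header[key]
                header[key] = (prev if isinstance(prev, list) else [prev]) + [value]
            else:
                header[key] = value
            continue
        m = DETECTION_RE.match(line)
        if not m:
            raise ValueError("unrecognised line: " + line)
        path, threat = _split_path_threat(m["front"])
        detections.append({"path": path, "threat": threat, "action": m["action"],
                           "md5": m["md5"].lower(), "flag": m["flag"]})
    return header, detections


def summarize(text):
    """Counts per threat, header-vs-lines consistency, and anything not removed."""
    header, detections = parse_eset_log(text)
    unresolved = [d["path"] for d in detections
                  if "quarantined" not in d["action"] and "deleted" not in d["action"]]
    return {
        "found": header.get("found"),
        "cleaned": header.get("cleaned"),
        "detections": len(detections),
        "counts_match": header.get("found") == len(detections),
        "by_threat": dict(Counter(d["threat"] for d in detections)),
        "unresolved": unresolved,
    }
```

On the log above this reports five detections matching found=5/cleaned=5, three of them the Bagle archives sitting in Spybot's own Recovery folder (quarantine backups, not live files) and two MyWebSearch toolbar installers on the recovery partition D:, with nothing left unresolved.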


Re: ATAPI.SYS backdoor.tidserv!inf help requested

Post by Belahzur on Wed Mar 31, 2010 10:39 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

How is the machine running now?

Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

Re: ATAPI.SYS backdoor.tidserv!inf help requested

Post by Snowshark on Wed Mar 31, 2010 10:49 pm

Hello,
Thanks for your assistance. I haven't been playing on it yet; I've been waiting on an all clear. I will run a Malwarebytes scan and re-enable and scan Norton, I suppose, then give it a whirl. I will let you know.
Thanks

Snowshark
Novice

Posts : 9
Joined : 2010-03-30
Gender : Male
OS : Windows XP home SP3

Re: ATAPI.SYS backdoor.tidserv!inf help requested

Post by Snowshark on Thu Apr 01, 2010 12:37 am

Malwarebytes' Anti-Malware 1.45
[You must be registered and logged in to see this link.]

Database version: 3939

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/31/2010 4:57:48 PM
mbam-log-2010-03-31 (16-57-48).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 223492
Time elapsed: 1 hour(s), 6 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Compaq_Owner\Desktop\winlogon.scr (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

Isn't that from HijackThis?

Snowshark
Novice

Posts : 9
Joined : 2010-03-30
Gender : Male
OS : Windows XP home SP3

Re: ATAPI.SYS backdoor.tidserv!inf help requested

Post by Snowshark on Thu Apr 01, 2010 2:58 am

So far so good, Thank you. I will be making a donation and your time and effort are much appreciated.

Snowshark
Novice

Posts : 9
Joined : 2010-03-30
Gender : Male
OS : Windows XP home SP3

Re: ATAPI.SYS backdoor.tidserv!inf help requested

Post by Belahzur on Thu Apr 01, 2010 11:33 pm

Hello.
Don't worry about the Heuristics.Reserved.Word.Exploit; HijackThis using a system filename sets off the heuristics search. No file should be using system file names, but desperate times call for desperate measures.

Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
