Norton found Backdoor.Tidserv.L



Post by 48tombob48 on 3rd October 2010, 3:15 am


Hello all.
My friend gave me his computer to see if I could fix a virus his wife got on Facebook. I did a search in Google and found a mention of cdll. I noticed in Task Manager that that was the User Name being used. It should have been Administrator. I think it is a redirector because I tried using Internet Explorer to find a mention of cdll on my own computer. I ran a scan with Norton on C/Documents and Settings/cdll. It said it quarantined the virus. But I believe it is still messing with the computer. Any help would be greatly appreciated. Thanks, Tom

My OTL text file:
OTL logfile created on: 10/2/2010 10:25:55 PM - Run 1
OTL by OldTimer - Version 3.2.14.1 Folder = C:\Documents and Settings\cdll\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 245.00 Mb Available Physical Memory | 48.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 71.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.24 Gb Total Space | 30.12 Gb Free Space | 80.88% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DELL-5B9B88664B
Current User Name: cdll
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/10/02 22:17:17 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\cdll\My Documents\Downloads\OTL.com
PRC - [2010/10/02 20:34:13 | 000,396,288 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
PRC - [2010/09/01 15:51:48 | 000,328,080 | ---- | M] (NOS Microsystems Ltd.) -- C:\Program Files\NOS\bin\getPlusPlus_Adobe.exe
PRC - [2010/02/25 20:21:50 | 000,126,392 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton AntiVirus\Engine\17.8.0.5\ccsvchst.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/10/02 22:17:17 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\cdll\My Documents\Downloads\OTL.com
MOD - [2008/04/13 20:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2010/09/01 15:51:28 | 000,066,112 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Running] -- C:\Program Files\NOS\bin\getPlus_Helper_3004.dll -- (nosGetPlusHelper) getPlus(R)
SRV - [2010/02/25 20:21:50 | 000,126,392 | R--- | M] (Symantec Corporation) [Unknown | Running] -- C:\Program Files\Norton AntiVirus\Engine\17.8.0.5\ccSvcHst.exe -- (NAV)


========== Driver Services (SafeList) ==========

DRV - [2010/09/28 20:28:29 | 001,371,184 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\Definitions\VirusDefs\20101002.003\NAVEX15.SYS -- (NAVEX15)
DRV - [2010/09/28 20:28:29 | 000,086,064 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\Definitions\VirusDefs\20101002.003\NAVENG.SYS -- (NAVENG)
DRV - [2010/09/25 18:37:52 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2010/09/25 18:37:52 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2010/09/25 18:15:45 | 000,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2010/09/01 21:39:20 | 000,692,272 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\Definitions\BASHDefs\20100901.003\BHDrvx86.sys -- (BHDrvx86)
DRV - [2010/08/26 12:47:24 | 000,331,640 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\Definitions\IPSDefs\20100930.005\IDSXpx86.sys -- (IDSxpx86)
DRV - [2010/05/10 14:41:30 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Documents and Settings\cdll\Local Settings\Temp\SAS_SelfExtract\saskutil.sys -- (SASKUTIL)
DRV - [2010/05/06 00:01:59 | 000,361,904 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\NAV\1108000.005\SYMTDI.SYS -- (SYMTDI)
DRV - [2010/04/29 01:03:51 | 000,116,784 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NAV\1108000.005\Ironx86.SYS -- (SymIRON)
DRV - [2010/04/21 23:02:20 | 000,173,104 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\NAV\1108000.005\SYMEFA.SYS -- (SymEFA)
DRV - [2010/04/21 22:29:50 | 000,325,680 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\WINDOWS\System32\Drivers\NAV\1108000.005\SRTSP.SYS -- (SRTSP)
DRV - [2010/04/21 22:29:50 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NAV\1108000.005\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV - [2010/02/25 20:22:57 | 000,501,888 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NAV\1108000.005\ccHPx86.sys -- (ccHP)
DRV - [2010/02/17 14:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Documents and Settings\cdll\Local Settings\Temp\SAS_SelfExtract\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/10/14 23:50:05 | 000,328,752 | R--- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\NAV\1108000.005\SYMDS.SYS -- (SymDS)
DRV - [2008/04/13 14:36:40 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/13 14:36:40 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2003/07/28 16:19:00 | 001,341,339 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2001/08/22 09:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS -- (OMCI)
DRV - [2001/08/17 15:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 15:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 15:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 15:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 15:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 14:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 14:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 14:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 14:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 14:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 14:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 14:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 14:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 14:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 14:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\IPSFFPlgn\ [2010/09/27 07:09:49 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2004/08/04 08:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\17.8.0.5\ipsbho.dll (Symantec Corporation)
O4 - HKLM..\RunOnce: [Uninstall Adobe Download Manager] File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} [You must be registered and logged in to see this link.] (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_21)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} [You must be registered and logged in to see this link.] (get_atlcom Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\cdll\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/01/05 12:01:17 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found


SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vga.sys - Driver
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5056b317-8d4c-43ee-8543-b9d1e234b8f4} - Security Update for Windows XP (KB923789)
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Shockwave Flash
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (69537929998893056)

========== Files/Folders - Created Within 30 Days ==========

[2010/10/02 22:21:09 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe
[2010/10/02 22:20:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9 Installer
[2010/10/02 22:18:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2010/10/02 22:18:30 | 000,000,000 | ---D | C] -- C:\Program Files\Adobe
[2010/10/02 22:18:04 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR
[2010/10/02 22:16:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\cdll\Local Settings\Application Data\Adobe
[2010/10/02 22:16:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NOS
[2010/10/02 22:16:14 | 000,000,000 | ---D | C] -- C:\Program Files\NOS
[2010/10/02 20:46:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/10/02 20:46:20 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/10/02 20:45:40 | 000,423,656 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/10/02 20:45:40 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/10/02 20:45:39 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/10/02 20:45:39 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/10/02 20:45:39 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/10/02 20:44:32 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2010/10/02 20:43:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\cdll\Application Data\Sun
[2010/10/02 20:34:13 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/10/02 20:31:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\cdll\My Documents\Downloads
[2010/10/02 19:12:26 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\cdll\IECompatCache
[2010/09/29 22:26:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Identities
[2010/09/27 07:10:15 | 000,361,904 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1108000.005\symtdi.sys
[2010/09/27 07:10:15 | 000,339,504 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1108000.005\symtdiv.sys
[2010/09/27 07:10:15 | 000,328,752 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1108000.005\symds.sys
[2010/09/27 07:10:15 | 000,173,104 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1108000.005\symefa.sys
[2010/09/27 07:10:14 | 000,501,888 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1108000.005\cchpx86.sys
[2010/09/27 07:10:14 | 000,325,680 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1108000.005\srtsp.sys
[2010/09/27 07:10:14 | 000,116,784 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1108000.005\ironx86.sys
[2010/09/27 07:10:14 | 000,043,696 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1108000.005\srtspx.sys
[2010/09/27 07:09:51 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\NAV\1108000.005
[2010/09/26 19:10:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\cdll\Application Data\SUPERAntiSpyware.com
[2010/09/26 19:10:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/09/25 20:50:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/09/25 19:40:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\cdll\Local Settings\Application Data\Help
[2010/09/25 19:40:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\cdll\Application Data\Help
[2010/09/25 18:32:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\cdll\My Documents\Symantec
[2010/09/25 17:59:36 | 000,060,808 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2010/09/25 17:59:35 | 000,124,976 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2010/09/25 17:59:35 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Symantec Shared
[2010/09/25 17:59:35 | 000,000,000 | ---D | C] -- C:\Program Files\Symantec
[2010/09/25 17:56:31 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\NAV
[2010/09/25 17:56:17 | 000,000,000 | ---D | C] -- C:\Program Files\Norton AntiVirus
[2010/09/25 17:56:16 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Sidebar
[2010/09/24 21:53:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/09/24 20:52:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\STOPzilla!
[2010/09/24 20:41:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Norton
[2010/09/24 20:30:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\cdll\Application Data\Norton Utilities 14
[2010/09/24 20:20:05 | 000,000,000 | ---D | C] -- C:\Program Files\NortonInstaller
[2010/09/24 20:20:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NortonInstaller
[2010/09/24 20:08:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Norton Installer
[2010/09/24 20:07:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/09/24 20:06:27 | 001,101,824 | ---- | C] (Woodbury Associates Limited) -- C:\WINDOWS\System32\UniBox210.ocx
[2010/09/24 20:06:27 | 000,880,640 | ---- | C] (Woodbury Associates Limited) -- C:\WINDOWS\System32\UniBox10.ocx
[2010/09/24 20:06:27 | 000,212,992 | ---- | C] (Woodbury Associates Limited) -- C:\WINDOWS\System32\UniBoxVB12.ocx
[2010/09/24 20:06:23 | 000,000,000 | ---D | C] -- C:\Program Files\Norton Utilities 14
[2010/09/24 19:29:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/09/24 19:29:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/10/02 22:22:51 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/10/02 22:20:24 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/10/02 21:24:48 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/10/02 20:45:00 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/10/02 20:44:59 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/10/02 20:44:58 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/10/02 20:44:57 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/10/02 20:44:53 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/10/02 20:34:15 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\cdll\Desktop\HijackThis.lnk
[2010/10/02 20:29:39 | 000,000,180 | ---- | M] () -- C:\Documents and Settings\cdll\Desktop\GeekPolice.net.url
[2010/10/02 19:08:02 | 000,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/10/02 19:07:37 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/10/02 19:07:18 | 535,875,584 | -HS- | M] () -- C:\hiberfil.sys
[2010/10/02 17:31:43 | 003,145,728 | -H-- | M] () -- C:\Documents and Settings\cdll\NTUSER.DAT
[2010/10/02 17:31:43 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\cdll\ntuser.ini
[2010/09/28 21:47:04 | 004,816,352 | -H-- | M] () -- C:\Documents and Settings\cdll\Local Settings\Application Data\IconCache.db
[2010/09/27 20:24:46 | 000,613,906 | ---- | M] () -- C:\WINDOWS\System32\drivers\NAV\1108000.005\Cat.DB
[2010/09/27 10:25:04 | 000,001,876 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Norton AntiVirus.LNK
[2010/09/26 19:08:24 | 011,329,872 | ---- | M] () -- C:\Documents and Settings\cdll\My Documents\SAS_113748.COM
[2010/09/25 19:31:55 | 000,000,240 | ---- | M] () -- C:\WINDOWS\System32\drivers\kgpcpy.cfg
[2010/09/25 18:21:25 | 000,000,208 | ---- | M] () -- C:\Documents and Settings\cdll\Desktop\Yahoo!.url
[2010/09/25 18:15:45 | 000,124,976 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2010/09/25 18:15:45 | 000,060,808 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2010/09/25 18:15:45 | 000,007,443 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2010/09/25 18:15:45 | 000,000,805 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2010/09/25 17:49:49 | 000,000,002 | ---- | M] () -- C:\Documents and Settings\cdll\Local Settings\Application Data\010010257974854.xxe
[2010/09/24 21:56:50 | 000,000,241 | ---- | M] () -- C:\Documents and Settings\cdll\Desktop\Welcome to Facebook.url
[2010/09/24 21:16:01 | 000,000,002 | ---- | M] () -- C:\Documents and Settings\cdll\Local Settings\Application Data\01015653974953.xxe
[2010/09/24 21:14:50 | 000,000,002 | ---- | M] () -- C:\Documents and Settings\cdll\Local Settings\Application Data\010155555710297.xxe
[2010/09/24 20:06:56 | 000,000,723 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Norton Utilities.lnk
[2010/09/24 19:46:36 | 000,053,732 | ---- | M] () -- C:\WINDOWS\fs1235.dat
[2010/09/24 19:21:55 | 000,000,002 | ---- | M] () -- C:\Documents and Settings\cdll\Local Settings\Application Data\05010251575050.xxe
[2010/09/24 18:39:30 | 000,000,002 | ---- | M] () -- C:\Documents and Settings\cdll\Local Settings\Application Data\010154541015198.xxe
[2010/09/24 18:39:20 | 000,000,002 | ---- | M] () -- C:\Documents and Settings\cdll\Local Settings\Application Data\05448501005598.xxe
[2010/09/24 18:37:46 | 000,000,001 | -H-- | M] () -- C:\WINDOWS\bk23567.dat
[2010/09/24 18:37:46 | 000,000,001 | ---- | M] () -- C:\WINDOWS\fdgg34353edfgdfdf
[2010/09/20 17:57:11 | 000,000,172 | ---- | M] () -- C:\WINDOWS\System32\drivers\NAV\1108000.005\isolate.ini
[2010/09/17 22:45:01 | 000,000,072 | ---- | M] () -- C:\WINDOWS\iltwain.ini
[2010/09/15 07:27:12 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/10/02 22:22:51 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/10/02 20:34:15 | 000,001,734 | ---- | C] () -- C:\Documents and Settings\cdll\Desktop\HijackThis.lnk
[2010/10/02 20:29:39 | 000,000,180 | ---- | C] () -- C:\Documents and Settings\cdll\Desktop\GeekPolice.net.url
[2010/09/27 10:24:36 | 000,613,906 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1108000.005\Cat.DB
[2010/09/27 07:10:15 | 000,007,873 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1108000.005\symefa.cat
[2010/09/27 07:10:15 | 000,007,787 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1108000.005\symnetv.cat
[2010/09/27 07:10:15 | 000,007,425 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1108000.005\symds.cat
[2010/09/27 07:10:15 | 000,007,368 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1108000.005\symnet.cat
[2010/09/27 07:10:15 | 000,003,373 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1108000.005\symefa.inf
[2010/09/27 07:10:15 | 000,002,793 | R--- | C] () -- C:\WINDOWS\System32\drivers\NAV\1108000.005\symds.inf
[2010/09/27 07:10:15 | 000,001,473 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1108000.005\symnetv.inf
[2010/09/27 07:10:15 | 000,001,445 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1108000.005\symnet.inf
[2010/09/27 07:10:14 | 000,007,442 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1108000.005\srtspx.cat
[2010/09/27 07:10:14 | 000,007,438 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1108000.005\srtsp.cat
[2010/09/27 07:10:14 | 000,007,438 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1108000.005\iron.cat
[2010/09/27 07:10:14 | 000,007,396 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1108000.005\cchpx86.cat
[2010/09/27 07:10:14 | 000,001,754 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1108000.005\cchpx86.inf
[2010/09/27 07:10:14 | 000,001,388 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1108000.005\srtspx.inf
[2010/09/27 07:10:14 | 000,001,382 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1108000.005\srtsp.inf
[2010/09/27 07:10:14 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1108000.005\iron.inf
[2010/09/27 07:09:51 | 000,000,172 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1108000.005\isolate.ini
[2010/09/26 19:08:24 | 011,329,872 | ---- | C] () -- C:\Documents and Settings\cdll\My Documents\SAS_113748.COM
[2010/09/25 19:31:55 | 000,000,240 | ---- | C] () -- C:\WINDOWS\System32\drivers\kgpcpy.cfg
[2010/09/25 17:59:36 | 000,007,443 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2010/09/25 17:59:36 | 000,000,805 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2010/09/25 17:59:16 | 000,001,876 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Norton AntiVirus.LNK
[2010/09/25 17:49:49 | 000,000,002 | ---- | C] () -- C:\Documents and Settings\cdll\Local Settings\Application Data\010010257974854.xxe
[2010/09/24 21:16:01 | 000,000,002 | ---- | C] () -- C:\Documents and Settings\cdll\Local Settings\Application Data\01015653974953.xxe
[2010/09/24 21:14:50 | 000,000,002 | ---- | C] () -- C:\Documents and Settings\cdll\Local Settings\Application Data\010155555710297.xxe
[2010/09/24 20:06:56 | 000,000,723 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Norton Utilities.lnk
[2010/09/24 19:31:46 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/09/24 19:21:55 | 000,000,002 | ---- | C] () -- C:\Documents and Settings\cdll\Local Settings\Application Data\05010251575050.xxe
[2010/09/24 18:42:23 | 000,053,732 | ---- | C] () -- C:\WINDOWS\fs1235.dat
[2010/09/24 18:39:30 | 000,000,002 | ---- | C] () -- C:\Documents and Settings\cdll\Local Settings\Application Data\010154541015198.xxe
[2010/09/24 18:39:20 | 000,000,002 | ---- | C] () -- C:\Documents and Settings\cdll\Local Settings\Application Data\05448501005598.xxe
[2010/09/24 18:37:46 | 000,000,001 | -H-- | C] () -- C:\WINDOWS\bk23567.dat
[2010/09/24 18:37:46 | 000,000,001 | ---- | C] () -- C:\WINDOWS\fdgg34353edfgdfdf
[2010/08/14 19:00:27 | 000,000,000 | ---- | C] () -- C:\WINDOWS\uninst32.INI
[2010/08/14 18:55:28 | 000,000,000 | ---- | C] () -- C:\WINDOWS\MSREGUSR.INI
[2010/08/14 17:07:25 | 000,003,713 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2010/08/14 16:22:27 | 000,000,072 | ---- | C] () -- C:\WINDOWS\iltwain.ini
[2010/08/14 16:19:44 | 000,229,376 | ---- | C] () -- C:\WINDOWS\System32\ISP2000.dll
[2010/08/14 16:19:44 | 000,063,488 | ---- | C] () -- C:\WINDOWS\System32\Eztw32.dll
[2010/08/14 11:10:48 | 000,004,608 | ---- | C] () -- C:\Documents and Settings\cdll\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/01/12 13:26:19 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini

========== Custom Scans ==========


< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2008/04/13 20:12:00 | 001,384,479 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\msvbvm60.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\*.exe /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2010/01/05 06:48:25 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2010/01/05 06:48:25 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2010/01/05 06:48:25 | 000,897,024 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\*.sys >
[2004/08/04 08:00:00 | 000,009,029 | ---- | M] () -- C:\WINDOWS\system32\ansi.sys
[2004/08/04 08:00:00 | 000,027,097 | ---- | M] () -- C:\WINDOWS\system32\country.sys
[2004/08/04 08:00:00 | 000,004,768 | ---- | M] () -- C:\WINDOWS\system32\himem.sys
[2004/08/04 08:00:00 | 000,042,809 | ---- | M] () -- C:\WINDOWS\system32\key01.sys
[2004/08/04 08:00:00 | 000,042,537 | ---- | M] () -- C:\WINDOWS\system32\keyboard.sys
[2004/08/04 08:00:00 | 000,027,866 | ---- | M] () -- C:\WINDOWS\system32\ntdos.sys
[2004/08/04 08:00:00 | 000,029,146 | ---- | M] () -- C:\WINDOWS\system32\ntdos404.sys
[2004/08/04 08:00:00 | 000,029,370 | ---- | M] () -- C:\WINDOWS\system32\ntdos411.sys
[2004/08/04 08:00:00 | 000,029,274 | ---- | M] () -- C:\WINDOWS\system32\ntdos412.sys
[2004/08/04 08:00:00 | 000,029,146 | ---- | M] () -- C:\WINDOWS\system32\ntdos804.sys
[2004/08/04 08:00:00 | 000,033,840 | ---- | M] () -- C:\WINDOWS\system32\ntio.sys
[2004/08/04 08:00:00 | 000,034,560 | ---- | M] () -- C:\WINDOWS\system32\ntio404.sys
[2004/08/04 08:00:00 | 000,035,648 | ---- | M] () -- C:\WINDOWS\system32\ntio411.sys
[2004/08/04 08:00:00 | 000,035,424 | ---- | M] () -- C:\WINDOWS\system32\ntio412.sys
[2004/08/04 08:00:00 | 000,034,560 | ---- | M] () -- C:\WINDOWS\system32\ntio804.sys
[2008/04/13 14:44:59 | 000,017,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\watchdog.sys
[2010/06/23 09:44:04 | 001,851,904 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\win32k.sys
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\drivers\*.dll >
[2008/04/13 20:11:48 | 000,004,255 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv01nt5.dll
[2008/04/13 20:11:48 | 000,003,967 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv02nt5.dll
[2008/04/13 20:11:48 | 000,003,615 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv05nt5.dll
[2008/04/13 20:11:48 | 000,003,647 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv07nt5.dll
[2008/04/13 20:11:48 | 000,003,135 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv08nt5.dll
[2008/04/13 20:11:48 | 000,003,711 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv09nt5.dll
[2008/04/13 20:11:48 | 000,003,775 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv11nt5.dll
[2008/04/13 20:11:50 | 000,021,183 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv01nt5.dll
[2008/04/13 20:11:50 | 000,011,359 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv02nt5.dll
[2008/04/13 20:11:50 | 000,025,471 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv04nt5.dll
[2008/04/13 20:11:50 | 000,014,143 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv06nt5.dll
[2008/04/13 20:11:50 | 000,017,279 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv10nt5.dll
[2008/04/13 20:11:50 | 000,015,423 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\ch7xxnt5.dll
[2008/04/13 20:12:05 | 000,003,901 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\siint5.dll
[2008/04/13 20:12:08 | 000,011,325 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\vchnt5.dll

< %systemroot%\system32\drivers\*.ini >

< %systemroot%\system32\drivers\*.exe >

< %SYSTEMDRIVE%\*.* >
[2010/01/05 12:01:17 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2010/07/09 12:43:17 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2010/01/05 12:01:17 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2010/10/02 19:07:18 | 535,875,584 | -HS- | M] () -- C:\hiberfil.sys
[2010/01/05 12:01:17 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2010/10/02 20:55:24 | 000,006,253 | ---- | M] () -- C:\JavaRa.log
[2010/01/05 12:01:17 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2004/08/04 08:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2010/01/11 17:26:13 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/10/02 19:07:17 | 805,306,368 | -HS- | M] () -- C:\pagefile.sys

< %PROGRAMFILES%\*. >
[2010/10/02 22:21:09 | 000,000,000 | ---D | M] -- C:\Program Files\Adobe
[2010/01/05 13:05:33 | 000,000,000 | ---D | M] -- C:\Program Files\Analog Devices
[2010/10/02 22:21:09 | 000,000,000 | ---D | M] -- C:\Program Files\Common Files
[2010/01/05 11:58:00 | 000,000,000 | ---D | M] -- C:\Program Files\ComPlus Applications
[2010/08/14 16:19:40 | 000,000,000 | ---D | M] -- C:\Program Files\Cosmi
[2010/08/14 17:08:09 | 000,000,000 | ---D | M] -- C:\Program Files\HP
[2010/01/05 13:05:32 | 000,000,000 | -H-D | M] -- C:\Program Files\InstallShield Installation Information
[2010/08/13 23:34:12 | 000,000,000 | ---D | M] -- C:\Program Files\Internet Explorer
[2010/10/02 20:44:32 | 000,000,000 | ---D | M] -- C:\Program Files\Java
[2010/01/12 11:04:44 | 000,000,000 | ---D | M] -- C:\Program Files\Messenger
[2010/01/05 12:01:39 | 000,000,000 | ---D | M] -- C:\Program Files\microsoft frontpage
[2010/08/13 23:31:41 | 000,000,000 | ---D | M] -- C:\Program Files\Movie Maker
[2010/01/05 11:57:09 | 000,000,000 | ---D | M] -- C:\Program Files\MSN
[2010/01/05 11:57:34 | 000,000,000 | ---D | M] -- C:\Program Files\MSN Gaming Zone
[2010/01/11 17:28:21 | 000,000,000 | ---D | M] -- C:\Program Files\NetMeeting
[2010/09/25 17:56:32 | 000,000,000 | ---D | M] -- C:\Program Files\Norton AntiVirus
[2010/09/24 21:03:38 | 000,000,000 | ---D | M] -- C:\Program Files\Norton Utilities 14
[2010/09/25 18:14:09 | 000,000,000 | ---D | M] -- C:\Program Files\NortonInstaller
[2010/10/02 22:16:14 | 000,000,000 | ---D | M] -- C:\Program Files\NOS
[2010/01/05 11:57:43 | 000,000,000 | ---D | M] -- C:\Program Files\Online Services
[2010/08/13 23:32:11 | 000,000,000 | ---D | M] -- C:\Program Files\Outlook Express
[2010/08/14 16:19:00 | 000,000,000 | ---D | M] -- C:\Program Files\Setup NetZero
[2010/09/25 18:15:45 | 000,000,000 | ---D | M] -- C:\Program Files\Symantec
[2010/10/02 20:34:13 | 000,000,000 | ---D | M] -- C:\Program Files\Trend Micro
[2010/01/05 12:46:46 | 000,000,000 | -H-D | M] -- C:\Program Files\Uninstall Information
[2010/01/11 17:30:35 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Player
[2010/01/11 17:28:17 | 000,000,000 | ---D | M] -- C:\Program Files\Windows NT
[2010/09/25 17:56:16 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Sidebar
[2010/01/05 11:59:47 | 000,000,000 | -H-D | M] -- C:\Program Files\WindowsUpdate
[2010/01/05 12:01:39 | 000,000,000 | ---D | M] -- C:\Program Files\xerox

< %appdata%\*.* >
[2010/01/05 06:49:53 | 000,000,062 | -HS- | M] () -- C:\Documents and Settings\cdll\Application Data\desktop.ini


< MD5 for: AGP440.SYS >
[2004/08/04 08:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2010/01/11 17:22:30 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2010/01/11 17:22:30 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\dllcache\agp440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\AGP440.SYS
[2004/08/03 19:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys
[2004/08/03 19:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\AGP440.SYS

< MD5 for: ATAPI.SYS >
[2004/08/04 08:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2010/01/11 17:22:30 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2010/01/11 17:22:30 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 08:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: DISK.SYS >
[2004/08/04 08:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:disk.sys
[2010/01/11 17:22:30 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:disk.sys
[2010/01/11 17:22:30 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:disk.sys
[2004/08/04 08:00:00 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=00CA44E4534865F8A3B64F7C0984BFF0 -- C:\WINDOWS\$NtServicePackUninstall$\disk.sys
[2008/04/13 14:40:47 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\ServicePackFiles\i386\disk.sys
[2008/04/13 14:40:47 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\system32\drivers\disk.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 08:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: IASTOR.SYS >
[2005/04/25 11:28:14 | 000,871,040 | ---- | M] (Intel Corporation) MD5=D593517879E65167DF35F6015814AC59 -- C:\WINDOWS\dell\iastor\iastor.sys

< MD5 for: NETLOGON.DLL >
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 08:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: NVATABUS.SYS >
[2005/05/17 18:45:08 | 000,092,800 | ---- | M] (NVIDIA Corporation) MD5=DCE353985C988BFB7E84FD942068151F -- C:\WINDOWS\dell\nvraid\NvAtaBus.sys
[2005/05/17 18:45:08 | 000,092,800 | ---- | M] (NVIDIA Corporation) MD5=DCE353985C988BFB7E84FD942068151F -- C:\WINDOWS\system32\drivers\NvAtaBus.sys

< MD5 for: SCECLI.DLL >
[2004/08/04 08:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< MD5 for: USBSTOR.SYS >
[2004/08/04 08:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:usbstor.sys
[2010/01/11 17:22:30 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:usbstor.sys
[2010/01/11 17:22:30 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:usbstor.sys
[2008/04/13 14:45:38 | 000,026,368 | ---- | M] (Microsoft Corporation) MD5=A32426D9B14A089EAA1D922E0C5801A9 -- C:\WINDOWS\ServicePackFiles\i386\usbstor.sys
[2008/04/13 13:45:38 | 000,026,368 | ---- | M] (Microsoft Corporation) MD5=A32426D9B14A089EAA1D922E0C5801A9 -- C:\WINDOWS\system32\dllcache\usbstor.sys
[2008/04/13 13:45:38 | 000,026,368 | ---- | M] (Microsoft Corporation) MD5=A32426D9B14A089EAA1D922E0C5801A9 -- C:\WINDOWS\system32\drivers\USBSTOR.SYS

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-09-15 11:27:17

========== Alternate Data Streams ==========

@Alternate Data Stream - 138 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D287FACF
< End of report >


My OTL Extras text file:
OTL Extras logfile created on: 10/2/2010 10:25:55 PM - Run 1
OTL by OldTimer - Version 3.2.14.1 Folder = C:\Documents and Settings\cdll\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 245.00 Mb Available Physical Memory | 48.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 71.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.24 Gb Total Space | 30.12 Gb Free Space | 80.88% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DELL-5B9B88664B
Current User Name: cdll
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]

[HKEY_CURRENT_USER\SOFTWARE\Classes\]
.exe [@ = exefile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"8087:TCP" = 8087:TCP:*:Enabled:swe

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{26A24AE4-039D-4CA4-87B4-2F83216021FF}" = Java(TM) 6 Update 21
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.4
"{B194272D-1F92-46DF-99EB-8D5CE91CB4EC}" = Adobe AIR
"{D78653C3-A8FF-415F-92E6-D774E634FF2D}" = Dell ResourceCD
"{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Advanced Photo Editor" = Advanced Photo Editor
"HijackThis" = HijackThis 2.0.2
"ie8" = Windows Internet Explorer 8
"NAV" = Norton AntiVirus
"Norton Utilities_is1" = Norton Utilities
"NVIDIA" = NVIDIA Windows 2000/XP Display Drivers
"PROSet" = Intel(R) PRO Network Connections Drivers
"Windows XP Service Pack" = Windows XP Service Pack 3

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 10/1/2010 8:26:07 PM | Computer Name = DELL-5B9B88664B | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 10/1/2010 8:26:07 PM | Computer Name = DELL-5B9B88664B | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 10/1/2010 8:26:07 PM | Computer Name = DELL-5B9B88664B | Source = crypt32 | ID = 131077
Description = Failed auto update retrieval of third-party root certificate from:

with error: This network connection does not exist.

Error - 10/1/2010 8:26:07 PM | Computer Name = DELL-5B9B88664B | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 10/1/2010 8:26:07 PM | Computer Name = DELL-5B9B88664B | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 10/1/2010 8:26:07 PM | Computer Name = DELL-5B9B88664B | Source = crypt32 | ID = 131077
Description = Failed auto update retrieval of third-party root certificate from:

with error: This network connection does not exist.

Error - 10/1/2010 8:26:07 PM | Computer Name = DELL-5B9B88664B | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 10/2/2010 9:33:32 AM | Computer Name = DELL-5B9B88664B | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module ntdll.dll, version 5.1.2600.5755, fault address 0x00023845.

Error - 10/2/2010 9:52:56 AM | Computer Name = DELL-5B9B88664B | Source = Application Error | ID = 1001
Description = Fault bucket 1271752061.

Error - 10/2/2010 9:54:50 PM | Computer Name = DELL-5B9B88664B | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module ntdll.dll, version 5.1.2600.5755, fault address 0x00023845.


< End of report >


Thanks in advance for your help

48tombob48
Novice
Posts: 9 | Joined: 2010-10-03 | Gender: Male | OS: XP Pro Service Pack 3 | Protection: ZoneAlarm Extreme Security | Points: 22733 | Likes: 0
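The OTL log above is the raw material the helpers in this thread work from; what they are scanning for by eye is a handful of line shapes: companyless files dropped straight into %SystemRoot% (fs1235.dat, bk23567.dat, fdgg34353edfgdfdf), near-empty files with all-digit names under Local Settings\Application Data (the .xxe files), a firewall exception opened by something called "swe", and an alternate data stream on a ProgramData folder. The following is an added example, not part of the original post and not OTL's own code: a small parser for those three OTL line shapes with the triage rules applied to lines copied from the log above. The rules, the allow-listed extensions and the hard-coded %SystemRoot% are assumptions for illustration.

```python
"""Triage of OTL log lines for the indicators visible in the thread above.

Added example; not from the original post and not OTL or vendor code. The
sample lines below are copied from the log posted above; the rules, the
BENIGN_ROOT_EXTS allow-list and SYSTEM_ROOT are assumptions for illustration.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# OTL file entry: [yyyy/mm/dd hh:mm:ss | size | attrs | M|C] (Company) -- path
OTL_FILE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[MC])\] "
    r"(?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)
# OTL Extras firewall exception: "8087:TCP" = 8087:TCP:*:Enabled:swe
FW_PORT_RE = re.compile(
    r'^"(?P<port>\d+):(?P<proto>TCP|UDP)" = [^:]+:[^:]+:'
    r"(?P<scope>[^:]+):(?P<state>[^:]+):(?P<name>.+)$"
)
# OTL ADS entry: @Alternate Data Stream - 138 bytes -> path:stream
ADS_RE = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+)$")

SYSTEM_ROOT = r"C:\WINDOWS"                   # assumed; read it from the log header in practice
BENIGN_ROOT_EXTS = (".ini", ".bak", ".log")   # assumed: Windows itself leaves these in %SystemRoot%


@dataclass
class Finding:
    rule: str
    path: str
    detail: str


def parse_otl_file_line(line):
    """Return a dict for an OTL file/directory entry, or None for any other line."""
    m = OTL_FILE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
        "size": int(m["size"].replace(",", "")),
        "attrs": m["attrs"],
        "kind": m["kind"],               # M = modified list, C = created list
        "company": m["company"] or "",   # empty when OTL printed "()" or nothing at all
        "path": m["path"],
    }


def triage(lines):
    """Apply the heuristic rules to a sequence of OTL / OTL Extras lines."""
    findings = []
    for raw in lines:
        line = raw.strip()
        entry = parse_otl_file_line(line)
        if entry:
            parent, _, name = entry["path"].rpartition("\\")
            stem, _, ext = name.rpartition(".")
            # Rule 1: a companyless file written straight into %SystemRoot%
            if (parent.lower() == SYSTEM_ROOT.lower() and not entry["company"]
                    and not name.lower().endswith(BENIGN_ROOT_EXTS)):
                findings.append(Finding("file-in-systemroot", entry["path"],
                                        f"{entry['size']} bytes, attrs {entry['attrs']}"))
            # Rule 2: a 0-2 byte marker file whose stem is digits only
            if entry["size"] <= 2 and ext and stem.isdigit():
                findings.append(Finding("tiny-numeric-file", entry["path"],
                                        f"{entry['size']} bytes"))
            continue
        m = FW_PORT_RE.match(line)
        if m and m["state"].lower() == "enabled":
            findings.append(Finding("firewall-open-port", m["name"],
                                    f"{m['port']}/{m['proto']} scope {m['scope']}"))
            continue
        m = ADS_RE.match(line)
        if m:
            findings.append(Finding("alternate-data-stream", m["path"], f"{m['size']} bytes"))
    return findings


# Sample input: lines copied from the OTL and OTL Extras logs posted above.
SAMPLE_LINES = [
    r"[2010/09/24 19:46:36 | 000,053,732 | ---- | M] () -- C:\WINDOWS\fs1235.dat",
    r"[2010/09/24 19:21:55 | 000,000,002 | ---- | M] () -- C:\Documents and Settings\cdll\Local Settings\Application Data\05010251575050.xxe",
    r"[2010/09/24 18:37:46 | 000,000,001 | -H-- | M] () -- C:\WINDOWS\bk23567.dat",
    r"[2010/09/24 18:37:46 | 000,000,001 | ---- | M] () -- C:\WINDOWS\fdgg34353edfgdfdf",
    r"[2010/09/17 22:45:01 | 000,000,072 | ---- | M] () -- C:\WINDOWS\iltwain.ini",
    r"[2010/09/15 07:27:12 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK",
    r"[2010/09/24 19:31:46 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat",
    r"[2010/06/23 09:44:04 | 001,851,904 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\win32k.sys",
    r"[2010/10/02 22:21:09 | 000,000,000 | ---D | M] -- C:\Program Files\Adobe",
    '"8087:TCP" = 8087:TCP:*:Enabled:swe',
    r"@Alternate Data Stream - 138 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D287FACF",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.rule:22} {f.path}  [{f.detail}]")
```

Run against the sample it reports the three %SystemRoot% droppers, one of the .xxe marker files, the 8087/TCP exception named "swe" and the ADS, and stays quiet on iltwain.ini, imsins.BAK, d3d9caps.dat and win32k.sys. The rules are deliberately narrow; they are a starting point for reading a log, not a verdict.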

Re: Norton found Backdoor.Tidserv.L

Post by Belahzur on 3rd October 2010, 11:14 pm

Hello.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts: 34918 | Joined: 2008-08-03 | Gender: Male | OS: 7 Home Premium x64 | Points: 245121 | Likes: 1

Re: Norton found Backdoor.Tidserv.L

Post by 48tombob48 on 4th October 2010, 3:05 pm

Thanks, Belahzur, for your reply. Here is the Malwarebytes log file. Also, since I posted here I installed ZoneAlarm, Firefox and Spybot Search & Destroy. The computer is still down to a crawl. Internet Explorer will hardly work at all. Firefox is very buggy; it's opening windows on its own. I get quite a few of these notices: "Generic Host Process for Win32 Services has encountered a problem and needs to close". I will also post the Norton Recent History log and Norton Quarantine log.

Malwarebytes' Anti-Malware 1.46
[You must be registered and logged in to see this link.]

Database version: 4739

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/4/2010 9:26:53 AM
mbam-log-2010-10-04 (09-26-53).txt

Scan type: Quick scan
Objects scanned: 131087
Time elapsed: 13 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\sswe (Trojan.Koobface) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\cdll\Local Settings\Application Data\010010257974854.xxe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\Documents and Settings\cdll\Local Settings\Application Data\010154541015198.xxe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\Documents and Settings\cdll\Local Settings\Application Data\010155555710297.xxe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\Documents and Settings\cdll\Local Settings\Application Data\01015653974953.xxe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\Documents and Settings\cdll\Local Settings\Application Data\05010251575050.xxe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\Documents and Settings\cdll\Local Settings\Application Data\05448501005598.xxe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\bk23567.dat (KoobFace.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\fdgg34353edfgdfdf (KoobFace.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\fs1235.dat (KoobFace.Trace) -> Quarantined and deleted successfully.


Re: Norton found Backdoor.Tidserv.L

Post by 48tombob48 on 4th October 2010, 3:09 pm

Norton Quarantine Log:

Category: Quarantine
Date & Time,Risk,Activity,Status,Recommended Action
10/3/2010 11:56 AM,High,a0021446.sys (W32.Koobface) detected by Auto-Protect,Quarantined,Resolved - No Action
10/3/2010 11:10 AM,High,a0018439.dll (W32.Koobface) detected by Auto-Protect,Quarantined,Resolved - No Action
10/3/2010 10:11 AM,High,a0009029.exe (Trojan.Gen) detected by Auto-Protect,Quarantined,Resolved - No Action
10/2/2010 7:27 PM,High,1b.tmp (Backdoor.Tidserv.L) detected by Virus scanner,Quarantined,Resolved - No Action
10/2/2010 9:22 AM,High,a0009028.exe (Trojan.Gen) detected by Auto-Protect,Quarantined,Resolved - No Action
9/29/2010 8:33 PM,High,swe.sys (W32.Koobface) detected by Auto-Protect,Quarantined,Resolved - No Action
9/29/2010 8:06 AM,High,swe.dll (W32.Koobface) detected by Auto-Protect,Quarantined,Resolved - No Action
9/26/2010 7:25 PM,High,a0008996.exe (Trojan.Gen) detected by Auto-Protect,Quarantined,Resolved - No Action
9/25/2010 6:44 PM,High,rdr_1285367888.exe (Trojan.Gen) detected by Virus scanner,Quarantined,Resolved - No Action


Re: Norton found Backdoor.Tidserv.L

Post by 48tombob48 on 4th October 2010, 3:12 pm

Sorry, the Norton Recent History Log is way too big. I am getting a lot of notifications from Norton about unauthorized attempts to access the internet........Thanks....Tom


Re: Norton found Backdoor.Tidserv.L

Post by 48tombob48 on 4th October 2010, 4:25 pm

Hello all. I don't know if this will help you any but I ran Kaspersky GetSystemInfo. Here is the link [You must be registered and logged in to see this link.]

Thanks.......Tom


Re: Norton found Backdoor.Tidserv.L

Post by Belahzur on 4th October 2010, 11:08 pm

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245121
# Likes : 1


Re: Norton found Backdoor.Tidserv.L

Post by 48tombob48 on 5th October 2010, 1:58 am

Thanks Belahzur. Here is the file.

ComboFix 10-10-04.01 - cdll 10/04/2010 21:27:45.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.741 [GMT -4:00]
Running from: c:\documents and settings\cdll\Desktop\Combo-Fix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\ABP480N5.SYS was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-09-05 to 2010-10-05 )))))))))))))))))))))))))))))))
.

2010-10-04 23:11 . 2010-10-04 23:11 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-10-04 17:55 . 2010-08-12 12:15 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-10-04 16:45 . 2010-08-12 12:15 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-10-04 16:45 . 2010-10-04 16:45 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-10-04 16:39 . 2010-10-04 16:39 -------- d-----w- c:\documents and settings\cdll\Local Settings\Application Data\Sunbelt Software
2010-10-04 16:38 . 2010-10-04 16:38 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-10-04 16:38 . 2010-08-12 12:16 2979848 -c--a-w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}\Ad-AwareInstall.exe
2010-10-04 16:37 . 2010-10-04 16:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-10-04 16:37 . 2010-10-04 16:37 -------- d-----w- c:\program files\Lavasoft
2010-10-04 15:31 . 2010-10-04 15:31 -------- d-----w- c:\program files\IrfanView
2010-10-04 15:24 . 2010-10-04 15:24 -------- d-----w- c:\windows\Sun
2010-10-04 13:12 . 2010-10-04 13:12 -------- d-----w- c:\documents and settings\cdll\Application Data\Malwarebytes
2010-10-04 13:11 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-04 13:11 . 2010-10-04 13:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-10-04 13:11 . 2010-10-04 13:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-04 13:11 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-04 00:42 . 2010-10-04 00:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-10-04 00:42 . 2010-10-04 00:45 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-10-04 00:35 . 2010-10-04 00:35 -------- d-----w- c:\windows\system32\LogFiles
2010-10-04 00:32 . 2010-10-04 00:32 -------- d-----w- c:\documents and settings\cdll\Application Data\CheckPoint
2010-10-04 00:27 . 2010-10-04 13:31 -------- d-----w- c:\documents and settings\cdll\Local Settings\Application Data\Conduit
2010-10-04 00:27 . 2010-10-04 00:27 -------- d-----w- c:\program files\Conduit
2010-10-04 00:27 . 2010-10-04 00:27 -------- d-----w- c:\program files\CheckPoint
2010-10-04 00:26 . 2010-10-04 00:26 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-10-04 00:26 . 2010-06-23 17:51 69120 ----a-w- c:\windows\system32\zlcomm.dll
2010-10-04 00:26 . 2010-06-23 17:51 103936 ----a-w- c:\windows\system32\zlcommdb.dll
2010-10-04 00:26 . 2010-06-23 17:51 1238528 ----a-w- c:\windows\system32\zpeng25.dll
2010-10-04 00:26 . 2010-10-04 00:32 -------- d-----w- c:\windows\system32\ZoneLabs
2010-10-04 00:26 . 2010-10-04 00:26 -------- d-----w- c:\program files\Zone Labs
2010-10-04 00:25 . 2010-10-05 01:44 -------- d-----w- c:\windows\Internet Logs
2010-10-03 13:01 . 2010-10-03 13:01 0 ----a-w- c:\windows\nsreg.dat
2010-10-03 13:01 . 2010-10-03 13:01 -------- d-----w- c:\documents and settings\cdll\Local Settings\Application Data\Mozilla
2010-10-03 02:21 . 2010-10-03 02:22 -------- d-----w- c:\program files\Common Files\Adobe
2010-10-03 02:18 . 2010-10-03 02:17 53632 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
2010-10-03 02:18 . 2010-10-03 02:18 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-10-03 02:16 . 2010-10-03 02:23 -------- d-----w- c:\documents and settings\cdll\Local Settings\Application Data\Adobe
2010-10-03 00:46 . 2010-10-03 00:46 -------- d-----w- c:\program files\Common Files\Java
2010-10-03 00:46 . 2010-10-03 00:46 503808 ----a-w- c:\documents and settings\cdll\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-51c13c05-n\msvcp71.dll
2010-10-03 00:46 . 2010-10-03 00:46 499712 ----a-w- c:\documents and settings\cdll\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-51c13c05-n\jmc.dll
2010-10-03 00:46 . 2010-10-03 00:46 348160 ----a-w- c:\documents and settings\cdll\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-51c13c05-n\msvcr71.dll
2010-10-03 00:46 . 2010-10-03 00:46 61440 ----a-w- c:\documents and settings\cdll\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-1b8de2da-n\decora-sse.dll
2010-10-03 00:46 . 2010-10-03 00:46 12800 ----a-w- c:\documents and settings\cdll\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-1b8de2da-n\decora-d3d.dll
2010-10-03 00:45 . 2010-10-03 00:44 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-03 00:44 . 2010-10-03 00:44 -------- d-----w- c:\program files\Java
2010-10-03 00:34 . 2010-10-03 00:34 -------- d-----w- c:\program files\Trend Micro
2010-10-02 23:12 . 2010-10-02 23:12 -------- d-sh--w- c:\documents and settings\cdll\IECompatCache
2010-09-27 11:10 . 2010-05-06 04:01 361904 ----a-w- c:\windows\system32\drivers\symtdi.sys
2010-09-27 11:10 . 2010-04-22 03:02 173104 ----a-w- c:\windows\system32\drivers\symefa.sys
2010-09-27 11:10 . 2009-10-15 03:50 328752 ----a-r- c:\windows\system32\drivers\symds.sys
2010-09-27 11:10 . 2010-04-29 05:03 116784 ----a-w- c:\windows\system32\drivers\ironx86.sys
2010-09-27 11:10 . 2010-04-22 02:29 43696 ----a-w- c:\windows\system32\drivers\srtspx.sys
2010-09-27 11:10 . 2010-02-26 00:22 501888 ----a-w- c:\windows\system32\drivers\cchpx86.sys
2010-09-26 23:10 . 2010-09-26 23:10 -------- d-----w- c:\documents and settings\cdll\Application Data\SUPERAntiSpyware.com
2010-09-26 23:10 . 2010-09-26 23:10 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-09-25 23:40 . 2010-09-25 23:40 -------- d-----w- c:\documents and settings\cdll\Local Settings\Application Data\Help
2010-09-25 21:59 . 2010-09-25 22:15 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-09-25 21:59 . 2010-09-25 22:15 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-09-25 21:59 . 2010-09-25 22:15 -------- d-----w- c:\program files\Symantec
2010-09-25 21:59 . 2010-09-25 22:12 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-09-25 21:56 . 2010-09-27 14:26 -------- d-----w- c:\windows\system32\drivers\NAV
2010-09-25 21:56 . 2010-09-25 21:56 -------- d-----w- c:\program files\Norton AntiVirus
2010-09-25 21:56 . 2010-09-25 21:56 -------- d-----w- c:\program files\Windows Sidebar
2010-09-25 01:53 . 2010-09-25 01:53 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-09-25 01:01 . 2010-09-25 00:54 1129120 ----a-w- c:\documents and settings\All Users\Application Data\STOPzilla!\vdb\vbcorent.dll
2010-09-25 00:52 . 2010-09-26 02:32 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-09-25 00:41 . 2010-09-25 21:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-09-25 00:30 . 2010-10-03 13:15 -------- d-----w- c:\documents and settings\cdll\Application Data\Norton Utilities 14
2010-09-25 00:20 . 2010-09-25 22:14 -------- d-----w- c:\program files\NortonInstaller
2010-09-25 00:20 . 2010-09-25 22:12 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-09-25 00:08 . 2010-09-25 00:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton Installer
2010-09-25 00:07 . 2010-10-03 13:24 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-09-25 00:06 . 2010-10-03 13:32 -------- d-----w- c:\program files\Norton Utilities 14
2010-09-24 23:31 . 2010-10-05 00:27 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-24 22:42 . 2010-09-24 22:42 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-04 13:48 . 2010-10-04 13:57 28672 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2010-10-04 00:54 . 2010-10-04 11:42 27136 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2010-10-03 18:52 . 2010-01-05 16:01 -------- d-----w- c:\program files\microsoft frontpage
2010-09-25 23:31 . 2010-09-25 23:31 240 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-09-25 22:15 . 2010-09-25 21:59 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-09-25 22:15 . 2010-09-25 21:59 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-08-17 13:17 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-14 21:08 . 2010-08-14 21:08 -------- d-----w- c:\program files\HP
2010-08-14 21:07 . 2010-08-14 21:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2010-08-14 20:19 . 2010-08-14 20:19 -------- d-----w- c:\program files\Common Files\Cosmi
2010-08-14 20:19 . 2010-08-14 20:19 -------- d-----w- c:\program files\Common Files\Borland Shared
2010-08-14 20:19 . 2010-08-14 20:19 -------- d-----w- c:\program files\Cosmi
2010-08-14 20:19 . 2010-08-14 20:19 -------- d-----w- c:\program files\Setup NetZero
2010-08-13 13:34 . 2010-08-13 13:34 2826192 ----a-w- c:\documents and settings\cdll\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
2010-08-03 21:02 . 2010-08-03 21:02 13104 ----a-w- c:\documents and settings\cdll\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-22 15:49 . 2004-08-04 12:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2010-01-12 14:56 5120 ----a-w- c:\windows\system32\xpsp4res.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NVMCTRAY.DLL" [2003-07-28 49152]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 15:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8087:TCP"= 8087:TCP:swe

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [10/4/2010 12:45 PM 64288]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1108000.005\symds.sys [9/27/2010 7:10 AM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1108000.005\symefa.sys [9/27/2010 7:10 AM 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\Definitions\BASHDefs\20100901.003\BHDrvx86.sys [9/1/2010 9:39 PM 692272]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1108000.005\cchpx86.sys [9/27/2010 7:10 AM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1108000.005\ironx86.sys [9/27/2010 7:10 AM 116784]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [8/12/2010 8:15 AM 1356952]
R2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\17.8.0.5\ccsvchst.exe [9/27/2010 7:09 AM 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/27/2010 9:04 PM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\Definitions\IPSDefs\20100930.005\IDSXpx86.sys [10/1/2010 5:27 AM 331640]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\cdll\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\cdll\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\cdll\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\cdll\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [8/12/2010 8:15 AM 15008]
.
Contents of the 'Scheduled Tasks' folder

2010-10-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-08-12 16:45]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\cdll\Application Data\Mozilla\Firefox\Profiles\dxx2dlr2.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NAV]
"ImagePath"=""c:\program files\Norton AntiVirus\Engine\17.8.0.5\ccSvcHst.exe" /s "NAV" /m "c:\program files\Norton AntiVirus\Engine\17.8.0.5\diMaster.dll" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2010-10-04 21:48:04
ComboFix-quarantined-files.txt 2010-10-05 01:48

Pre-Run: 30,667,624,448 bytes free
Post-Run: 30,916,370,432 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - B604DF8B28DE82767C47C1D01C348CDA


Re: Norton found Backdoor.Tidserv.L

Post by 48tombob48 on 5th October 2010, 12:28 pm

Hello Belahzur. Thanks for your help. As far as I know Combo-Fix did the job. I have been able to do searches without being redirected. I will run the computer for another day to see if all is still ok and then let everyone know.

Thanks again for your help. You guys/gals are great!!! Hooray!


Re: Norton found Backdoor.Tidserv.L

Post by 48tombob48 on 5th October 2010, 5:14 pm

Hello all. Well I went to the store and doctor today and left the computer running while I was gone. When I got back Norton said the computer was infected with Backdoor.Tidserv.l!inf virus. It said it couldn't fix it but it gave me a link to a fix on their site. I downloaded the fix called FixTDSS.exe from [You must be registered and logged in to see this link.]. I ran the fix and it said no infections found. I don't get it. I'll keep the computer for another day and see how it does. It is running fine right now...... Let me think

Thanks for your help!!!


Re: Norton found Backdoor.Tidserv.L

Post by Belahzur on 5th October 2010, 9:18 pm


Hello.

  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
    Code:

    KILLALL::

    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "8087:TCP"=-
  4. Save this as CFScript.txt, in the same location as ComboFix.exe

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


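As an added example (not from this thread, ComboFix or any of its authors), a small Python audit that parses the firewall-policy section of a ComboFix log like the one posted above, flags globally open ports outside an allowlist, and emits the same CFScript `Registry::` stanza Belahzur uses to drop the `8087:TCP` exception. The allowlist and the embedded sample log text are constructed here, and the allowlist of "expected" XP ports is an assumption to tune per machine.

```python
"""Audit ComboFix's firewall-policy dump for suspicious GloballyOpenPorts
entries and build the CFScript stanza that removes them (added example)."""
import re

FWPOLICY_KEY = r"HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile"
OPEN_PORTS_KEY = FWPOLICY_KEY + r"\GloballyOpenPorts\List"

# Assumed allowlist: ports XP's own File/Printer Sharing exception opens.
# Anything else in GloballyOpenPorts deserves a look (here: 8087/TCP "swe").
EXPECTED_PORTS = {("139", "TCP"), ("445", "TCP"), ("137", "UDP"), ("138", "UDP")}

# Constructed sample, shaped like the firewall-policy lines in the thread's log.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8087:TCP"= 8087:TCP:swe
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
OPEN_PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*(?P<value>.*)$')


def parse_reg_sections(text):
    """Return {registry key: [value lines]} from the REGEDIT4-style dump."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key")
            sections.setdefault(current, [])
        elif current is not None and line.strip():
            sections[current].append(line.rstrip())
    return sections


def firewall_enabled(sections):
    """True/False from "EnableFirewall"; None if the log does not report it."""
    for line in sections.get(FWPOLICY_KEY, []):
        if line.startswith('"EnableFirewall"='):
            parts = line.split("=", 1)[1].split()   # "0 (0x0)" or "dword:00000001"
            if not parts:
                return None
            token = parts[0]
            if token.lower().startswith("dword:"):
                return int(token[6:], 16) != 0
            return int(token) != 0
    return None


def open_ports(sections):
    """Parse GloballyOpenPorts\\List entries into (port, proto, label) tuples."""
    found = []
    for line in sections.get(OPEN_PORTS_KEY, []):
        m = OPEN_PORT_RE.match(line)
        if m:
            label = m.group("value").split(":")[-1]   # "8087:TCP:swe" -> "swe"
            found.append((m.group("port"), m.group("proto"), label))
    return found


def suspicious_ports(sections):
    """Open-port entries whose (port, proto) is not in the allowlist."""
    return [e for e in open_ports(sections) if (e[0], e[1]) not in EXPECTED_PORTS]


def build_cfscript(entries):
    """Emit the CFScript text that deletes the given port values ("name"=-)."""
    lines = ["KILLALL::", "", "Registry::", "[" + OPEN_PORTS_KEY + "]"]
    lines += ['"%s:%s"=-' % (port, proto) for port, proto, _ in entries]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    secs = parse_reg_sections(SAMPLE_LOG)
    print("Windows Firewall enabled:", firewall_enabled(secs))
    for port, proto, label in suspicious_ports(secs):
        print("unexpected open port %s/%s opened for %r" % (port, proto, label))
    print(build_cfscript(suspicious_ports(secs)))
```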

Re: Norton found Backdoor.Tidserv.L

Post by 48tombob48 on 6th October 2010, 1:01 pm

Hello Belahzur. I've already given the computer back to its owner. If they have any trouble I will get it back. Thank you so much for your help. I guess we can mark this as solved for now. Thank You!

