
HTTPS Tidserv Request 2 [Solved]


#16
summit1000
    Member
  • Topic Starter
  • 30 posts
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://photos.walmar...martActivia.cab (Snapfish Activia)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx2.hotmail....es/MSNPUpld.cab (MSN Photo Upload Tool)


#17
summit1000
    Member
  • Topic Starter
  • 30 posts
========== Files Created - No Company Name ==========

[2010/06/12 09:09:20 | 000,000,700 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/06/12 09:03:32 | 000,000,771 | ---- | C] () -- C:\Documents and Settings\Ed\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2010/06/12 09:03:15 | 000,000,615 | ---- | C] () -- C:\Documents and Settings\Ed\Desktop\NTREGOPT.lnk
[2010/06/12 09:03:15 | 000,000,596 | ---- | C] () -- C:\Documents and Settings\Ed\Desktop\ERUNT.lnk
[2010/06/12 08:04:53 | 000,000,082 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2010/05/29 09:05:19 | 000,024,064 | ---- | C] () -- C:\Documents and Settings\Ed\My Documents\Nikon bino repair.doc
[2010/05/24 20:45:15 | 000,002,137 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2009/01/01 15:39:30 | 000,000,151 | ---- | C] () -- C:\WINDOWS\PhotoSnapViewer.INI
[2008/06/03 20:06:47 | 000,000,050 | ---- | C] () -- C:\WINDOWS\VistaEmail.ini
[2008/01/09 21:59:04 | 000,000,027 | ---- | C] () -- C:\WINDOWS\SOFTNOW.INI
[2007/05/11 19:43:03 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2007/04/18 22:21:07 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\CMRMDRV3.DLL
[2007/04/18 22:21:07 | 000,000,464 | ---- | C] () -- C:\WINDOWS\CMUDA3.ini
[2007/04/16 20:29:07 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\FSRremoC.DLL
[2007/04/09 21:40:56 | 000,000,165 | ---- | C] () -- C:\WINDOWS\Quicken.ini
[2007/04/09 21:28:51 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/04/09 19:28:53 | 000,003,712 | ---- | C] () -- C:\WINDOWS\System32\socketlock.sys
[2002/01/24 02:29:26 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\lxaxlcnp.dll
[2000/09/08 17:53:50 | 000,073,839 | ---- | C] () -- C:\WINDOWS\System32\KodakOneTouch.dll
[1999/12/07 00:00:00 | 000,024,974 | ---- | C] () -- C:\WINDOWS\twain_16.dll

========== LOP Check ==========

[2007/04/09 20:22:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Acronis
[2008/10/28 12:42:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCSettings
[2008/03/28 05:34:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft
[2010/06/11 19:24:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/05/24 20:45:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/01/26 07:28:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2008/01/15 20:10:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ed\Application Data\Costco Photo Viewer
[2008/12/11 19:10:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ed\Application Data\Snapfish

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2007/04/09 17:38:16 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2007/04/09 17:33:34 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2007/04/09 17:38:16 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2007/04/09 17:38:16 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2007/04/09 17:38:16 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2004/08/03 23:38:34 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2004/08/03 23:59:34 | 000,250,032 | RHS- | M] () -- C:\ntldr

< %systemroot%\system32\Spool\prtprocs\w32x86\*.dll >
[2008/07/06 05:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
[2002/02/19 10:38:15 | 000,077,824 | ---- | M] (Lexmark International) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\LXAXPP5C.DLL

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2009/06/29 09:12:14 | 000,347,136 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
[2009/06/29 09:12:14 | 000,214,528 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2007/04/09 09:25:25 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2007/04/09 09:25:25 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2007/04/09 09:25:24 | 000,901,120 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\user32.dll /md5 >
[2007/03/08 08:36:28 | 000,577,536 | ---- | M] (Microsoft Corporation) MD5=B409909F6E2E8A7067076ED748ABF1E7 -- C:\WINDOWS\system32\user32.dll

< %systemroot%\system32\ws2_32.dll /md5 >
[2004/08/04 01:56:48 | 000,082,944 | ---- | M] (Microsoft Corporation) MD5=2ED0B7F12A60F90092081C50FA0EC2B2 -- C:\WINDOWS\system32\ws2_32.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 144 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E965A533
@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
< End of report >
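A small parser for the OTL file-listing format used throughout the log above, added here as an example; it is not part of OTL or of the poster's log and assumes only the line layout visible in the report. It pulls out files under the Windows directory whose company field is empty (OTL's `()`), which is where a reviewer starts checking against a known-good copy, and indexes the MD5 values OTL reports so they can be compared with a reference hash.

```python
"""Parse OTL file entries and pick out binaries that carry no company name.

OTL prints one line per file or folder:
    [YYYY/MM/DD HH:MM:SS | size | attrs | C-or-M] (Company) [MD5=... | Unable to obtain MD5] -- path
Folders have no "(Company)" field. A file under the Windows directory with an
empty company field is not a verdict, only the first thing to check.
"""
import re
from typing import Dict, List, NamedTuple, Optional

ENTRY_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attr>[A-Z-]{4}) \| (?P<kind>[CM])\]"
    r"(?: \((?P<company>[^)]*)\))?"
    r"(?: (?P<md5note>MD5=[0-9A-Fa-f]{32}|Unable to obtain MD5))?"
    r" -- (?P<path>.+?)\s*$"
)

# Extensions treated as executable code for the purpose of this triage.
BINARY_EXT = (".dll", ".sys", ".exe", ".drv", ".ocx", ".acm", ".ax")


class Entry(NamedTuple):
    timestamp: str
    size: int
    attrs: str
    kind: str                  # C = created-time listing, M = modified-time listing
    company: Optional[str]     # None for folders, "" for files with no company name
    md5: Optional[str]         # None when OTL printed no hash or could not obtain one
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs


def parse_entry(line: str) -> Optional[Entry]:
    """Return an Entry for one OTL line, or None for headers and blank lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    note = m["md5note"]
    md5 = note[4:].upper() if note and note.startswith("MD5=") else None
    return Entry(m["ts"], int(m["size"].replace(",", "")), m["attr"], m["kind"],
                 m["company"], md5, m["path"])


def parse_entries(text: str) -> List[Entry]:
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e]


def binaries_without_company(entries: List[Entry], root: str = r"C:\WINDOWS") -> List[Entry]:
    """Files under `root` (case-insensitive) with a binary extension and an empty company field."""
    root_l = root.lower().rstrip("\\") + "\\"
    return [e for e in entries
            if not e.is_dir
            and e.company == ""
            and e.path.lower().startswith(root_l)
            and e.path.lower().endswith(BINARY_EXT)]


def md5_index(entries: List[Entry]) -> Dict[str, Optional[str]]:
    """Map lower-cased path -> MD5 for every file entry (None where OTL had no hash)."""
    return {e.path.lower(): e.md5 for e in entries if not e.is_dir}


# Sample input: lines copied from the OTL report in the post above.
SAMPLE_OTL = r"""
[2010/05/29 09:05:19 | 000,024,064 | ---- | C] () -- C:\Documents and Settings\Ed\My Documents\Nikon bino repair.doc
[2007/04/18 22:21:07 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\CMRMDRV3.DLL
[2007/04/09 21:40:56 | 000,000,165 | ---- | C] () -- C:\WINDOWS\Quicken.ini
[2007/04/09 19:28:53 | 000,003,712 | ---- | C] () -- C:\WINDOWS\System32\socketlock.sys
[2002/01/24 02:29:26 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\lxaxlcnp.dll
[2000/09/08 17:53:50 | 000,073,839 | ---- | C] () -- C:\WINDOWS\System32\KodakOneTouch.dll
[1999/12/07 00:00:00 | 000,024,974 | ---- | C] () -- C:\WINDOWS\twain_16.dll
[2007/04/09 20:22:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Acronis
[2009/06/29 09:12:14 | 000,347,136 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
[2007/03/08 08:36:28 | 000,577,536 | ---- | M] (Microsoft Corporation) MD5=B409909F6E2E8A7067076ED748ABF1E7 -- C:\WINDOWS\system32\user32.dll
"""

if __name__ == "__main__":
    entries = parse_entries(SAMPLE_OTL)
    for e in binaries_without_company(entries):
        print(f"no company name: {e.path} ({e.size} bytes, {e.timestamp})")
    for path, digest in md5_index(entries).items():
        if digest:
            print(f"MD5 {digest} {path}")
```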

#18
summit1000
    Member
  • Topic Starter
  • 30 posts
NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2007/11/14 07:26:43 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

Drivers32: midi - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: midimapper - C:\WINDOWS\System32\midimap.dll (Microsoft Corporation)
Drivers32: mixer - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.imaadpcm - C:\WINDOWS\System32\imaadp32.acm (Microsoft Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.msadpcm - C:\WINDOWS\System32\msadp32.acm (Microsoft Corporation)
Drivers32: msacm.msaudio1 - C:\WINDOWS\System32\msaud32.acm (Microsoft Corporation)
Drivers32: msacm.msg711 - C:\WINDOWS\System32\msg711.acm (Microsoft Corporation)
Drivers32: msacm.msg723 - C:\WINDOWS\System32\msg723.acm (Microsoft Corporation)
Drivers32: msacm.msgsm610 - C:\WINDOWS\System32\msgsm32.acm (Microsoft Corporation)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.I420 - C:\WINDOWS\System32\msh263.drv (Microsoft Corporation)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: vidc.iyuv - C:\WINDOWS\System32\iyuv_32.dll (Microsoft Corporation)
Drivers32: vidc.M261 - C:\WINDOWS\System32\msh261.drv (Microsoft Corporation)
Drivers32: vidc.M263 - C:\WINDOWS\System32\msh263.drv (Microsoft Corporation)
Drivers32: vidc.mrle - C:\WINDOWS\System32\msrle32.dll (Microsoft Corporation)
Drivers32: vidc.msvc - C:\WINDOWS\System32\msvidc32.dll (Microsoft Corporation)
Drivers32: vidc.uyvy - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
Drivers32: vidc.yuy2 - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
Drivers32: vidc.yvu9 - C:\WINDOWS\System32\tsbyuv.dll (Microsoft Corporation)
Drivers32: vidc.yvyu - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
Drivers32: wave - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: wavemapper - C:\WINDOWS\System32\msacm32.drv (Microsoft Corporation)

CREATERESTOREPOINT
Error starting restore point: System Restore is disabled.
Error closing restore point: System Restore is disabled.

========== Files/Folders - Created Within 90 Days ==========

[2010/06/12 22:02:16 | 000,572,416 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Ed\My Documents\OTL.exe
[2010/06/12 10:48:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ed\My Documents\Malware
[2010/06/12 09:09:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ed\Application Data\Malwarebytes
[2010/06/12 09:09:17 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/06/12 09:09:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/06/12 09:09:15 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/06/12 09:09:14 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/06/12 09:03:57 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/06/12 09:03:14 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/06/12 08:15:44 | 000,444,416 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Ed\My Documents\TFC.exe
[2010/06/10 22:04:39 | 000,000,000 | R--D | C] -- C:\Program Files\Norton Support
[2010/06/08 19:51:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/06/08 19:51:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/05/24 20:44:43 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/05/24 20:44:36 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2010/05/24 20:44:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/05/24 20:38:12 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2010/05/24 20:38:09 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2010/04/26 17:01:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ed\Desktop\Teresa docs
[2010/04/14 18:57:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ed\My Documents\eastmans hunting research
[2010/04/06 08:41:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ed\Local Settings\Application Data\Help
[2010/04/06 08:41:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ed\Application Data\Help

========== Files - Modified Within 90 Days ==========

[2010/06/12 22:02:24 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Ed\My Documents\OTL.exe
[2010/06/12 21:58:08 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/06/12 21:58:07 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/06/12 21:58:03 | 000,321,264 | ---- | M] () -- C:\WINDOWS\System32\OODBS.lor
[2010/06/12 19:21:58 | 008,912,896 | -H-- | M] () -- C:\Documents and Settings\Ed\NTUSER.DAT
[2010/06/12 19:21:58 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Ed\ntuser.ini
[2010/06/12 09:09:20 | 000,000,700 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/06/12 09:03:32 | 000,000,771 | ---- | M] () -- C:\Documents and Settings\Ed\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2010/06/12 09:03:15 | 000,000,615 | ---- | M] () -- C:\Documents and Settings\Ed\Desktop\NTREGOPT.lnk
[2010/06/12 09:03:15 | 000,000,596 | ---- | M] () -- C:\Documents and Settings\Ed\Desktop\ERUNT.lnk
[2010/06/12 08:15:55 | 000,444,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Ed\My Documents\TFC.exe
[2010/06/12 08:04:53 | 000,000,082 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2010/06/10 19:11:38 | 000,002,262 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/06/07 20:00:00 | 000,000,616 | ---- | M] () -- C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - Ed.job
[2010/06/07 07:36:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/06/01 21:05:34 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/05/29 09:05:19 | 000,024,064 | ---- | M] () -- C:\Documents and Settings\Ed\My Documents\Nikon bino repair.doc
[2010/05/24 20:30:15 | 000,000,151 | ---- | M] () -- C:\WINDOWS\PhotoSnapViewer.INI
[2010/05/24 20:24:26 | 000,001,854 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Safari.lnk
[2010/05/19 05:39:13 | 012,065,792 | R--- | M] () -- C:\Documents and Settings\All Users\Documents\ESBK.mbb
[2010/05/19 05:39:13 | 008,328,192 | R--- | M] () -- C:\Documents and Settings\All Users\Documents\ESBK.mb
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/27 06:44:40 | 000,005,632 | ---- | M] () -- C:\Documents and Settings\Ed\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/18 21:22:07 | 000,000,157 | ---- | M] () -- C:\Documents and Settings\Ed\default.pls
[2010/04/18 21:21:05 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/04/07 07:53:53 | 000,385,966 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/04/05 09:56:35 | 000,385,966 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100407-075353.backup
[2010/04/04 11:41:58 | 000,230,824 | R--- | M] (Coupons, Inc.) -- C:\WINDOWS\System32\cpnprt2.cid
[2010/03/18 19:53:18 | 000,002,393 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\TurboTax 2009.lnk

#19
summit1000
    Member
  • Topic Starter
  • 30 posts
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1 205.171.3.25
O18 - Protocol\Handler\symres {AA1061FE-6C41-421f-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.8.0.41\CoIEPlg.dll (Symantec Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Ed\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Ed\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O30 - LSA: Authentication Packages - (relog_ap) - C:\WINDOWS\System32\relog_ap.dll (Acronis)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/04/09 17:38:16 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{a876124c-ec7e-11db-8748-00123f5bc0aa}\Shell - "" = AutoRun
O33 - MountPoints2\{a876124c-ec7e-11db-8748-00123f5bc0aa}\Shell\AutoRun - "" = Auto&Play
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (OODBS) - C:\WINDOWS\System32\OODBS.exe (O&O Software GmbH)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

#20
summit1000
    Member
  • Topic Starter
  • 30 posts
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)

#21
summit1000
    Member
  • Topic Starter
  • 30 posts
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebo...oUploader55.cab (Facebook Photo Uploader 5 Control)

#22
summit1000
    Member
  • Topic Starter
  • 30 posts
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} https://webdl.symant...ex/symdlmgr.cab (Symantec Download Manager)

#23
summit1000
    Member
  • Topic Starter
  • 30 posts
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebo...oUploader55.cab (Facebook Photo Uploader 5 Control)

#24
summit1000
    Member
  • Topic Starter
  • 30 posts
I have finally posted all of the OTL log. It is not in the exact order, as it would not let me post it complete. I hope this helps. I look forward to your continued help.

Thanks

#25
mpascal
    Math Nerd
  • Retired Staff
  • 3,644 posts
Hi,

Can you try running GMER again with just Sections and Files checked?


#26
summit1000
    Member
  • Topic Starter
  • 30 posts
I was able to run GMER with just the section you requested and get it to finish.

I have posted the log below. Sorry it took me all day to get back to this.

Thanks again for your help.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-13 19:12:25
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\Ed\LOCALS~1\Temp\kgtdqpow.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2D74 80503B48 2 Bytes [B8, 0B]
.text ntkrnlpa.exe!ZwCallbackReturn + 2D77 80503B4B 5 Bytes [86, 10, 46, 7B, 86] {XCHG [EAX], DL; INC ESI; JNP 0xffffffffffffff8b}
.text ntkrnlpa.exe!ZwCallbackReturn + 2D8C 80503B60 2 Bytes [28, 0A] {SUB [EDX], CL}
.text ntkrnlpa.exe!ZwCallbackReturn + 2DB0 80503B84 2 Bytes [80, EB]
? SYMEFA.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1392] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0097000A
.text C:\WINDOWS\System32\svchost.exe[1392] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0098000A
.text C:\WINDOWS\System32\svchost.exe[1392] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0096000C
.text C:\WINDOWS\System32\svchost.exe[1392] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 00B4000A
.text C:\WINDOWS\Explorer.EXE[1888] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B5000A
.text C:\WINDOWS\Explorer.EXE[1888] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C3000A
.text C:\WINDOWS\Explorer.EXE[1888] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B4000C
.text C:\Program Files\Internet Explorer\iexplore.exe[3980] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D4000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3980] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D5000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3980] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 003F000C
.text C:\Program Files\Internet Explorer\iexplore.exe[3980] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3980] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 3E351F8F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3980] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 3E351F10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3980] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 3E351F54 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3980] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 3E351E9C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3980] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 3E351ED6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3980] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 3E351FCA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3980] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 3E2017EA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3980] ole32.dll!OleLoadFromStream 7752A257 5 Bytes JMP 3E35218C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

Edited by summit1000, 13 June 2010 - 08:29 PM.

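A triage helper for the "User code sections" part of the GMER log above, added here as an example and not part of GMER or of the post. It parses each inline-hook line and separates hooks whose JMP target GMER attributed to a module on disk (the IEFRAME.dll entries) from those it could not, then reports which exports carry an unattributed hook in every hooked process; the sample input is copied from the log in the post.

```python
"""Triage helper for the "User code sections" part of a GMER rootkit log.

Each line records an inline hook: the hooked process and PID, the patched
export (module!function), the patched address and length, and the JMP target.
When GMER can map the target to a module on disk it appends that module's path
and vendor; when it cannot, the JMP lands in memory no file backs, which is the
pattern to look at first.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes\s+JMP\s+"
    r"(?P<target>[0-9A-Fa-f]+)"
    r"(?:\s+(?P<owner>.+?)\s+\((?P<vendor>[^)]*)\))?\s*$"
)


class Hook(NamedTuple):
    process: str
    pid: int
    module: str
    func: str
    addr: int
    size: int
    target: int
    owner: Optional[str]   # module GMER attributed the JMP target to, if any
    vendor: Optional[str]

    @property
    def attributed(self) -> bool:
        return self.owner is not None


def parse_hook(line: str) -> Optional[Hook]:
    """Return a Hook for one '.text ... JMP ...' line, or None if it is not one."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    return Hook(m["proc"], int(m["pid"]), m["module"], m["func"],
                int(m["addr"], 16), int(m["size"]), int(m["target"], 16),
                m["owner"], m["vendor"])


def parse_user_sections(text: str) -> List[Hook]:
    return [h for h in (parse_hook(l) for l in text.splitlines()) if h]


def unattributed_by_process(hooks: List[Hook]) -> Dict[Tuple[str, int], List[Hook]]:
    """Group hooks whose JMP target GMER could not tie to any module, per process."""
    out: Dict[Tuple[str, int], List[Hook]] = defaultdict(list)
    for h in hooks:
        if not h.attributed:
            out[(h.process, h.pid)].append(h)
    return dict(out)


def common_unattributed_functions(hooks: List[Hook]) -> Set[str]:
    """Exports carrying an unattributed hook in every process that has one.

    One function set repeated across unrelated processes (a service host,
    the shell, the browser) points to a single injected component rather
    than to per-application instrumentation.
    """
    groups = unattributed_by_process(hooks)
    if not groups:
        return set()
    sets = [{f"{h.module}!{h.func}" for h in hs} for hs in groups.values()]
    return set.intersection(*sets)


# Sample input: lines copied from the GMER log in the post above.
SAMPLE_LOG = r"""
.text C:\WINDOWS\System32\svchost.exe[1392] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0097000A
.text C:\WINDOWS\System32\svchost.exe[1392] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0098000A
.text C:\WINDOWS\System32\svchost.exe[1392] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0096000C
.text C:\WINDOWS\System32\svchost.exe[1392] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 00B4000A
.text C:\WINDOWS\Explorer.EXE[1888] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B5000A
.text C:\WINDOWS\Explorer.EXE[1888] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C3000A
.text C:\WINDOWS\Explorer.EXE[1888] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B4000C
.text C:\Program Files\Internet Explorer\iexplore.exe[3980] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D4000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3980] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D5000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3980] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 003F000C
.text C:\Program Files\Internet Explorer\iexplore.exe[3980] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3980] ole32.dll!OleLoadFromStream 7752A257 5 Bytes JMP 3E35218C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
"""

if __name__ == "__main__":
    hooks = parse_user_sections(SAMPLE_LOG)
    for (proc, pid), hs in sorted(unattributed_by_process(hooks).items()):
        print(f"{proc}[{pid}]: {len(hs)} unattributed hook(s)")
        for h in hs:
            print(f"    {h.module}!{h.func} @ {h.addr:08X} -> {h.target:08X}")
    print("hooked in every process:", sorted(common_unattributed_functions(hooks)))
```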

#27
mpascal
    Math Nerd
  • Retired Staff
  • 3,644 posts
Hi there,

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

#28
summit1000
    Member
  • Topic Starter
  • 30 posts
I ran ComboFix and here is the log for your review.

Thanks
ComboFix 10-06-14.02 - Ed 06/14/2010 19:13:58.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.676 [GMT -7:00]
Running from: c:\documents and settings\Ed\My Documents\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\twain_16.dll

Infected copy of c:\windows\system32\drivers\imapi.sys was found and disinfected
Restored copy from - Kitty had a snack :)
.
((((((((((((((((((((((((( Files Created from 2010-05-15 to 2010-06-15 )))))))))))))))))))))))))))))))
.

2010-06-12 16:03 . 2010-06-12 16:03 -------- d-----w- c:\program files\ERUNT
2010-06-11 05:04 . 2010-06-11 05:04 -------- d-----r- c:\program files\Norton Support
2010-05-25 03:44 . 2010-05-25 03:44 -------- d-----w- c:\program files\iPod
2010-05-25 03:44 . 2010-05-25 03:45 -------- d-----w- c:\program files\iTunes
2010-05-25 03:44 . 2010-05-25 03:45 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-25 03:38 . 2010-05-25 03:38 -------- d-----w- c:\program files\Bonjour
2010-05-25 03:31 . 2010-05-25 03:31 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-05-25 03:19 . 2010-05-25 03:19 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-12 16:09 . 2010-06-12 16:09 -------- d-----w- c:\documents and settings\Ed\Application Data\Malwarebytes
2010-06-12 16:09 . 2010-06-12 16:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-12 16:09 . 2010-06-12 16:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-12 02:24 . 2009-04-10 14:26 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-06-11 05:05 . 2008-10-28 19:48 -------- d-----w- c:\program files\Symantec
2010-05-25 03:44 . 2008-07-29 22:36 -------- d-----w- c:\program files\Common Files\Apple
2010-05-25 03:42 . 2008-12-11 02:06 -------- d-----w- c:\program files\QuickTime
2010-05-25 03:24 . 2008-12-11 01:53 -------- d-----w- c:\program files\Safari
2010-04-29 22:39 . 2010-06-12 16:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39 . 2010-06-12 16:09 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-17 14:15 . 2009-10-06 05:47 -------- d-----w- c:\documents and settings\Ed\Application Data\vlc
2010-04-16 15:33 . 2010-01-26 14:23 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-04-16 15:33 . 2008-07-29 22:36 41472 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-04-08 20:20 . 2010-04-08 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 20:20 . 2010-04-08 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-03-22 22:53 . 2010-04-05 15:48 32576 ----a-w- c:\documents and settings\Ed\Application Data\Mozilla\Firefox\Profiles\grvoa8o1.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2010-03-22 22:53 . 2010-04-05 15:48 29984 ----a-w- c:\documents and settings\Ed\Application Data\Mozilla\Firefox\Profiles\grvoa8o1.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2008-06-30 20:44 . 2008-08-23 17:36 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-11 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Run StartupMonitor"="StartupMonitor.exe" [2000-05-21 86016]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2006-12-01 1115317]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2006-12-01 1852329]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2006-12-01 135168]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"SaiMfd"="c:\program files\Saitek\Software\SaiMfd.exe" [2006-08-21 126976]
"QuickCare2.2"="c:\program files\Qwest\QuickCare\bin\sprtcmd.exe" [2007-05-04 198184]

c:\documents and settings\Ed\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1008000.029\SymEFA.sys [1/27/2010 8:56 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NIS\1008000.029\BHDrvx86.sys [1/27/2010 8:56 PM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1008000.029\cchpx86.sys [1/27/2010 8:56 PM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100604.004\IDSXpx86.sys [6/8/2010 5:16 PM 331640]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe [1/27/2010 8:56 PM 117640]
R2 SocketLock;Raw Socket Lock Driver;c:\windows\system32\socketlock.sys [4/9/2007 7:28 PM 3712]
R2 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [1/8/2008 12:02 PM 1213728]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/1/2010 10:06 AM 102448]
R3 SaiH0004;SaiH0004;c:\windows\system32\drivers\SaiH0004.sys [5/4/2007 4:56 PM 182528]
R3 SaiL0004;SaiL0004;c:\windows\system32\drivers\SaiL0004.sys [5/4/2007 4:56 PM 15104]
R3 SaiU0004;SaiU0004;c:\windows\system32\drivers\SaiU0004.sys [5/4/2007 4:56 PM 27392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-06-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.foxnews.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyOverride = *.local
IE: Download using LeechGet - file://c:\program files\LeechGet 2006\\AddUrl.html
IE: Download using LeechGet Wizard - file://c:\program files\LeechGet 2006\\Wizard.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Parse with LeechGet - file://c:\program files\LeechGet 2006\\Parser.html
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
Trusted Zone: wednet.edu\web.issaquah
FF - ProfilePath - c:\documents and settings\Ed\Application Data\Mozilla\Firefox\Profiles\grvoa8o1.default\
FF - prefs.js: browser.startup.homepage - hxxp://bloomberg.com/markets/commodities/energyprices.html
FF - plugin: c:\documents and settings\Ed\Application Data\Mozilla\Firefox\Profiles\grvoa8o1.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
.
------- File Associations -------
.
inifile=%SystemRoot%\System32\NOTEPAD.EXE %1"
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-USRpdA - (no file)
HKLM-Run-3c1807pd - (no file)

#29
mpascal

    Math Nerd

  • Retired Staff
  • 3,644 posts
Hi there,

STEP 1 - TFC

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

STEP 2 - MBAM

Open Malwarebytes' Anti-Malware.
  • Under the Updates tab, click Check for Updates. Let the updates install (if any).
  • After that, under the Scanner tab, click Perform Quick Scan and then Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

STEP 3 - Kaspersky

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.
3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.
Please be patient as this can take quite a long time to download.
  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases
  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.
  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply.
STEP 4 - Reply

Please reply with the following logs:
  • MBAM Log
  • Kaspersky Log


#30
summit1000

    Member

  • Topic Starter
  • Member
  • 30 posts
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4204

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

6/16/2010 6:21:18 AM
mbam-log-2010-06-16 (06-21-18).txt

Scan type: Quick scan
Objects scanned: 120012
Time elapsed: 6 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)