Author Topic: I can not get to restore or even have norton run online virus scan  (Read 17618 times)


Offline nash017

Re: I can not get to restore or even have norton run online virus scan
« Reply #15 on: December 31, 2008, 11:47:44 PM »
Web pages are now opening in Chinese. I can see 1 or 2 pages, then Chinese, and have to log out of the internet and log in again to send you this.

Offline nash017

Re: I can not get to restore or even have norton run online virus scan
« Reply #16 on: December 31, 2008, 11:49:13 PM »
This is really doing my head in. Apart from that, Happy New Year!

Offline Corrine

Re: I can not get to restore or even have norton run online virus scan
« Reply #17 on: January 01, 2009, 12:29:54 AM »
Hi, Nash.  Happy New Year.  Let's see if you can start 2009 off right, ok?  We'll help you get your system cleaned now that we see what the problem is.  It will likely take some extra work, but I can see now where we're going (even if you can't). 

Please follow these instructions carefully.

Download ComboFix from one of the following locations:

Link 1
Link 2
Link 3

!!! IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications. If not disabled, these programs will likely interfere with the cleanup process. This can usually be accomplished by a right-click on the icon in the System Tray.
  • Double-click ComboFix.exe on your desktop and follow the prompts.
  • As part of the process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. The Recovery Console will allow you to start up the computer in a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    Please note: If the Microsoft Windows Recovery Console is already installed on the computer, ComboFix will continue the malware removal procedures.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

  • After the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click "Yes" to continue scanning for malware.
  • When finished, a log will be produced. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

Offline nash017

Re: I can not get to restore or even have norton run online virus scan
« Reply #18 on: January 01, 2009, 02:21:42 PM »
ComboFix 08-12-31.01 - norman 2009-01-01 14:27:15.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.2047.1543 [GMT 0:00]
Running from: c:\documents and settings\norman\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
FW: Webroot Desktop Firewall *disabled*
.
ADS - svchost.exe: deleted 88 bytes in 2 streams.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\norman\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\INSTALL.LOG
c:\windows\system32\hhhkj.ini
c:\windows\system32\hhhkj.ini2
c:\windows\system32\khfCuvwu.dll
c:\windows\system32\TDSSmtve.dat
c:\windows\system32\TDSSpaxt.dat
c:\windows\system32\TDSSpqlt.dat

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys


(((((((((((((((((((((((((   Files Created from 2008-12-01 to 2009-01-01  )))))))))))))))))))))))))))))))
.

2008-12-31 19:22 . 2008-12-31 19:22   <DIR>   d--------   c:\program files\Webroot
2008-12-31 19:20 . 2008-12-31 19:20   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Webroot
2008-12-31 19:06 . 2008-12-31 19:06   0   --a------   c:\windows\system32\^3
2008-12-31 16:05 . 2008-12-31 16:05   <DIR>   d--------   c:\documents and settings\norman\Application Data\RealNetworks
2008-12-31 16:05 . 2008-12-31 16:05   <DIR>   d--------   c:\documents and settings\All Users\Application Data\RealNetworks
2008-12-31 14:34 . 2008-12-31 14:34   <DIR>   d--------   c:\documents and settings\norman\Application Data\InstallShield
2008-12-30 13:54 . 2008-12-30 13:54   <DIR>   d--------   c:\documents and settings\norman\Application Data\Malwarebytes
2008-12-27 23:13 . 2008-12-30 19:15   <DIR>   d--------   C:\UBCD4Win
2008-12-27 14:41 . 2008-12-27 14:41   <DIR>   d--------   c:\program files\Malwarebytes' Anti-Malware
2008-12-27 14:41 . 2008-12-27 14:41   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-27 14:41 . 2008-12-03 19:54   38,496   --a------   c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-27 14:41 . 2008-12-03 19:54   15,504   --a------   c:\windows\system32\drivers\mbam.sys
2008-12-25 20:39 . 2008-12-31 15:00   <DIR>   d--------   c:\program files\Norton Security Scan
2008-12-25 20:39 . 2008-12-25 20:39   <DIR>   d--------   c:\program files\Common Files\Symantec Shared
2008-12-25 20:12 . 2008-12-25 20:12   0   --a------   c:\windows\dsltest.INI
2008-12-25 14:08 . 2008-12-25 14:08   <DIR>   d--------   c:\windows\WinRescue
2008-12-25 13:29 . 2008-12-25 13:29   17,517,883   --a------   c:\windows\registry.zzz
2008-12-25 13:29 . 2008-12-25 13:29   17,517,883   --a------   c:\windows\registry.daz
2008-12-25 13:23 . 2008-12-25 13:23   47   --a------   C:\rsqXPdir.ini
2008-12-25 13:17 . 2008-12-25 13:17   <DIR>   d--------   c:\program files\backup
2008-12-25 13:15 . 2008-12-25 14:08   <DIR>   d--------   c:\program files\WinRescueXP
2008-12-25 13:03 . 2008-12-25 13:03   <DIR>   d--------   c:\program files\ParticleG
2008-12-25 12:03 . 2008-12-25 12:03   <DIR>   d--------   c:\program files\Dean Software
2008-12-25 12:02 . 2008-12-25 12:02   <DIR>   d--------   c:\program files\OSCheck
2008-12-24 21:48 . 2008-12-24 21:49   <DIR>   d--------   c:\program files\active ports
2008-12-24 18:54 . 2008-12-24 19:03   <DIR>   d--------   c:\program files\Ontrack
2008-12-22 13:34 . 2008-12-22 15:00   <DIR>   d--------   c:\program files\Hide IP
2008-12-22 13:34 . 2008-12-24 18:24   32   --a------   c:\windows\hip
2008-12-22 01:43 . 2008-12-22 01:43   <DIR>   d--------   c:\program files\Avira
2008-12-22 01:43 . 2008-12-22 01:43   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Avira
2008-12-22 01:11 . 2008-12-22 01:11   <DIR>   d--------   C:\ENG
2008-12-22 01:11 . 2002-07-09 17:46   726,528   --a------   C:\SETUP.EX~
2008-12-22 01:11 . 2008-12-22 01:11   0   --a------   C:\write.lok
2008-12-21 12:34 . 2008-12-21 12:34   <DIR>   d--------   c:\program files\Nokia
2008-12-21 12:34 . 2008-12-21 12:34   <DIR>   d--------   c:\documents and settings\norman\Application Data\PC Suite
2008-12-21 12:34 . 2007-02-22 10:15   90,624   --a------   c:\windows\system32\nmwcdcls.dll
2008-12-21 12:33 . 2008-12-21 12:33   <DIR>   d--------   c:\program files\PC Connectivity Solution
2008-12-21 12:33 . 2008-12-21 12:33   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Installations
2008-12-21 12:31 . 2008-12-21 12:31   <DIR>   d--------   c:\program files\Vodafone
2008-12-20 18:36 . 2008-12-20 18:36   46   --a------   c:\windows\p2hhr.bat
2008-12-20 16:47 . 2008-12-21 12:24   <DIR>   d--------   c:\documents and settings\norman\Application Data\Roxio
2008-12-20 16:47 . 2008-12-20 16:47   <DIR>   d--------   c:\documents and settings\LocalService\Application Data\Roxio
2008-12-20 16:47 . 2008-12-31 02:08   54,156   --ah-----   c:\windows\QTFont.qfn
2008-12-20 16:47 . 2008-12-20 16:47   1,409   --a------   c:\windows\QTFont.for
2008-12-20 16:38 . 2008-12-20 16:38   <DIR>   d--------   c:\documents and settings\norman\Application Data\Research In Motion
2008-12-20 16:38 . 2008-12-31 17:13   256   --a------   c:\windows\system32\pool.bin
2008-12-20 16:31 . 2008-12-20 16:31   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Sonic
2008-12-20 16:31 . 2008-12-20 16:31   <DIR>   d--------   c:\documents and settings\All Users\Application Data\InstallShield
2008-12-20 16:26 . 2008-12-20 16:28   <DIR>   d--------   c:\program files\Roxio
2008-12-20 16:26 . 2008-12-20 16:26   <DIR>   d--------   c:\program files\Common Files\Sonic Shared
2008-12-20 16:26 . 2008-12-20 16:26   <DIR>   d--------   c:\program files\Common Files\Roxio Shared
2008-12-20 16:26 . 2008-12-21 12:24   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Roxio
2008-12-20 16:17 . 2007-01-18 10:24   26,496   -ra------   c:\windows\system32\drivers\RimSerial.sys
2008-12-20 16:13 . 2008-12-20 16:13   <DIR>   d--------   c:\program files\Research In Motion
2008-12-20 16:13 . 2008-12-20 16:14   <DIR>   d--------   c:\program files\Common Files\Research In Motion
2008-12-20 16:05 . 2008-12-20 16:05   <DIR>   d--hs----   c:\windows\ftpcache
2008-12-20 12:39 . 2008-12-20 12:39   <DIR>   d--------   c:\windows\LastGood(2)
2008-12-20 12:30 . 2008-12-20 12:30   <DIR>   d--------   c:\documents and settings\norman\Application Data\s_5849_NTN8fHx8NTN8fHwxMjQyMzg0MzM5fA_
2008-12-11 20:37 . 2008-12-11 20:37   42,320   --a------   c:\windows\system32\xfcodec.dll
2008-12-01 20:51 . 2008-12-01 20:51   <DIR>   d--------   c:\windows\Applian FLV Player
2008-12-01 20:51 . 2008-12-01 20:51   <DIR>   d--------   c:\program files\FLV Player

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-01 13:01   ---------   d--h--w   c:\program files\InstallShield Installation Information
2009-01-01 13:00   ---------   d-----w   c:\program files\3GP Player
2009-01-01 12:58   ---------   d-----w   c:\program files\Veetle
2008-12-31 18:46   ---------   d-----w   c:\program files\PPStream
2008-12-31 15:04   ---------   d-----w   c:\documents and settings\All Users\Application Data\Google Updater
2008-12-30 23:36   ---------   d-----w   c:\program files\Spybot - Search & Destroy
2008-12-28 23:58   ---------   d---a-w   c:\documents and settings\All Users\Application Data\TEMP
2008-12-28 22:19   ---------   d-----w   c:\program files\SpywareBlaster
2008-12-27 14:08   ---------   d-----w   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-25 21:24   ---------   d-----w   c:\program files\Tiscali Broadband
2008-12-23 20:09   ---------   d-----w   c:\documents and settings\All Users\Application Data\avg8
2008-12-21 18:00   ---------   d-----w   c:\documents and settings\norman\Application Data\Xfire
2008-12-21 17:31   137,992   ----a-w   c:\windows\system32\drivers\PnkBstrK.sys
2008-12-21 10:47   ---------   d-----w   c:\program files\Xfire
2008-12-20 22:22   ---------   d-----w   c:\program files\IncrediMail
2008-12-10 19:32   ---------   d-----w   c:\program files\NCH Swift Sound
2008-12-10 19:32   ---------   d-----w   c:\documents and settings\norman\Application Data\NCH Swift Sound
2008-12-10 16:58   ---------   d-----w   c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-08 01:48   ---------   d-----w   c:\program files\Microsoft Games
2008-12-08 01:45   ---------   d-----w   c:\program files\Electronic Arts
2008-12-08 01:40   ---------   d-----w   c:\program files\Steam
2008-12-06 15:27   ---------   d-----w   c:\program files\Google
2008-11-22 14:30   ---------   d-----w   c:\documents and settings\norman\Application Data\ppstream
2008-11-22 12:31   ---------   d-----w   c:\program files\PCTV4Me
2008-11-15 15:10   48,396   ----a-w   c:\windows\UninstVeetleTVPlayer.exe
2008-11-03 19:36   ---------   d-----w   c:\program files\Ahead
2008-11-03 19:26   ---------   d-----w   c:\documents and settings\All Users\Application Data\DVD Shrink
2008-11-02 15:15   ---------   d-----w   c:\program files\Dirlog
2008-10-19 10:27   6,688   ----a-w   c:\windows\movexe.exe
2008-05-24 21:45   22,328   ----a-w   c:\documents and settings\norman\Application Data\PnkBstrK.sys
2007-05-15 17:38   82   ----a-w   c:\documents and settings\All Users\Application Data\SUMQU0C1-FE20-APII-YE7M-BEDSDWMY5R6A.dat
2003-12-18 10:33   20,102   ----a-w   c:\program files\Readme.txt
2003-09-03 06:46   10,960   -c--a-w   c:\program files\EULA.txt
2006-09-02 00:09   56   -csha-r   c:\windows\system32\78F605413A.sys
2006-09-02 00:09   1,682   -csha-w   c:\windows\system32\KGyGaAvL.sys
2008-09-11 14:23   32,768   --sha-w   c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091120080912\index.dat
2007-04-03 15:51   9,173,280   --sha-w   c:\windows\system32\drivers\fidbox.dat
2007-04-03 15:51   103,712   --sha-w   c:\windows\system32\drivers\fidbox2.dat
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FLMK08KB"="c:\program files\Muiltmedia keyboard utility\2.2D\MMKEYBD.EXE" [2006-09-23 207360]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-19 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-19 86016]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-01 185896]
"nwiz"="nwiz.exe" [2007-04-19 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
DSLMON.lnk - c:\program files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2006-09-01 962661]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= IR41_32.DLL
"VIDC.MJPG"= pvmjpg20.dll
"VIDC.ACDV"= ACDV.dll
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm
"msvideo7"= STV680tg.dll
"VIDC.XFR1"= xfcodec.dll
"vidc.pivc"= pivideo.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute   REG_MULTI_SZ      autocheck autochk *\0lsdelete

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"FLMOFFICE4DMOUSE"=c:\program files\Trust\MI-2510T Optical Combi Tilt Mouse\moffice.exe
"nwiz"=nwiz.exe /install
"WinampAgent"=c:\program files\Winamp\winampa.exe
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe"  -osboot
"SunJavaUpdateSched"=c:\program files\Java\j2re1.4.2_03\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Excursion9.5\\mIRC.ExCurSioN.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IMApp.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Steam\\steamapps\\rhysinator\\condition zero\\hl.exe"=
"c:\\Program Files\\Steam\\steamapps\\rhysinator\\condition zero deleted scenes\\hl.exe"=
"c:\\Program Files\\Steam\\steamapps\\rhysinator\\half-life 2\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\rhysinator\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\PhotoJoy\\Bin\\PjApp.exe"=
"c:\\Program Files\\PhotoJoy\\Bin\\PjImp.exe"=
"c:\\Program Files\\PhotoJoy\\Bin\\PhotoJoy.exe"=
"c:\\Program Files\\Steam\\steamapps\\rhysinator\\source sdk base\\hl2.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\KODAK\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"135:TCP"= 135:TCP:DCOM(135)

R1 nnrnstdi;nnrnstdi;c:\windows\system32\drivers\nnrnstdi.sys [2007-11-03 13312]
R1 pwipf6;pwipf6;c:\windows\system32\drivers\pwipf6.sys [2008-07-31 103304]
R2 PQfsmonNT ABE675CA-49DF-11d3-93F6-00104B64D07B;PowerQuest File System Monitor PQfsmonNT ABE675CA-49DF-11d3-93F6-00104B64D07B;\??\c:\program files\PowerQuest\DataKeeper 5.0\PqFsmonNt.sys [2002-07-12 49096]
R2 ptssvc;ptssvc;c:\program files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe [2006-12-21 45056]
R2 SVKP;SVKP;\??\c:\windows\system32\SVKP.sys [2007-02-16 2368]
R2 WDFNet;Webroot Desktop Firewall network service;c:\program files\Webroot\Webroot Desktop Firewall\wdfsvc.exe [2008-07-31 353672]
R3 km_filter;km_filter;c:\windows\system32\drivers\km_filter.sys [2007-11-03 8832]
S2 ColdFusion Management Repository;ColdFusion Management Repository Server;"c:\cfusion\jrun\bin\jrun.exe" -jrundir "c:\cfusion\jrun" -nt "ColdFusion Management Repository" "cfam" []
S3 A_USBETHMP;USB PowerPacket Network Adapter;c:\windows\system32\Drivers\usbethmp.sys [2006-11-24 14342]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\Drivers\Brfilt.sys [2006-09-05 2944]
S3 BrSerWDM;Brother Serial driver;c:\windows\system32\Drivers\BrSerWdm.sys [2006-09-05 60416]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\Drivers\BrUsbMdm.sys [2006-09-05 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\Drivers\BrUsbScn.sys [2006-09-05 10368]
S3 hid8101;hid8101;c:\windows\system32\drivers\hid8101.SYS [2006-12-24 31899]
S3 iMSPCLOj;iMSPCLOj;\??\c:\docume~1\norman\LOCALS~1\Temp\iMSPCLOj.sys []
S3 PLCNDIS5;PLCNDIS5 NDIS Protocol Driver;\??\c:\windows\system32\PLCNDIS5.SYS [2006-11-24 17018]
S3 s3chipid;s3chipid;\??\c:\docume~1\norman\LOCALS~1\Temp\s3chipid.sys []
S3 vmfilter303;vmfilter303;c:\windows\system32\drivers\vmfilter303.sys [2007-04-28 428160]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1505667c-8af9-11dc-ad2e-4d6564696130}]
\Shell\AutoRun\command - E:\InstallTomTomHOME.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d117648-064c-11dd-add9-4d6564696130}]
\Shell\AutoRun\command - G:\InstallTomTomHOME.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{94df3b7a-7294-11dc-ad0c-4d6564696130}]
\Shell\AutoRun\command - E:\InstallTomTomHOME.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{be040102-9de9-11dc-ad48-4d6564696130}]
\Shell\AutoRun\command - E:\Laguna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2008-12-12 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe []

2008-12-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2009-01-01 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2008-12-30 c:\windows\Tasks\EasyShare Registration Task.job
- c:\windows\system32\rundll32.exe [2008-04-14 00:12]

2008-12-31 c:\windows\Tasks\Norton Security Scan for norman.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 04:18]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{DB9D7A78-A76C-4BF2-97C6-258925EE1542} - (no file)


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com
uInternet Settings,ProxyServer = 61.166.68.71:80
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TCP: {F52AF92F-A945-44D0-9705-B0A252CFDE59} = 212.139.132.10 212.139.132.11
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-01 14:41:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\h*NULL*a*NULL*u*NULL*s*NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NULL*n*NULL*â*NULL*¬  r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e*NULL*.*NULL*d*NULL*e*NULL*]
@Owner=S-1-5-21-1757981266-746137067-725345543-1004
"*"=dword:00000004

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\h*NULL*a*NULL*u*NULL*s*NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NULL*n*NULL* r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e*NULL*.*NULL*d*NULL*e*NULL*]
@Owner=S-1-5-21-1757981266-746137067-725345543-1004
"*"=dword:00000004

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\h*NULL*a*NULL*u*NULL*s*NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NULL*n*NULL*â*NULL*¬  r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e*NULL*.*NULL*d*NULL*e*NULL*]
@Security="Inherited"
"*"=dword:00000004

[HKEY_USERS\S-1-5-21-1757981266-746137067-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*NULL*]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=S-1-5-21-1757981266-746137067-725345543-1004
@Allowed: (Full) (S-1-5-21-1757981266-746137067-725345543-1004)
@Allowed: (Full) (S-1-5-21-1757981266-746137067-725345543-1004)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Administrators)
@Allowed: (Read) (S-1-5-12)
@Allowed: (Read) (S-1-5-12)

[HKEY_USERS\S-1-5-21-1757981266-746137067-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*NULL*\Certificates]
@Security="Inherited"

[HKEY_USERS\S-1-5-21-1757981266-746137067-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*NULL*\CRLs]
@Security="Inherited"

[HKEY_USERS\S-1-5-21-1757981266-746137067-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*NULL*\CTLs]
@Security="Inherited"

[HKEY_USERS\S-1-5-21-1757981266-746137067-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\h*NULL*a*NULL*u*NULL*s*NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NULL*n*NULL*â*NULL*¬  r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e*NULL*.*NULL*d*NULL*e*NULL*]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=S-1-5-21-1757981266-746137067-725345543-1004
@Allowed: (Full) (S-1-5-21-1757981266-746137067-725345543-1004)
@Allowed: (Full) (S-1-5-21-1757981266-746137067-725345543-1004)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Administrators)
@Allowed: (Read) (S-1-5-12)
@Allowed: (Read) (S-1-5-12)
"*"=dword:00000004

[HKEY_USERS\S-1-5-21-1757981266-746137067-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\h*NULL*a*NULL*u*NULL*s*NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NULL*n*NULL*â*NULL*¬  r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e*NULL*.*NULL*d*NULL*e*NULL*]
@Security="Inherited"
"*"=dword:00000004

[HKEY_USERS\S-1-5-21-1757981266-746137067-725345543-1004\Software\\¸ìÎ *NULL*QÇ©Æ *NULL*Õ\¸ø­¨· *NULL*ȹ•¼¬ÀÐÅÁ *NULL*ÝÀ1Á´ *NULL*QÇ©Æ *NULL*Õ\¸ø­¨·]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=S-1-5-21-1757981266-746137067-725345543-1004
@Allowed: (Full) (S-1-5-21-1757981266-746137067-725345543-1004)
@Allowed: (Full) (S-1-5-21-1757981266-746137067-725345543-1004)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Administrators)
@Allowed: (Read) (S-1-5-12)
@Allowed: (Read) (S-1-5-12)

[HKEY_USERS\S-1-5-21-1757981266-746137067-725345543-1004\Software\\¸ìÎ *NULL*QÇ©Æ *NULL*Õ\¸ø­¨· *NULL*ȹ•¼¬ÀÐÅÁ *NULL*ÝÀ1Á´ *NULL*QÇ©Æ *NULL*Õ\¸ø­¨·\PC Sync]
@Security="Inherited"

[HKEY_USERS\S-1-5-21-1757981266-746137067-725345543-1004\Software\\¸ìÎ *NULL*QÇ©Æ *NULL*Õ\¸ø­¨· *NULL*ȹ•¼¬ÀÐÅÁ *NULL*ÝÀ1Á´ *NULL*QÇ©Æ *NULL*Õ\¸ø­¨·\PC Sync\Settings]
@Security="Inherited"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\h*NULL*a*NULL*u*NULL*s*NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NULL*n*NULL*â*NULL*¬  r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e*NULL*.*NULL*d*NULL*e*NULL*]
@Security="Inherited"
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\h*NULL*a*NULL*u*NULL*s*NULL*a*NULL*u*NULL*f*NULL*g*NULL*a*NULL*b*NULL*e*NULL*n*NULL*â*NULL*¬  r*NULL*e*NULL*f*NULL*e*NULL*r*NULL*a*NULL*t*NULL*e*NULL*.*NULL*d*NULL*e*NULL*]
@Security="Inherited"
"*"=dword:00000004
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(652)
c:\windows\system32\wdfproc.dll

- - - - - - - > 'lsass.exe'(708)
c:\windows\system32\wdfproc.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Muiltmedia keyboard utility\2.2D\KBDAP32A.EXE
c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
c:\program files\Spybot - Search & Destroy\TeaTimer.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-01 14:48:46 - machine was rebooted
ComboFix-quarantined-files.txt  2009-01-01 14:48:42

Pre-Run: 51,289,067,520 bytes free
Post-Run: 51,259,842,560 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn /TUTag=ASS7SF

363   --- E O F ---   2008-12-25 21:27:36

Offline nash017

Re: I can not get to restore or even have norton run online virus scan
« Reply #19 on: January 01, 2009, 02:29:14 PM »
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:27:25, on 01/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Webroot Desktop Firewall\wdfsvc.exe
C:\Program Files\Muiltmedia keyboard utility\2.2D\KbdAp32A.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
E:\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 61.166.68.71:80
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard utility\2.2D\MMKEYBD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [HijackThis startup scan] E:\HijackThis.exe /startupscan
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F52AF92F-A945-44D0-9705-B0A252CFDE59}: NameServer = 212.139.132.8 212.139.132.9
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ColdFusion Monitoring Service (ClusterCATS Service) - Unknown owner - C:\CFusion\cfam\program\ccmgr.exe (file missing)
O23 - Service: ColdFusion Management Repository Server (ColdFusion Management Repository) - Unknown owner - C:\CFusion\jrun\bin\jrun.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Webroot Desktop Firewall network service (WDFNet) - Webroot Software Inc (www.webroot.com) - C:\Program Files\Webroot\Webroot Desktop Firewall\wdfsvc.exe

--
End of file - 8296 bytes

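Added example, not from the thread and not part of HijackThis itself: a small Python parser for the HijackThis log format posted above. It pulls out the entry types a helper looks at first in a log like this one (the user-level `ProxyServer` value in the R1 line, the O17 `NameServer` entries, every O4 autorun, and any O23 service whose binary is reported missing). The sample lines are copied from the log above; the function names (`parse_hjt`, `triage`, `report`) are my own.

```python
import re

# Constructed sample input: a few lines copied from the HijackThis log
# above, so the parser has realistic input to work on offline.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 61.166.68.71:80
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [HijackThis startup scan] E:\HijackThis.exe /startupscan
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F52AF92F-A945-44D0-9705-B0A252CFDE59}: NameServer = 212.139.132.8 212.139.132.9
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Every HijackThis line starts with a section tag (R0, R1, O2, O4, ...) and " - ".
LINE_RE = re.compile(r"^([RO]\d+) - (.*)$")
# R0/R1: "<hive\path>,<value name> = <data>"
R_RE = re.compile(r"^(?P<key>.+?),(?P<name>[^,=]+?) = (?P<data>.*)$")
# O4 registry form: "<hive>\..\Run: [<name>] <command>"
O4_REG_RE = re.compile(r"^(?P<where>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O4 startup-folder form: "Global Startup: <shortcut> = <target>"
O4_LNK_RE = re.compile(r"^(?P<where>.+?Startup): (?P<name>.+?) = (?P<cmd>.*)$")
O17_RE = re.compile(r"NameServer = (?P<servers>.+)$")
# Short service name in parentheses at the end of an O23 display name
O23_SHORT_RE = re.compile(r"\((?P<short>[^()]+)\)$")


def parse_hjt(text):
    """Parse HijackThis log lines into (section, record) pairs."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # banner, blank or "End of file" line
        section, rest = m.group(1), m.group(2)
        rec = {"raw": raw.strip()}
        if section in ("R0", "R1"):
            rm = R_RE.match(rest)
            if rm:
                rec.update(rm.groupdict())
        elif section == "O4":
            om = O4_REG_RE.match(rest) or O4_LNK_RE.match(rest)
            if om:
                rec.update(om.groupdict())
        elif section == "O17":
            sm = O17_RE.search(rest)
            if sm:
                rec["servers"] = sm.group("servers").split()
        elif section == "O23":
            body = rest[len("Service: "):] if rest.startswith("Service: ") else rest
            # "<display> - <vendor> - <path>": split from the right so a
            # display name containing " - " (as Avira's does) stays intact.
            parts = body.rsplit(" - ", 2)
            if len(parts) == 3:
                display, vendor, path = parts
                short = O23_SHORT_RE.search(display)
                rec.update(display=display, vendor=vendor, path=path,
                           short=short.group("short") if short else display,
                           missing=path.endswith("(file missing)"))
        records.append((section, rec))
    return records


def triage(text):
    """Summarise the entries a helper usually acts on first."""
    summary = {"proxy": None, "dns_servers": [], "autoruns": [],
               "missing_services": [], "bhos": 0}
    for section, rec in parse_hjt(text):
        if section in ("R0", "R1") and rec.get("name") == "ProxyServer" and rec.get("data"):
            summary["proxy"] = rec["data"]
        elif section == "O2":
            summary["bhos"] += 1
        elif section == "O4" and "name" in rec:
            summary["autoruns"].append((rec["where"], rec["name"], rec["cmd"]))
        elif section == "O17":
            summary["dns_servers"].extend(rec.get("servers", []))
        elif section == "O23" and rec.get("missing"):
            summary["missing_services"].append(rec["short"])
    return summary


def report(summary):
    """Render the triage summary as plain text, one finding per line."""
    lines = []
    if summary["proxy"]:
        lines.append(f"user-level proxy configured: {summary['proxy']}")
    if summary["dns_servers"]:
        lines.append("DNS servers: " + ", ".join(summary["dns_servers"]))
    for where, name, cmd in summary["autoruns"]:
        lines.append(f"autorun [{name}] via {where}: {cmd}")
    for svc in summary["missing_services"]:
        lines.append(f"service with missing binary: {svc}")
    lines.append(f"browser helper objects: {summary['bhos']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

Run it against a full saved HijackThis log by reading the file into `triage` instead of `SAMPLE_LOG`; entries it does not understand are kept as raw records so nothing is silently dropped.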
Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 11228
  • "Stronger than the past, united in our goal."
    • Security Garden
Re: I can not get to restore or even have norton run online virus scan
« Reply #20 on: January 01, 2009, 08:37:07 PM »
Whew!  Hi, Nash.  There may be quite a bit of work ahead.  Let's see where this takes us.

1)  You don't want to have HijackThis doing a scan at startup, so I've added it for removal from startup.  This won't remove it from your computer, just stop it from performing a scan when the computer starts up.

2)  Do you know what this file is? c:\windows\hip If you don't know, delete it.

3)  Custom CFScript
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

Code: [Select]
File::
c:\windows\registry.zzz
c:\windows\registry.daz
c:\windows\dsltest.INI
C:\write.lok
c:\windows\p2hhr.bat

Folder::
C:\ENG
c:\program files\Java\j2re1.4.2_03

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"=-
O4 - HKCU\..\Run: [HijackThis startup scan]
  • Save this as CFScript.txt and place it on your desktop.
  • Close any open browsers
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.



  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

4)  Please copy the contents of the code box below to a notepad file.  Save it as type "all files" and call it look.bat

Save it to your desktop and double-click it to run.  A notepad file will open with some information that I want you to copy here as a reply with your latest ComboFix log.

Code: [Select]
@echo off
REM Dump the named registry subtree, with all values, into Log.txt
Swreg null query S-1-5-21-1757981266-746137067-725345543-1004\Software /s /f >Log.txt
REM Open the dump in Notepad, then delete this batch file
Start Log.txt
DEL %0

5)  Once again, please copy the contents of the code box below to a notepad file.  Save it as type "all files" and call it look2.bat

Save it to your desktop and double-click it to run.  A notepad file will open with some information that I want you to copy here as a reply with your latest ComboFix log.

Code: [Select]
@echo off
REM Dump the default user's Internet Explorer ZoneMap settings into Log.txt
Swreg null query HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap /s /f >Log.txt
REM Open the dump in Notepad, then delete this batch file
Start Log.txt
DEL %0

Please let me know if you have any questions.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline nash017

  • Jr. Member
  • **
  • Posts: 63
Re: I can not get to restore or even have norton run online virus scan
« Reply #21 on: January 01, 2009, 11:03:23 PM »
SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 (C)

Unknown Rootkey: 'S-1-5-21-1757981266-746137067-725345543-1004'

Offline nash017

  • Jr. Member
  • **
  • Posts: 63
Re: I can not get to restore or even have norton run online virus scan
« Reply #22 on: January 01, 2009, 11:17:21 PM »
ComboFix 08-12-31.01 - norman 2009-01-02  0:07:55.3 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.2047.1477 [GMT 0:00]
Running from: c:\documents and settings\norman\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\norman\Desktop\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
FW: Webroot Desktop Firewall *disabled*

FILE ::
c:\windows\dsltest.INI
c:\windows\p2hhr.bat
c:\windows\registry.daz
c:\windows\registry.zzz
C:\write.lok
.

(((((((((((((((((((((((((   Files Created from 2008-12-02 to 2009-01-02  )))))))))))))))))))))))))))))))
.

2009-01-01 17:40 . 2009-01-01 17:39   410,984   --a------   c:\windows\system32\deploytk.dll
2009-01-01 17:40 . 2009-01-01 17:39   73,728   --a------   c:\windows\system32\javacpl.cpl
2008-12-31 19:22 . 2008-12-31 19:22   <DIR>   d--------   c:\program files\Webroot
2008-12-31 19:20 . 2008-12-31 19:20   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Webroot
2008-12-31 19:06 . 2008-12-31 19:06   0   --a------   c:\windows\system32\^3
2008-12-31 16:05 . 2008-12-31 16:05   <DIR>   d--------   c:\documents and settings\norman\Application Data\RealNetworks
2008-12-31 16:05 . 2008-12-31 16:05   <DIR>   d--------   c:\documents and settings\All Users\Application Data\RealNetworks
2008-12-31 14:34 . 2008-12-31 14:34   <DIR>   d--------   c:\documents and settings\norman\Application Data\InstallShield
2008-12-30 13:54 . 2008-12-30 13:54   <DIR>   d--------   c:\documents and settings\norman\Application Data\Malwarebytes
2008-12-27 23:13 . 2008-12-30 19:15   <DIR>   d--------   C:\UBCD4Win
2008-12-27 14:41 . 2008-12-27 14:41   <DIR>   d--------   c:\program files\Malwarebytes' Anti-Malware
2008-12-27 14:41 . 2008-12-27 14:41   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-27 14:41 . 2008-12-03 19:54   38,496   --a------   c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-27 14:41 . 2008-12-03 19:54   15,504   --a------   c:\windows\system32\drivers\mbam.sys
2008-12-25 20:39 . 2008-12-31 15:00   <DIR>   d--------   c:\program files\Norton Security Scan
2008-12-25 20:39 . 2008-12-25 20:39   <DIR>   d--------   c:\program files\Common Files\Symantec Shared
2008-12-25 14:08 . 2008-12-25 14:08   <DIR>   d--------   c:\windows\WinRescue
2008-12-25 13:23 . 2008-12-25 13:23   47   --a------   C:\rsqXPdir.ini
2008-12-25 13:17 . 2008-12-25 13:17   <DIR>   d--------   c:\program files\backup
2008-12-25 13:15 . 2008-12-25 14:08   <DIR>   d--------   c:\program files\WinRescueXP
2008-12-25 13:03 . 2008-12-25 13:03   <DIR>   d--------   c:\program files\ParticleG
2008-12-25 12:03 . 2008-12-25 12:03   <DIR>   d--------   c:\program files\Dean Software
2008-12-25 12:02 . 2008-12-25 12:02   <DIR>   d--------   c:\program files\OSCheck
2008-12-24 21:48 . 2008-12-24 21:49   <DIR>   d--------   c:\program files\active ports
2008-12-24 18:54 . 2008-12-24 19:03   <DIR>   d--------   c:\program files\Ontrack
2008-12-22 13:34 . 2008-12-22 15:00   <DIR>   d--------   c:\program files\Hide IP
2008-12-22 13:34 . 2008-12-24 18:24   32   --a------   c:\windows\hip
2008-12-22 01:43 . 2008-12-22 01:43   <DIR>   d--------   c:\program files\Avira
2008-12-22 01:43 . 2008-12-22 01:43   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Avira
2008-12-22 01:11 . 2002-07-09 17:46   726,528   --a------   C:\SETUP.EX~
2008-12-21 12:34 . 2008-12-21 12:34   <DIR>   d--------   c:\program files\Nokia
2008-12-21 12:34 . 2008-12-21 12:34   <DIR>   d--------   c:\documents and settings\norman\Application Data\PC Suite
2008-12-21 12:34 . 2007-02-22 10:15   90,624   --a------   c:\windows\system32\nmwcdcls.dll
2008-12-21 12:33 . 2008-12-21 12:33   <DIR>   d--------   c:\program files\PC Connectivity Solution
2008-12-21 12:33 . 2008-12-21 12:33   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Installations
2008-12-21 12:31 . 2008-12-21 12:31   <DIR>   d--------   c:\program files\Vodafone
2008-12-20 16:47 . 2008-12-21 12:24   <DIR>   d--------   c:\documents and settings\norman\Application Data\Roxio
2008-12-20 16:47 . 2008-12-20 16:47   <DIR>   d--------   c:\documents and settings\LocalService\Application Data\Roxio
2008-12-20 16:47 . 2008-12-31 02:08   54,156   --ah-----   c:\windows\QTFont.qfn
2008-12-20 16:47 . 2008-12-20 16:47   1,409   --a------   c:\windows\QTFont.for
2008-12-20 16:38 . 2008-12-20 16:38   <DIR>   d--------   c:\documents and settings\norman\Application Data\Research In Motion
2008-12-20 16:38 . 2008-12-31 17:13   256   --a------   c:\windows\system32\pool.bin
2008-12-20 16:31 . 2008-12-20 16:31   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Sonic
2008-12-20 16:31 . 2008-12-20 16:31   <DIR>   d--------   c:\documents and settings\All Users\Application Data\InstallShield
2008-12-20 16:26 . 2008-12-20 16:28   <DIR>   d--------   c:\program files\Roxio
2008-12-20 16:26 . 2008-12-20 16:26   <DIR>   d--------   c:\program files\Common Files\Sonic Shared
2008-12-20 16:26 . 2008-12-20 16:26   <DIR>   d--------   c:\program files\Common Files\Roxio Shared
2008-12-20 16:26 . 2008-12-21 12:24   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Roxio
2008-12-20 16:17 . 2007-01-18 10:24   26,496   -ra------   c:\windows\system32\drivers\RimSerial.sys
2008-12-20 16:13 . 2008-12-20 16:13   <DIR>   d--------   c:\program files\Research In Motion
2008-12-20 16:13 . 2008-12-20 16:14   <DIR>   d--------   c:\program files\Common Files\Research In Motion
2008-12-20 16:05 . 2008-12-20 16:05   <DIR>   d--hs----   c:\windows\ftpcache
2008-12-20 12:39 . 2008-12-20 12:39   <DIR>   d--------   c:\windows\LastGood(2)
2008-12-20 12:30 . 2008-12-20 12:30   <DIR>   d--------   c:\documents and settings\norman\Application Data\s_5849_NTN8fHx8NTN8fHwxMjQyMzg0MzM5fA_
2008-12-11 20:37 . 2008-12-11 20:37   42,320   --a------   c:\windows\system32\xfcodec.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-01 23:39   ---------   d-----w   c:\program files\Java
2009-01-01 16:04   ---------   d-----w   c:\documents and settings\All Users\Application Data\Google Updater
2009-01-01 13:01   ---------   d--h--w   c:\program files\InstallShield Installation Information
2009-01-01 13:00   ---------   d-----w   c:\program files\3GP Player
2009-01-01 12:58   ---------   d-----w   c:\program files\Veetle
2008-12-31 18:46   ---------   d-----w   c:\program files\PPStream
2008-12-30 23:36   ---------   d-----w   c:\program files\Spybot - Search & Destroy
2008-12-28 23:58   ---------   d---a-w   c:\documents and settings\All Users\Application Data\TEMP
2008-12-28 22:19   ---------   d-----w   c:\program files\SpywareBlaster
2008-12-27 14:08   ---------   d-----w   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-27 13:06   14,336   ----a-w   c:\windows\system32\svchost.exe
2008-12-25 21:24   ---------   d-----w   c:\program files\Tiscali Broadband
2008-12-23 20:09   ---------   d-----w   c:\documents and settings\All Users\Application Data\avg8
2008-12-21 18:00   ---------   d-----w   c:\documents and settings\norman\Application Data\Xfire
2008-12-21 17:31   137,992   ----a-w   c:\windows\system32\drivers\PnkBstrK.sys
2008-12-21 17:30   201,816   ----a-w   c:\windows\system32\PnkBstrB.exe
2008-12-21 10:47   ---------   d-----w   c:\program files\Xfire
2008-12-20 22:22   ---------   d-----w   c:\program files\IncrediMail
2008-12-10 19:32   ---------   d-----w   c:\program files\NCH Swift Sound
2008-12-10 19:32   ---------   d-----w   c:\documents and settings\norman\Application Data\NCH Swift Sound
2008-12-10 16:58   ---------   d-----w   c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-08 01:48   ---------   d-----w   c:\program files\Microsoft Games
2008-12-08 01:45   ---------   d-----w   c:\program files\Electronic Arts
2008-12-08 01:40   ---------   d-----w   c:\program files\Steam
2008-12-06 15:27   ---------   d-----w   c:\program files\Google
2008-12-01 20:51   ---------   d-----w   c:\program files\FLV Player
2008-11-22 14:30   ---------   d-----w   c:\documents and settings\norman\Application Data\ppstream
2008-11-22 12:31   ---------   d-----w   c:\program files\PCTV4Me
2008-11-15 15:10   48,396   ----a-w   c:\windows\UninstVeetleTVPlayer.exe
2008-11-03 19:36   ---------   d-----w   c:\program files\Ahead
2008-11-03 19:26   ---------   d-----w   c:\documents and settings\All Users\Application Data\DVD Shrink
2008-11-02 15:15   ---------   d-----w   c:\program files\Dirlog
2008-10-23 12:36   286,720   ----a-w   c:\windows\system32\gdi32.dll
2008-10-19 10:27   6,688   ----a-w   c:\windows\movexe.exe
2008-10-16 20:38   826,368   ----a-w   c:\windows\system32\wininet.dll
2008-10-16 14:13   202,776   ----a-w   c:\windows\system32\wuweb.dll
2008-10-16 14:13   1,809,944   ----a-w   c:\windows\system32\wuaueng.dll
2008-10-16 14:12   561,688   ----a-w   c:\windows\system32\wuapi.dll
2008-10-16 14:12   323,608   ----a-w   c:\windows\system32\wucltui.dll
2008-10-16 14:09   92,696   ----a-w   c:\windows\system32\cdm.dll
2008-10-16 14:09   51,224   ----a-w   c:\windows\system32\wuauclt.exe
2008-10-16 14:09   43,544   ----a-w   c:\windows\system32\wups2.dll
2008-10-16 14:08   34,328   ----a-w   c:\windows\system32\wups.dll
2008-10-16 14:06   268,648   ----a-w   c:\windows\system32\mucltui.dll
2008-10-16 14:06   208,744   ----a-w   c:\windows\system32\muweb.dll
2008-10-03 10:02   247,326   ----a-w   c:\windows\system32\strmdll.dll
2008-05-24 21:45   22,328   ----a-w   c:\documents and settings\norman\Application Data\PnkBstrK.sys
2007-05-15 17:38   82   ----a-w   c:\documents and settings\All Users\Application Data\SUMQU0C1-FE20-APII-YE7M-BEDSDWMY5R6A.dat
2003-12-18 10:33   20,102   ----a-w   c:\program files\Readme.txt
2003-09-03 06:46   10,960   -c--a-w   c:\program files\EULA.txt
2002-10-09 12:06   286,720   -c--a-w   c:\windows\inf\i386\rtscan.dll
2002-10-09 12:06   172,032   -c--a-w   c:\windows\inf\i386\viceo.dll
2002-10-09 08:11   61,440   -c--a-w   c:\windows\inf\i386\onetUSD.dll
2002-08-23 13:06   13,824   -c--a-w   c:\windows\inf\i386\Usbscan.sys
2002-08-23 12:58   36,864   -c--a-w   c:\windows\inf\i386\Vizmicro.dll
2006-09-02 00:09   56   -csha-r   c:\windows\system32\78F605413A.sys
2006-09-02 00:09   1,682   -csha-w   c:\windows\system32\KGyGaAvL.sys
2008-09-11 14:23   32,768   --sha-w   c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091120080912\index.dat
2007-04-03 15:51   9,173,280   --sha-w   c:\windows\system32\drivers\fidbox.dat
2007-04-03 15:51   103,712   --sha-w   c:\windows\system32\drivers\fidbox2.dat
.

(((((((((((((((((((((((((((((   snapshot@2009-01-01_14.45.31.18   )))))))))))))))))))))))))))))))))))))))))
.
- 2003-11-19 16:36:26   24,681   -c--a-w   c:\windows\system32\java.exe
+ 2009-01-01 17:39:24   144,792   ----a-w   c:\windows\system32\java.exe
- 2003-11-19 16:36:30   28,779   -c--a-w   c:\windows\system32\javaw.exe
+ 2009-01-01 17:39:24   144,792   ----a-w   c:\windows\system32\javaw.exe
+ 2009-01-01 17:39:24   148,888   ----a-w   c:\windows\system32\javaws.exe
+ 2009-01-01 17:40:05   16,384   ----atw   c:\windows\temp\Perflib_Perfdata_ea8.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FLMK08KB"="c:\program files\Muiltmedia keyboard utility\2.2D\MMKEYBD.EXE" [2006-09-23 207360]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-19 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-19 86016]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-01 185896]
"nwiz"="nwiz.exe" [2007-04-19 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
DSLMON.lnk - c:\program files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2006-09-01 962661]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= IR41_32.DLL
"VIDC.MJPG"= pvmjpg20.dll
"VIDC.ACDV"= ACDV.dll
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm
"msvideo7"= STV680tg.dll
"VIDC.XFR1"= xfcodec.dll
"vidc.pivc"= pivideo.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute   REG_MULTI_SZ      autocheck autochk *\0lsdelete

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"FLMOFFICE4DMOUSE"=c:\program files\Trust\MI-2510T Optical Combi Tilt Mouse\moffice.exe
"nwiz"=nwiz.exe /install
"WinampAgent"=c:\program files\Winamp\winampa.exe
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe"  -osboot

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Excursion9.5\\mIRC.ExCurSioN.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IMApp.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Steam\\steamapps\\rhysinator\\condition zero\\hl.exe"=
"c:\\Program Files\\Steam\\steamapps\\rhysinator\\condition zero deleted scenes\\hl.exe"=
"c:\\Program Files\\Steam\\steamapps\\rhysinator\\half-life 2\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\rhysinator\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\PhotoJoy\\Bin\\PjApp.exe"=
"c:\\Program Files\\PhotoJoy\\Bin\\PjImp.exe"=
"c:\\Program Files\\PhotoJoy\\Bin\\PhotoJoy.exe"=
"c:\\Program Files\\Steam\\steamapps\\rhysinator\\source sdk base\\hl2.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\KODAK\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"135:TCP"= 135:TCP:DCOM(135)

R1 nnrnstdi;nnrnstdi;c:\windows\system32\drivers\nnrnstdi.sys [2007-11-03 13312]
R1 pwipf6;pwipf6;c:\windows\system32\drivers\pwipf6.sys [2008-07-31 103304]
R2 PQfsmonNT ABE675CA-49DF-11d3-93F6-00104B64D07B;PowerQuest File System Monitor PQfsmonNT ABE675CA-49DF-11d3-93F6-00104B64D07B;\??\c:\program files\PowerQuest\DataKeeper 5.0\PqFsmonNt.sys [2002-07-12 49096]
R2 ptssvc;ptssvc;c:\program files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe [2006-12-21 45056]
R2 SVKP;SVKP;\??\c:\windows\system32\SVKP.sys [2007-02-16 2368]
R2 WDFNet;Webroot Desktop Firewall network service;c:\program files\Webroot\Webroot Desktop Firewall\wdfsvc.exe [2008-07-31 353672]
R3 km_filter;km_filter;c:\windows\system32\drivers\km_filter.sys [2007-11-03 8832]
S2 ColdFusion Management Repository;ColdFusion Management Repository Server;"c:\cfusion\jrun\bin\jrun.exe" -jrundir "c:\cfusion\jrun" -nt "ColdFusion Management Repository" "cfam" []
S3 A_USBETHMP;USB PowerPacket Network Adapter;c:\windows\system32\Drivers\usbethmp.sys [2006-11-24 14342]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\Drivers\Brfilt.sys [2006-09-05 2944]
S3 BrSerWDM;Brother Serial driver;c:\windows\system32\Drivers\BrSerWdm.sys [2006-09-05 60416]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\Drivers\BrUsbMdm.sys [2006-09-05 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\Drivers\BrUsbScn.sys [2006-09-05 10368]
S3 hid8101;hid8101;c:\windows\system32\drivers\hid8101.SYS [2006-12-24 31899]
S3 iMSPCLOj;iMSPCLOj;\??\c:\docume~1\norman\LOCALS~1\Temp\iMSPCLOj.sys []
S3 PLCNDIS5;PLCNDIS5 NDIS Protocol Driver;\??\c:\windows\system32\PLCNDIS5.SYS [2006-11-24 17018]
S3 s3chipid;s3chipid;\??\c:\docume~1\norman\LOCALS~1\Temp\s3chipid.sys []
S3 vmfilter303;vmfilter303;c:\windows\system32\drivers\vmfilter303.sys [2007-04-28 428160]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1505667c-8af9-11dc-ad2e-4d6564696130}]
\Shell\AutoRun\command - E:\InstallTomTomHOME.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d117648-064c-11dd-add9-4d6564696130}]
\Shell\AutoRun\command - G:\InstallTomTomHOME.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{94df3b7a-7294-11dc-ad0c-4d6564696130}]
\Shell\AutoRun\command - E:\InstallTomTomHOME.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{be040102-9de9-11dc-ad48-4d6564696130}]
\Shell\AutoRun\command - E:\Laguna.exe

*Newly Created Service* - JAVAQUICKSTARTERSERVICE

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2008-12-12 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe []

2008-12-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2009-01-01 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2008-12-30 c:\windows\Tasks\EasyShare Registration Task.job
- c:\windows\system32\rundll32.exe [2008-04-14 00:12]

2008-12-31 c:\windows\Tasks\Norton Security Scan for norman.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 04:18]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com
uInternet Settings,ProxyServer = 61.166.68.71:80
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-02 00:10:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(652)
c:\windows\system32\wdfproc.dll

- - - - - - - > 'lsass.exe'(708)
c:\windows\system32\wdfproc.dll
.
Completion time: 2009-01-02  0:12:06
ComboFix-quarantined-files.txt  2009-01-02 00:12:03
ComboFix2.txt  2009-01-01 23:44:34
ComboFix3.txt  2009-01-01 14:48:49

Pre-Run: 51,060,371,456 bytes free
Post-Run: 51,041,906,688 bytes free

290   --- E O F ---   2008-12-25 21:27:36

Offline nash017

  • Jr. Member
  • **
  • Posts: 63
Re: I can not get to restore or even have norton run online virus scan
« Reply #23 on: January 01, 2009, 11:20:38 PM »

SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 (C)

Offline nash017

  • Jr. Member
  • **
  • Posts: 63
Re: I can not get to restore or even have norton run online virus scan
« Reply #24 on: January 01, 2009, 11:21:55 PM »
sorry Corrine, have to log in and out, lost combi file 1st time,

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 11228
  • "Stronger than the past, united in our goal."
    • Security Garden
Re: I can not get to restore or even have norton run online virus scan
« Reply #25 on: January 01, 2009, 11:24:25 PM »
Thank you, Nash.  I see that those "null" entries are now missing from the log.  That's good news.

(Edit to add:

SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 (C)

Unknown Rootkey: 'S-1-5-21-1757981266-746137067-725345543-1004'

That was because I obviously missed something in my copy/paste.  The line should have read
Swreg null query HKU\S-1-5-21-1757981266-746137067-725345543-1004\Software /s /f >Log.txt )
_____

Although it appears to be "empty" there is a file I missed removing in the previous ComboFix run.  However, first, let's do an online scan in case there is something else that needs taking care of and then we'll take care of "c:\windows\system32\^3" later.

This may take a while, so you get to practice patience in the new year.  :)

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal.
Note:
  • This scan is best done from IE (Internet Explorer)
  • Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here: http://www.kaspersky.com/kos/eng/partner/default/languages/english/check.html?n=1223851135704
  • Read the Requirements and limitations before you click Accept.
  • Once the database has downloaded, click My Computer in the left pane
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

Note: To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

=====================

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

=====================

Logs Required
Kaspersky Scan Log
Hijackthis Log

Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline nash017

  • Jr. Member
  • **
  • Posts: 63
Re: I can not get to restore or even have norton run online virus scan
« Reply #26 on: January 01, 2009, 11:36:54 PM »
Says I need Java 1.5 or later, IE not letting it download

Offline nash017

  • Jr. Member
  • **
  • Posts: 63
Re: I can not get to restore or even have norton run online virus scan
« Reply #27 on: January 01, 2009, 11:43:57 PM »
Getting Java off Tucows, could have sworn it was on the PC already

Offline Paddy

  • LandzDown Team
  • Hero Member
  • *****
  • Posts: 1366
Re: I can not get to restore or even have norton run online virus scan
« Reply #28 on: January 01, 2009, 11:55:56 PM »
Nash, if that fails get it from here >> Java SE Runtime Environment (JRE) 6 Update 11

http://java.sun.com/javase/downloads/index.jsp


Paddy..
This is one race of people for whom psychoanalysis is of no use whatsoever - Sigmund Freud (about the Irish)

Never argue with a fool, they will lower you to their level and then beat you with experience.

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 11228
  • "Stronger than the past, united in our goal."
    • Security Garden
Re: I can not get to restore or even have norton run online virus scan
« Reply #29 on: January 01, 2009, 11:57:06 PM »
It is best to get it from the vendor site.  However, when installing, beware of any pre-checked toolbar options!

Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.