
Possible Malware Infection - File/Folder Permissions and IE 8 Browser


  • This topic is locked
47 replies to this topic

#1 lmacri

    Authentic Member

  • 37 posts

Posted 04 February 2011 - 04:03 PM

I have encountered several problems on my home laptop PC since early January 2011 that all seem to be related to incorrect file/registry permissions and IE 8 browser errors. Before attempting a repair/re-install of my Vista OS I would like to ensure that I am not infected with malware that may have been missed by Norton Internet Security 2011 (NIS) and Malwarebytes' Anti-Malware (MBAM).

On January 16, 2011 I noticed that when I navigate to the Microsoft Update website (www.update.microsoft.com) using my IE 8 browser, I received an error number 0x8DDD0002 (must be logged on as an Administrator) (see attached .jpg). Every time I visit this site using IE 8 my Windows Event Viewer generates a DistributedCOM error (Event ID 10016) stating that I do not have Local Activation permission for the COM Server application with CLSID {E60687F7-01A1-40AA-86AC-DB1CBF673334}, which I discovered is the Windows Update Agent service (wuauserv) (see attached .txt file).

Prior to January 16, 2011 when I ran Windows Update from my Start menu, the GUI used to say "You receive updates for: Windows and other Microsoft Products" and if I went into the Windows Update settings there used to be a check box saying "Give me updates for Microsoft products and check for new optional Microsoft software when I update Windows" that I could enable or disable. Regrettably, I disabled this check box a few weeks ago and now I am no longer able to re-configure Windows Update to deliver optional patches for Microsoft products (e.g., MS Works, MS Silverlight, etc.), although it still seems to deliver updates for my Windows OS.

I contacted Microsoft Support and some of the fixes they suggested (listed below) have just compounded the problem. Here are some other symptoms I'm currently seeing:

1. NIS 2011 firewall reports that I am connected to a protected network 127.0.0.0/125.0.0.0 (which I chose to trust) and a newly detected network on adapter "Software Loopback Interface 1 (IP address 127.0.0.1)". I checked my Hosts file at C:\Windows\System32\drivers\etc\ and confirmed that the Hosts file only contains the following two default entries for Windows Vista:

127.0.0.1 localhost
::1 localhost

I confirmed in the Norton NIS/NAV forum that it is not normal behavior for the NIS 2011 firewall to report 127.0.0.0 as a protected network.

2. When I try to run HijackThis, there is no "Run as Administrator" option if I right click on the desktop shortcut. If I proceed with the scan, HijackThis reports that "For some reason your system denied write access to the Hosts file" and the information for item O1 - Hosts: ::1 localhost in the scan says that "A change in the 'Hosts' system file Windows uses to lookup domain names before querying internet DNS services, effectively making Windows believe that 'auto.search.windows.com' has a different IP address than it really has and making IE open the wrong page whenever you enter an invalid domain name in the IE address bar" (see attached .jpgs). I am unable to create the HijackThis log automatically in the default C:\Program Files\Trend Micro\HijackThis\ folder, but I was able to manually save a copy of the log in my user Documents folder.

3. The SYSTEM and Administrators groups do not have any permissions for several folders in my C:\Windows\ and C:\Program Files\ folders (including C:\Windows\System32), although the Users group still has Read & Execute permissions. I have been unable to determine if this is normal, but it might explain why my Windows Update Agent service (wuauserv) does not have local activation permissions and why HijackThis cannot access the system Hosts file.

--------

Some of the fixes I attempted that have had no effect or made the problem worse:

1. Full reset of my IE 8 browser (Tools | Internet Options | Advanced | Reset Internet Explorer Settings)
2. Aggressive reset of Windows Update using MS FixIT tool (http://support.microsoft.com/kb/971058)
3. Repair of Windows Files and Folders using MS FixIT tool (http://support.micro...lder_diag/en-us)

I also ran the System File Checker (sfc /scannow) and performed a thorough DiskCheck to check for hard drive errors, and both scans reported no errors. I do not have a Windows Vista DVD (my HP laptop has a recovery partition on D: drive) and I don't know if choosing a Windows Repair from my boot-up options (i.e., by hitting F8 during boot-up) would just roll my Windows Vista OS back to SP1 or if it would remove all my third-party software as well. I no longer have a system restore point created prior to January 16, 2011.

I have attached a copy of my HijackThis Uninstall list and pasted the contents of my HijackThis scan log below.

--------

Vista Home Premium 32-bit SP2 * IE 8 * Firefox 3.6.13 * NIS 2011 v. 18.5.0.125 * MBAM v. 1.5.1.1100 * HijackThis v. 2.0.4
HP Pavilion dv6835ca, Intel Core2Duo CPU T5550 @ 1.83 GHz, 3.0 GB RAM, NVIDIA GeForce 8400 GS

--------

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:13:11 AM, on 04/02/2011
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18999)
Boot mode: Normal

Running processes:
C:\Windows\SYSTEM32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\iTunes\iTunesHelper.exe
c:\Windows\System32\wbem\unsecapp.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10l_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Mail\WinMail.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...n&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...n&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: DigitalPersona Personal Extension - {395610AE-C624-4f58-B89E-23733EA00F9A} - C:\Program Files\DigitalPersona\Bin\DpOtsPluginIe8.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\18.5.0.125\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\18.5.0.125\IPS\IPSBHO.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\18.5.0.125\coIEPlg.dll
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [OnScreenDisplay] C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.updat...b?1295533249443
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1263496178158
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1295533886492
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.h...tDetection2.cab
O16 - DPF: {80AEEC0E-A2BE-4B8D-985F-350FE869DC40} - http://h20264.www2.h...osticsVista.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cab
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHostW.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\18.5.0.125\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe

--
End of file - 7336 bytes

Attached Thumbnails

  • lmacri_MU_Website_Error_0x8DDD0002.jpg

Attached Images

  • lmacri_HijackThis_Hosts_File_Warning_03_Feb_2011.jpg
  • lmacri_HijackThis_Info_on_Local_Host_03_Feb_2011.jpg
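
The three symptoms described in post #1 (a Hosts file that should contain only the two Vista defaults, SYSTEM and Administrators missing from the ACLs on C:\Windows and C:\Program Files, and repeated DistributedCOM 10016 events for the Windows Update Agent CLSID) can be checked from one script instead of by hand. The following is an added example written for this page, not code from lmacri or from the forum, and not something either DDS or HijackThis produces. It assumes Windows PowerShell 2.0 or later run from an elevated prompt; the folder paths, the default Hosts entries and the CLSID {E60687F7-01A1-40AA-86AC-DB1CBF673334} are taken from the post above, and the function names are the author's own.

```powershell
# Added diagnostic example (not lmacri's or the forum's code).
# Assumes Windows PowerShell 2.0+ on Vista or later, run elevated so Get-Acl
# and the System event log are readable.

$hostsPath    = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$defaultHosts = @('127.0.0.1 localhost', '::1 localhost')   # Vista defaults quoted in the post

# Return every active (non-comment, non-blank) Hosts entry that is not one of the defaults.
# Any extra entry is a candidate for the kind of hijack HijackThis warns about under O1.
function Get-HostsAnomalies {
    param([string]$Path = $hostsPath)
    if (-not (Test-Path $Path)) { return @("hosts file missing at $Path") }
    $anomalies = @()
    foreach ($line in Get-Content $Path) {
        $text = ($line -replace '#.*$', '').Trim()          # strip trailing comments
        if ($text -eq '') { continue }
        $norm = ($text -split '\s+') -join ' '              # collapse whitespace for comparison
        if ($defaultHosts -notcontains $norm) { $anomalies += $norm }
    }
    return $anomalies
}

# Report owner and whether SYSTEM / BUILTIN\Administrators hold any ACE on the system folders.
# On a default Vista install both principals are present and TrustedInstaller owns the folders.
function Test-SystemAcl {
    param([string[]]$Folders = @($env:SystemRoot, "$env:SystemRoot\System32", $env:ProgramFiles))
    foreach ($folder in $Folders) {
        $acl = Get-Acl -Path $folder
        $ids = $acl.Access | ForEach-Object { $_.IdentityReference.Value }
        New-Object PSObject -Property @{
            Folder    = $folder
            Owner     = $acl.Owner
            HasSystem = [bool]($ids -contains 'NT AUTHORITY\SYSTEM')
            HasAdmins = [bool]($ids -contains 'BUILTIN\Administrators')
        }
    }
}

# Pull DistributedCOM 10016 events from the last $Days days that name the given CLSID
# and extract the account the activation was denied for.
function Get-DcomActivationErrors {
    param([string]$Clsid = '{E60687F7-01A1-40AA-86AC-DB1CBF673334}', [int]$Days = 7)
    $filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-DistributedCOM'
                 Id = 10016; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($Clsid) } |
        Select-Object TimeCreated, Id,
            @{ n = 'User'; e = { $_.Message -replace '(?s).*to the user (\S+).*', '$1' } }
}

"== Hosts file =="
$extra = @(Get-HostsAnomalies)
if ($extra.Count -eq 0) { "only the two default entries are present" }
else { $extra | ForEach-Object { "unexpected entry: $_" } }

"== ACLs on system folders =="
Test-SystemAcl | Format-Table Folder, Owner, HasSystem, HasAdmins -AutoSize

"== DCOM 10016 events for the Windows Update Agent CLSID (last 7 days) =="
Get-DcomActivationErrors | Format-Table -AutoSize
```

Read the output the way a responder would: an unexpected Hosts entry is worth a closer look regardless of the other findings, while `HasSystem` or `HasAdmins` reporting `False` on C:\Windows or C:\Program Files matches the permission loss described in the post and on its own explains both the HijackThis write failure and the 10016 activation denials, so the ACLs are the thing to repair before drawing conclusions about infection.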



#2 CatByte

    Classroom Administrator

  • 21,060 posts
  • MVP

Posted 05 February 2011 - 02:22 PM

Hi,

Please do the following:


Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.


NEXT


Download GMER Rootkit Scanner from here to your desktop. It will be a randomly named executable.
  • Double click the exe file.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.

    [Image: GMER scan settings screenshot]
  • In the right panel, you will see several boxes that have been checked. Ensure the following are unchecked
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#3 lmacri

    Authentic Member

  • 37 posts

Posted 08 February 2011 - 09:44 AM

Hi CatByte: Here are the contents of DDS.txt and Attach.txt. The GMER.txt file is attached.

_________________________________________________________________________________________

DDS (Ver_10-12-12.02) - NTFSx86
Run by Lori at 15:55:28.48 on 07/02/2011
Internet Explorer: 8.0.6001.18999
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.3070.1666 [GMT -6:00]

AV: Norton Internet Security *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

============== Running Processes ===============

C:\Windows\SYSTEM32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton Internet Security\Engine\18.5.0.125\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\DllHost.exe
c:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\Norton Internet Security\Engine\18.5.0.125\ccSvcHst.exe
C:\Windows\Explorer.EXE
C:\Windows\SYSTEM32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe
c:\Windows\System32\wbem\unsecapp.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\conime.exe
c:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Lori\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
uSearch Bar = Preserve
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=81&bd=Pavilion&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=81&bd=Pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
BHO: DigitalPersona Personal Extension: {395610ae-c624-4f58-b89e-23733ea00f9a} - c:\program files\digitalpersona\bin\DpOtsPluginIe8.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\18.5.0.125\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\18.5.0.125\ips\IPSBHO.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\18.5.0.125\coIEPlg.dll
uRun: [ISUSPM] "c:\programdata\macrovision\flexnet connect\6\ISUSPM.exe" -scheduler
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [OnScreenDisplay] c:\program files\hewlett-packard\hp quicktouch\HPKBDAPP.exe
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [<NO NAME>]
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1295533249443
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1263496178158
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1295533886492
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {80AEEC0E-A2BE-4B8D-985F-350FE869DC40} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsVista.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
LSA: Notification Packages = scecli DPPWDFLT
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\users\lori\appdata\roaming\mozilla\firefox\profiles\t8xvl799.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: network.proxy.type - 0
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\coffplgn\components\coFFPlgn.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Norton IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\IPSFFPlgn
FF - Ext: Norton Toolbar: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62} - c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\coFFPlgn
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Mozilla Archive Format: {7f57cf46-4467-4c2d-adfa-0cba7c507e54} - %profile%\extensions\{7f57cf46-4467-4c2d-adfa-0cba7c507e54}
FF - Ext: Bookmark Duplicate Detector: {ba243cb0-b824-4a26-9418-73ee795d9b9d} - %profile%\extensions\{ba243cb0-b824-4a26-9418-73ee795d9b9d}

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1205000.07d\SymDS.sys [2011-2-3 340016]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1205000.07d\SymEFA.sys [2011-2-3 652336]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\definitions\bashdefs\20110114.001\BHDrvx86.sys [2011-2-4 691248]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\definitions\ipsdefs\20110204.001\IDSvix86.sys [2011-2-7 353912]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1205000.07d\Ironx86.sys [2011-2-3 136312]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nis\1205000.07d\symtdiv.sys [2011-2-3 330360]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-5-3 363344]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\18.5.0.125\ccSvcHst.exe [2011-2-3 130000]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2008-10-2 482176]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-2-4 102448]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-5-3 20952]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S4 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2009-7-29 193840]

=============== Created Last 30 ================

2011-02-07 14:50:02 5890896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{b7adaf8f-9607-41f1-9f2d-fbdaba91919b}\mpengine.dll
2011-02-03 23:16:54 126512 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-02-03 23:16:38 652336 ----a-r- c:\windows\system32\drivers\nis\1205000.07d\SymEFA.sys
2011-02-03 23:16:38 509560 ----a-r- c:\windows\system32\drivers\nis\1205000.07d\srtsp.sys
2011-02-03 23:16:38 50168 ----a-r- c:\windows\system32\drivers\nis\1205000.07d\srtspx.sys
2011-02-03 23:16:38 340016 ----a-r- c:\windows\system32\drivers\nis\1205000.07d\SymDS.sys
2011-02-03 23:16:38 330360 ----a-r- c:\windows\system32\drivers\nis\1205000.07d\symtdiv.sys
2011-02-03 23:16:38 295032 ----a-r- c:\windows\system32\drivers\nis\1205000.07d\symnets.sys
2011-02-03 23:16:38 136312 ----a-r- c:\windows\system32\drivers\nis\1205000.07d\Ironx86.sys
2011-02-03 23:15:28 -------- d-----w- c:\windows\system32\drivers\nis\1205000.07D
2011-02-03 23:15:28 -------- d-----w- c:\windows\system32\drivers\NIS
2011-02-03 23:15:18 -------- d-----w- c:\program files\Norton Internet Security
2011-02-03 21:41:25 -------- d-----w- c:\program files\Norton Internet Security(234)
2011-02-03 21:41:01 -------- d-----w- c:\program files\NortonInstaller(236)
2011-02-03 14:54:04 388096 ----a-r- c:\users\lori\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-02-03 14:54:03 -------- d-----w- c:\program files\Trend Micro
2011-02-03 14:25:42 -------- d-----w- c:\windows\system32\catroot2(295)
2011-02-03 14:25:42 -------- d-----w- c:\windows\system32\catroot2
2011-02-01 20:53:57 -------- d-----w- c:\program files\iPod(164)
2011-02-01 20:53:57 -------- d-----w- c:\program files\iPod
2011-02-01 20:53:54 -------- d-----w- c:\program files\iTunes(165)
2011-02-01 20:53:54 -------- d-----w- c:\program files\iTunes
2011-02-01 16:37:39 -------- d-sh--w- C:\$RECYCLE.BIN
2011-02-01 16:37:39 -------- d-----w- C:\$RECYCLE(6).BIN
2011-01-26 15:46:12 -------- d-----w- C:\288b594930c641eac4
2011-01-21 17:09:59 -------- d-----w- c:\users\lori\appdata\local\Secunia PSI
2011-01-21 03:40:51 -------- d-----w- c:\users\lori\appdata\local\Mozilla
2011-01-20 19:54:04 -------- d-----w- c:\users\lori\appdata\roaming\Foxit Software
2011-01-18 18:44:27 -------- d-----w- c:\users\lori\appdata\local\QuickPlay
2011-01-15 22:58:41 -------- d-----w- c:\program files\GPLGS
2011-01-15 22:41:32 87552 ----a-w- c:\windows\system32\cpwmon2k.dll
2011-01-12 15:00:45 708608 ----a-w- c:\program files\common files\system\ado\msado15.dll
2011-01-12 15:00:45 413696 ----a-w- c:\windows\system32\odbc32.dll
2011-01-12 15:00:44 57344 ----a-w- c:\program files\common files\system\msadc\msadcs.dll
2011-01-12 15:00:44 253952 ----a-w- c:\program files\common files\system\ado\msadox.dll
2011-01-12 15:00:44 241664 ----a-w- c:\program files\common files\system\ado\msadomd.dll
2011-01-12 15:00:44 180224 ----a-w- c:\program files\common files\system\msadc\msadco.dll
2011-01-12 15:00:39 1169408 ----a-w- c:\windows\system32\sdclt.exe

==================== Find3M ====================

2011-01-20 19:39:56 2989660 ----a-w- c:\progra~2\DVD.exe
2011-01-18 21:25:41 2864396 ----a-w- c:\progra~2\MPV.exe
2011-01-18 21:21:09 2331174 ----a-w- c:\progra~2\Karaoke.exe
2010-12-11 04:14:26 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-29 23:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 23:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts

============= FINISH: 15:56:01.21 ===============

_________________________________________________________________________________________

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 17/03/2008 6:04:40 AM
System Uptime: 07/02/2011 11:09:19 AM (4 hours ago)

Motherboard: Quanta | | 30D2
Processor: Intel® Core™2 Duo CPU T5550 @ 1.83GHz | U2E1 | 1333/667mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 221 GiB total, 137.042 GiB free.
D: is FIXED (NTFS) - 12 GiB total, 1.56 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft ISATAP Adapter
Device ID: ROOT\*ISATAP\0001
Manufacturer: Microsoft
Name: Microsoft ISATAP Adapter #2
PNP Device ID: ROOT\*ISATAP\0001
Service: tunnel

Class GUID: {e0cbf06c-cd8b-4647-bb8a-263b43f0f974}
Description: HP Integrated Module with Bluetooth 2.0 Wireless Technology
Device ID: USB\VID_03F0&PID_171D\5&19D95DEA&0&2
Manufacturer: Broadcom
Name: HP Integrated Module with Bluetooth 2.0 Wireless Technology
PNP Device ID: USB\VID_03F0&PID_171D\5&19D95DEA&0&2
Service: BTHUSB

==== System Restore Points ===================

RP1412: 20/01/2011 2:41:46 PM - Post Foxit PDF Reader Install
RP1413: 20/01/2011 11:19:06 PM - Post Firefox Install and IE 8 Factory Reset
RP1414: 21/01/2011 9:57:15 AM - Windows Update
RP1415: 22/01/2011 7:20:38 PM - Windows Backup
RP1416: 25/01/2011 6:38:13 PM - Scheduled Checkpoint
RP1418: 26/01/2011 9:47:02 AM - Windows Update
RP1419: 26/01/2011 1:45:30 PM - Installed Microsoft Fix it 50202
RP1420: 27/01/2011 5:06:02 PM - Windows Backup
RP1421: 28/01/2011 12:34:13 PM - Scheduled Checkpoint
RP1422: 29/01/2011 3:34:35 PM - Windows Update
RP1423: 31/01/2011 6:06:07 PM - Scheduled Checkpoint
RP1424: 01/02/2011 8:58:35 AM - Windows Update
RP1425: 01/02/2011 10:56:27 AM - Installed Microsoft Fix it 50202
RP1427: 01/02/2011 2:00:34 PM - Made by Norton Utilities
RP1428: 01/02/2011 2:45:47 PM - Device Driver Package Install: Apple, Inc. Universal Serial Bus controllers
RP1429: 01/02/2011 2:46:11 PM - Device Driver Package Install: Apple Network adapters
RP1430: 01/02/2011 2:47:12 PM - Installed iTunes
RP1431: 01/02/2011 2:51:26 PM - Installed iTunes
RP1432: 03/02/2011 7:51:09 AM - Installed Microsoft Fix it 50202
RP1433: 03/02/2011 8:07:13 AM - Installed Microsoft Fix it 50202
RP1434: 03/02/2011 8:53:26 AM - Installed HiJackThis
RP1435: 03/02/2011 12:44:03 PM - Windows Backup
RP1437: 03/02/2011 3:49:00 PM - Configured YouCam
RP1439: 03/02/2011 3:50:46 PM - Configured YouCam
RP1441: 03/02/2011 3:53:43 PM - Configured YouCam
RP1442: 04/02/2011 7:38:47 AM - Windows Modules Installer
RP1443: 07/02/2011 8:43:36 AM - Windows Update

==== Installed Programs ======================

32 Bit HP CIO Components Installer
AceMoney Lite
Activation Assistant for the 2007 Microsoft Office suites
ActiveCheck component for HP Active Support Library
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Shockwave Player
AIO_Scan
Analyse-it for Microsoft Excel
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Auslogics Duplicate File Finder
AuthenTec Fingerprint Sensor Minimum Install
Bonjour
BufferChm
C5200
C5200_Help
CCleaner
Copy
CutePDF Writer 2.8
Defraggler
Destination Component
DeviceDiscovery
DeviceManagementQFolder
DigitalPersona Personal 4.11
DocProc
DocProcQFolder
Driver Detective
DVD Suite
eSupportQFolder
Fax
FileHippo.com Update Checker
Foxit Reader
Fund Manager
GPBaseService
GPBaseService2
Hauppauge MCE XP/Vista Software Encoder (2.0.25149)
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Active Support Library
HP Customer Experience Enhancements
HP Doc Viewer
HP Driver Diagnostics
HP Easy Setup - Frontend
HP Help and Support
HP Imaging Device Functions 10.0
HP Integrated Module with Bluetooth wireless technology 6.0.1.6000
HP Photosmart All-In-One Driver Software 10.0 Rel .2
HP Product Detection
HP Quick Launch Buttons 6.40 H2
HP QuickPlay 3.7
HP QuickTouch 1.00 D2
HP Solution Center 13.0
HP Update
HP User Guides 0087
HP Wireless Assistant
HPAsset component for HP Active Support Library
HPNetworkAssistant
HPProductAssistant
Intel® Matrix Storage Manager
iTunes
Java Auto Updater
Java™ 6 Update 23
LabelPrint
LightScribe System Software 1.10.13.1
LiveUpdate (Symantec Corporation)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Money 2005
Microsoft Office 2000 SR-1 Professional
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Moneydance 2010
Motorola SM56 Speakerphone Modem
Mozilla Firefox (3.6.13)
MSVCSetup
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
My HP Games
Norton Internet Security
Norton Utilities
NVIDIA Drivers
OCR Software by I.R.I.S. 10.0
PanoStandAlone
PerformanceTest
PS_AIO_02_ProductContext
PS_AIO_02_Software
PS_AIO_02_Software_Min
PVSonyDll
QuickTime
Realtek 8169, 8168, 8101E and 8102E Ethernet Network Card Driver for Windows Vista
Realtek High Definition Audio Driver
Registry First Aid
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.52.02
Scan
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Visual Basic for Applications 6.5 (KB974945)
SolutionCenter
Status
Symantec Technical Support Web Controls
Synaptics Pointing Device Driver
Toolbox
TrayApp
UnloadSupport
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Viewpoint Media Player
Vista Services Optimizer
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WeatherBug Gadget
WebReg
Windows Live Install Wizard
WinRAR archiver

==== Event Viewer Messages From Past Week ========

07/02/2011 9:48:27 AM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {E60687F7-01A1-40AA-86AC-DB1CBF673334} to the user Lori-PC\Lori SID (S-1-5-21-3086198521-800258848-3831315664-1000) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
04/02/2011 9:01:38 AM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.101.164 for the Network Card with network address 001F3B31C627 has been denied by the DHCP server 192.168.100.254 (The DHCP Server sent a DHCPNACK message).
04/02/2011 8:47:26 AM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.100.168 for the Network Card with network address 001F3B31C627 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).

==== End Of File ===========================

Attached Files

  • GMER.TXT (6.51KB)


#4 CatByte
Classroom Administrator, MVP, 21,060 posts

Posted 08 February 2011 - 05:24 PM

Hi,

Please do the following.

Refer to the ComboFix User's Guide

  • Download ComboFix from one of these locations:

    Link 1
    Link 2

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.

    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.


Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#5 lmacri
Authentic Member, 37 posts

Posted 09 February 2011 - 12:26 PM

Hi CatByte:

Here's the contents of my ComboFix log.

__________________________

ComboFix 11-02-08.05 - Lori 09/02/2011 11:24:38.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.3070.2131 [GMT -6:00]
Running from: c:\users\Lori\Desktop\ComboFix.exe
AV: Norton Internet Security *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\KBL.LOG

.
((((((((((((((((((((((((( Files Created from 2011-01-09 to 2011-02-09 )))))))))))))))))))))))))))))))
.

2011-02-09 17:31 . 2011-02-09 17:35 -------- d-----w- c:\users\Lori\AppData\Local\temp
2011-02-09 17:31 . 2011-02-09 17:31 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-02-09 17:31 . 2011-02-09 17:31 -------- d-----w- c:\users\Backup Administrator\AppData\Local\temp
2011-02-09 14:43 . 2010-10-15 14:08 3602320 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-02-09 14:43 . 2010-10-15 13:48 1205080 ----a-w- c:\windows\system32\ntdll.dll
2011-02-09 14:43 . 2010-10-15 14:08 3550096 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-02-09 14:43 . 2010-12-31 13:57 2039808 ----a-w- c:\windows\system32\win32k.sys
2011-02-07 14:50 . 2011-01-13 09:41 5890896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B7ADAF8F-9607-41F1-9F2D-FBDABA91919B}\mpengine.dll
2011-02-03 23:16 . 2011-02-03 23:16 126512 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-02-03 23:15 . 2011-02-03 23:15 -------- d-----w- c:\windows\system32\drivers\NIS
2011-02-03 23:15 . 2011-02-03 23:15 -------- d-----w- c:\program files\Norton Internet Security
2011-02-03 21:41 . 2011-02-03 21:41 -------- d-----w- c:\program files\NortonInstaller(236)
2011-02-03 14:54 . 2011-02-03 14:54 388096 ----a-r- c:\users\Lori\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-02-03 14:54 . 2011-02-03 22:41 -------- d-----w- c:\program files\Trend Micro
2011-02-03 14:25 . 2011-02-09 15:04 -------- d-----w- c:\windows\system32\catroot2
2011-02-01 20:53 . 2011-02-03 23:00 -------- d-----w- c:\program files\iPod
2011-02-01 20:53 . 2011-02-03 23:00 -------- d-----w- c:\program files\iTunes
2011-02-01 16:37 . 2011-02-01 16:37 -------- d-----w- C:\$RECYCLE(6).BIN
2011-01-26 15:46 . 2011-01-26 15:48 -------- d-----w- C:\288b594930c641eac4
2011-01-21 17:09 . 2011-01-21 17:09 -------- d-----w- c:\users\Lori\AppData\Local\Secunia PSI
2011-01-21 03:40 . 2011-01-21 03:40 -------- d-----w- c:\users\Lori\AppData\Local\Mozilla
2011-01-20 19:54 . 2011-01-20 19:54 -------- d-----w- c:\users\Lori\AppData\Roaming\Foxit Software
2011-01-18 18:44 . 2011-02-03 22:41 -------- d-----w- c:\users\Lori\AppData\Local\QuickPlay
2011-01-15 22:58 . 2011-01-15 22:58 -------- d-----w- c:\program files\GPLGS
2011-01-15 22:41 . 2009-11-05 13:39 87552 ----a-w- c:\windows\system32\cpwmon2k.dll
2011-01-12 15:00 . 2010-12-28 15:55 413696 ----a-w- c:\windows\system32\odbc32.dll
2011-01-12 15:00 . 2010-12-28 15:53 708608 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
2011-01-12 15:00 . 2010-12-28 15:53 253952 ----a-w- c:\program files\Common Files\System\ado\msadox.dll
2011-01-12 15:00 . 2010-12-28 15:53 241664 ----a-w- c:\program files\Common Files\System\ado\msadomd.dll
2011-01-12 15:00 . 2010-12-28 15:53 57344 ----a-w- c:\program files\Common Files\System\msadc\msadcs.dll
2011-01-12 15:00 . 2010-12-28 15:53 180224 ----a-w- c:\program files\Common Files\System\msadc\msadco.dll
2011-01-12 15:00 . 2010-12-14 14:49 1169408 ----a-w- c:\windows\system32\sdclt.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-20 19:39 . 2009-08-01 02:02 2989660 ----a-w- c:\programdata\DVD.exe
2011-01-18 21:25 . 2009-08-01 02:02 2864396 ----a-w- c:\programdata\MPV.exe
2011-01-18 21:21 . 2009-08-01 02:02 2331174 ----a-w- c:\programdata\Karaoke.exe
2010-12-21 00:09 . 2010-05-03 21:00 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-21 00:08 . 2010-05-03 21:00 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-11 04:14 . 2010-04-16 19:47 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-29 23:38 . 2010-11-29 23:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 23:38 . 2010-11-29 23:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\programdata\Macrovision\FLEXnet Connect\6\ISUSPM.exe" [2007-07-12 226904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2009-10-26 1458176]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-12-04 186904]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-06-09 7539232]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
"OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-11-01 554288]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-10-03 13826664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux4"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\G:\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R4 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1205000.07D\SYMDS.SYS [2010-10-21 340016]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1205000.07D\SYMEFA.SYS [2010-11-18 652336]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\BASHDefs\20110114.001\BHDrvx86.sys [2010-11-23 691248]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\IPSDefs\20110208.003\IDSvix86.sys [2010-11-11 353912]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1205000.07D\Ironx86.SYS [2010-11-16 136312]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\NIS\1205000.07D\SYMTDIV.SYS [2010-12-01 330360]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2010-12-21 363344]
S2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\18.5.0.125\ccSvcHst.exe [2010-11-24 130000]
S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\Drivers\ATSwpWDF.sys [2008-10-02 482176]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-02-04 102448]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-12-21 20952]
S3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-11-17 3668480]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-08-23 22:34 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2011-02-09 c:\windows\Tasks\User_Feed_Synchronization-{8379694C-F8AF-4C5E-A380-BEA99E17B597}.job
- c:\windows\system32\msfeedssync.exe [2011-02-09 04:47]

2010-08-10 c:\windows\Tasks\WebUpdate.job
- c:\program files\Smart PC Utilities\Vista Services Optimizer\WebUpdate.exe [2010-07-04 22:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=81&bd=Pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\users\Lori\AppData\Roaming\Mozilla\Firefox\Profiles\t8xvl799.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Norton IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\IPSFFPlgn
FF - Ext: Norton Toolbar: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62} - c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\coFFPlgn
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Mozilla Archive Format: {7f57cf46-4467-4c2d-adfa-0cba7c507e54} - %profile%\extensions\{7f57cf46-4467-4c2d-adfa-0cba7c507e54}
FF - Ext: Bookmark Duplicate Detector: {ba243cb0-b824-4a26-9418-73ee795d9b9d} - %profile%\extensions\{ba243cb0-b824-4a26-9418-73ee795d9b9d}
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SynTPEnh - %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-09 11:35
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\18.5.0.125\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\18.5.0.125\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:00000020
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(544)
c:\windows\system32\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
c:\program files\HP\QuickPlay\Kernel\TV\QPSched.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\DllHost.exe
c:\windows\system32\DllHost.exe
c:\windows\system32\nvvsvc.exe
c:\windows\system32\conime.exe
c:\program files\Synaptics\SynTP\SynTPEnh.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
.
**************************************************************************
.
Completion time: 2011-02-09 11:41:00 - machine was rebooted
ComboFix-quarantined-files.txt 2011-02-09 17:40

Pre-Run: 145,051,992,064 bytes free
Post-Run: 144,652,087,296 bytes free

- - End Of File - - 816ABD85B97F29F086204C2AADE115ED

#6 lmacri
Authentic Member, 37 posts

Posted 09 February 2011 - 01:15 PM

Hi CatByte:

I may have some good news.

Is it possible that the ComboFix scan actually made some changes to my system? The first time I tried to open the ComboFix log on my desktop I got an error message (something about a registry key requiring deletion) so I re-booted my computer and tried running ComboFix again.

I noticed my desktop had a new icon for Internet Explorer 8, and when I used that icon to start IE 8, I was able to browse to the Microsoft Update website (www.update.microsoft.com) with no errors and I was also able to re-configure Windows Update to look for optional Microsoft Updates. I ran Windows Update and it found two new optional Microsoft updates for Windows Live Essentials and Microsoft Silverlight that weren't detected earlier this morning.

I'm still getting those odd messages in NIS 2011 about being connected to a protected network 127.0.0.0 and the network adapter on Software Loopback Interface 1 (IP address 127.0.0.1), so maybe I'm still having problems with a corrupted Hosts file or NIS installation. Do you have any objection to me uninstalling NIS 2011, running the Norton Removal Tool and trying a clean re-install of NIS 2011 to see if that solves the problem?

--------

Vista Home Premium 32-bit SP2 * IE 8 * Firefox 3.6.13 * NIS 2011 v. 18.5.0.125 * MBAM v. 1.5.1.1100 * HijackThis v. 2.0.4
HP Pavilion dv6835ca, Intel Core2Duo CPU T5550 @ 1.83 GHz, 3.0 GB RAM, NVIDIA GeForce 8400 GS

#7 CatByte
Classroom Administrator, MVP, 21,060 posts

Posted 09 February 2011 - 07:15 PM

Hi

Yes, completely uninstall NIS and see if that helps.

Please do the following:

  • Please open your Malwarebytes' Anti-Malware program
  • Click the Update tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE, name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish



#8 lmacri
Authentic Member, 37 posts

Posted 10 February 2011 - 12:48 PM

Hi CatByte:

Here are my MBAM Quick Scan (no infections) and ESET Online Scan (1 possible infection - Win32/Agent.HZHBURL trojan) results. I'm not sure if it's relevant, but I don't think I've ever installed AOL Instant Messenger (or any other instant messaging software) on my machine, unless it was installed at the factory as bundled software and I uninstalled it after purchasing my PC. As instructed, I did not ask ESET to remove this possible infection. I actually ran a MBAM Full Scan last night and no problems were detected. The MBAM log for that full scan is attached.

__________________________________________________________

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5731

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19019

10/02/2011 8:48:50 AM
mbam-log-2011-02-10 (08-48-50).txt

Scan type: Quick scan
Objects scanned: 163108
Time elapsed: 4 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

_________________________________________

Contents of ESET Online Scan Results:

C:\SWSetup\AOLIMS\setup.exe probably a variant of Win32/Agent.HZHBURL trojan


#9 CatByte
Classroom Administrator, MVP, 21,060 posts

Posted 10 February 2011 - 07:04 PM

That entry is a false positive; it's the AOL Instant Messenger setup file, which was likely bundled with software when you bought the computer. If you have no use for it, navigate to the AOL folder and delete it.

NEXT


Please post a fresh DDS Log and advise how your computer is running now and if there are any outstanding issues.



#10 lmacri
Authentic Member, 37 posts

Posted 11 February 2011 - 08:51 AM

Hi CatByte:

Here are my new DDS logs.

Please read my next post regarding NIS 2011 script blocking and let me know if it would be prudent to re-post a HijackThis and GMER log. I ran DDS today with every feature in NIS 2011 disabled.

I'm not entirely sure if I still have a problem on my PC or not. I still can't run Secunia PSI 2.0 security software over my dial-up Internet connection (it runs fine over an insecure public WiFi connection). I originally thought this was a bug in the Secunia PSI software since other users in the Secunia forum are having similar problems using PSI 2.0, but now I'm beginning to wonder if this NIS protected network on adapter "Software Loopback Interface 1" (IP address: 127.0.0.1) is part of the problem.

I don't know why ComboFix was able to purge my IE 8 browser history and get Microsoft Update working again when I was unable to reset my IE 8 browser manually, but I suspect it has something to do with the fact that all features in NIS 2011 were completely disabled when I ran ComboFix.

I still haven't tried a clean re-install of NIS 2011, by the way. I was waiting to hear your opinion on the possible Win32/Agent.HZHBURL trojan detected by ESET before trying the re-install. Glad to hear it's a false positive.


___________________________

DDS (Ver_10-12-12.02) - NTFSx86
Run by Lori at 7:05:36.14 on 11/02/2011
Internet Explorer: 8.0.6001.19019
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.3070.2056 [GMT -6:00]

AV: Norton Internet Security *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton Internet Security\Engine\18.5.0.125\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Norton Internet Security\Engine\18.5.0.125\ccSvcHst.exe
C:\Windows\Explorer.EXE
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe
c:\Windows\System32\wbem\unsecapp.exe
c:\Windows\System32\wbem\WmiPrvSE.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\conime.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\taskeng.exe
c:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Lori\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=81&bd=Pavilion&pf=laptop
BHO: DigitalPersona Personal Extension: {395610ae-c624-4f58-b89e-23733ea00f9a} - c:\program files\digitalpersona\bin\DpOtsPluginIe8.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\18.5.0.125\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\18.5.0.125\ips\IPSBHO.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\18.5.0.125\coIEPlg.dll
uRun: [ISUSPM] "c:\programdata\macrovision\flexnet connect\6\ISUSPM.exe" -scheduler
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [OnScreenDisplay] c:\program files\hewlett-packard\hp quicktouch\HPKBDAPP.exe
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1295533249443
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1263496178158
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1295533886492
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {80AEEC0E-A2BE-4B8D-985F-350FE869DC40} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsVista.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\users\lori\appdata\roaming\mozilla\firefox\profiles\t8xvl799.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: network.proxy.type - 0
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\coffplgn\components\coFFPlgn.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Norton IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\IPSFFPlgn
FF - Ext: Norton Toolbar: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62} - c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\coFFPlgn
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Mozilla Archive Format: {7f57cf46-4467-4c2d-adfa-0cba7c507e54} - %profile%\extensions\{7f57cf46-4467-4c2d-adfa-0cba7c507e54}
FF - Ext: Bookmark Duplicate Detector: {ba243cb0-b824-4a26-9418-73ee795d9b9d} - %profile%\extensions\{ba243cb0-b824-4a26-9418-73ee795d9b9d}

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1205000.07d\SymDS.sys [2011-2-3 340016]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1205000.07d\SymEFA.sys [2011-2-3 652336]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\definitions\bashdefs\20110114.001\BHDrvx86.sys [2011-2-4 691248]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\definitions\ipsdefs\20110209.001\IDSvix86.sys [2011-2-10 353912]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1205000.07d\Ironx86.sys [2011-2-3 136312]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nis\1205000.07d\symtdiv.sys [2011-2-3 330360]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-5-3 363344]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\18.5.0.125\ccSvcHst.exe [2011-2-3 130000]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2008-10-2 482176]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-2-9 102448]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-5-3 20952]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S4 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2009-7-29 193840]

=============== Created Last 30 ================

2011-02-10 14:55:11 -------- d-----w- c:\program files\ESET
2011-02-09 18:34:28 -------- d-----w- c:\users\lori\appdata\local\WindowsUpdate
2011-02-09 18:15:25 -------- d-----w- c:\users\lori\appdata\local\temp
2011-02-09 18:14:52 -------- d-sh--w- C:\$RECYCLE.BIN
2011-02-09 18:06:31 -------- d-----w- C:\ComboFix
2011-02-09 17:22:12 98816 ----a-w- c:\windows\sed.exe
2011-02-09 17:22:12 89088 ----a-w- c:\windows\MBR.exe
2011-02-09 17:22:12 256512 ----a-w- c:\windows\PEV.exe
2011-02-09 17:22:12 161792 ----a-w- c:\windows\SWREG.exe
2011-02-09 14:43:05 3602320 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-02-09 14:43:05 1205080 ----a-w- c:\windows\system32\ntdll.dll
2011-02-09 14:43:04 3550096 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-02-09 14:43:02 2039808 ----a-w- c:\windows\system32\win32k.sys
2011-02-07 14:50:02 5890896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{b7adaf8f-9607-41f1-9f2d-fbdaba91919b}\mpengine.dll
2011-02-03 23:16:54 126512 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-02-03 23:16:38 652336 ----a-r- c:\windows\system32\drivers\nis\1205000.07d\SymEFA.sys
2011-02-03 23:16:38 509560 ----a-r- c:\windows\system32\drivers\nis\1205000.07d\srtsp.sys
2011-02-03 23:16:38 50168 ----a-r- c:\windows\system32\drivers\nis\1205000.07d\srtspx.sys
2011-02-03 23:16:38 340016 ----a-r- c:\windows\system32\drivers\nis\1205000.07d\SymDS.sys
2011-02-03 23:16:38 330360 ----a-r- c:\windows\system32\drivers\nis\1205000.07d\symtdiv.sys
2011-02-03 23:16:38 295032 ----a-r- c:\windows\system32\drivers\nis\1205000.07d\symnets.sys
2011-02-03 23:16:38 136312 ----a-r- c:\windows\system32\drivers\nis\1205000.07d\Ironx86.sys
2011-02-03 23:15:28 -------- d-----w- c:\windows\system32\drivers\nis\1205000.07D
2011-02-03 23:15:28 -------- d-----w- c:\windows\system32\drivers\NIS
2011-02-03 23:15:18 -------- d-----w- c:\program files\Norton Internet Security
2011-02-03 21:41:25 -------- d-----w- c:\program files\Norton Internet Security(234)
2011-02-03 21:41:01 -------- d-----w- c:\program files\NortonInstaller(236)
2011-02-03 14:54:04 388096 ----a-r- c:\users\lori\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-02-03 14:54:03 -------- d-----w- c:\program files\Trend Micro
2011-02-03 14:25:42 -------- d-----w- c:\windows\system32\catroot2(295)
2011-02-03 14:25:42 -------- d-----w- c:\windows\system32\catroot2
2011-02-01 20:53:57 -------- d-----w- c:\program files\iPod(164)
2011-02-01 20:53:57 -------- d-----w- c:\program files\iPod
2011-02-01 20:53:54 -------- d-----w- c:\program files\iTunes(165)
2011-02-01 20:53:54 -------- d-----w- c:\program files\iTunes
2011-02-01 16:37:39 -------- d-----w- C:\$RECYCLE(6).BIN
2011-01-26 15:46:12 -------- d-----w- C:\288b594930c641eac4
2011-01-21 17:09:59 -------- d-----w- c:\users\lori\appdata\local\Secunia PSI
2011-01-21 03:40:51 -------- d-----w- c:\users\lori\appdata\local\Mozilla
2011-01-20 19:54:04 -------- d-----w- c:\users\lori\appdata\roaming\Foxit Software
2011-01-18 18:44:27 -------- d-----w- c:\users\lori\appdata\local\QuickPlay
2011-01-15 22:58:41 -------- d-----w- c:\program files\GPLGS
2011-01-15 22:41:32 87552 ----a-w- c:\windows\system32\cpwmon2k.dll
2011-01-12 15:00:45 708608 ----a-w- c:\program files\common files\system\ado\msado15.dll
2011-01-12 15:00:45 413696 ----a-w- c:\windows\system32\odbc32.dll
2011-01-12 15:00:44 57344 ----a-w- c:\program files\common files\system\msadc\msadcs.dll
2011-01-12 15:00:44 253952 ----a-w- c:\program files\common files\system\ado\msadox.dll
2011-01-12 15:00:44 241664 ----a-w- c:\program files\common files\system\ado\msadomd.dll
2011-01-12 15:00:44 180224 ----a-w- c:\program files\common files\system\msadc\msadco.dll
2011-01-12 15:00:39 1169408 ----a-w- c:\windows\system32\sdclt.exe

==================== Find3M ====================

2011-01-20 19:39:56 2989660 ----a-w- c:\progra~2\DVD.exe
2011-01-20 16:08:16 478720 ----a-w- c:\windows\system32\dxgi.dll
2011-01-20 16:08:06 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-01-20 16:08:06 189952 ----a-w- c:\windows\system32\d3d10core.dll
2011-01-20 16:08:06 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2011-01-20 16:08:06 1029120 ----a-w- c:\windows\system32\d3d10.dll
2011-01-20 16:07:58 37376 ----a-w- c:\windows\system32\cdd.dll
2011-01-20 16:07:42 258048 ----a-w- c:\windows\system32\winspool.drv
2011-01-20 16:07:16 586240 ----a-w- c:\windows\system32\stobject.dll
2011-01-20 16:06:38 2873344 ----a-w- c:\windows\system32\mf.dll
2011-01-20 16:06:35 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-01-20 16:04:54 98816 ----a-w- c:\windows\system32\mfps.dll
2011-01-20 16:04:54 209920 ----a-w- c:\windows\system32\mfplat.dll
2011-01-20 14:28:38 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2011-01-20 14:27:50 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-20 14:26:30 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-01-20 14:25:25 847360 ----a-w- c:\windows\system32\OpcServices.dll
2011-01-20 14:24:32 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-01-20 14:24:26 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-01-20 14:15:10 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-01-20 14:14:39 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-01-20 14:14:03 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2011-01-20 14:14:03 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-01-20 14:12:46 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2011-01-20 14:11:34 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2011-01-20 13:47:51 683008 ----a-w- c:\windows\system32\d2d1.dll
2011-01-20 13:44:05 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-01-20 13:44:03 797184 ----a-w- c:\windows\system32\FntCache.dll
2011-01-18 21:25:41 2864396 ----a-w- c:\progra~2\MPV.exe
2011-01-18 21:21:09 2331174 ----a-w- c:\progra~2\Karaoke.exe
2011-01-08 08:47:50 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-08 06:28:49 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-12-18 06:27:04 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-18 06:22:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-18 06:22:27 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-18 06:22:11 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-12-18 06:22:11 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-12-18 05:25:26 385024 ----a-w- c:\windows\system32\html.iec
2010-12-18 04:48:39 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-12-18 04:47:11 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-12-11 04:14:26 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-29 23:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 23:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts

============= FINISH: 7:06:11.16 ===============

_________________________________________________________________


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 17/03/2008 6:04:40 AM
System Uptime: 11/02/2011 5:46:33 AM (2 hours ago)

Motherboard: Quanta | | 30D2
Processor: Intel® Core™2 Duo CPU T5550 @ 1.83GHz | U2E1 | 1000/667mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 221 GiB total, 131.652 GiB free.
D: is FIXED (NTFS) - 12 GiB total, 1.564 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft ISATAP Adapter
Device ID: ROOT\*ISATAP\0001
Manufacturer: Microsoft
Name: Microsoft ISATAP Adapter #2
PNP Device ID: ROOT\*ISATAP\0001
Service: tunnel

==== System Restore Points ===================

RP1420: 27/01/2011 5:06:02 PM - Windows Backup
RP1421: 28/01/2011 12:34:13 PM - Scheduled Checkpoint
RP1422: 29/01/2011 3:34:35 PM - Windows Update
RP1423: 31/01/2011 6:06:07 PM - Scheduled Checkpoint
RP1424: 01/02/2011 8:58:35 AM - Windows Update
RP1425: 01/02/2011 10:56:27 AM - Installed Microsoft Fix it 50202
RP1427: 01/02/2011 2:00:34 PM - Made by Norton Utilities
RP1428: 01/02/2011 2:45:47 PM - Device Driver Package Install: Apple, Inc. Universal Serial Bus controllers
RP1429: 01/02/2011 2:46:11 PM - Device Driver Package Install: Apple Network adapters
RP1430: 01/02/2011 2:47:12 PM - Installed iTunes
RP1431: 01/02/2011 2:51:26 PM - Installed iTunes
RP1432: 03/02/2011 7:51:09 AM - Installed Microsoft Fix it 50202
RP1433: 03/02/2011 8:07:13 AM - Installed Microsoft Fix it 50202
RP1434: 03/02/2011 8:53:26 AM - Installed HiJackThis
RP1435: 03/02/2011 12:44:03 PM - Windows Backup
RP1437: 03/02/2011 3:49:00 PM - Configured YouCam
RP1439: 03/02/2011 3:50:46 PM - Configured YouCam
RP1441: 03/02/2011 3:53:43 PM - Configured YouCam
RP1442: 04/02/2011 7:38:47 AM - Windows Modules Installer
RP1443: 07/02/2011 8:43:36 AM - Windows Update
RP1444: 07/02/2011 11:47:46 PM - Scheduled Checkpoint
RP1445: 08/02/2011 5:17:19 PM - Scheduled Checkpoint
RP1446: 09/02/2011 8:43:10 AM - Windows Update
RP1447: 09/02/2011 9:05:05 AM - Windows Update
RP1448: 09/02/2011 3:49:47 PM - Post ComboFix Windows Update Fix
RP1449: 09/02/2011 5:27:17 PM - Windows Backup

==== Installed Programs ======================

32 Bit HP CIO Components Installer
AceMoney Lite
Activation Assistant for the 2007 Microsoft Office suites
ActiveCheck component for HP Active Support Library
Adobe Flash Player 10 ActiveX
Adobe Shockwave Player
AIO_Scan
Analyse-it for Microsoft Excel
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Auslogics Duplicate File Finder
AuthenTec Fingerprint Sensor Minimum Install
Bonjour
BufferChm
C5200
C5200_Help
CCleaner
Copy
CutePDF Writer 2.8
Defraggler
Destination Component
DeviceDiscovery
DeviceManagementQFolder
DigitalPersona Personal 4.11
DocProc
DocProcQFolder
Driver Detective
DVD Suite
ESET Online Scanner v3
eSupportQFolder
Fax
FileHippo.com Update Checker
Foxit Reader
Fund Manager
GPBaseService
GPBaseService2
Hauppauge MCE XP/Vista Software Encoder (2.0.25149)
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Active Support Library
HP Customer Experience Enhancements
HP Doc Viewer
HP Driver Diagnostics
HP Easy Setup - Frontend
HP Help and Support
HP Imaging Device Functions 10.0
HP Integrated Module with Bluetooth wireless technology 6.0.1.6000
HP Photosmart All-In-One Driver Software 10.0 Rel .2
HP Product Detection
HP Quick Launch Buttons 6.40 H2
HP QuickPlay 3.7
HP QuickTouch 1.00 D2
HP Solution Center 13.0
HP Update
HP User Guides 0087
HP Wireless Assistant
HPAsset component for HP Active Support Library
HPNetworkAssistant
HPProductAssistant
Intel® Matrix Storage Manager
iTunes
Java Auto Updater
Java™ 6 Update 23
LabelPrint
LightScribe System Software 1.10.13.1
LiveUpdate (Symantec Corporation)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Money 2005
Microsoft Office 2000 SR-1 Professional
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Moneydance 2010
Motorola SM56 Speakerphone Modem
Mozilla Firefox (3.6.13)
MSVCSetup
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
My HP Games
Norton Internet Security
Norton Utilities
NVIDIA Drivers
OCR Software by I.R.I.S. 10.0
PanoStandAlone
PerformanceTest
PS_AIO_02_ProductContext
PS_AIO_02_Software
PS_AIO_02_Software_Min
PVSonyDll
QuickTime
Realtek 8169, 8168, 8101E and 8102E Ethernet Network Card Driver for Windows Vista
Realtek High Definition Audio Driver
Registry First Aid
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.52.02
Scan
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Visual Basic for Applications 6.5 (KB974945)
SolutionCenter
Status
Symantec Technical Support Web Controls
Synaptics Pointing Device Driver
Toolbox
TrayApp
UnloadSupport
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Viewpoint Media Player
Vista Services Optimizer
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WeatherBug Gadget
WebReg
Windows Live Install Wizard
WinRAR archiver

==== Event Viewer Messages From Past Week ========

09/02/2011 12:13:49 PM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
09/02/2011 10:14:35 AM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {E60687F7-01A1-40AA-86AC-DB1CBF673334} to the user Lori-PC\Lori SID (S-1-5-21-3086198521-800258848-3831315664-1000) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
08/02/2011 10:29:41 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service.
07/02/2011 10:25:19 PM, Error: EventLog [6008] - The previous system shutdown at 10:22:16 PM on 07/02/2011 was unexpected.
04/02/2011 9:01:38 AM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.101.164 for the Network Card with network address 001F3B31C627 has been denied by the DHCP server 192.168.100.254 (The DHCP Server sent a DHCPNACK message).
04/02/2011 8:47:26 AM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.100.168 for the Network Card with network address 001F3B31C627 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).

==== End Of File ===========================
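The DistributedCOM 10016 entry in the Event Viewer section above says the user's SID lacks Local Activation on CLSID {E60687F7-01A1-40AA-86AC-DB1CBF673334}. The script below is an added example, not something posted in this thread: it pulls the DCOM launch/activation ACL that DCOM actually evaluated for that CLSID (the per-AppID LaunchPermission, or the machine-wide default when the AppID has none), decodes every ACE, and checks whether the current token holds the ActivateLocal bit. It only reads HKCR and HKLM, so it needs no elevation; run it as the user named in the event, since an elevated prompt carries different group SIDs and would answer a different question. The COM_RIGHTS_* bit values are the documented DCOM access-mask bits; nothing else is assumed.

```powershell
# Added example, not part of the original thread: decode the DCOM launch/activation
# ACL behind the DistributedCOM 10016 event and test the current token for
# Local Activation. Run as the user named in the event, without elevation.
$Clsid = '{E60687F7-01A1-40AA-86AC-DB1CBF673334}'   # CLSID quoted in the 10016 event

# COM_RIGHTS_* bits carried in a DCOM launch/activation access mask.
$ComRights = @{
    Execute        = 0x01
    ExecuteLocal   = 0x02
    ExecuteRemote  = 0x04
    ActivateLocal  = 0x08   # the right the 10016 event reports as missing
    ActivateRemote = 0x10
}

function Get-DcomLaunchDescriptor {
    param([string]$Clsid)
    # The CLSID names the class; its AppID value points at the key that holds the
    # DCOM security settings (LaunchPermission / AccessPermission).
    $appId  = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid" -ErrorAction Stop).AppID
    $appKey = $null
    if ($appId) { $appKey = Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\AppID\$appId" -ErrorAction SilentlyContinue }
    if ($appKey -and $appKey.LaunchPermission) {
        $bytes  = $appKey.LaunchPermission          # REG_BINARY: self-relative security descriptor
        $source = "HKCR\AppID\$appId\LaunchPermission"
    } else {
        # No per-AppID ACL, so the machine-wide default under the Ole key applies.
        $bytes  = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole').DefaultLaunchPermission
        $source = 'HKLM\SOFTWARE\Microsoft\Ole\DefaultLaunchPermission'
    }
    $sd = New-Object -TypeName System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $bytes, 0
    New-Object PSObject -Property @{ AppID = $appId; Source = $source; Descriptor = $sd }
}

function ConvertTo-ComRightNames {
    param([int]$Mask)
    $names = foreach ($r in $ComRights.GetEnumerator()) { if ($Mask -band $r.Value) { $r.Key } }
    ($names | Sort-Object) -join ','
}

function Test-DcomLocalActivation {
    param([System.Security.AccessControl.RawSecurityDescriptor]$Descriptor)
    # SIDs the current token carries: the user plus every group SID in the token.
    $token  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mySids = @($token.User.Value) + @($token.Groups | ForEach-Object { $_.Value })
    $granted = $false
    foreach ($ace in $Descriptor.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $who = $sid.Value }
        Write-Host ('{0,-13} {1,-45} {2}' -f $ace.AceType, $who, (ConvertTo-ComRightNames $ace.AccessMask))
        if (($mySids -notcontains $sid.Value) -or -not ($ace.AccessMask -band $ComRights.ActivateLocal)) { continue }
        # A canonical DACL lists denies before allows, so a matching deny settles it.
        if ($ace.AceType -eq 'AccessDenied') { return $false }
        $granted = $true
    }
    return $granted
}

$info = Get-DcomLaunchDescriptor -Clsid $Clsid
"AppID    : $($info.AppID)"
"ACL from : $($info.Source)"
"SDDL     : $($info.Descriptor.GetSddlForm('All'))"
$ok = Test-DcomLocalActivation -Descriptor $info.Descriptor
"Local Activation for $env:USERDOMAIN\$env:USERNAME : " + $(if ($ok) { 'granted' } else { 'denied, consistent with event 10016' })
```

If the ACL comes from the AppID key, the "Source" line tells you which key Component Services would be editing; if it falls back to DefaultLaunchPermission, the problem is machine-wide, not specific to Windows Update, and fixing one AppID in dcomcnfg will not cure it.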


#11 lmacri

lmacri

    Authentic Member

  • Authentic Member
  • PipPip
  • 37 posts

Posted 11 February 2011 - 09:02 AM

Hi CatByte:

Here's my question about disabling script blocking in NIS 2011.

I checked the instructions in the link you provided at http://www.techsuppo...plications.html and read the instructions under the Norton Script Blocking section but I couldn't find any NIS 2011 settings specifically related to script blocking. I also searched the NIS 2011 help files for "script blocking" but didn't find anything.

I disabled the AntiVirus Auto-Protect from the NIS icon in my system tray before running HijackThis and GMER (as well as my initial run of DDS). However, I did the same thing with ComboFix and ComboFix warned me that I had not properly disabled my antivirus protection, so I opened the NIS main window and turned off every feature (e.g., Antispyware, Intrusion Protection, etc.) and ComboFix was able to run to completion.

It appears that disabling Antivirus Auto-Protect in NIS 2011 only disables the Antivirus, Sonar Protection and Download Intelligence features. I'm wondering if there is some other feature in NIS 2011 (e.g., Antispyware, Insight Protection, Norton Product Tamper Protection) that could have interfered with HijackThis, etc.

ESET seemed to run fine with only the AntiVirus Auto-Protect disabled. I didn't want to turn off every feature in NIS 2011 while I was running ESET because I was using a public WiFi connection with my IE 8 browser.

--------

Vista Home Premium 32-bit SP2 * IE 8 * Firefox 3.6.13 * NIS 2011 v. 18.5.0.125 * MBAM v. 1.5.1.1100 * HijackThis v. 2.0.4
HP Pavilion dv6835ca, Intel Core2Duo CPU T5550 @ 1.83 GHz, 3.0 GB RAM, NVIDIA GeForce 8400 GS

#12 lmacri

lmacri

    Authentic Member

  • Authentic Member
  • PipPip
  • 37 posts

Posted 11 February 2011 - 01:31 PM

Bad news. I decided to try a GMER (mi865h5d.exe) scan again in case you wanted me to post a new log and I can't get it to run.

If I disable the Antivirus Auto-Protect from the NIS 2011 icon in the system tray, the scan seems to stop while scanning \Device\Harddisk\VolumeShadowCopy1 and the application crashes (EventID 1000) with the following description:

Faulting application mi865h5d.exe, version 1.0.15.15530, time stamp 0x4cd7c3b7, faulting module mi865h5d.exe, version 1.0.15.15530, time stamp 0x4cd7c3b7, exception code 0xc0000005, fault offset 0x0000c551, process id 0x71c, application start time 0x01cbca1633163810.

I checked my NIS 2011 security history and the Norton Product Tamper Protection appears to be blocking GMER from running.

If I disable every feature in NIS 2011 (e.g., AntiVirus, AntiSpyware, Firewall, etc.) I get a blue screen of death (BSOD) and a warning that the system shut down to protect me from damage from kxldapod.sys. The BSOD error pointed to a file in C:\Users\Lori\AppData\Local\Temp\WER561A.tmp.version.txt, which has the following text:

Windows NT Version 6.0 Build: 6002 Service Pack 2
Product (0x3): Windows Vista ™ Home Premium
Edition: HomePremium
BuildString: 6002.18327.x86fre.vistasp2_gdr.101014-0432
Flavor: Multiprocessor Free
Architecture: X86
LCID: 1033

I booted up in Safe Mode and tried running GMER again but the results were the same. I downloaded a new copy of GMER to my desktop but had the same problem.

I've attached .JPGs showing the Norton Product Tamper Protection message as well as screenshots of the APPCRASH and BSOD error messages.

Attached Thumbnails

  • GMER_NIS_2011_Block_11_Feb_2011.jpg

Attached Images

  • GMER_APPCRASH_Message_11_Feb_2011.jpg
  • GMER_BSOD_Message_11_Feb_2011.jpg

Edited by lmacri, 11 February 2011 - 01:34 PM.


#13 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 11 February 2011 - 10:13 PM

Let's uninstall Norton for now, I think there are a couple of conflicts going on, the installation may have been corrupted.

use the Norton Removal Tool

  • Download the appropriate Norton Removal Tool from HERE and save it to your desktop.
  • Next Double click on Norton_Removal_Tool.exe to run the tool.
  • Follow the on-screen instructions.
  • Your computer may be restarted more than once, and you may be asked to repeat some steps after the computer restarts.


NEXT

Download TFC to your desktop
Mirror
  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job
  • Once its finished it should automatically reboot your machine,
  • if it doesn't, manually reboot to ensure a complete clean
It's normal after running TFC cleaner that the PC will be slower to boot the first time.



Please advise if there are any outstanding issues.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#14 lmacri

lmacri

    Authentic Member

  • Authentic Member
  • PipPip
  • 37 posts

Posted 13 February 2011 - 08:48 AM

Hi CatByte:

NIS 2011 doesn't appear to be the problem.

I uninstalled NIS 2011, ran the Norton Removal Tool (twice) and ran TFC.exe.

HijackThis is still throwing an error message about being unable to read my system Hosts file at C:\Windows\System32\drivers\etc\ and it still can't automatically save a log file.

GMER is still crashing (Application Error, EventID 1000, Task Category 100) around the time it tries to scan \Device\Harddisk\VolumeShadowCopy1.

A new MBAM Quick Scan still reports no detected infections.

I am currently using Windows Firewall and MBAM Pro 1.50 for system protection. Windows Defender is currently disabled.

MBAM protection was temporarily disabled when I tried running HijackThis and GMER.

I'm beginning to wonder if some of my problems could be related to a corrupted Hosts file. I looked at the contents again (posted below) and I can see a few stray comments left behind by Spybot - Search and Destroy v. 1.4.2.46 that I uninstalled on 24-Jul-2009. Spybot S&D threw an error message while the software was uninstalling (see attached .JPG) that may have messed something up.

--------

Vista Home Premium 32-bit SP2 * IE 8 * Firefox 3.6.13 * NIS 2011 v. 18.5.0.125 * MBAM v. 1.50.1.1100 * HijackThis v. 2.0.4
HP Pavilion dv6835ca, Intel Core2Duo CPU T5550 @ 1.83 GHz, 3.0 GB RAM, NVIDIA GeForce 8400 GS

_________________________

# Copyright © 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
::1 localhost
# Start of entries inserted by Spybot - Search & Destroy
# End of entries inserted by Spybot - Search & Destroy

Attached Thumbnails

  • Spybot_Uninstall_Error_July_2009.jpg

Edited by lmacri, 13 February 2011 - 08:51 AM.
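The hosts file quoted in the post above is the place a malware responder checks first, because a single line in it can silently redirect an update server or an AV vendor's site. The script below is an added example, not part of the original post. It parses the file the way the Windows resolver does (one "<address> <name> [<alias>...]" entry per line, '#' starting a comment, so lines such as the Spybot markers above are inert), and reports what actually matters: a name mapped to a non-loopback address, an update or AV domain mapped to anything at all, a repointed DataBasePath registry value, a hidden file, and any principal other than SYSTEM, Administrators or TrustedInstaller with write access. The domain watch list is an assumption for the example; extend it for your own environment. The sample block at the bottom is constructed, not the poster's file.

```powershell
# Added example, not part of the original post: audit a Windows hosts file for
# the indicators a malware responder looks for. Tested logic only; the watch list
# is an assumption for the example.
function Get-HostsEntry {
    param([string[]]$Lines)
    $n = 0
    foreach ($line in $Lines) {
        $n++
        $body = ($line -split '#', 2)[0].Trim()   # strip a trailing or whole-line comment
        if (-not $body) { continue }
        $fields = $body -split '\s+'
        if ($fields.Count -lt 2) { continue }     # an address with no name: the resolver ignores it
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            New-Object PSObject -Property @{ Line = $n; Address = $fields[0]; Name = $name.ToLower() }
        }
    }
}

# Assumed watch list for the example: domains that should never be pinned in hosts.
$WatchDomains = 'microsoft.com', 'windowsupdate.com', 'symantec.com', 'norton.com', 'malwarebytes.org'

function Test-HostsEntry {
    param($Entry)
    $loopback = @('127.0.0.1', '::1', '0.0.0.0') -contains $Entry.Address
    if ($Entry.Name -eq 'localhost' -and $loopback) { return $null }   # the Vista default lines
    $watched = $WatchDomains | Where-Object { $Entry.Name -eq $_ -or $Entry.Name.EndsWith('.' + $_) }
    if ($watched)       { return "line $($Entry.Line): $($Entry.Name) -> $($Entry.Address) (update/AV domain pinned)" }
    if (-not $loopback) { return "line $($Entry.Line): $($Entry.Name) -> $($Entry.Address) (redirected off-host)" }
    return "line $($Entry.Line): $($Entry.Name) -> $($Entry.Address) (blackholed)"
}

function Get-HostsFindings {
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts")
    # The resolver reads hosts from wherever DataBasePath points; a repointed value
    # is a classic way to make a clean-looking file irrelevant.
    $dbPath = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters').DataBasePath
    if ($dbPath -ne "$env:SystemRoot\System32\drivers\etc") { "registry: DataBasePath is '$dbPath'" }
    $item = Get-Item -LiteralPath $Path -Force          # -Force so a hidden file is still found
    if ($item.Attributes -band [IO.FileAttributes]::Hidden) { "attributes: $Path is hidden" }
    # Only SYSTEM, Administrators and TrustedInstaller should be able to write it.
    $writers = (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Write) -and
        $_.IdentityReference.Value -notmatch '^(NT AUTHORITY\\SYSTEM|BUILTIN\\Administrators|NT SERVICE\\TrustedInstaller)$'
    }
    foreach ($w in $writers) { "acl: $($w.IdentityReference.Value) can write $Path" }
    Get-HostsEntry -Lines (Get-Content -LiteralPath $Path -Force) |
        ForEach-Object { Test-HostsEntry $_ } | Where-Object { $_ }
}

# Constructed sample (not the poster's file) so the parser can be exercised offline.
$sample = @'
# comment-only line, ignored
127.0.0.1       localhost
::1             localhost
# Start of entries inserted by Spybot - Search & Destroy
# End of entries inserted by Spybot - Search & Destroy
127.0.0.1       www.update.microsoft.com   # would break Microsoft Update
203.0.113.7     www.google.ca
'@ -split "`r?`n"
Get-HostsEntry -Lines $sample | ForEach-Object { Test-HostsEntry $_ } | Where-Object { $_ }

# Against the live file (run from an account that can read it):
# Get-HostsFindings
```

On the constructed sample the two default localhost lines and the Spybot comment lines produce nothing; the pinned Microsoft Update name and the off-host Google redirect are each reported with their line number. For the live file, a hosts file that HijackThis cannot read is worth checking with the ACL and hidden-attribute parts of Get-HostsFindings before assuming the content is the problem.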


#15 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 13 February 2011 - 09:28 AM

OK

reset your restore points, then run the following:

  • press the Win key on the keyboard, type Restore then press enter to get to the System Restore section.
  • Click "Create a restore point" Click on the "Create" button to create a new restore point. You may be prompted for permission to continue - ALLOW it to continue. You'll be prompted for a name, and you might want to give it a useful name that you'll be able to easily identify later.
  • Click the Create button, and then the system will create the restore point.
  • When it's all finished, you'll get a message saying it's completed successfully.
  • You will now have a new restore point

Then remove all previous Restore Points
  • Click Win key on the keyboard, type cleanmgr to access the disk cleanup
  • choose all files on the computer, then choose the C: drive and press OK. Disk Cleanup calculates the files (this takes a few minutes), then another menu will pop up.
  • At the top, click on the More Options tab; under the System Restore and Shadow Copies group,
  • click the Clean up button.
  • You will be asked if you’re sure; click on the Delete button, then click OK > Delete Files.


next


  • Download OTL and save it to your desktop.
  • Double click on the OTL icon to run it.
  • Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top, make sure Standard output is selected.
  • Under the Extra Registry section, check Use SafeList
  • Download the following file scan.txt and save it to your Desktop. (You may need to right click on it and select "Save")
  • Double click inside the Custom Scan box at the bottom
  • A window will appear saying "Click Ok to load a custom scan from a file or Cancel to cancel"
  • Click the Ok button and navigate to the file scan.txt which we just saved to your desktop
  • Select scan.txt and click Open. Writing will now appear under the Custom Scan box
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time and post them in your topic

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015
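The restore-point steps in the post above ("create a fresh restore point, then delete all the older ones") have a scriptable equivalent. The block below is an added example, not part of the original post: it does the same thing from an elevated PowerShell 2.0 prompt (Vista gets PowerShell 2.0 through Windows Update), and it refuses to delete anything unless the new checkpoint really exists first. The point of discarding old restore points during a cleanup is that they can carry an infected copy of the system that a later rollback would bring back; the cost is that every earlier rollback target is gone, so the order of operations matters. The description text and the volume letter are assumptions for the example.

```powershell
# Added example, not part of the original post: the Disk Cleanup "keep only the
# newest restore point" sequence as a script. Run from an elevated prompt.
function Reset-RestorePoints {
    param(
        [string]$Volume      = 'C:',
        [string]$Description = 'Clean baseline before OTL scan'   # assumed label
    )
    # 1. New checkpoint first. Checkpoint-Computer throws if System Protection is
    #    off for the volume, which aborts the function before anything is deleted.
    Checkpoint-Computer -Description $Description -RestorePointType 'MODIFY_SETTINGS' -ErrorAction Stop
    $newest = Get-ComputerRestorePoint | Sort-Object SequenceNumber | Select-Object -Last 1
    if ($newest.Description -ne $Description) {
        throw "Restore point '$Description' was not created; nothing deleted."
    }
    # 2. Restore points live in VSS shadow copies; count the ones on this volume.
    $countShadows = { @(vssadmin list shadows "/for=$Volume" | Where-Object { $_ -match 'Shadow Copy ID:' }).Count }
    $before = & $countShadows
    # 3. Drop the oldest shadow copy until only the newest one (the checkpoint just
    #    made) is left. /oldest removes exactly one copy per call.
    for ($i = 1; $i -lt $before; $i++) {
        vssadmin delete shadows "/for=$Volume" /oldest /quiet | Out-Null
    }
    $after = & $countShadows
    New-Object PSObject -Property @{ Kept = $newest.Description; ShadowsBefore = $before; ShadowsAfter = $after }
}

Reset-RestorePoints -Volume 'C:' | Format-List
# What survived, for the record before the OTL scan is run:
Get-ComputerRestorePoint | Format-Table SequenceNumber, Description, CreationTime -AutoSize
```

If ShadowsAfter comes back as anything other than 1, a shadow copy on the volume was not created by System Restore (Windows Backup also uses VSS) and was not removed by the /oldest loop; list it with "vssadmin list shadows" before deciding whether it should go as well.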
