#16
This is Norton's report, same as last time: I downloaded Symantec's app, which did not clean it; they sent me to Kaspersky to download the TDSS app. You know their results.
I do not have a Vista Home Premium DVD to replace the infected sys; Cyberpower says Vista is no longer available to them.

Norton 360 Report: Backdoor.Tidserv.l!inf Virus, High Level, requires manual removal: c:\windows\winsxs\x86_microsoft-windows0t..llaboration-drivers_31bf3856ad364e35-6.0.6001.18000_none_064cf4b56d56d5c130dc\rdpencdd.sys
Low risk tracking cookies: cookie:administrator@at.atwola.com @pro-Market.net @doubleclick.net @rubiconproject.com @serving-sys.com @atdmt.com @ru4.com @revsci.net @tribalfusion.com @pixel.rubiconproject.com @advertising.com @quantserve.com @ad.yieldmanager.com (null)
#17
Things like this:

Error - 7/9/2012 7:31:50 PM | Computer Name = DEBORAH-PC | Source = disk | ID = 262151
Description = The device, \Device\Harddisk0\DR0, has a bad block.

sure suggest something is afoot there, and we need to get rid of those D drive services. Be sure to continue to temporarily disable any protective software when running the scan tools we use here.

Download ComboFix.exe from here to your desktop, then click that to run that scan. Agree to any warnings you might receive. A caution: do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Allow the scan to run. When completed a text window will appear; please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.
#18
ComboFix 12-07-11.03 - Administrator 07/11/2012 21:06:35.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2047.977 [GMT -4:00]
Running from: c:\users\Administrator\Downloads\ComboFix.exe
AV: Norton 360 *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton 360 *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton 360 *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-06-12 to 2012-07-12 )))))))))))))))))))))))))))))))
.
.
2012-07-12 01:15 . 2012-07-12 01:15 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-12 01:15 . 2012-07-12 01:15 -------- d-----w- c:\users\DEBORAH\AppData\Local\temp
2012-07-12 01:15 . 2012-07-12 01:15 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2012-07-11 15:31 . 2012-07-11 15:31 -------- d-----w- c:\users\Administrator\temp
2012-07-11 15:29 . 2012-07-11 15:29 -------- d-----w- c:\program files\TeamViewer
2012-07-11 11:21 . 2012-06-13 13:40 2047488 ----a-w- c:\windows\system32\win32k.sys
2012-07-11 11:20 . 2012-06-18 07:14 6762896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{0548BD12-C843-4CC8-BC52-76B03246D5FB}\mpengine.dll
2012-07-11 00:34 . 2012-06-05 16:47 708608 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
2012-07-11 00:34 . 2012-06-05 16:47 1401856 ----a-w- c:\windows\system32\msxml6.dll
2012-07-11 00:34 . 2012-06-05 16:47 1248768 ----a-w- c:\windows\system32\msxml3.dll
2012-07-11 00:34 . 2012-06-04 15:26 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-07-11 00:34 . 2012-06-02 00:04 278528 ----a-w- c:\windows\system32\schannel.dll
2012-07-11 00:34 . 2012-06-02 00:03 204288 ----a-w- c:\windows\system32\ncrypt.dll
2012-07-09 23:16 . 2012-07-09 23:16 -------- d-----w- c:\program files\CCleaner
2012-07-09 22:31 . 2012-07-09 22:31 -------- d-----w- c:\windows\048298C9A4D3490B9FF9AB023A9238F3.TMP
2012-07-08 15:40 . 2012-03-01 11:01 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2012-07-08 12:56 . 2012-07-08 12:56 -------- d-----w- C:\TDSSKiller_Quarantine
2012-07-07 04:40 . 2012-02-29 15:11 5120 ----a-w- c:\windows\system32\wmi.dll
2012-07-07 04:40 . 2012-02-29 15:11 172032 ----a-w- c:\windows\system32\wintrust.dll
2012-07-07 04:40 . 2012-02-29 15:09 157696 ----a-w- c:\windows\system32\imagehlp.dll
2012-07-07 04:40 . 2012-02-29 13:32 12800 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-07-07 04:31 . 2012-07-07 04:31 -------- d-----w- c:\users\Administrator\AppData\Local\Microsoft Help
2012-07-07 04:03 . 2012-03-01 14:46 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-07-07 04:03 . 2012-03-01 14:46 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2012-07-07 04:03 . 2012-02-29 14:08 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2012-07-07 04:03 . 2012-02-29 13:44 683008 ----a-w- c:\windows\system32\d2d1.dll
2012-07-07 04:03 . 2012-02-29 13:41 1069056 ----a-w- c:\windows\system32\DWrite.dll
2012-07-07 04:03 . 2011-02-22 14:13 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2012-07-07 04:03 . 2011-02-22 13:33 797696 ----a-w- c:\windows\system32\FntCache.dll
2012-07-07 04:02 . 2012-03-30 12:39 905600 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-07-07 04:02 . 2012-04-23 16:00 984064 ----a-w- c:\windows\system32\crypt32.dll
2012-07-07 04:02 . 2012-04-23 16:00 98304 ----a-w- c:\windows\system32\cryptnet.dll
2012-07-07 04:02 . 2012-04-23 16:00 133120 ----a-w- c:\windows\system32\cryptsvc.dll
2012-07-07 04:01 . 2012-02-01 15:11 1218048 ----a-w- c:\program files\Windows Journal\NBDoc.DLL
2012-07-07 04:01 . 2012-02-01 15:10 983040 ----a-w- c:\program files\Windows Journal\JNTFiltr.dll
2012-07-07 04:01 . 2012-02-01 15:10 964608 ----a-w- c:\program files\Windows Journal\JNWDRV.dll
2012-07-07 04:01 . 2012-02-01 15:10 936960 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2012-07-07 04:01 . 2012-02-01 15:10 1404928 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\InkObj.dll
2012-07-07 04:01 . 2012-02-01 13:58 47104 ----a-w- c:\program files\Windows Journal\PDIALOG.exe
2012-07-07 04:01 . 2012-03-20 23:28 53120 ----a-w- c:\windows\system32\drivers\partmgr.sys
2012-07-07 04:01 . 2011-03-12 21:55 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2012-07-07 04:01 . 2012-05-01 14:03 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-07-07 03:57 . 2011-03-03 15:40 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2012-07-07 03:57 . 2011-03-03 13:35 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2012-07-07 03:55 . 2012-04-03 08:16 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-07-07 03:55 . 2012-04-03 08:16 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-07-07 03:26 . 2012-06-02 22:19 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-07-07 03:26 . 2012-06-02 22:19 45080 ----a-w- c:\windows\system32\wups2.dll
2012-07-07 03:26 . 2012-06-02 22:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-07-07 03:26 . 2012-06-02 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-07-07 03:26 . 2012-06-02 22:19 35864 ----a-w- c:\windows\system32\wups.dll
2012-07-07 03:26 . 2012-06-02 22:12 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-07-07 03:26 . 2012-06-02 22:19 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-07-07 03:26 . 2012-06-02 19:19 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-07-07 03:26 . 2012-06-02 19:12 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-07-07 00:07 . 2012-07-07 00:07 -------- d-----w- c:\users\Administrator\AppData\Local\ElevatedDiagnostics
2012-07-06 23:40 . 2012-07-06 23:40 -------- d-----w- c:\users\Administrator\AppData\Local\Microsoft Corporation
2012-07-06 21:00 . 2012-07-06 21:20 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-06 18:51 . 2012-07-06 18:51 -------- d-----w- c:\program files\Common Files\Java
2012-07-06 18:50 . 2012-07-06 18:50 476936 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-07-06 18:49 . 2012-07-06 18:49 -------- d-----w- c:\programdata\McAfee
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-07 10:52 . 2008-01-21 02:24 6144 ----a-w- c:\windows\system32\drivers\RDPENCDD.SYS
2012-07-06 21:20 . 2011-06-02 20:49 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-06 18:50 . 2010-08-20 16:37 472840 ----a-w- c:\windows\system32\deployJava1.dll
2012-05-31 16:25 . 2010-01-05 21:27 237072 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"RtHDVCpl"="RtHDVCpl.exe" [2008-04-17 6111232]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^GamersFirst LIVE!.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\GamersFirst LIVE!.lnk
backup=c:\windows\pss\GamersFirst LIVE!.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Easy Dock]
2011-08-12 20:00 585728 ----a-w- c:\users\Administrator\Documents\RCA easyRip\EZDock.exe
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-11 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-06 21:24]
.
2012-07-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-16 02:36]
.
2012-07-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-16 02:36]
.
2012-07-12 c:\windows\Tasks\User_Feed_Synchronization-{7885945F-FB39-41AD-A3DC-DAFC6ED15725}.job
- c:\windows\system32\msfeedssync.exe [2011-06-09 21:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = 127.0.0.1:9421
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.0.1
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{88c7f2aa-f93f-432c-8f0e-b7d85967a527} - (no file)
URLSearchHooks-{5e5ab302-7f65-44cd-8211-c1d4caaccea3} - (no file)
HKLM-Run-Easy Dock - (no file)
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
Notify-!SASWinLogon - c:\program files\SUPERAntiSpyware\SASWINLO.DLL
AddRemove-{958AF490-810C-4D3E-AA82-EBA2CE41DA20} - c:\users\Administrator\AppData\Roaming\InstallShield Installation Information\{958AF490-810C-4D3E-AA82-EBA2CE41DA20}\setup.exe
.
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2098338943-1949750660-1627160459-500\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (Administrator)
"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,3b,1b,21,82,17,ef,65,9c,42,0b,aa,34,d7,a9,28,9c,14,16
"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,3b,1b,6f,c2,f8,ad,5a,92,bc,54,a9,e2,41,e0,c8,40,f4,1a
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,3b,1b,0c,14,cd,08,92,b8,ef,07,b0,99,bb,17,8d,64,fc,d6
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,3b,1b,74,c8,22,80,3d,1c,d3,0f,9b,c3,10,24,77,42,22,d3
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"=hex:51,66,7a,6c,4c,1d,3b,1b,f3,f3,f9,6f,26,3b,25,06,8d,dd,be,f0,9c,01,08,df
"{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}"=hex:51,66,7a,6c,4c,1d,3b,1b,1e,c7,38,70,c0,1a,7b,07,9f,ae,d4,9a,c5,95,e5,1d
"{6D53EC84-6AAE-4787-AEEE-F4628F01010C}"=hex:51,66,7a,6c,4c,1d,3b,1b,94,f0,41,7d,91,3a,eb,02,bb,e1,b5,22,8e,4b,40,19
.
[HKEY_USERS\S-1-5-21-2098338943-1949750660-1627160459-500\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (Administrator)
"Timestamp"=hex:0e,c6,e4,a4,e9,26,cc,01
.
[HKEY_USERS\S-1-5-21-2098338943-1949750660-1627160459-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ba,f8,96,06,a0,cd,6e,48,bd,7a,fa,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,99,7c,40,a5,c4,ac,51,45,a5,58,ba,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,93,be,1e,de,d6,56,5a,44,b5,26,5a,\
.
[HKEY_USERS\S-1-5-21-2098338943-1949750660-1627160459-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AIFF"
.
[HKEY_USERS\S-1-5-21-2098338943-1949750660-1627160459-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AIFF"
.
[HKEY_USERS\S-1-5-21-2098338943-1949750660-1627160459-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AIFF"
.
[HKEY_USERS\S-1-5-21-2098338943-1949750660-1627160459-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asf\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASF"
.
[HKEY_USERS\S-1-5-21-2098338943-1949750660-1627160459-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASX"
.
[HKEY_USERS\S-1-5-21-2098338943-1949750660-1627160459-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AU"
.
[HKEY_USERS\S-1-5-21-2098338943-1949750660-1627160459-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.avi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.avi"
.
[HKEY_USERS\S-1-5-21-2098338943-1949750660-1627160459-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cda\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.CDA"
.
[HKEY_USERS\S-1-5-21-2098338943-1949750660-1627160459-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DS_Store\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\iexplore.exe"
.
[HKEY_USERS\S-1-5-21-2098338943-1949750660-1627160459-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ips\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\notepad.exe"
.
[HKEY_USERS\S-1-5-21-2098338943-1949750660-1627160459-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jar\UserChoice]
@Denied: (2) (Administrator)
"Progid"="jarfile"
.
[HKEY_USERS\S-1-5-21-2098338943-1949750660-1627160459-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="jpegfile"
.
[HKEY_USERS\S-1-5-21-2098338943-1949750660-1627160459-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m1v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-2098338943-1949750660-1627160459-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.M2V\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-2098338943-1949750660-1627160459-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.M3U"
.
[HKEY_USERS\S-1-5-21-2098338943-1949750660-1627160459-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MIDI"
.
[HKEY_USERS\S-1-5-21-2098338943-1949750660-1627160459-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MIDI"
.
[HKEY_USERS\S-1-5-21-2098338943-1949750660-1627160459-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MOD\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-2098338943-1949750660-1627160459-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-2098338943-1949750660-1627160459-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-2098338943-1949750660-1627160459-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MP3"
.
[HKEY_USERS\S-1-5-21-2098338943-1949750660-1627160459-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpa\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-2098338943-1949750660-1627160459-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpe\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-2098338943-1949750660-1627160459-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpeg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-2098338943-1949750660-1627160459-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-2098338943-1949750660-1627160459-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpv2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-2098338943-1949750660-1627160459-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MIDI"
.
[HKEY_USERS\S-1-5-21-2098338943-1949750660-1627160459-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rtf\UserChoice]
@Denied: (2) (Administrator)
"Progid"="rtffile"
.
[HKEY_USERS\S-1-5-21-2098338943-1949750660-1627160459-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.smc\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\wmplayer.exe"
.
[HKEY_USERS\S-1-5-21-2098338943-1949750660-1627160459-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AU"
.
[HKEY_USERS\S-1-5-21-2098338943-1949750660-1627160459-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WAV"
.
[HKEY_USERS\S-1-5-21-2098338943-1949750660-1627160459-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wax\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WAX"
.
[HKEY_USERS\S-1-5-21-2098338943-1949750660-1627160459-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASF"
.
[HKEY_USERS\S-1-5-21-2098338943-1949750660-1627160459-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMA"
.
[HKEY_USERS\S-1-5-21-2098338943-1949750660-1627160459-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmd\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMD"
.
[HKEY_USERS\S-1-5-21-2098338943-1949750660-1627160459-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wms\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMS"
.
[HKEY_USERS\S-1-5-21-2098338943-1949750660-1627160459-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMV"
.
[HKEY_USERS\S-1-5-21-2098338943-1949750660-1627160459-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASX"
.
[HKEY_USERS\S-1-5-21-2098338943-1949750660-1627160459-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmz\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMZ"
.
[HKEY_USERS\S-1-5-21-2098338943-1949750660-1627160459-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wpl\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WPL"
.
[HKEY_USERS\S-1-5-21-2098338943-1949750660-1627160459-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WVX"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(2300)
c:\windows\system32\imapi2.dll
c:\windows\system32\bthprops.cpl
.
Completion time: 2012-07-11 21:18:41
ComboFix-quarantined-files.txt 2012-07-12 01:18
.
Pre-Run: 167,128,567,808 bytes free
Post-Run: 166,856,769,536 bytes free
.
- - End Of File - - B0F5768CDEA296DB9E7F5CC4E499ACB1
#19
Really little in that, and I'm starting to think Norton is seeing a false positive (mistaken identity). Hits on your issues do go to Norton forums, where that is the consensus. I believe there is a way within Norton to tell it to quit reporting on that file/bootkit issue.

These:

21:12:03.086 Service GMSIPCI D:\INSTALL\GMSIPCI.SYS **LOCKED** 21
21:12:07.679 Service NTACCESS D:\NTACCESS.sys **LOCKED** 21
21:12:11.273 Service SetupNTGLM7X D:\NTGLM7X.sys **LOCKED** 21

are typical of an MSI motherboard live update install, and of course the "D", as you mentioned, is your disk drive. Did you install MSI apps from a CD there?
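The three service lines quoted above come from a rootkit scanner's service enumeration, and the pattern the helper is reading is that every locked image lives on D:, not on the system drive. The Python below is an added example, not code from this thread or from any scanner it mentions: it parses lines in that format, flags services whose image path is off the system drive or whose file could not be read, and groups the flagged names by drive letter so a reviewer sees the pattern rather than a list. The sample input is constructed to imitate the three lines above plus one ordinary driver on C:; the function names `parse_service_lines` and `triage`, the flag labels and the fourth sample line are my own assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the format of the service lines quoted in the thread:
#   <time> Service <name> <image path> <status words...>
# The fourth line is an invented "ordinary" driver on the system drive for contrast.
SAMPLE_LOG = r"""
21:12:03.086 Service GMSIPCI D:\INSTALL\GMSIPCI.SYS **LOCKED** 21
21:12:07.679 Service NTACCESS D:\NTACCESS.sys **LOCKED** 21
21:12:11.273 Service SetupNTGLM7X D:\NTGLM7X.sys **LOCKED** 21
21:12:15.001 Service tcpip C:\Windows\system32\drivers\tcpip.sys (constructed sample)
"""

# time, the literal word Service, service name, a drive-letter path, optional trailing status text
SERVICE_LINE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+Service\s+(?P<name>\S+)\s+"
    r"(?P<path>[A-Za-z]:\\\S*)(?:\s+(?P<rest>.*))?$"
)


@dataclass
class ServiceEntry:
    time: str
    name: str
    path: str
    drive: str
    locked: bool
    flags: list = field(default_factory=list)


def parse_service_lines(text, system_drive="C:"):
    """Parse scanner output into ServiceEntry objects and attach review flags.

    image-off-system-drive: the registered image sits on another volume (removable
                            or optical media, as with an installer run from a CD).
    image-unreadable:       the scanner marked the image **LOCKED**, so it could not
                            open or verify the file.
    """
    entries = []
    for line in text.splitlines():
        m = SERVICE_LINE.match(line.strip())
        if not m:
            continue  # not a service line; other scanner output is ignored
        rest = m.group("rest") or ""
        entry = ServiceEntry(
            time=m.group("time"),
            name=m.group("name"),
            path=m.group("path"),
            drive=m.group("path")[:2].upper(),
            locked="**LOCKED**" in rest,
        )
        if entry.drive != system_drive.upper():
            entry.flags.append("image-off-system-drive")
        if entry.locked:
            entry.flags.append("image-unreadable")
        entries.append(entry)
    return entries


def triage(entries):
    """Group the names of flagged services by drive letter, e.g. {'D:': [...]}."""
    by_drive = {}
    for e in entries:
        if e.flags:
            by_drive.setdefault(e.drive, []).append(e.name)
    return by_drive


if __name__ == "__main__":
    parsed = parse_service_lines(SAMPLE_LOG)
    for e in parsed:
        print(f"{e.name:14} {e.path:45} {', '.join(e.flags) or 'ok'}")
    print("flagged by drive:", triage(parsed))
```

When every flagged service points at the same non-system drive, the grouped view makes the "leftover vendor installer from a CD" explanation visible at a glance; a single locked image under the system drive would deserve a closer look.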
#20
Thank you very much.
At least I know that it is a false positive. I was wondering why Kaspersky's quick scanner did not come up with it. Those drive D items must have been installed by the owner of this computer. This youngster will be glad to get it back. I thank you for your help. I will be activating a subscription to your site. You do not need to reply to this if you are busy. I thank you again.
#22
Yes, I have started the process of removing downloaded files and reports. I don't believe we installed any programs.
What else do you suggest we do to the computer before turning it over to the owner?

John
#23
Just a few changes, then we are done here.

The logs show you have a slightly outdated version of Java, so go here and update that: http://java.com/en/download/manual.jsp (For Java 7 Update 5 - they have been trying to slip Ask adware/spyware onto systems lately, so watch for it and uncheck it.) Once you have done that, be sure to go to Programs and Features/Uninstall and uninstall any older, more vulnerable Java versions.

----------

Go to Start Search and type cmd.exe in the Start Search box. Cmd.exe will appear at the top of the Menu. Right-click on it and choose "Run as administrator". At the prompt copy/paste the following, pressing Enter after each:

cd "%userprofile%\desktop"
combofix /uninstall

ComboFix should uninstall itself at this time.

-----------

You can also at this time delete the files/folders of the tools we used. To assist with some of that, run OTL again. This will help by automatically removing some of the tools we used. Just click CleanUp, and select Yes. When it finishes removing some of the tools and files we used there, just agree to the reboot.

In addition, I like to recommend reviewing the information Here to make sure you stay malware free.
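The "uninstall any older, more vulnerable Java versions" step needs the list of installed Java runtimes and their versions, which on Windows is what Programs and Features reads from the Uninstall registry keys. The Python below is an added example, not code from this thread, from Oracle or from Microsoft: on Windows it enumerates `DisplayName` values under the two Uninstall keys with the standard `winreg` module; on any other platform it falls back to a constructed sample list so the version logic can still be exercised. It then parses names of the `Java 7 Update 5` form used in the post and reports every runtime older than the newest one installed. `parse_java_version`, `find_stale_java`, `installed_display_names` and the sample names are my own assumptions.

```python
import re
import sys

# Matches the "Java(TM) 6 Update 31" / "Java 7 Update 5" naming pattern; the
# optional "(TM)" and "SE" parts are assumptions to cover naming variants.
JAVA_NAME = re.compile(
    r"^Java(?:\(TM\))?(?:\s+SE)?\s+(?P<major>\d+)\s+Update\s+(?P<update>\d+)", re.I
)

# Constructed sample of Add/Remove Programs display names (not from the thread's logs).
SAMPLE_DISPLAY_NAMES = [
    "Java(TM) 6 Update 31",
    "Java 7 Update 3",
    "Java 7 Update 5",
    "Java Auto Updater",          # a helper, not a runtime: must be ignored
    "Adobe Flash Player 11 ActiveX",
]


def parse_java_version(display_name):
    """Return (major, update) for a Java runtime display name, or None if it is not one."""
    m = JAVA_NAME.match(display_name)
    if not m:
        return None
    return (int(m.group("major")), int(m.group("update")))


def find_stale_java(display_names):
    """Return (newest_version, stale_names).

    stale_names lists every Java runtime whose (major, update) is lower than the
    newest one present; these are the "older, more vulnerable" installs to remove.
    """
    versions = {}
    for name in display_names:
        v = parse_java_version(name)
        if v is not None:
            versions[name] = v
    if not versions:
        return None, []
    newest = max(versions.values())
    stale = sorted(n for n, v in versions.items() if v < newest)
    return newest, stale


def installed_display_names():
    """On Windows, read DisplayName from both Uninstall hives; elsewhere use the sample."""
    if sys.platform != "win32":
        return list(SAMPLE_DISPLAY_NAMES)
    import winreg  # only importable on Windows

    names = []
    for root in (
        r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
        r"SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall",
    ):
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, root)
        except OSError:
            continue  # 32-bit Vista has no Wow6432Node hive
        with key:
            index = 0
            while True:
                try:
                    sub = winreg.EnumKey(key, index)
                except OSError:
                    break  # no more subkeys
                index += 1
                try:
                    with winreg.OpenKey(key, sub) as sk:
                        names.append(winreg.QueryValueEx(sk, "DisplayName")[0])
                except OSError:
                    pass  # entry without a DisplayName
    return names


if __name__ == "__main__":
    newest, stale = find_stale_java(installed_display_names())
    if newest is None:
        print("no Java runtime found")
    else:
        print(f"newest Java runtime: {newest[0]} Update {newest[1]}")
        for name in stale:
            print(f"older runtime to uninstall: {name}")
```

Run it after installing the update and before the Programs and Features pass; anything it lists as older is what that pass should remove.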
#24
Done,
Thank you very much. I think you can close this case now.