Windows Update Error (8024402C), Unable To Access Certain Websites, Random Internet Explorer Pop-Up Flooding


  • This topic is locked
20 replies to this topic

#1 Severan

  • Members
  • 13 posts
  • OFFLINE
  • Local time:10:58 AM

Posted 19 August 2011 - 01:42 PM

Greetings!

(I have been directed to post here from the "Am I infected?" forum. My previous thread is located here).

My Windows Vista (32-bit) has been unable to update for over two months. Windows Update has tried to install the latest Definition Updates for Windows Defender, but has experienced a Code 8024402C error each time. I do not access the internet through a proxy and setting "Automatically detect (LAN) settings" in Internet Explorer did not resolve the problem.

It seems I am unable to access selected websites: Firefox cannot find the servers at download.microsoft.com and www.yahoo.com, even though these sites work fine on other computers using the same home network.

At times, IE also attempts to flood my screen with pop-ups pointing to a broken non-URL, most often when I re-log into Vista after waking up my computer from Sleep mode.

I paste (DDS) and attach (Attach, ark) the requested logs below.

Thank you for your help in advance!

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
Run by Severan at 18:45:03 on 2011-08-19
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.2037.1231 [GMT 8:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Symantec AntiVirus\Smc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Users\Severan\Programs\SAS\SASCORE.EXE
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Windows\runservice.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Symantec AntiVirus\SmcGui.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Apoint\Apoint.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\WavXDocMgr.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\V0220Mon.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\sttray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.bbc.co.uk
uWindow Title = Internet Explorer provided by Dell
mSearchAssistant = hxxp://start.facemoods.com/?a=ddr&s={searchTerms}&f=4
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [WavXMgr] c:\program files\wave systems corp\services manager\docmgr\bin\WavXDocMgr.exe
mRun: [SecureUpgrade] c:\program files\wave systems corp\SecureUpgrade.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [V0220Mon.exe] c:\windows\V0220Mon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [V0220Cfg.exe] V0220Cfg.exe /d:3
mRun: [ie238754] c:\program files\internet explorer\ielowutil\ielowutil.exe
mRun: [834rgruyg8374tg7h] c:\program files\internet explorer\ielowutil\update.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader9\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\users\severan\appdata\roaming\micros~1\windows\startm~1\programs\startup\imvu.lnk - c:\users\severan\appdata\roaming\imvuclient\IMVUQualityAgent.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\windows\installer\{7f0c4457-8e64-491b-8d7b-991504365d1e}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.8.1
TCP: Interfaces\{2B8FE84C-A16E-4775-A7D9-BC7DE06573F8} : DhcpNameServer = 192.168.8.1
TCP: Interfaces\{5466EC0C-2276-4FEF-B090-94A6EF3EC957} : NameServer = 203.198.23.208 205.252.144.126
Notify: !SASWinLogon - c:\users\severan\programs\sas\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\users\severan\programs\sas\SASSEH.DLL
LSA: Authentication Packages = msv1_0 wvauth
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\severan\appdata\roaming\mozilla\firefox\profiles\ljehb30i.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/
FF - plugin: c:\program files\adobe\reader10.0\reader\browser\nppdf32.dll
FF - plugin: c:\program files\adobe\reader10\reader\browser\nppdf32.dll
FF - plugin: c:\program files\adobe\reader9\reader\air\nppdf32.dll
FF - plugin: c:\program files\adobe\reader9\reader\browser\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.50401.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\windows media player\realalt\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\windows media player\realalt\browser\plugins\nprpjplug.dll
FF - plugin: c:\users\severan\programs\vlc\npvlc.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\users\severan\programs\sas\sasdifsv.sys [2011-7-23 12880]
R1 SASKUTIL;SASKUTIL;c:\users\severan\programs\sas\SASKUTIL.SYS [2011-7-13 67664]
R2 !SASCORE;SAS Core Service;c:\users\severan\programs\sas\SASCore.exe [2011-8-12 116608]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2006-12-20 79432]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-16 21504]
R2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2008-12-15 2560]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec antivirus\Rtvscan.exe [2010-12-15 1839776]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-7-27 105592]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-19 130384]
S2 Secunia Update Agent;Secunia Update Agent;c:\users\severan\programs\secunia\sua.exe --start-service --> c:\users\severan\programs\secunia\sua.exe --start-service [?]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2007-8-22 179712]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2010-12-15 23888]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-8-22 30192]
S3 PPJoyBus;Parallel Port Joystick Bus device driver;c:\windows\system32\drivers\PPJoyBus.sys [2004-1-24 13952]
S3 PPortJoystick;Parallel Port Joystick device driver;c:\windows\system32\drivers\PPortJoy.sys [2004-1-24 28800]
S3 V0220Dev;Live! Cam Video IM;c:\windows\system32\drivers\V0220Dev.sys [2008-1-7 146112]
S3 V0220Vfx;V0220VFX;c:\windows\system32\drivers\V0220Vfx.sys [2008-1-7 6272]
.
=============== Created Last 30 ================
.
2011-08-19 01:44:26 -------- d-----w- c:\users\severan\appdata\local\{3109944B-B5F4-4F69-A355-43DC5018DB36}
2011-08-19 01:43:36 -------- d-----w- c:\users\severan\appdata\local\{A6C967FF-F993-485B-9540-4D8037819E31}
2011-08-18 09:50:49 -------- d-----w- c:\users\severan\appdata\local\{693A41FF-18AD-444F-BF72-F50C9A8572DF}
2011-08-18 09:50:12 -------- d-----w- c:\users\severan\appdata\local\{F1210F9F-4EB0-42B1-9F69-A9D48E93DCA8}
2011-08-17 21:49:16 -------- d-----w- c:\users\severan\appdata\local\{D11446E7-C9EE-4F2D-B161-FA5D4BA346D8}
2011-08-17 21:48:25 -------- d-----w- c:\users\severan\appdata\local\{6DF1C3F7-7601-483E-9BCF-2BC5399E4B12}
2011-08-17 07:51:24 -------- d-----w- c:\users\severan\appdata\local\{6AFF95EE-BE93-439B-A246-634AD44982F4}
2011-08-17 07:50:40 -------- d-----w- c:\users\severan\appdata\local\{DF761543-9802-4AB3-8180-8A1BDD818774}
2011-08-16 21:51:21 -------- d-----w- c:\users\severan\appdata\roaming\SUPERAntiSpyware.com
2011-08-16 13:33:06 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-16 04:09:06 -------- d-----w- c:\users\severan\appdata\local\{AC678152-3587-4601-85B5-0A69A15795FB}
2011-08-16 04:08:27 -------- d-----w- c:\users\severan\appdata\local\{C0CAE1D3-9474-4EAF-A7B3-22A3499491EE}
2011-08-15 16:01:30 -------- d-----w- c:\program files\common files\Bitdefender
2011-08-15 15:57:02 -------- d-----w- c:\users\severan\appdata\roaming\QuickScan
2011-08-15 13:38:10 -------- d-----w- c:\users\severan\appdata\local\{9AA3391E-59A5-490B-8765-389B062B8939}
2011-08-15 13:37:20 -------- d-----w- c:\users\severan\appdata\local\{62AFE94F-240C-4158-860E-8B8BED5D4234}
2011-08-14 21:58:21 -------- d-----w- c:\users\severan\appdata\local\{86E7EAB2-5695-4C45-9266-6C2894E789B0}
2011-08-14 21:57:29 -------- d-----w- c:\users\severan\appdata\local\{0420AB98-229B-4D1E-986C-EBA4838DAD60}
2011-08-14 03:20:21 -------- d-----w- c:\users\severan\appdata\local\{2EAF7964-6A45-4955-A095-D94E0D8697D4}
2011-08-14 03:19:31 -------- d-----w- c:\users\severan\appdata\local\{2916B445-4B8C-4344-872D-6223167E9626}
2011-08-13 03:35:29 -------- d-----w- c:\users\severan\appdata\local\{38ACBD80-6AE8-4736-A909-4A6E40B7CAEF}
2011-08-13 03:34:26 -------- d-----w- c:\users\severan\appdata\local\{EDDC348C-3F61-4F13-9C60-3F73ED3671A2}
2011-08-12 03:50:54 -------- d-----w- c:\users\severan\appdata\local\{3D2853F8-5265-4974-9CE2-4BBA9F962354}
2011-08-12 03:50:04 -------- d-----w- c:\users\severan\appdata\local\{9B4FF0DC-21E6-402D-9C68-7EDABF4D78E6}
2011-08-11 02:26:32 -------- d-----w- c:\users\severan\appdata\local\{624C4BDE-1233-4D11-BAAB-195408ADC3EA}
2011-08-11 02:25:43 -------- d-----w- c:\users\severan\appdata\local\{ADA8138A-8C29-4754-8AA7-B898342B154C}
2011-08-10 06:59:53 -------- d-----w- c:\users\severan\appdata\local\{795E1D55-7059-4387-B846-01CDA87EA508}
2011-08-10 06:59:13 -------- d-----w- c:\users\severan\appdata\local\{D4C421D1-6CDF-42E3-B6D4-A2EBD9808C44}
2011-08-09 18:58:32 -------- d-----w- c:\users\severan\appdata\local\{B966002D-629A-4E41-9366-5925CF7CE73D}
2011-08-09 18:57:45 -------- d-----w- c:\users\severan\appdata\local\{039B4332-E483-4E12-BA8E-2AA3FBE92EA1}
2011-08-09 03:21:44 -------- d-----w- c:\users\severan\appdata\local\{76358EFD-F10F-47A3-83C0-CD2B4EF0528F}
2011-08-09 03:20:59 -------- d-----w- c:\users\severan\appdata\local\{B8AB4FCC-E521-4709-AB6F-854375675873}
2011-08-08 01:44:44 -------- d-----w- c:\users\severan\appdata\local\{7671E1E4-B9A0-45F7-B1DE-9709F23CAB9E}
2011-08-08 01:43:52 -------- d-----w- c:\users\severan\appdata\local\{99568E05-D05E-4FC5-B440-86B14E4F82D8}
2011-08-06 08:25:54 -------- d-----w- c:\users\severan\appdata\local\{665A2B83-8FFC-45F5-86D1-BAB107B29BF2}
2011-08-06 08:25:00 -------- d-----w- c:\users\severan\appdata\local\{B9EFC112-1693-4DDD-B26D-46766BD6018F}
2011-08-05 03:23:05 -------- d-----w- c:\users\severan\appdata\local\{A7BDBE73-E9E2-4366-A8A2-07208759EC9F}
2011-08-05 03:22:25 -------- d-----w- c:\users\severan\appdata\local\{E12F7B93-C1F7-49B4-BC70-64FB5E04F9C8}
2011-08-04 15:21:42 -------- d-----w- c:\users\severan\appdata\local\{12FE3BC7-123A-4971-9BC3-5001077FBAC6}
2011-08-04 15:21:02 -------- d-----w- c:\users\severan\appdata\local\{FB80A966-6EF1-4F22-8124-8FBA31D610A5}
2011-08-04 03:18:42 -------- d-----w- c:\users\severan\appdata\local\{866D738D-85A9-4839-B60B-A2BE059C00A9}
2011-08-04 03:17:54 -------- d-----w- c:\users\severan\appdata\local\{461281E3-3AF1-494C-84CC-B3A40DFE2F0B}
2011-08-03 15:16:48 -------- d-----w- c:\users\severan\appdata\local\{89D3F730-5E65-4A79-B7A9-56C07226CFEF}
2011-08-03 02:41:06 -------- d-----w- c:\users\severan\appdata\local\{80341500-039A-4FDB-AA9A-6F271DBC73FB}
2011-08-02 14:39:49 -------- d-----w- c:\users\severan\appdata\local\{337BC3C4-E565-46C6-B060-9B16BDFCCDAE}
2011-08-02 02:29:05 -------- d-----w- c:\users\severan\appdata\local\{BD5789CF-AB20-4EF0-9F85-15BBF4526B4E}
2011-08-01 06:33:30 -------- d-----w- c:\users\severan\appdata\local\{166CFC97-6E2B-41AA-86FD-49BB4EC0B9FA}
2011-07-31 15:50:50 -------- d-----w- c:\users\severan\appdata\local\{B4BB457B-E504-4A45-9DEF-6EAB913B754B}
2011-07-31 03:49:50 -------- d-----w- c:\users\severan\appdata\local\{3894C5FC-88B8-4032-AE5C-943720245516}
2011-07-30 14:53:03 -------- d-----w- c:\users\severan\appdata\local\{02755C38-770A-4797-AFAD-7F3DCC513B3A}
2011-07-30 02:51:57 -------- d-----w- c:\users\severan\appdata\local\{49FEF190-F26F-4D04-A65F-489C94DF38AE}
2011-07-29 14:26:27 -------- d-----w- c:\users\severan\appdata\local\{F240783A-10FA-4DCB-AB40-368846A7D11D}
2011-07-29 14:25:50 -------- d-----w- c:\users\severan\appdata\local\{026BD546-1D6D-4B43-8A1B-67829805D33D}
2011-07-29 00:55:29 -------- d-----w- c:\users\severan\appdata\local\{3A0B6D9F-F13D-4E09-9C51-E4364A856498}
2011-07-28 06:30:08 -------- d-----w- c:\users\severan\appdata\local\{04710AB0-E6B1-49A7-88BF-3BA94AD948A1}
2011-07-27 17:08:14 -------- d-----w- c:\users\severan\appdata\local\{9303CEEC-3392-42CB-B2FB-9946EC71853B}
2011-07-27 05:07:15 -------- d-----w- c:\users\severan\appdata\local\{431BCE00-ECFA-4B11-B31D-5368CC033A97}
2011-07-26 16:06:34 -------- d-----w- c:\users\severan\appdata\local\{1310AFD6-AE5F-4242-A208-953CDF920B27}
2011-07-26 09:22:14 -------- d-----w- c:\users\severan\appdata\local\Secunia PSI
2011-07-26 03:06:33 -------- d-----w- c:\users\severan\appdata\local\{334A0BFD-C75F-4D6D-93DF-834B7BE40E3B}
2011-07-25 15:05:35 -------- d-----w- c:\users\severan\appdata\local\{C5BBE0DD-0FBD-4598-BF2B-AEC1B42E3771}
2011-07-25 03:04:43 -------- d-----w- c:\users\severan\appdata\local\{A934C000-EF23-4006-AA67-44D5A494D5FA}
2011-07-24 15:03:33 -------- d-----w- c:\users\severan\appdata\local\{FC6A8D44-9C33-4FCE-AB93-EB38A79D7160}
2011-07-24 13:52:13 -------- d-----w- c:\users\severan\appdata\local\{6601A1A1-FBE9-4115-BD8C-F270A4C9C898}
2011-07-24 01:36:24 -------- d-----w- c:\users\severan\appdata\local\{15EBD67A-44D5-47BD-998D-8C49FC4A0530}
2011-07-23 03:12:49 -------- d-----w- c:\users\severan\appdata\local\{FD471DA7-BB07-4342-99BA-689A70F01A3D}
2011-07-22 13:26:54 -------- d-----w- c:\users\severan\appdata\local\{EBEAD5AF-D4B7-40EA-93D4-1B6117D4AF80}
2011-07-21 16:10:31 -------- d-----w- c:\users\severan\appdata\local\{A00B6EE4-52E8-419B-8011-6897B785B686}
2011-07-21 03:19:17 -------- d-----w- c:\users\severan\appdata\local\{0BE5785C-4435-4771-9558-7438E1082257}
2011-07-20 15:18:12 -------- d-----w- c:\users\severan\appdata\local\{760F8AEA-3DE0-4ED0-A4AF-435C12DEDB03}
.
==================== Find3M ====================
.
2011-08-18 07:58:30 1177 --sha-w- c:\windows\system32\mmf.sys
2011-08-16 13:26:55 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 18:47:00.71 ===============


#2 HelpBot

    Bleepin' Binary Bot


  • Bots
  • 10,143 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:58 PM

Posted 24 August 2011 - 01:45 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/415180 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 Severan

  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:10:58 AM

Posted 25 August 2011 - 05:48 AM

I paste (DDS) and attach (Attach, ark) updated logs as requested.

Again, thank you for your help in advance!

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
Run by Severan at 18:34:44 on 2011-08-25
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.2037.832 [GMT 8:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Symantec AntiVirus\Smc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Users\Severan\Programs\SAS\SASCORE.EXE
C:\Program Files\Symantec AntiVirus\SmcGui.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Windows\runservice.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\WavXDocMgr.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\V0220Mon.exe
C:\Windows\sttray.exe
C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
C:\Program Files\Internet Explorer\ielowutil\ielowutil.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\system32\taskeng.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Apoint\Apntex.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.bbc.co.uk
uWindow Title = Internet Explorer provided by Dell
mSearchAssistant = hxxp://start.facemoods.com/?a=ddr&s={searchTerms}&f=4
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [WavXMgr] c:\program files\wave systems corp\services manager\docmgr\bin\WavXDocMgr.exe
mRun: [SecureUpgrade] c:\program files\wave systems corp\SecureUpgrade.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [V0220Mon.exe] c:\windows\V0220Mon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [V0220Cfg.exe] V0220Cfg.exe /d:3
mRun: [ie238754] c:\program files\internet explorer\ielowutil\ielowutil.exe
mRun: [834rgruyg8374tg7h] c:\program files\internet explorer\ielowutil\update.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader9\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\users\severan\appdata\roaming\micros~1\windows\startm~1\programs\startup\imvu.lnk - c:\users\severan\appdata\roaming\imvuclient\IMVUQualityAgent.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\windows\installer\{7f0c4457-8e64-491b-8d7b-991504365d1e}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.8.1
TCP: Interfaces\{2B8FE84C-A16E-4775-A7D9-BC7DE06573F8} : DhcpNameServer = 192.168.8.1
TCP: Interfaces\{5466EC0C-2276-4FEF-B090-94A6EF3EC957} : NameServer = 203.198.23.208 205.252.144.126
Notify: !SASWinLogon - c:\users\severan\programs\sas\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\users\severan\programs\sas\SASSEH.DLL
LSA: Authentication Packages = msv1_0 wvauth
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\severan\appdata\roaming\mozilla\firefox\profiles\ljehb30i.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/
FF - plugin: c:\program files\adobe\reader10.0\reader\browser\nppdf32.dll
FF - plugin: c:\program files\adobe\reader10\reader\browser\nppdf32.dll
FF - plugin: c:\program files\adobe\reader9\reader\air\nppdf32.dll
FF - plugin: c:\program files\adobe\reader9\reader\browser\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.50401.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\windows media player\realalt\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\windows media player\realalt\browser\plugins\nprpjplug.dll
FF - plugin: c:\users\severan\programs\vlc\npvlc.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\users\severan\programs\sas\sasdifsv.sys [2011-7-23 12880]
R1 SASKUTIL;SASKUTIL;c:\users\severan\programs\sas\SASKUTIL.SYS [2011-7-13 67664]
R2 !SASCORE;SAS Core Service;c:\users\severan\programs\sas\SASCore.exe [2011-8-12 116608]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2006-12-20 79432]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-16 21504]
R2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2008-12-15 2560]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec antivirus\Rtvscan.exe [2010-12-15 1839776]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-1-4 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-7-27 105592]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-19 130384]
S2 Secunia Update Agent;Secunia Update Agent;c:\users\severan\programs\secunia\sua.exe --start-service --> c:\users\severan\programs\secunia\sua.exe --start-service [?]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2007-8-22 179712]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2010-12-15 23888]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-8-22 30192]
S3 PPJoyBus;Parallel Port Joystick Bus device driver;c:\windows\system32\drivers\PPJoyBus.sys [2004-1-24 13952]
S3 PPortJoystick;Parallel Port Joystick device driver;c:\windows\system32\drivers\PPortJoy.sys [2004-1-24 28800]
S3 V0220Dev;Live! Cam Video IM;c:\windows\system32\drivers\V0220Dev.sys [2008-1-7 146112]
S3 V0220Vfx;V0220VFX;c:\windows\system32\drivers\V0220Vfx.sys [2008-1-7 6272]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-19 753504]
.
=============== Created Last 30 ================
.
2011-08-25 10:16:03 -------- d-----w- c:\users\severan\appdata\local\{34C2940B-8235-4311-A7DC-4822513F3B49}
2011-08-25 10:15:19 -------- d-----w- c:\users\severan\appdata\local\{764A47B2-CE25-406C-A564-1D9EF024B457}
2011-08-24 02:19:19 -------- d-----w- c:\users\severan\appdata\local\{231FB472-2DB7-44A9-8EC3-7EC0F427140F}
2011-08-24 02:18:24 -------- d-----w- c:\users\severan\appdata\local\{6D880743-30FC-46E2-ACC7-5EA35BD86BF3}
2011-08-23 09:29:44 -------- d-----w- C:\.jagex_cache_32
2011-08-23 02:39:01 -------- d-----w- c:\users\severan\appdata\local\{A074A23C-AF2F-4315-90CD-E1BB6CC5925D}
2011-08-23 02:38:05 -------- d-----w- c:\users\severan\appdata\local\{939671F9-8F40-4508-974A-FB36A9366896}
2011-08-22 11:47:37 -------- d-----w- c:\users\severan\appdata\local\{57D0A458-5EF6-427F-B0AF-81E901E4010A}
2011-08-22 11:46:48 -------- d-----w- c:\users\severan\appdata\local\{4836D1A3-55F1-469E-BF06-3646F3BEDEDD}
2011-08-21 03:08:12 -------- d-----w- c:\users\severan\appdata\local\{E72F0E36-2725-4B4C-BF75-DC568EBFA6BD}
2011-08-21 03:07:35 -------- d-----w- c:\users\severan\appdata\local\{9983469C-1706-4CA8-9C0E-955464427B49}
2011-08-20 15:06:54 -------- d-----w- c:\users\severan\appdata\local\{F4D8EFEA-8384-4E9E-9E84-7B0743436A5D}
2011-08-20 15:06:15 -------- d-----w- c:\users\severan\appdata\local\{A0B430C9-728D-4A43-8606-AE23A6CE04A5}
2011-08-20 03:05:28 -------- d-----w- c:\users\severan\appdata\local\{C654FB74-3105-41DF-BCA7-03D418F4CEDD}
2011-08-20 03:04:42 -------- d-----w- c:\users\severan\appdata\local\{9E1BAB01-CF97-4A92-A8F5-9F6CFDB33CFE}
2011-08-19 15:03:43 -------- d-----w- c:\users\severan\appdata\local\{2E248EED-0756-41F5-9E20-84C5200CD2C2}
2011-08-19 15:02:49 -------- d-----w- c:\users\severan\appdata\local\{BAF1DEBC-E511-4F10-8824-279DFBF1A261}
2011-08-19 01:44:26 -------- d-----w- c:\users\severan\appdata\local\{3109944B-B5F4-4F69-A355-43DC5018DB36}
2011-08-19 01:43:36 -------- d-----w- c:\users\severan\appdata\local\{A6C967FF-F993-485B-9540-4D8037819E31}
2011-08-18 09:50:49 -------- d-----w- c:\users\severan\appdata\local\{693A41FF-18AD-444F-BF72-F50C9A8572DF}
2011-08-18 09:50:12 -------- d-----w- c:\users\severan\appdata\local\{F1210F9F-4EB0-42B1-9F69-A9D48E93DCA8}
2011-08-17 21:49:16 -------- d-----w- c:\users\severan\appdata\local\{D11446E7-C9EE-4F2D-B161-FA5D4BA346D8}
2011-08-17 21:48:25 -------- d-----w- c:\users\severan\appdata\local\{6DF1C3F7-7601-483E-9BCF-2BC5399E4B12}
2011-08-17 07:51:24 -------- d-----w- c:\users\severan\appdata\local\{6AFF95EE-BE93-439B-A246-634AD44982F4}
2011-08-17 07:50:40 -------- d-----w- c:\users\severan\appdata\local\{DF761543-9802-4AB3-8180-8A1BDD818774}
2011-08-16 21:51:21 -------- d-----w- c:\users\severan\appdata\roaming\SUPERAntiSpyware.com
2011-08-16 13:33:06 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-16 04:09:06 -------- d-----w- c:\users\severan\appdata\local\{AC678152-3587-4601-85B5-0A69A15795FB}
2011-08-16 04:08:27 -------- d-----w- c:\users\severan\appdata\local\{C0CAE1D3-9474-4EAF-A7B3-22A3499491EE}
2011-08-15 16:01:30 -------- d-----w- c:\program files\common files\Bitdefender
2011-08-15 15:57:02 -------- d-----w- c:\users\severan\appdata\roaming\QuickScan
2011-08-15 13:38:10 -------- d-----w- c:\users\severan\appdata\local\{9AA3391E-59A5-490B-8765-389B062B8939}
2011-08-15 13:37:20 -------- d-----w- c:\users\severan\appdata\local\{62AFE94F-240C-4158-860E-8B8BED5D4234}
2011-08-14 21:58:21 -------- d-----w- c:\users\severan\appdata\local\{86E7EAB2-5695-4C45-9266-6C2894E789B0}
2011-08-14 21:57:29 -------- d-----w- c:\users\severan\appdata\local\{0420AB98-229B-4D1E-986C-EBA4838DAD60}
2011-08-14 03:20:21 -------- d-----w- c:\users\severan\appdata\local\{2EAF7964-6A45-4955-A095-D94E0D8697D4}
2011-08-14 03:19:31 -------- d-----w- c:\users\severan\appdata\local\{2916B445-4B8C-4344-872D-6223167E9626}
2011-08-13 03:35:29 -------- d-----w- c:\users\severan\appdata\local\{38ACBD80-6AE8-4736-A909-4A6E40B7CAEF}
2011-08-13 03:34:26 -------- d-----w- c:\users\severan\appdata\local\{EDDC348C-3F61-4F13-9C60-3F73ED3671A2}
2011-08-12 03:50:54 -------- d-----w- c:\users\severan\appdata\local\{3D2853F8-5265-4974-9CE2-4BBA9F962354}
2011-08-12 03:50:04 -------- d-----w- c:\users\severan\appdata\local\{9B4FF0DC-21E6-402D-9C68-7EDABF4D78E6}
2011-08-11 02:26:32 -------- d-----w- c:\users\severan\appdata\local\{624C4BDE-1233-4D11-BAAB-195408ADC3EA}
2011-08-11 02:25:43 -------- d-----w- c:\users\severan\appdata\local\{ADA8138A-8C29-4754-8AA7-B898342B154C}
2011-08-10 06:59:53 -------- d-----w- c:\users\severan\appdata\local\{795E1D55-7059-4387-B846-01CDA87EA508}
2011-08-10 06:59:13 -------- d-----w- c:\users\severan\appdata\local\{D4C421D1-6CDF-42E3-B6D4-A2EBD9808C44}
2011-08-09 18:58:32 -------- d-----w- c:\users\severan\appdata\local\{B966002D-629A-4E41-9366-5925CF7CE73D}
2011-08-09 18:57:45 -------- d-----w- c:\users\severan\appdata\local\{039B4332-E483-4E12-BA8E-2AA3FBE92EA1}
2011-08-09 03:21:44 -------- d-----w- c:\users\severan\appdata\local\{76358EFD-F10F-47A3-83C0-CD2B4EF0528F}
2011-08-09 03:20:59 -------- d-----w- c:\users\severan\appdata\local\{B8AB4FCC-E521-4709-AB6F-854375675873}
2011-08-08 01:44:44 -------- d-----w- c:\users\severan\appdata\local\{7671E1E4-B9A0-45F7-B1DE-9709F23CAB9E}
2011-08-08 01:43:52 -------- d-----w- c:\users\severan\appdata\local\{99568E05-D05E-4FC5-B440-86B14E4F82D8}
2011-08-06 08:25:54 -------- d-----w- c:\users\severan\appdata\local\{665A2B83-8FFC-45F5-86D1-BAB107B29BF2}
2011-08-06 08:25:00 -------- d-----w- c:\users\severan\appdata\local\{B9EFC112-1693-4DDD-B26D-46766BD6018F}
2011-08-05 03:23:05 -------- d-----w- c:\users\severan\appdata\local\{A7BDBE73-E9E2-4366-A8A2-07208759EC9F}
2011-08-05 03:22:25 -------- d-----w- c:\users\severan\appdata\local\{E12F7B93-C1F7-49B4-BC70-64FB5E04F9C8}
2011-08-04 15:21:42 -------- d-----w- c:\users\severan\appdata\local\{12FE3BC7-123A-4971-9BC3-5001077FBAC6}
2011-08-04 15:21:02 -------- d-----w- c:\users\severan\appdata\local\{FB80A966-6EF1-4F22-8124-8FBA31D610A5}
2011-08-04 03:18:42 -------- d-----w- c:\users\severan\appdata\local\{866D738D-85A9-4839-B60B-A2BE059C00A9}
2011-08-04 03:17:54 -------- d-----w- c:\users\severan\appdata\local\{461281E3-3AF1-494C-84CC-B3A40DFE2F0B}
2011-08-03 15:16:48 -------- d-----w- c:\users\severan\appdata\local\{89D3F730-5E65-4A79-B7A9-56C07226CFEF}
2011-08-03 02:41:06 -------- d-----w- c:\users\severan\appdata\local\{80341500-039A-4FDB-AA9A-6F271DBC73FB}
2011-08-02 14:39:49 -------- d-----w- c:\users\severan\appdata\local\{337BC3C4-E565-46C6-B060-9B16BDFCCDAE}
2011-08-02 02:29:05 -------- d-----w- c:\users\severan\appdata\local\{BD5789CF-AB20-4EF0-9F85-15BBF4526B4E}
2011-08-01 06:33:30 -------- d-----w- c:\users\severan\appdata\local\{166CFC97-6E2B-41AA-86FD-49BB4EC0B9FA}
2011-07-31 15:50:50 -------- d-----w- c:\users\severan\appdata\local\{B4BB457B-E504-4A45-9DEF-6EAB913B754B}
2011-07-31 03:49:50 -------- d-----w- c:\users\severan\appdata\local\{3894C5FC-88B8-4032-AE5C-943720245516}
2011-07-30 14:53:03 -------- d-----w- c:\users\severan\appdata\local\{02755C38-770A-4797-AFAD-7F3DCC513B3A}
2011-07-30 02:51:57 -------- d-----w- c:\users\severan\appdata\local\{49FEF190-F26F-4D04-A65F-489C94DF38AE}
2011-07-29 14:26:27 -------- d-----w- c:\users\severan\appdata\local\{F240783A-10FA-4DCB-AB40-368846A7D11D}
2011-07-29 14:25:50 -------- d-----w- c:\users\severan\appdata\local\{026BD546-1D6D-4B43-8A1B-67829805D33D}
2011-07-29 00:55:29 -------- d-----w- c:\users\severan\appdata\local\{3A0B6D9F-F13D-4E09-9C51-E4364A856498}
2011-07-28 06:30:08 -------- d-----w- c:\users\severan\appdata\local\{04710AB0-E6B1-49A7-88BF-3BA94AD948A1}
2011-07-27 17:08:14 -------- d-----w- c:\users\severan\appdata\local\{9303CEEC-3392-42CB-B2FB-9946EC71853B}
2011-07-27 05:07:15 -------- d-----w- c:\users\severan\appdata\local\{431BCE00-ECFA-4B11-B31D-5368CC033A97}
2011-07-26 16:06:34 -------- d-----w- c:\users\severan\appdata\local\{1310AFD6-AE5F-4242-A208-953CDF920B27}
.
==================== Find3M ====================
.
2011-08-24 22:12:57 1177 --sha-w- c:\windows\system32\mmf.sys
2011-08-16 13:26:55 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 18:37:18.36 ===============

Attached Files


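The two DDS runs in this thread (the one above and the one posted after ComboFix) differ in ways a reader would otherwise have to spot by eye, and the user's symptom (two specific hosts not resolving while the rest of the home network is fine) is the kind of thing a name-server check catches quickly. The script below is an added example for this thread, not part of DDS, ComboFix or the posted logs; the two sample strings are excerpted from the "Pseudo HJT Report" sections posted above so that it runs offline. It does three things: keys the report lines so two runs can be diffed, flags Run values whose names look machine-generated (a heuristic, not a verdict), and lists interfaces carrying a hand-set NameServer that differs from what DHCP hands out (also only a prompt to confirm those resolvers are the ones you expect, not proof of hijacking).

```python
"""Triage helpers for the 'Pseudo HJT Report' section of a DDS log.

Added example for this thread; not part of DDS, ComboFix or the posted logs.
The two samples are excerpted from the logs posted above (first run, and the
run made after ComboFix) so the checks can be exercised offline.
"""
import re
from typing import Dict, List, Tuple

LOG_BEFORE = r"""
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [V0220Cfg.exe] V0220Cfg.exe /d:3
mRun: [ie238754] c:\program files\internet explorer\ielowutil\ielowutil.exe
mRun: [834rgruyg8374tg7h] c:\program files\internet explorer\ielowutil\update.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
TCP: DhcpNameServer = 192.168.8.1
TCP: Interfaces\{2B8FE84C-A16E-4775-A7D9-BC7DE06573F8} : DhcpNameServer = 192.168.8.1
TCP: Interfaces\{5466EC0C-2276-4FEF-B090-94A6EF3EC957} : NameServer = 203.198.23.208 205.252.144.126
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
LSA: Authentication Packages = msv1_0 wvauth
"""

LOG_AFTER = r"""
mRun: [V0220Cfg.exe] V0220Cfg.exe /d:3
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
TCP: DhcpNameServer = 192.168.8.1
TCP: Interfaces\{2B8FE84C-A16E-4775-A7D9-BC7DE06573F8} : DhcpNameServer = 192.168.8.1
TCP: Interfaces\{5466EC0C-2276-4FEF-B090-94A6EF3EC957} : NameServer = 203.198.23.208 205.252.144.126
AppInit_DLLs: c:\progra~1\google\google~2\GoogleDesktopNetwork3.dll
"""

RUN_RE = re.compile(r"^(?P<hive>[um]Run): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
IFACE_RE = re.compile(r"^TCP: Interfaces\\(?P<guid>\{[0-9A-Fa-f-]+\}) : (?P<field>\w+)$")
# Heuristic (an assumption of this example): vendors name autostart values with
# product words, so a value name made only of lowercase letters and digits, with
# three or more digits in it, looks generated and deserves a second look.
GENERATED_RE = re.compile(r"^[a-z0-9]+$")


def parse_hjt(text: str) -> Dict[str, str]:
    """Map each report line to a (key, value) pair so two runs can be compared."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = RUN_RE.match(line)
        if m:                                    # uRun/mRun: keyed by value name
            entries[f"{m['hive']}:[{m['name']}]"] = m["cmd"]
        elif " = " in line:                      # TCP:/LSA:/mPolicies lines
            key, _, value = line.partition(" = ")
            entries[key.strip()] = value.strip()
        elif line.startswith("AppInit_DLLs:"):
            entries["AppInit_DLLs"] = line.partition(":")[2].strip()
        else:                                    # BHO/TB/DPF/...: whole line is the key
            entries[line] = ""
    return entries


def generated_run_names(entries: Dict[str, str]) -> List[Tuple[str, str]]:
    """Run values whose names look machine-generated, with the command they launch."""
    flagged = []
    for key, cmd in entries.items():
        if key.startswith(("uRun:[", "mRun:[")):
            name = key[6:-1]
            if GENERATED_RE.match(name) and sum(ch.isdigit() for ch in name) >= 3:
                flagged.append((name, cmd))
    return flagged


def static_dns_mismatch(entries: Dict[str, str]) -> List[Tuple[str, List[str], str]]:
    """Interfaces with a hand-set NameServer that differs from the DHCP-supplied one."""
    dhcp = entries.get("TCP: DhcpNameServer", "")
    findings = []
    for key, value in entries.items():
        m = IFACE_RE.match(key)
        if m and m["field"] == "NameServer" and value and value != dhcp:
            findings.append((m["guid"], value.split(), dhcp))
    return findings


def diff_hjt(before: Dict[str, str], after: Dict[str, str]):
    """Keys removed, added, and changed between two parsed reports."""
    removed = sorted(k for k in before if k not in after)
    added = sorted(k for k in after if k not in before)
    changed = sorted(k for k in before if k in after and before[k] != after[k])
    return removed, added, changed


if __name__ == "__main__":
    b, a = parse_hjt(LOG_BEFORE), parse_hjt(LOG_AFTER)
    for name, cmd in generated_run_names(b):
        print(f"generated-looking Run value: [{name}] -> {cmd}")
    for guid, servers, dhcp in static_dns_mismatch(b):
        print(f"static DNS on {guid}: {' '.join(servers)} (DHCP offers {dhcp})")
    removed, added, changed = diff_hjt(b, a)
    print("removed after ComboFix:", removed)
    print("added:", added, "changed:", changed)
```

On these excerpts the diff reports the two generated-looking Run values, the Windows Defender Run value and the LSA line as gone after ComboFix, and AppInit_DLLs as changed; that last one appears to be only the 8.3 short name giving way to the long name of the same Google Desktop DLL, which is why a textual diff still needs a human reading the result. The static NameServer finding is worth checking against the ISP's published resolvers: a resolver that returns wrong answers for download.microsoft.com and www.yahoo.com would produce exactly the symptom described at the top of the thread, but the same entry is equally consistent with a resolver the user set on purpose.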

#4 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland
  • Local time:05:58 AM

Posted 27 August 2011 - 03:10 AM

Hi


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.


Please continue as follows:

  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.

  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Microsoft MVP Consumer Security 2008 2009 2010 2011 2012 2013
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the corresponding user's case only. If you have similar symptoms, please create your own topic instead of following instructions given to someone else.


#5 Severan

Severan
  • Topic Starter

  • Members
  • 13 posts
  • Local time:10:58 AM

Posted 28 August 2011 - 08:18 PM

The DDS logs have been pasted and attached as before, along with Combofix.txt.

I note that Windows Update still does not work, nor am I yet able to access download.microsoft.com or yahoo.com.

I await further instructions; as always, thank you for your help!

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
Run by Severan at 9:07:01 on 2011-08-29
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.2037.1106 [GMT 8:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Symantec AntiVirus\Smc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Users\Severan\Programs\SAS\SASCORE.EXE
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Windows\runservice.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\STacSV.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec AntiVirus\SmcGui.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
C:\Program Files\Apoint\Apoint.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\WavXDocMgr.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\V0220Mon.exe
C:\Windows\sttray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Symantec Shared\COH\coh32.exe
C:\Program Files\Common Files\Symantec Shared\COH\coh32.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.bbc.co.uk
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [WavXMgr] c:\program files\wave systems corp\services manager\docmgr\bin\WavXDocMgr.exe
mRun: [SecureUpgrade] c:\program files\wave systems corp\SecureUpgrade.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [V0220Mon.exe] c:\windows\V0220Mon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [V0220Cfg.exe] V0220Cfg.exe /d:3
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader9\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\users\severan\appdata\roaming\micros~1\windows\startm~1\programs\startup\imvu.lnk - c:\users\severan\appdata\roaming\imvuclient\IMVUQualityAgent.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\windows\installer\{7f0c4457-8e64-491b-8d7b-991504365d1e}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.8.1
TCP: Interfaces\{2B8FE84C-A16E-4775-A7D9-BC7DE06573F8} : DhcpNameServer = 192.168.8.1
TCP: Interfaces\{5466EC0C-2276-4FEF-B090-94A6EF3EC957} : NameServer = 203.198.23.208 205.252.144.126
Notify: !SASWinLogon - c:\users\severan\programs\sas\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~2\GoogleDesktopNetwork3.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\users\severan\programs\sas\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\severan\appdata\roaming\mozilla\firefox\profiles\ljehb30i.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/
FF - plugin: c:\program files\adobe\reader9\reader\air\nppdf32.dll
FF - plugin: c:\program files\adobe\reader9\reader\browser\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.50401.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\windows media player\realalt\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\windows media player\realalt\browser\plugins\nprpjplug.dll
FF - plugin: c:\users\severan\programs\vlc\npvlc.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\users\severan\programs\sas\sasdifsv.sys [2011-7-23 12880]
R1 SASKUTIL;SASKUTIL;c:\users\severan\programs\sas\SASKUTIL.SYS [2011-7-13 67664]
R2 !SASCORE;SAS Core Service;c:\users\severan\programs\sas\SASCore.exe [2011-8-12 116608]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2006-12-20 79432]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-16 21504]
R2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2008-12-15 2560]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec antivirus\Rtvscan.exe [2010-12-15 1839776]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-1-4 24652]
R3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2010-12-15 23888]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-7-27 105592]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-19 130384]
S2 Secunia Update Agent;Secunia Update Agent;c:\users\severan\programs\secunia\sua.exe --start-service --> c:\users\severan\programs\secunia\sua.exe --start-service [?]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2007-8-22 179712]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-8-22 30192]
S3 PPJoyBus;Parallel Port Joystick Bus device driver;c:\windows\system32\drivers\PPJoyBus.sys [2004-1-24 13952]
S3 PPortJoystick;Parallel Port Joystick device driver;c:\windows\system32\drivers\PPortJoy.sys [2004-1-24 28800]
S3 V0220Dev;Live! Cam Video IM;c:\windows\system32\drivers\V0220Dev.sys [2008-1-7 146112]
S3 V0220Vfx;V0220VFX;c:\windows\system32\drivers\V0220Vfx.sys [2008-1-7 6272]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-19 753504]
.
=============== Created Last 30 ================
.
2011-08-28 21:03:51 -------- d-----w- c:\users\severan\appdata\local\{0E8055C6-A047-481E-8067-A5FA746D85C2}
2011-08-28 21:02:58 -------- d-----w- c:\users\severan\appdata\local\{62B59CD1-E66E-4142-9730-79F8FC322527}
2011-08-28 10:03:14 -------- d-----w- C:\$RECYCLE.BIN
2011-08-28 09:34:54 98816 ----a-w- c:\windows\sed.exe
2011-08-28 09:34:54 518144 ----a-w- c:\windows\SWREG.exe
2011-08-28 09:34:54 256000 ----a-w- c:\windows\PEV.exe
2011-08-28 09:34:54 208896 ----a-w- c:\windows\MBR.exe
2011-08-28 09:34:44 -------- d-----w- C:\ComboFix
2011-08-28 03:40:30 -------- d-----w- c:\users\severan\appdata\local\{DE140B65-11D7-49D5-8AF5-FA10E5E1B4B8}
2011-08-28 03:39:51 -------- d-----w- c:\users\severan\appdata\local\{5BF21DA5-8D6A-4D9E-A050-1C17FFFBFB68}
2011-08-27 15:38:56 -------- d-----w- c:\users\severan\appdata\local\{AA2990D8-F272-44F6-9F1A-69338DF2101B}
2011-08-27 15:38:05 -------- d-----w- c:\users\severan\appdata\local\{973B3DBE-4721-4E24-9B2F-579F08056817}
2011-08-27 03:04:33 -------- d-----w- c:\users\severan\appdata\local\{FDD14EE5-A97F-4990-8A8A-5979CEB65FA8}
2011-08-27 03:03:34 -------- d-----w- c:\users\severan\appdata\local\{45C685A7-E936-4D22-957C-549880CB1B27}
2011-08-26 10:46:21 -------- d-----w- c:\users\severan\appdata\local\{FE277C01-0A9B-4221-AF0B-C26449BF85B6}
2011-08-26 10:45:39 -------- d-----w- c:\users\severan\appdata\local\{4DEB07F6-01A5-47F0-A174-BF817447EA16}
2011-08-25 22:44:35 -------- d-----w- c:\users\severan\appdata\local\{A0721734-C6F1-4A81-A3AD-10403D2D788F}
2011-08-25 22:43:47 -------- d-----w- c:\users\severan\appdata\local\{38FBECCB-8406-4BAE-9256-976EE7425759}
2011-08-25 10:16:03 -------- d-----w- c:\users\severan\appdata\local\{34C2940B-8235-4311-A7DC-4822513F3B49}
2011-08-25 10:15:19 -------- d-----w- c:\users\severan\appdata\local\{764A47B2-CE25-406C-A564-1D9EF024B457}
2011-08-24 02:19:19 -------- d-----w- c:\users\severan\appdata\local\{231FB472-2DB7-44A9-8EC3-7EC0F427140F}
2011-08-24 02:18:24 -------- d-----w- c:\users\severan\appdata\local\{6D880743-30FC-46E2-ACC7-5EA35BD86BF3}
2011-08-23 09:29:44 -------- d-----w- C:\.jagex_cache_32
2011-08-23 02:39:01 -------- d-----w- c:\users\severan\appdata\local\{A074A23C-AF2F-4315-90CD-E1BB6CC5925D}
2011-08-23 02:38:05 -------- d-----w- c:\users\severan\appdata\local\{939671F9-8F40-4508-974A-FB36A9366896}
2011-08-22 11:47:37 -------- d-----w- c:\users\severan\appdata\local\{57D0A458-5EF6-427F-B0AF-81E901E4010A}
2011-08-22 11:46:48 -------- d-----w- c:\users\severan\appdata\local\{4836D1A3-55F1-469E-BF06-3646F3BEDEDD}
2011-08-21 03:08:12 -------- d-----w- c:\users\severan\appdata\local\{E72F0E36-2725-4B4C-BF75-DC568EBFA6BD}
2011-08-21 03:07:35 -------- d-----w- c:\users\severan\appdata\local\{9983469C-1706-4CA8-9C0E-955464427B49}
2011-08-20 15:06:54 -------- d-----w- c:\users\severan\appdata\local\{F4D8EFEA-8384-4E9E-9E84-7B0743436A5D}
2011-08-20 15:06:15 -------- d-----w- c:\users\severan\appdata\local\{A0B430C9-728D-4A43-8606-AE23A6CE04A5}
2011-08-20 03:05:28 -------- d-----w- c:\users\severan\appdata\local\{C654FB74-3105-41DF-BCA7-03D418F4CEDD}
2011-08-20 03:04:42 -------- d-----w- c:\users\severan\appdata\local\{9E1BAB01-CF97-4A92-A8F5-9F6CFDB33CFE}
2011-08-19 15:03:43 -------- d-----w- c:\users\severan\appdata\local\{2E248EED-0756-41F5-9E20-84C5200CD2C2}
2011-08-19 15:02:49 -------- d-----w- c:\users\severan\appdata\local\{BAF1DEBC-E511-4F10-8824-279DFBF1A261}
2011-08-19 01:44:26 -------- d-----w- c:\users\severan\appdata\local\{3109944B-B5F4-4F69-A355-43DC5018DB36}
2011-08-19 01:43:36 -------- d-----w- c:\users\severan\appdata\local\{A6C967FF-F993-485B-9540-4D8037819E31}
2011-08-18 09:50:49 -------- d-----w- c:\users\severan\appdata\local\{693A41FF-18AD-444F-BF72-F50C9A8572DF}
2011-08-18 09:50:12 -------- d-----w- c:\users\severan\appdata\local\{F1210F9F-4EB0-42B1-9F69-A9D48E93DCA8}
2011-08-17 21:49:16 -------- d-----w- c:\users\severan\appdata\local\{D11446E7-C9EE-4F2D-B161-FA5D4BA346D8}
2011-08-17 21:48:25 -------- d-----w- c:\users\severan\appdata\local\{6DF1C3F7-7601-483E-9BCF-2BC5399E4B12}
2011-08-17 07:51:24 -------- d-----w- c:\users\severan\appdata\local\{6AFF95EE-BE93-439B-A246-634AD44982F4}
2011-08-17 07:50:40 -------- d-----w- c:\users\severan\appdata\local\{DF761543-9802-4AB3-8180-8A1BDD818774}
2011-08-16 21:51:21 -------- d-----w- c:\users\severan\appdata\roaming\SUPERAntiSpyware.com
2011-08-16 13:33:06 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-16 04:09:06 -------- d-----w- c:\users\severan\appdata\local\{AC678152-3587-4601-85B5-0A69A15795FB}
2011-08-16 04:08:27 -------- d-----w- c:\users\severan\appdata\local\{C0CAE1D3-9474-4EAF-A7B3-22A3499491EE}
2011-08-15 16:01:30 -------- d-----w- c:\program files\common files\Bitdefender
2011-08-15 15:57:02 -------- d-----w- c:\users\severan\appdata\roaming\QuickScan
2011-08-15 13:38:10 -------- d-----w- c:\users\severan\appdata\local\{9AA3391E-59A5-490B-8765-389B062B8939}
2011-08-15 13:37:20 -------- d-----w- c:\users\severan\appdata\local\{62AFE94F-240C-4158-860E-8B8BED5D4234}
2011-08-14 21:58:21 -------- d-----w- c:\users\severan\appdata\local\{86E7EAB2-5695-4C45-9266-6C2894E789B0}
2011-08-14 21:57:29 -------- d-----w- c:\users\severan\appdata\local\{0420AB98-229B-4D1E-986C-EBA4838DAD60}
2011-08-14 03:20:21 -------- d-----w- c:\users\severan\appdata\local\{2EAF7964-6A45-4955-A095-D94E0D8697D4}
2011-08-14 03:19:31 -------- d-----w- c:\users\severan\appdata\local\{2916B445-4B8C-4344-872D-6223167E9626}
2011-08-13 03:35:29 -------- d-----w- c:\users\severan\appdata\local\{38ACBD80-6AE8-4736-A909-4A6E40B7CAEF}
2011-08-13 03:34:26 -------- d-----w- c:\users\severan\appdata\local\{EDDC348C-3F61-4F13-9C60-3F73ED3671A2}
2011-08-12 03:50:54 -------- d-----w- c:\users\severan\appdata\local\{3D2853F8-5265-4974-9CE2-4BBA9F962354}
2011-08-12 03:50:04 -------- d-----w- c:\users\severan\appdata\local\{9B4FF0DC-21E6-402D-9C68-7EDABF4D78E6}
2011-08-11 02:26:32 -------- d-----w- c:\users\severan\appdata\local\{624C4BDE-1233-4D11-BAAB-195408ADC3EA}
2011-08-11 02:25:43 -------- d-----w- c:\users\severan\appdata\local\{ADA8138A-8C29-4754-8AA7-B898342B154C}
2011-08-10 06:59:53 -------- d-----w- c:\users\severan\appdata\local\{795E1D55-7059-4387-B846-01CDA87EA508}
2011-08-10 06:59:13 -------- d-----w- c:\users\severan\appdata\local\{D4C421D1-6CDF-42E3-B6D4-A2EBD9808C44}
2011-08-09 18:58:32 -------- d-----w- c:\users\severan\appdata\local\{B966002D-629A-4E41-9366-5925CF7CE73D}
2011-08-09 18:57:45 -------- d-----w- c:\users\severan\appdata\local\{039B4332-E483-4E12-BA8E-2AA3FBE92EA1}
2011-08-09 03:21:44 -------- d-----w- c:\users\severan\appdata\local\{76358EFD-F10F-47A3-83C0-CD2B4EF0528F}
2011-08-09 03:20:59 -------- d-----w- c:\users\severan\appdata\local\{B8AB4FCC-E521-4709-AB6F-854375675873}
2011-08-08 01:44:44 -------- d-----w- c:\users\severan\appdata\local\{7671E1E4-B9A0-45F7-B1DE-9709F23CAB9E}
2011-08-08 01:43:52 -------- d-----w- c:\users\severan\appdata\local\{99568E05-D05E-4FC5-B440-86B14E4F82D8}
2011-08-06 08:25:54 -------- d-----w- c:\users\severan\appdata\local\{665A2B83-8FFC-45F5-86D1-BAB107B29BF2}
2011-08-06 08:25:00 -------- d-----w- c:\users\severan\appdata\local\{B9EFC112-1693-4DDD-B26D-46766BD6018F}
2011-08-05 03:23:05 -------- d-----w- c:\users\severan\appdata\local\{A7BDBE73-E9E2-4366-A8A2-07208759EC9F}
2011-08-05 03:22:25 -------- d-----w- c:\users\severan\appdata\local\{E12F7B93-C1F7-49B4-BC70-64FB5E04F9C8}
2011-08-04 15:21:42 -------- d-----w- c:\users\severan\appdata\local\{12FE3BC7-123A-4971-9BC3-5001077FBAC6}
2011-08-04 15:21:02 -------- d-----w- c:\users\severan\appdata\local\{FB80A966-6EF1-4F22-8124-8FBA31D610A5}
2011-08-04 03:18:42 -------- d-----w- c:\users\severan\appdata\local\{866D738D-85A9-4839-B60B-A2BE059C00A9}
2011-08-04 03:17:54 -------- d-----w- c:\users\severan\appdata\local\{461281E3-3AF1-494C-84CC-B3A40DFE2F0B}
2011-08-03 15:16:48 -------- d-----w- c:\users\severan\appdata\local\{89D3F730-5E65-4A79-B7A9-56C07226CFEF}
2011-08-03 02:41:06 -------- d-----w- c:\users\severan\appdata\local\{80341500-039A-4FDB-AA9A-6F271DBC73FB}
2011-08-02 14:39:49 -------- d-----w- c:\users\severan\appdata\local\{337BC3C4-E565-46C6-B060-9B16BDFCCDAE}
2011-08-02 02:29:05 -------- d-----w- c:\users\severan\appdata\local\{BD5789CF-AB20-4EF0-9F85-15BBF4526B4E}
2011-08-01 06:33:30 -------- d-----w- c:\users\severan\appdata\local\{166CFC97-6E2B-41AA-86FD-49BB4EC0B9FA}
2011-07-31 15:50:50 -------- d-----w- c:\users\severan\appdata\local\{B4BB457B-E504-4A45-9DEF-6EAB913B754B}
2011-07-31 03:49:50 -------- d-----w- c:\users\severan\appdata\local\{3894C5FC-88B8-4032-AE5C-943720245516}
2011-07-30 14:53:03 -------- d-----w- c:\users\severan\appdata\local\{02755C38-770A-4797-AFAD-7F3DCC513B3A}
2011-07-30 02:51:57 -------- d-----w- c:\users\severan\appdata\local\{49FEF190-F26F-4D04-A65F-489C94DF38AE}
.
==================== Find3M ====================
.
2011-08-28 22:05:56 1177 --sha-w- c:\windows\system32\mmf.sys
2011-08-16 13:26:55 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 9:07:58.48 ===============


#6 Blade81

Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland
  • Local time:05:58 AM

Posted 28 August 2011 - 11:44 PM

Hi again,

Open Notepad and copy/paste the text in the quote box below into it:

Driver::
GarenaPEngine

Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Posted Image

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe (let the tool update itself if prompted).
Then post the resultant log.



Update MBAM and run a quick scan with it. Post back the results.

Run a scan with the ESET Online Scanner and post back its log. Also post a fresh GMER log.


As a side note, your C: drive is almost full. I recommend making some space by uninstalling and removing unnecessary stuff.

Microsoft MVP Consumer Security 2008 2009 2010 2011 2012 2013
UNITE member since 2006

The malware removal instructions provided are meant to be used in the corresponding user's case only. If you have similar symptoms, please create your own topic instead of following instructions given to someone else.


#7 Severan

Severan
  • Topic Starter

  • Members
  • 13 posts
  • Local time:10:58 AM

Posted 31 August 2011 - 03:18 AM

The requested results and logs have been pasted below.

I have noticed that the available memory space in my C: drive sometimes changes, even when I have not created any files or installed new programs. I have seen it drop slowly, megabyte by megabyte, before suddenly re-opening up a large amount of storage. Might this also be the symptom of some computer infection?

I await further instructions; as always, thank you for your help!

ComboFix 11-08-27.01 - Severan 08/29/2011 14:12:49.2.2 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.2037.1090 [GMT 8:00]
Running from: c:\users\Severan\Desktop\ComboFix.exe
Command switches used :: c:\users\Severan\Desktop\CFScript.txt
AV: Symantec Endpoint Protection *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Symantec Endpoint Protection *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_GARENAPENGINE
-------\Service_GarenaPEngine
.
.
((((((((((((((((((((((((( Files Created from 2011-07-28 to 2011-08-29 )))))))))))))))))))))))))))))))
.
.
2011-08-29 06:28 . 2011-08-29 06:28 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-08-23 09:29 . 2011-08-23 09:29 -------- d-----w- C:\.jagex_cache_32
2011-08-16 21:51 . 2011-08-16 21:51 -------- d-----w- c:\users\Severan\AppData\Roaming\SUPERAntiSpyware.com
2011-08-16 13:33 . 2011-07-07 23:55 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-15 16:01 . 2011-08-15 16:01 -------- d-----w- c:\program files\Common Files\Bitdefender
2011-08-15 15:57 . 2011-08-15 15:58 -------- d-----w- c:\users\Severan\AppData\Roaming\QuickScan
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-29 06:37 . 2007-08-28 20:13 0 ----a-w- c:\users\Severan\AppData\Local\WavXMapDrive.bat
2011-08-16 13:26 . 2011-06-03 14:54 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-10 08:45 . 2011-03-28 10:36 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-08-17 11:30 . 2011-03-24 00:12 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2010-07-31 03:19 . 2010-02-09 22:34 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-04-16 159744]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-24 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-24 154392]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-24 133912]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-02-12 174872]
"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2007-02-15 66560]
"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2007-03-08 218688]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-21 1548288]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-07-31 30192]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"V0220Mon.exe"="c:\windows\V0220Mon.exe" [2006-06-28 32768]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"SigmatelSysTrayApp"="sttray.exe" [2007-04-17 303104]
"V0220Cfg.exe"="V0220Cfg.exe" [2006-04-13 20480]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-12-14 115560]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader9\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
.
c:\users\Severan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
IMVU.lnk - c:\users\Severan\AppData\Roaming\IMVUClient\IMVUQualityAgent.exe [2011-7-29 22784]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-8-22 50688]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-3 210520]
QuickSet.lnk - c:\windows\Installer\{7F0C4457-8E64-491B-8D7B-991504365D1E}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe [2007-8-22 45056]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\users\Severan\Programs\SAS\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\users\Severan\Programs\SAS\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 Secunia Update Agent;Secunia Update Agent;c:\users\Severan\Programs\Secunia\sua.exe [x]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-03-19 179712]
R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2010-12-14 23888]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-07-31 30192]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [x]
R3 PPJoyBus;Parallel Port Joystick Bus device driver;c:\windows\system32\drivers\PPJoyBus.sys [2004-10-24 13952]
R3 PPortJoystick;Parallel Port Joystick device driver;c:\windows\system32\drivers\PPortJoy.sys [2004-10-24 28800]
R3 V0220Dev;Live! Cam Video IM;c:\windows\system32\DRIVERS\V0220Dev.sys [2006-06-29 146112]
R3 V0220Vfx;V0220Vfx;c:\windows\system32\DRIVERS\V0220Vfx.sys [2006-06-08 6272]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S1 SASDIFSV;SASDIFSV;c:\users\Severan\Programs\SAS\SASDIFSV.SYS [2011-07-22 12880]
S1 SASKUTIL;SASKUTIL;c:\users\Severan\Programs\SAS\SASKUTIL.SYS [2011-07-12 67664]
S2 !SASCORE;SAS Core Service;c:\users\Severan\Programs\SAS\SASCORE.EXE [2011-08-11 116608]
S2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [2006-12-19 79432]
S2 LicCtrlService;LicCtrl Service;c:\windows\runservice.exe [2008-12-15 2560]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-07-27 105592]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-25 c:\windows\Tasks\Norton Security Scan for Severan.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.7.0.52\Nss.exe [2009-12-13 05:51]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bbc.co.uk
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.8.1
TCP: Interfaces\{5466EC0C-2276-4FEF-B090-94A6EF3EC957}: NameServer = 203.198.23.208 205.252.144.126
FF - ProfilePath - c:\users\Severan\AppData\Roaming\Mozilla\Firefox\Profiles\ljehb30i.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2186548529-1173517744-2209811348-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:34,10,21,f5,e7,ac,51,19,64,4b,72,7d,f4,bf,32,0b,cd,71,ea,4f,8f,fb,6b,
ab,35,dc,3c,b1,be,83,66,4f,78,95,24,ac,50,6c,1f,2b,95,0a,09,f2,24,c2,6f,bf,\
"??"=hex:e2,77,02,f2,1d,9a,55,fc,31,05,61,35,ae,56,57,db
.
[HKEY_USERS\S-1-5-21-2186548529-1173517744-2209811348-1000\Software\SecuROM\License information*]
@Allowed: (Read) (RestrictedCode)
"datasecu"=hex:24,97,12,e8,1b,70,cf,6f,8f,c6,eb,70,2c,8c,0a,16,1e,32,0c,06,72,
c8,dc,71,22,ec,a8,47,bf,01,98,9e,95,1b,1b,b9,7f,73,68,59,06,9e,93,01,d1,c3,\
"rkeysecu"=hex:85,9f,c3,b2,c2,25,b4,93,48,5e,e5,a6,57,9b,35,e2
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec AntiVirus\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\windows\system32\STacSV.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Symantec AntiVirus\SmcGui.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\windows\sttray.exe
c:\program files\Dell\QuickSet\quickset.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\ehome\ehmsas.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\RacAgent.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2011-08-29 14:48:15 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-29 06:46
ComboFix2.txt 2011-08-28 10:14
.
Pre-Run: 663,883,776 bytes free
Post-Run: 1,372,860,416 bytes free
.
- - End Of File - - 94E32376D5664FE1604FA43013037F31

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7602

Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421

8/29/2011 3:20:28 PM
mbam-log-2011-08-29 (15-20-27).txt

Scan type: Quick scan
Objects scanned: 169970
Time elapsed: 11 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=3d7ee37240c2944a975dccd9d517db35
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-08-29 11:37:40
# local_time=2011-08-29 07:37:40 (+0800, China Standard Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=5892 16776573 100 100 8072321 152132947 0 0
# compatibility_mode=8192 67108863 100 0 10860824 10860824 0 0
# scanned=325879
# found=3
# cleaned=3
# scan_time=14167
C:\Qoobox\Quarantine\C\Program Files\Internet Explorer\ielowutil\ielowutil.exe.vir Win32/TrojanClicker.Agent.NOL trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\Internet Explorer\ielowutil\register.exe.vir Win32/TrojanClicker.Agent.NOL trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\Internet Explorer\ielowutil\update.exe.vir Win32/TrojanClicker.Agent.NOL trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-08-31 15:33:52
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 ST912082 rev.3.AD
Running: gmer.exe; Driver: C:\Users\Severan\AppData\Local\Temp\pgloqpod.sys


---- System - GMER 1.0.15 ----

SSDT 876D8230 ZwAlertResumeThread
SSDT 87711C98 ZwAlertThread
SSDT 87704358 ZwAllocateVirtualMemory
SSDT 87710CF8 ZwConnectPort
SSDT 87711BC8 ZwCreateMutant
SSDT 8763D420 ZwCreateThread
SSDT 8746E178 ZwFreeVirtualMemory
SSDT 87668498 ZwImpersonateAnonymousToken
SSDT 8764A488 ZwImpersonateThread
SSDT 8766E9D0 ZwMapViewOfSection
SSDT 87668418 ZwOpenEvent
SSDT 8766E400 ZwOpenProcessToken
SSDT 87787CD8 ZwOpenThreadToken
SSDT 876770A8 ZwResumeThread
SSDT 87787BD8 ZwSetContextThread
SSDT 87703248 ZwSetInformationProcess
SSDT 87516CB8 ZwSetInformationThread
SSDT 870D7F10 ZwSuspendProcess
SSDT 87674DC0 ZwSuspendThread
SSDT 8764C458 ZwTerminateProcess
SSDT 87516BD8 ZwTerminateThread
SSDT 876123E0 ZwUnmapViewOfSection
SSDT 87516668 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 11D 828F08A0 8 Bytes [30, 82, 6D, 87, 98, 1C, 71, ...] {XOR [EDX+0x1c98876d], AL; JNO 0xffffffffffffff8f}
.text ntkrnlpa.exe!KeSetEvent + 131 828F08B4 4 Bytes [58, 43, 70, 87] {POP EAX; INC EBX; JO 0xffffffffffffff8b}
.text ntkrnlpa.exe!KeSetEvent + 1C1 828F0944 4 Bytes [F8, 0C, 71, 87]
.text ntkrnlpa.exe!KeSetEvent + 1F5 828F0978 4 Bytes [C8, 1B, 71, 87] {ENTER 0x711b, 0x87}
.text ntkrnlpa.exe!KeSetEvent + 221 828F09A4 4 Bytes [20, D4, 63, 87]
.text ...
page C:\Windows\System32\Drivers\oz776.sys entry point in "page" section [0x8FF6DE34]
? C:\ComboFix\catchme.sys The system cannot find the file specified. !
? C:\Windows\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[2888] USER32.dll!EnableWindow 76B8CD8B 5 Bytes JMP 6C379884 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2888] USER32.dll!DialogBoxParamW 76BB10B0 5 Bytes JMP 6C2D15BB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2888] USER32.dll!DialogBoxIndirectParamW 76BB2EF5 5 Bytes JMP 6C4C590F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2888] USER32.dll!DialogBoxParamA 76BC8152 5 Bytes JMP 6C4C58AA C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2888] USER32.dll!DialogBoxIndirectParamA 76BC847D 5 Bytes JMP 6C4C5974 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2888] USER32.dll!MessageBoxIndirectA 76BDD4D9 5 Bytes JMP 6C4C5831 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2888] USER32.dll!MessageBoxIndirectW 76BDD5D3 5 Bytes JMP 6C4C57B8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2888] USER32.dll!MessageBoxExA 76BDD639 5 Bytes JMP 6C4C5754 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2888] USER32.dll!MessageBoxExW 76BDD65D 5 Bytes JMP 6C4C56F0 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2888] WININET.dll!HttpAddRequestHeadersA 76991B9C 5 Bytes JMP 008B6811
.text C:\Program Files\Internet Explorer\iexplore.exe[2888] WININET.dll!HttpAddRequestHeadersW 769DF7A8 5 Bytes JMP 008B6A1C
.text C:\Program Files\Internet Explorer\iexplore.exe[2888] WS2_32.dll!closesocket 7676330C 5 Bytes JMP 00B3000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2888] WS2_32.dll!recv 7676343A 5 Bytes JMP 00A1000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2888] WS2_32.dll!connect 767640D9 5 Bytes JMP 00B2000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2888] WS2_32.dll!getaddrinfo 7676418A 5 Bytes JMP 00B6000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2888] WS2_32.dll!send 7676659B 5 Bytes JMP 00B4000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2888] WS2_32.dll!gethostbyname 767762D4 5 Bytes JMP 00B5000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3624] kernel32.dll!CreateThread 76AEC90E 5 Bytes JMP 6C337133 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3624] USER32.dll!SetWindowsHookExW 76B887AD 5 Bytes JMP 6C371FE4 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3624] USER32.dll!CallNextHookEx 76B88E3B 5 Bytes JMP 6C397AEF C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3624] USER32.dll!UnhookWindowsHookEx 76B898DB 5 Bytes JMP 6C3BEB70 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3624] USER32.dll!EnableWindow 76B8CD8B 5 Bytes JMP 6C379884 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3624] USER32.dll!DefWindowProcA 76B8DB88 7 Bytes JMP 6C339345 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3624] USER32.dll!CreateWindowExA 76B8DC2A 2 Bytes JMP 6C343173 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3624] USER32.dll!CreateWindowExA + 3 76B8DC2D 2 Bytes [7B, F5] {JNP 0xfffffffffffffff7}
.text C:\Program Files\Internet Explorer\iexplore.exe[3624] USER32.dll!CreateWindowExW 76B91305 5 Bytes JMP 6C39FF57 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3624] USER32.dll!DefWindowProcW 76BA03B4 7 Bytes JMP 6C397B52 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3624] USER32.dll!DialogBoxParamW 76BB10B0 5 Bytes JMP 6C2D15BB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3624] USER32.dll!DialogBoxIndirectParamW 76BB2EF5 5 Bytes JMP 6C4C590F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3624] USER32.dll!DialogBoxParamA 76BC8152 5 Bytes JMP 6C4C58AA C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3624] USER32.dll!DialogBoxIndirectParamA 76BC847D 5 Bytes JMP 6C4C5974 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3624] USER32.dll!MessageBoxIndirectA 76BDD4D9 5 Bytes JMP 6C4C5831 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3624] USER32.dll!MessageBoxIndirectW 76BDD5D3 5 Bytes JMP 6C4C57B8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3624] USER32.dll!MessageBoxExA 76BDD639 5 Bytes JMP 6C4C5754 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3624] USER32.dll!MessageBoxExW 76BDD65D 5 Bytes JMP 6C4C56F0 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3624] ole32.dll!OleLoadFromStream 75891E80 5 Bytes JMP 6C4C6110 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3624] ole32.dll!CoCreateInstance 758C9F3E 5 Bytes JMP 6C39B6D4 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3624] WININET.dll!HttpAddRequestHeadersA 76991B9C 5 Bytes JMP 00D56811
.text C:\Program Files\Internet Explorer\iexplore.exe[3624] WININET.dll!HttpAddRequestHeadersW 769DF7A8 5 Bytes JMP 00D56A1C
.text C:\Program Files\Internet Explorer\iexplore.exe[3624] WS2_32.dll!closesocket 7676330C 5 Bytes JMP 00DF000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3624] WS2_32.dll!recv 7676343A 5 Bytes JMP 00DD000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3624] WS2_32.dll!connect 767640D9 5 Bytes JMP 00DE000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3624] WS2_32.dll!getaddrinfo 7676418A 5 Bytes JMP 00E6000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3624] WS2_32.dll!send 7676659B 5 Bytes JMP 00E0000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3624] WS2_32.dll!gethostbyname 767762D4 5 Bytes JMP 00E5000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\iaStor \Device\Ide\iaStor0 870371ED
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 870371ED

AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Threads - GMER 1.0.15 ----

Thread System [4:272] 8703BE7A
Thread System [4:276] 8703E008

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2B8FE84C-A16E-4775-A7D9-BC7DE06573F8}@LeaseObtainedTime 1314734430
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2B8FE84C-A16E-4775-A7D9-BC7DE06573F8}@T1 1314734580
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2B8FE84C-A16E-4775-A7D9-BC7DE06573F8}@T2 1314734692
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2B8FE84C-A16E-4775-A7D9-BC7DE06573F8}@LeaseTerminatesTime 1314734730

---- EOF - GMER 1.0.15 ----


Edited by Severan, 31 August 2011 - 03:20 AM.


#8 Blade81

Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland
  • Local time:05:58 AM

Posted 31 August 2011 - 05:24 AM

Hi,

1. Download TDSSKiller and extract its contents into a folder in a location of your choosing (e.g. c:\tdsskiller).
2. Execute the file TDSSKiller.exe.
3. Click Start Scan. If threats are found, select Cure and click Continue (the tool may prompt for a reboot).
4. Post back the contents of the log file in the C: drive root (the name should be in UtilityName.Version_Date_Time_log.txt format).

I have noticed that the available memory space in my C: drive sometimes changes, even when I have not created any files or installed new programs. I have seen it drop slowly, megabyte by megabyte, before suddenly re-opening up a large amount of storage. Might this also be the symptom of some computer infection?

It may also be System Restore's doing.



#9 Severan

Severan
  • Topic Starter

  • Members
  • 13 posts
  • Local time:10:58 AM

Posted 31 August 2011 - 11:08 AM

Here is the TDSSKiller log.

I await further instructions; as always, thank you for your help!

2011/08/31 23:26:58.0510 2040 TDSS rootkit removing tool 2.5.17.0 Aug 22 2011 15:46:57
2011/08/31 23:26:59.0273 2040 ================================================================================
2011/08/31 23:26:59.0273 2040 SystemInfo:
2011/08/31 23:26:59.0273 2040
2011/08/31 23:26:59.0274 2040 OS Version: 6.0.6002 ServicePack: 2.0
2011/08/31 23:26:59.0274 2040 Product type: Workstation
2011/08/31 23:26:59.0274 2040 ComputerName: SEVERAN-PC
2011/08/31 23:26:59.0274 2040 UserName: Severan
2011/08/31 23:26:59.0275 2040 Windows directory: C:\Windows
2011/08/31 23:26:59.0275 2040 System windows directory: C:\Windows
2011/08/31 23:26:59.0275 2040 Processor architecture: Intel x86
2011/08/31 23:26:59.0275 2040 Number of processors: 2
2011/08/31 23:26:59.0275 2040 Page size: 0x1000
2011/08/31 23:26:59.0275 2040 Boot type: Normal boot
2011/08/31 23:26:59.0275 2040 ================================================================================
2011/08/31 23:27:01.0021 2040 Initialize success
2011/08/31 23:27:03.0166 5212 ================================================================================
2011/08/31 23:27:03.0167 5212 Scan started
2011/08/31 23:27:03.0167 5212 Mode: Manual;
2011/08/31 23:27:03.0167 5212 ================================================================================
2011/08/31 23:27:05.0464 5212 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
2011/08/31 23:27:05.0720 5212 adp94xx (2edc5bbac6c651ece337bde8ed97c9fb) C:\Windows\system32\drivers\adp94xx.sys
2011/08/31 23:27:06.0251 5212 adpahci (b84088ca3cdca97da44a984c6ce1ccad) C:\Windows\system32\drivers\adpahci.sys
2011/08/31 23:27:06.0972 5212 adpu160m (7880c67bccc27c86fd05aa2afb5ea469) C:\Windows\system32\drivers\adpu160m.sys
2011/08/31 23:27:07.0768 5212 adpu320 (9ae713f8e30efc2abccd84904333df4d) C:\Windows\system32\drivers\adpu320.sys
2011/08/31 23:27:08.0358 5212 AFD (a201207363aa900abf1a388468688570) C:\Windows\system32\drivers\afd.sys
2011/08/31 23:27:08.0449 5212 agp440 (8b10ce1c1f9f1d47e4deb1a547a00cd4) C:\Windows\system32\drivers\agp440.sys
2011/08/31 23:27:08.0794 5212 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
2011/08/31 23:27:09.0149 5212 aliide (5c42a992e68724d2cd3ddb4fc3b0409f) C:\Windows\system32\drivers\aliide.sys
2011/08/31 23:27:09.0707 5212 amdagp (848f27e5b27c1c253f6cefdc1a5d8f21) C:\Windows\system32\drivers\amdagp.sys
2011/08/31 23:27:10.0367 5212 amdide (849dfacdde533da5d1810f0caf84eb19) C:\Windows\system32\drivers\amdide.sys
2011/08/31 23:27:10.0834 5212 AmdK7 (dc487885bcef9f28eece6fac0e5ddfc5) C:\Windows\system32\drivers\amdk7.sys
2011/08/31 23:27:11.0110 5212 AmdK8 (0ca0071da4315b00fc1328ca86b425da) C:\Windows\system32\drivers\amdk8.sys
2011/08/31 23:27:11.0342 5212 ApfiltrService (587ca72709dd93942422f40a9b046dd8) C:\Windows\system32\DRIVERS\Apfiltr.sys
2011/08/31 23:27:11.0733 5212 arc (5f673180268bb1fdb69c99b6619fe379) C:\Windows\system32\drivers\arc.sys
2011/08/31 23:27:12.0293 5212 arcsas (957f7540b5e7f602e44648c7de5a1c05) C:\Windows\system32\drivers\arcsas.sys
2011/08/31 23:27:12.0832 5212 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
2011/08/31 23:27:13.0237 5212 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys
2011/08/31 23:27:13.0446 5212 b57nd60x (0b92ccf7bfcbe2b33838434f2f50cb61) C:\Windows\system32\DRIVERS\b57nd60x.sys
2011/08/31 23:27:13.0569 5212 BASFND (5c68ac6f3e5b3e6d6a78e97d05e42c3a) C:\Program Files\Broadcom\ASFIPMon\BASFND.sys
2011/08/31 23:27:13.0849 5212 BCM43XX (746f59822a5187510471fc46889b8cc9) C:\Windows\system32\DRIVERS\bcmwl6.sys
2011/08/31 23:27:14.0275 5212 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
2011/08/31 23:27:14.0611 5212 bowser (35f376253f687bde63976ccb3f2108ca) C:\Windows\system32\DRIVERS\bowser.sys
2011/08/31 23:27:14.0733 5212 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
2011/08/31 23:27:15.0113 5212 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
2011/08/31 23:27:15.0872 5212 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
2011/08/31 23:27:16.0170 5212 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
2011/08/31 23:27:16.0436 5212 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
2011/08/31 23:27:16.0833 5212 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
2011/08/31 23:27:17.0246 5212 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
2011/08/31 23:27:17.0919 5212 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
2011/08/31 23:27:18.0069 5212 cdrom (6b4bffb9becd728097024276430db314) C:\Windows\system32\DRIVERS\cdrom.sys
2011/08/31 23:27:18.0658 5212 circlass (da8e0afc7baa226c538ef53ac2f90897) C:\Windows\system32\drivers\circlass.sys
2011/08/31 23:27:18.0869 5212 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys
2011/08/31 23:27:19.0383 5212 CmBatt (99afc3795b58cc478fbbbcdc658fcb56) C:\Windows\system32\DRIVERS\CmBatt.sys
2011/08/31 23:27:19.0815 5212 cmdide (de11a06e187756ecb86cfa82dac40ff7) C:\Windows\system32\drivers\cmdide.sys
2011/08/31 23:27:20.0457 5212 COH_Mon (4f2dedeed7c091fafc4dada5534f3d37) C:\Windows\system32\Drivers\COH_Mon.sys
2011/08/31 23:27:20.0850 5212 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\DRIVERS\compbatt.sys
2011/08/31 23:27:21.0070 5212 crcdisk (2a213ae086bbec5e937553c7d9a2b22c) C:\Windows\system32\drivers\crcdisk.sys
2011/08/31 23:27:21.0169 5212 Crusoe (22a7f883508176489f559ee745b5bf5d) C:\Windows\system32\drivers\crusoe.sys
2011/08/31 23:27:21.0326 5212 CSC (9bdb2e89be8d0ef37b1f25c3d3fc192c) C:\Windows\system32\drivers\csc.sys
2011/08/31 23:27:21.0489 5212 DfsC (218d8ae46c88e82014f5d73d0236d9b2) C:\Windows\system32\Drivers\dfsc.sys
2011/08/31 23:27:21.0884 5212 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys
2011/08/31 23:27:22.0396 5212 Dot4 (4f59c172c094e1a1d46463a8dc061cbd) C:\Windows\system32\DRIVERS\Dot4.sys
2011/08/31 23:27:22.0880 5212 Dot4Print (80bf3ba09f6f2523c8f6b7cc6dbf7bd5) C:\Windows\system32\DRIVERS\Dot4Prt.sys
2011/08/31 23:27:23.0200 5212 dot4usb (c55004ca6b419b6695970dfe849b122f) C:\Windows\system32\DRIVERS\dot4usb.sys
2011/08/31 23:27:23.0290 5212 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
2011/08/31 23:27:23.0751 5212 DXGKrnl (c68ac676b0ef30cfbb1080adce49eb1f) C:\Windows\System32\drivers\dxgkrnl.sys
2011/08/31 23:27:23.0925 5212 e1express (7505290504c8e2d172fa378cc0497bcc) C:\Windows\system32\DRIVERS\e1e6032.sys
2011/08/31 23:27:24.0054 5212 E1G60 (f88fb26547fd2ce6d0a5af2985892c48) C:\Windows\system32\DRIVERS\E1G60I32.sys
2011/08/31 23:27:24.0320 5212 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys
2011/08/31 23:27:24.0461 5212 eeCtrl (8f7dbc4be48f5388a6fe1f285e7948ef) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
2011/08/31 23:27:24.0656 5212 elxstor (e8f3f21a71720c84bcf423b80028359f) C:\Windows\system32\drivers\elxstor.sys
2011/08/31 23:27:25.0039 5212 EraserUtilRebootDrv (3ee14d400e0fdd0d214275a4a20b7022) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
2011/08/31 23:27:25.0247 5212 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
2011/08/31 23:27:25.0366 5212 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
2011/08/31 23:27:25.0479 5212 fdc (63bdada84951b9c03e641800e176898a) C:\Windows\system32\DRIVERS\fdc.sys
2011/08/31 23:27:25.0626 5212 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
2011/08/31 23:27:25.0714 5212 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
2011/08/31 23:27:25.0883 5212 flpydisk (6603957eff5ec62d25075ea8ac27de68) C:\Windows\system32\DRIVERS\flpydisk.sys
2011/08/31 23:27:26.0009 5212 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
2011/08/31 23:27:26.0101 5212 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
2011/08/31 23:27:26.0155 5212 fvevol (fecf4c2e42440a8d132bf94eee3c3fc9) C:\Windows\system32\DRIVERS\fvevol.sys
2011/08/31 23:27:26.0196 5212 gagp30kx (4e1cd0a45c50a8882616cae5bf82f3c5) C:\Windows\system32\drivers\gagp30kx.sys
2011/08/31 23:27:26.0362 5212 GEARAspiWDM (df6e37b27a9a1a498c6d9f29995b7a03) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
2011/08/31 23:27:26.0484 5212 guardian2 (0e1fd1ea2837d6b7a1d7b6c928014d05) C:\Windows\system32\Drivers\oz776.sys
2011/08/31 23:27:26.0589 5212 HdAudAddService (cb04c744be0a61b1d648faed182c3b59) C:\Windows\system32\drivers\HdAudio.sys
2011/08/31 23:27:26.0721 5212 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
2011/08/31 23:27:26.0816 5212 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
2011/08/31 23:27:26.0891 5212 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
2011/08/31 23:27:27.0116 5212 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
2011/08/31 23:27:27.0351 5212 HpCISSs (df353b401001246853763c4b7aaa6f50) C:\Windows\system32\drivers\hpcisss.sys
2011/08/31 23:27:27.0697 5212 HSF_DPV (e9e589c9ab799f52e18f057635a2b362) C:\Windows\system32\DRIVERS\HSX_DPV.sys
2011/08/31 23:27:27.0880 5212 HSXHWAZL (7845d2385f4dc7dfb3ccaf0c2fa4948e) C:\Windows\system32\DRIVERS\HSXHWAZL.sys
2011/08/31 23:27:28.0112 5212 HTTP (f870aa3e254628ebeafe754108d664de) C:\Windows\system32\drivers\HTTP.sys
2011/08/31 23:27:28.0221 5212 i2omp (324c2152ff2c61abae92d09f3cca4d63) C:\Windows\system32\drivers\i2omp.sys
2011/08/31 23:27:28.0583 5212 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
2011/08/31 23:27:28.0727 5212 iaStor (fd7f9d74c2b35dbda400804a3f5ed5d8) C:\Windows\system32\drivers\iastor.sys
2011/08/31 23:27:28.0895 5212 iaStorV (c957bf4b5d80b46c5017bf0101e6c906) C:\Windows\system32\drivers\iastorv.sys
2011/08/31 23:27:29.0178 5212 igfx (f7ecd4b9e7fad4a01a0ed889d40e2494) C:\Windows\system32\DRIVERS\igdkmd32.sys
2011/08/31 23:27:29.0577 5212 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
2011/08/31 23:27:30.0399 5212 intelide (1b16626beae3a52e611fc681cd796f86) C:\Windows\system32\DRIVERS\intelide.sys
2011/08/31 23:27:30.0655 5212 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
2011/08/31 23:27:30.0923 5212 IPMIDRV (40f34f8aba2a015d780e4b09138b6c17) C:\Windows\system32\drivers\ipmidrv.sys
2011/08/31 23:27:31.0021 5212 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
2011/08/31 23:27:31.0172 5212 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
2011/08/31 23:27:31.0293 5212 isapnp (2f8ece2699e7e2070545e9b0960a8ed2) C:\Windows\system32\drivers\isapnp.sys
2011/08/31 23:27:31.0475 5212 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
2011/08/31 23:27:31.0531 5212 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
2011/08/31 23:27:32.0177 5212 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
2011/08/31 23:27:32.0681 5212 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
2011/08/31 23:27:32.0879 5212 kbdhid (d2600cb17b7408b4a83f231dc9a11ac3) C:\Windows\system32\DRIVERS\kbdhid.sys
2011/08/31 23:27:33.0117 5212 KSecDD (86165728af9bf72d6442a894fdfb4f8b) C:\Windows\system32\Drivers\ksecdd.sys
2011/08/31 23:27:33.0606 5212 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
2011/08/31 23:27:33.0861 5212 LSI_FC (a2262fb9f28935e862b4db46438c80d2) C:\Windows\system32\drivers\lsi_fc.sys
2011/08/31 23:27:34.0294 5212 LSI_SAS (30d73327d390f72a62f32c103daf1d6d) C:\Windows\system32\drivers\lsi_sas.sys
2011/08/31 23:27:34.0647 5212 LSI_SCSI (e1e36fefd45849a95f1ab81de0159fe3) C:\Windows\system32\drivers\lsi_scsi.sys
2011/08/31 23:27:35.0099 5212 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
2011/08/31 23:27:35.0284 5212 mcdbus (8fd868e32459ece2a1bb0169f513d31e) C:\Windows\system32\DRIVERS\mcdbus.sys
2011/08/31 23:27:35.0709 5212 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\Windows\system32\DRIVERS\mdmxsdk.sys
2011/08/31 23:27:35.0855 5212 megasas (d153b14fc6598eae8422a2037553adce) C:\Windows\system32\drivers\megasas.sys
2011/08/31 23:27:36.0199 5212 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
2011/08/31 23:27:36.0284 5212 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
2011/08/31 23:27:36.0402 5212 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
2011/08/31 23:27:36.0519 5212 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
2011/08/31 23:27:36.0832 5212 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
2011/08/31 23:27:36.0958 5212 mpio (583a41f26278d9e0ea548163d6139397) C:\Windows\system32\drivers\mpio.sys
2011/08/31 23:27:37.0196 5212 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
2011/08/31 23:27:37.0490 5212 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
2011/08/31 23:27:37.0736 5212 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
2011/08/31 23:27:37.0839 5212 mrxsmb (5fe5cf325f5b02ebc60832d3440cb414) C:\Windows\system32\DRIVERS\mrxsmb.sys
2011/08/31 23:27:37.0947 5212 mrxsmb10 (30b9c769446af379a2afb72b0392604d) C:\Windows\system32\DRIVERS\mrxsmb10.sys
2011/08/31 23:27:38.0121 5212 mrxsmb20 (fea239b3ec4877e2b7e23204af589ddf) C:\Windows\system32\DRIVERS\mrxsmb20.sys
2011/08/31 23:27:38.0271 5212 msahci (0d1c042188ffe61a702a9df5944de5ba) C:\Windows\system32\drivers\msahci.sys
2011/08/31 23:27:38.0871 5212 msdsm (3fc82a2ae4cc149165a94699183d3028) C:\Windows\system32\drivers\msdsm.sys
2011/08/31 23:27:39.0446 5212 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
2011/08/31 23:27:39.0744 5212 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
2011/08/31 23:27:39.0894 5212 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
2011/08/31 23:27:40.0172 5212 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
2011/08/31 23:27:40.0572 5212 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
2011/08/31 23:27:40.0939 5212 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
2011/08/31 23:27:41.0069 5212 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
2011/08/31 23:27:41.0162 5212 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
2011/08/31 23:27:41.0402 5212 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
2011/08/31 23:27:41.0538 5212 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
2011/08/31 23:27:41.0802 5212 NAVENG (862f55824ac81295837b0ab63f91071f) C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20110830.017\NAVENG.SYS
2011/08/31 23:27:42.0267 5212 NAVEX15 (529d571b551cb9da44237389b936f1ae) C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20110830.017\NAVEX15.SYS
2011/08/31 23:27:42.0859 5212 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys
2011/08/31 23:27:42.0969 5212 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
2011/08/31 23:27:43.0291 5212 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
2011/08/31 23:27:43.0508 5212 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
2011/08/31 23:27:43.0839 5212 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
2011/08/31 23:27:44.0070 5212 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
2011/08/31 23:27:44.0232 5212 netbt (ecd64230a59cbd93c85f1cd1cab9f3f6) C:\Windows\system32\DRIVERS\netbt.sys
2011/08/31 23:27:44.0657 5212 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
2011/08/31 23:27:45.0325 5212 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
2011/08/31 23:27:45.0721 5212 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
2011/08/31 23:27:46.0227 5212 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
2011/08/31 23:27:46.0556 5212 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
2011/08/31 23:27:46.0813 5212 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
2011/08/31 23:27:46.0890 5212 nvraid (e69e946f80c1c31c53003bfbf50cbb7c) C:\Windows\system32\drivers\nvraid.sys
2011/08/31 23:27:47.0510 5212 nvstor (9e0ba19a28c498a6d323d065db76dffc) C:\Windows\system32\drivers\nvstor.sys
2011/08/31 23:27:47.0734 5212 nv_agp (055081fd5076401c1ee1bcab08d81911) C:\Windows\system32\drivers\nv_agp.sys
2011/08/31 23:27:48.0377 5212 ohci1394 (6f310e890d46e246e0e261a63d9b36b4) C:\Windows\system32\DRIVERS\ohci1394.sys
2011/08/31 23:27:48.0767 5212 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys
2011/08/31 23:27:48.0981 5212 partmgr (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys
2011/08/31 23:27:49.0048 5212 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys
2011/08/31 23:27:49.0167 5212 PBADRV (e3e6e724d6a82ab6a2afbcb21180ffce) C:\Windows\system32\DRIVERS\PBADRV.sys
2011/08/31 23:27:49.0257 5212 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
2011/08/31 23:27:49.0348 5212 pciide (1636d43f10416aeb483bc6001097b26c) C:\Windows\system32\drivers\pciide.sys
2011/08/31 23:27:49.0417 5212 pcmcia (3bb2244f343b610c29c98035504c9b75) C:\Windows\system32\DRIVERS\pcmcia.sys
2011/08/31 23:27:49.0511 5212 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
2011/08/31 23:27:49.0756 5212 PPJoyBus (89045b00bd36cfe3910e3cb6762c2db0) C:\Windows\system32\drivers\PPJoyBus.sys
2011/08/31 23:27:49.0907 5212 PPortJoystick (f1228587245ad1db17f918d518d85bc1) C:\Windows\system32\drivers\PPortJoy.sys
2011/08/31 23:27:50.0013 5212 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
2011/08/31 23:27:50.0059 5212 Processor (0e3cef5d28b40cf273281d620c50700a) C:\Windows\system32\drivers\processr.sys
2011/08/31 23:27:50.0277 5212 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
2011/08/31 23:27:50.0352 5212 PxHelp20 (feffcfdc528764a04c8ed63d5fa6e711) C:\Windows\system32\Drivers\PxHelp20.sys
2011/08/31 23:27:50.0446 5212 ql2300 (ccdac889326317792480c0a67156a1ec) C:\Windows\system32\drivers\ql2300.sys
2011/08/31 23:27:50.0698 5212 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
2011/08/31 23:27:50.0922 5212 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
2011/08/31 23:27:51.0098 5212 R300 (e642b131fb74caf4bb8a014f31113142) C:\Windows\system32\DRIVERS\atikmdag.sys
2011/08/31 23:27:51.0400 5212 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
2011/08/31 23:27:51.0472 5212 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
2011/08/31 23:27:51.0563 5212 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
2011/08/31 23:27:51.0603 5212 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
2011/08/31 23:27:51.0644 5212 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
2011/08/31 23:27:51.0725 5212 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
2011/08/31 23:27:51.0821 5212 rdpdr (943b18305eae3935598a9b4a3d560b4c) C:\Windows\system32\DRIVERS\rdpdr.sys
2011/08/31 23:27:51.0910 5212 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
2011/08/31 23:27:51.0992 5212 RDPWD (30bfbdfb7f95559ede971f9ddb9a00ba) C:\Windows\system32\drivers\RDPWD.sys
2011/08/31 23:27:52.0207 5212 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
2011/08/31 23:27:52.0329 5212 SASDIFSV (39763504067962108505bff25f024345) C:\Users\Severan\Programs\SAS\SASDIFSV.SYS
2011/08/31 23:27:52.0365 5212 SASKUTIL (77b9fc20084b48408ad3e87570eb4a85) C:\Users\Severan\Programs\SAS\SASKUTIL.SYS
2011/08/31 23:27:52.0475 5212 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
2011/08/31 23:27:52.0697 5212 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
2011/08/31 23:27:52.0798 5212 Serenum (ce9ec966638ef0b10b864ddedf62a099) C:\Windows\system32\DRIVERS\serenum.sys
2011/08/31 23:27:52.0833 5212 Serial (6d663022db3e7058907784ae14b69898) C:\Windows\system32\DRIVERS\serial.sys
2011/08/31 23:27:52.0892 5212 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
2011/08/31 23:27:53.0046 5212 sffdisk (103b79418da647736ee95645f305f68a) C:\Windows\system32\drivers\sffdisk.sys
2011/08/31 23:27:53.0111 5212 sffp_mmc (8fd08a310645fe872eeec6e08c6bf3ee) C:\Windows\system32\drivers\sffp_mmc.sys
2011/08/31 23:27:53.0211 5212 sffp_sd (9cfa05fcfcb7124e69cfc812b72f9614) C:\Windows\system32\drivers\sffp_sd.sys
2011/08/31 23:27:53.0295 5212 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
2011/08/31 23:27:53.0539 5212 sisagp (08072b2fb92477fc813271a84b3a8698) C:\Windows\system32\drivers\sisagp.sys
2011/08/31 23:27:53.0727 5212 SiSRaid2 (cedd6f4e7d84e9f98b34b3fe988373aa) C:\Windows\system32\drivers\sisraid2.sys
2011/08/31 23:27:53.0932 5212 SiSRaid4 (df843c528c4f69d12ce41ce462e973a7) C:\Windows\system32\drivers\sisraid4.sys
2011/08/31 23:27:54.0106 5212 Smb (7b75299a4d201d6a6533603d6914ab04) C:\Windows\system32\DRIVERS\smb.sys
2011/08/31 23:27:54.0337 5212 SPBBCDrv (e87cf104f12c92401c4d33c50a3d5dc8) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
2011/08/31 23:27:54.0446 5212 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
2011/08/31 23:27:54.0557 5212 SRTSP (b36f8d6a02ff2b3a53e250a629782f29) C:\Windows\system32\Drivers\SRTSP.SYS
2011/08/31 23:27:54.0629 5212 SRTSPL (e99bd98ac171a29fc1ba9376be87ae73) C:\Windows\system32\Drivers\SRTSPL.SYS
2011/08/31 23:27:54.0859 5212 SRTSPX (1af34729898063e9b7df8d149d767e07) C:\Windows\system32\Drivers\SRTSPX.SYS
2011/08/31 23:27:54.0916 5212 srv (41987f9fc0e61adf54f581e15029ad91) C:\Windows\system32\DRIVERS\srv.sys
2011/08/31 23:27:54.0970 5212 srv2 (a5940ca32ed206f90be9fabdf6e92de4) C:\Windows\system32\DRIVERS\srv2.sys
2011/08/31 23:27:55.0075 5212 srvnet (37aa1d560d5fa486c4b11c2f276ada61) C:\Windows\system32\DRIVERS\srvnet.sys
2011/08/31 23:27:55.0192 5212 STHDA (3cfea727795243364bb6a7f9a091faa3) C:\Windows\system32\drivers\stwrt.sys
2011/08/31 23:27:55.0356 5212 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
2011/08/31 23:27:55.0435 5212 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
2011/08/31 23:27:55.0676 5212 SymEvent (e42a34e6f5ca71a84d4c2de620aad13d) C:\Windows\system32\Drivers\SYMEVENT.SYS
2011/08/31 23:27:56.0282 5212 SYMREDRV (394b2368212114d538316812af60fddd) C:\Windows\System32\Drivers\SYMREDRV.SYS
2011/08/31 23:27:56.0346 5212 SYMTDI (d46676bb414c7531bdffe637a33f5033) C:\Windows\System32\Drivers\SYMTDI.SYS
2011/08/31 23:27:56.0414 5212 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
2011/08/31 23:27:56.0698 5212 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
2011/08/31 23:27:57.0051 5212 Tcpip (a474879afa4a596b3a531f3e69730dbf) C:\Windows\system32\drivers\tcpip.sys
2011/08/31 23:27:57.0151 5212 Tcpip6 (a474879afa4a596b3a531f3e69730dbf) C:\Windows\system32\DRIVERS\tcpip.sys
2011/08/31 23:27:57.0271 5212 tcpipreg (608c345a255d82a6289c2d468eb41fd7) C:\Windows\system32\drivers\tcpipreg.sys
2011/08/31 23:27:57.0421 5212 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
2011/08/31 23:27:57.0613 5212 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
2011/08/31 23:27:57.0748 5212 tdx (76b06eb8a01fc8624d699e7045303e54) C:\Windows\system32\DRIVERS\tdx.sys
2011/08/31 23:27:57.0816 5212 TermDD (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys
2011/08/31 23:27:57.0967 5212 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
2011/08/31 23:27:58.0096 5212 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
2011/08/31 23:27:58.0164 5212 tunnel (300db877ac094feab0be7688c3454a9c) C:\Windows\system32\DRIVERS\tunnel.sys
2011/08/31 23:27:58.0235 5212 uagp35 (c3ade15414120033a36c0f293d4a4121) C:\Windows\system32\drivers\uagp35.sys
2011/08/31 23:27:58.0468 5212 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
2011/08/31 23:27:58.0610 5212 uliagpkx (6d72ef05921abdf59fc45c7ebfe7e8dd) C:\Windows\system32\drivers\uliagpkx.sys
2011/08/31 23:27:58.0778 5212 uliahci (3cd4ea35a6221b85dcc25daa46313f8d) C:\Windows\system32\drivers\uliahci.sys
2011/08/31 23:27:58.0935 5212 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
2011/08/31 23:27:59.0076 5212 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
2011/08/31 23:27:59.0248 5212 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
2011/08/31 23:27:59.0359 5212 USBAAPL (f340199e8cb097e1acd58a967c665919) C:\Windows\system32\Drivers\usbaapl.sys
2011/08/31 23:27:59.0472 5212 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
2011/08/31 23:27:59.0596 5212 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
2011/08/31 23:27:59.0721 5212 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys
2011/08/31 23:27:59.0810 5212 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys
2011/08/31 23:27:59.0889 5212 usbohci (38dbc7dd6cc5a72011f187425384388b) C:\Windows\system32\drivers\usbohci.sys
2011/08/31 23:28:00.0047 5212 usbprint (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys
2011/08/31 23:28:00.0150 5212 usbscan (a508c9bd8724980512136b039bba65e9) C:\Windows\system32\DRIVERS\usbscan.sys
2011/08/31 23:28:00.0240 5212 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
2011/08/31 23:28:00.0354 5212 usbuhci (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys
2011/08/31 23:28:00.0455 5212 V0220Dev (d26829d436f592f6d80d71b9c02c690f) C:\Windows\system32\DRIVERS\V0220Dev.sys
2011/08/31 23:28:00.0565 5212 V0220Vfx (eb4e73963bc2eda84b93b29174e15b02) C:\Windows\system32\DRIVERS\V0220Vfx.sys
2011/08/31 23:28:00.0674 5212 vga (7d92be0028ecdedec74617009084b5ef) C:\Windows\system32\DRIVERS\vgapnp.sys
2011/08/31 23:28:00.0859 5212 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
2011/08/31 23:28:00.0953 5212 viaagp (d5929a28bdff4367a12caf06af901971) C:\Windows\system32\drivers\viaagp.sys
2011/08/31 23:28:01.0168 5212 ViaC7 (56a4de5f02f2e88182b0981119b4dd98) C:\Windows\system32\drivers\viac7.sys
2011/08/31 23:28:01.0254 5212 viaide (c0ace9d0f5a5ee0b00f58345947a57fc) C:\Windows\system32\drivers\viaide.sys
2011/08/31 23:28:01.0419 5212 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
2011/08/31 23:28:01.0520 5212 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
2011/08/31 23:28:01.0628 5212 volsnap (e269bb33062f9a6b4115c86781d767aa) C:\Windows\system32\drivers\volsnap.sys
2011/08/31 23:28:01.0643 5212 Suspicious file (Forged): C:\Windows\system32\drivers\volsnap.sys. Real md5: e269bb33062f9a6b4115c86781d767aa, Fake md5: 147281c01fcb1df9252de2a10d5e7093
2011/08/31 23:28:01.0679 5212 volsnap - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/08/31 23:28:01.0753 5212 vsmraid (d984439746d42b30fc65a4c3546c6829) C:\Windows\system32\drivers\vsmraid.sys
2011/08/31 23:28:02.0037 5212 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
2011/08/31 23:28:02.0120 5212 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2011/08/31 23:28:02.0151 5212 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2011/08/31 23:28:02.0257 5212 WavxDMgr (993a6220a94f2e531cf0e577dc3cef9a) C:\Windows\system32\DRIVERS\WavxDMgr.sys
2011/08/31 23:28:02.0385 5212 Wd (afc5ad65b991c1e205cf25cfdbf7a6f4) C:\Windows\system32\drivers\wd.sys
2011/08/31 23:28:02.0571 5212 Wdf01000 (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys
2011/08/31 23:28:02.0834 5212 winachsf (4daca8f07537d4d7e3534bb99294aa26) C:\Windows\system32\DRIVERS\HSX_CNXT.sys
2011/08/31 23:28:03.0149 5212 WmiAcpi (2e7255d172df0b8283cdfb7b433b864e) C:\Windows\system32\DRIVERS\wmiacpi.sys
2011/08/31 23:28:03.0387 5212 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
2011/08/31 23:28:03.0529 5212 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
2011/08/31 23:28:03.0658 5212 XAudio (5a7ff9a18ff6d7e0527fe3abf9204ef8) C:\Windows\system32\DRIVERS\xaudio.sys
2011/08/31 23:28:03.0738 5212 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk0\DR0
2011/08/31 23:28:03.0790 5212 Boot (0x1200) (cc89d89b9101a83eceea0f2922b1bdc0) \Device\Harddisk0\DR0\Partition0
2011/08/31 23:28:03.0821 5212 Boot (0x1200) (c6549a4542e16e0e56175bb3aaae665d) \Device\Harddisk0\DR0\Partition1
2011/08/31 23:28:03.0831 5212 ================================================================================
2011/08/31 23:28:03.0831 5212 Scan finished
2011/08/31 23:28:03.0831 5212 ================================================================================
2011/08/31 23:28:03.0852 2688 Detected object count: 1
2011/08/31 23:28:03.0852 2688 Actual detected object count: 1
2011/08/31 23:28:27.0799 2688 volsnap (e269bb33062f9a6b4115c86781d767aa) C:\Windows\system32\drivers\volsnap.sys
2011/08/31 23:28:27.0802 2688 Suspicious file (Forged): C:\Windows\system32\drivers\volsnap.sys. Real md5: e269bb33062f9a6b4115c86781d767aa, Fake md5: 147281c01fcb1df9252de2a10d5e7093
2011/08/31 23:28:32.0457 2688 Backup copy found, using it..
2011/08/31 23:28:32.0517 2688 C:\Windows\system32\drivers\volsnap.sys - will be cured after reboot
2011/08/31 23:28:32.0517 2688 Rootkit.Win32.TDSS.tdl3(volsnap) - User select action: Cure
2011/08/31 23:30:38.0183 1408 Deinitialize success
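The interesting lines in the log above are the "Suspicious file (Forged)" entry for volsnap.sys, which reports two different MD5 values for the same path, and the "detected" / "User select action" lines that follow it. Two hashes for one file means the bytes returned depend on how the file was read, which is exactly what a filter-driver rootkit produces; which of the two is the genuine Microsoft binary is not something the log line alone tells you. The script below is an added example, not part of this thread or of Kaspersky's TDSSKiller: it parses a TDSSKiller log into a driver inventory, joins the forged-file, detection and action lines into one record per finding, and separates the benign case of two services sharing one image (Tcpip and Tcpip6 above) from the real signal. The line layout is assumed from the posted log, the `Finding` type and function names are mine, and the sample lines are a constructed subset copied from that log.

```python
"""Pull the rootkit detection signals out of a TDSSKiller log.

Added example for this thread; it is not part of the forum post or of
Kaspersky's TDSSKiller. The line layout (timestamp, thread id, service
name, "(md5)", path) is assumed from the log posted above.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: eight lines copied from the log posted in this thread.
SAMPLE_LOG = (
    "2011/08/31 23:27:57.0051 5212 Tcpip (a474879afa4a596b3a531f3e69730dbf) C:\\Windows\\system32\\drivers\\tcpip.sys\n"
    "2011/08/31 23:27:57.0151 5212 Tcpip6 (a474879afa4a596b3a531f3e69730dbf) C:\\Windows\\system32\\DRIVERS\\tcpip.sys\n"
    "2011/08/31 23:28:01.0628 5212 volsnap (e269bb33062f9a6b4115c86781d767aa) C:\\Windows\\system32\\drivers\\volsnap.sys\n"
    "2011/08/31 23:28:01.0643 5212 Suspicious file (Forged): C:\\Windows\\system32\\drivers\\volsnap.sys. "
    "Real md5: e269bb33062f9a6b4115c86781d767aa, Fake md5: 147281c01fcb1df9252de2a10d5e7093\n"
    "2011/08/31 23:28:01.0679 5212 volsnap - detected Rootkit.Win32.TDSS.tdl3 (0)\n"
    "2011/08/31 23:28:03.0738 5212 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \\Device\\Harddisk0\\DR0\n"
    "2011/08/31 23:28:03.0831 5212 Scan finished\n"
    "2011/08/31 23:28:32.0517 2688 Rootkit.Win32.TDSS.tdl3(volsnap) - User select action: Cure\n"
)

PREFIX = r"^\S+ \S+\s+\d+\s+"  # date, time, thread id (assumed layout)
DRIVER_RE = re.compile(PREFIX + r"(?P<name>\S+)\s+\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>.+)$")
BOOT_RE = re.compile(PREFIX + r"(?P<name>MBR|Boot) \(0x[0-9A-Fa-f]+\) \((?P<md5>[0-9a-f]{32})\) (?P<dev>.+)$")
FORGED_RE = re.compile(
    r"Suspicious file \(Forged\): (?P<path>.+?)\. Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})"
)
DETECT_RE = re.compile(PREFIX + r"(?P<name>\S+) - detected (?P<verdict>\S+)")
ACTION_RE = re.compile(r"(?P<verdict>\S+)\((?P<name>[^)]+)\) - User select action: (?P<action>\w+)")


@dataclass
class Finding:
    """One forged file, joined with the detection verdict and user action (my own type)."""
    path: str
    real_md5: str
    fake_md5: str
    service: Optional[str] = None
    verdict: Optional[str] = None
    action: Optional[str] = None

    @property
    def hashes_disagree(self) -> bool:
        # The detection signal: the same path yields different bytes depending
        # on how it is read, so something in the I/O path is filtering reads.
        return self.real_md5 != self.fake_md5


def parse_tdsskiller_log(text: str) -> dict:
    """Return the driver inventory, the forged-file findings and the boot-sector hashes."""
    drivers: Dict[str, tuple] = {}   # service name -> (md5, image path)
    forged: Dict[str, Finding] = {}  # image path -> finding, keyed so later lines can join
    boot: Dict[str, str] = {}        # device -> md5 of MBR / boot sector
    for line in text.splitlines():
        m = FORGED_RE.search(line)
        if m:
            forged[m["path"]] = Finding(m["path"], m["real"], m["fake"])
            continue
        m = DETECT_RE.match(line)
        if m:  # "<service> - detected <verdict>": join to the forged path via the inventory
            path = drivers.get(m["name"], ("", ""))[1]
            if path in forged:
                forged[path].service = m["name"]
                forged[path].verdict = m["verdict"]
            continue
        m = ACTION_RE.search(line)
        if m:  # "<verdict>(<service>) - User select action: <action>"
            for finding in forged.values():
                if finding.service == m["name"]:
                    finding.action = m["action"]
            continue
        m = BOOT_RE.match(line)
        if m:
            boot[m["dev"]] = m["md5"]
            continue
        m = DRIVER_RE.match(line)
        if m:
            drivers[m["name"]] = (m["md5"], m["path"])
    return {"drivers": drivers, "forged": list(forged.values()), "boot": boot}


def services_per_image(drivers: Dict[str, tuple]) -> Dict[str, List[str]]:
    """Group service names by image path (case-folded). Two services backed by one
    file, such as Tcpip and Tcpip6 above, is normal Windows layering, not a finding."""
    out: Dict[str, List[str]] = {}
    for name, (_md5, path) in drivers.items():
        out.setdefault(path.lower(), []).append(name)
    return out


if __name__ == "__main__":
    report = parse_tdsskiller_log(SAMPLE_LOG)
    for finding in report["forged"]:
        print(f"{finding.path}: service={finding.service} verdict={finding.verdict} "
              f"action={finding.action} hashes_disagree={finding.hashes_disagree}")
```

Run it against the full log TDSSKiller writes to the root of C: instead of the sample, and every forged entry comes out as one record with its service name, verdict and the action chosen. A record whose two hashes agree would be worth a second look rather than an automatic alarm, since the forgery signal is the disagreement itself.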



#10 Blade81 (Bleepin' Rocker, Malware Response Team, 6,465 posts, Finland)

Posted 31 August 2011 - 11:15 AM

Hi,

Please run GMER again and post back its log. Are the earlier issues still present?



#11 Severan (Topic Starter, Members, 13 posts)

Posted 31 August 2011 - 11:36 AM

I will begin another GMER scan once this is posted, but as it takes many hours to run, in the meantime I would like to let you know that the Internet Explorer pop-up flooding seems to have been resolved. However, Windows remains unable to check for updates and I still cannot access www.yahoo.com or download.microsoft.com.

Nevertheless, your help so far has been greatly appreciated!

Edited by Severan, 31 August 2011 - 11:37 AM.


#12 Blade81 (Bleepin' Rocker, Malware Response Team, 6,465 posts, Finland)

Posted 01 September 2011 - 12:04 AM

Hi,

OK, I shall wait to see a fresh GMER log before considering any further action.



#13 Severan
Topic Starter

Posted 01 September 2011 - 04:25 AM

The results of the latest GMER scan are pasted below.

I await further instructions; as always, thank you for your help!

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-09-01 16:39:05
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 ST912082 rev.3.AD
Running: gmer.exe; Driver: C:\Users\Severan\AppData\Local\Temp\pgloqpod.sys


---- System - GMER 1.0.15 ----

SSDT 87194738 ZwAlertResumeThread
SSDT 877C7D60 ZwAlertThread
SSDT 87805330 ZwAllocateVirtualMemory
SSDT 87595970 ZwConnectPort
SSDT 877B5360 ZwCreateMutant
SSDT 878054C0 ZwCreateThread
SSDT 8780B008 ZwFreeVirtualMemory
SSDT 877D67D0 ZwImpersonateAnonymousToken
SSDT 87802870 ZwImpersonateThread
SSDT 8780BF28 ZwMapViewOfSection
SSDT 877B52A0 ZwOpenEvent
SSDT 87805400 ZwOpenProcessToken
SSDT 8780BC68 ZwOpenThreadToken
SSDT 8758E5D8 ZwResumeThread
SSDT 8780BB88 ZwSetContextThread
SSDT 8780BD58 ZwSetInformationProcess
SSDT 8780BA18 ZwSetInformationThread
SSDT 877B5D88 ZwSuspendProcess
SSDT 877A62A8 ZwSuspendThread
SSDT 878055A0 ZwTerminateProcess
SSDT 8780B938 ZwTerminateThread
SSDT 8780BE48 ZwUnmapViewOfSection
SSDT 87805260 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 11D 828B48A0 8 Bytes [38, 47, 19, 87, 60, 7D, 7C, ...] {CMP [EDI+0x19], AL; XCHG [EAX+0x7d], ESP; JL 0xffffffffffffff8f}
.text ntkrnlpa.exe!KeSetEvent + 131 828B48B4 4 Bytes [30, 53, 80, 87]
.text ntkrnlpa.exe!KeSetEvent + 1C1 828B4944 4 Bytes [70, 59, 59, 87]
.text ntkrnlpa.exe!KeSetEvent + 1F5 828B4978 4 Bytes [60, 53, 7B, 87] {PUSHA ; PUSH EBX; JNP 0xffffffffffffff8b}
.text ntkrnlpa.exe!KeSetEvent + 221 828B49A4 4 Bytes [C0, 54, 80, 87]
.text ...
page C:\Windows\System32\Drivers\oz776.sys entry point in "page" section [0x8DFE6E34]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows Search\CatalogNames\Windows\SystemIndex@pkm:catalog:LastCatalogCrawlId 281
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex@CheckPointNumber 0
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\282
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\282@CrawlType 2
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\282@InProgress 1
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\282@DoneAddingCrawlSeeds 1
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\282@LogName C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.Crwl282.gthr
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\282@CheckPoint 0x7E 0x01 0x00 0x00 ...
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\282@IsCatalogLevel 0
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\282@LogStartAddId 2
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\StartPages\2@CrawlNumberInProgress 282

---- EOF - GMER 1.0.15 ----
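
A GMER log is a list of hook sites, not a verdict. SSDT entries that show a bare address instead of a module path are hooks GMER could not tie to any loaded image; a kernel-mode rootkit produces that, but so does the host-intrusion component of a security suite, and the Devices section above shows Symantec's SYMTDI.SYS attached to the TCP and UDP stacks. The added example below is not GMER's code: it parses the log's sections into structured data and turns them into the review queue a responder would work through against the rest of the logs. SAMPLE is abridged from the log above, plus one constructed line (example.sys) showing the attributed form of an SSDT entry so the parser handles both.

```python
"""Summarise a GMER rootkit-scan log into the items worth reviewing.

Added example, not GMER's own code: it reads only the text format of the
log posted above. SAMPLE is abridged from that log plus one constructed line.
"""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
# "SSDT <address or module path> [(description)] Zw<Function> ..."
SSDT_RE = re.compile(r"^SSDT\s+(?P<owner>\S+)\s+(?:\((?P<desc>[^)]*)\)\s+)?(?P<func>Zw\w+)")
# ".text <module>!<function> + <offset> <address> <n> Bytes [...]"
PATCH_RE = re.compile(r"^\.text\s+(?P<mod>[^!\s]+)!(?P<func>\w+)\s+\+\s+(?P<off>[0-9A-F]+)\s+(?P<addr>[0-9A-F]{8})\s+(?P<n>\d+) Bytes")
# "AttachedDevice <driver object> <device object> <file> (<description/vendor>)"
DEVICE_RE = re.compile(r"^AttachedDevice\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<file>\S+)(?:\s+\((?P<desc>[^)]*)\))?")
ADDR_RE = re.compile(r"^[0-9A-F]{8}$")


def parse_gmer(text: str) -> dict:
    """SSDT hooks as (function, owner-or-None), inline patches grouped by
    module!function, filters as (driver, device, file, vendor), registry count."""
    report = {"ssdt": [], "patches": defaultdict(list), "devices": [], "registry": 0}
    section = ""
    for line in text.splitlines():
        line = line.strip()
        s = SECTION_RE.match(line)
        if s:
            section = s["name"]
            continue
        if section == "System":
            m = SSDT_RE.match(line)
            if m:
                # A bare address means GMER found no loaded image owning the hook target.
                owner = None if ADDR_RE.match(m["owner"]) else m["owner"]
                report["ssdt"].append((m["func"], owner))
        elif section.startswith("Kernel code"):
            m = PATCH_RE.match(line)
            if m:
                report["patches"][f'{m["mod"]}!{m["func"]}'].append(m["off"])
        elif section == "Devices":
            m = DEVICE_RE.match(line)
            if m:
                desc = m["desc"] or ""
                vendor = desc.rsplit("/", 1)[-1] if desc else ""
                report["devices"].append((m["driver"], m["device"], m["file"], vendor))
        elif section == "Registry" and line.startswith("Reg "):
            report["registry"] += 1
    return report


def review_points(report: dict) -> list:
    """The questions a reviewer takes to the other logs (installed AV, driver list)."""
    points = []
    unattributed = [f for f, owner in report["ssdt"] if owner is None]
    if unattributed:
        points.append(f"{len(unattributed)} SSDT hook(s) with no owning image: " + ", ".join(unattributed))
    for func, offsets in report["patches"].items():
        points.append(f"inline patch in {func} at offsets {', '.join(offsets)}")
    for _driver, device, file, vendor in report["devices"]:
        if vendor and "microsoft" not in vendor.lower():
            points.append(f"third-party filter {file} ({vendor}) on {device}")
    return points


SAMPLE = r"""GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-09-01 16:39:05

---- System - GMER 1.0.15 ----

SSDT 87194738 ZwAlertResumeThread
SSDT 87805330 ZwAllocateVirtualMemory
SSDT 8780BF28 ZwMapViewOfSection
SSDT 87805260 ZwWriteVirtualMemory
SSDT \SystemRoot\System32\Drivers\example.sys (constructed hook/Example Vendor) ZwOpenProcess [0x8DD7C2F4]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 11D 828B48A0 8 Bytes [38, 47, 19, 87, 60, 7D, 7C, ...] {CMP [EDI+0x19], AL; XCHG [EAX+0x7d], ESP; JL 0xffffffffffffff8f}
.text ntkrnlpa.exe!KeSetEvent + 131 828B48B4 4 Bytes [30, 53, 80, 87]
.text ...
page C:\Windows\System32\Drivers\oz776.sys entry point in "page" section [0x8DFE6E34]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex@CheckPointNumber 0

---- EOF - GMER 1.0.15 ----
"""

if __name__ == "__main__":
    for point in review_points(parse_gmer(SAMPLE)):
        print(point)
```

The hooked functions in the full log above (thread creation and resumption, virtual memory writes, section mapping, token impersonation, process termination) are the set a behaviour-blocking product watches; the way to close the question is to match the hook targets against the installed security suite's drivers rather than to read the list as proof of either.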



#14 Blade81
Malware Response Team, Finland

Posted 01 September 2011 - 08:31 AM

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run from.


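The items requested above target name resolution: Windows Update's 8024402C is its name-resolution failure code (WU_E_PT_WINHTTP_NAME_NOT_RESOLVED), and a site that resolves on every other machine on the same network but not on this one points at the hosts file, the configured DNS servers or a proxy setting rather than at the network. The following is an added example, not MiniToolBox's code: it runs the checks a responder applies to that report, over the same data as plain text. HOSTS_SAMPLE and IPCONFIG_SAMPLE are constructed (the blocked domains come from this thread, the 203.0.113.x addresses are documentation-range stand-ins), and WATCHED, audit_hosts, dns_servers and foreign_dns are this example's own names.

```python
"""Audit hosts-file and DNS-server data for the tampering that blocks specific
sites and breaks Windows Update.

Added example, not MiniToolBox's code. Inputs are the text the tool reports
(hosts file contents, `ipconfig /all` output); the samples below are constructed.
"""
import ipaddress
import re

# Domains malware typically blackholes or redirects to keep updates and AV away;
# yahoo.com is listed only because this thread reports it unreachable.
WATCHED = ("microsoft.com", "windowsupdate.com", "symantec.com", "kaspersky.com", "yahoo.com")
STOCK = {("localhost", "127.0.0.1"), ("localhost", "::1")}   # the only entries a clean Vista hosts file has
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "fc00::/7", "fe80::/10", "::1/128")]


def _watched(name: str) -> bool:
    return any(name == d or name.endswith("." + d) for d in WATCHED)


def audit_hosts(hosts_text: str) -> list:
    """(hostname, address, 'blackholed'|'redirected', line number) for every
    active mapping of a watched domain; any such entry is abnormal."""
    findings = []
    for n, line in enumerate(hosts_text.splitlines(), 1):
        body = line.split("#", 1)[0].strip()   # drop comments
        if not body:
            continue
        addr, *names = body.split()
        for name in names:
            name = name.lower()
            if (name, addr) in STOCK or not _watched(name):
                continue
            kind = "blackholed" if addr in ("127.0.0.1", "0.0.0.0", "::1") else "redirected"
            findings.append((name, addr, kind, n))
    return findings


def dns_servers(ipconfig_text: str) -> list:
    """Every DNS server in `ipconfig /all` output, including the indented
    continuation lines Windows prints for a second or third server."""
    servers, in_dns = [], False
    for line in ipconfig_text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        if m:
            servers.append(m.group(1))
            in_dns = True
            continue
        c = re.match(r"\s+(\d{1,3}(?:\.\d{1,3}){3}|[0-9a-fA-F]*:[0-9a-fA-F:]+)\s*$", line) if in_dns else None
        if c:
            servers.append(c.group(1))
        else:
            in_dns = False
    return servers


def foreign_dns(servers: list) -> list:
    """Servers outside the LAN/private ranges. A home machine normally points at
    its router; a public resolver nobody configured is the DNS-changer pattern.
    Review flag, not verdict: some ISPs hand out public resolvers by DHCP."""
    out = []
    for s in servers:
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:
            continue
        if not any(ip in net for net in LAN_NETS):
            out.append(s)
    return out


HOSTS_SAMPLE = """# Copyright (c) 1993-2006 Microsoft Corp.
# Constructed sample hosts file for this example.
127.0.0.1       localhost
::1             localhost
127.0.0.1       download.microsoft.com
127.0.0.1       www.yahoo.com
203.0.113.5     update.microsoft.com   # documentation-range stand-in for an attacker host
"""

IPCONFIG_SAMPLE = """Windows IP Configuration

   Host Name . . . . . . . . . . . . : VISTA-PC

Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.10(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.53
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    print(audit_hosts(HOSTS_SAMPLE))
    servers = dns_servers(IPCONFIG_SAMPLE)
    print(servers, foreign_dns(servers))
```

A clean hosts file and router-only DNS servers together with the symptoms still present would move the question to the proxy settings the same report lists, and to the network stack itself, which is why the request above asks for all of them at once.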

#15 Severan
Topic Starter

Posted 01 September 2011 - 09:15 AM

I have attached Result.txt as requested.

I await further instructions; as always, thank you for your help!
