
infected with XP internet security fix, system fix, google redirect


This topic is locked
31 replies to this topic

#1 umbutu


Posted 14 February 2012 - 02:08 PM

.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.18702
Run by RBailey at 12:24:12 on 2012-02-14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3572.3079 [GMT -5:00]
.
AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://atlarc2.larc.nasa.gov/
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [DellCleanup] c:\dell\WINCLEAN.EXE
mRun: [IAStorIcon] c:\program files\intel\intel® rapid storage technology\IAStorIcon.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35.exe" /scan:boot
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK32.EXE
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1317226768718
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1317226876468
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
TCP: Interfaces\{B5FD34D5-8EF0-42EB-9384-8FF2B929851C} : DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: NecUsb3Sevices - USB3Sw32.dll
Notify: USB3Sw32 - USB3Sw32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
============= SERVICES / DRIVERS ===============
.
S1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
S1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
S2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-11-21 192104]
S2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-11-21 169576]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\intel\intel® rapid storage technology\IAStorDataMgrSvc.exe [2011-9-28 13336]
S2 NecUsb3;USB3 Service;c:\windows\system32\svchost.exe -k NecUsb3Sevic [2008-4-25 14336]
S2 NVIDIA Performance Driver Service;NVIDIA Performance Driver Service;c:\program files\nvidia corporation\performance drivers\nvPDsvc.exe [2009-12-8 5241448]
S2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2007-3-14 1816768]
S3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2011-9-22 113664]
S3 cvusbdrv;Dell ControlVault;c:\windows\system32\drivers\cvusbdrv.sys [2011-9-22 33832]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-11-29 106104]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20111211.006\naveng.sys [2011-12-12 86136]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20111211.006\navex15.sys [2011-12-12 1576312]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-3-14 116416]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-25 14336]
.
=============== Created Last 30 ================
.
2012-02-14 17:14:55 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-14 16:22:44 -------- d-----w- c:\windows\pss
2012-02-14 15:34:07 37888 ----a-w- c:\windows\system32\USB3Sw32.dll
2012-02-14 15:34:07 156672 ----a-w- c:\windows\system32\NCUSBw32.dll
.
==================== Find3M ====================
.
2012-02-14 16:01:15 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-12-17 16:11:46 26872 ----a-w- c:\windows\system32\drivers\FixTDSS.sys
2011-12-17 15:48:42 83064 ----a-w- c:\windows\system32\drivers\SMR210.SYS
2011-11-22 13:23:10 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 12:30:12.40 ===============


#2 gringo_pr (Malware Response Team)

Posted 16 February 2012 - 11:12 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having, as these can help also.
  • Do not run anything while running a fix.


Click on the Watch Topic button, select Immediate Notification and click on Proceed; this will help you get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


Please Only Copy And Paste Reports Into Topic - Do Not Attach


#3 umbutu (Topic Starter)

Posted 18 February 2012 - 04:23 PM

Ran Combofix in SAFE Mode.
Thought I had disabled Symantec Corporate Edition, but Combofix gave notice that Symantec Antivirus was detected. I chose to continue.
Have not tried Google search yet. Will update log after I have had a chance to run the computer for a while.
Thank you for your help.


ComboFix 12-02-16.02 - RBailey 02/18/2012 12:19:44.1.8 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3572.3264 [GMT -5:00]
Running from: c:\documents and settings\RBailey\My Documents\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB29885$
c:\windows\$NtUninstallKB29885$\3747976948
c:\windows\$NtUninstallKB29885$\3809056692\@
c:\windows\$NtUninstallKB29885$\3809056692\bckfg.tmp
c:\windows\$NtUninstallKB29885$\3809056692\cfg.ini
c:\windows\$NtUninstallKB29885$\3809056692\Desktop.ini
c:\windows\$NtUninstallKB29885$\3809056692\keywords
c:\windows\$NtUninstallKB29885$\3809056692\kwrd.dll
c:\windows\$NtUninstallKB29885$\3809056692\L\rohepcid
c:\windows\$NtUninstallKB29885$\3809056692\lsflt7.ver
c:\windows\$NtUninstallKB29885$\3809056692\oemid
c:\windows\$NtUninstallKB29885$\3809056692\U\00000001.@
c:\windows\$NtUninstallKB29885$\3809056692\U\00000002.@
c:\windows\$NtUninstallKB29885$\3809056692\U\00000004.@
c:\windows\$NtUninstallKB29885$\3809056692\U\80000000.@
c:\windows\$NtUninstallKB29885$\3809056692\U\80000004.@
c:\windows\$NtUninstallKB29885$\3809056692\U\80000032.@
c:\windows\$NtUninstallKB29885$\3809056692\version
.
Infected copy of c:\windows\system32\drivers\i8042prt.sys was found and disinfected
Restored copy from - The cat found it :)
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_6TO4
-------\Service_6to4
.
.
((((((((((((((((((((((((( Files Created from 2012-01-18 to 2012-02-18 )))))))))))))))))))))))))))))))
.
.
2012-02-18 17:09 . 2008-04-14 12:48 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2012-02-14 17:14 . 2012-02-18 16:47 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-14 15:34 . 2012-02-14 15:34 37888 ----a-w- c:\windows\system32\USB3Sw32.dll
2012-02-14 15:34 . 2012-02-14 15:34 156672 ----a-w- c:\windows\system32\NCUSBw32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-14 16:01 . 2011-12-18 00:15 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-12-17 16:11 . 2011-12-17 16:11 26872 ----a-w- c:\windows\system32\drivers\FixTDSS.sys
2011-12-17 15:48 . 2011-12-17 15:48 83064 ----a-w- c:\windows\system32\drivers\SMR210.SYS
2011-11-22 13:23 . 2011-10-06 04:18 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-12-10 1594664]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2010-05-25 495708]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2010-05-25 737280]
"nwiz"="nwiz.exe" [2009-12-17 1657448]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-12-17 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-12-17 13803520]
"NVHotkey"="nvHotkey.dll" [2009-12-17 86016]
"DellCleanup"="c:\dell\WINCLEAN.EXE" [2010-09-27 212992]
"IAStorIcon"="c:\program files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-03-04 284696]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2010-07-09 2670592]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-05 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-03-14 125632]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2011-10-5 25214]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK32.EXE [2011-11-17 611144]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NecUsb3Sevices]
2012-02-14 15:34 37888 ----a-w- c:\windows\system32\USB3Sw32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\USB3Sw32]
2012-02-14 15:34 37888 ----a-w- c:\windows\system32\USB3Sw32.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0bootdelete
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [9/28/2011 10:36 AM 13336]
S2 NecUsb3;USB3 Service;c:\windows\System32\svchost.exe -k NecUsb3Sevic [4/25/2008 11:16 AM 14336]
S2 NVIDIA Performance Driver Service;NVIDIA Performance Driver Service;c:\program files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe [12/8/2009 2:14 PM 5241448]
S3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [9/22/2011 3:31 PM 113664]
S3 cvusbdrv;Dell ControlVault;c:\windows\system32\drivers\cvusbdrv.sys [9/22/2011 3:31 PM 33832]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [11/29/2011 10:04 PM 106104]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/14/2007 6:48 PM 116416]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/25/2008 11:16 AM 14336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
NecUsb3Sevic REG_MULTI_SZ NecUsb3
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ndassvc
SQLAgent$MICROSOFTBCM
rca
HIDSwvd
swwd
wwsecsvc
eventclientmultiplexer
isamsmt
z525obex
slssvc
cicsclient
nvedavt
SE2Emdm
relational
tiwlnsvc
snmptrapdservice
smstsmgr
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://atlarc2.larc.nasa.gov/
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uInternet Settings,ProxyOverride = *.local
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-18 12:55
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(856)
c:\windows\system32\USB3Sw32.dll
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(696)
c:\windows\system32\WININET.dll
c:\program files\Microsoft Office\Office12\GrooveShellExtensions.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\jscript.dll
c:\windows\system32\Macromed\Flash\Flash11e.ocx
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
.
Completion time: 2012-02-18 13:10:28 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-18 18:10
.
Pre-Run: 234,183,139,328 bytes free
Post-Run: 234,581,880,832 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /safeboot:network
.
- - End Of File - - 5478B7399CDAE2D6BB76FD56AE83A059

#4 umbutu (Topic Starter)

Posted 18 February 2012 - 08:56 PM

Google is still being redirected.
Decided to try ComboFix again, this time without Symantec Antivirus, logged on as Administrator, and NOT in Safe Mode.
Note:
1) I removed Symantec Antivirus using 'add/remove programs'
2) I could only boot into Safe Mode, until I ran 'msconfig' from START;RUN and selected 'regular boot'
3) When I ran ComboFix the first time (per previous post), I selected 'Yes' when ComboFix asked if I wanted to have recovery console downloaded/installed
4) Despite indicating it had created a restore point when I ran it the first time, there were no restore points to choose from in the recovery console
5) Booted into standard XP
6) ComboFix started, and the small window showing files being extracted completes, but when the larger ComboFix window pops up, a Blue Screen Of Death (BSOD) occurs within a short time and the computer reboots. (I do not know how to freeze the BSOD so I can copy what appears on screen)
7) Because of #6 above, I had to boot into Safe Mode to run ComboFix
8) When I ran ComboFix the first time (per previous post), got a pop-up stating "infected w/ Rootkit.zeroaccess . . .", did not get that popup this time
9) When I ran ComboFix the first time (per previous post), got a pop-up stating "rmbr.3XE encountered a problem and needs to close", got that same popup this time

After running ComboFix, Google is still being redirected.

ComboFix 12-02-16.02 - Administrator 02/18/2012 18:15:36.2.8 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3572.3250 [GMT -5:00]
Running from: c:\documents and settings\RBailey\My Documents\CFix\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_6TO4
-------\Service_6to4
.
.
((((((((((((((((((((((((( Files Created from 2012-01-19 to 2012-02-19 )))))))))))))))))))))))))))))))
.
.
2012-02-18 22:46 . 2012-02-18 22:46 -------- d-----w- C:\New Folder
2012-02-18 17:09 . 2008-04-14 12:48 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2012-02-14 17:14 . 2012-02-18 16:47 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-14 15:34 . 2012-02-14 15:34 37888 ----a-w- c:\windows\system32\USB3Sw32.dll
2012-02-14 15:34 . 2012-02-14 15:34 156672 ----a-w- c:\windows\system32\NCUSBw32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-14 16:01 . 2011-12-18 00:15 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-12-17 16:11 . 2011-12-17 16:11 26872 ----a-w- c:\windows\system32\drivers\FixTDSS.sys
2011-12-17 15:48 . 2011-12-17 15:48 83064 ----a-w- c:\windows\system32\drivers\SMR210.SYS
2011-11-22 13:23 . 2011-10-06 04:18 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-12-10 1594664]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2010-05-25 495708]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2010-05-25 737280]
"nwiz"="nwiz.exe" [2009-12-17 1657448]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-12-17 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-12-17 13803520]
"NVHotkey"="nvHotkey.dll" [2009-12-17 86016]
"DellCleanup"="c:\dell\WINCLEAN.EXE" [2010-09-27 212992]
"IAStorIcon"="c:\program files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-03-04 284696]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2010-07-09 2670592]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-05 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2011-10-5 25214]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK32.EXE [2011-11-17 611144]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NecUsb3Sevices]
2012-02-14 15:34 37888 ----a-w- c:\windows\system32\USB3Sw32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\USB3Sw32]
2012-02-14 15:34 37888 ----a-w- c:\windows\system32\USB3Sw32.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0bootdelete
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [9/28/2011 10:36 AM 13336]
S2 NecUsb3;USB3 Service;c:\windows\System32\svchost.exe -k NecUsb3Sevic [4/25/2008 11:16 AM 14336]
S2 NVIDIA Performance Driver Service;NVIDIA Performance Driver Service;c:\program files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe [12/8/2009 2:14 PM 5241448]
S3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [9/22/2011 3:31 PM 113664]
S3 cvusbdrv;Dell ControlVault;c:\windows\system32\drivers\cvusbdrv.sys [9/22/2011 3:31 PM 33832]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/25/2008 11:16 AM 14336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
NecUsb3Sevic REG_MULTI_SZ NecUsb3
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ndassvc
SQLAgent$MICROSOFTBCM
rca
HIDSwvd
swwd
wwsecsvc
eventclientmultiplexer
isamsmt
z525obex
slssvc
cicsclient
nvedavt
SE2Emdm
relational
tiwlnsvc
snmptrapdservice
smstsmgr
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://atlarc2.larc.nasa.gov/
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uInternet Settings,ProxyOverride = *.local
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
.
- - - - ORPHANS REMOVED - - - -
.
Notify-NavLogon - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-18 19:36
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(856)
c:\windows\system32\USB3Sw32.dll
c:\windows\System32\BCMLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\logon.scr
.
**************************************************************************
.
Completion time: 2012-02-18 19:51:00 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-19 00:50
.
Pre-Run: 235,102,601,216 bytes free
Post-Run: 235,095,875,584 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /safeboot:network
.
- - End Of File - - 107BBBF57026C523ACA38626397B0E80

#5 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 135,614 posts
  • Gender:Male
  • Location:Puerto rico

Posted 18 February 2012 - 09:08 PM

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double-click the aswMBR.exe icon to run it.
  • It will ask to download extra definitions - ALLOW IT.
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#6 umbutu

umbutu
  • Topic Starter

  • Members
  • 24 posts
  • Gender:Male

Posted 19 February 2012 - 12:02 AM

I appear unable to run TDSSKiller.
I double click on the .exe and nothing happens.

Was able to run aswMBR, see logs from aswMBR below:
Note: The first time I ran aswMBR, I thought it was finished and I pressed the 'log' button to write the log file. But it was not finished, so I had to press the 'log' button again. This is the 1st log. I was not sure if I might have messed something up, so I ran aswMBR again; this is the 2nd log.

This is 1st aswMBR Log:

aswMBR version 0.9.9.1618 Copyright© 2011 AVAST Software
Run date: 2012-02-18 23:31:43
-----------------------------
23:31:43.046 OS Version: Windows 5.1.2600 Service Pack 3
23:31:43.046 Number of processors: 8 586 0x1E05
23:31:43.046 ComputerName: DBB4JNM1 UserName: RBailey
23:31:43.468 Initialize success
23:36:05.562 AVAST engine defs: 12021802
23:36:19.875 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
23:36:19.937 Disk 0 Vendor: WDC_WD25 11.0 Size: 238475MB BusType: 8
23:36:20.015 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IAAStorageDevice-2
23:36:20.078 Disk 1 Vendor: TOSHIBA_ LJ00 Size: 238475MB BusType: 8
23:36:20.187 Disk 0 MBR read successfully
23:36:20.265 Disk 0 MBR scan
23:36:20.359 Disk 0 Windows VISTA default MBR code
23:36:20.437 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 133 MB offset 63
23:36:20.562 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 238336 MB offset 278528
23:36:20.640 Disk 0 scanning sectors +488397152
23:36:21.031 Disk 0 scanning C:\WINDOWS\system32\drivers
23:36:28.875 Service scanning
23:36:35.296 Service NecUsb3 C:\WINDOWS\system32\NCUSBw32.dll **INFECTED** Win32:Malware-gen
23:36:42.437 Modules scanning
23:36:48.031 Disk 0 trace - called modules:
23:36:48.546 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8b0affa9]<<
23:36:48.937 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b054ab8]
23:36:49.343 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x8a605028]
23:36:49.750 \Driver\iaStor[0x8b0f3de8] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x8b0affa9
23:36:50.609 AVAST engine scan C:\WINDOWS
23:37:01.312 AVAST engine scan C:\WINDOWS\system32
23:37:42.843 File: C:\WINDOWS\system32\NCUSBw32.dll **INFECTED** Win32:Malware-gen
23:38:08.656 File: C:\WINDOWS\system32\USB3Sw32.dll **INFECTED** Win32:Malware-gen
23:38:52.890 AVAST engine scan C:\WINDOWS\system32\drivers
23:39:04.031 AVAST engine scan C:\Documents and Settings\RBailey
23:39:10.531 File: C:\Documents and Settings\RBailey\Application Data\Sun\Java\Deployment\cache\6.0\6\3f5fea06-31605718 **INFECTED** Win32:FakeSysdefs-A [Trj]
23:40:13.406 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\RBailey\My Documents\malware removal files to send\MBR.dat"
23:40:13.671 The log file has been saved successfully to "C:\Documents and Settings\RBailey\My Documents\malware removal files to send\aswMBR.txt"


aswMBR version 0.9.9.1618 Copyright© 2011 AVAST Software
Run date: 2012-02-18 23:31:43
-----------------------------
23:31:43.046 OS Version: Windows 5.1.2600 Service Pack 3
23:31:43.046 Number of processors: 8 586 0x1E05
23:31:43.046 ComputerName: DBB4JNM1 UserName: RBailey
23:31:43.468 Initialize success
23:36:05.562 AVAST engine defs: 12021802
23:36:19.875 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
23:36:19.937 Disk 0 Vendor: WDC_WD25 11.0 Size: 238475MB BusType: 8
23:36:20.015 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IAAStorageDevice-2
23:36:20.078 Disk 1 Vendor: TOSHIBA_ LJ00 Size: 238475MB BusType: 8
23:36:20.187 Disk 0 MBR read successfully
23:36:20.265 Disk 0 MBR scan
23:36:20.359 Disk 0 Windows VISTA default MBR code
23:36:20.437 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 133 MB offset 63
23:36:20.562 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 238336 MB offset 278528
23:36:20.640 Disk 0 scanning sectors +488397152
23:36:21.031 Disk 0 scanning C:\WINDOWS\system32\drivers
23:36:28.875 Service scanning
23:36:35.296 Service NecUsb3 C:\WINDOWS\system32\NCUSBw32.dll **INFECTED** Win32:Malware-gen
23:36:42.437 Modules scanning
23:36:48.031 Disk 0 trace - called modules:
23:36:48.546 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8b0affa9]<<
23:36:48.937 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b054ab8]
23:36:49.343 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x8a605028]
23:36:49.750 \Driver\iaStor[0x8b0f3de8] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x8b0affa9
23:36:50.609 AVAST engine scan C:\WINDOWS
23:37:01.312 AVAST engine scan C:\WINDOWS\system32
23:37:42.843 File: C:\WINDOWS\system32\NCUSBw32.dll **INFECTED** Win32:Malware-gen
23:38:08.656 File: C:\WINDOWS\system32\USB3Sw32.dll **INFECTED** Win32:Malware-gen
23:38:52.890 AVAST engine scan C:\WINDOWS\system32\drivers
23:39:04.031 AVAST engine scan C:\Documents and Settings\RBailey
23:39:10.531 File: C:\Documents and Settings\RBailey\Application Data\Sun\Java\Deployment\cache\6.0\6\3f5fea06-31605718 **INFECTED** Win32:FakeSysdefs-A [Trj]
23:40:13.406 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\RBailey\My Documents\malware removal files to send\MBR.dat"
23:40:13.671 The log file has been saved successfully to "C:\Documents and Settings\RBailey\My Documents\malware removal files to send\aswMBR.txt"
23:40:25.671 AVAST engine scan C:\Documents and Settings\All Users
23:40:34.375 Scan finished successfully
23:41:08.546 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\RBailey\My Documents\malware removal files to send\MBR.dat"
23:41:08.640 The log file has been saved successfully to "C:\Documents and Settings\RBailey\My Documents\malware removal files to send\aswMBR.txt"


This is 2nd aswMBR log:

aswMBR version 0.9.9.1618 Copyright© 2011 AVAST Software
Run date: 2012-02-18 23:41:42
-----------------------------
23:41:42.640 OS Version: Windows 5.1.2600 Service Pack 3
23:41:42.640 Number of processors: 8 586 0x1E05
23:41:42.640 ComputerName: DBB4JNM1 UserName: RBailey
23:41:43.156 Initialize success
23:41:49.312 AVAST engine defs: 12021802
23:41:55.468 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
23:41:55.531 Disk 0 Vendor: WDC_WD25 11.0 Size: 238475MB BusType: 8
23:41:55.593 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IAAStorageDevice-2
23:41:55.671 Disk 1 Vendor: TOSHIBA_ LJ00 Size: 238475MB BusType: 8
23:41:55.765 Disk 0 MBR read successfully
23:41:55.843 Disk 0 MBR scan
23:41:55.937 Disk 0 Windows VISTA default MBR code
23:41:56.015 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 133 MB offset 63
23:41:56.093 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 238336 MB offset 278528
23:41:56.187 Disk 0 scanning sectors +488397152
23:41:56.578 Disk 0 scanning C:\WINDOWS\system32\drivers
23:42:04.625 Service scanning
23:42:10.515 Service NecUsb3 C:\WINDOWS\system32\NCUSBw32.dll **INFECTED** Win32:Malware-gen
23:42:17.625 Modules scanning
23:42:22.671 Disk 0 trace - called modules:
23:42:23.171 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8b0affa9]<<
23:42:23.578 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b054ab8]
23:42:23.984 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x8a605028]
23:42:24.390 \Driver\iaStor[0x8b0f3de8] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x8b0affa9
23:42:25.421 AVAST engine scan C:\WINDOWS
23:42:33.046 AVAST engine scan C:\WINDOWS\system32
23:43:17.015 File: C:\WINDOWS\system32\NCUSBw32.dll **INFECTED** Win32:Malware-gen
23:43:44.781 File: C:\WINDOWS\system32\USB3Sw32.dll **INFECTED** Win32:Malware-gen
23:44:43.000 AVAST engine scan C:\WINDOWS\system32\drivers
23:44:58.953 AVAST engine scan C:\Documents and Settings\RBailey
23:45:06.859 File: C:\Documents and Settings\RBailey\Application Data\Sun\Java\Deployment\cache\6.0\6\3f5fea06-31605718 **INFECTED** Win32:FakeSysdefs-A [Trj]
23:46:10.656 AVAST engine scan C:\Documents and Settings\All Users
23:46:21.375 Scan finished successfully
23:47:17.421 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\RBailey\My Documents\malware removal files to send\MBR.dat"
23:47:17.515 The log file has been saved successfully to "C:\Documents and Settings\RBailey\My Documents\malware removal files to send\aswMBR.txt"

#7 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 135,614 posts
  • Gender:Male
  • Location:Puerto rico

Posted 19 February 2012 - 12:26 AM

Hello

I would like you to run this tool for me - fixTDSS

Download it to your desktop and start the program.

Follow the prompts and OK any security prompts.

When it is complete it will say the infection was cleared or no infection was found - let me know what it says.

After it is complete, I want you to restart the computer, try to rerun TDSSKiller for me, and send me the report.

Gringo

#8 umbutu

umbutu
  • Topic Starter

  • Members
  • 24 posts
  • Gender:Male

Posted 19 February 2012 - 01:32 AM

I am running in Safe Mode.
I ran fixTDSS.
I accepted the user agreement from Symantec.
A popup window says fixTDSS will reboot the computer and a window will pop up after the reboot to give me the results.
The computer reboots, but I do not get any window with results.

#9 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 135,614 posts
  • Gender:Male
  • Location:Puerto rico

Posted 19 February 2012 - 01:33 AM

Reboot the computer and try to run TDSSKiller.


gringo

#10 umbutu

umbutu
  • Topic Starter

  • Members
  • 24 posts
  • Gender:Male

Posted 19 February 2012 - 09:53 AM

TDSSKiller ran; see the 1st log below.
I also reran aswMBR; see the 2nd log below.

07:17:38.0093 1616 TDSS rootkit removing tool 2.7.13.0 Feb 15 2012 19:33:14
07:17:38.0484 1616 ============================================================
07:17:38.0484 1616 Current date / time: 2012/02/19 07:17:38.0484
07:17:38.0484 1616 SystemInfo:
07:17:38.0484 1616
07:17:38.0484 1616 OS Version: 5.1.2600 ServicePack: 3.0
07:17:38.0484 1616 Product type: Workstation
07:17:38.0484 1616 ComputerName: DBB4JNM1
07:17:38.0484 1616 UserName: RBailey
07:17:38.0484 1616 Windows directory: C:\WINDOWS
07:17:38.0484 1616 System windows directory: C:\WINDOWS
07:17:38.0484 1616 Processor architecture: Intel x86
07:17:38.0484 1616 Number of processors: 8
07:17:38.0484 1616 Page size: 0x1000
07:17:38.0484 1616 Boot type: Safe boot with network
07:17:38.0484 1616 ============================================================
07:17:38.0953 1616 Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
07:17:39.0281 1616 Drive \Device\Harddisk1\DR1 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
07:17:39.0281 1616 \Device\Harddisk0\DR0:
07:17:39.0281 1616 MBR used
07:17:39.0281 1616 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x44000, BlocksNum 0x1D180000
07:17:39.0281 1616 \Device\Harddisk1\DR1:
07:17:39.0281 1616 MBR used
07:17:39.0281 1616 \Device\Harddisk1\DR1\Partition0: MBR, Type 0x7, StartLBA 0x3EC1, BlocksNum 0x1D1C06C0
07:17:39.0375 1616 Initialize success
07:17:39.0375 1616 ============================================================
07:17:55.0015 1756 ============================================================
07:17:55.0015 1756 Scan started
07:17:55.0015 1756 Mode: Manual;
07:17:55.0015 1756 ============================================================
07:17:55.0250 1756 Abiosdsk - ok
07:17:55.0328 1756 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
07:17:55.0328 1756 abp480n5 - ok
07:17:55.0406 1756 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
07:17:55.0406 1756 ACPI - ok
07:17:55.0437 1756 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
07:17:55.0437 1756 ACPIEC - ok
07:17:55.0531 1756 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
07:17:55.0531 1756 adpu160m - ok
07:17:55.0609 1756 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
07:17:55.0609 1756 aec - ok
07:17:55.0656 1756 AESTAud (822d53766d57c90c437536232ece9023) C:\WINDOWS\system32\drivers\AESTAud.sys
07:17:55.0656 1756 AESTAud - ok
07:17:55.0734 1756 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
07:17:55.0734 1756 AFD - ok
07:17:55.0781 1756 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
07:17:55.0781 1756 agp440 - ok
07:17:55.0859 1756 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
07:17:55.0859 1756 agpCPQ - ok
07:17:55.0906 1756 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
07:17:55.0906 1756 Aha154x - ok
07:17:55.0968 1756 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
07:17:55.0968 1756 aic78u2 - ok
07:17:56.0031 1756 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
07:17:56.0031 1756 aic78xx - ok
07:17:56.0171 1756 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
07:17:56.0171 1756 AliIde - ok
07:17:56.0218 1756 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
07:17:56.0218 1756 alim1541 - ok
07:17:56.0281 1756 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
07:17:56.0281 1756 amdagp - ok
07:17:56.0343 1756 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
07:17:56.0343 1756 amsint - ok
07:17:56.0453 1756 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
07:17:56.0453 1756 Arp1394 - ok
07:17:56.0515 1756 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
07:17:56.0515 1756 asc - ok
07:17:56.0578 1756 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
07:17:56.0578 1756 asc3350p - ok
07:17:56.0640 1756 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
07:17:56.0640 1756 asc3550 - ok
07:17:56.0828 1756 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
07:17:56.0828 1756 AsyncMac - ok
07:17:56.0890 1756 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
07:17:56.0890 1756 atapi - ok
07:17:56.0937 1756 Atdisk - ok
07:17:57.0000 1756 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
07:17:57.0000 1756 Atmarpc - ok
07:17:57.0109 1756 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
07:17:57.0109 1756 audstub - ok
07:17:57.0171 1756 b57w2k (a86835def67af25070a2178a26f0d3eb) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
07:17:57.0171 1756 b57w2k - ok
07:17:57.0312 1756 BCM43XX (5d4893633b7161fa25500eb7aeabec94) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
07:17:57.0375 1756 BCM43XX - ok
07:17:57.0437 1756 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
07:17:57.0437 1756 Beep - ok
07:17:57.0531 1756 Blfp (3edae8e7b40257da798c6952edb26eb0) C:\WINDOWS\system32\DRIVERS\baspxp32.sys
07:17:57.0531 1756 Blfp - ok
07:17:57.0718 1756 catchme - ok
07:17:57.0781 1756 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
07:17:57.0781 1756 cbidf - ok
07:17:57.0843 1756 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
07:17:57.0843 1756 cbidf2k - ok
07:17:57.0906 1756 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
07:17:57.0921 1756 CCDECODE - ok
07:17:57.0968 1756 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
07:17:57.0968 1756 cd20xrnt - ok
07:17:58.0031 1756 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
07:17:58.0031 1756 Cdaudio - ok
07:17:58.0093 1756 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
07:17:58.0093 1756 Cdfs - ok
07:17:58.0156 1756 Cdrom (4b0a100eaf5c49ef3cca8c641431eacc) C:\WINDOWS\system32\DRIVERS\cdrom.sys
07:17:58.0156 1756 Cdrom - ok
07:17:58.0203 1756 Changer - ok
07:17:58.0375 1756 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
07:17:58.0375 1756 CmBatt - ok
07:17:58.0421 1756 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
07:17:58.0421 1756 CmdIde - ok
07:17:58.0484 1756 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
07:17:58.0484 1756 Compbatt - ok
07:17:58.0640 1756 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
07:17:58.0640 1756 Cpqarray - ok
07:17:58.0734 1756 cvusbdrv (d1697063e2cdb6575aa46d668ffee825) C:\WINDOWS\system32\Drivers\cvusbdrv.sys
07:17:58.0734 1756 cvusbdrv - ok
07:17:58.0796 1756 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
07:17:58.0796 1756 dac2w2k - ok
07:17:58.0843 1756 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
07:17:58.0859 1756 dac960nt - ok
07:17:58.0968 1756 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
07:17:58.0968 1756 Disk - ok
07:17:59.0093 1756 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
07:17:59.0109 1756 dmboot - ok
07:17:59.0140 1756 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
07:17:59.0140 1756 dmio - ok
07:17:59.0187 1756 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
07:17:59.0187 1756 dmload - ok
07:17:59.0296 1756 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
07:17:59.0296 1756 DMusic - ok
07:17:59.0406 1756 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
07:17:59.0406 1756 dpti2o - ok
07:17:59.0468 1756 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
07:17:59.0468 1756 drmkaud - ok
07:17:59.0656 1756 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
07:17:59.0671 1756 Fastfat - ok
07:17:59.0765 1756 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
07:17:59.0765 1756 Fdc - ok
07:17:59.0828 1756 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
07:17:59.0828 1756 Fips - ok
07:17:59.0890 1756 FixTDSS (77d6ffaa3010b66fb4692532d75a585f) C:\WINDOWS\system32\drivers\FixTDSS.sys
07:17:59.0890 1756 FixTDSS - ok
07:17:59.0953 1756 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
07:17:59.0953 1756 Flpydisk - ok
07:18:00.0015 1756 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
07:18:00.0015 1756 FltMgr - ok
07:18:00.0109 1756 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
07:18:00.0109 1756 Fs_Rec - ok
07:18:00.0171 1756 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
07:18:00.0171 1756 Ftdisk - ok
07:18:00.0234 1756 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
07:18:00.0234 1756 GEARAspiWDM - ok
07:18:00.0296 1756 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
07:18:00.0296 1756 Gpc - ok
07:18:00.0359 1756 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
07:18:00.0359 1756 HDAudBus - ok
07:18:00.0468 1756 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
07:18:00.0468 1756 hidusb - ok
07:18:00.0562 1756 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
07:18:00.0562 1756 hpn - ok
07:18:00.0640 1756 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
07:18:00.0640 1756 HTTP - ok
07:18:00.0703 1756 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
07:18:00.0703 1756 i2omgmt - ok
07:18:00.0765 1756 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
07:18:00.0765 1756 i2omp - ok
07:18:00.0843 1756 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
07:18:00.0843 1756 i8042prt - ok
07:18:00.0890 1756 iaStor (26541a068572f650a2fa490726fe81be) C:\WINDOWS\system32\drivers\iaStor.sys
07:18:00.0890 1756 iaStor - ok
07:18:01.0015 1756 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
07:18:01.0015 1756 Imapi - ok
07:18:01.0125 1756 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
07:18:01.0140 1756 ini910u - ok
07:18:01.0218 1756 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
07:18:01.0218 1756 IntelIde - ok
07:18:01.0296 1756 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
07:18:01.0296 1756 intelppm - ok
07:18:01.0343 1756 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
07:18:01.0343 1756 Ip6Fw - ok
07:18:01.0406 1756 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
07:18:01.0406 1756 IpFilterDriver - ok
07:18:01.0468 1756 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
07:18:01.0468 1756 IpInIp - ok
07:18:01.0546 1756 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
07:18:01.0546 1756 IpNat - ok
07:18:01.0625 1756 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
07:18:01.0625 1756 IPSec - ok
07:18:01.0671 1756 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
07:18:01.0671 1756 IRENUM - ok
07:18:01.0765 1756 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
07:18:01.0765 1756 isapnp - ok
07:18:01.0859 1756 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
07:18:01.0859 1756 Kbdclass - ok
07:18:01.0921 1756 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
07:18:01.0921 1756 kbdhid - ok
07:18:02.0000 1756 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
07:18:02.0000 1756 kmixer - ok
07:18:02.0062 1756 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
07:18:02.0062 1756 KSecDD - ok
07:18:02.0156 1756 lbrtfdc - ok
07:18:02.0406 1756 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
07:18:02.0406 1756 mnmdd - ok
07:18:02.0500 1756 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
07:18:02.0500 1756 Modem - ok
07:18:02.0562 1756 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
07:18:02.0562 1756 Mouclass - ok
07:18:02.0640 1756 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
07:18:02.0640 1756 mouhid - ok
07:18:02.0671 1756 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
07:18:02.0671 1756 MountMgr - ok
07:18:02.0734 1756 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
07:18:02.0734 1756 mraid35x - ok
07:18:02.0796 1756 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
07:18:02.0796 1756 MRxDAV - ok
07:18:02.0875 1756 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
07:18:02.0890 1756 MRxSmb - ok
07:18:02.0984 1756 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
07:18:02.0984 1756 Msfs - ok
07:18:03.0078 1756 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
07:18:03.0078 1756 MSKSSRV - ok
07:18:03.0140 1756 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
07:18:03.0140 1756 MSPCLOCK - ok
07:18:03.0203 1756 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
07:18:03.0203 1756 MSPQM - ok
07:18:03.0296 1756 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
07:18:03.0296 1756 mssmbios - ok
07:18:03.0343 1756 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
07:18:03.0343 1756 MSTEE - ok
07:18:03.0406 1756 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
07:18:03.0406 1756 Mup - ok
07:18:03.0468 1756 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
07:18:03.0468 1756 NABTSFEC - ok
07:18:03.0562 1756 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
07:18:03.0562 1756 NDIS - ok
07:18:03.0625 1756 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
07:18:03.0625 1756 NdisIP - ok
07:18:03.0687 1756 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
07:18:03.0687 1756 NdisTapi - ok
07:18:03.0734 1756 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
07:18:03.0734 1756 Ndisuio - ok
07:18:03.0796 1756 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
07:18:03.0796 1756 NdisWan - ok
07:18:03.0875 1756 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
07:18:03.0875 1756 NDProxy - ok
07:18:03.0953 1756 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
07:18:03.0953 1756 NetBIOS - ok
07:18:04.0031 1756 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
07:18:04.0031 1756 NetBT - ok
07:18:04.0218 1756 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
07:18:04.0218 1756 NIC1394 - ok
07:18:04.0312 1756 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
07:18:04.0312 1756 Npfs - ok
07:18:04.0390 1756 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
07:18:04.0390 1756 Ntfs - ok
07:18:04.0500 1756 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
07:18:04.0500 1756 Null - ok
07:18:04.0734 1756 nv (02eb892f3942deaaf88cd68795dc3484) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
07:18:04.0890 1756 nv - ok
07:18:04.0984 1756 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
07:18:04.0984 1756 NwlnkFlt - ok
07:18:05.0046 1756 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
07:18:05.0046 1756 NwlnkFwd - ok
07:18:05.0140 1756 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
07:18:05.0140 1756 ohci1394 - ok
07:18:05.0265 1756 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
07:18:05.0265 1756 Parport - ok
07:18:05.0312 1756 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
07:18:05.0312 1756 PartMgr - ok
07:18:05.0375 1756 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
07:18:05.0375 1756 ParVdm - ok
07:18:05.0437 1756 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
07:18:05.0437 1756 PCI - ok
07:18:05.0500 1756 PCIDump - ok
07:18:05.0562 1756 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
07:18:05.0562 1756 PCIIde - ok
07:18:05.0625 1756 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
07:18:05.0625 1756 Pcmcia - ok
07:18:05.0687 1756 PDCOMP - ok
07:18:05.0750 1756 PDFRAME - ok
07:18:05.0796 1756 PDRELI - ok
07:18:05.0859 1756 PDRFRAME - ok
07:18:05.0921 1756 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
07:18:05.0921 1756 perc2 - ok
07:18:05.0984 1756 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
07:18:05.0984 1756 perc2hib - ok
07:18:06.0234 1756 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
07:18:06.0234 1756 PptpMiniport - ok
07:18:06.0312 1756 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
07:18:06.0328 1756 PSched - ok
07:18:06.0375 1756 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
07:18:06.0375 1756 Ptilink - ok
07:18:06.0437 1756 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
07:18:06.0437 1756 ql1080 - ok
07:18:06.0500 1756 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
07:18:06.0500 1756 Ql10wnt - ok
07:18:06.0562 1756 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
07:18:06.0562 1756 ql12160 - ok
07:18:06.0625 1756 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
07:18:06.0625 1756 ql1240 - ok
07:18:06.0687 1756 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
07:18:06.0687 1756 ql1280 - ok
07:18:06.0750 1756 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
07:18:06.0750 1756 RasAcd - ok
07:18:06.0843 1756 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
07:18:06.0843 1756 Rasl2tp - ok
07:18:06.0921 1756 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
07:18:06.0921 1756 RasPppoe - ok
07:18:06.0984 1756 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
07:18:06.0984 1756 Raspti - ok
07:18:07.0046 1756 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
07:18:07.0046 1756 Rdbss - ok
07:18:07.0109 1756 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
07:18:07.0109 1756 RDPCDD - ok
07:18:07.0203 1756 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
07:18:07.0203 1756 rdpdr - ok
07:18:07.0296 1756 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
07:18:07.0296 1756 RDPWD - ok
07:18:07.0390 1756 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
07:18:07.0390 1756 redbook - ok
07:18:07.0687 1756 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
07:18:07.0687 1756 sdbus - ok
07:18:07.0750 1756 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
07:18:07.0750 1756 Secdrv - ok
07:18:07.0875 1756 Ser2pl (b4664c1ee39a5b7fc112f4077f8d21a5) C:\WINDOWS\system32\DRIVERS\ser2pl.sys
07:18:07.0875 1756 Ser2pl - ok
07:18:07.0921 1756 Serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
07:18:07.0921 1756 Serenum - ok
07:18:07.0984 1756 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
07:18:07.0984 1756 Serial - ok
07:18:08.0140 1756 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
07:18:08.0140 1756 Sfloppy - ok
07:18:08.0265 1756 Simbad - ok
07:18:08.0312 1756 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
07:18:08.0328 1756 sisagp - ok
07:18:08.0390 1756 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
07:18:08.0390 1756 SLIP - ok
07:18:08.0500 1756 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
07:18:08.0500 1756 Sparrow - ok
07:18:08.0578 1756 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
07:18:08.0578 1756 splitter - ok
07:18:08.0656 1756 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
07:18:08.0656 1756 sr - ok
07:18:08.0750 1756 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
07:18:08.0750 1756 Srv - ok
07:18:08.0906 1756 STHDA (72c411579358a57941f8d0b3a67175b4) C:\WINDOWS\system32\drivers\sthda.sys
07:18:08.0937 1756 STHDA - ok
07:18:09.0000 1756 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
07:18:09.0000 1756 streamip - ok
07:18:09.0062 1756 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
07:18:09.0062 1756 swenum - ok
07:18:09.0140 1756 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
07:18:09.0140 1756 swmidi - ok
07:18:09.0218 1756 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
07:18:09.0218 1756 symc810 - ok
07:18:09.0265 1756 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
07:18:09.0265 1756 symc8xx - ok
07:18:09.0328 1756 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
07:18:09.0328 1756 sym_hi - ok
07:18:09.0390 1756 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
07:18:09.0390 1756 sym_u3 - ok
07:18:09.0500 1756 SynTP (d776eb85a20696d9d43129ccf6e703e2) C:\WINDOWS\system32\DRIVERS\SynTP.sys
07:18:09.0500 1756 SynTP - ok
07:18:09.0562 1756 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
07:18:09.0562 1756 sysaudio - ok
07:18:09.0687 1756 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
07:18:09.0687 1756 Tcpip - ok
07:18:09.0734 1756 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
07:18:09.0734 1756 TDPIPE - ok
07:18:09.0781 1756 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
07:18:09.0781 1756 TDTCP - ok
07:18:09.0843 1756 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
07:18:09.0843 1756 TermDD - ok
07:18:09.0984 1756 tifm21 (28b7f973c36d157a7885b1ae42a4a2a9) C:\WINDOWS\system32\drivers\tifm21.sys
07:18:09.0984 1756 tifm21 - ok
07:18:10.0062 1756 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
07:18:10.0062 1756 TosIde - ok
07:18:10.0187 1756 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
07:18:10.0187 1756 Udfs - ok
07:18:10.0296 1756 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
07:18:10.0296 1756 ultra - ok
07:18:10.0359 1756 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
07:18:10.0375 1756 Update - ok
07:18:10.0515 1756 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
07:18:10.0515 1756 usbccgp - ok
07:18:10.0578 1756 USBCCID (6b5e4d5e6e5ecd6acd14aed59768ce5c) C:\WINDOWS\system32\DRIVERS\usbccid.sys
07:18:10.0578 1756 USBCCID - ok
07:18:10.0640 1756 usbehci (4bac8df07f1d8434fc640e677a62204e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
07:18:10.0640 1756 usbehci - ok
07:18:10.0703 1756 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
07:18:10.0703 1756 usbhub - ok
07:18:10.0765 1756 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
07:18:10.0765 1756 USBSTOR - ok
07:18:10.0812 1756 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
07:18:10.0812 1756 usbuhci - ok
07:18:10.0890 1756 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
07:18:10.0890 1756 usbvideo - ok
07:18:10.0937 1756 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
07:18:10.0937 1756 VgaSave - ok
07:18:11.0000 1756 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
07:18:11.0000 1756 viaagp - ok
07:18:11.0062 1756 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
07:18:11.0062 1756 ViaIde - ok
07:18:11.0125 1756 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
07:18:11.0125 1756 VolSnap - ok
07:18:11.0265 1756 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
07:18:11.0265 1756 Wanarp - ok
07:18:11.0359 1756 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\Drivers\wdf01000.sys
07:18:11.0359 1756 Wdf01000 - ok
07:18:11.0390 1756 WDICA - ok
07:18:11.0468 1756 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
07:18:11.0468 1756 wdmaud - ok
07:18:11.0828 1756 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
07:18:11.0828 1756 WmiAcpi - ok
07:18:11.0968 1756 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
07:18:11.0968 1756 WS2IFSL - ok
07:18:12.0125 1756 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
07:18:12.0125 1756 WSTCODEC - ok
07:18:12.0218 1756 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
07:18:12.0218 1756 WudfPf - ok
07:18:12.0281 1756 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
07:18:12.0281 1756 WudfRd - ok
07:18:12.0562 1756 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk0\DR0
07:18:12.0593 1756 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - infected
07:18:12.0593 1756 \Device\Harddisk0\DR0 - detected Rootkit.Boot.SST.b (0)
07:18:12.0953 1756 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk1\DR1
07:18:12.0953 1756 \Device\Harddisk1\DR1 - ok
07:18:13.0031 1756 Boot (0x1200) (1b4246f1f9389e20ddd3e8db33a3805d) \Device\Harddisk0\DR0\Partition0
07:18:13.0031 1756 \Device\Harddisk0\DR0\Partition0 - ok
07:18:13.0078 1756 Boot (0x1200) (5fff7a19152d7438b66582d9ce5f3a1a) \Device\Harddisk1\DR1\Partition0
07:18:13.0078 1756 \Device\Harddisk1\DR1\Partition0 - ok
07:18:13.0093 1756 ============================================================
07:18:13.0093 1756 Scan finished
07:18:13.0093 1756 ============================================================
07:18:13.0187 1004 Detected object count: 1
07:18:13.0187 1004 Actual detected object count: 1
07:19:41.0640 1004 \Device\Harddisk0\DR0\# - copied to quarantine
07:19:41.0640 1004 \Device\Harddisk0\DR0 - copied to quarantine
07:19:41.0703 1004 \Device\Harddisk0\DR0\TDLFS\mbr - copied to quarantine
07:19:41.0703 1004 \Device\Harddisk0\DR0\TDLFS\vbr - copied to quarantine
07:19:41.0703 1004 \Device\Harddisk0\DR0\TDLFS\bid - copied to quarantine
07:19:41.0703 1004 \Device\Harddisk0\DR0\TDLFS\affid - copied to quarantine
07:19:41.0703 1004 \Device\Harddisk0\DR0\TDLFS\boot - copied to quarantine
07:19:41.0703 1004 \Device\Harddisk0\DR0\TDLFS\cmd32 - copied to quarantine
07:19:41.0703 1004 \Device\Harddisk0\DR0\TDLFS\cmd64 - copied to quarantine
07:19:41.0703 1004 \Device\Harddisk0\DR0\TDLFS\dbg32 - copied to quarantine
07:19:41.0703 1004 \Device\Harddisk0\DR0\TDLFS\dbg64 - copied to quarantine
07:19:41.0718 1004 \Device\Harddisk0\DR0\TDLFS\drv32 - copied to quarantine
07:19:41.0718 1004 \Device\Harddisk0\DR0\TDLFS\drv64 - copied to quarantine
07:19:41.0718 1004 \Device\Harddisk0\DR0\TDLFS\ldr32 - copied to quarantine
07:19:41.0718 1004 \Device\Harddisk0\DR0\TDLFS\ldr64 - copied to quarantine
07:19:41.0718 1004 \Device\Harddisk0\DR0\TDLFS\subid - copied to quarantine
07:19:41.0718 1004 \Device\Harddisk0\DR0\TDLFS\info - copied to quarantine
07:19:41.0718 1004 \Device\Harddisk0\DR0\TDLFS\mainfb.script - copied to quarantine
07:19:41.0750 1004 \Device\Harddisk0\DR0\TDLFS\com32 - copied to quarantine
07:19:41.0765 1004 \Device\Harddisk0\DR0\TDLFS\serf332 - copied to quarantine
07:19:42.0140 1004 \Device\Harddisk0\DR0\TDLFS\sant32 - copied to quarantine
07:19:42.0140 1004 \Device\Harddisk0\DR0\TDLFS\serf_conf - copied to quarantine
07:19:42.0140 1004 \Device\Harddisk0\DR0\TDLFS\time.txt - copied to quarantine
07:19:42.0203 1004 \Device\Harddisk0\DR0\TDLFS\main - copied to quarantine
07:19:42.0218 1004 \Device\Harddisk0\DR0\TDLFS\bbr232 - copied to quarantine
07:19:42.0250 1004 \Device\Harddisk0\DR0\TDLFS\bbr_conf - copied to quarantine
07:19:42.0250 1004 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - will be cured on reboot
07:19:42.0250 1004 \Device\Harddisk0\DR0 - ok
07:19:42.0312 1004 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - User select action: Cure
07:19:59.0156 1612 Deinitialize success


aswMBR version 0.9.9.1618 Copyright© 2011 AVAST Software
Run date: 2012-02-18 23:41:42
-----------------------------
23:41:42.640 OS Version: Windows 5.1.2600 Service Pack 3
23:41:42.640 Number of processors: 8 586 0x1E05
23:41:42.640 ComputerName: DBB4JNM1 UserName: RBailey
23:41:43.156 Initialize success
23:41:49.312 AVAST engine defs: 12021802
23:41:55.468 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
23:41:55.531 Disk 0 Vendor: WDC_WD25 11.0 Size: 238475MB BusType: 8
23:41:55.593 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IAAStorageDevice-2
23:41:55.671 Disk 1 Vendor: TOSHIBA_ LJ00 Size: 238475MB BusType: 8
23:41:55.765 Disk 0 MBR read successfully
23:41:55.843 Disk 0 MBR scan
23:41:55.937 Disk 0 Windows VISTA default MBR code
23:41:56.015 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 133 MB offset 63
23:41:56.093 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 238336 MB offset 278528
23:41:56.187 Disk 0 scanning sectors +488397152
23:41:56.578 Disk 0 scanning C:\WINDOWS\system32\drivers
23:42:04.625 Service scanning
23:42:10.515 Service NecUsb3 C:\WINDOWS\system32\NCUSBw32.dll **INFECTED** Win32:Malware-gen
23:42:17.625 Modules scanning
23:42:22.671 Disk 0 trace - called modules:
23:42:23.171 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8b0affa9]<<
23:42:23.578 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b054ab8]
23:42:23.984 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x8a605028]
23:42:24.390 \Driver\iaStor[0x8b0f3de8] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x8b0affa9
23:42:25.421 AVAST engine scan C:\WINDOWS
23:42:33.046 AVAST engine scan C:\WINDOWS\system32
23:43:17.015 File: C:\WINDOWS\system32\NCUSBw32.dll **INFECTED** Win32:Malware-gen
23:43:44.781 File: C:\WINDOWS\system32\USB3Sw32.dll **INFECTED** Win32:Malware-gen
23:44:43.000 AVAST engine scan C:\WINDOWS\system32\drivers
23:44:58.953 AVAST engine scan C:\Documents and Settings\RBailey
23:45:06.859 File: C:\Documents and Settings\RBailey\Application Data\Sun\Java\Deployment\cache\6.0\6\3f5fea06-31605718 **INFECTED** Win32:FakeSysdefs-A [Trj]
23:46:10.656 AVAST engine scan C:\Documents and Settings\All Users
23:46:21.375 Scan finished successfully
23:47:17.421 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\RBailey\My Documents\malware removal files to send\MBR.dat"
23:47:17.515 The log file has been saved successfully to "C:\Documents and Settings\RBailey\My Documents\malware removal files to send\aswMBR.txt"


aswMBR version 0.9.9.1618 Copyright© 2011 AVAST Software
Run date: 2012-02-19 07:27:12
-----------------------------
07:27:12.312 OS Version: Windows 5.1.2600 Service Pack 3
07:27:12.312 Number of processors: 8 586 0x1E05
07:27:12.312 ComputerName: DBB4JNM1 UserName: RBailey
07:27:12.750 Initialize success
07:27:22.750 AVAST engine defs: 12021802
07:27:27.640 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
07:27:27.703 Disk 0 Vendor: WDC_WD25 11.0 Size: 238475MB BusType: 8
07:27:27.781 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IAAStorageDevice-2
07:27:27.843 Disk 1 Vendor: TOSHIBA_ LJ00 Size: 238475MB BusType: 8
07:27:27.953 Disk 0 MBR read successfully
07:27:28.031 Disk 0 MBR scan
07:27:28.187 Disk 0 Windows VISTA default MBR code
07:27:28.265 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 133 MB offset 63
07:27:28.359 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 238336 MB offset 278528
07:27:28.437 Disk 0 scanning sectors +488390656
07:27:28.578 Disk 0 scanning C:\WINDOWS\system32\drivers
07:27:36.406 Service scanning
07:27:42.500 Service NecUsb3 C:\WINDOWS\system32\NCUSBw32.dll **INFECTED** Win32:Malware-gen
07:27:49.703 Modules scanning
07:27:54.562 Disk 0 trace - called modules:
07:27:55.062 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
07:27:55.468 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8afa7ab8]
07:27:55.875 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x8a605028]
07:27:56.859 AVAST engine scan C:\WINDOWS
07:28:07.375 AVAST engine scan C:\WINDOWS\system32
07:28:48.671 File: C:\WINDOWS\system32\NCUSBw32.dll **INFECTED** Win32:Malware-gen
07:29:14.343 File: C:\WINDOWS\system32\USB3Sw32.dll **INFECTED** Win32:Malware-gen
07:29:58.187 AVAST engine scan C:\WINDOWS\system32\drivers
07:30:09.062 AVAST engine scan C:\Documents and Settings\RBailey
07:30:15.328 File: C:\Documents and Settings\RBailey\Application Data\Sun\Java\Deployment\cache\6.0\6\3f5fea06-31605718 **INFECTED** Win32:FakeSysdefs-A [Trj]
07:31:28.390 AVAST engine scan C:\Documents and Settings\All Users
07:31:36.875 Scan finished successfully
07:32:07.375 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\RBailey\My Documents\malware removal files to send\MBR.dat"
07:32:07.468 The log file has been saved successfully to "C:\Documents and Settings\RBailey\My Documents\malware removal files to send\aswMBR.txt"

#11 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 135,614 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:41 AM

Posted 19 February 2012 - 04:48 PM

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

KillAll::

File::
C:\WINDOWS\system32\NCUSBw32.dll
C:\WINDOWS\system32\USB3Sw32.dll
c:\windows\system32\dds_trash_log.cmd

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

In your next post I need the following:

  • report from ComboFix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click the donate link. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#12 umbutu

umbutu
  • Topic Starter

  • Members
  • 24 posts
  • Gender:Male
  • Local time:03:41 AM

Posted 19 February 2012 - 06:27 PM

In Safe Mode
Ran CFScript and ComboFix per your instructions
See log from ComboFix below

ComboFix 12-02-16.02 - RBailey 02/19/2012 17:43:20.3.8 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3572.3255 [GMT -5:00]
Running from: c:\documents and settings\RBailey\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\RBailey\Desktop\CFScript.txt
.
FILE ::
"c:\windows\system32\dds_trash_log.cmd"
"c:\windows\system32\NCUSBw32.dll"
"c:\windows\system32\USB3Sw32.dll"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\dds_trash_log.cmd
c:\windows\system32\NCUSBw32.dll
c:\windows\system32\USB3Sw32.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NecUsb3
-------\Service_NecUsb3
.
.
((((((((((((((((((((((((( Files Created from 2012-01-19 to 2012-02-19 )))))))))))))))))))))))))))))))
.
.
2012-02-19 12:19 . 2012-02-19 12:19 -------- d-----w- C:\TDSSKiller_Quarantine
2012-02-18 22:46 . 2012-02-18 22:46 -------- d-----w- C:\New Folder
2012-02-18 17:09 . 2008-04-14 12:48 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-19 06:22 . 2011-12-17 16:11 26872 ----a-w- c:\windows\system32\drivers\FixTDSS.sys
2012-02-14 16:01 . 2011-12-18 00:15 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-12-17 15:48 . 2011-12-17 15:48 83064 ----a-w- c:\windows\system32\drivers\SMR210.SYS
2011-11-22 13:23 . 2011-10-06 04:18 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-12-10 1594664]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2010-05-25 495708]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2010-05-25 737280]
"nwiz"="nwiz.exe" [2009-12-17 1657448]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-12-17 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-12-17 13803520]
"NVHotkey"="nvHotkey.dll" [2009-12-17 86016]
"DellCleanup"="c:\dell\WINCLEAN.EXE" [2010-09-27 212992]
"IAStorIcon"="c:\program files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-03-04 284696]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2010-07-09 2670592]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-05 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FixTDSS"="start" [X]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2011-10-5 25214]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK32.EXE [2011-11-17 611144]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0bootdelete
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 FixTDSS;TDSS Fixtool driver;c:\windows\system32\drivers\FixTDSS.sys [12/17/2011 11:11 AM 26872]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [9/28/2011 10:36 AM 13336]
S2 NVIDIA Performance Driver Service;NVIDIA Performance Driver Service;c:\program files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe [12/8/2009 2:14 PM 5241448]
S3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [9/22/2011 3:31 PM 113664]
S3 cvusbdrv;Dell ControlVault;c:\windows\system32\drivers\cvusbdrv.sys [9/22/2011 3:31 PM 33832]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/25/2008 11:16 AM 14336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
NecUsb3Sevic REG_MULTI_SZ NecUsb3
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ndassvc
SQLAgent$MICROSOFTBCM
rca
HIDSwvd
swwd
wwsecsvc
eventclientmultiplexer
isamsmt
z525obex
slssvc
cicsclient
nvedavt
SE2Emdm
relational
tiwlnsvc
snmptrapdservice
smstsmgr
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://atlarc2.larc.nasa.gov/
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uInternet Settings,ProxyOverride = *.local
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
.
- - - - ORPHANS REMOVED - - - -
.
Notify-NecUsb3Sevices - USB3Sw32.dll
Notify-USB3Sw32 - USB3Sw32.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-19 17:50
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(836)
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(540)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2012-02-19 17:52:20 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-19 22:52
.
Pre-Run: 234,947,899,392 bytes free
Post-Run: 235,044,605,952 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /safeboot:network
.
- - End Of File - - A7666656B24428AC5757F4E7A3EE0876




NOTE =================================

No Google redirect noted!! THANK YOU!!!!
Rebooted computer in regular mode
When the XP desktop came up, TDSS Fix Tool 2.1.3 "scan in progress" came up running; when it finished, it displayed the message:
"Backdoor.Tidserv has not been found on your computer"

Ran ComboFix again, this time no BSOD popup
Log from this run of ComboFix below:

ComboFix 12-02-16.02 - RBailey 02/19/2012 18:08:57.4.8 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3572.3111 [GMT -5:00]
Running from: c:\malware fixers\ComboFix.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-01-19 to 2012-02-19 )))))))))))))))))))))))))))))))
.
.
2012-02-19 12:19 . 2012-02-19 12:19 -------- d-----w- C:\TDSSKiller_Quarantine
2012-02-18 22:46 . 2012-02-18 22:46 -------- d-----w- C:\New Folder
2012-02-18 17:09 . 2008-04-14 12:48 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-14 16:01 . 2011-12-18 00:15 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-12-17 15:48 . 2011-12-17 15:48 83064 ----a-w- c:\windows\system32\drivers\SMR210.SYS
2011-11-22 13:23 . 2011-10-06 04:18 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((( SnapShot@2012-02-18_17.55.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-02-19 23:04 . 2012-02-19 23:04 16384 c:\windows\temp\Perflib_Perfdata_830.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-12-10 1594664]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2010-05-25 495708]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2010-05-25 737280]
"nwiz"="nwiz.exe" [2009-12-17 1657448]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-12-17 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-12-17 13803520]
"NVHotkey"="nvHotkey.dll" [2009-12-17 86016]
"DellCleanup"="c:\dell\WINCLEAN.EXE" [2010-09-27 212992]
"IAStorIcon"="c:\program files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-03-04 284696]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2010-07-09 2670592]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-05 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2011-10-5 25214]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK32.EXE [2011-11-17 611144]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0bootdelete
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [9/28/2011 10:36 AM 13336]
R2 NVIDIA Performance Driver Service;NVIDIA Performance Driver Service;c:\program files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe [12/8/2009 2:14 PM 5241448]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [9/22/2011 3:31 PM 113664]
R3 cvusbdrv;Dell ControlVault;c:\windows\system32\drivers\cvusbdrv.sys [9/22/2011 3:31 PM 33832]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/25/2008 11:16 AM 14336]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - FixTDSS
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
NecUsb3Sevic REG_MULTI_SZ NecUsb3
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ndassvc
SQLAgent$MICROSOFTBCM
rca
HIDSwvd
swwd
wwsecsvc
eventclientmultiplexer
isamsmt
z525obex
slssvc
cicsclient
nvedavt
SE2Emdm
relational
tiwlnsvc
snmptrapdservice
smstsmgr
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://atlarc2.larc.nasa.gov/
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uInternet Settings,ProxyOverride = *.local
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-19 18:11
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(952)
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(876)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-02-19 18:11:43
ComboFix-quarantined-files.txt 2012-02-19 23:11
ComboFix2.txt 2012-02-19 22:52
.
Pre-Run: 231,300,808,704 bytes free
Post-Run: 231,293,124,608 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 86D0C82502FBB80F2412F438749C5391

Reran ComboFix, this time no BSOD popup
Log from this
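An added example (not part of umbutu's post and not ComboFix's own code): a small Python 3 parser for the "Reg Loading Points" block of a ComboFix log like the one above. It turns each `"Name"="image" [date size]` line into a record grouped under its registry key, and separates out the entries whose image is a bare file name rather than a full path (nwiz and NVHotkey in this log), because those are the ones an analyst cannot match to a file on disk from the log alone. The sample text is a handful of lines copied from the log above; the function and class names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: a few lines copied from the "Reg Loading Points"
# section of the ComboFix log posted above (not the whole section).
SAMPLE_LOG = r"""
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-12-10 1594664]
"nwiz"="nwiz.exe" [2009-12-17 1657448]
"NVHotkey"="nvHotkey.dll" [2009-12-17 86016]
"DellCleanup"="c:\dell\WINCLEAN.EXE" [2010-09-27 212992]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"""


@dataclass
class LoadPoint:
    key: str    # registry key the value lives under, as printed by ComboFix
    name: str   # value name (or GUID for hook/BHO style keys)
    image: str  # file ComboFix resolved the value to
    date: str   # file date from the [date size] suffix
    size: int   # file size in bytes from the [date size] suffix


# "[HKEY_...]" section header line
KEY_RE = re.compile(r"^\[(.+)\]$")
# "Name"="image" [YYYY-MM-DD size]  (ComboFix sometimes puts a space after '=')
ENTRY_RE = re.compile(
    r'^"([^"]+)"=\s*"([^"]*)"\s+\[(\d{4}-\d{2}-\d{2})\s+(\d+)\]\s*$')
# an image that starts with a drive letter is a full path
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")


def parse_load_points(text: str) -> List[LoadPoint]:
    """Parse every value line under its preceding [key] header.
    Lines that match neither pattern (REGEDIT4, '.', notes) are ignored."""
    points: List[LoadPoint] = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and key is not None:
            name, image, date, size = m.groups()
            points.append(LoadPoint(key, name, image, date, int(size)))
    return points


def unqualified_images(points: List[LoadPoint]) -> List[LoadPoint]:
    """Entries whose image is a bare file name instead of a full path.
    ComboFix prints them as written in the registry, so the analyst has
    to work out by hand which file actually loads."""
    return [p for p in points if not DRIVE_RE.match(p.image)]


def by_key(points: List[LoadPoint]) -> Dict[str, List[LoadPoint]]:
    """Group entries by registry key (case-insensitive, as the registry is)."""
    grouped: Dict[str, List[LoadPoint]] = {}
    for p in points:
        grouped.setdefault(p.key.lower(), []).append(p)
    return grouped


if __name__ == "__main__":
    pts = parse_load_points(SAMPLE_LOG)
    for k, entries in by_key(pts).items():
        print(k)
        for p in entries:
            print("  %-16s %-60s %s %d" % (p.name, p.image, p.date, p.size))
    print("no full path:", [p.name for p in unqualified_images(pts)])
```

Feed it the whole "Reg Loading Points" section of a log (everything up to the Startup-folder lines) and the grouped output gives a quick checklist of what runs at logon, with the unresolved names listed separately for manual follow-up.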

#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 135,614 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:41 AM

Posted 19 February 2012 - 06:33 PM

These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in add/remove anymore. This is fine; just move to the next item on the list.

You can remove these programs using add/remove, or you can use the free uninstaller from Revo (it does a lot better of a job).

Programs to remove

Java™ 6 Update 20


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • when the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • when prompted click on Yes and then on next.
  • put a check on any folders that are found and select delete
  • when prompted select yes then on next
  • Once done click Finish.

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader (7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be careful not to install anything to do with AskBar.
Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close


TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

Malwarebytes' Anti-Malware:

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running HijackThis, see NOTE** below (Hosts file not read, blank Notepad ...).

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#14 umbutu

umbutu
  • Topic Starter

  • Members
  • 24 posts
  • Gender:Male
  • Local time:03:41 AM

Posted 20 February 2012 - 10:23 AM

Able to complete steps as directed until I got to Java Install
Got Java Install Error message as follows:
"Installer: Wrapper.CreateFile failed with error 5: Access is denied"

Continued to Malwarebytes Anti-Malware install
during install got a "Setup" popup window
message inside window = "Access is denied"
After I press 'OK', an Error message popup window appears with message = "Setup was not completed"

Note:
I only have one choice of user account I use to log onto Windows XP; this account has administrator privileges
I do not get a choice of 'Administrator' to log on with

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 135,614 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:41 AM

Posted 20 February 2012 - 03:49 PM

Hello

Please do the following:

Step One
Please download Junction.zip and save it to your desktop.
Unzip it and extract junction.exe to your C:\ drive.

Step Two
Now copy (Ctrl +C) and paste (Ctrl +V) the text inside the code box below into Notepad.

@ECHO OFF
REM Change to the root of C:\, where junction.exe was extracted in Step One
cd c:\
REM List every junction point under C:\ (-s recurses into subdirectories) and write the output to log.txt
junction -s c:\>log.txt
REM Open the log in Notepad (the default viewer for .txt files)
start log.txt
REM Delete this batch file once it has run
del %0
Save it to your desktop as File name: junc.bat
Save as type: All Files

Step Three
Double click junc.bat to run it. A log will be presented. Copy and paste or attach the content of the log in your next reply.

Gringo
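An added example, not part of Gringo's instructions and not the Sysinternals junction tool: if junction.exe cannot be run on the affected machine, the same listing (every junction and symlink under a root, recursing like junction -s) can be produced with this Python 3 script. It relies on lstat's st_file_attributes and st_reparse_tag, which Python exposes only on Windows (3.8 or newer for the tag), so on other systems it reports nothing; it never descends through a junction, so a looped junction cannot make it run forever, and entries it is not allowed to read are skipped instead of aborting the scan. The function names are my own.

```python
import os
import stat
import sys
import tempfile

# Reparse tags from the Windows SDK (ntifs.h). A directory junction is a
# mount-point reparse point; junction.exe reports those and NTFS symlinks.
IO_REPARSE_TAG_MOUNT_POINT = 0xA0000003
IO_REPARSE_TAG_SYMLINK = 0xA000000C


def reparse_kind(tag: int) -> str:
    """Human-readable name for a reparse tag."""
    if tag == IO_REPARSE_TAG_MOUNT_POINT:
        return "junction"
    if tag == IO_REPARSE_TAG_SYMLINK:
        return "symlink"
    return "other(0x%08X)" % tag


def is_reparse_point(st: os.stat_result) -> bool:
    """True when lstat() reports the reparse-point attribute.
    st_file_attributes exists only on Windows; elsewhere nothing is
    reported, which is correct because there are no junctions to find."""
    attrs = getattr(st, "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_REPARSE_POINT)


def find_reparse_points(root: str):
    """Walk root without following links and return (path, kind, target)
    for every reparse point, sorted by path."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in list(dirnames) + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # access denied or vanished: skip, keep scanning
            if not is_reparse_point(st):
                continue
            tag = getattr(st, "st_reparse_tag", 0)  # Windows, Python 3.8+
            try:
                target = os.readlink(path)
            except OSError:
                target = None  # tag types readlink cannot resolve
            found.append((path, reparse_kind(tag), target))
            if name in dirnames:
                dirnames.remove(name)  # do not descend through a junction
    return sorted(found)


def scan_empty_tempdir():
    """Self-check: a directory holding only a regular file has no reparse
    points on any platform, so this returns an empty list."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "plain.txt"), "w") as fh:
            fh.write("constructed sample file\n")
        return find_reparse_points(d)


if __name__ == "__main__":
    # Usage: python junctions.py [root]   (defaults to C:\ like the batch file above)
    root = sys.argv[1] if len(sys.argv) > 1 else "C:\\"
    for path, kind, target in find_reparse_points(root):
        print("%-8s %s -> %s" % (kind, path, target))
```

Run it from an administrator command prompt and redirect its output to a file the same way the batch file does, so the result can be pasted into the thread.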



