virus redirecting Google or any other search engine.

Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Posted Image

Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.

Posted Image

DO NOT RUN ComboFix unless requested to.

Posted Image

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

Posted Image

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Posted Image

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

4 Pages
1
2
3
→
Last »

You cannot start a new topic
This topic is locked

virus redirecting Google or any other search engine. Tried everything can't remove it myself.

#1 hpodell

Member

Group: Members
Posts: 30
Joined: 03-April 11

Posted 22 April 2011 - 04:38 PM

My computer is infected with a virus that redirects Google or other search engines.
As best I can tell the infection started on or about March 23rd to 24th.
I have tried many available malware removal schemes and nothing has worked.
I would appreciate any help you can give..
Regards
Howard

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Howard at 13:10:30.06 on Fri 22/04/2011
Internet Explorer: 8.0.6001.19019 BrowserJavaVersion: 1.6.0_21
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.2046.903 [GMT -7:00]
.
AV: Norton AntiVirus *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton AntiVirus *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k regsvc
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\dvd43\DVD43_Tray.exe
C:\Program Files\CyberLink\Shared Files\brs.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Anoto\DockingEngine.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Fisher-Price\DACS\MiniApp\DACSMiniApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\Logitech Internet Handset\LOGI_HDS.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\dvd43\DVD43_Tray.exe
C:\Program Files\CyberLink\Shared Files\brs.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Anoto\DockingEngine.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Users\Raelyn\AppData\Roaming\Smilebox\SmileboxTray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Windows\system32\LogonUI.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Users\Howard\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://g.xtramsn.co.nz/0SEENNZ/SAOS01?FORM=TOOLBR
uSearch Bar = hxxp://g.xtramsn.co.nz/0SEENNZ/SAOS01?FORM=TOOLBR
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://g.xtramsn.co.nz/0SEENNZ/SAOS01?FORM=TOOLBR
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\16.8.0.41\IPSBHO.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [dvd43] c:\program files\dvd43\dvd43_tray.exe
mRun: [BDRegion] c:\program files\cyberlink\shared files\brs.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Logitech Pen Docking Engine Server] c:\program files\common files\anoto\DockingEngine.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [ProfilerU] c:\program files\saitek\sd6\software\ProfilerU.exe
mRun: [SaiMfd] c:\program files\saitek\sd6\software\SaiMfd.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [DACSMiniApp] c:\program files\fisher-price\dacs\miniapp\DACSMiniApp.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
StartupFolder: c:\users\howard\appdata\roaming\micros~1\windows\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\logitech internet handset\LOGI_HDS.exe
mPolicies-explorer: RevertWebViewSecurity = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {EBD24BD3-E272-4FA3-A8BA-C5D709757CAB} - {EBD24BD3-E272-4FA3-A8BA-C5D709757CAB}
DPF: Microsoft XML Parser for Java - file:///C:/Windows/Java/classes/xmldso.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SEH: Internet Shortcut: {fbf23b40-e3f0-101b-8488-00aa003e56f8} - c:\windows\system32\ieframe.dll
LSA: Authentication Packages = msv1_0 relog_ap
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\howard\appdata\roaming\mozilla\firefox\profiles\yplsp9lv.default\
FF - prefs.js: browser.startup.homepage - hxxp://msn.com/
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.27\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft research\hdview for firefox\nphdview.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbiblionet.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\users\howard\appdata\roaming\mozilla\firefox\profiles\yplsp9lv.default\extensions\devicedetection@logitech.com\plugins\npLogitechDeviceDetection.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
.
============= SERVICES / DRIVERS ===============
.
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1008000.029\SymEFA.sys [2010-1-27 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nav\1008000.029\BHDrvx86.sys [2010-1-27 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1008000.029\cchpx86.sys [2010-1-27 482432]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20110421.001\IDSvix86.sys [2011-4-21 353912]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\norton antivirus\engine\16.8.0.41\ccSvcHst.exe [2010-1-27 117640]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2009-8-16 239648]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-4-6 102448]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\system32\drivers\nav\1008000.029\symndisv.sys [2010-1-27 48688]
S2 gupdate1c988d74691d419;Google Update Service (gupdate1c988d74691d419);c:\program files\google\update\GoogleUpdate.exe [2009-2-6 133104]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-3-27 1153368]
S3 CoachVid;CoachVid;c:\windows\system32\drivers\CoachVid.sys [2007-6-29 45344]
S3 LapUsb;Logitech io Pen USB driver;c:\windows\system32\drivers\LapUsb.sys [2002-9-30 68057]
S3 mamotou;mamotou;c:\windows\system32\drivers\mamotou.sys [2008-5-17 49377]
S3 papycpu;papycpu;c:\windows\system32\drivers\papycpu.sys [2010-10-16 1984]
S3 SaiH0763;SaiH0763;c:\windows\system32\drivers\SaiH0763.sys [2010-10-30 135296]
S3 SaiH0BAC;SaiH0BAC;c:\windows\system32\drivers\SaiH0BAC.sys [2010-10-30 135168]
.
=============== File Associations ===============
.
scrfile="%1" /S "%3"
.
=============== Created Last 30 ================
.
2011-04-19 05:12:25 -------- d-----w- c:\windows\system32\wbem\Logs
2011-04-07 00:08:13 1180672 ----a-w- c:\windows\system32\AutoPartNt.exe
2011-04-06 20:55:27 -------- d-----w- c:\users\howard\appdata\roaming\Music Coach
2011-04-06 20:55:26 -------- d-----w- c:\progra~2\Music Coach
2011-04-06 20:54:04 -------- d-----w- c:\windows\system32\dllcache
2011-04-06 20:39:19 -------- d-----w- c:\program files\Music Coach
2011-04-06 16:30:54 -------- d-----w- c:\progra~2\eMedia Beginner Guitar Lessons
2011-04-06 16:30:36 -------- d-----w- c:\program files\eMedia Beginner Guitar Lessons
2011-04-04 18:33:30 392320 ----a-w- c:\windows\system32\drivers\timntr.sys
2011-04-04 18:33:30 32768 ----a-w- c:\windows\system32\drivers\tifsfilt.sys
2011-04-04 18:33:21 99776 ----a-w- c:\windows\system32\drivers\snapman.sys
2011-03-28 03:08:16 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-03-28 03:08:16 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2011-03-24 01:30:04 2048 ----a-w- c:\windows\system32\winrsmgr.dll
2011-03-24 01:28:57 1181696 ----a-w- c:\windows\system32\WsmSvc.dll
2011-03-24 01:19:55 603648 ----a-w- c:\windows\system32\schedsvc.dll
2011-03-24 01:18:59 2048 ----a-w- c:\windows\system32\tzres.dll
2011-03-24 01:17:22 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-03-24 01:17:21 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-03-24 00:57:03 53248 ----a-r- c:\users\howard\appdata\roaming\microsoft\installer\{3ee9bcae-e9a9-45e5-9b1c-83a4d357e05c}\ARPPRODUCTICON.exe
2011-03-24 00:56:54 -------- d-----w- c:\users\howard\appdata\local\Logishrd
2011-03-24 00:56:36 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2011-03-24 00:48:20 -------- d-----w- c:\users\howard\appdata\roaming\Logishrd
2011-03-23 22:22:37 -------- d-----w- c:\progra~2\XoftSpySE
2011-03-23 22:22:35 -------- d-----w- c:\program files\XoftSpySE6
2011-03-23 22:10:58 96600 ----a-w- c:\windows\system32\R4EEL32A.dll
2011-03-23 21:43:52 -------- d-----w- c:\program files\common files\Canon
2011-03-23 21:42:03 77824 ----a-w- c:\windows\system32\CNCSDO60.DLL
2011-03-23 21:42:03 49152 ----a-w- c:\windows\system32\cncisco.dll
2011-03-23 21:42:03 48128 ----a-w- c:\windows\system32\CNCSTR60.DLL
2011-03-23 21:42:03 46592 ----a-w- c:\windows\system32\CNCSUT60.DLL
2011-03-23 21:42:03 46592 ----a-w- c:\windows\system32\CNCSCM60.DLL
2011-03-23 21:42:03 44032 ----a-w- c:\windows\system32\CNCSIF60.DLL
2011-03-23 21:42:03 389180 ----a-w- c:\windows\system32\UCS32P.DLL
2011-03-23 21:42:03 37376 ----a-w- c:\windows\system32\CNCI780.DLL
2011-03-23 21:42:03 20535 ----a-w- c:\windows\system32\CNCFMS60.EXE
2011-03-23 21:42:03 18432 ----a-w- c:\windows\system32\CNCL780.DLL
2011-03-23 21:42:03 159744 ----a-w- c:\windows\system32\CNCC780.DLL
2011-03-23 21:42:02 130560 ----a-w- c:\windows\system32\CNCF2L60.DLL
2011-03-23 21:06:49 -------- d-----w- c:\users\howard\appdata\roaming\DriverCure
2011-03-23 21:06:48 -------- d-----w- c:\users\howard\appdata\roaming\ParetoLogic
2011-03-23 21:06:30 -------- d-----w- c:\program files\common files\ParetoLogic
2011-03-23 21:06:29 -------- d-----w- c:\program files\ParetoLogic
2011-03-23 21:06:29 -------- d-----w- c:\progra~2\ParetoLogic
.
==================== Find3M ====================
.
2011-03-23 22:11:40 319456 ----a-w- c:\windows\DIFxAPI.dll
2011-03-23 01:26:25 108544 --sha-r- c:\windows\system32\resutilso.dll
2011-03-05 17:00:31 69632 ----a-w- c:\windows\system32\Clifford Uninstall.exe
.
============= FINISH: 13:12:18.51 ===============

Attached File(s)

Attach.txt (7.45K)
Number of downloads: 1
ark.txt (11.33K)
Number of downloads: 1

#2 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,449
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 30 April 2011 - 02:45 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

Do not run any other tool untill instructed to do so!
Please Do not Attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

DeFogger

desktop

DeFogger

The application window will appear
Click the Disable button to disable your CD Emulation drivers
Click Yes to continue
A 'Finished!' message will appear
Click OK
DeFogger may ask you to reboot the machine, if it does - click OK

Do not

Download DDS:

DDS by sUBs

Link1

Link2

Link3

Please disable any anti-malware program that will block scripts from running before running DDS.

Double-Click on dds.scr and a command window will appear. This is normal.
Shortly after two logs will appear:
- DDS.txt
- Attach.txt
A window will open instructing you save & post the logs
Save the logs to a convenient place such as your desktop
Copy the contents of both logs & post in your next reply

Scan With RKUnHooker

Please Download Rootkit Unhooker Save it to your desktop.
Now double-click on RKUnhookerLE.exe to run it.
Click the Report tab, then click Scan.
Check (Tick) Drivers, Stealth,. Uncheck the rest. then Click OK.
Wait till the scanner has finished and then click File, Save Report.
Save the report somewhere where you can find it. Click Close.

Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning it is ok, just ignore

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

"just click on Cancel, then Accept".

information and logs:

In your next post I need the following

.logs from DDS
log from RKUnHooker
let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->

<-- Don't worry every little bit helps.

#3 hpodell

Member

Group: Members
Posts: 30
Joined: 03-April 11

Posted 01 May 2011 - 11:19 AM

Hopefully doing this right.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Howard at 8:44:23.50 on Sun 01/05/2011
Internet Explorer: 8.0.6001.19048 BrowserJavaVersion: 1.6.0_21
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.2046.903 [GMT -7:00]
.
AV: Norton AntiVirus *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton AntiVirus *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\taskeng.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\rundll32.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k regsvc
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\dvd43\DVD43_Tray.exe
C:\Program Files\CyberLink\Shared Files\brs.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Anoto\DockingEngine.exe

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft® Windows Vista™ Home Basic
Boot Device: \Device\HarddiskVolume1
Install Date: 25/07/2007 6:07:16 p.m.
System Uptime: 29/04/2011 3:45:33 p.m. (41 hours ago)
.
Motherboard: http://www.abit.com.tw/ | | IB9(Intel P965+ICH8)
Processor: Intel® Core™2 CPU 6420 @ 2.13GHz | Socket 775 | 2133/266mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 1863 GiB total, 1713.012 GiB free.
K: is CDROM (CDFS)
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft Tun Miniport Adapter
Device ID: ROOT\*TUNMP\0001
Manufacturer: Microsoft
Name: Teredo Tunneling Pseudo-Interface
PNP Device ID: ROOT\*TUNMP\0001
Service: tunmp
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
Acronis True Image Home
Active Disk
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.0
Adobe Shockwave Player 11.5
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Applian Director
ArcSoft MediaConverter 2.5
ArcSoft MediaImpression
Audacity 1.2.6
Avanquest update
Bonjour
Buzz Lightyear Astro Blasters
Cakewalk Sound Center 1.0.0
Canon Inkjet Printer Driver Add-On Module
Canon MP780
Canon ScanGear Starter
Clifford Thinking Adventures
Compatibility Pack for the 2007 Office system
CyberLink BD Advisor 2.0
CyberLink PowerDVD
Digital Video
Disney's Mickey Mouse Toddler

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows Vista
Version 6.0.6001 (Service Pack 1)
Number of processors #2
==============================================
>Drivers
==============================================
0x8D800000 C:\Windows\system32\DRIVERS\nvlddmkm.sys 7741440 bytes (NVIDIA Corporation, NVIDIA Compatible Windows Vista Kernel Mode Driver, Version 181.22 )
0x83050000 C:\Windows\system32\ntkrnlpa.exe 3903488 bytes (Microsoft Corporation, NT Kernel & System)
0x83050000 PnpManager 3903488 bytes
0x83050000 RAW 3903488 bytes
0x83050000 WMIxWDM 3903488 bytes
0x8E803000 C:\Windows\system32\drivers\RTKVHDA.sys 3346432 bytes (Realtek Semiconductor Corp., Realtek® High Definition Audio Function Driver)
0x98280000 Win32k 2109440 bytes
0x98280000 C:\Windows\System32\win32k.sys 2109440 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xA6005000 C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20110430.002\NAVEX15.SYS 1388544 bytes (Symantec Corporation, AV Engine)
0x83E0A000 C:\Windows\System32\Drivers\Ntfs.sys 1110016 bytes (Microsoft Corporation, NT File System Driver)
0x836D4000 C:\Windows\system32\drivers\ndis.sys 1093632 bytes
0x83C74000 C:\Windows\System32\drivers\tcpip.sys 954368 bytes (Microsoft Corporation, TCP/IP Driver)
0x804CA000 C:\Windows\system32\CI.dll 917504 bytes (Microsoft Corporation, Code Integrity Module)
0xA4405000 C:\Windows\system32\drivers\peauth.sys 909312 bytes (Microsoft Corporation, Protected Environment Authentication and Authorization Export Driver)
0x9E608000 C:\Windows\system32\drivers\spsys.sys 716800 bytes (Microsoft Corporation, security processor)
0x8E005000 C:\Windows\System32\drivers\dxgkrnl.sys 651264 bytes (Microsoft Corporation, DirectX Graphics Kernel)
0x80607000 C:\Windows\system32\drivers\Wdf01000.sys 507904 bytes (Microsoft Corporation, WDF Dynamic)
0x8F606000 C:\Windows\System32\Drivers\NAV\1008000.029\ccHPx86.sys 503808 bytes (Symantec Corporation, Common Client Hash Provider Driver)
0x83663000 C:\Windows\System32\Drivers\ksecdd.sys 462848 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0x9E6E3000 C:\Windows\system32\drivers\HTTP.sys 446464 bytes (Microsoft Corporation, HTTP Protocol Stack)
0x80410000 C:\Windows\system32\mcupdate_GenuineIntel.dll 393216 bytes (Microsoft Corporation, Intel Microcode Update Library)
0x83D78000 C:\Windows\system32\DRIVERS\timntr.sys 393216 bytes (Acronis, Acronis True Image Backup Archive Explorer)
0x8F2E3000 C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys 385024 bytes (Symantec Corporation, Symantec Eraser Control Driver)
0x8F26F000 C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20110429.002\IDSvix86.sys 372736 bytes (Symantec Corporation, IDS Core Driver)
0xA451A000 C:\Windows\System32\Drivers\NAV\1008000.029\SRTSP.SYS 339968 bytes (Symantec Corporation, Symantec AutoProtect)
0x8F38C000 C:\Windows\System32\DRIVERS\srv.sys 323584 bytes (Microsoft Corporation, Server driver)
0x8360B000 C:\Windows\system32\drivers\NAV\1008000.029\SYMEFA.SYS 323584 bytes (Symantec Corporation, Symantec Extended File Attributes)
0x984D0000 C:\Windows\System32\ATMFD.DLL 315392 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0x8072C000 C:\Windows\System32\drivers\volmgrx.sys 303104 bytes (Microsoft Corporation, Volume Manager Extension Driver)
0x8E56A000 C:\Windows\system32\drivers\afd.sys 294912 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x80690000 C:\Windows\system32\drivers\acpi.sys 286720 bytes (Microsoft Corporation, ACPI Driver for NT)
0x8F681000 C:\Windows\System32\Drivers\NAV\1008000.029\BHDrvx86.sys 270336 bytes (Symantec Corporation, BASH Driver)
0x8E11B000 C:\Windows\system32\DRIVERS\Rtlh86.sys 270336 bytes (Realtek , Realtek 8136/8168/8169 NDIS6 32-bit Driver )
0x80489000 C:\Windows\system32\CLFS.SYS 266240 bytes (Microsoft Corporation, Common Log File System Driver)
0x8DF64000 C:\Windows\system32\DRIVERS\storport.sys 266240 bytes (Microsoft Corporation, Microsoft Storage Port Driver)
0x8E0BC000 C:\Windows\system32\DRIVERS\USBPORT.SYS 253952 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0x8F229000 C:\Windows\system32\DRIVERS\rdbss.sys 245760 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0x83C3A000 C:\Windows\system32\drivers\NETIO.SYS 237568 bytes (Microsoft Corporation, Network I/O Subsystem)
0x8F768000 C:\Windows\system32\DRIVERS\mrxsmb10.sys 233472 bytes (Microsoft Corporation, Longhorn SMB Downlevel SubRdr)
0x83F19000 C:\Windows\system32\drivers\volsnap.sys 233472 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0x8E4DA000 C:\Windows\System32\Drivers\NAV\1008000.029\SYMTDI.SYS 212992 bytes (Symantec Corporation, Network Dispatch Driver)
0x8E443000 C:\Windows\system32\DRIVERS\usbhub.sys 212992 bytes (Microsoft Corporation, Default Hub Driver for USB)
0x8301D000 ACPI_HAL 208896 bytes
0x8301D000 C:\Windows\system32\hal.dll 208896 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0x805AA000 C:\Windows\system32\drivers\fltmgr.sys 204800 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0x8E5B2000 C:\Windows\System32\DRIVERS\netbt.sys 204800 bytes (Microsoft Corporation, MBT Transport driver)
0x8E193000 C:\Windows\system32\DRIVERS\msiscsi.sys 188416 bytes (Microsoft Corporation, Microsoft iSCSI Initiator Driver)
0x8EB34000 C:\Windows\system32\drivers\portcls.sys 184320 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0x83C0F000 C:\Windows\system32\drivers\msrpc.sys 176128 bytes (Microsoft Corporation, Kernel Remote Procedure Call Provider)
0x8E402000 C:\Windows\system32\DRIVERS\ks.sys 172032 bytes (Microsoft Corporation, Kernel CSA Library)
0x8F7A1000 C:\Windows\System32\DRIVERS\srv2.sys 163840 bytes (Microsoft Corporation, Smb 2.0 Server driver)
0x83F82000 C:\Windows\System32\drivers\ecache.sys 159744 bytes (Microsoft Corporation, Special Memory Device Cache)
0x806E7000 C:\Windows\system32\drivers\pci.sys 159744 bytes (Microsoft Corp

#4 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,449
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 01 May 2011 - 04:49 PM

Hello

I Would like you to do the following.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

Link 1

Link 2

Link 3

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

Log from Combofix
let me know of any problems you may have had
How is the computer doing now?

Gringo

<-- Don't worry every little bit helps.

#5 hpodell

Member

Group: Members
Posts: 30
Joined: 03-April 11

Posted 02 May 2011 - 10:46 AM

Gringo
No joy using Combofix.
I downloaded and ran Combofix and when it started it said Nortons was still running which I made sure it was not, first by disabling after right clicking in the toolbar and selecting "Disable Antivirus Auto-protect" and then later when that didn't make any difference by entering Norton's and manually turning all functions to off.
The first attempt it got to "attempting to create restore point" and then hung for over an hour, but you could see in the back ground that at the beginning that it was saving the registry to a file.
Second attempt hung at "Combofix preparing to run" which also hung up for an hour.
The third attempt announced a new version of combo fix is available which it downloaded and ran, and then I went back to square one where it got to attempting a restore point and then hung up again. This time I let it sit for almost two hours and it never got past that screen.
Also before running it I did take Spybot off my system and turned off the Windows Firewall.
But Combo fix does specifically say "Nortons" so I doubt those would have been the problem anyway.

#6 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,449
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 02 May 2011 - 11:02 AM

I want you to run this tool for me next.

tdsskiller:

Please read carefully and follow these steps.

Download TDSSKiller and save it to your Desktop.
doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
If an infected file is detected, the default action will be Cure, click on Continue.
If a suspicious file is detected, the default action will be Skip, click on Continue.
It may ask you to reboot the computer to complete the process. Click on Reboot Now.
If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo

<-- Don't worry every little bit helps.

#7 hpodell

Member

Group: Members
Posts: 30
Joined: 03-April 11

Posted 02 May 2011 - 03:31 PM

Ran TDSS.KILLER found a bad file and cured but redirect problem is still there.
Ran again found same file, "rootkit.win32.tdss.tdl3",

2011/05/02 13:10:36.0625 8088 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/05/02 13:10:38.0577 8088 ================================================================================
2011/05/02 13:10:38.0577 8088 SystemInfo:
2011/05/02 13:10:38.0577 8088
2011/05/02 13:10:38.0578 8088 OS Version: 6.0.6001 ServicePack: 1.0
2011/05/02 13:10:38.0578 8088 Product type: Workstation
2011/05/02 13:10:38.0578 8088 ComputerName: HOME
2011/05/02 13:10:38.0578 8088 UserName: Howard
2011/05/02 13:10:38.0578 8088 Windows directory: C:\Windows
2011/05/02 13:10:38.0578 8088 System windows directory: C:\Windows
2011/05/02 13:10:38.0578 8088 Processor architecture: Intel x86
2011/05/02 13:10:38.0578 8088 Number of processors: 2
2011/05/02 13:10:38.0578 8088 Page size: 0x1000
2011/05/02 13:10:38.0578 8088 Boot type: Normal boot
2011/05/02 13:10:38.0578 8088 ================================================================================
2011/05/02 13:10:38.0833 8088 Initialize success
2011/05/02 13:10:49.0197 7588 ================================================================================
2011/05/02 13:10:49.0197 7588 Scan started
2011/05/02 13:10:49.0197 7588 Mode: Manual;
2011/05/02 13:10:49.0197 7588 ================================================================================
2011/05/02 13:10:50.0905 7588 ACPI (fcb8c7210f0135e24c6580f7f649c73c) C:\Windows\system32\drivers\acpi.sys
2011/05/02 13:10:50.0980 7588 adp94xx (2edc5bbac6c651ece337bde8ed97c9fb) C:\Windows\system32\drivers\adp94xx.sys
2011/05/02 13:10:51.0018 7588 adpahci (b84088ca3cdca97da44a984c6ce1ccad) C:\Windows\system32\drivers\adpahci.sys
2011/05/02 13:10:51.0048 7588 adpu160m (7880c67bccc27c86fd05aa2afb5ea469) C:\Windows\system32\drivers\adpu160m.sys
2011/05/02 13:10:51.0085 7588 adpu320 (9ae713f8e30efc2abccd84904333df4d) C:\Windows\system32\drivers\adpu320.sys
2011/05/02 13:10:51.0195 7588 Afc (fe3ea6e9afc1a78e6edca121e006afb7) C:\Windows\system32\drivers\Afc.sys
2011/05/02 13:10:51.0362 7588 AFD (763e172a55177e478cb419f88fd0ba03) C:\Windows\system32\drivers\afd.sys
2011/05/02 13:10:51.0388 7588 agp440 (ef23439cdd587f64c2c1b8825cead7d8) C:\Windows\system32\drivers\agp440.sys
2011/05/02 13:10:51.0411 7588 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
2011/05/02 13:10:51.0444 7588 aliide (90395b64600ebb4552e26e178c94b2e4) C:\Windows\system32\drivers\aliide.sys
2011/05/02 13:10:51.0479 7588 amdagp (2b13e304c9dfdfa5eb582f6a149fa2c7) C:\Windows\system32\drivers\amdagp.sys
2011/05/02 13:10:51.0511 7588 amdide (0577df1d323fe75a739c787893d300ea) C:\Windows\system32\drivers\amdide.sys
2011/05/02 13:10:51.0533 7588 AmdK7 (dc487885bcef9f28eece6fac0e5ddfc5) C:\Windows\system32\drivers\amdk7.sys
2011/05/02 13:10:51.0563 7588 AmdK8 (0ca0071da4315b00fc1328ca86b425da) C:\Windows\system32\drivers\amdk8.sys
2011/05/02 13:10:51.0616 7588 arc (5f673180268bb1fdb69c99b6619fe379) C:\Windows\system32\drivers\arc.sys
2011/05/02 13:10:51.0641 7588 arcsas (957f7540b5e7f602e44648c7de5a1c05) C:\Windows\system32\drivers\arcsas.sys
2011/05/02 13:10:51.0689 7588 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
2011/05/02 13:10:51.0735 7588 atapi (2d9c903dc76a66813d350a562de40ed9) C:\Windows\system32\drivers\atapi.sys
2011/05/02 13:10:51.0779 7588 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
2011/05/02 13:10:51.0945 7588 BHDrvx86 (76154fa6a742c613b44bb636b1a7c057) C:\Windows\System32\Drivers\NAV\1008000.029\BHDrvx86.sys
2011/05/02 13:10:52.0040 7588 bowser (8153396d5551276227fa146900f734e6) C:\Windows\system32\DRIVERS\bowser.sys
2011/05/02 13:10:52.0079 7588 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
2011/05/02 13:10:52.0103 7588 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
2011/05/02 13:10:52.0133 7588 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
2011/05/02 13:10:52.0174 7588 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
2011/05/02 13:10:52.0205 7588 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
2011/05/02 13:10:52.0237 7588 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
2011/05/02 13:10:52.0264 7588 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
2011/05/02 13:10:52.0348 7588 ccHP (8973ff34b83572d867b5b928905ad5ac) C:\Windows\System32\Drivers\NAV\1008000.029\ccHPx86.sys
2011/05/02 13:10:52.0400 7588 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
2011/05/02 13:10:52.0438 7588 cdrom (1ec25cea0de6ac4718bf89f9e1778b57) C:\Windows\system32\DRIVERS\cdrom.sys
2011/05/02 13:10:52.0477 7588 circlass (da8e0afc7baa226c538ef53ac2f90897) C:\Windows\system32\drivers\circlass.sys
2011/05/02 13:10:52.0576 7588 CLFS (465745561c832b29f7c48b488aab3842) C:\Windows\system32\CLFS.sys
2011/05/02 13:10:52.0721 7588 cmdide (45201046c776ffdaf3fc8a0029c581c8) C:\Windows\system32\drivers\cmdide.sys
2011/05/02 13:10:52.0769 7588 CoachAud (8c0b9303364fbff79345c1be2146e5f2) C:\Windows\system32\DRIVERS\CoachAud.sys
2011/05/02 13:10:52.0805 7588 CoachUsb (577e2d85e908e5eb9311b54e8b56447b) C:\Windows\system32\DRIVERS\CoachUsb.sys
2011/05/02 13:10:52.0847 7588 CoachVid (f084c7b8e08d761040b708e65468ec2e) C:\Windows\system32\DRIVERS\CoachVid.sys
2011/05/02 13:10:52.0874 7588 Compbatt (82b8c91d327cfecf76cb58716f7d4997) C:\Windows\system32\drivers\compbatt.sys
2011/05/02 13:10:52.0914 7588 crcdisk (2a213ae086bbec5e937553c7d9a2b22c) C:\Windows\system32\drivers\crcdisk.sys
2011/05/02 13:10:52.0949 7588 Crusoe (22a7f883508176489f559ee745b5bf5d) C:\Windows\system32\drivers\crusoe.sys
2011/05/02 13:10:53.0001 7588 DfsC (9e635ae5e8ad93e2b5989e2e23679f97) C:\Windows\system32\Drivers\dfsc.sys
2011/05/02 13:10:53.0059 7588 disk (64109e623abd6955c8fb110b592e68b7) C:\Windows\system32\drivers\disk.sys
2011/05/02 13:10:53.0259 7588 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
2011/05/02 13:10:53.0339 7588 dvd43llh (1fc1eed3ea0c3a0ecf8a95b97e1b4831) C:\Windows\system32\DRIVERS\dvd43llh.sys
2011/05/02 13:10:53.0389 7588 DXGKrnl (85f33880b8cfb554bd3d9ccdb486845a) C:\Windows\System32\drivers\dxgkrnl.sys
2011/05/02 13:10:53.0432 7588 E1G60 (f88fb26547fd2ce6d0a5af2985892c48) C:\Windows\system32\DRIVERS\E1G60I32.sys
2011/05/02 13:10:53.0480 7588 Ecache (dd2cd259d83d8b72c02c5f2331ff9d68) C:\Windows\system32\drivers\ecache.sys
2011/05/02 13:10:53.0552 7588 eeCtrl (089296aedb9b72b4916ac959752bdc89) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
2011/05/02 13:10:53.0581 7588 elxstor (e8f3f21a71720c84bcf423b80028359f) C:\Windows\system32\drivers\elxstor.sys
2011/05/02 13:10:53.0713 7588 EraserUtilRebootDrv (850259334652d392e33ee3412562e583) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
2011/05/02 13:10:53.0800 7588 exfat (0d858eb20589a34efb25695acaa6aa2d) C:\Windows\system32\drivers\exfat.sys
2011/05/02 13:10:53.0833 7588 fastfat (3c489390c2e2064563727752af8eab9e) C:\Windows\system32\drivers\fastfat.sys
2011/05/02 13:10:53.0874 7588 fdc (afe1e8b9782a0dd7fb46bbd88e43f89a) C:\Windows\system32\DRIVERS\fdc.sys
2011/05/02 13:10:53.0904 7588 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
2011/05/02 13:10:53.0937 7588 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
2011/05/02 13:10:53.0965 7588 flpydisk (85b7cf99d532820495d68d747fda9ebd) C:\Windows\system32\DRIVERS\flpydisk.sys
2011/05/02 13:10:53.0995 7588 FltMgr (05ea53afe985443011e36dab07343b46) C:\Windows\system32\drivers\fltmgr.sys
2011/05/02 13:10:54.0038 7588 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
2011/05/02 13:10:54.0086 7588 gagp30kx (4e1cd0a45c50a8882616cae5bf82f3c5) C:\Windows\system32\drivers\gagp30kx.sys
2011/05/02 13:10:54.0120 7588 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
2011/05/02 13:10:54.0178 7588 grmnusb (6003bc70f1a8307262bd3c941bda0b7e) C:\Windows\system32\drivers\grmnusb.sys
2011/05/02 13:10:54.0262 7588 HdAudAddService (cb04c744be0a61b1d648faed182c3b59) C:\Windows\system32\drivers\HdAudio.sys
2011/05/02 13:10:54.0280 7588 HDAudBus (c87b1ee051c0464491c1a7b03fa0bc99) C:\Windows\system32\DRIVERS\HDAudBus.sys
2011/05/02 13:10:54.0310 7588 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
2011/05/02 13:10:54.0342 7588 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
2011/05/02 13:10:54.0401 7588 HidUsb (854ca287ab7faf949617a788306d967e) C:\Windows\system32\DRIVERS\hidusb.sys
2011/05/02 13:10:54.0443 7588 HpCISSs (df353b401001246853763c4b7aaa6f50) C:\Windows\system32\drivers\hpcisss.sys
2011/05/02 13:10:54.0480 7588 HTTP (33b02459e86d0a2b86a6b9fe19139390) C:\Windows\system32\drivers\HTTP.sys
2011/05/02 13:10:54.0519 7588 i2omp (324c2152ff2c61abae92d09f3cca4d63) C:\Windows\system32\drivers\i2omp.sys
2011/05/02 13:10:54.0561 7588 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
2011/05/02 13:10:54.0597 7588 iaStorV (c957bf4b5d80b46c5017bf0101e6c906) C:\Windows\system32\drivers\iastorv.sys
2011/05/02 13:10:54.0888 7588 IDSVix86 (7c8ce2b83a89ee1cb0c3fee5991e62a2) C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20110429.002\IDSvix86.sys
2011/05/02 13:10:55.0175 7588 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
2011/05/02 13:10:55.0279 7588 IntcAzAudAddService (b44c0357d1fc7c9e4c0b0983a9e96ff9) C:\Windows\system32\drivers\RTKVHDA.sys
2011/05/02 13:10:55.0379 7588 intelide (83aa759f3189e6370c30de5dc5590718) C:\Windows\system32\drivers\intelide.sys
2011/05/02 13:10:55.0443 7588 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
2011/05/02 13:10:55.0473 7588 iomdisk (9d7069d72c0c72952f05e1688a5ae89d) C:\Windows\system32\DRIVERS\iomdisk.sys
2011/05/02 13:10:55.0532 7588 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
2011/05/02 13:10:55.0576 7588 IPMIDRV (40f34f8aba2a015d780e4b09138b6c17) C:\Windows\system32\drivers\ipmidrv.sys
2011/05/02 13:10:55.0619 7588 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
2011/05/02 13:10:55.0689 7588 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
2011/05/02 13:10:55.0712 7588 isapnp (350fca7e73cf65bcef43fae1e4e91293) C:\Windows\system32\drivers\isapnp.sys
2011/05/02 13:10:55.0751 7588 iScsiPrt (f247eec28317f6c739c16de420097301) C:\Windows\system32\DRIVERS\msiscsi.sys
2011/05/02 13:10:55.0823 7588 iteatapi (6944a9ddabb124bde6ba3ca5430b0398) C:\Windows\system32\drivers\iteatapi.sys
2011/05/02 13:10:55.0922 7588 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
2011/05/02 13:10:55.0961 7588 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
2011/05/02 13:10:55.0978 7588 kbdhid (18247836959ba67e3511b62846b9c2e0) C:\Windows\system32\DRIVERS\kbdhid.sys
2011/05/02 13:10:56.0062 7588 KSecDD (7a0cf7908b6824d6a2a1d313e5ae3dca) C:\Windows\system32\Drivers\ksecdd.sys
2011/05/02 13:10:56.0108 7588 L8042Kbd (d88846f9f4f27ae9be584a6e5b6b8753) C:\Windows\system32\DRIVERS\L8042Kbd.sys
2011/05/02 13:10:56.0153 7588 LapUsb (a50c6c15fecb750bf7da5b62e85f9682) C:\Windows\system32\Drivers\LapUsb.sys
2011/05/02 13:10:56.0213 7588 LHidFilt (318b3d608fbec44b7e0c23bf759dced5) C:\Windows\system32\DRIVERS\LHidFilt.Sys
2011/05/02 13:10:56.0259 7588 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
2011/05/02 13:10:56.0290 7588 LMouFilt (84af069d219df3c43dc6792b2bbd7bed) C:\Windows\system32\DRIVERS\LMouFilt.Sys
2011/05/02 13:10:56.0333 7588 LSI_FC (a2262fb9f28935e862b4db46438c80d2) C:\Windows\system32\drivers\lsi_fc.sys
2011/05/02 13:10:56.0485 7588 LSI_SAS (30d73327d390f72a62f32c103daf1d6d) C:\Windows\system32\drivers\lsi_sas.sys
2011/05/02 13:10:56.0543 7588 LSI_SCSI (e1e36fefd45849a95f1ab81de0159fe3) C:\Windows\system32\drivers\lsi_scsi.sys
2011/05/02 13:10:56.0593 7588 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
2011/05/02 13:10:56.0643 7588 mamotou (bc5dc4e94494d72acf20f4fa64ea44bf) C:\Windows\system32\DRIVERS\mamotou.sys
2011/05/02 13:10:56.0671 7588 MaRdPnp (b51e7eab4baf13b492aa3299bcf52a35) C:\Windows\system32\DRIVERS\MaRdP2K.sys
2011/05/02 13:10:56.0696 7588 MaVctrl (8181ceb341cbb2f7f893f85b915d5e15) C:\Windows\system32\DRIVERS\MaVc2K.sys
2011/05/02 13:10:56.0733 7588 megasas (d153b14fc6598eae8422a2037553adce) C:\Windows\system32\drivers\megasas.sys
2011/05/02 13:10:56.0821 7588 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
2011/05/02 13:10:56.0870 7588 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
2011/05/02 13:10:56.0918 7588 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
2011/05/02 13:10:56.0938 7588 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
2011/05/02 13:10:56.0971 7588 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
2011/05/02 13:10:57.0001 7588 mpio (583a41f26278d9e0ea548163d6139397) C:\Windows\system32\drivers\mpio.sys
2011/05/02 13:10:57.0021 7588 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
2011/05/02 13:10:57.0056 7588 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
2011/05/02 13:10:57.0112 7588 MREMPR5 (2bc9e43f55de8c30fc817ed56d0ee907) C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS
2011/05/02 13:10:57.0128 7588 MRENDIS5 (594b9d8194e3f4ecbf0325bd10bbeb05) C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS
2011/05/02 13:10:57.0160 7588 MRxDAV (ae3de84536b6799d2267443cec8edbb9) C:\Windows\system32\drivers\mrxdav.sys
2011/05/02 13:10:57.0205 7588 mrxsmb (cc752d233ef39875ca6885d9415ba869) C:\Windows\system32\DRIVERS\mrxsmb.sys
2011/05/02 13:10:57.0243 7588 mrxsmb10 (9049dddd4bd27d43d82f5968f1da76e4) C:\Windows\system32\DRIVERS\mrxsmb10.sys
2011/05/02 13:10:57.0264 7588 mrxsmb20 (91dc069b6831ef564e7d8c97eaf0343e) C:\Windows\system32\DRIVERS\mrxsmb20.sys
2011/05/02 13:10:57.0300 7588 msahci (742aed7939e734c36b7e8d6228ce26b7) C:\Windows\system32\drivers\msahci.sys
2011/05/02 13:10:57.0336 7588 msdsm (3fc82a2ae4cc149165a94699183d3028) C:\Windows\system32\drivers\msdsm.sys
2011/05/02 13:10:57.0383 7588 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
2011/05/02 13:10:57.0447 7588 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
2011/05/02 13:10:57.0502 7588 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
2011/05/02 13:10:57.0543 7588 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
2011/05/02 13:10:57.0580 7588 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
2011/05/02 13:10:57.0625 7588 MsRPC (b5614aecb05a9340aa0fb55bf561cc63) C:\Windows\system32\drivers\MsRPC.sys
2011/05/02 13:10:57.0686 7588 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
2011/05/02 13:10:57.0718 7588 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
2011/05/02 13:10:57.0735 7588 Mup (6dfd1d322de55b0b7db7d21b90bec49c) C:\Windows\system32\Drivers\mup.sys
2011/05/02 13:10:57.0787 7588 NativeWifiP (3c21ce48ff529bb73dadb98770b54025) C:\Windows\system32\DRIVERS\nwifi.sys
2011/05/02 13:10:57.0977 7588 NAVENG (c34e2a884ccca8b5567d0c2752527073) C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20110502.002\NAVENG.SYS
2011/05/02 13:10:58.0040 7588 NAVEX15 (b3916eeec738dd4178f4fd6a44a32e36) C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20110502.002\NAVEX15.SYS
2011/05/02 13:10:58.0150 7588 NDIS (3d449ada110447a6b385cac3df461e40) C:\Windows\system32\drivers\ndis.sys
2011/05/02 13:10:58.0171 7588 NDIS - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/05/02 13:10:58.0196 7588 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
2011/05/02 13:10:58.0228 7588 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
2011/05/02 13:10:58.0278 7588 NdisWan (3d14c3b3496f88890d431e8aa022a411) C:\Windows\system32\DRIVERS\ndiswan.sys
2011/05/02 13:10:58.0320 7588 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
2011/05/02 13:10:58.0350 7588 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
2011/05/02 13:10:58.0421 7588 netbt (7c5fee5b1c5728507cd96fb4a13e7a02) C:\Windows\system32\DRIVERS\netbt.sys
2011/05/02 13:10:58.0501 7588 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
2011/05/02 13:10:58.0540 7588 Npfs (ecb5003f484f9ed6c608d6d6c7886cbb) C:\Windows\system32\drivers\Npfs.sys
2011/05/02 13:10:58.0584 7588 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
2011/05/02 13:10:58.0659 7588 Ntfs (b4effe29eb4f15538fd8a9681108492d) C:\Windows\system32\drivers\Ntfs.sys
2011/05/02 13:10:58.0806 7588 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
2011/05/02 13:10:58.0859 7588 NuidFltr (cf7e041663119e09d2e118521ada9300) C:\Windows\system32\DRIVERS\NuidFltr.sys
2011/05/02 13:10:58.0887 7588 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
2011/05/02 13:10:59.0247 7588 nv (8c2ed5910513a56cf78bfd86d5d0894f) C:\Windows\system32\DRIVERS\nv4_mini.sys
2011/05/02 13:10:59.0544 7588 nvlddmkm (0013f8cf1322487fb247eae56ef0ed90) C:\Windows\system32\DRIVERS\nvlddmkm.sys
2011/05/02 13:10:59.0687 7588 nvraid (e69e946f80c1c31c53003bfbf50cbb7c) C:\Windows\system32\drivers\nvraid.sys
2011/05/02 13:10:59.0719 7588 nvstor (9e0ba19a28c498a6d323d065db76dffc) C:\Windows\system32\drivers\nvstor.sys
2011/05/02 13:10:59.0764 7588 nv_agp (07c186427eb8fcc3d8d7927187f260f7) C:\Windows\system32\drivers\nv_agp.sys
2011/05/02 13:10:59.0830 7588 ohci1394 (be32da025a0be1878f0ee8d6d9386cd5) C:\Windows\system32\drivers\ohci1394.sys
2011/05/02 13:10:59.0874 7588 papycpu (2f886a56d520f872e7e4ba9423a9b07b) C:\Windows\system32\drivers\papycpu.sys
2011/05/02 13:10:59.0893 7588 papycpu2 (b2fce3df242eaaa317fa2e4946d26a03) C:\Windows\system32\drivers\papycpu2.sys
2011/05/02 13:10:59.0929 7588 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys
2011/05/02 13:10:59.0951 7588 partmgr (3b38467e7c3daed009dfe359e17f139f) C:\Windows\system32\drivers\partmgr.sys
2011/05/02 13:10:59.0985 7588 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys
2011/05/02 13:11:00.0019 7588 pci (01b94418deb235dff777cc80076354b4) C:\Windows\system32\drivers\pci.sys
2011/05/02 13:11:00.0045 7588 pciide (3b1901e401473e03eb8c874271e50c26) C:\Windows\system32\drivers\pciide.sys
2011/05/02 13:11:00.0083 7588 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys
2011/05/02 13:11:00.0135 7588 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
2011/05/02 13:11:00.0214 7588 Point32 (d82ac5b7da8fdccda1323836516405ec) C:\Windows\system32\DRIVERS\point32k.sys
2011/05/02 13:11:00.0261 7588 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
2011/05/02 13:11:00.0304 7588 Processor (0e3cef5d28b40cf273281d620c50700a) C:\Windows\system32\drivers\processr.sys
2011/05/02 13:11:00.0337 7588 PSched (bfef604508a0ed1eae2a73e872555ffb) C:\Windows\system32\DRIVERS\pacer.sys
2011/05/02 13:11:00.0383 7588 PxHelp20 (1962166e0ceb740704f30fa55ad3d509) C:\Windows\system32\Drivers\PxHelp20.sys
2011/05/02 13:11:00.0502 7588 ql2300 (ccdac889326317792480c0a67156a1ec) C:\Windows\system32\drivers\ql2300.sys
2011/05/02 13:11:00.0551 7588 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
2011/05/02 13:11:00.0597 7588 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
2011/05/02 13:11:00.0636 7588 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
2011/05/02 13:11:00.0684 7588 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
2011/05/02 13:11:00.0706 7588 RasPppoe (3e9d9b048107b40d87b97df2e48e0744) C:\Windows\system32\DRIVERS\raspppoe.sys
2011/05/02 13:11:00.0724 7588 RasSstp (a7d141684e9500ac928a772ed8e6b671) C:\Windows\system32\DRIVERS\rassstp.sys
2011/05/02 13:11:00.0750 7588 rdbss (6e1c5d0457622f9ee35f683110e93d14) C:\Windows\system32\DRIVERS\rdbss.sys
2011/05/02 13:11:00.0779 7588 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
2011/05/02 13:11:00.0820 7588 rdpdr (e8bd98d46f2ed77132ba927fccb47d8b) C:\Windows\system32\drivers\rdpdr.sys
2011/05/02 13:11:00.0837 7588 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
2011/05/02 13:11:00.0881 7588 RDPWD (e1c18f4097a5abcec941dc4b2f99db7e) C:\Windows\system32\drivers\RDPWD.sys
2011/05/02 13:11:00.0949 7588 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
2011/05/02 13:11:00.0998 7588 RTL8169 (17b1d7ce7af11fb24db1def9621c033b) C:\Windows\system32\DRIVERS\Rtlh86.sys
2011/05/02 13:11:01.0060 7588 SaiH0763 (47023c4591e697af620320c70a47846f) C:\Windows\system32\DRIVERS\SaiH0763.sys
2011/05/02 13:11:01.0117 7588 SaiH0BAC (3252d5571633e0b244541615d6252358) C:\Windows\system32\DRIVERS\SaiH0BAC.sys
2011/05/02 13:11:01.0161 7588 SaiMini (9f6531b2cb0e4e9ef644616f5c38630b) C:\Windows\system32\DRIVERS\SaiMini.sys
2011/05/02 13:11:01.0200 7588 SaiNtBus (368713c87ada877d26e4d025f3cf882e) C:\Windows\system32\drivers\SaiBus.sys
2011/05/02 13:11:01.0271 7588 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
2011/05/02 13:11:01.0321 7588 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
2011/05/02 13:11:01.0371 7588 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\drivers\serenum.sys
2011/05/02 13:11:01.0391 7588 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys
2011/05/02 13:11:01.0419 7588 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
2011/05/02 13:11:01.0461 7588 sffdisk (103b79418da647736ee95645f305f68a) C:\Windows\system32\drivers\sffdisk.sys
2011/05/02 13:11:01.0480 7588 sffp_mmc (8fd08a310645fe872eeec6e08c6bf3ee) C:\Windows\system32\drivers\sffp_mmc.sys
2011/05/02 13:11:01.0498 7588 sffp_sd (9cfa05fcfcb7124e69cfc812b72f9614) C:\Windows\system32\drivers\sffp_sd.sys
2011/05/02 13:11:01.0520 7588 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
2011/05/02 13:11:01.0610 7588 sisagp (d2a595d6eebeeaf4334f8e50efbc9931) C:\Windows\system32\drivers\sisagp.sys
2011/05/02 13:11:01.0672 7588 SiSRaid2 (cedd6f4e7d84e9f98b34b3fe988373aa) C:\Windows\system32\drivers\sisraid2.sys
2011/05/02 13:11:01.0689 7588 SiSRaid4 (df843c528c4f69d12ce41ce462e973a7) C:\Windows\system32\drivers\sisraid4.sys
2011/05/02 13:11:01.0745 7588 Smb (031e6bcd53c9b2b9ace111eafec347b6) C:\Windows\system32\DRIVERS\smb.sys
2011/05/02 13:11:01.0778 7588 snapman (5052dbafc8f4e4507e6ad0d467dd3529) C:\Windows\system32\DRIVERS\snapman.sys
2011/05/02 13:11:01.0808 7588 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
2011/05/02 13:11:01.0881 7588 SRTSP (e81f6caeab9ad5732e94c07c97866aa2) C:\Windows\System32\Drivers\NAV\1008000.029\SRTSP.SYS
2011/05/02 13:11:01.0910 7588 SRTSPX (e28de499d942b08058bffac69d4122b6) C:\Windows\system32\drivers\NAV\1008000.029\SRTSPX.SYS
2011/05/02 13:11:01.0952 7588 srv (2252aef839b1093d16761189f45af885) C:\Windows\system32\DRIVERS\srv.sys
2011/05/02 13:11:01.0997 7588 srv2 (96512f4a30b741e7d33a7936b9abbc20) C:\Windows\system32\DRIVERS\srv2.sys
2011/05/02 13:11:02.0034 7588 srvnet (1c69e33e0e23626da5a34ca5ba0dd990) C:\Windows\system32\DRIVERS\srvnet.sys
2011/05/02 13:11:02.0092 7588 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
2011/05/02 13:11:02.0149 7588 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
2011/05/02 13:11:02.0207 7588 SymEFA (d0885f6e24259a6c65e68d6ad749910a) C:\Windows\system32\drivers\NAV\1008000.029\SYMEFA.SYS
2011/05/02 13:11:02.0256 7588 SymEvent (a54ff04bd6e75dc4d8cb6f3e352635e0) C:\Windows\system32\Drivers\SYMEVENT.SYS
2011/05/02 13:11:02.0289 7588 SYMFW (1e825026436c4eac3e1a11d1e9c33f2c) C:\Windows\System32\Drivers\NAV\1008000.029\SYMFW.SYS
2011/05/02 13:11:02.0323 7588 SymIM (34f1c9d5dcc19df1e824d6b73767b8af) C:\Windows\system32\DRIVERS\SymIMv.sys
2011/05/02 13:11:02.0354 7588 SYMNDISV (dcbf73da96cce94933c8cc6eded3c98b) C:\Windows\System32\Drivers\NAV\1008000.029\SYMNDISV.SYS
2011/05/02 13:11:02.0414 7588 SYMTDI (e4fa8bbb96e314e9508865de1a767538) C:\Windows\System32\Drivers\NAV\1008000.029\SYMTDI.SYS
2011/05/02 13:11:02.0438 7588 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
2011/05/02 13:11:02.0458 7588 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
2011/05/02 13:11:02.0530 7588 Tcpip (782568ab6a43160a159b6215b70bcce9) C:\Windows\system32\drivers\tcpip.sys
2011/05/02 13:11:02.0575 7588 Tcpip6 (782568ab6a43160a159b6215b70bcce9) C:\Windows\system32\DRIVERS\tcpip.sys
2011/05/02 13:11:02.0620 7588 tcpipreg (d4a2e4a4b011f3a883af77315a5ae76b) C:\Windows\system32\drivers\tcpipreg.sys
2011/05/02 13:11:02.0662 7588 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
2011/05/02 13:11:02.0688 7588 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
2011/05/02 13:11:02.0741 7588 tdx (d09276b1fab033ce1d40dcbdf303d10f) C:\Windows\system32\DRIVERS\tdx.sys
2011/05/02 13:11:02.0774 7588 TermDD (a048056f5e1a96a9bf3071b91741a5aa) C:\Windows\system32\DRIVERS\termdd.sys
2011/05/02 13:11:02.0834 7588 tifsfilter (b84b82c0cbeb1b0d7eb7a946bade5830) C:\Windows\system32\DRIVERS\tifsfilt.sys
2011/05/02 13:11:02.0862 7588 timounter (74711884439bdf9ccf446c79cb05fac0) C:\Windows\system32\DRIVERS\timntr.sys
2011/05/02 13:11:02.0911 7588 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
2011/05/02 13:11:02.0950 7588 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
2011/05/02 13:11:02.0980 7588 tunnel (6042505ff6fa9ac1ef7684d0e03b6940) C:\Windows\system32\DRIVERS\tunnel.sys
2011/05/02 13:11:03.0024 7588 uagp35 (c3ade15414120033a36c0f293d4a4121) C:\Windows\system32\drivers\uagp35.sys
2011/05/02 13:11:03.0066 7588 udfs (8b5088058fa1d1cd897a2113ccff6c58) C:\Windows\system32\DRIVERS\udfs.sys
2011/05/02 13:11:03.0114 7588 uliagpkx (75e6890ebfce0841d3291b02e7a8bdb0) C:\Windows\system32\drivers\uliagpkx.sys
2011/05/02 13:11:03.0149 7588 uliahci (3cd4ea35a6221b85dcc25daa46313f8d) C:\Windows\system32\drivers\uliahci.sys
2011/05/02 13:11:03.0176 7588 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
2011/05/02 13:11:03.0206 7588 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
2011/05/02 13:11:03.0252 7588 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
2011/05/02 13:11:03.0300 7588 USBAAPL (5c2bdc152bbab34f36473deaf7713f22) C:\Windows\system32\Drivers\usbaapl.sys
2011/05/02 13:11:03.0342 7588 usbaudio (292a25bb75a568ae2c67169ba2c6365a) C:\Windows\system32\drivers\usbaudio.sys
2011/05/02 13:11:03.0382 7588 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
2011/05/02 13:11:03.0421 7588 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
2011/05/02 13:11:03.0461 7588 usbehci (cebe90821810e76320155beba722fcf9) C:\Windows\system32\DRIVERS\usbehci.sys
2011/05/02 13:11:03.0509 7588 usbhub (cc6b28e4ce39951357963119ce47b143) C:\Windows\system32\DRIVERS\usbhub.sys
2011/05/02 13:11:03.0544 7588 usbohci (38dbc7dd6cc5a72011f187425384388b) C:\Windows\system32\drivers\usbohci.sys
2011/05/02 13:11:03.0585 7588 usbprint (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys
2011/05/02 13:11:03.0614 7588 usbscan (a508c9bd8724980512136b039bba65e9) C:\Windows\system32\DRIVERS\usbscan.sys
2011/05/02 13:11:03.0656 7588 usbsermptxp (af4b8cc5ea40c57208796920068ddcd5) C:\Windows\system32\DRIVERS\usbsermptxp.sys
2011/05/02 13:11:03.0688 7588 USBSTOR (87ba6b83c5d19b69160968d07d6e2982) C:\Windows\system32\DRIVERS\USBSTOR.SYS
2011/05/02 13:11:03.0771 7588 usbuhci (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys
2011/05/02 13:11:03.0826 7588 vga (7d92be0028ecdedec74617009084b5ef) C:\Windows\system32\DRIVERS\vgapnp.sys
2011/05/02 13:11:03.0860 7588 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
2011/05/02 13:11:03.0893 7588 viaagp (045d9961e591cf0674a920b6ba3ba5cb) C:\Windows\system32\drivers\viaagp.sys
2011/05/02 13:11:03.0921 7588 ViaC7 (56a4de5f02f2e88182b0981119b4dd98) C:\Windows\system32\drivers\viac7.sys
2011/05/02 13:11:03.0961 7588 viaide (fd2e3175fcada350c7ab4521dca187ec) C:\Windows\system32\drivers\viaide.sys
2011/05/02 13:11:03.0979 7588 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
2011/05/02 13:11:04.0016 7588 volmgrx (98f5ffe6316bd74e9e2c97206c190196) C:\Windows\system32\drivers\volmgrx.sys
2011/05/02 13:11:04.0060 7588 volsnap (d8b4a53dd2769f226b3eb374374987c9) C:\Windows\system32\drivers\volsnap.sys
2011/05/02 13:11:04.0090 7588 vsmraid (d984439746d42b30fc65a4c3546c6829) C:\Windows\system32\drivers\vsmraid.sys
2011/05/02 13:11:04.0170 7588 VX3000 (bd32d7007cb505d3b1c29e3d0ef2a46a) C:\Windows\system32\DRIVERS\VX3000.sys
2011/05/02 13:11:04.0255 7588 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
2011/05/02 13:11:04.0322 7588 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2011/05/02 13:11:04.0345 7588 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2011/05/02 13:11:04.0406 7588 Wd (afc5ad65b991c1e205cf25cfdbf7a6f4) C:\Windows\system32\drivers\wd.sys
2011/05/02 13:11:04.0453 7588 Wdf01000 (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys
2011/05/02 13:11:04.0649 7588 WmiAcpi (701a9f884a294327e9141d73746ee279) C:\Windows\system32\drivers\wmiacpi.sys
2011/05/02 13:11:04.0737 7588 WpdUsb (0cec23084b51b8288099eb710224e955) C:\Windows\system32\DRIVERS\wpdusb.sys
2011/05/02 13:11:04.0913 7588 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
2011/05/02 13:11:05.0031 7588 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
2011/05/02 13:11:05.0111 7588 {95808DC4-FA4A-4C74-92FE-5B863F82066B} (4d840c6af3c020ed3a35efba9025cf4a) C:\Program Files\CyberLink\PowerDVD\000.fcl
2011/05/02 13:11:05.0150 7588 ================================================================================
2011/05/02 13:11:05.0150 7588 Scan finished
2011/05/02 13:11:05.0150 7588 ================================================================================
2011/05/02 13:11:05.0166 7744 Detected object count: 1
2011/05/02 13:11:32.0013 7744 C:\Windows\system32\drivers\ndis.sys - processing error
2011/05/02 13:11:32.0013 7744 Rootkit.Win32.TDSS.tdl3(NDIS) - User select action: Cure

#8 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,449
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 02 May 2011 - 05:50 PM

try to rerun combofix now

Gringo

<-- Don't worry every little bit helps.

#9 hpodell

Member

Group: Members
Posts: 30
Joined: 03-April 11

Posted 02 May 2011 - 07:11 PM

Tried combofix again and it does same thing.
Thinks Nortons is still active, states it is preparing to run and then hangs for over half an hour.

Also of note. When I run Tdsskiller it finds a malicious threat which it says it cures but if I run it again straight away it still finds the same threat.
Evidently not "Cured"

#10 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,449
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 02 May 2011 - 07:43 PM

Please download aswMBR ( 511KB ) to your desktop.

Double click the aswMBR.exe icon to run it
Click the Scan button to start the scan
On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

<-- Don't worry every little bit helps.

#11 hpodell

Member

Group: Members
Posts: 30
Joined: 03-April 11

Posted 02 May 2011 - 09:50 PM

aswMBR version 0.9.5.247 Copyright© 2011 AVAST Software
Run date: 2011-05-02 19:47:10
-----------------------------
19:47:10.698 OS Version: Windows 6.0.6001 Service Pack 1
19:47:10.698 Number of processors: 2 586 0xF06
19:47:10.699 ComputerName: HOME UserName:
19:47:16.325 Initialize success
19:47:25.419 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
19:47:25.422 Disk 0 Vendor: WDC_WD20EADS-00S2B0 01.00A01 Size: 1907729MB BusType: 3
19:47:27.434 Disk 0 MBR read successfully
19:47:27.438 Disk 0 MBR scan
19:47:27.440 Disk 0 unknown MBR code
19:47:29.444 Disk 0 scanning sectors +3907024065
19:47:29.479 Disk 0 scanning C:\Windows\system32\drivers
19:47:33.937 Service scanning
19:47:35.583 Disk 0 trace - called modules:
19:47:35.600 ntkrnlpa.exe CLASSPNP.SYS disk.sys iomdisk.sys hal.dll acpi.sys dvd43llh.sys ataport.SYS intelide.sys PCIIDEX.SYS atapi.sys
19:47:35.603 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86b86ac8]
19:47:35.607 3 CLASSPNP.SYS[83fca745] -> nt!IofCallDriver -> [0x86a83348]
19:47:35.612 5 iomdisk.sys[83fadbc3] -> nt!IofCallDriver -> [0x861e9520]
19:47:35.617 7 acpi.sys[806966a0] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x861eb8e0]
19:47:35.635 \Driver\atapi[0x861e6370] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> dvd43llh.sys[0x8d17bb20]
19:47:35.642 Scan finished successfully
19:48:10.088 Disk 0 MBR has been saved successfully to "C:\Users\Howard\Desktop\MBR.dat"
19:48:10.094 The log file has been saved successfully to "C:\Users\Howard\Desktop\aswMBR.txt"

#12 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,449
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 03 May 2011 - 04:41 AM

Fix MBR Vista

bootrec.exe /fixmbr

If you have problems booting the computer after you have run that command boot back into the System Recovery Environment and Type the following into the "Command Prompt Window": and press enter

bootrec.exe /fixboot

<-- Don't worry every little bit helps.

#13 hpodell

Member

Group: Members
Posts: 30
Joined: 03-April 11

Posted 03 May 2011 - 11:30 AM

Tried the operating system repair using windows disc and "operation completed successfully" but didn't make any difference to redirecting problem.
I ran TDSKILLER again and it still reports same malicious software file.
Should I quarantine that file? (rootkit.win.tdss.tdl3)

#14 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,449
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 03 May 2011 - 01:16 PM

Hello

I would like to try this (thanks to sundavis for this suggestion)

Step1

Please download Minitool bootable CD iso file from Here on your desktop.
Place a blank CD in your CD-Rom to burn the iso to a bootable CD. If you need a free burner, please go to Here.
Boot the computer using the boot CD you just created. In order to do so, the computer must be set to boot from the CD first
Note : For information click Here
When the boot sequence is complete. Please proceed Step2 in the following:

Step2

Please insert your Minitool bootable CD into CD/DVD rom.
Make sure you have set the boot sequence from the CD first.
Please select boot from Partition Wizard Boot Disc first and press Enter while the following picture appears:
Please choose the following screen resolution. You may select: 1 and press Enter.
The Partition Wizard GUI should promt. Click on Disk 1 then press Rebuild MBR under Operations menu, Click OK when the prompt appears and press Apply in the left bottom.
When done, click on General menu and press Exit button. Get the bootable CD out of CD/DVD rom and reboot normally. For more info: consult this thread .

<-- Don't worry every little bit helps.

#15 hpodell

Member

Group: Members
Posts: 30
Joined: 03-April 11

Posted 04 May 2011 - 08:45 AM

Easier said than done.
How does one make a bootable disc in vista.
They don't have that option anymore and looking around on the web I couldn't come up with an answer.
I'm using Nero7.