IE & MFF Browser Redirect Virus

Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Posted Image

Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.

Posted Image

DO NOT RUN ComboFix unless requested to.

Posted Image

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

Posted Image

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Posted Image

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

2 Pages
1
2
→

You cannot start a new topic
This topic is locked

IE & MFF Browser Redirect Virus Original Virus Partially Remed by Norton Tech

#1 Big Bird

Member

Group: Members
Posts: 19
Joined: 14-January 12

Posted 23 January 2012 - 10:05 PM

Originally had a Windows XP Security Virus that I noticed by the fake security popups. I also had "Tidserv 2" popups from Norton AV. A Norton tech removed the XP Security virus (I think) Now I appear to have a browser redirect virus that affects both IE and MFF. I even uninstalled both browsers to try to remove it (and reinstalled MFF), which did not work. I have a lot of background activity on my computer which shows up as "svchost.exe" in task manager. I have recently received Windows popups that say that "A generic host process has been halted by windows". I'm not sure if all this is related.

dds.txt is:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20
Run by Eric at 21:40:03 on 2012-01-23
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3069.1814 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Cobian Backup 10\cbVSCService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\Norton AntiVirus\Engine\19.2.0.10\ccSvcHst.exe
C:\Program Files\Norton Safe Web Lite\Engine\2.0.0.16\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\Engine\19.2.0.10\ccSvcHst.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uWindow Title = Internet Explorer, optimized for Bing and MSN
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1080207
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: Norton Vulnerability Protection: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\19.2.0.10\ips\IPSBHO.DLL
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Norton Safe Web Lite BHO: {f0da78e9-6b60-42fb-bc26-ef2cfb8c8ff3} - c:\program files\norton safe web lite\engine\2.0.0.16\coIEPlg.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Norton Safe Web Lite: {30ceeea2-3742-40e4-85dd-812bf1cbb83d} - c:\program files\norton safe web lite\engine\2.0.0.16\coIEPlg.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi\volume panel\VolPanel.exe" /r
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [DellTouch] c:\windows\MMKeybd.exe
mRun: [DeviceDiscovery] c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\eric\startm~1\programs\startup\autoru~1\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\documents and settings\eric\start menu\programs\startup\autorunsdisabled\onenote table of contents.onetoc2
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon%20FiOS%20Installer.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://oas.support.microsoft.com/ActiveX/MSDcode.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1208020441859
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{FBEDF011-0443-48F2-8874-74C0DDAC314C} : DhcpNameServer = 192.168.1.1
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\eric\application data\mozilla\firefox\profiles\6cs4x2qg.default\
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npstrlnk.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
.
============= SERVICES / DRIVERS ===============
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2011-11-7 56208]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1302000.00a\symds.sys [2012-1-12 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1302000.00a\symefa.sys [2012-1-12 897656]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_19.1.1.3\definitions\bashdefs\20120121.002\BHDrvx86.sys [2012-1-23 820344]
R1 ccSet_NAV;Norton AntiVirus Settings Manager;c:\windows\system32\drivers\nav\1302000.00a\ccsetx86.sys [2012-1-12 132744]
R1 ccSet_NST;Norton Safe Web Lite Settings Manager;c:\windows\system32\drivers\nst\0200000.010\ccSetx86.sys [2012-1-12 132744]
R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2011-11-7 71440]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2011-11-7 164112]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1302000.00a\ironx86.sys [2012-1-12 149624]
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\cobian backup 10\cbVSCService.exe [2012-1-14 67584]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 NAV;Norton AntiVirus;c:\program files\norton antivirus\engine\19.2.0.10\ccsvchst.exe [2012-1-12 138760]
R2 NSL;Norton Safe Web Lite;c:\program files\norton safe web lite\engine\2.0.0.16\ccSvcHst.exe [2012-1-12 138760]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2011-11-7 931640]
R3 chdrvr01;CH Control Manager Driver 1;c:\windows\system32\drivers\chdrvr01.sys [2008-4-25 215104]
R3 chdrvr02;CH Control Manager Driver 2;c:\windows\system32\drivers\chdrvr02.sys [2008-4-25 3744]
R3 chdrvr03;CH Control Manager Driver 3;c:\windows\system32\drivers\chdrvr03.sys [2008-4-25 9024]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-1-12 106104]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_19.1.1.3\definitions\ipsdefs\20120120.002\IDSXpx86.sys [2012-1-21 356280]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_19.1.1.3\definitions\virusdefs\20120123.002\NAVENG.SYS [2012-1-23 86136]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_19.1.1.3\definitions\virusdefs\20120123.002\NAVEX15.SYS [2012-1-23 1576312]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2011-7-4 18560]
S3 mr7911;Photo Viewer ;c:\windows\system32\drivers\mr7911.sys [2009-9-26 39552]
S4 esgiguard;esgiguard;\??\c:\program files\enigma software group\spyhunter\esgiguard.sys --> c:\program files\enigma software group\spyhunter\esgiguard.sys [?]
S4 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\microsoft fix it center\Matsvc.exe [2011-6-13 267568]
S4 RapportCerberus_34302;RapportCerberus_34302;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\34302\RapportCerberus32_34302.sys [2011-12-15 228208]
.
=============== Created Last 30 ================
.
2012-01-17 03:41:18 -------- d-----w- c:\documents and settings\eric\application data\Systweak
2012-01-17 03:41:09 17280 ----a-w- c:\windows\system32\roboot.exe
2012-01-15 07:20:49 23040 ------w- c:\windows\system32\dllcache\mciseq.dll
2012-01-15 07:20:48 176128 ------w- c:\windows\system32\dllcache\winmm.dll
2012-01-15 07:18:05 386048 ------w- c:\windows\system32\dllcache\qdvd.dll
2012-01-15 07:17:07 60416 ------w- c:\windows\system32\dllcache\packager.exe
2012-01-15 07:09:46 -------- d-----w- c:\windows\ie8updates
2012-01-15 07:09:08 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2012-01-15 07:09:06 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2012-01-15 07:09:06 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2012-01-15 06:16:06 -------- d-----w- c:\documents and settings\eric\local settings\application data\FixItCenter
2012-01-15 06:13:49 -------- d-----w- c:\windows\MATS
2012-01-15 06:13:48 -------- d-----w- c:\program files\Microsoft Fix it Center
2012-01-15 05:33:02 -------- d-sh--w- c:\documents and settings\eric\PrivacIE
2012-01-15 03:32:40 -------- d-----w- c:\program files\iolo
2012-01-15 03:32:40 -------- d-----w- c:\documents and settings\all users\application data\iolo
2012-01-15 03:32:39 -------- d-----w- c:\documents and settings\eric\application data\iolo
2012-01-15 01:59:42 -------- d-----w- c:\documents and settings\eric\application data\ElevatedDiagnostics
2012-01-14 14:52:12 -------- d-----w- c:\documents and settings\eric\local settings\application data\Safe mirror
2012-01-14 14:51:32 -------- d-----w- c:\program files\Cobian Backup 10
2012-01-14 13:41:15 -------- d-----w- C:\sh4ldr
2012-01-14 13:41:15 -------- d-----w- c:\program files\Enigma Software Group
2012-01-14 13:40:29 -------- d-----w- c:\windows\1C7CC8E2CFCF41E6A8637C7A45CE8A78.TMP
2012-01-14 05:54:32 -------- d-----w- C:\BEER
2012-01-14 05:53:26 -------- d-----w- C:\Shooting & Hunting Related
2012-01-14 05:52:13 -------- d-----w- C:\PREP
2012-01-14 05:38:10 -------- d-----w- C:\PICTURES
2012-01-14 05:11:59 -------- d-----w- C:\Pron
2012-01-14 04:23:58 -------- d-sh--w- c:\documents and settings\eric\IECompatCache
2012-01-14 00:28:39 -------- d-----w- c:\documents and settings\eric\local settings\application data\NPE
2012-01-13 03:29:38 132744 ------r- c:\windows\system32\drivers\nst\0200000.010\ccSetx86.sys
2012-01-13 03:29:35 -------- d-----w- c:\windows\system32\drivers\nst\0200000.010
2012-01-13 03:29:35 -------- d-----w- c:\windows\system32\drivers\NST
2012-01-13 03:29:34 -------- d-----w- c:\program files\Norton Safe Web Lite
2012-01-13 03:10:34 897656 ----a-w- c:\windows\system32\drivers\nav\1302000.00a\symefa.sys
2012-01-13 03:10:34 566904 ----a-w- c:\windows\system32\drivers\nav\1302000.00a\srtsp.sys
2012-01-13 03:10:34 387192 ----a-w- c:\windows\system32\drivers\nav\1302000.00a\symtdi.sys
2012-01-13 03:10:34 344184 ----a-w- c:\windows\system32\drivers\nav\1302000.00a\symtdiv.sys
2012-01-13 03:10:34 340088 ----a-r- c:\windows\system32\drivers\nav\1302000.00a\symds.sys
2012-01-13 03:10:34 31864 ----a-w- c:\windows\system32\drivers\nav\1302000.00a\srtspx.sys
2012-01-13 03:10:34 314488 ----a-w- c:\windows\system32\drivers\nav\1302000.00a\symnets.sys
2012-01-13 03:10:34 149624 ----a-w- c:\windows\system32\drivers\nav\1302000.00a\ironx86.sys
2012-01-13 03:10:34 132744 ----a-w- c:\windows\system32\drivers\nav\1302000.00a\ccsetx86.sys
2012-01-13 03:10:28 2801 ----a-w- c:\windows\system32\drivers\nav\1302000.00a\symvtcer.dat
2012-01-13 03:01:40 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2012-01-13 03:01:40 127096 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2012-01-13 03:01:40 -------- d-----w- c:\program files\Symantec
2012-01-13 03:01:22 -------- d-----w- c:\program files\Norton AntiVirus
2012-01-13 03:01:16 -------- d-----w- c:\program files\NortonInstaller
2012-01-13 02:28:45 -------- d-----w- c:\windows\system32\drivers\nav\1302000.00A
2012-01-11 16:28:43 -------- d-----w- c:\documents and settings\eric\local settings\application data\Symantec
2012-01-03 13:22:02 103864 ------w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2012-01-03 13:22:02 103864 ------w- c:\program files\internet explorer\plugins\nppdf32.dll
2011-12-31 00:38:25 -------- d-----w- c:\program files\Winamp Detect
2011-12-29 17:01:38 -------- d-sh--w- c:\documents and settings\eric\IETldCache
2011-12-29 17:00:05 -------- d--h--w- c:\windows\msdownld.tmp
2011-12-29 16:59:09 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-12-29 16:59:09 78336 ----a-w- c:\windows\system32\dllcache\ieencode.dll
.
==================== Find3M ====================
.
2011-11-28 13:37:39 1409 ------w- c:\windows\QTFont.for
2011-11-25 21:57:19 293376 ------w- c:\windows\system32\winsrv.dll
2011-11-23 13:25:32 1859584 ------w- c:\windows\system32\win32k.sys
2011-11-18 12:35:08 60416 ------w- c:\windows\system32\packager.exe
2011-11-16 14:21:44 354816 ------w- c:\windows\system32\winhttp.dll
2011-11-16 14:21:44 152064 ------w- c:\windows\system32\schannel.dll
2011-11-10 23:18:33 414368 ------w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-08 02:28:38 56208 ------w- c:\windows\system32\drivers\RapportKELL.sys
2011-11-03 15:28:36 386048 ------w- c:\windows\system32\qdvd.dll
2011-11-03 15:28:36 1292288 ------w- c:\windows\system32\quartz.dll
2011-11-01 16:07:10 1288704 ------w- c:\windows\system32\ole32.dll
2011-10-31 23:43:21 832512 ----a-w- c:\windows\system32\wininet.dll
2011-10-31 23:43:21 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2011-10-31 23:43:20 17408 ----a-w- c:\windows\system32\corpol.dll
2011-10-28 05:31:48 33280 ------w- c:\windows\system32\csrsrv.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3750640AS rev.3.ADG -> Harddisk0\DR0 -> \Device\00000032
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8B16F49F]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8b176738]; MOV EAX, [0x8b1768ac]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8B46FAB8]
3 CLASSPNP[0xBA0C8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8B40C320]
\Driver\nvatabus[0x8B4512F0] -> IRP_MJ_CREATE -> 0x8B16F49F
error: Read The system cannot find the file specified.
kernel: MBR read successfully
_asm { MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; MOV DS, AX; CLD ; MOV CX, 0x80; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSD ; JMP FAR 0x0:0x62d; }
detected disk devices:
\Device\00000074 -> \??\IDE#DiskST3750640AS_____________________________3.ADG___#2020202020202020202020205135314435504141#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 21:41:36.01 ===============

Attached File(s)

attach.txt (22.23K)
Number of downloads: 1

#2 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,549
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 26 January 2012 - 07:48 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

Do not run any other tool untill instructed to do so!
please Do not Attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.
Do not run any other tool untill instructed to do so!

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.

Link 1

Link 2

Link 3

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

Log from Combofix
let me know of any problems you may have had
How is the computer doing now?

Gringo

I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->

<-- Don't worry every little bit helps.

#3 Big Bird

Member

Group: Members
Posts: 19
Joined: 14-January 12

Posted 26 January 2012 - 06:07 PM

Hello Gringo,
I downloaded and ran combo fix. It told me that I am infected with Rootkit Zero access, bad infection. During the initial run, a dialogue box told me that I was badly infected and I needed to reboot. I clicked OK, then it got hung up, so I had to hard power down. Upon bootup, Combo ran automatically and finished its business. I just used MFF to browse to the site and I had no redirection. Here is the combo log:

ComboFix 12-01-26.03 - Eric 01/26/2012 17:31:23.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3069.2614 [GMT -5:00]
Running from: c:\documents and settings\Eric\My Documents\Downloads\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Eric\GoToAssistDownloadHelper.exe
c:\documents and settings\Eric\WINDOWS
c:\windows\$NtUninstallKB6326$
c:\windows\$NtUninstallKB6326$\1118329374\@
c:\windows\$NtUninstallKB6326$\1118329374\bckfg.tmp
c:\windows\$NtUninstallKB6326$\1118329374\cfg.ini
c:\windows\$NtUninstallKB6326$\1118329374\Desktop.ini
c:\windows\$NtUninstallKB6326$\1118329374\keywords
c:\windows\$NtUninstallKB6326$\1118329374\kwrd.dll
c:\windows\$NtUninstallKB6326$\1118329374\L\pdmzmplg
c:\windows\$NtUninstallKB6326$\1118329374\lsflt7.ver
c:\windows\$NtUninstallKB6326$\1118329374\U\00000001.@
c:\windows\$NtUninstallKB6326$\1118329374\U\00000002.@
c:\windows\$NtUninstallKB6326$\1118329374\U\00000004.@
c:\windows\$NtUninstallKB6326$\1118329374\U\80000000.@
c:\windows\$NtUninstallKB6326$\1118329374\U\80000004.@
c:\windows\$NtUninstallKB6326$\1118329374\U\80000032.@
c:\windows\$NtUninstallKB6326$\2134715933
c:\windows\kb913800.exe
c:\windows\system32\Cache
c:\windows\system32\Cache\84B75CF8\10k photos_Life.ch
c:\windows\system32\Cache\84B75CF8\10k photos_Marine Life.ch
c:\windows\system32\Cache\84B75CF8\10k photos_Molecules.ch
c:\windows\system32\Cache\84B75CF8\10k photos_Orchids.ch
c:\windows\system32\Cache\84B75CF8\10k photos_Painted Backgrounds.ch
c:\windows\system32\Cache\84B75CF8\10k photos_Penguins.ch
c:\windows\system32\Cache\84B75CF8\10k photos_Pill Backgrounds.ch
c:\windows\system32\Cache\84B75CF8\10k photos_Playing Cards.ch
c:\windows\system32\Cache\84B75CF8\10k photos_Underwater Life.ch
c:\windows\system32\Cache\A2F7DF58\Clipart_Business Kids.ch
c:\windows\system32\Cache\A2F7DF58\Clipart_Children's activities.ch
c:\windows\system32\Cache\A2F7DF58\Clipart_Children's dreams.ch
c:\windows\system32\Cache\A2F7DF58\Clipart_Children at play.ch
c:\windows\system32\Cache\A2F7DF58\Clipart_Children.ch
c:\windows\system32\Cache\A2F7DF58\Clipart_Clocks and Watches.ch
c:\windows\system32\Cache\A2F7DF58\Clipart_College Life.ch
c:\windows\system32\Cache\A2F7DF58\Clipart_Dollar sign.ch
c:\windows\system32\Cache\A2F7DF58\Clipart_Dolls.ch
c:\windows\system32\Cache\A2F7DF58\Clipart_Dutch Tulip Festival.ch
c:\windows\system32\Cache\A2F7DF58\Clipart_Education.ch
c:\windows\system32\Cache\A2F7DF58\Clipart_Family Fun.ch
c:\windows\system32\Cache\A2F7DF58\Clipart_Family.ch
c:\windows\system32\Cache\A2F7DF58\Clipart_Field Insects.ch
c:\windows\system32\Cache\A2F7DF58\Clipart_Food & Beverage.ch
c:\windows\system32\Cache\A2F7DF58\Clipart_Funky Fish.ch
c:\windows\system32\Cache\A2F7DF58\Clipart_Game.ch
c:\windows\system32\Cache\A2F7DF58\Clipart_Games People Play.ch
c:\windows\system32\Cache\A2F7DF58\Clipart_Garden Creatures.ch
c:\windows\system32\Cache\A2F7DF58\Clipart_Hats.ch
c:\windows\system32\Cache\A2F7DF58\Clipart_Hawaii.ch
c:\windows\system32\Cache\A2F7DF58\Clipart_Helicopters.ch
c:\windows\system32\Cache\A2F7DF58\Clipart_Home and Office.ch
c:\windows\system32\Cache\A2F7DF58\Clipart_I Scream for Ice Cream.ch
c:\windows\system32\Cache\A2F7DF58\Clipart_In Love.ch
c:\windows\system32\Cache\A2F7DF58\Clipart_Insects.ch
c:\windows\system32\Cache\A2F7DF58\Clipart_Kiddy Art.ch
c:\windows\system32\Cache\A2F7DF58\Clipart_Kiddy Land.ch
c:\windows\system32\Cache\A2F7DF58\Clipart_Kids & Computers.ch
c:\windows\system32\Cache\A2F7DF58\Clipart_Kids at Play.ch
c:\windows\system32\Cache\A2F7DF58\Clipart_Ladybugs.ch
c:\windows\system32\Cache\A2F7DF58\Clipart_Landscapes.ch
c:\windows\system32\Cache\A2F7DF58\Clipart_Lawn & Garden.ch
c:\windows\system32\Cache\A2F7DF58\Clipart_Lawn Maintenance.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Modern Lighting.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Money.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Music Symbols.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Music.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_New Year's Eve.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Numbers.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Objects.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Occupations.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Oceans.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Office Accessories.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Office life.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Office Objects.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Office Pranks.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Office Supplies.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Office.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Our dogs.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Passport Stamps.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Penguins.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_PEOPLE DRINKING COFFEE.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_People on the Move.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_People power.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Performing Arts.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Pets.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Photo Album Snapshots.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Plants.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Pool Fun.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Postal Service.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Preschool Kids.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Presents.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Reef Fish.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Resort Life.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Resort Madness.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Rice.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Rodeo Drive.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Rubber Stamp.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Running Late.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Rush Hour.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_School Days.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_School.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Scrapbook Theme Stamps.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Sea Life.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Seamen.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Signs.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Special Occasions.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Sports & Leisure.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Sports Accessories.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Stars.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Summer Barbecue.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Summer Camp.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Summer Gardens.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Summer.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Super Bugs.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Super Heroes.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Super Models.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Swimming Pools and Spas.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Symbols of Money.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Symbols.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Tattoos.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Teens.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Television.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Temperature.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_The Beach.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_The Four Seasons.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_The Rich.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Theater.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Time Flies.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Time.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Toys.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Underwater world.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Underwater.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Weather Forecast.ch
c:\windows\system32\Cache\D6AB89AE\Clipart_Western Times.ch
c:\windows\system32\roboot.exe
c:\windows\system32\search.dll
c:\windows\system32\zip32.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-12-26 to 2012-01-26 )))))))))))))))))))))))))))))))
.
.
2012-01-17 03:41 . 2012-01-21 14:02 -------- d-----w- c:\documents and settings\Eric\Application Data\Systweak
2012-01-15 07:20 . 2011-10-14 14:47 23040 ------w- c:\windows\system32\dllcache\mciseq.dll
2012-01-15 07:20 . 2011-10-14 14:47 176128 ------w- c:\windows\system32\dllcache\winmm.dll
2012-01-15 07:18 . 2011-11-03 15:28 386048 ------w- c:\windows\system32\dllcache\qdvd.dll
2012-01-15 07:17 . 2011-11-18 12:35 60416 ------w- c:\windows\system32\dllcache\packager.exe
2012-01-15 07:09 . 2012-01-24 02:01 -------- d-----w- c:\windows\ie8updates
2012-01-15 07:09 . 2011-11-04 19:20 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2012-01-15 07:09 . 2011-11-04 19:20 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2012-01-15 07:09 . 2011-11-04 19:20 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2012-01-15 06:16 . 2012-01-15 06:17 -------- d-----w- c:\documents and settings\Eric\Local Settings\Application Data\FixItCenter
2012-01-15 06:13 . 2012-01-15 06:16 -------- d-----w- c:\windows\MATS
2012-01-15 06:13 . 2012-01-15 06:16 -------- d-----w- c:\program files\Microsoft Fix it Center
2012-01-15 05:33 . 2012-01-15 05:33 -------- d-sh--w- c:\documents and settings\Eric\PrivacIE
2012-01-15 03:32 . 2012-01-15 03:32 -------- d-----w- c:\documents and settings\All Users\Application Data\iolo
2012-01-15 03:32 . 2012-01-15 03:32 -------- d-----w- c:\program files\iolo
2012-01-15 03:32 . 2012-01-15 03:32 -------- d-----w- c:\documents and settings\Eric\Application Data\iolo
2012-01-15 01:59 . 2012-01-15 01:59 -------- d-----w- c:\documents and settings\Eric\Application Data\ElevatedDiagnostics
2012-01-14 14:52 . 2012-01-14 14:52 -------- d-----w- c:\documents and settings\Eric\Local Settings\Application Data\Safe mirror
2012-01-14 14:51 . 2012-01-14 14:51 -------- d-----w- c:\program files\Cobian Backup 10
2012-01-14 13:41 . 2012-01-14 15:45 -------- d-----w- C:\sh4ldr
2012-01-14 13:41 . 2012-01-14 13:41 -------- d-----w- c:\program files\Enigma Software Group
2012-01-14 13:40 . 2012-01-14 15:45 -------- d-----w- c:\windows\1C7CC8E2CFCF41E6A8637C7A45CE8A78.TMP
2012-01-14 05:54 . 2012-01-14 05:54 -------- d-----w- C:\BEER
2012-01-14 05:53 . 2012-01-14 05:55 -------- d-----w- C:\Shooting & Hunting Related
2012-01-14 05:52 . 2012-01-14 05:52 -------- d-----w- C:\PREP
2012-01-14 05:38 . 2012-01-14 05:51 -------- d-----w- C:\PICTURES
2012-01-14 05:11 . 2012-01-14 05:28 -------- d-----w- C:\Pron
2012-01-14 04:23 . 2012-01-14 04:23 -------- d-sh--w- c:\documents and settings\Eric\IECompatCache
2012-01-14 00:28 . 2012-01-14 01:13 -------- d-----w- c:\documents and settings\Eric\Local Settings\Application Data\NPE
2012-01-13 03:29 . 2012-01-13 03:29 -------- d-----w- c:\windows\system32\drivers\NST
2012-01-13 03:29 . 2012-01-13 03:29 -------- d-----w- c:\program files\Norton Safe Web Lite
2012-01-13 03:01 . 2012-01-13 03:01 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2012-01-13 03:01 . 2012-01-13 03:01 127096 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2012-01-13 03:01 . 2012-01-13 03:01 -------- d-----w- c:\program files\Symantec
2012-01-13 03:01 . 2012-01-13 03:01 -------- d-----w- c:\program files\Norton AntiVirus
2012-01-13 03:01 . 2012-01-13 03:29 -------- d-----w- c:\program files\NortonInstaller
2012-01-13 02:28 . 2012-01-13 03:10 -------- d-----w- c:\windows\system32\drivers\NAV\1302000.00A
2012-01-11 16:28 . 2012-01-11 16:28 -------- d-----w- c:\documents and settings\Eric\Local Settings\Application Data\Symantec
2012-01-05 15:48 . 2012-01-05 15:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2012-01-03 13:22 . 2012-01-03 13:22 103864 ------w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2012-01-03 13:22 . 2012-01-03 13:22 103864 ------w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2011-12-31 00:38 . 2011-12-31 00:38 -------- d-----w- c:\program files\Winamp Detect
2011-12-31 00:37 . 2011-12-31 00:44 -------- d-----w- c:\documents and settings\Eric\Application Data\Winamp
2011-12-31 00:37 . 2011-12-31 00:38 -------- d-----w- c:\program files\Winamp
2011-12-30 22:41 . 2011-12-30 22:41 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-12-29 17:02 . 2011-12-29 17:02 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-12-29 17:01 . 2011-12-29 17:01 -------- d-sh--w- c:\documents and settings\Eric\IETldCache
2011-12-29 17:00 . 2011-12-29 17:00 -------- d--h--w- c:\windows\msdownld.tmp
2011-12-29 16:59 . 2011-10-31 23:43 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-12-29 16:59 . 2011-10-31 23:43 78336 ----a-w- c:\windows\system32\dllcache\ieencode.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-28 13:37 . 2011-11-28 13:37 1409 ------w- c:\windows\QTFont.for
2011-11-25 21:57 . 2005-08-16 10:18 293376 ------w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2005-08-16 10:18 1859584 ------w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2005-08-16 10:18 60416 ------w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2005-08-16 10:18 354816 ------w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2005-08-16 10:18 152064 ------w- c:\windows\system32\schannel.dll
2011-11-10 23:18 . 2011-06-26 22:58 414368 ------w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-08 02:28 . 2011-11-08 02:28 56208 ------w- c:\windows\system32\drivers\RapportKELL.sys
2011-11-03 15:28 . 2005-08-16 10:18 386048 ------w- c:\windows\system32\qdvd.dll
2011-11-03 15:28 . 2005-08-16 10:18 1292288 ------w- c:\windows\system32\quartz.dll
2011-11-01 16:07 . 2005-08-16 10:18 1288704 ------w- c:\windows\system32\ole32.dll
2011-10-31 23:43 . 2005-08-16 10:18 832512 ----a-w- c:\windows\system32\wininet.dll
2011-10-31 23:43 . 2005-08-16 10:18 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2011-10-31 23:43 . 2005-08-16 10:18 17408 ----a-w- c:\windows\system32\corpol.dll
2011-12-21 07:24 . 2012-01-24 01:42 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-09-05 700416]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-25 8523776]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-04-04 1236992]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 122880]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-05 49152]
"DellTouch"="c:\windows\MMKeybd.exe" [2001-09-05 163840]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-22 229437]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2005-11-24 1187840]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-11-05 1505144]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-11-05 1468256]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-04-26 413696]
.
c:\documents and settings\Eric\Start Menu\Programs\Startup\AutorunsDisabled
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
onenote table of contents.onetoc2 [2011-11-27 3656]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-aware]
2003-01-27 14:42 778240 ------w- c:\program files\Lavasoft\Ad-aware 6\Ad-aware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2004-05-12 21:18 241664 ------w- c:\program files\HP\hpcoretech\hpcmpmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-04-26 00:14 413696 ------w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 --sh--r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Lavasoft\\Ad-aware 6\\Ad-aware.exe"=
"c:\\Program Files\\Napster\\napster.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\LeapFrog\\LeapFrog Connect\\LeapFrogConnect.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [11/7/2011 9:28 PM 56208]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1302000.00A\symds.sys [1/12/2012 10:10 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1302000.00A\symefa.sys [1/12/2012 10:10 PM 897656]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.1.3\Definitions\BASHDefs\20120121.002\BHDrvx86.sys [1/23/2012 8:13 PM 820344]
R1 ccSet_NAV;Norton AntiVirus Settings Manager;c:\windows\system32\drivers\NAV\1302000.00A\ccsetx86.sys [1/12/2012 10:10 PM 132744]
R1 ccSet_NST;Norton Safe Web Lite Settings Manager;c:\windows\system32\drivers\NST\0200000.010\ccSetx86.sys [1/12/2012 10:29 PM 132744]
R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [11/7/2011 9:28 PM 71440]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [11/7/2011 9:28 PM 164112]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1302000.00A\ironx86.sys [1/12/2012 10:10 PM 149624]
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\Cobian Backup 10\cbVSCService.exe [1/14/2012 9:51 AM 67584]
R2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\19.2.0.10\ccsvchst.exe [1/12/2012 10:10 PM 138760]
R2 NSL;Norton Safe Web Lite;c:\program files\Norton Safe Web Lite\Engine\2.0.0.16\ccSvcHst.exe [1/12/2012 10:29 PM 138760]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [11/7/2011 9:28 PM 931640]
R3 chdrvr01;CH Control Manager Driver 1;c:\windows\system32\drivers\chdrvr01.sys [4/25/2008 7:54 AM 215104]
R3 chdrvr02;CH Control Manager Driver 2;c:\windows\system32\drivers\chdrvr02.sys [4/25/2008 7:54 AM 3744]
R3 chdrvr03;CH Control Manager Driver 3;c:\windows\system32\drivers\chdrvr03.sys [4/25/2008 7:54 AM 9024]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [1/12/2012 10:10 PM 106104]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.1.3\Definitions\IPSDefs\20120124.005\IDSXpx86.sys [1/25/2012 6:19 PM 356280]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [7/4/2011 5:36 PM 18560]
S3 mr7911;Photo Viewer ;c:\windows\system32\drivers\mr7911.sys [9/26/2009 3:56 PM 39552]
S4 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]
S4 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [6/13/2011 10:09 PM 267568]
S4 RapportCerberus_34302;RapportCerberus_34302;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys [12/15/2011 8:19 PM 228208]
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
2012-01-22 c:\windows\Tasks\ConfigExec.job
- c:\program files\Microsoft Fix it Center\MatsApi.dll [2011-06-14 03:09]
.
2012-01-22 c:\windows\Tasks\DataUpload.job
- c:\program files\Microsoft Fix it Center\MatsApi.dll [2011-06-14 03:09]
.
2012-01-15 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2005-08-16 00:12]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1080207
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Eric\Application Data\Mozilla\Firefox\Profiles\6cs4x2qg.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-26 17:54
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3750640AS rev.3.ADG -> Harddisk0\DR0 -> \Device\00000032
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
error: Read The system cannot find the file specified.
kernel: MBR read successfully
_asm { MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; MOV DS, AX; CLD ; MOV CX, 0x80; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSD ; JMP FAR 0x0:0x62d; }
detected disk devices:
\Device\00000076 -> \??\IDE#DiskST3750640AS_____________________________3.ADG___#2020202020202020202020205135314435504141#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\19.2.0.10\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\19.2.0.10\diMaster.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NSL]
"ImagePath"="\"c:\program files\Norton Safe Web Lite\Engine\2.0.0.16\ccSvcHst.exe\" /s \"NSL\" /m \"c:\program files\Norton Safe Web Lite\Engine\2.0.0.16\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2346295851-249890667-506302795-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:5d,50,48,2a,c5,fc,43,ff,55,38,b7,11,c4,81,c6,23,e2,cb,50,7b,ee,06,7a,
3c,ce,4e,69,1f,1f,7b,43,1a,d2,08,58,c2,13,ee,25,73,20,11,4e,11,ed,0e,16,5a,\
"??"=hex:1b,34,05,b0,07,e9,c1,33,9c,13,c7,d0,f6,ae,38,f4
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(708)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'lsass.exe'(768)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(560)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\CTsvcCDA.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\dllhost.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\windows\eHome\ehmsas.exe
c:\windows\SYSTEM32\CTXFISPI.EXE
c:\windows\system32\wscntfy.exe
c:\program files\Microsoft IntelliType Pro\dpupdchk.exe
c:\program files\Netropa\OSD.exe
.
**************************************************************************
.
Completion time: 2012-01-26 17:57:24 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-26 22:57
.
Pre-Run: 598,805,434,368 bytes free
Post-Run: 599,988,531,200 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /fastdetect /NoExecute=OptOut
.
- - End Of File - - 6B74758D416C282D19EDAD1E342421E2

#4 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,549
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 26 January 2012 - 08:34 PM

Hello

I want you to run this tool for me next.

tdsskiller:

Please read carefully and follow these steps.

Download TDSSKiller and save it to your Desktop.
doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
If an infected file is detected, the default action will be Cure, click on Continue.
If a suspicious file is detected, the default action will be Skip, click on Continue.
It may ask you to reboot the computer to complete the process. Click on Reboot Now.
If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo

<-- Don't worry every little bit helps.

#5 Big Bird

Member

Group: Members
Posts: 19
Joined: 14-January 12

Posted 26 January 2012 - 08:54 PM

It found and cured an infected file. Log here:

20:49:55.0437 2896 TDSS rootkit removing tool 2.7.7.0 Jan 24 2012 16:44:27
20:49:55.0703 2896 ============================================================
20:49:55.0703 2896 Current date / time: 2012/01/26 20:49:55.0703
20:49:55.0703 2896 SystemInfo:
20:49:55.0703 2896
20:49:55.0718 2896 OS Version: 5.1.2600 ServicePack: 3.0
20:49:55.0718 2896 Product type: Workstation
20:49:55.0718 2896 ComputerName: HAL
20:49:55.0718 2896 UserName: Eric
20:49:55.0718 2896 Windows directory: C:\WINDOWS
20:49:55.0718 2896 System windows directory: C:\WINDOWS
20:49:55.0718 2896 Processor architecture: Intel x86
20:49:55.0718 2896 Number of processors: 4
20:49:55.0718 2896 Page size: 0x1000
20:49:55.0718 2896 Boot type: Normal boot
20:49:55.0718 2896 ============================================================
20:49:56.0578 2896 Drive \Device\Harddisk0\DR0 - Size: 0xAEA8CDE000 (698.64 Gb), SectorSize: 0x200, Cylinders: 0x16441, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
20:49:56.0718 2896 Initialize success
20:50:02.0875 1560 ============================================================
20:50:02.0875 1560 Scan started
20:50:02.0875 1560 Mode: Manual;
20:50:02.0875 1560 ============================================================
20:50:03.0046 1560 Abiosdsk - ok
20:50:03.0078 1560 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
20:50:03.0078 1560 abp480n5 - ok
20:50:03.0109 1560 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
20:50:03.0109 1560 ACPI - ok
20:50:03.0140 1560 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
20:50:03.0140 1560 ACPIEC - ok
20:50:03.0156 1560 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
20:50:03.0171 1560 adpu160m - ok
20:50:03.0187 1560 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
20:50:03.0187 1560 aec - ok
20:50:03.0234 1560 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
20:50:03.0234 1560 AFD - ok
20:50:03.0265 1560 AFS2K (0ebb674888cbdefd5773341c16dd6a07) C:\WINDOWS\system32\drivers\AFS2K.sys
20:50:03.0265 1560 AFS2K - ok
20:50:03.0296 1560 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
20:50:03.0296 1560 agp440 - ok
20:50:03.0328 1560 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
20:50:03.0328 1560 agpCPQ - ok
20:50:03.0390 1560 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
20:50:03.0390 1560 Aha154x - ok
20:50:03.0437 1560 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
20:50:03.0437 1560 aic78u2 - ok
20:50:03.0484 1560 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
20:50:03.0484 1560 aic78xx - ok
20:50:03.0515 1560 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
20:50:03.0515 1560 AliIde - ok
20:50:03.0531 1560 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
20:50:03.0531 1560 alim1541 - ok
20:50:03.0546 1560 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
20:50:03.0546 1560 amdagp - ok
20:50:03.0609 1560 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
20:50:03.0609 1560 amsint - ok
20:50:03.0671 1560 APPDRV (ec94e05b76d033b74394e7b2175103cf) C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS
20:50:03.0671 1560 APPDRV - ok
20:50:03.0687 1560 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
20:50:03.0687 1560 Arp1394 - ok
20:50:03.0718 1560 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
20:50:03.0718 1560 asc - ok
20:50:03.0750 1560 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
20:50:03.0750 1560 asc3350p - ok
20:50:03.0781 1560 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
20:50:03.0781 1560 asc3550 - ok
20:50:03.0812 1560 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
20:50:03.0812 1560 AsyncMac - ok
20:50:03.0843 1560 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
20:50:03.0843 1560 atapi - ok
20:50:03.0859 1560 Atdisk - ok
20:50:03.0875 1560 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
20:50:03.0875 1560 Atmarpc - ok
20:50:03.0890 1560 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
20:50:03.0890 1560 audstub - ok
20:50:03.0906 1560 b57w2k (f96038aa1ec4013a93d2420fc689d1e9) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
20:50:03.0906 1560 b57w2k - ok
20:50:03.0937 1560 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
20:50:03.0937 1560 Beep - ok
20:50:04.0093 1560 BHDrvx86 (e685ba3267c5a4ec4ce9e2b4a1481725) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.1.3\Definitions\BASHDefs\20120121.002\BHDrvx86.sys
20:50:04.0109 1560 BHDrvx86 - ok
20:50:04.0109 1560 catchme - ok
20:50:04.0140 1560 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
20:50:04.0140 1560 cbidf - ok
20:50:04.0140 1560 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
20:50:04.0140 1560 cbidf2k - ok
20:50:04.0203 1560 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
20:50:04.0203 1560 CCDECODE - ok
20:50:04.0296 1560 ccSet_NAV (2b2f9b4a08190334a9c36446b208bae9) C:\WINDOWS\system32\drivers\NAV\1302000.00A\ccSetx86.sys
20:50:04.0312 1560 ccSet_NAV - ok
20:50:04.0375 1560 ccSet_NST (2b2f9b4a08190334a9c36446b208bae9) C:\WINDOWS\system32\drivers\NST\0200000.010\ccSetx86.sys
20:50:04.0375 1560 ccSet_NST - ok
20:50:04.0468 1560 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
20:50:04.0468 1560 cd20xrnt - ok
20:50:04.0515 1560 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
20:50:04.0531 1560 Cdaudio - ok
20:50:04.0593 1560 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
20:50:04.0593 1560 Cdfs - ok
20:50:04.0640 1560 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
20:50:04.0640 1560 Cdrom - ok
20:50:04.0687 1560 Changer - ok
20:50:04.0718 1560 chdrvr01 (aabffd787ab272fc903afeeb336c6899) C:\WINDOWS\system32\DRIVERS\chdrvr01.sys
20:50:04.0718 1560 chdrvr01 - ok
20:50:04.0750 1560 chdrvr02 (7536fb70bcbf5d10b810e67e72f68137) C:\WINDOWS\system32\DRIVERS\chdrvr02.sys
20:50:04.0750 1560 chdrvr02 - ok
20:50:04.0781 1560 chdrvr03 (07e3319e5bae758ceb83c80419681b6a) C:\WINDOWS\system32\DRIVERS\chdrvr03.sys
20:50:04.0781 1560 chdrvr03 - ok
20:50:04.0843 1560 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
20:50:04.0843 1560 CmdIde - ok
20:50:04.0906 1560 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
20:50:04.0906 1560 Cpqarray - ok
20:50:04.0968 1560 ctac32k (8a9c65ce4fe6e8cb24ce06ba28d951a0) C:\WINDOWS\system32\drivers\ctac32k.sys
20:50:04.0968 1560 ctac32k - ok
20:50:05.0046 1560 ctaud2k (47236971dfb3e03690b98e41665d0924) C:\WINDOWS\system32\drivers\ctaud2k.sys
20:50:05.0046 1560 ctaud2k - ok
20:50:05.0109 1560 ctdvda2k (5a0eeb00b02fc78605aa9d3590b24978) C:\WINDOWS\system32\drivers\ctdvda2k.sys
20:50:05.0109 1560 ctdvda2k - ok
20:50:05.0156 1560 ctprxy2k (2381cf056c15271f6b8dab50ff82cf3a) C:\WINDOWS\system32\drivers\ctprxy2k.sys
20:50:05.0156 1560 ctprxy2k - ok
20:50:05.0203 1560 ctsfm2k (da1c530de86c85a701138b30fb145af3) C:\WINDOWS\system32\drivers\ctsfm2k.sys
20:50:05.0203 1560 ctsfm2k - ok
20:50:05.0265 1560 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
20:50:05.0265 1560 dac2w2k - ok
20:50:05.0312 1560 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
20:50:05.0312 1560 dac960nt - ok
20:50:05.0359 1560 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
20:50:05.0359 1560 Disk - ok
20:50:05.0468 1560 DLABMFSM (0659e6e0a95564f958d9df7313f7701e) C:\WINDOWS\system32\DLA\DLABMFSM.SYS
20:50:05.0468 1560 DLABMFSM - ok
20:50:05.0500 1560 DLABOIOM (8691c78908f0bd66170669db268369f2) C:\WINDOWS\system32\DLA\DLABOIOM.SYS
20:50:05.0500 1560 DLABOIOM - ok
20:50:05.0546 1560 DLACDBHM (76167b5eb2dffc729edc36386876b40b) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
20:50:05.0546 1560 DLACDBHM - ok
20:50:05.0578 1560 DLADResM (5615744a1056933b90e6ac54feb86f35) C:\WINDOWS\system32\DLA\DLADResM.SYS
20:50:05.0578 1560 DLADResM - ok
20:50:05.0593 1560 DLAIFS_M (1aeca2afa5005ce4a550cf8eb55a8c88) C:\WINDOWS\system32\DLA\DLAIFS_M.SYS
20:50:05.0593 1560 DLAIFS_M - ok
20:50:05.0593 1560 DLAOPIOM (840e7f6abb885c72b9ffddb022ef5b6d) C:\WINDOWS\system32\DLA\DLAOPIOM.SYS
20:50:05.0593 1560 DLAOPIOM - ok
20:50:05.0609 1560 DLAPoolM (0294d18731ac05da80132ce88f8a876b) C:\WINDOWS\system32\DLA\DLAPoolM.SYS
20:50:05.0609 1560 DLAPoolM - ok
20:50:05.0625 1560 DLARTL_M (91886fed52a3f9966207bce46cfd794f) C:\WINDOWS\system32\Drivers\DLARTL_M.SYS
20:50:05.0625 1560 DLARTL_M - ok
20:50:05.0687 1560 DLAUDFAM (cca4e121d599d7d1706a30f603731e59) C:\WINDOWS\system32\DLA\DLAUDFAM.SYS
20:50:05.0687 1560 DLAUDFAM - ok
20:50:05.0687 1560 DLAUDF_M (7dab85c33135df24419951da4e7d38e5) C:\WINDOWS\system32\DLA\DLAUDF_M.SYS
20:50:05.0687 1560 DLAUDF_M - ok
20:50:05.0734 1560 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
20:50:05.0750 1560 dmboot - ok
20:50:05.0765 1560 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
20:50:05.0765 1560 dmio - ok
20:50:05.0765 1560 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
20:50:05.0765 1560 dmload - ok
20:50:05.0812 1560 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
20:50:05.0812 1560 DMusic - ok
20:50:05.0890 1560 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
20:50:05.0890 1560 dpti2o - ok
20:50:05.0890 1560 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
20:50:05.0890 1560 drmkaud - ok
20:50:05.0921 1560 DRVMCDB (c00440385cf9f3d142917c63f989e244) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
20:50:05.0921 1560 DRVMCDB - ok
20:50:05.0953 1560 DRVNDDM (6e6ab29d3c06e64ce81feacda85394b5) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
20:50:05.0953 1560 DRVNDDM - ok
20:50:05.0968 1560 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys
20:50:05.0968 1560 E100B - ok
20:50:06.0062 1560 eeCtrl (75e8b69f28c813675b16db357f20720f) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
20:50:06.0062 1560 eeCtrl - ok
20:50:06.0093 1560 emupia (661cf27263f3e0b553be050a42d357db) C:\WINDOWS\system32\drivers\emupia2k.sys
20:50:06.0093 1560 emupia - ok
20:50:06.0109 1560 EraserUtilRebootDrv (720b18d76de9e603b626dfcd6f1fca7c) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
20:50:06.0109 1560 EraserUtilRebootDrv - ok
20:50:06.0140 1560 esgiguard - ok
20:50:06.0171 1560 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
20:50:06.0171 1560 Fastfat - ok
20:50:06.0187 1560 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
20:50:06.0187 1560 Fdc - ok
20:50:06.0218 1560 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
20:50:06.0218 1560 Fips - ok
20:50:06.0234 1560 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
20:50:06.0234 1560 Flpydisk - ok
20:50:06.0281 1560 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
20:50:06.0281 1560 FltMgr - ok
20:50:06.0312 1560 FlyUsb (8efa9bfc940d9eb9348d9dafb839fe25) C:\WINDOWS\system32\DRIVERS\FlyUsb.sys
20:50:06.0312 1560 FlyUsb - ok
20:50:06.0328 1560 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
20:50:06.0328 1560 Fs_Rec - ok
20:50:06.0359 1560 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
20:50:06.0359 1560 Ftdisk - ok
20:50:06.0390 1560 GEARAspiWDM (5dc17164f66380cbfefd895c18467773) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
20:50:06.0390 1560 GEARAspiWDM - ok
20:50:06.0437 1560 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
20:50:06.0437 1560 Gpc - ok
20:50:06.0468 1560 grmnusb (d956358054e99e6ffac69cd87e893a89) C:\WINDOWS\system32\drivers\grmnusb.sys
20:50:06.0468 1560 grmnusb - ok
20:50:06.0515 1560 ha20x2k (862d4185d43128fef7818711f8f30436) C:\WINDOWS\system32\drivers\ha20x2k.sys
20:50:06.0515 1560 ha20x2k - ok
20:50:06.0578 1560 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
20:50:06.0578 1560 HidUsb - ok
20:50:06.0593 1560 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
20:50:06.0593 1560 hpn - ok
20:50:06.0656 1560 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
20:50:06.0656 1560 HTTP - ok
20:50:06.0687 1560 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
20:50:06.0687 1560 i2omgmt - ok
20:50:06.0718 1560 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
20:50:06.0718 1560 i2omp - ok
20:50:06.0734 1560 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
20:50:06.0734 1560 i8042prt - ok
20:50:06.0953 1560 IDSxpx86 (cfbc1ce72e5353d428704659199147b1) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.1.3\Definitions\IPSDefs\20120125.002\IDSxpx86.sys
20:50:06.0953 1560 IDSxpx86 - ok
20:50:07.0000 1560 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
20:50:07.0000 1560 Imapi - ok
20:50:07.0062 1560 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
20:50:07.0062 1560 ini910u - ok
20:50:07.0109 1560 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
20:50:07.0109 1560 IntelIde - ok
20:50:07.0171 1560 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
20:50:07.0171 1560 intelppm - ok
20:50:07.0218 1560 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
20:50:07.0218 1560 Ip6Fw - ok
20:50:07.0281 1560 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
20:50:07.0281 1560 IpFilterDriver - ok
20:50:07.0328 1560 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
20:50:07.0328 1560 IpInIp - ok
20:50:07.0390 1560 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
20:50:07.0390 1560 IpNat - ok
20:50:07.0468 1560 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
20:50:07.0468 1560 IPSec - ok
20:50:07.0515 1560 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
20:50:07.0515 1560 IRENUM - ok
20:50:07.0578 1560 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
20:50:07.0578 1560 isapnp - ok
20:50:07.0625 1560 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
20:50:07.0625 1560 Kbdclass - ok
20:50:07.0671 1560 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
20:50:07.0671 1560 kbdhid - ok
20:50:07.0718 1560 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
20:50:07.0718 1560 kmixer - ok
20:50:07.0796 1560 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
20:50:07.0796 1560 KSecDD - ok
20:50:07.0828 1560 lbrtfdc - ok
20:50:07.0921 1560 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
20:50:07.0921 1560 MHNDRV - ok
20:50:07.0968 1560 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
20:50:07.0968 1560 mnmdd - ok
20:50:08.0000 1560 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
20:50:08.0000 1560 Modem - ok
20:50:08.0046 1560 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
20:50:08.0046 1560 Mouclass - ok
20:50:08.0109 1560 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
20:50:08.0109 1560 mouhid - ok
20:50:08.0156 1560 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
20:50:08.0156 1560 MountMgr - ok
20:50:08.0234 1560 mr7911 (dac38ef64dbdd5c163ed07e5d0d54c1c) C:\WINDOWS\system32\DRIVERS\mr7911.sys
20:50:08.0234 1560 mr7911 - ok
20:50:08.0312 1560 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
20:50:08.0312 1560 mraid35x - ok
20:50:08.0359 1560 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
20:50:08.0359 1560 MRxDAV - ok
20:50:08.0421 1560 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
20:50:08.0437 1560 MRxSmb - ok
20:50:08.0468 1560 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
20:50:08.0468 1560 Msfs - ok
20:50:08.0500 1560 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
20:50:08.0500 1560 MSKSSRV - ok
20:50:08.0562 1560 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
20:50:08.0562 1560 MSPCLOCK - ok
20:50:08.0609 1560 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
20:50:08.0625 1560 MSPQM - ok
20:50:08.0671 1560 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
20:50:08.0671 1560 mssmbios - ok
20:50:08.0750 1560 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
20:50:08.0750 1560 MSTEE - ok
20:50:08.0796 1560 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
20:50:08.0796 1560 Mup - ok
20:50:08.0875 1560 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
20:50:08.0875 1560 NABTSFEC - ok
20:50:09.0031 1560 NAVENG (862f55824ac81295837b0ab63f91071f) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.1.3\Definitions\VirusDefs\20120126.003\NAVENG.SYS
20:50:09.0031 1560 NAVENG - ok
20:50:09.0109 1560 NAVEX15 (529d571b551cb9da44237389b936f1ae) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.1.3\Definitions\VirusDefs\20120126.003\NAVEX15.SYS
20:50:09.0125 1560 NAVEX15 - ok
20:50:09.0218 1560 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
20:50:09.0218 1560 NDIS - ok
20:50:09.0281 1560 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
20:50:09.0281 1560 NdisIP - ok
20:50:09.0343 1560 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
20:50:09.0343 1560 NdisTapi - ok
20:50:09.0390 1560 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
20:50:09.0390 1560 Ndisuio - ok
20:50:09.0468 1560 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
20:50:09.0468 1560 NdisWan - ok
20:50:09.0531 1560 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
20:50:09.0531 1560 NDProxy - ok
20:50:09.0578 1560 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
20:50:09.0578 1560 NetBIOS - ok
20:50:09.0656 1560 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
20:50:09.0656 1560 NetBT - ok
20:50:09.0703 1560 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
20:50:09.0703 1560 NIC1394 - ok
20:50:09.0765 1560 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
20:50:09.0765 1560 Npfs - ok
20:50:09.0812 1560 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
20:50:09.0828 1560 Ntfs - ok
20:50:09.0875 1560 NuidFltr (cf7e041663119e09d2e118521ada9300) C:\WINDOWS\system32\DRIVERS\NuidFltr.sys
20:50:09.0875 1560 NuidFltr - ok
20:50:09.0906 1560 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
20:50:09.0906 1560 Null - ok
20:50:10.0078 1560 nv (44067bf7d3e291cc38d9cf9aea1bd99d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
20:50:10.0234 1560 nv - ok
20:50:10.0265 1560 nvatabus (ef9941593b2e9b436f64a87ddb570d1a) C:\WINDOWS\system32\drivers\nvatabus.sys
20:50:10.0265 1560 nvatabus - ok
20:50:10.0281 1560 nvraid (ea4017441889a7e66d8a77bd41ac11c0) C:\WINDOWS\system32\drivers\nvraid.sys
20:50:10.0281 1560 nvraid - ok
20:50:10.0296 1560 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
20:50:10.0296 1560 NwlnkFlt - ok
20:50:10.0312 1560 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
20:50:10.0312 1560 NwlnkFwd - ok
20:50:10.0328 1560 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
20:50:10.0328 1560 ohci1394 - ok
20:50:10.0359 1560 ossrv (99f877a7bb6feb5af1184eafe937c208) C:\WINDOWS\system32\drivers\ctoss2k.sys
20:50:10.0359 1560 ossrv - ok
20:50:10.0390 1560 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
20:50:10.0390 1560 Parport - ok
20:50:10.0390 1560 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
20:50:10.0406 1560 PartMgr - ok
20:50:10.0437 1560 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
20:50:10.0437 1560 ParVdm - ok
20:50:10.0453 1560 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
20:50:10.0453 1560 PCI - ok
20:50:10.0468 1560 PCIDump - ok
20:50:10.0484 1560 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
20:50:10.0484 1560 PCIIde - ok
20:50:10.0531 1560 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
20:50:10.0531 1560 Pcmcia - ok
20:50:10.0562 1560 PDCOMP - ok
20:50:10.0609 1560 PDFRAME - ok
20:50:10.0640 1560 PDRELI - ok
20:50:10.0687 1560 PDRFRAME - ok
20:50:10.0750 1560 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
20:50:10.0750 1560 perc2 - ok
20:50:10.0796 1560 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
20:50:10.0796 1560 perc2hib - ok
20:50:10.0828 1560 Point32 (2e3394c8ebf31a9b4f0a531eb5cc7bc7) C:\WINDOWS\system32\DRIVERS\point32.sys
20:50:10.0828 1560 Point32 - ok
20:50:10.0859 1560 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
20:50:10.0859 1560 PptpMiniport - ok
20:50:10.0859 1560 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
20:50:10.0859 1560 PSched - ok
20:50:10.0890 1560 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
20:50:10.0890 1560 Ptilink - ok
20:50:10.0968 1560 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
20:50:10.0968 1560 PxHelp20 - ok
20:50:11.0015 1560 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
20:50:11.0015 1560 ql1080 - ok
20:50:11.0062 1560 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
20:50:11.0062 1560 Ql10wnt - ok
20:50:11.0078 1560 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
20:50:11.0078 1560 ql12160 - ok
20:50:11.0093 1560 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
20:50:11.0093 1560 ql1240 - ok
20:50:11.0109 1560 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
20:50:11.0109 1560 ql1280 - ok
20:50:11.0203 1560 RapportCerberus_34302 (6b6f0a77365667912360ff1d5e984f25) C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys
20:50:11.0203 1560 RapportCerberus_34302 - ok
20:50:11.0281 1560 RapportEI (5074fe56c70b31909c6b3129280c4cf2) C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys
20:50:11.0281 1560 RapportEI - ok
20:50:11.0343 1560 RapportKELL (d6c7c196ad59375e9dde68d70db6e7a1) C:\WINDOWS\system32\Drivers\RapportKELL.sys
20:50:11.0343 1560 RapportKELL - ok
20:50:11.0359 1560 RapportPG (1205f9ccc78d152a5cc509f5ee32800d) C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys
20:50:11.0359 1560 RapportPG - ok
20:50:11.0375 1560 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
20:50:11.0375 1560 RasAcd - ok
20:50:11.0406 1560 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
20:50:11.0406 1560 Rasl2tp - ok
20:50:11.0421 1560 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
20:50:11.0421 1560 RasPppoe - ok
20:50:11.0484 1560 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
20:50:11.0484 1560 Raspti - ok
20:50:11.0531 1560 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
20:50:11.0531 1560 Rdbss - ok
20:50:11.0578 1560 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
20:50:11.0578 1560 RDPCDD - ok
20:50:11.0609 1560 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
20:50:11.0609 1560 rdpdr - ok
20:50:11.0687 1560 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
20:50:11.0687 1560 RDPWD - ok
20:50:11.0734 1560 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
20:50:11.0734 1560 redbook - ok
20:50:11.0796 1560 RIOUNIV (9eca9d94207317bf8c34c8b6856737bd) C:\WINDOWS\system32\Drivers\RIOUNIV.sys
20:50:11.0796 1560 RIOUNIV - ok
20:50:11.0875 1560 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
20:50:11.0875 1560 Secdrv - ok
20:50:11.0906 1560 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
20:50:11.0906 1560 serenum - ok
20:50:11.0921 1560 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
20:50:11.0921 1560 Serial - ok
20:50:11.0968 1560 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
20:50:11.0968 1560 Sfloppy - ok
20:50:11.0984 1560 Simbad - ok
20:50:12.0015 1560 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
20:50:12.0015 1560 sisagp - ok
20:50:12.0078 1560 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
20:50:12.0078 1560 SLIP - ok
20:50:12.0125 1560 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
20:50:12.0125 1560 Sparrow - ok
20:50:12.0140 1560 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
20:50:12.0140 1560 splitter - ok
20:50:12.0156 1560 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
20:50:12.0156 1560 sr - ok
20:50:12.0234 1560 SRTSP (2c5fbf6a00a4a3dcf643e46e8acb20c2) C:\WINDOWS\System32\Drivers\NAV\1302000.00A\SRTSP.SYS
20:50:12.0234 1560 SRTSP - ok
20:50:12.0265 1560 SRTSPX (9034ea58552b55f370e5293a7175c5ac) C:\WINDOWS\system32\drivers\NAV\1302000.00A\SRTSPX.SYS
20:50:12.0265 1560 SRTSPX - ok
20:50:12.0296 1560 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
20:50:12.0296 1560 Srv - ok
20:50:12.0328 1560 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
20:50:12.0328 1560 streamip - ok
20:50:12.0375 1560 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
20:50:12.0375 1560 swenum - ok
20:50:12.0390 1560 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
20:50:12.0390 1560 swmidi - ok
20:50:12.0437 1560 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
20:50:12.0437 1560 symc810 - ok
20:50:12.0484 1560 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
20:50:12.0484 1560 symc8xx - ok
20:50:12.0546 1560 SymDS (690fa0e61b90084c4d9a721bd4f3d779) C:\WINDOWS\system32\drivers\NAV\1302000.00A\SYMDS.SYS
20:50:12.0562 1560 SymDS - ok
20:50:12.0609 1560 SymEFA (fc6d4a81b3611693f4e14e75908b6767) C:\WINDOWS\system32\drivers\NAV\1302000.00A\SYMEFA.SYS
20:50:12.0656 1560 SymEFA - ok
20:50:12.0718 1560 SymEvent (98d28d08e68145fb550ee7670b43baf2) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
20:50:12.0718 1560 SymEvent - ok
20:50:12.0765 1560 SymIRON (39c35ddbb570e9f334f239248e4de34d) C:\WINDOWS\system32\drivers\NAV\1302000.00A\Ironx86.SYS
20:50:12.0765 1560 SymIRON - ok
20:50:12.0796 1560 SYMTDI (aaae36e8235dab7da8a64bd10de281e5) C:\WINDOWS\System32\Drivers\NAV\1302000.00A\SYMTDI.SYS
20:50:12.0796 1560 SYMTDI - ok
20:50:12.0859 1560 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
20:50:12.0859 1560 sym_hi - ok
20:50:12.0906 1560 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
20:50:12.0921 1560 sym_u3 - ok
20:50:12.0953 1560 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
20:50:12.0953 1560 sysaudio - ok
20:50:13.0015 1560 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
20:50:13.0015 1560 Tcpip - ok
20:50:13.0046 1560 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
20:50:13.0046 1560 TDPIPE - ok
20:50:13.0046 1560 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
20:50:13.0046 1560 TDTCP - ok
20:50:13.0078 1560 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
20:50:13.0078 1560 TermDD - ok
20:50:13.0109 1560 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
20:50:13.0109 1560 TosIde - ok
20:50:13.0140 1560 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
20:50:13.0140 1560 Udfs - ok
20:50:13.0187 1560 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
20:50:13.0187 1560 ultra - ok
20:50:13.0234 1560 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
20:50:13.0250 1560 Update - ok
20:50:13.0281 1560 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
20:50:13.0281 1560 usbccgp - ok
20:50:13.0296 1560 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
20:50:13.0312 1560 usbehci - ok
20:50:13.0343 1560 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
20:50:13.0343 1560 usbhub - ok
20:50:13.0406 1560 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
20:50:13.0406 1560 usbohci - ok
20:50:13.0437 1560 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
20:50:13.0437 1560 usbprint - ok
20:50:13.0500 1560 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
20:50:13.0500 1560 usbscan - ok
20:50:13.0531 1560 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
20:50:13.0531 1560 USBSTOR - ok
20:50:13.0562 1560 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
20:50:13.0562 1560 usbuhci - ok
20:50:13.0593 1560 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
20:50:13.0593 1560 VgaSave - ok
20:50:13.0609 1560 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
20:50:13.0625 1560 viaagp - ok
20:50:13.0656 1560 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
20:50:13.0656 1560 ViaIde - ok
20:50:13.0703 1560 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
20:50:13.0703 1560 VolSnap - ok
20:50:13.0750 1560 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
20:50:13.0750 1560 Wanarp - ok
20:50:13.0796 1560 wceusbsh (4a954a20a4c73d6db13c0fe25f3f1b0c) C:\WINDOWS\system32\DRIVERS\wceusbsh.sys
20:50:13.0796 1560 wceusbsh - ok
20:50:13.0843 1560 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
20:50:13.0843 1560 Wdf01000 - ok
20:50:13.0859 1560 WDICA - ok
20:50:13.0890 1560 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
20:50:13.0890 1560 wdmaud - ok
20:50:13.0906 1560 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
20:50:13.0906 1560 WmiAcpi - ok
20:50:13.0953 1560 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\Drivers\wpdusb.sys
20:50:13.0953 1560 WpdUsb - ok
20:50:13.0968 1560 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
20:50:13.0968 1560 WS2IFSL - ok
20:50:14.0015 1560 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
20:50:14.0015 1560 WSTCODEC - ok
20:50:14.0062 1560 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
20:50:14.0062 1560 WudfPf - ok
20:50:14.0093 1560 MBR (0x1B8) (4bc21aabb8ea83c34000756722b7398b) \Device\Harddisk0\DR0
20:50:14.0109 1560 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
20:50:14.0109 1560 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
20:50:14.0140 1560 Boot (0x1200) (26d721ddaf559dabcc786906a55915fa) \Device\Harddisk0\DR0\Partition0
20:50:14.0140 1560 \Device\Harddisk0\DR0\Partition0 - ok
20:50:14.0140 1560 ============================================================
20:50:14.0140 1560 Scan finished
20:50:14.0140 1560 ============================================================
20:50:14.0140 1912 Detected object count: 1
20:50:14.0140 1912 Actual detected object count: 1
20:50:54.0031 1912 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
20:50:54.0031 1912 \Device\Harddisk0\DR0 - ok
20:50:54.0031 1912 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
20:51:02.0000 3176 Deinitialize success

#6 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,549
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 26 January 2012 - 09:11 PM

Greetings

Good That cleaned up some bad guys but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

 ClearJavaCache::

Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

In your next post I need the following

report from Combofix
let me know of any problems you may have had
How is the computer doing now after running the script?

Gringo

<-- Don't worry every little bit helps.

#7 Big Bird

Member

Group: Members
Posts: 19
Joined: 14-January 12

Posted 26 January 2012 - 09:30 PM

Here is the log:
ComboFix 12-01-26.03 - Eric 01/26/2012 21:19:31.2.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3069.2328 [GMT -5:00]
Running from: c:\documents and settings\Eric\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Eric\Desktop\CFScript.txt
AV: Norton AntiVirus *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
.
.
((((((((((((((((((((((((( Files Created from 2011-12-27 to 2012-01-27 )))))))))))))))))))))))))))))))
.
.
2012-01-26 23:09 . 2012-01-26 23:09 664 ----a-w- c:\windows\system32\d3d9caps.tmp
2012-01-17 03:41 . 2012-01-21 14:02 -------- d-----w- c:\documents and settings\Eric\Application Data\Systweak
2012-01-15 07:20 . 2011-10-14 14:47 23040 ------w- c:\windows\system32\dllcache\mciseq.dll
2012-01-15 07:20 . 2011-10-14 14:47 176128 ------w- c:\windows\system32\dllcache\winmm.dll
2012-01-15 07:18 . 2011-11-03 15:28 386048 ------w- c:\windows\system32\dllcache\qdvd.dll
2012-01-15 07:17 . 2011-11-18 12:35 60416 ------w- c:\windows\system32\dllcache\packager.exe
2012-01-15 07:09 . 2012-01-24 02:01 -------- d-----w- c:\windows\ie8updates
2012-01-15 07:09 . 2011-11-04 19:20 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2012-01-15 07:09 . 2011-11-04 19:20 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2012-01-15 07:09 . 2011-11-04 19:20 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2012-01-15 06:16 . 2012-01-15 06:17 -------- d-----w- c:\documents and settings\Eric\Local Settings\Application Data\FixItCenter
2012-01-15 06:13 . 2012-01-15 06:16 -------- d-----w- c:\windows\MATS
2012-01-15 06:13 . 2012-01-15 06:16 -------- d-----w- c:\program files\Microsoft Fix it Center
2012-01-15 05:33 . 2012-01-15 05:33 -------- d-sh--w- c:\documents and settings\Eric\PrivacIE
2012-01-15 03:32 . 2012-01-15 03:32 -------- d-----w- c:\documents and settings\All Users\Application Data\iolo
2012-01-15 03:32 . 2012-01-15 03:32 -------- d-----w- c:\program files\iolo
2012-01-15 03:32 . 2012-01-15 03:32 -------- d-----w- c:\documents and settings\Eric\Application Data\iolo
2012-01-15 01:59 . 2012-01-15 01:59 -------- d-----w- c:\documents and settings\Eric\Application Data\ElevatedDiagnostics
2012-01-14 14:52 . 2012-01-14 14:52 -------- d-----w- c:\documents and settings\Eric\Local Settings\Application Data\Safe mirror
2012-01-14 14:51 . 2012-01-14 14:51 -------- d-----w- c:\program files\Cobian Backup 10
2012-01-14 13:41 . 2012-01-14 15:45 -------- d-----w- C:\sh4ldr
2012-01-14 13:41 . 2012-01-14 13:41 -------- d-----w- c:\program files\Enigma Software Group
2012-01-14 13:40 . 2012-01-14 15:45 -------- d-----w- c:\windows\1C7CC8E2CFCF41E6A8637C7A45CE8A78.TMP
2012-01-14 05:54 . 2012-01-14 05:54 -------- d-----w- C:\BEER
2012-01-14 05:53 . 2012-01-14 05:55 -------- d-----w- C:\Shooting & Hunting Related
2012-01-14 05:52 . 2012-01-14 05:52 -------- d-----w- C:\PREP
2012-01-14 05:38 . 2012-01-14 05:51 -------- d-----w- C:\PICTURES
2012-01-14 05:11 . 2012-01-14 05:28 -------- d-----w- C:\Pron
2012-01-14 04:23 . 2012-01-14 04:23 -------- d-sh--w- c:\documents and settings\Eric\IECompatCache
2012-01-14 00:28 . 2012-01-14 01:13 -------- d-----w- c:\documents and settings\Eric\Local Settings\Application Data\NPE
2012-01-13 03:29 . 2012-01-13 03:29 -------- d-----w- c:\windows\system32\drivers\NST
2012-01-13 03:29 . 2012-01-13 03:29 -------- d-----w- c:\program files\Norton Safe Web Lite
2012-01-13 03:01 . 2012-01-13 03:01 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2012-01-13 03:01 . 2012-01-13 03:01 127096 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2012-01-13 03:01 . 2012-01-13 03:01 -------- d-----w- c:\program files\Symantec
2012-01-13 03:01 . 2012-01-13 03:01 -------- d-----w- c:\program files\Norton AntiVirus
2012-01-13 03:01 . 2012-01-13 03:29 -------- d-----w- c:\program files\NortonInstaller
2012-01-13 02:28 . 2012-01-13 03:10 -------- d-----w- c:\windows\system32\drivers\NAV\1302000.00A
2012-01-11 16:28 . 2012-01-11 16:28 -------- d-----w- c:\documents and settings\Eric\Local Settings\Application Data\Symantec
2012-01-05 15:48 . 2012-01-05 15:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2012-01-03 13:22 . 2012-01-03 13:22 103864 ------w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2012-01-03 13:22 . 2012-01-03 13:22 103864 ------w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2011-12-31 00:38 . 2011-12-31 00:38 -------- d-----w- c:\program files\Winamp Detect
2011-12-31 00:37 . 2011-12-31 00:44 -------- d-----w- c:\documents and settings\Eric\Application Data\Winamp
2011-12-31 00:37 . 2011-12-31 00:38 -------- d-----w- c:\program files\Winamp
2011-12-30 22:41 . 2011-12-30 22:41 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-12-29 17:02 . 2011-12-29 17:02 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-12-29 17:01 . 2011-12-29 17:01 -------- d-sh--w- c:\documents and settings\Eric\IETldCache
2011-12-29 17:00 . 2011-12-29 17:00 -------- d--h--w- c:\windows\msdownld.tmp
2011-12-29 16:59 . 2011-10-31 23:43 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-12-29 16:59 . 2011-10-31 23:43 78336 ----a-w- c:\windows\system32\dllcache\ieencode.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-28 13:37 . 2011-11-28 13:37 1409 ------w- c:\windows\QTFont.for
2011-11-25 21:57 . 2005-08-16 10:18 293376 ------w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2005-08-16 10:18 1859584 ------w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2005-08-16 10:18 60416 ------w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2005-08-16 10:18 354816 ------w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2005-08-16 10:18 152064 ------w- c:\windows\system32\schannel.dll
2011-11-10 23:18 . 2011-06-26 22:58 414368 ------w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-08 02:28 . 2011-11-08 02:28 56208 ------w- c:\windows\system32\drivers\RapportKELL.sys
2011-11-03 15:28 . 2005-08-16 10:18 386048 ------w- c:\windows\system32\qdvd.dll
2011-11-03 15:28 . 2005-08-16 10:18 1292288 ------w- c:\windows\system32\quartz.dll
2011-11-01 16:07 . 2005-08-16 10:18 1288704 ------w- c:\windows\system32\ole32.dll
2011-10-31 23:43 . 2005-08-16 10:18 832512 ----a-w- c:\windows\system32\wininet.dll
2011-10-31 23:43 . 2005-08-16 10:18 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2011-10-31 23:43 . 2005-08-16 10:18 17408 ----a-w- c:\windows\system32\corpol.dll
2011-12-21 07:24 . 2012-01-24 01:42 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-26_22.49.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-01-27 01:55 . 2012-01-27 01:55 16384 c:\windows\Temp\Perflib_Perfdata_738.dat
+ 2012-01-27 01:52 . 2012-01-27 01:52 16384 c:\windows\Temp\Perflib_Perfdata_5dc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-09-05 700416]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-25 8523776]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-04-04 1236992]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 122880]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-05 49152]
"DellTouch"="c:\windows\MMKeybd.exe" [2001-09-05 163840]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-22 229437]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2005-11-24 1187840]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-11-05 1505144]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-11-05 1468256]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-04-26 413696]
.
c:\documents and settings\Eric\Start Menu\Programs\Startup\AutorunsDisabled
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
onenote table of contents.onetoc2 [2011-11-27 3656]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-aware]
2003-01-27 14:42 778240 ------w- c:\program files\Lavasoft\Ad-aware 6\Ad-aware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2004-05-12 21:18 241664 ------w- c:\program files\HP\hpcoretech\hpcmpmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-04-26 00:14 413696 ------w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 --sh--r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Lavasoft\\Ad-aware 6\\Ad-aware.exe"=
"c:\\Program Files\\Napster\\napster.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\LeapFrog\\LeapFrog Connect\\LeapFrogConnect.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [11/7/2011 9:28 PM 56208]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1302000.00A\symds.sys [1/12/2012 10:10 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1302000.00A\symefa.sys [1/12/2012 10:10 PM 897656]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.1.3\Definitions\BASHDefs\20120121.002\BHDrvx86.sys [1/23/2012 8:13 PM 820344]
R1 ccSet_NAV;Norton AntiVirus Settings Manager;c:\windows\system32\drivers\NAV\1302000.00A\ccsetx86.sys [1/12/2012 10:10 PM 132744]
R1 ccSet_NST;Norton Safe Web Lite Settings Manager;c:\windows\system32\drivers\NST\0200000.010\ccSetx86.sys [1/12/2012 10:29 PM 132744]
R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [11/7/2011 9:28 PM 71440]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [11/7/2011 9:28 PM 164112]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1302000.00A\ironx86.sys [1/12/2012 10:10 PM 149624]
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\Cobian Backup 10\cbVSCService.exe [1/14/2012 9:51 AM 67584]
R2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\19.2.0.10\ccsvchst.exe [1/12/2012 10:10 PM 138760]
R2 NSL;Norton Safe Web Lite;c:\program files\Norton Safe Web Lite\Engine\2.0.0.16\ccSvcHst.exe [1/12/2012 10:29 PM 138760]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [11/7/2011 9:28 PM 931640]
R3 chdrvr01;CH Control Manager Driver 1;c:\windows\system32\drivers\chdrvr01.sys [4/25/2008 7:54 AM 215104]
R3 chdrvr02;CH Control Manager Driver 2;c:\windows\system32\drivers\chdrvr02.sys [4/25/2008 7:54 AM 3744]
R3 chdrvr03;CH Control Manager Driver 3;c:\windows\system32\drivers\chdrvr03.sys [4/25/2008 7:54 AM 9024]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [1/12/2012 10:10 PM 106104]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.1.3\Definitions\IPSDefs\20120125.002\IDSXpx86.sys [1/26/2012 6:12 PM 356280]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [7/4/2011 5:36 PM 18560]
S3 mr7911;Photo Viewer ;c:\windows\system32\drivers\mr7911.sys [9/26/2009 3:56 PM 39552]
S4 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]
S4 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [6/13/2011 10:09 PM 267568]
S4 RapportCerberus_34302;RapportCerberus_34302;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys [12/15/2011 8:19 PM 228208]
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
2012-01-22 c:\windows\Tasks\ConfigExec.job
- c:\program files\Microsoft Fix it Center\MatsApi.dll [2011-06-14 03:09]
.
2012-01-22 c:\windows\Tasks\DataUpload.job
- c:\program files\Microsoft Fix it Center\MatsApi.dll [2011-06-14 03:09]
.
2012-01-15 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2005-08-16 00:12]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1080207
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Eric\Application Data\Mozilla\Firefox\Profiles\6cs4x2qg.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-26 21:27
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\19.2.0.10\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\19.2.0.10\diMaster.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NSL]
"ImagePath"="\"c:\program files\Norton Safe Web Lite\Engine\2.0.0.16\ccSvcHst.exe\" /s \"NSL\" /m \"c:\program files\Norton Safe Web Lite\Engine\2.0.0.16\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2346295851-249890667-506302795-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:5d,50,48,2a,c5,fc,43,ff,55,38,b7,11,c4,81,c6,23,e2,cb,50,7b,ee,06,7a,
3c,ce,4e,69,1f,1f,7b,43,1a,d2,08,58,c2,13,ee,25,73,20,11,4e,11,ed,0e,16,5a,\
"??"=hex:1b,34,05,b0,07,e9,c1,33,9c,13,c7,d0,f6,ae,38,f4
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3232)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-01-26 21:29:16
ComboFix-quarantined-files.txt 2012-01-27 02:29
ComboFix2.txt 2012-01-26 22:57
.
Pre-Run: 600,938,795,008 bytes free
Post-Run: 601,006,129,152 bytes free
.
- - End Of File - - E8CCB30DA77E18F3C5C3EE870CABBC81

#8 Big Bird

Member

Group: Members
Posts: 19
Joined: 14-January 12

Posted 26 January 2012 - 09:32 PM

Oh, sorry, to answer your 2nd and 3rd requests; no problems running the script, and the computer is calm, no problems that I can tell.

#9 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,549
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 26 January 2012 - 10:31 PM

These logs are looking allot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

uninstall some programs

NOTE** Because of the cleanup process some of the programs I have listed may not be in add/remove anymore just move to the next item on the list.

start

settings

control panel

add/remove programs

Adobe Reader 9.5.0
Browser Address Error Redirector
J2SE Runtime Environment 5.0 Update 6
Java™ 6 Update 20

remove

Update Adobe Reader

http://www.adobe.com/products/acrobat/readstep2.html

Adobe Reader

here

Note:

AskBar

Install Java:

Please go here to install Java

click on the Free Java Download Button
click on Agree and start Free download
click on Run
click on run again
click on install
when install is complete click on close

TFC(Temp File Cleaner):

Please download TFC to your desktop,
Save any unsaved work. TFC will close all open application windows.
Double-click TFC.exe to run the program.
If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

Malwarebytes' Anti-Malware

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to
- Update Malwarebytes' Anti-Malware
- and Launch Malwarebytes' Anti-Malware
then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
When completed, a log will open in Notepad. please copy and paste the log into your next reply
- If you accidently close it, the log file is saved here and will be named like this:
- C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Download HijackThis

Go Here to download HijackThis Installer
Save HijackThis Installer to your desktop.
Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
By default it will install to C:\Program Files\Trend Micro\HijackThis .
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed it will launch Hijackthis.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT use the AnalyseThis button its findings are dangerous if misinterpreted.
DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

If you have problems running Hijackthis.

sometimes we have to run it like this To run HijackThis as an administrator,
rightclick HijackThis.exe (located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)
and select to run as administrator

"information and logs"

In your next post I need the following

Log From MBAM
report from Hijackthis
let me know of any problems you may have had
How is the computer doing now?

Gringo

<-- Don't worry every little bit helps.

#10 Big Bird

Member

Group: Members
Posts: 19
Joined: 14-January 12

Posted 27 January 2012 - 05:38 PM

Log from MBAM:
Malwarebytes Anti-Malware (Trial) 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.27.06

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 7.0.5730.13
Eric :: HAL [administrator]

Protection: Enabled

1/27/2012 5:07:19 PM
mbam-log-2012-01-27 (17-07-19).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 196896
Time elapsed: 14 minute(s), 54 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Log from Hijack:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:33:46 PM, on 1/27/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Cobian Backup 10\cbVSCService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\Norton AntiVirus\Engine\19.2.0.10\ccSvcHst.exe
C:\Program Files\Norton Safe Web Lite\Engine\2.0.0.16\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Norton AntiVirus\Engine\19.2.0.10\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1080207
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: Norton Vulnerability Protection - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\19.2.0.10\IPS\IPSBHO.DLL
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: Norton Safe Web Lite BHO - {F0DA78E9-6B60-42fb-BC26-EF2CFB8C8FF3} - C:\Program Files\Norton Safe Web Lite\Engine\2.0.0.16\coIEPlg.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Norton Safe Web Lite - {30CEEEA2-3742-40e4-85DD-812BF1CBB83D} - C:\Program Files\Norton Safe Web Lite\Engine\2.0.0.16\coIEPlg.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: AutorunsDisabled (User 'SYSTEM')
O4 - .DEFAULT Startup: AutorunsDisabled (User 'Default user')
O4 - Startup: AutorunsDisabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon%20FiOS%20Installer.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://oas.support.microsoft.com/ActiveX/MSDcode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1208020441859
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Cobian Backup 10 Volume Shadow Copy service (cbVSCService) - CobianSoft, Luis Cobian - C:\Program Files\Cobian Backup 10\cbVSCService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LeapFrog Connect Device Service - LeapFrog Enterprises, Inc. - C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Norton AntiVirus (NAV) - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\19.2.0.10\ccSvcHst.exe
O23 - Service: Norton Safe Web Lite (NSL) - Symantec Corporation - C:\Program Files\Norton Safe Web Lite\Engine\2.0.0.16\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 10625 bytes

No problems noticed with the computer since combofix. I wanted to point out that after installing the latest adobe, I went back to add/remove programs to removed prior versions and there were no previous reader versions. But there are other adobe products including AIR, flash player 10 activeX, flash player 11 Plugin, and photoshop which I did not touch. Is this OK?

#11 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,549
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 27 January 2012 - 09:48 PM

Greetings

But there are other adobe products including AIR, flash player 10 activeX, flash player 11 Plugin, and photoshop which I did not touch. Is this OK?

that is fine

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to be, any of these programs you can click on their icons (or start from the control panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):
Close all open windows and browsers/email, etc...
Click on the "Fix Checked" button
When completed, close the application.

NOTE**You can research each of those lines >here< and see if you want to keep them or not
just copy the name between the brackets and paste into the search space
O4 - HKLM\..\Run: [IntelliPoint]

NOTE**
sometimes we have to run it like this To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go Eset web page to run an online scanner from ESET.

Turn off the real time scanner of any existing antivirus program while performing the online scan
click on the ESET Online Scanner button
Tick the box next to YES, I accept the Terms of Use.
- Click Start
When asked, allow the ActiveX control to install
- Click Start
Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
Click on Advanced Settings, ensure the options
Click Scan
Wait for the scan to finish
Click on copy to clipboard and paste the results here in this topic
you may also find here C:\Program Files\Eset\Eset Online Scanner\log.txt

Copy and paste that log as a reply to this topic

Gringo

This post has been edited by gringo_pr: 27 January 2012 - 09:51 PM

<-- Don't worry every little bit helps.

#12 Big Bird

Member

Group: Members
Posts: 19
Joined: 14-January 12

Posted 27 January 2012 - 11:47 PM

OMG - And I thought we are done! Please tell me this isn't as bad as it looks:

C:\Documents and Settings\Eric\My Documents\Downloads\winamp5622_full_emusic-7plus_en-us.exe Win32/OpenCandy application
C:\Muzak\Sony-Soundforge-70+keygen-by-ZorRo.rar a variant of Win32/Keygen.AQ application
C:\Muzak\Sony-soundforge-70+keygen-by-zorro\Sony-Soundforge-70+keygen-by-ZorRo\Sony.Sound.Forge.KeyGen\keygen.exe a variant of Win32/Keygen.AQ application
C:\Program Files\Soundforge\SoundForge 7 keygen.zip a variant of Win32/Keygen.AQ application
C:\Program Files\Soundforge\SoundForge v7.0_crk.rar a variant of Win32/Keygen.AQ application
C:\Program Files\Soundforge\SoundForge.v7.0.rar a variant of Win32/Keygen.AQ application
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP651\A0436476.sys a variant of Win32/Kryptik.ZBN trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP651\A0438476.sys a variant of Win32/Kryptik.ZBN trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP651\a0438483.exe a variant of Win32/Kryptik.XTN trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP651\A0438487.sys a variant of Win32/Kryptik.ZBN trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP651\A0439487.sys a variant of Win32/Kryptik.ZBN trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP651\A0439842.sys a variant of Win32/Kryptik.ZBN trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP651\A0440512.sys a variant of Win32/Kryptik.ZBN trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP651\A0440862.sys a variant of Win32/Kryptik.ZBN trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP651\A0441097.sys a variant of Win32/Kryptik.ZBN trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP665\A0537035.sys a variant of Win32/Rootkit.Kryptik.HQ trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP665\A0537262.sys a variant of Win32/Rootkit.Kryptik.HQ trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP665\A0537989.sys a variant of Win32/Rootkit.Kryptik.HQ trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP665\A0538758.sys a variant of Win32/Rootkit.Kryptik.HQ trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP665\A0539758.sys a variant of Win32/Rootkit.Kryptik.HQ trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP665\A0540703.sys a variant of Win32/Rootkit.Kryptik.HQ trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP665\A0541703.sys a variant of Win32/Rootkit.Kryptik.HQ trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP666\A0542079.sys a variant of Win32/Rootkit.Kryptik.HQ trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP666\A0543499.sys a variant of Win32/Rootkit.Kryptik.HQ trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP666\A0543656.sys a variant of Win32/Rootkit.Kryptik.HQ trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP666\A0543767.sys a variant of Win32/Rootkit.Kryptik.HQ trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP666\A0544547.exe Win32/OpenCandy application
C:\WINDOWS\system32\drivers\netbt.sys_backup a variant of Win32/Rootkit.Kryptik.HQ trojan

#13 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,549
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 28 January 2012 - 03:31 AM

Hello

There are some minor things in your online scan that should be removed.

Not bad at all just a couple of torrent files and that is it.

delete files

Copy all text in the quote box (below)...to Notepad.

Quote
@echo off
del /f /s /q "C:\Documents and Settings\Eric\My Documents\Downloads\winamp5622_full_emusic-7plus_en-us.exe"
del /f /s /q "C:\Muzak\Sony-Soundforge-70+keygen-by-ZorRo.rar"
del /f /s /q "C:\Muzak\Sony-soundforge-70+keygen-by-zorro\Sony-Soundforge-70+keygen-by-ZorRo\Sony.Sound.Forge.KeyGen\keygen.exe"
del /f /s /q "C:\Program Files\Soundforge\SoundForge 7 keygen.zip"
del /f /s /q "C:\Program Files\Soundforge\SoundForge v7.0_crk.rar"
del /f /s /q "C:\Program Files\Soundforge\SoundForge.v7.0.rar"
del %0
Save the Notepad file on your desktop...as delfile.bat... save type as "All Files"
It should look like this: <--XP<--vista
Double click on delfile.bat to execute it.
A black CMD window will flash, then disappear...this is normal.
The files and folders, if found...will have been deleted and the "delfile.bat" file will also be deleted.

The rest of the Online scan is only reporting backups created during the course of this fix C:\Qoobox\Quarantine\, and/or items located in System Restore's cache C:\System Volume Information\, Whatever is in these folders can't harm you unless you choose to perform a manual restore. the following steps will remove these backups.

Very well done!! This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are.

The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.

Any programs and logs that are left over you can just be deleted from the desktop. TFC is a free temp file cleaner that is very easy to use, I would keep this and use before you do any scans or when you want to free up some space.

:DeFogger:

DeFogger

The application window will appear
Click the Re-enable button to re-enable your CD Emulation drivers
Click Yes to continue
A 'Finished!' message will appear
Click OK
DeFogger will now ask to reboot the machine - click OK

:Uninstall ComboFix:

turn off all active protection software
push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
please copy and past the following into the box ComboFix /Uninstall and click OK.
Note the space between the X and the /Uninstall, it needs to be there.

:remove tools:

Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.

Double-click OTCleanIt.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.
If asked to restart the computer, please do so

Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

:Make your Internet Explorer more secure:

From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

:Make Firefox more secure:

How to Secure Firefox

Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector

:Turn On Automatic Updates:

Start

Run,

sysdm.cpl

ENTER

Automatic Updates

Automatic (recommended)

http://www.windowsupdate.com

:antispyware programs:

I would reccomend the download and installation of some or all of the following programs (all free), and the updating of them regularly:

WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
Spyware Blaster - By altering your registry, this program stops harmful sites from installing things like ActiveX Controls on your machines.
Malwarebytes' Anti-Malware Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
totally free but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recomend keeping it and using often.

Here is some great reading about how to be safer online:

PC Safety and Security - What Do I Need?

Tech Support Forum

COMPUTER SECURITY - a short guide to staying safer online

Malware Removal

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For About Three Days, If Anything Comes Up - Just Come Back And Let Me Know, after that time you will have to send me a PM

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->

<-- Don't worry every little bit helps.

Gringo