
Backdoor.Tidserv!inf


  • This topic is locked
23 replies to this topic

#1 Nick Saint

Nick Saint

  • Members
  • 14 posts
  • OFFLINE
  • Local time:08:51 PM

Posted 01 June 2010 - 12:59 PM

Hi

My laptop is currently infected with the Backdoor.Tidserv!inf trojan which is re-directing searches to money making web sites.

This has now been going on for a few days and I have recently posted my problems here.

I have now backed up my data and created the necessary logs which I have pasted and attached to this post.

I appreciate any further help or assistance,

Many thanks,

Nick


DDS (Ver_10-03-17.01) - NTFSx86
Run by Nick at 18:10:24.36 on 01/06/2010
Internet Explorer: 7.0.6002.18005
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3062.1894 [GMT 1:00]

SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Norton 360\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Norton 360\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtProc.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Nick\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.thetechguys.com/welcome
uDefault_Page_URL = hxxp://www.thetechguys.com/welcome
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\norton 360\engine\3.8.0.41\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\norton 360\engine\3.8.0.41\IPSBHO.DLL
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\norton 360\engine\3.8.0.41\coIEPlg.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [<NO NAME>]
mRun: [UpdateP2GShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\5.0"
mRun: [Skytel] Skytel.exe
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\norton 360\engine\3.8.0.41\CoIEPlg.dll
Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308000.029\SymEFA.sys [2010-5-13 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0308000.029\BHDrvx86.sys [2010-5-13 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0308000.029\cchpx86.sys [2010-5-13 482432]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100520.001\IDSvix86.sys [2009-10-28 343088]
R2 N360;Norton 360;c:\program files\norton 360\norton 360\engine\3.8.0.41\ccSvcHst.exe [2010-5-13 117640]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-5-26 1153368]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-27 102448]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\system32\drivers\n360\0308000.029\symndisv.sys [2010-5-13 48688]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]

=============== Created Last 30 ================

2010-06-01 17:03:06 20 ----a-w- c:\users\nick\defogger_reenable
2010-05-28 20:46:55 0 d-----r- c:\program files\Norton Support
2010-05-27 21:37:04 0 d-----w- c:\program files\VirtualDJ
2010-05-26 15:30:27 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-05-26 15:30:27 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-05-25 17:11:20 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-21 21:45:27 0 d-----w- C:\PFiles
2010-05-21 20:17:56 38 ----a-w- c:\windows\avisplitter.ini
2010-05-21 20:17:56 165376 ----a-w- c:\windows\system32\unrar.dll
2010-05-21 20:17:55 414 ----a-w- c:\windows\system32\lame_acm.xml
2010-05-21 20:17:54 839680 ----a-w- c:\windows\system32\lameACM.acm
2010-05-21 20:17:54 217088 ----a-w- c:\windows\system32\yv12vfw.dll
2010-05-21 20:17:54 151552 ----a-w- c:\windows\system32\ac3acm.acm
2010-05-21 20:17:53 881664 ----a-w- c:\windows\system32\xvidcore.dll
2010-05-21 20:17:53 205824 ----a-w- c:\windows\system32\xvidvfw.dll
2010-05-21 20:17:51 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2010-05-21 20:17:51 547 ----a-w- c:\windows\system32\ff_vfw.dll.manifest
2010-05-21 20:17:49 0 d-----w- c:\program files\K-Lite Codec Pack
2010-05-21 15:52:36 0 d-----w- c:\programdata\Apple Computer
2010-05-21 15:51:16 0 d-----w- c:\programdata\Apple
2010-05-19 23:38:14 249856 ------w- c:\windows\Setup1.exe
2010-05-19 23:38:12 73216 ----a-w- c:\windows\ST6UNST.EXE
2010-05-19 23:31:21 0 d-----w- c:\users\nick\appdata\roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2010-05-19 23:24:07 0 d-----w- c:\programdata\NOS
2010-05-18 16:51:20 0 d-----w- c:\program files\Windows Portable Devices
2010-05-18 06:20:07 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2010-05-18 06:20:04 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2010-05-18 06:20:04 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2010-05-18 06:18:21 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2010-05-18 06:16:52 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2010-05-18 06:16:51 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2010-05-18 06:16:51 234496 ----a-w- c:\windows\system32\oleacc.dll
2010-05-18 03:02:54 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-05-18 03:02:54 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-05-18 03:02:54 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-05-17 22:05:09 0 d-----w- c:\windows\system32\eu-ES
2010-05-17 22:05:09 0 d-----w- c:\windows\system32\ca-ES
2010-05-17 22:05:08 0 d-----w- c:\windows\system32\vi-VN
2010-05-17 09:53:51 0 d-----w- c:\windows\system32\EventProviders
2010-05-16 21:09:05 0 d-----w- c:\program files\Xiph.Org
2010-05-16 17:33:53 0 d-----w- c:\program files\Recycle
2010-05-16 17:33:12 331263 ----a-w- c:\windows\LOOP.exe
2010-05-16 05:30:01 12240896 ----a-w- c:\windows\system32\NlsLexicons0007.dll
2010-05-16 05:28:59 618496 ----a-w- c:\windows\system32\mswstr10.dll
2010-05-16 05:27:59 980 ----a-w- c:\windows\system32\wbem\WmiPerfInst.mof
2010-05-15 20:45:57 368640 ----a-w- c:\windows\system32\ReWire.dll
2010-05-15 20:45:57 233472 ------w- c:\windows\system32\REX Shared Library.dll
2010-05-15 20:37:53 0 d-----w- c:\programdata\Propellerhead Software
2010-05-15 19:31:01 497664 ----a-w- c:\windows\system32\ac3filter.acm
2010-05-15 18:33:35 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-05-15 18:33:10 0 d-----w- c:\program files\DAEMON Tools Lite
2010-05-15 18:31:58 0 d-----w- c:\users\nick\appdata\roaming\DAEMON Tools Lite
2010-05-15 18:31:50 0 d-----w- c:\programdata\DAEMON Tools Lite
2010-05-15 18:03:38 0 d-----w- c:\windows\pss
2010-05-14 00:20:57 0 d-----w- c:\programdata\Symantec
2010-05-14 00:11:04 41984 ----a-w- c:\windows\system32\netfxperf.dll
2010-05-13 20:55:29 0 d-----w- c:\program files\common files\PX Storage Engine
2010-05-13 20:55:05 0 d-----w- c:\program files\common files\DivX Shared
2010-05-13 20:50:35 0 d-----w- c:\programdata\DivX
2010-05-13 20:46:24 0 d-----w- c:\program files\common files\xing shared
2010-05-13 20:46:02 0 d-----w- c:\program files\common files\Real
2010-05-13 20:46:01 0 d-----w- c:\programdata\Real
2010-05-13 09:43:32 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-05-13 09:43:32 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2010-05-13 09:43:29 25648 ----a-r- c:\windows\system32\drivers\SymIMV.sys
2010-05-13 09:43:25 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-05-13 09:43:25 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-05-13 09:43:25 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-05-13 09:43:09 0 d-----w- c:\program files\common files\Symantec Shared
2010-05-13 09:42:33 0 d-----w- c:\windows\system32\drivers\N360
2010-05-13 09:42:30 0 d-----w- c:\programdata\Norton
2010-05-13 09:41:25 0 d-----w- c:\programdata\NortonInstaller
2010-05-13 09:39:06 56 ---ha-w- c:\programdata\ezsidmv.dat
2010-05-13 09:38:05 0 d-----w- c:\programdata\Skype
2010-05-13 08:45:46 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-05-13 00:22:49 18904 ----a-w- c:\windows\system32\StructuredQuerySchemaTrivial.bin
2010-05-13 00:22:47 11967524 ----a-w- c:\windows\system32\korwbrkr.lex
2010-05-13 00:15:32 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-05-13 00:15:31 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-05-13 00:15:31 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-05-12 09:23:11 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-05-12 09:23:11 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-12 09:23:11 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-12 09:23:11 23552 ----a-w- c:\windows\system32\lpk.dll
2010-05-12 09:23:11 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-05-12 09:23:11 10240 ----a-w- c:\windows\system32\dciman32.dll
2010-05-12 09:23:07 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-05-12 09:23:06 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-05-12 09:21:25 623616 ----a-w- c:\windows\system32\localspl.dll
2010-05-12 09:20:53 2036736 ----a-w- c:\windows\system32\win32k.sys
2010-05-12 09:12:19 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-11 23:42:53 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-05-11 23:42:52 98304 ----a-w- c:\windows\system32\cabview.dll
2010-05-11 23:38:28 2421760 ----a-w- c:\windows\system32\wucltux.dll
2010-05-11 23:38:18 87552 ----a-w- c:\windows\system32\wudriver.dll
2010-05-11 23:38:09 33792 ----a-w- c:\windows\system32\wuapp.exe
2010-05-11 23:38:09 171608 ----a-w- c:\windows\system32\wuwebv.dll
2010-05-11 23:34:14 0 d-----w- c:\programdata\Adobe
2010-05-11 22:09:05 12 ----a-w- c:\windows\bthservsdp.dat

==================== Find3M ====================

2010-05-18 16:51:04 51200 ----a-w- c:\windows\inf\infpub.dat
2010-05-18 16:51:03 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-05-18 16:50:59 86016 ----a-w- c:\windows\inf\infstor.dat
2010-05-18 16:50:59 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-05-17 10:02:50 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2010-05-13 20:46:06 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-03-09 16:25:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-09 15:42:17 834048 ----a-w- c:\windows\system32\wininet.dll
2010-03-08 17:59:18 94208 ----a-w- c:\windows\system32\dpl100.dll
2010-03-04 17:33:45 430080 ----a-w- c:\windows\system32\vbscript.dll
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2008-04-21 14:46:25 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 18:11:29.16 ===============


Thanks again =)
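As an added example (not code from this thread, from BleepingComputer or from the DDS tool), here is a small Python triage script that splits a DDS log like the one above into its banner sections and flags the entries a log reviewer checks first: browser extensions that resolve to "No File", unnamed Run entries, the browser start page, and executables created directly under c:\windows in the last 30 days. The sample log is a constructed excerpt of the log in this post, and the category names are my own.

```python
import re
from collections import defaultdict

# Section banner as DDS prints it, e.g. "============== Pseudo HJT Report ==============="
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# One "Created Last 30" entry: date, time, size, 8-character attribute field, path.
# (ComboFix's file listing has an extra timestamp column and is not handled here.)
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)

# Constructed excerpt of the DDS log posted in this thread (not the full log).
SAMPLE_LOG = r"""
DDS (Ver_10-03-17.01) - NTFSx86
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Program Files\Opera\opera.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.thetechguys.com/welcome
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: 1 (0x1) - No File
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [<NO NAME>]
=============== Created Last 30 ================
2010-06-01 17:03:06 20 ----a-w- c:\users\nick\defogger_reenable
2010-05-19 23:38:14 249856 ------w- c:\windows\Setup1.exe
2010-05-19 23:38:12 73216 ----a-w- c:\windows\ST6UNST.EXE
2010-05-16 17:33:12 331263 ----a-w- c:\windows\LOOP.exe
2010-05-15 18:33:35 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-05-13 20:55:29 0 d-----w- c:\program files\common files\PX Storage Engine
============= FINISH: 18:11:29.16 ===============
"""


def split_sections(text):
    """Group the log's non-empty lines under their '==== name ====' banners."""
    sections = defaultdict(list)
    current = "header"  # lines before the first banner (DDS version, OS, AV status)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        sections[current].append(line)
    return sections


def windows_root_executable(path):
    """True for a binary sitting directly in c:\\windows rather than a subfolder.

    Legitimate Windows binaries live in system32 and friends; a fresh .exe in the
    root of c:\\windows is worth a second look, though not proof of anything.
    """
    p = path.lower()
    prefix = "c:\\windows\\"
    if not p.startswith(prefix) or "\\" in p[len(prefix):]:
        return False
    return p.endswith((".exe", ".dll", ".sys", ".scr"))


def triage(text):
    """Return a list of (category, detail) findings for a DDS log."""
    sections = split_sections(text)
    findings = []
    for line in sections.get("Pseudo HJT Report", []):
        if line.startswith(("BHO:", "TB:")) and line.endswith("- No File"):
            # A CLSID registered as a browser helper whose DLL no longer exists:
            # leftover from an uninstall or from a removal, either way dead weight.
            findings.append(("orphaned-browser-extension", line))
        elif line.startswith(("uRun:", "mRun:")) and "[<NO NAME>]" in line:
            findings.append(("unnamed-autostart", line))
        elif line.startswith(("uStart Page", "uDefault_Page_URL")):
            # DDS defangs URLs as hxxp; report the start page for a manual check.
            findings.append(("browser-start-page", line))
    for line in sections.get("Created Last 30", []):
        m = CREATED_RE.match(line)
        if not m:
            continue
        is_directory = m["attrs"].startswith("d")
        if not is_directory and windows_root_executable(m["path"]):
            findings.append(("new-file-in-windows-root", m["path"]))
    return findings


def count_by_category(findings):
    """Summarise findings as {category: count}."""
    counts = defaultdict(int)
    for category, _ in findings:
        counts[category] += 1
    return dict(counts)


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:28} {detail}")
```

The script only surfaces candidates; each flagged path still needs a manual look (publisher signature, file age, what installed it) before anything is removed.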


#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:51 PM

Posted 02 June 2010 - 03:09 PM

Hello.

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We are going to start with Combofix here.

Download and Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2

Please refer to this page for full instructions on how to run ComboFix.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.
Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouse-click ComboFix's window while it's running, because it may cause it to stall.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 Nick Saint

Nick Saint
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:08:51 PM

Posted 02 June 2010 - 06:02 PM

Hi EB,

I have run ComboFix and have included the log below. One thing worth mentioning, however, is that upon restarting my laptop Spybot reports an important registry entry having been changed. Is this a result of ComboFix or maybe something more sinister? It states:

Category: System Startup user entry
Change: Value added
Entry: NoDrives
New data: 0

I have allowed the registry change just in case it is something that ComboFix has done. If, however, it is not, then should I run the .exe again?

Thanks for your time and kind help, here is the requested log.

Regards,

Nick


ComboFix 10-06-02.01 - Nick 02/06/2010 23:29:06.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3062.1971 [GMT 1:00]
Running from: c:\users\Nick\Desktop\ComboFix.exe
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-05-02 to 2010-06-02 )))))))))))))))))))))))))))))))
.

2010-06-02 22:34 . 2010-06-02 22:34 -------- d-----w- c:\users\Nick\AppData\Local\temp
2010-06-02 22:34 . 2010-06-02 22:34 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-28 20:46 . 2010-05-28 20:46 -------- d-----r- c:\program files\Norton Support
2010-05-28 20:25 . 2010-05-28 20:25 1 ----a-w- c:\users\Nick\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-05-27 21:37 . 2010-05-27 21:37 -------- d-----w- c:\program files\VirtualDJ
2010-05-26 15:30 . 2010-05-26 16:14 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-05-26 15:30 . 2010-05-26 15:30 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-25 17:11 . 2010-04-23 14:13 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-21 21:45 . 2010-05-21 21:45 -------- d-----w- C:\PFiles
2010-05-21 20:19 . 2010-05-21 20:20 -------- d-----w- c:\users\Nick\AppData\Roaming\Media Player Classic
2010-05-21 20:17 . 2010-03-15 09:31 165376 ----a-w- c:\windows\system32\unrar.dll
2010-05-21 20:17 . 2004-01-25 16:18 217088 ----a-w- c:\windows\system32\yv12vfw.dll
2010-05-21 20:17 . 2009-05-29 21:37 205824 ----a-w- c:\windows\system32\xvidvfw.dll
2010-05-21 20:17 . 2009-05-29 21:31 881664 ----a-w- c:\windows\system32\xvidcore.dll
2010-05-21 20:17 . 2010-04-16 18:00 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2010-05-21 20:17 . 2010-05-21 20:18 -------- d-----w- c:\program files\K-Lite Codec Pack
2010-05-21 16:03 . 2010-05-21 16:03 -------- d-----w- c:\users\Nick\AppData\Roaming\Apple Computer
2010-05-21 15:52 . 2010-05-21 15:52 -------- d-----w- c:\programdata\Apple Computer
2010-05-21 15:51 . 2010-05-21 15:51 -------- d-----w- c:\program files\Common Files\Apple
2010-05-21 15:51 . 2010-05-21 15:51 -------- d-----w- c:\programdata\Apple
2010-05-19 23:38 . 2010-05-28 20:15 249856 ------w- c:\windows\Setup1.exe
2010-05-19 23:38 . 2010-05-28 20:14 73216 ----a-w- c:\windows\ST6UNST.EXE
2010-05-19 23:31 . 2010-05-19 23:31 -------- d-----w- c:\users\Nick\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2010-05-19 23:27 . 2010-02-01 01:45 38784 ----a-w- c:\users\Nick\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-05-19 23:27 . 2010-02-01 01:45 38784 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-05-19 23:27 . 2010-05-19 23:27 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-05-19 23:24 . 2010-05-19 23:24 86016 ----a-w- c:\programdata\NOS\Adobe_Downloads\arh.exe
2010-05-19 23:24 . 2010-05-19 23:51 -------- d-----w- c:\programdata\NOS
2010-05-18 16:51 . 2010-05-18 16:51 -------- d-----w- c:\program files\Windows Portable Devices
2010-05-18 06:20 . 2009-09-10 02:00 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2010-05-18 06:20 . 2009-09-10 02:01 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2010-05-18 06:20 . 2009-09-10 02:00 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2010-05-18 06:18 . 2009-10-01 01:02 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2010-05-18 06:18 . 2009-10-01 01:02 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2010-05-18 06:18 . 2009-10-01 01:01 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2010-05-18 06:18 . 2009-10-01 01:01 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2010-05-18 06:18 . 2009-10-01 01:02 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2010-05-18 06:18 . 2009-10-01 01:02 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2010-05-18 06:18 . 2009-10-01 01:01 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2010-05-18 06:18 . 2009-10-01 01:02 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2010-05-18 06:18 . 2009-10-01 01:01 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2010-05-18 06:18 . 2009-10-01 01:01 350208 ----a-w- c:\windows\system32\WPDSp.dll
2010-05-18 06:18 . 2009-10-01 01:01 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2010-05-18 06:18 . 2009-10-01 01:01 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2010-05-18 06:16 . 2009-10-08 21:07 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2010-05-18 06:16 . 2009-10-08 21:08 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2010-05-18 06:16 . 2009-10-08 21:08 234496 ----a-w- c:\windows\system32\oleacc.dll
2010-05-18 03:02 . 2010-01-06 15:39 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-05-18 03:02 . 2010-01-06 15:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-05-18 03:02 . 2010-01-06 13:30 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-05-17 22:05 . 2010-05-17 22:05 -------- d-----w- c:\windows\system32\ca-ES
2010-05-17 22:05 . 2010-05-17 22:05 -------- d-----w- c:\windows\system32\eu-ES
2010-05-17 22:05 . 2010-05-17 22:05 -------- d-----w- c:\windows\system32\vi-VN
2010-05-17 09:53 . 2010-05-17 09:53 -------- d-----w- c:\windows\system32\EventProviders
2010-05-16 21:09 . 2010-05-16 21:09 -------- d-----w- c:\program files\Xiph.Org
2010-05-16 17:33 . 2010-05-16 17:33 -------- d-----w- c:\program files\Recycle
2010-05-16 17:33 . 2004-02-07 00:48 331263 ----a-w- c:\windows\LOOP.exe
2010-05-16 05:30 . 2009-04-11 05:03 12240896 ----a-w- c:\windows\system32\NlsLexicons0007.dll
2010-05-16 05:28 . 2009-04-11 06:28 56320 ----a-w- c:\windows\system32\xmlfilter.dll
2010-05-16 05:27 . 2009-04-11 06:22 7168 ----a-w- c:\windows\system32\f3ahvoas.dll
2010-05-16 05:27 . 2009-04-11 04:27 2560 ----a-w- c:\windows\system32\msimsg.dll
2010-05-16 05:27 . 2009-04-11 06:28 83968 ----a-w- c:\windows\system32\wbem\wmiutils.dll
2010-05-16 05:27 . 2009-04-11 06:28 744448 ----a-w- c:\windows\system32\wbem\wbemcore.dll
2010-05-16 05:27 . 2009-04-11 06:28 30208 ----a-w- c:\windows\system32\wbem\wbemprox.dll
2010-05-16 05:27 . 2009-04-11 06:28 265728 ----a-w- c:\windows\system32\wbem\repdrvfs.dll
2010-05-16 05:27 . 2009-04-11 06:28 189440 ----a-w- c:\windows\system32\wbem\mofd.dll
2010-05-16 05:27 . 2009-04-11 06:28 614912 ----a-w- c:\windows\system32\wbem\fastprox.dll
2010-05-16 05:27 . 2009-04-11 06:28 265728 ----a-w- c:\windows\system32\wbem\esscli.dll
2010-05-16 05:27 . 2009-04-11 06:28 705536 ----a-w- c:\windows\system32\SmiEngine.dll
2010-05-16 05:27 . 2009-04-11 06:28 218624 ----a-w- c:\windows\system32\wdscore.dll
2010-05-16 05:27 . 2009-04-11 06:27 130560 ----a-w- c:\windows\system32\PkgMgr.exe
2010-05-16 05:27 . 2009-04-11 06:28 247808 ----a-w- c:\windows\system32\drvstore.dll
2010-05-15 20:45 . 2010-05-15 20:45 368640 ----a-w- c:\windows\system32\ReWire.dll
2010-05-15 20:45 . 2010-05-15 20:45 233472 ------w- c:\windows\system32\REX Shared Library.dll
2010-05-15 20:37 . 2010-05-16 17:34 -------- d-----w- c:\programdata\Propellerhead Software
2010-05-15 18:33 . 2010-05-15 18:33 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-05-15 18:33 . 2010-05-15 18:33 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-05-15 18:31 . 2010-05-15 18:45 -------- d-----w- c:\users\Nick\AppData\Roaming\DAEMON Tools Lite
2010-05-15 18:31 . 2010-05-15 18:32 -------- d-----w- c:\programdata\DAEMON Tools Lite
2010-05-14 00:20 . 2010-05-14 00:20 -------- d-----w- c:\programdata\Symantec
2010-05-14 00:11 . 2008-07-27 18:03 41984 ----a-w- c:\windows\system32\netfxperf.dll
2010-05-13 21:01 . 2010-05-13 21:01 57344 ----a-w- c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-05-13 20:50 . 2010-05-16 21:46 -------- d-----w- c:\programdata\DivX
2010-05-13 09:43 . 2010-05-13 09:42 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-05-13 09:43 . 2010-05-13 09:42 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2010-05-13 09:43 . 2010-05-13 09:43 -------- dc----w- c:\windows\system32\DRVSTORE
2010-05-13 09:43 . 2010-05-13 09:42 25648 ----a-r- c:\windows\system32\drivers\SymIMV.sys
2010-05-13 09:43 . 2010-05-13 09:43 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-05-13 09:43 . 2010-05-14 00:29 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-05-13 09:42 . 2010-05-15 09:48 -------- d-----w- c:\windows\system32\drivers\N360
2010-05-13 09:42 . 2010-05-13 09:42 -------- d-----w- c:\programdata\Norton
2010-05-13 09:41 . 2010-05-13 09:41 -------- d-----w- c:\programdata\NortonInstaller
2010-05-13 09:38 . 2010-05-13 09:38 -------- d-----w- c:\program files\Common Files\Skype
2010-05-13 09:38 . 2010-05-13 09:38 -------- d-----w- c:\programdata\Skype
2010-05-13 09:17 . 2010-05-13 09:17 -------- d-----w- c:\windows\system32\Macromed
2010-05-13 08:45 . 2010-02-12 10:48 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-05-13 00:22 . 2008-05-27 04:59 18904 ----a-w- c:\windows\system32\StructuredQuerySchemaTrivial.bin
2010-05-13 00:15 . 2010-02-20 23:06 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-05-13 00:15 . 2010-02-20 23:05 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-05-13 00:15 . 2010-02-20 20:53 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-05-12 09:23 . 2009-10-19 13:38 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-05-12 09:23 . 2009-10-19 13:35 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-05-12 09:23 . 2009-06-15 14:52 23552 ----a-w- c:\windows\system32\lpk.dll
2010-05-12 09:23 . 2009-06-15 14:51 10240 ----a-w- c:\windows\system32\dciman32.dll
2010-05-12 09:23 . 2009-06-15 12:42 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-12 09:23 . 2009-04-11 06:28 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-12 09:23 . 2009-12-11 11:43 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-05-12 09:23 . 2009-12-11 11:43 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-05-12 09:21 . 2009-04-23 12:14 623616 ----a-w- c:\windows\system32\localspl.dll
2010-05-12 09:20 . 2009-08-14 13:27 2036736 ----a-w- c:\windows\system32\win32k.sys
2010-05-12 09:12 . 2010-05-06 09:36 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-11 23:42 . 2009-12-23 11:33 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-05-11 23:42 . 2010-01-13 17:34 98304 ----a-w- c:\windows\system32\cabview.dll
2010-05-11 23:38 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2.dll
2010-05-11 23:38 . 2009-08-07 02:24 53472 ----a-w- c:\windows\system32\wuauclt.exe
2010-05-11 23:38 . 2009-08-07 02:23 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2010-05-11 23:38 . 2009-08-07 01:45 2421760 ----a-w- c:\windows\system32\wucltux.dll
2010-05-11 23:38 . 2009-08-07 02:24 35552 ----a-w- c:\windows\system32\wups.dll
2010-05-11 23:38 . 2009-08-07 02:23 575704 ----a-w- c:\windows\system32\wuapi.dll
2010-05-11 23:38 . 2009-08-07 01:44 87552 ----a-w- c:\windows\system32\wudriver.dll
2010-05-11 23:38 . 2009-08-06 18:23 171608 ----a-w- c:\windows\system32\wuwebv.dll
2010-05-11 23:38 . 2009-08-06 17:44 33792 ----a-w- c:\windows\system32\wuapp.exe
2010-05-11 23:35 . 2010-05-28 20:17 76904 ----a-w- c:\users\Nick\AppData\Local\GDIPFONTCACHEV1.DAT
2010-05-11 23:34 . 2010-05-12 09:21 -------- d-----w- c:\users\Nick\AppData\Local\VirtualStore
2010-05-11 23:34 . 2010-05-23 20:10 -------- d-----w- c:\users\Nick\AppData\Local\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-02 22:18 . 2010-04-26 15:09 -------- d-----w- c:\users\Nick\AppData\Roaming\Skype
2010-06-02 21:27 . 2010-04-26 15:12 -------- d-----w- c:\users\Nick\AppData\Roaming\skypePM
2010-05-29 13:23 . 2009-01-15 00:07 -------- d-----w- c:\users\Nick\AppData\Roaming\uTorrent
2010-05-29 13:23 . 2008-05-30 19:29 -------- d-----w- c:\program files\Microsoft Works
2010-05-21 15:52 . 2010-04-21 00:04 -------- d-----w- c:\program files\QuickTime
2010-05-21 15:51 . 2009-03-07 14:50 -------- d-----w- c:\program files\Apple Software Update
2010-05-18 16:51 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-05-17 22:05 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-05-17 22:05 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-05-17 22:05 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2010-05-17 22:05 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2010-05-17 22:05 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-05-17 22:05 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-17 22:05 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-05-16 17:34 . 2008-10-16 19:06 -------- d-----w- c:\users\Nick\AppData\Roaming\Propellerhead Software
2010-05-15 19:31 . 2010-01-08 00:26 -------- d-----w- c:\program files\AC3Filter
2010-05-15 19:15 . 2009-01-04 18:10 -------- d-----w- c:\program files\OpenOffice.org 3
2010-05-15 18:48 . 2009-01-15 00:07 -------- d-----w- c:\program files\uTorrent
2010-05-14 00:07 . 2009-01-15 20:43 -------- d-----w- c:\users\Nick\AppData\Roaming\DivX
2010-05-13 20:46 . 2010-05-13 20:46 49152 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-05-13 20:46 . 2010-05-13 20:46 45056 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-05-13 20:46 . 2010-05-13 20:46 45056 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-05-13 20:46 . 2010-05-13 20:46 45056 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-05-13 20:46 . 2010-05-13 20:46 45056 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-05-13 20:46 . 2010-05-13 20:46 40960 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-05-13 20:46 . 2010-05-13 20:46 308808 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-05-13 20:46 . 2010-05-13 20:46 14848 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-05-13 20:46 . 2010-05-13 20:46 341600 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-05-13 20:46 . 2010-05-13 20:46 -------- d-----w- c:\program files\Common Files\Real
2010-05-13 20:46 . 2009-01-15 11:02 -------- d-----w- c:\program files\Real
2010-05-13 20:46 . 2010-05-13 20:46 -------- d-----w- c:\program files\Common Files\xing shared
2010-05-13 20:46 . 2008-05-30 19:26 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-05-13 09:43 . 2010-01-06 14:05 -------- d-----w- c:\program files\Symantec
2010-05-13 09:43 . 2010-05-13 09:43 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-05-13 09:43 . 2010-05-13 09:43 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-05-13 09:42 . 2010-01-06 14:04 -------- d-----w- c:\program files\Norton 360
2010-05-13 09:39 . 2010-05-13 09:39 56 ---ha-w- c:\programdata\ezsidmv.dat
2010-05-13 09:38 . 2010-04-26 15:09 -------- d-----r- c:\program files\Skype
2010-05-13 08:53 . 2009-09-05 08:38 -------- d-----w- c:\program files\Opera
2010-05-12 09:21 . 2008-05-30 19:22 -------- d-----w- c:\program files\Windows Live
2010-05-12 09:21 . 2008-05-30 18:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-02 13:20 . 2010-05-02 13:20 -------- d-----w- c:\users\Nick\AppData\Roaming\Toshiba
2010-04-30 19:50 . 2009-01-06 21:16 -------- d-----w- c:\program files\Microsoft Silverlight
2010-04-30 13:51 . 2010-04-30 13:47 -------- d-----w- c:\program files\Microsoft ATS
2010-04-30 10:23 . 2010-04-30 10:23 -------- d-----w- c:\program files\Toshiba
2010-04-15 09:32 . 2010-01-03 21:15 -------- d-----w- c:\program files\Google
2010-03-09 16:25 . 2010-05-12 09:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-09 15:42 . 2010-05-12 09:21 834048 ----a-w- c:\windows\system32\wininet.dll
2010-03-08 17:59 . 2010-03-08 17:59 94208 ----a-w- c:\windows\system32\dpl100.dll
2008-04-21 14:46 . 2008-04-21 14:46 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-10 4468736]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-03-23 857648]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-04 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-04 154392]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-04 133912]
"UpdateP2GShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-01-04 222504]
"Skytel"="Skytel.exe" [2007-05-07 1826816]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-28 75136]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2008-4-14 2979144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-02 18:05 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-04-12 22:46 1135912 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-17 20:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder_MUI]
2008-04-16 11:12 1081344 ----a-w- c:\applications\OEM\Reminder\Reminder_MUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-05-07 09:13 26211624 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpareMessaging]
2007-11-28 15:43 42824 ----a-w- c:\program files\Spare Messaging\MessagingApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-05-13 20:46 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(B):5a,ab,5e,fd,0d,f6,ca,01

R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-05-15 691696]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SYMEFA.SYS [2010-05-13 310320]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\Drivers\N360\0308000.029\BHDrvx86.sys [2010-05-13 259632]
S1 ccHP;Symantec Hash Provider;c:\windows\System32\Drivers\N360\0308000.029\ccHPx86.sys [2010-05-13 482432]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20100528.003\IDSvix86.sys [2010-05-28 344112]
S2 N360;Norton 360;c:\program files\Norton 360\Norton 360\Engine\3.8.0.41\ccSvcHst.exe [2010-05-13 117640]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-05-26 102448]
S3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\Drivers\N360\0308000.029\SYMNDISV.SYS [2010-05-13 48688]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-06-02 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 10:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.thetechguys.com/welcome
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: {{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Norton 360\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Norton 360\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(4424)
c:\windows\system32\authui.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2010-06-02 23:38:33
ComboFix-quarantined-files.txt 2010-06-02 22:38

Pre-Run: 53,747,720,192 bytes free
Post-Run: 53,755,707,392 bytes free

- - End Of File - - 0F3D52A93CC5B540D5A1781FF02C1831


#4 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 02 June 2010 - 07:45 PM

Hello.

QUOTE
I have run ComboFix and have included the log below. One thing worth mentioning however is that upon restarting my laptop Spybot reports an important registry entry having been changed. Is this a result of ComboFix or maybe something more sinister? It states Category: System Startup user entry Change: Value added Entry : NoDrives New data: 0 I have allowed the registry change just in case it is something that ComboFix has done. If however it is not then should I run the .exe again?

I wouldn't worry about that. Nothing major or bad.


Can you run GMER once more for me. Post the log once done.

Then, please proceed with running Malwarebytes...

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#5 Nick Saint

  • Topic Starter
  • Members
  • 14 posts

Posted 03 June 2010 - 03:39 PM

Hi EB,

Here is the GMER log as requested. System seems to be slightly better (not had a single re-direct as yet) however Norton still warns of Backdoor.Tidserv!inf being present.

I am about to run MalwareBytes so will post further results after it's done.

Thanks again for your time and much appreciated help,

Regards,

Nick

Attached Files

  • Attached File  ark.txt   10.21KB   9 downloads


#6 Nick Saint

  • Topic Starter
  • Members
  • 14 posts

Posted 03 June 2010 - 04:08 PM

Hi EB,

Here are all the other logs you have requested. Hopefully now all clear and done away with this trojan.

If there is anything else I need to do please let me know, though I am currently in the middle of moving house so may not be able to act on any requests for a day or so.

Here is the MalWareBytes Log

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4168

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

03/06/2010 21:52:37
mbam-log-2010-06-03 (21-52-37).txt

Scan type: Quick scan
Objects scanned: 125823
Time elapsed: 4 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



DDS (Ver_10-03-17.01) - NTFSx86
Run by Nick at 22:00:06.90 on 03/06/2010
Internet Explorer: 7.0.6002.18005
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3062.1459 [GMT 1:00]

SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Norton 360\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Norton 360\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtProc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Opera\opera.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Nick\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.thetechguys.com/welcome
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\norton 360\engine\3.8.0.41\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\norton 360\engine\3.8.0.41\IPSBHO.DLL
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\norton 360\engine\3.8.0.41\coIEPlg.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [UpdateP2GShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\5.0"
mRun: [Skytel] Skytel.exe
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\norton 360\engine\3.8.0.41\CoIEPlg.dll
Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308000.029\SymEFA.sys [2010-5-13 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0308000.029\BHDrvx86.sys [2010-5-13 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0308000.029\cchpx86.sys [2010-5-13 482432]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100528.003\IDSvix86.sys [2010-5-28 344112]
R2 N360;Norton 360;c:\program files\norton 360\norton 360\engine\3.8.0.41\ccSvcHst.exe [2010-5-13 117640]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-5-26 1153368]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-27 102448]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\system32\drivers\n360\0308000.029\symndisv.sys [2010-5-13 48688]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]

=============== Created Last 30 ================

2010-06-03 20:47:15 0 d-----w- c:\users\nick\appdata\roaming\Malwarebytes
2010-06-03 20:47:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-03 20:47:00 0 d-----w- c:\programdata\Malwarebytes
2010-06-03 20:46:59 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-03 20:46:59 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-02 22:38:04 0 d-sh--w- C:\$RECYCLE.BIN
2010-06-02 22:27:21 98816 ----a-w- c:\windows\sed.exe
2010-06-02 22:27:21 77312 ----a-w- c:\windows\MBR.exe
2010-06-02 22:27:21 256512 ----a-w- c:\windows\PEV.exe
2010-06-02 22:27:21 161792 ----a-w- c:\windows\SWREG.exe
2010-06-02 22:27:16 0 d-----w- C:\ComboFix
2010-06-01 17:03:06 20 ----a-w- c:\users\nick\defogger_reenable
2010-05-28 20:46:55 0 d-----r- c:\program files\Norton Support
2010-05-27 21:37:04 0 d-----w- c:\program files\VirtualDJ
2010-05-26 15:30:27 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-05-26 15:30:27 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-05-25 17:11:20 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-21 21:45:27 0 d-----w- C:\PFiles
2010-05-21 20:17:56 38 ----a-w- c:\windows\avisplitter.ini
2010-05-21 20:17:56 165376 ----a-w- c:\windows\system32\unrar.dll
2010-05-21 20:17:55 414 ----a-w- c:\windows\system32\lame_acm.xml
2010-05-21 20:17:54 839680 ----a-w- c:\windows\system32\lameACM.acm
2010-05-21 20:17:54 217088 ----a-w- c:\windows\system32\yv12vfw.dll
2010-05-21 20:17:54 151552 ----a-w- c:\windows\system32\ac3acm.acm
2010-05-21 20:17:53 881664 ----a-w- c:\windows\system32\xvidcore.dll
2010-05-21 20:17:53 205824 ----a-w- c:\windows\system32\xvidvfw.dll
2010-05-21 20:17:51 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2010-05-21 20:17:51 547 ----a-w- c:\windows\system32\ff_vfw.dll.manifest
2010-05-21 20:17:49 0 d-----w- c:\program files\K-Lite Codec Pack
2010-05-21 15:52:36 0 d-----w- c:\programdata\Apple Computer
2010-05-21 15:51:16 0 d-----w- c:\programdata\Apple
2010-05-19 23:38:14 249856 ------w- c:\windows\Setup1.exe
2010-05-19 23:38:12 73216 ----a-w- c:\windows\ST6UNST.EXE
2010-05-19 23:31:21 0 d-----w- c:\users\nick\appdata\roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2010-05-19 23:24:07 0 d-----w- c:\programdata\NOS
2010-05-18 16:51:20 0 d-----w- c:\program files\Windows Portable Devices
2010-05-18 06:20:07 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2010-05-18 06:20:04 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2010-05-18 06:20:04 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2010-05-18 06:18:21 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2010-05-18 06:16:52 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2010-05-18 06:16:51 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2010-05-18 06:16:51 234496 ----a-w- c:\windows\system32\oleacc.dll
2010-05-18 03:02:54 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-05-18 03:02:54 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-05-18 03:02:54 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-05-17 22:05:09 0 d-----w- c:\windows\system32\eu-ES
2010-05-17 22:05:09 0 d-----w- c:\windows\system32\ca-ES
2010-05-17 22:05:08 0 d-----w- c:\windows\system32\vi-VN
2010-05-17 09:53:51 0 d-----w- c:\windows\system32\EventProviders
2010-05-16 21:09:05 0 d-----w- c:\program files\Xiph.Org
2010-05-16 17:33:53 0 d-----w- c:\program files\Recycle
2010-05-16 17:33:12 331263 ----a-w- c:\windows\LOOP.exe
2010-05-16 05:30:01 12240896 ----a-w- c:\windows\system32\NlsLexicons0007.dll
2010-05-16 05:28:59 618496 ----a-w- c:\windows\system32\mswstr10.dll
2010-05-16 05:27:59 980 ----a-w- c:\windows\system32\wbem\WmiPerfInst.mof
2010-05-15 20:45:57 368640 ----a-w- c:\windows\system32\ReWire.dll
2010-05-15 20:45:57 233472 ------w- c:\windows\system32\REX Shared Library.dll
2010-05-15 20:37:53 0 d-----w- c:\programdata\Propellerhead Software
2010-05-15 19:31:01 497664 ----a-w- c:\windows\system32\ac3filter.acm
2010-05-15 18:33:35 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-05-15 18:33:10 0 d-----w- c:\program files\DAEMON Tools Lite
2010-05-15 18:31:58 0 d-----w- c:\users\nick\appdata\roaming\DAEMON Tools Lite
2010-05-15 18:31:50 0 d-----w- c:\programdata\DAEMON Tools Lite
2010-05-15 18:03:38 0 d-----w- c:\windows\pss
2010-05-14 00:20:57 0 d-----w- c:\programdata\Symantec
2010-05-14 00:11:04 41984 ----a-w- c:\windows\system32\netfxperf.dll
2010-05-13 20:55:29 0 d-----w- c:\program files\common files\PX Storage Engine
2010-05-13 20:55:05 0 d-----w- c:\program files\common files\DivX Shared
2010-05-13 20:50:35 0 d-----w- c:\programdata\DivX
2010-05-13 20:46:24 0 d-----w- c:\program files\common files\xing shared
2010-05-13 20:46:02 0 d-----w- c:\program files\common files\Real
2010-05-13 20:46:01 0 d-----w- c:\programdata\Real
2010-05-13 09:43:32 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-05-13 09:43:32 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2010-05-13 09:43:29 25648 ----a-r- c:\windows\system32\drivers\SymIMV.sys
2010-05-13 09:43:25 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-05-13 09:43:25 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-05-13 09:43:25 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-05-13 09:43:09 0 d-----w- c:\program files\common files\Symantec Shared
2010-05-13 09:42:33 0 d-----w- c:\windows\system32\drivers\N360
2010-05-13 09:42:30 0 d-----w- c:\programdata\Norton
2010-05-13 09:41:25 0 d-----w- c:\programdata\NortonInstaller
2010-05-13 09:39:06 56 ---ha-w- c:\programdata\ezsidmv.dat
2010-05-13 09:38:05 0 d-----w- c:\programdata\Skype
2010-05-13 08:45:46 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-05-13 00:22:49 18904 ----a-w- c:\windows\system32\StructuredQuerySchemaTrivial.bin
2010-05-13 00:22:47 11967524 ----a-w- c:\windows\system32\korwbrkr.lex
2010-05-13 00:15:32 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-05-13 00:15:31 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-05-13 00:15:31 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-05-12 09:23:11 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-05-12 09:23:11 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-12 09:23:11 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-12 09:23:11 23552 ----a-w- c:\windows\system32\lpk.dll
2010-05-12 09:23:11 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-05-12 09:23:11 10240 ----a-w- c:\windows\system32\dciman32.dll
2010-05-12 09:23:07 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-05-12 09:23:06 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-05-12 09:21:25 623616 ----a-w- c:\windows\system32\localspl.dll
2010-05-12 09:20:53 2036736 ----a-w- c:\windows\system32\win32k.sys
2010-05-12 09:12:19 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-11 23:42:53 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-05-11 23:42:52 98304 ----a-w- c:\windows\system32\cabview.dll
2010-05-11 23:38:28 2421760 ----a-w- c:\windows\system32\wucltux.dll
2010-05-11 23:38:18 87552 ----a-w- c:\windows\system32\wudriver.dll
2010-05-11 23:38:09 33792 ----a-w- c:\windows\system32\wuapp.exe
2010-05-11 23:38:09 171608 ----a-w- c:\windows\system32\wuwebv.dll
2010-05-11 23:34:14 0 d-----w- c:\programdata\Adobe
2010-05-11 22:09:05 12 ----a-w- c:\windows\bthservsdp.dat

==================== Find3M ====================

2010-05-18 16:51:04 51200 ----a-w- c:\windows\inf\infpub.dat
2010-05-18 16:51:03 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-05-18 16:50:59 86016 ----a-w- c:\windows\inf\infstor.dat
2010-05-18 16:50:59 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-05-17 10:02:50 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2010-05-13 20:46:06 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-03-09 16:25:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-09 15:42:17 834048 ----a-w- c:\windows\system32\wininet.dll
2010-03-08 17:59:18 94208 ----a-w- c:\windows\system32\dpl100.dll
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2008-04-21 14:46:25 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 22:00:31.65 ===============


Once again many thanks.

Regards,

Nick


#7 extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 03 June 2010 - 04:28 PM

Hello.

That's looking good so far.

QUOTE
System seems to be slightly better (not had a single re-direct as yet) however Norton still warns of Backdoor.Tidserv!inf being present.

Good to hear. What Norton detected could have been what we already quarantined. Can you let me know what it is that it's detecting?

Let me know.
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#8 Nick Saint
  • Topic Starter
  • Members
  • 14 posts

Posted 03 June 2010 - 04:39 PM

Hi EB,

Norton 360 is warning that Backdoor.Tidserv!inf is still present. It was reporting 2 affected areas (1 file and 1 browser cache). It said the affected file was at c:\windows\system32\drivers\rdpencdd.sys. I have since restarted my laptop to see if this would clear anything that may have previously been quarantined, but Norton still detects it and is still suggesting manual removal. Is there anything more I can do, or is my only option now to re-install Windows?

Thanks,

Regards,

Nick

#9 extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 03 June 2010 - 07:31 PM

Hello.

Can you do the following...

Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it. (If you are using Vista, please right-click and select Run as administrator.)
  • A blank window shall open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy and paste the content of the following codebox into the main textfield under "File":
    CODE
    :filefind
    rdpencdd.sys
  • Please confirm everything is copied and pasted exactly as I have provided above.
  • Click the Look button to start the scan.
  • When finished, a Notepad window will open with the results of the scan.
  • Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt.
2nd Note: The scan may take a while, from several seconds to a minute or more, depending on the number of files you have and how fast your computer can perform the task.



#10 Nick Saint
  • Topic Starter
  • Members
  • 14 posts

Posted 03 June 2010 - 07:36 PM

EB,

Latest results:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 01:34 on 04/06/2010 by Nick (Administrator - Elevation successful)

========== filefind ==========

Searching for "rdpencdd.sys"
C:\Windows\System32\drivers\RDPENCDD.sys --a--- 6144 bytes [02:24 21/01/2008] [02:24 21/01/2008] (Unable to calculate MD5)
C:\Windows\winsxs\x86_microsoft-windows-t..llaboration-drivers_31bf3856ad364e35_6.0.6001.18000_none_06cf4b56d5c130dc\RDPENCDD.sys --a--- 6144 bytes [02:24 21/01/2008] [02:24 21/01/2008] (Unable to calculate MD5)

-=End Of File=-

Cheers,

Nick

#11 extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 05 June 2010 - 11:31 AM

Hello.

A replacement copy of that would be needed.

Can you run SystemLook once again, but use the following script instead:

CODE
:filefind
rdpencdd.*


Then I want you to run TDSSKiller and post the log so I can take a look.

Download and Run TDSSKiller
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (or hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks). Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt"; please copy and paste the contents of that file here.


#12 Nick Saint
  • Topic Starter
  • Members
  • 14 posts

Posted 06 June 2010 - 09:31 AM

Hi CB,

Here is the latest SystemLook report:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 15:30 on 06/06/2010 by Nick (Administrator - Elevation successful)

========== filefind ==========

Searching for "rdpencdd.*"
C:\Windows\System32\drivers\RDPENCDD.sys --a--- 6144 bytes [02:24 21/01/2008] [02:24 21/01/2008] (Unable to calculate MD5)
C:\Windows\System32\RDPENCDD.dll --a--- 118272 bytes [02:24 21/01/2008] [02:24 21/01/2008] 4707976BDBA8B5999A0006C7609505CB
C:\Windows\winsxs\x86_microsoft-windows-t..llaboration-drivers_31bf3856ad364e35_6.0.6001.18000_none_06cf4b56d5c130dc\RDPENCDD.dll --a--- 118272 bytes [02:24 21/01/2008] [02:24 21/01/2008] 4707976BDBA8B5999A0006C7609505CB
C:\Windows\winsxs\x86_microsoft-windows-t..llaboration-drivers_31bf3856ad364e35_6.0.6001.18000_none_06cf4b56d5c130dc\RDPENCDD.sys --a--- 6144 bytes [02:24 21/01/2008] [02:24 21/01/2008] (Unable to calculate MD5)

-=End Of File=-


Thanks again for your time and help,

Regards,

Nick

#13 Nick Saint
  • Topic Starter
  • Members
  • 14 posts

Posted 06 June 2010 - 09:53 AM

CB,

Here is the TDSSKiller log:

15:38:00:891 3780 TDSS rootkit removing tool 2.3.2.0 May 31 2010 10:39:48
15:38:00:891 3780 ================================================================================
15:38:00:891 3780 SystemInfo:

15:38:00:891 3780 OS Version: 6.0.6002 ServicePack: 2.0
15:38:00:891 3780 Product type: Workstation
15:38:00:891 3780 ComputerName: MY-LAPTOP
15:38:00:891 3780 UserName: Nick
15:38:00:891 3780 Windows directory: C:\Windows
15:38:00:891 3780 Processor architecture: Intel x86
15:38:00:891 3780 Number of processors: 2
15:38:00:891 3780 Page size: 0x1000
15:38:00:891 3780 Boot type: Normal boot
15:38:00:891 3780 ================================================================================
15:38:01:702 3780 Initialize success
15:38:01:702 3780
15:38:01:717 3780 Scanning Services ...
15:38:02:497 3780 Raw services enum returned 434 services
15:38:02:513 3780
15:38:02:513 3780 Scanning Drivers ...
15:38:19:423 3780 RDPENCDD (d33be6ba99f70b8c219ab69e2ef11705) C:\Windows\system32\drivers\rdpencdd.sys
15:38:19:564 3780 Suspicious file (NoAccess): C:\Windows\system32\drivers\rdpencdd.sys. md5: d33be6ba99f70b8c219ab69e2ef11705
15:38:19:564 3780 File "C:\Windows\system32\drivers\rdpencdd.sys" infected by TDSS rootkit ... 15:38:21:295 3780 Backup copy not found, trying to cure infected file..
15:38:21:295 3780 Cure success, using it..
15:38:21:373 3780 will be cured on next reboot
15:38:30:312 3780 Reboot required for cure complete..
15:38:30:687 3780 Cure on reboot scheduled successfully
15:38:30:687 3780
15:38:30:687 3780 Completed
15:38:30:702 3780
15:38:30:702 3780 Results:
15:38:30:702 3780 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
15:38:30:702 3780 File objects infected / cured / cured on reboot: 1 / 0 / 1
15:38:30:702 3780
15:38:30:733 3780 KLMD(ARK) unloaded successfully


Regards,

Nick
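The TDSSKiller log above has a regular shape: a timestamp, the scanner's PID, then either a driver entry (`name (md5) path`) or a status message, followed by a `Results:` summary. When triaging many such logs it helps to turn them into structured records and read the summary counts mechanically rather than by eye. The following parser is an added example written for this thread, not a tool from the forum or from Kaspersky; the sample lines are copied from the log posted above (so the hashes and paths are the real ones shown there), and the `needs_followup` and `shared_hashes` checks are my own illustrative heuristics, not part of TDSSKiller.

```python
import re
from dataclasses import dataclass, field

# Sample input: a handful of lines in the exact shape of the TDSSKiller log
# posted in this thread (hashes and paths taken from that log).
SAMPLE_LOG = r"""
15:38:29:938 3780 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
15:38:29:969 3780 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
15:38:30:016 3780 Wd (78fe9542363f297b18c027b2d7e7c07f) C:\Windows\system32\drivers\wd.sys
15:38:30:312 3780 Reboot required for cure complete..
15:38:30:687 3780 Cure on reboot scheduled successfully
15:38:30:687 3780 Completed
15:38:30:702 3780 Results:
15:38:30:702 3780 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
15:38:30:702 3780 File objects infected / cured / cured on reboot: 1 / 0 / 1
15:38:30:733 3780 KLMD(ARK) unloaded successfully
"""

# "<hh:mm:ss:ms> <pid> <service name> (<md5>) <path>"
DRIVER_RE = re.compile(
    r"^(\d{2}:\d{2}:\d{2}:\d{3})\s+(\d+)\s+(\S+)\s+\(([0-9a-f]{32})\)\s+(.+)$"
)
# "<time> <pid> Registry|File objects infected / cured / cured on reboot: a / b / c"
RESULT_RE = re.compile(
    r"^\S+\s+\d+\s+(Registry|File) objects infected / cured / cured on reboot:"
    r"\s*(\d+) / (\d+) / (\d+)$"
)


@dataclass
class DriverEntry:
    time: str
    name: str   # service/driver name as listed by the scanner
    md5: str
    path: str


@dataclass
class ScanReport:
    drivers: list = field(default_factory=list)
    # "Registry" / "File" -> (infected, cured, cured on reboot)
    results: dict = field(default_factory=dict)
    reboot_required: bool = False
    completed: bool = False


def parse_tdsskiller_log(text: str) -> ScanReport:
    """Turn the raw log text into driver entries plus the summary counts."""
    report = ScanReport()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DRIVER_RE.match(line)
        if m:
            t, _pid, name, md5, path = m.groups()
            report.drivers.append(DriverEntry(t, name, md5, path.strip()))
            continue
        m = RESULT_RE.match(line)
        if m:
            kind, infected, cured, on_reboot = m.groups()
            report.results[kind] = (int(infected), int(cured), int(on_reboot))
            continue
        # Anything else is a status message after "<time> <pid>".
        parts = line.split(None, 2)
        msg = parts[2] if len(parts) == 3 else ""
        if msg.startswith("Reboot required"):
            report.reboot_required = True
        elif msg == "Completed":
            report.completed = True
    return report


def needs_followup(report: ScanReport) -> bool:
    """Illustrative heuristic: the scan found something, or left a cure pending
    for the next boot, so a rescan after reboot is warranted."""
    if report.reboot_required:
        return True
    return any(infected > 0 or on_reboot > 0
               for infected, _cured, on_reboot in report.results.values())


def shared_hashes(report: ScanReport) -> dict:
    """Illustrative heuristic: md5 -> distinct file paths, for hashes that back
    more than one file. Two service names pointing at the same file (Wanarp and
    Wanarpv6 above both use wanarp.sys) is normal and is not reported."""
    by_hash = {}
    for d in report.drivers:
        by_hash.setdefault(d.md5, set()).add(d.path.lower())
    return {h: paths for h, paths in by_hash.items() if len(paths) > 1}


if __name__ == "__main__":
    rep = parse_tdsskiller_log(SAMPLE_LOG)
    print(f"{len(rep.drivers)} driver entries, results={rep.results}")
    print("reboot required:", rep.reboot_required, "| follow-up:", needs_followup(rep))
    print("hashes shared across different files:", shared_hashes(rep))
```

On the log in this thread the summary reads `File objects ... 1 / 0 / 1`, so the parser reports a pending cure: the infected file object is not one of the listed drivers (those are the ones that passed), which is exactly why the helper asked for a post-reboot check next.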

#14 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:03:51 PM

Posted 06 June 2010 - 02:28 PM

Thanks.

Do you have your Vista disk with you still?

Can you do the following?

Go Start > Run and copy/paste the following single-line command into the Run box and click OK:

cmd /c "mbr -t" >Log.txt&Log.txt&del Log.txt

A Notepad file will open. Post the contents of Log.txt in your next reply.

Note: Please do not PM me asking for help; instead please post it in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#15 Nick Saint

Nick Saint
  • Topic Starter

  • Members
  • 14 posts
  • Local time:08:51 PM

Posted 06 June 2010 - 03:57 PM

Hi CB,

I have a recovery partition on my HDD, so I don't have the Vista DVD, sorry, but here is the latest request:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: error reading MBR
kernel: error reading MBR


Regards,

Nick
