
Backdoor.Tidserv!inf.


This topic is locked
25 replies to this topic

#1 sn3akym4n (Members, 20 posts)

Posted 15 June 2010 - 11:01 PM

I've been given previous help (the topic referenced is here: http://www.bleepingcomputer.com/forums/t/324014/https-tidserv-request-2-from-norton-360/ ~ OB), where I did scans with Norton 360, which finds 3 Backdoor.Tidserv!inf, but Malwarebytes and TDSSKiller show nothing. Posted below is my DDS log. Any advice would be much appreciated. Also, when I attempted to run the GMER scan I got a blue screen that rebooted my computer. I tried again in safe mode and finally got it after a few attempts.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Mr. Rogers at 21:36:17.80 on Mon 06/14/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_20
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.2046.996 [GMT -5:00]

SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Application Updater\ApplicationUpdater.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\taskhost.exe
C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Mr. Rogers\Desktop\dds.scr
C:\Windows\system32\conhost.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://tmq.bingstart.com/?cfg=2-168-0-1ipGy
uInternet Settings,ProxyOverride = *.local
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\3.8.0.41\IPSBHO.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
BHO: {dbc80044-a445-435b-bc74-9c25c1c588a9} - Java™ Plug-In 2 SSV Helper
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: []
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [combofix] "c:\combo-fix\cf27026.cfxxe" /c "c:\combo-fix\C.bat"
StartupFolder: c:\users\mrc073~1.rog\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll
IE: {38E51477-DDB4-4aed-9D61-D0C193E10749} - {38E51477-DDB4-4aed-9D61-D0C193E10749} {38E51477-DDB4-4aed-9D61-D0C193E10749} - {38e51477-ddb4-4aed-9d61-d0c193e10749}\inprocserver32 does not exist!
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\3.8.0.41\CoIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {9C450606-ED24-4958-92BA-B8940C99D441} - c:\program files\pixiepack codec pack\InstallerHelper.exe

================= FIREFOX ===================

FF - ProfilePath - c:\users\mrc073~1.rog\appdata\roaming\mozilla\firefox\profiles\fxeei5v6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://tmq.bingstart.com/s/?src=FF-Address&site=Bing&cfg=2-168-0-1ipGy&q=
FF - component: c:\program files\free download manager\firefox\extension\components\vmsfdmff.dll
FF - component: c:\program files\search settings\ff\components\SearchSettingsFF.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308000.029\SymEFA.sys [2010-2-2 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0308000.029\BHDrvx86.sys [2010-2-2 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0308000.029\cchpx86.sys [2010-2-2 482432]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100604.004\IDSvix86.sys [2010-6-8 344112]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 Application Updater;Application Updater;c:\program files\application updater\ApplicationUpdater.exe [2009-12-16 375296]
R2 N360;Norton 360;c:\program files\norton 360\engine\3.8.0.41\ccSvcHst.exe [2010-2-2 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-27 102448]
R3 MovRVDrv32;MovRVDrv32;c:\windows\system32\drivers\MovRVDrv32.sys [2010-1-30 3768]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\system32\drivers\n360\0308000.029\symndisv.sys [2010-2-2 48688]
S2 gupdate1caad1565fa3e54;Google Update Service (gupdate1caad1565fa3e54);c:\program files\google\update\GoogleUpdate.exe [2010-2-13 133104]
S2 PEVSystemStart;PEVSystemStart;"c:\combo-fix\pev.cfxxe" exec /i "c:\combo-fix\hidec.exe" "c:\combo-fix\swreg.exe" acl "hkey_local_machine\system\currentcontrolset\enum\root\legacy_beep" /reset /q --> c:\combo-fix\PEV.cfxxe [?]
S2 StudioPro;StudioPro webcam;c:\windows\system32\drivers\StudioPro.sys [2010-2-26 120320]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 284016]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [2010-6-13 23456]
S3 EuMusDesignVirtualAudioCableWdm;StudioPro audio (WDM);c:\windows\system32\drivers\vrtaucbl.sys [2010-2-26 38784]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2009-12-1 34384]
S3 SoundMovieServer;SoundMovieServer;c:\windows\system32\snmvtsvc.exe [2010-1-30 184320]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-3-3 1343400]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-4-16 11520]

=============== Created Last 30 ================

2010-06-15 02:32:34 0 ----a-w- c:\users\mr. rogers\defogger_reenable
2010-06-13 15:23:13 23456 ----a-w- c:\windows\system32\drivers\DrvAgent32.sys
2010-06-13 15:18:58 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-06-13 15:18:45 0 d-----w- c:\programdata\Hitman Pro
2010-06-13 15:18:43 0 d-----w- c:\program files\Hitman Pro 3.5
2010-06-13 00:36:05 98816 ----a-w- c:\windows\sed.exe
2010-06-13 00:36:05 77312 ----a-w- c:\windows\MBR.exe
2010-06-13 00:36:05 256512 ----a-w- c:\windows\PEV.exe
2010-06-13 00:36:05 161792 ----a-w- c:\windows\SWREG.exe
2010-06-13 00:01:15 336 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2010-06-12 23:59:17 608 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-06-12 23:40:03 32768 ---ha-w- C:\SZKGFS.dat
2010-06-12 23:38:27 0 d-----w- c:\programdata\SITEguard
2010-06-12 23:37:02 0 d-----w- c:\programdata\STOPzilla!
2010-06-12 23:37:02 0 d-----w- c:\program files\common files\iS3
2010-06-12 03:18:18 0 d-----w- c:\users\mrc073~1.rog\appdata\roaming\Malwarebytes
2010-06-12 03:18:11 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-12 03:18:10 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-12 03:18:10 0 d-----w- c:\programdata\Malwarebytes
2010-06-12 03:18:09 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-12 02:23:01 183051940 ----a-w- c:\windows\MEMORY.DMP
2010-06-10 03:53:06 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-08 22:55:28 977920 ----a-w- c:\windows\system32\wininet.dll
2010-06-08 22:53:38 2326528 ----a-w- c:\windows\system32\win32k.sys
2010-06-08 22:53:37 67584 ----a-w- c:\windows\system32\asycfilt.dll
2010-06-08 22:49:36 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-06-08 22:49:36 293888 ----a-w- c:\windows\system32\atmfd.dll
2010-06-08 01:36:22 0 d-----w- c:\users\mrc073~1.rog\appdata\roaming\LolClient
2010-06-08 01:13:12 0 d-----w- C:\Riot Games
2010-06-08 00:36:09 0 d-----w- c:\programdata\PMB Files
2010-06-08 00:35:45 0 d-----w- c:\program files\Pando Networks
2010-06-06 02:56:12 86528 ----a-w- c:\windows\bnetunin.exe
2010-06-06 02:56:12 61440 ----a-w- c:\windows\diabswun.exe
2010-06-06 02:22:34 0 d-----w- c:\program files\Tunatic
2010-06-06 01:16:28 0 d-----w- c:\program files\Search Toolbar
2010-06-06 01:16:27 0 d-----w- c:\program files\Mind Quiz
2010-06-03 22:25:36 0 d-----w- c:\program files\LSoft Technologies
2010-06-01 14:58:24 77065 ----a-w- c:\windows\War3Unin.dat
2010-06-01 14:58:21 2829 ----a-w- c:\windows\War3Unin.pif
2010-06-01 14:58:21 139264 ----a-w- c:\windows\War3Unin.exe
2010-05-29 23:10:47 70992 ----a-w- c:\windows\system32\XAPOFX1_2.dll
2010-05-29 22:37:43 271360 ----a-w- c:\windows\system32\drivers\atksgt.sys
2010-05-29 22:37:27 18048 ----a-w- c:\windows\system32\drivers\lirsgt.sys
2010-05-29 22:24:03 0 d-----w- c:\program files\Aspyr
2010-05-29 00:33:27 0 d-----w- c:\programdata\Hewlett-Packard
2010-05-25 17:51:30 2048 ----a-w- c:\windows\system32\tzres.dll

==================== Find3M ====================

2010-05-02 21:55:19 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2010-04-08 18:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 18:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-03-31 05:42:00 692437298 ----a-w- c:\program files\data2.cab
2010-03-31 05:40:10 254098 ----a-w- c:\program files\setup.inx
2010-03-31 05:40:10 1669931 ----a-w- c:\program files\setup.isn
2010-03-31 05:39:38 1079468 ----a-w- c:\program files\data1.cab
2010-03-31 05:24:42 371458 ----a-w- c:\program files\data1.hdr
2010-03-31 05:22:04 21494 ----a-w- c:\program files\0x0409.ini
2010-03-31 04:56:27 576000 ----a-w- c:\program files\ISSetup.dll
2010-03-31 04:42:13 1224 ----a-w- c:\program files\setup.ini
2010-03-31 04:29:13 473 ----a-w- c:\program files\layout.bin
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2010-02-01 14:48:52 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 21:36:49.37 ===============





GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-14 22:38:04
Windows 6.1.7600
Running: gmer.exe; Driver: C:\Users\MRC073~1.ROG\AppData\Local\Temp\fxlyqkog.sys


---- System - GMER 1.0.15 ----

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82437AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82437104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 824373F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 824202D8
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8241F898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 824371DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82437958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 824376F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82437F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 824381A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82050599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82074F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\00000067 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
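A responder reads a DDS log like the one above for a small set of things every time: files created with the hidden or system attribute, executables dropped together into a place they do not belong, and services or drivers whose image lives outside %SystemRoot% or that DDS could not stat (it prints "[?]" in that case). The script below is an added example for this thread, not part of the original post or of DDS itself; its sample input is a subset of lines copied from the log above, and the flagging rules are the example's own heuristics, not anything DDS does.

```python
"""Triage a DDS log the way a responder reads it by hand: parse the file
lines of 'Created Last 30' / 'Find3M' and the 'SERVICES / DRIVERS' lines,
then return the entries that deserve a first look.  The flagging rules
are this example's own heuristics, not anything DDS itself does."""
import os
import re
from collections import defaultdict

# Constructed sample: a subset of lines copied from the DDS log in this thread.
SAMPLE_LOG = r"""
2010-06-13 00:36:05 98816 ----a-w- c:\windows\sed.exe
2010-06-13 00:36:05 77312 ----a-w- c:\windows\MBR.exe
2010-06-13 00:36:05 256512 ----a-w- c:\windows\PEV.exe
2010-06-13 00:36:05 161792 ----a-w- c:\windows\SWREG.exe
2010-06-12 23:40:03 32768 ---ha-w- C:\SZKGFS.dat
2010-06-12 03:18:10 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308000.029\SymEFA.sys [2010-2-2 310320]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
S2 PEVSystemStart;PEVSystemStart;"c:\combo-fix\pev.cfxxe" exec /i "c:\combo-fix\hidec.exe" "c:\combo-fix\swreg.exe" acl "hkey_local_machine\system\currentcontrolset\enum\root\legacy_beep" /reset /q --> c:\combo-fix\PEV.cfxxe [?]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
"""

# File line: "<timestamp> <size> <attrs> <path>", attrs being an 8-character
# field such as "---ha-w-" (d=directory, s=system, h=hidden, a=archive, r/w).
FILE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(?P<size>\d+)\s+"
    r"(?P<attr>[-dsharw]{8})\s+(?P<path>.+)$")
# Service/driver line: "<state> <name>;<display>;<image or command> [<date> <size>]"
SVC_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")

EXEC_EXT = {".exe", ".sys", ".dll", ".scr", ".cfxxe"}
BENIGN_HIDDEN = {"desktop.ini"}  # well-known hidden/system file names we do not report


def parse_service(line):
    """Return a dict for a SERVICES / DRIVERS line, or None if the line is not one."""
    m = SVC_RE.match(line)
    if not m:
        return None
    rest, meta = m["rest"], None
    if rest.endswith("]") and " [" in rest:
        rest, meta = rest.rsplit(" [", 1)
        meta = meta[:-1]  # "2010-2-2 310320", or "?" when DDS could not stat the image
    # For command lines DDS appends "--> <resolved image>"; otherwise rest is the path.
    image = rest.split("-->")[-1].strip()
    return {"state": m["state"], "name": m["name"], "image": image, "meta": meta}


def triage(text):
    """Map each path worth a look to the list of reasons it was flagged."""
    flagged = defaultdict(list)
    by_ts = defaultdict(list)  # timestamp -> executables created at that instant
    for raw in text.splitlines():
        line = raw.strip()
        f = FILE_RE.match(line)
        if f:
            path, attr = f["path"], f["attr"]
            norm = path.replace("\\", "/").lower()
            base, ext = os.path.basename(norm), os.path.splitext(norm)[1]
            parent = os.path.dirname(norm)
            if ("h" in attr or "s" in attr) and "d" not in attr and base not in BENIGN_HIDDEN:
                flagged[path].append("hidden/system attribute set")
            if ext in EXEC_EXT:
                if parent in {"c:", "c:/windows"}:
                    flagged[path].append("executable written directly into volume root or %SystemRoot%")
                by_ts[f["ts"]].append(path)
            continue
        s = parse_service(line)
        if s is None:
            continue
        if not s["image"].lower().startswith("c:\\windows\\"):
            flagged[s["image"]].append("%s: image outside %%SystemRoot%%" % s["name"])
        if s["meta"] == "?":
            flagged[s["image"]].append("%s: DDS recorded no date/size for the image ([?])" % s["name"])
    # Several executables sharing one creation second were dropped by one installer or dropper.
    for ts, paths in by_ts.items():
        if len(paths) >= 3:
            for p in paths:
                flagged[p].append("one of %d executables written at %s" % (len(paths), ts))
    return dict(flagged)


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(path)
        for why in reasons:
            print("   -", why)
```

On this log every hit but one is accounted for by other lines in the same log: the four executables written to c:\windows at 00:36:05 and the PEVSystemStart service with the "[?]" image are ComboFix leftovers (the log also shows the mRun combofix entry and the c:\combo-fix paths), and the SUPERAntiSpyware driver belongs to an installed security product. The remaining hit, the hidden C:\SZKGFS.dat created a couple of minutes after the STOPzilla and SITEguard directories, is exactly the kind of entry the heuristic exists to surface; whether it belongs to that product is for the responder to confirm, not for the script to decide.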


#2 gringo_pr, Bleepin Gringo (Malware Response Team, 136,772 posts, Puerto Rico)
Posted 15 June 2010 - 11:15 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  1. Do not run any other tool until instructed to do so!
  2. Do not attach logs unless I ask you to.
  3. Tell me about any problems that have occurred during the fix.
  4. Tell me of any other symptoms you may be having as these can help also.
  5. Do not run anything while running a fix.
  6. Do not run any other tool until instructed to do so!


In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Note: if you are having problems posting the complete log into this thread, upload it here http://www.rapidshare.com/ and post the links in this thread.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.


GMER is the best, but it can be hard to get a log. Let's try this and see what we get.

Scan with RKUnhooker
  • Please download Rootkit Unhooker and save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth, uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note: you may get this warning; it is OK, just ignore it.

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"



Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free; however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
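The Drivers list Gringo asks for above is read much like the DDS services section, with one twist: RKU prints kernel objects by name as well as by image, so ntkrnlpa.exe shows up again as PnpManager, RAW and WMIxWDM at the same base address, win32k.sys as Win32k, and halmacpi.dll as ACPI_HAL. A bare name with no file-backed module at its base address is therefore the first thing to look for. The parser below is an added example for this thread, not part of the original posts or of RKU; its sample lines are copied from the report posted in reply #3, plus one made-up entry, unnamed_module_example, so the unbacked-module check has something to catch. The checks (no file-backed module at a bare name's base, a file with no version info other than the dump_ crash-dump copies, a dump_ copy whose size differs from its original, and drivers loaded from outside %SystemRoot%) are the example's own heuristics, and the treatment of dump_ entries is an assumption of the example rather than something RKU documents.

```python
"""Review the '>Drivers' section of a Rootkit Unhooker (RKU) report.  The
checks are this example's own heuristics for reading the list; RKU's own
Stealth findings are a separate section and are not parsed here."""
import re
from collections import defaultdict

# Constructed sample: lines copied from the RKU report posted in this thread,
# plus one made-up entry (unnamed_module_example) so the unbacked-module
# check has something to catch.  That last line is NOT from the thread.
SAMPLE_REPORT = r"""
0x96422000 C:\Windows\system32\DRIVERS\nvlddmkm.sys 11583488 bytes (NVIDIA Corporation, NVIDIA Windows Kernel Mode Driver, Version 196.21 )
0x82C09000 C:\Windows\system32\ntkrnlpa.exe 4259840 bytes (Microsoft Corporation, NT Kernel & System)
0x82C09000 PnpManager 4259840 bytes
0x82C09000 RAW 4259840 bytes
0x82C09000 WMIxWDM 4259840 bytes
0x97340000 Win32k 2400256 bytes
0x97340000 C:\Windows\System32\win32k.sys 2400256 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0x9D600000 C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100615.022\NAVEX15.SYS 1343488 bytes (Symantec Corporation, AV Engine)
0x9610D000 C:\Windows\System32\Drivers\dump_iaStorV.sys 897024 bytes
0x88E2D000 C:\Windows\system32\DRIVERS\iaStorV.sys 897024 bytes (Intel Corporation, Intel Matrix Storage Manager driver - ia32)
0x8FC33000 C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys 385024 bytes (Symantec Corporation, Symantec Eraser Control Driver)
0x83019000 ACPI_HAL 225280 bytes
0x83019000 C:\Windows\system32\halmacpi.dll 225280 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0x8F000000 unnamed_module_example 32768 bytes
"""

# "<base> <path-or-object-name> <size> bytes (<vendor>, <description>[, Version x])"
LINE_RE = re.compile(
    r"^(?P<base>0x[0-9A-Fa-f]+)\s+(?P<name>.+?)\s+(?P<size>\d+) bytes"
    r"(?:\s+\((?P<info>.*)\))?\s*$")


def parse(text):
    """Turn report lines into dicts; 'file' is False for bare kernel object names."""
    mods = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        info = m["info"]
        mods.append({
            "base": int(m["base"], 16),
            "name": m["name"],
            "size": int(m["size"]),
            "file": "\\" in m["name"],
            "vendor": info.split(",")[0].strip() if info else None,
        })
    return mods


def review(mods):
    """Map module name -> reasons a responder should look at it."""
    findings = defaultdict(list)
    by_base = defaultdict(list)
    for m in mods:
        by_base[m["base"]].append(m)
    by_file = {m["name"].rsplit("\\", 1)[-1].lower(): m for m in mods if m["file"]}

    for m in mods:
        if not m["file"]:
            # Aliases such as PnpManager/RAW/WMIxWDM (kernel), Win32k and ACPI_HAL
            # share a base with a real image.  A bare name with no file-backed
            # module at its base is what to look at first.
            if not any(o["file"] for o in by_base[m["base"]]):
                findings[m["name"]].append("no file-backed module at base 0x%08X" % m["base"])
            continue
        fname = m["name"].rsplit("\\", 1)[-1].lower()
        if fname.startswith("dump_"):
            # Assumption of this example: dump_* entries are the crash-dump copy of
            # the boot storage driver and carry no version info; compare size instead.
            orig = by_file.get(fname[len("dump_"):])
            if orig and orig["size"] != m["size"]:
                findings[m["name"]].append("size differs from %s" % orig["name"])
        elif m["vendor"] is None:
            findings[m["name"]].append("no version/vendor info")
        if not m["name"].lower().startswith("c:\\windows\\"):
            findings[m["name"]].append("loaded from outside %SystemRoot%")
    return dict(findings)


if __name__ == "__main__":
    for name, reasons in review(parse(SAMPLE_REPORT)).items():
        print(name, "->", "; ".join(reasons))
```

On these sample lines the only hits are the constructed entry and the Norton and Symantec drivers loaded from C:\ProgramData and C:\Program Files, which match the Norton 360 installation visible in the DDS log; the three kernel aliases and the dump_iaStorV.sys copy (same 897024 bytes as iaStorV.sys) pass.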

#3 sn3akym4n, topic starter (Members, 20 posts)

Posted 15 June 2010 - 11:22 PM

I didn't get that warning, but here is the report, and thanks for the help ahead of time!

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows 7
Version 6.1.7600
Number of processors #2
==============================================
>Drivers
==============================================
0x96422000 C:\Windows\system32\DRIVERS\nvlddmkm.sys 11583488 bytes (NVIDIA Corporation, NVIDIA Windows Kernel Mode Driver, Version 196.21 )
0x82C09000 C:\Windows\system32\ntkrnlpa.exe 4259840 bytes (Microsoft Corporation, NT Kernel & System)
0x82C09000 PnpManager 4259840 bytes
0x82C09000 RAW 4259840 bytes
0x82C09000 WMIxWDM 4259840 bytes
0x95E05000 C:\Windows\system32\drivers\RTKVHDA.sys 2740224 bytes (Realtek Semiconductor Corp., Realtek® High Definition Audio Function Driver)
0x97340000 Win32k 2400256 bytes
0x97340000 C:\Windows\System32\win32k.sys 2400256 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0x89425000 C:\Windows\System32\drivers\tcpip.sys 1347584 bytes (Microsoft Corporation, TCP/IP Driver)
0x9D600000 C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100615.022\NAVEX15.SYS 1343488 bytes (Symantec Corporation, AV Engine)
0x8900F000 C:\Windows\System32\Drivers\Ntfs.sys 1241088 bytes (Microsoft Corporation, NT File System Driver)
0x9610D000 C:\Windows\System32\Drivers\dump_iaStorV.sys 897024 bytes
0x88E2D000 C:\Windows\system32\DRIVERS\iaStorV.sys 897024 bytes (Intel Corporation, Intel Matrix Storage Manager driver - ia32)
0x96F30000 C:\Windows\System32\drivers\dxgkrnl.sys 749568 bytes (Microsoft Corporation, DirectX Graphics Kernel)
0x8920C000 C:\Windows\system32\drivers\ndis.sys 749568 bytes (Microsoft Corporation, NDIS 6.20 driver)
0x8330D000 C:\Windows\system32\CI.dll 700416 bytes (Microsoft Corporation, Code Integrity Module)
0x8EA43000 C:\Windows\system32\drivers\peauth.sys 618496 bytes (Microsoft Corporation, Protected Environment Authentication and Authorization Export Driver)
0x824E4000 C:\Windows\system32\drivers\HTTP.sys 544768 bytes (Microsoft Corporation, HTTP Protocol Stack)
0x8FD36000 C:\Windows\System32\Drivers\N360\0308000.029\ccHPx86.sys 503808 bytes (Symantec Corporation, Common Client Hash Provider Driver)
0x8323A000 C:\Windows\system32\mcupdate_GenuineIntel.dll 491520 bytes (Microsoft Corporation, Intel Microcode Update Library)
0x88C22000 C:\Windows\system32\drivers\Wdf01000.sys 462848 bytes (Microsoft Corporation, Kernel Mode Driver Framework Runtime)
0x8FCBA000 C:\Windows\system32\drivers\csc.sys 409600 bytes (Microsoft Corporation, Windows Client Side Caching Driver)
0x8FC33000 C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys 385024 bytes (Symantec Corporation, Symantec Eraser Control Driver)
0x8917C000 C:\Windows\System32\Drivers\cng.sys 380928 bytes (Microsoft Corporation, Kernel Cryptography, Next Generation)
0x8EC18000 C:\Windows\system32\drivers\afd.sys 368640 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x8ED8A000 C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20100604.004\IDSvix86.sys 360448 bytes (Symantec Corporation, IDS Core Driver)
0x9CAE5000 C:\Windows\System32\Drivers\N360\0308000.029\SRTSP.SYS 339968 bytes (Symantec Corporation, Symantec AutoProtect)
0x9CA73000 C:\Windows\System32\DRIVERS\srv.sys 331776 bytes (Microsoft Corporation, Server driver)
0x9CA24000 C:\Windows\System32\DRIVERS\srv2.sys 323584 bytes (Microsoft Corporation, Smb 2.0 Server driver)
0x88F56000 C:\Windows\system32\drivers\N360\0308000.029\SYMEFA.SYS 323584 bytes (Symantec Corporation, Symantec Extended File Attributes)
0x97200000 C:\Windows\System32\ATMFD.DLL 315392 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0x8223C000 C:\Windows\system32\DRIVERS\USBPORT.SYS 307200 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0x88D50000 C:\Windows\System32\drivers\volmgrx.sys 307200 bytes (Microsoft Corporation, Volume Manager Extension Driver)
0x88CA1000 C:\Windows\system32\DRIVERS\ACPI.sys 294912 bytes (Microsoft Corporation, ACPI Driver for NT)
0x82422000 C:\Windows\system32\DRIVERS\usbhub.sys 278528 bytes (Microsoft Corporation, Default Hub Driver for USB)
0x88DB1000 C:\Windows\System32\Drivers\N360\0308000.029\BHDrvx86.sys 270336 bytes (Symantec Corporation, BASH Driver)
0x832CB000 C:\Windows\system32\CLFS.SYS 270336 bytes (Microsoft Corporation, Common Log File System Driver)
0x8ED35000 C:\Windows\system32\DRIVERS\rdbss.sys 266240 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0x895A8000 C:\Windows\system32\DRIVERS\volsnap.sys 258048 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0x892C3000 C:\Windows\system32\drivers\NETIO.SYS 253952 bytes (Microsoft Corporation, Network I/O Subsystem)
0x825B7000 C:\Windows\system32\DRIVERS\mrxsmb10.sys 241664 bytes (Microsoft Corporation, Longhorn SMB Downlevel SubRdr)
0x88FC4000 C:\Windows\System32\drivers\dxgmms1.sys 233472 bytes (Microsoft Corporation, DirectX Graphics MMS)
0x833B8000 C:\Windows\system32\DRIVERS\e1e6032.sys 229376 bytes (Intel Corporation, Intel® PRO/1000 Adapter NDIS 6 deserialized driver)
0x83019000 ACPI_HAL 225280 bytes
0x83019000 C:\Windows\system32\halmacpi.dll 225280 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0x88F11000 C:\Windows\system32\drivers\fltmgr.sys 212992 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0x82384000 C:\Windows\system32\drivers\ks.sys 212992 bytes (Microsoft Corporation, Kernel CSA Library)
0x8EBB8000 C:\Windows\System32\Drivers\N360\0308000.029\SYMTDI.SYS 212992 bytes (Symantec Corporation, Network Dispatch Driver)
0x89353000 C:\Windows\System32\DRIVERS\fvevol.sys 204800 bytes (Microsoft Corporation, BitLocker Drive Encryption Driver)
0x8EC72000 C:\Windows\System32\DRIVERS\netbt.sys 204800 bytes (Microsoft Corporation, MBT Transport driver)
0x8956E000 C:\Windows\System32\drivers\fwpkclnt.sys 200704 bytes (Microsoft Corporation, FWP/IPsec Kernel-Mode API)
0x8233C000 C:\Windows\system32\drivers\portcls.sys 192512 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0x89326000 C:\Windows\System32\drivers\rdyboost.sys 184320 bytes (Microsoft Corporation, ReadyBoost Driver)
0x822B5000 C:\Windows\system32\DRIVERS\1394ohci.sys 180224 bytes (Microsoft Corporation, 1394 OpenHCI Driver)
0x8913E000 C:\Windows\System32\Drivers\msrpc.sys 176128 bytes (Microsoft Corporation, Kernel Remote Procedure Call Provider)
0x9D75C000 C:\Windows\System32\Drivers\fastfat.SYS 172032 bytes (Microsoft Corporation, Fast FAT File System Driver)
0x88CFA000 C:\Windows\system32\DRIVERS\pci.sys 172032 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0x88E00000 C:\Windows\system32\DRIVERS\SCSIPORT.SYS 155648 bytes (Microsoft Corporation, SCSI Port Driver)
0x89396000 C:\Windows\system32\DRIVERS\CLASSPNP.SYS 151552 bytes (Microsoft Corporation, SCSI Class System Dll)
0x89301000 C:\Windows\System32\Drivers\ksecpkg.sys 151552 bytes (Microsoft Corporation, Kernel Security Support Provider Interface Packages)
0x893C8000 C:\Windows\system32\Drivers\SYMEVENT.SYS 151552 bytes (Symantec Corporation, Symantec Event Library)
0x960C5000 C:\Windows\System32\Drivers\usbvideo.sys 147456 bytes (Microsoft Corporation, USB Video Class Driver)
0x82594000 C:\Windows\system32\DRIVERS\mrxsmb.sys 143360 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0x82200000 C:\Windows\system32\DRIVERS\ndiswan.sys 139264 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0x8ED0E000 C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS 135168 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASKUTIL.SYS)
0x8EADA000 C:\Windows\System32\DRIVERS\srvnet.sys 135168 bytes (Microsoft Corporation, Server Network driver)
0x8FDBF000 C:\Windows\system32\DRIVERS\tunnel.sys 135168 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
0x8EB37000 C:\Windows\System32\drivers\VIDEOPRT.SYS 135168 bytes (Microsoft Corporation, Video Port Driver)
0x8EAFE000 C:\Windows\system32\DRIVERS\cdrom.sys 126976 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0x82296000 C:\Windows\system32\DRIVERS\HDAudBus.sys 126976 bytes (Microsoft Corporation, High Definition Audio Bus Driver)
0x8ECAB000 C:\Windows\system32\DRIVERS\pacer.sys 126976 bytes (Microsoft Corporation, QoS Packet Scheduler)
0x975D0000 C:\Windows\System32\cdd.dll 122880 bytes (Microsoft Corporation, Canonical Display Driver)
0x8FC91000 C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys 118784 bytes (Symantec Corporation, Symantec Eraser Utility Driver)
0x8248C000 C:\Windows\system32\drivers\luafv.sys 110592 bytes (Microsoft Corporation, LUA File Virtualization Filter Driver)
0x82400000 C:\Windows\system32\DRIVERS\mrxsmb20.sys 110592 bytes (Microsoft Corporation, Longhorn SMB 2.0 Redirector)
0x824A7000 C:\Windows\system32\drivers\WudfPf.sys 106496 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0x82569000 C:\Windows\system32\DRIVERS\bowser.sys 102400 bytes (Microsoft Corporation, NT Lan Manager Datagram Receiver Driver)
0x8236B000 C:\Windows\system32\drivers\drmk.sys 102400 bytes (Microsoft Corporation, Microsoft Trusted Audio Drivers)
0x8FD1E000 C:\Windows\System32\Drivers\dfsc.sys 98304 bytes (Microsoft Corporation, DFS Namespace Client Driver)
0x822EC000 C:\Windows\system32\DRIVERS\i8042prt.sys 98304 bytes (Microsoft Corporation, i8042 Port Driver)
0x823CA000 C:\Windows\system32\DRIVERS\rasl2tp.sys 98304 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0x82222000 C:\Windows\system32\DRIVERS\raspppoe.sys 98304 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0x89400000 C:\Windows\system32\DRIVERS\sbp2port.sys 98304 bytes (Microsoft Corporation, SBP-2 Protocol Driver)
0x96400000 C:\Windows\system32\DRIVERS\raspptp.sys 94208 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0x8FC00000 C:\Windows\system32\DRIVERS\rassstp.sys 94208 bytes (Microsoft Corporation, RAS SSTP Miniport Call Manager)
0x8EB96000 C:\Windows\system32\DRIVERS\tdx.sys 94208 bytes (Microsoft Corporation, TDI Translation Driver)
0x960AC000 C:\Windows\system32\DRIVERS\usbccgp.sys 94208 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0x960E9000 C:\Windows\system32\DRIVERS\USBSTOR.SYS 94208 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0x88D9B000 C:\Windows\System32\drivers\mountmgr.sys 90112 bytes (Microsoft Corporation, Mount Point Manager)
0x88FAF000 C:\Windows\System32\Drivers\N360\0308000.029\SYMFW.SYS 86016 bytes (Symantec Corporation, Firewall Filter Driver)
0x9D748000 C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100615.022\NAVENG.SYS 81920 bytes (Symantec Corporation, AV Engine)
0x89169000 C:\Windows\System32\Drivers\ksecdd.sys 77824 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0x824D1000 C:\Windows\system32\DRIVERS\rspndr.sys 77824 bytes (Microsoft Corporation, Link-Layer Topology Responder Driver for NDIS 6)
0x8ECE1000 C:\Windows\system32\DRIVERS\wanarp.sys 77824 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0x823B8000 C:\Windows\system32\DRIVERS\AgileVpn.sys 73728 bytes (Microsoft Corporation, RAS Agile Vpn Miniport Call Manager)
0x8FDE0000 C:\Windows\system32\DRIVERS\intelppm.sys 73728 bytes (Microsoft Corporation, Processor Device Driver)
0x82582000 C:\Windows\System32\drivers\mpsdrv.sys 73728 bytes (Microsoft Corporation, Microsoft Protection Service Driver)
0x8FC17000 C:\Windows\System32\Drivers\adfs.SYS 69632 bytes (Adobe Systems, Inc., Adobe Drive File System Driver)
0x89385000 C:\Windows\system32\DRIVERS\disk.sys 69632 bytes (Microsoft Corporation, PnP Disk Driver)
0x961E8000 C:\Windows\System32\Drivers\dump_dumpfve.sys 69632 bytes
0x88F45000 C:\Windows\system32\drivers\fileinfo.sys 69632 bytes (Microsoft Corporation, FileInfo Filter Driver)
0x82470000 C:\Windows\System32\Drivers\NDProxy.SYS 69632 bytes (Microsoft Corporation, NDIS Proxy)
0x88D2F000 C:\Windows\System32\drivers\partmgr.sys 69632 bytes (Microsoft Corporation, Partition Management Driver)
0x832B2000 C:\Windows\system32\PSHED.dll 69632 bytes (Microsoft Corporation, Platform Specific Hardware Error Driver)
0x824C1000 C:\Windows\system32\DRIVERS\lltdio.sys 65536 bytes (Microsoft Corporation, Link-Layer Topology Mapper I/O Driver)
0x895EF000 C:\Windows\System32\Drivers\mup.sys 65536 bytes (Microsoft Corporation, Multiple UNC Provider Driver)
0x8ECF4000 C:\Windows\system32\DRIVERS\termdd.sys 65536 bytes (Microsoft Corporation, Remote Desktop Server Driver)
0x88D40000 C:\Windows\system32\DRIVERS\volmgr.sys 65536 bytes (Microsoft Corporation, Volume Manager Driver)
0x82287000 C:\Windows\system32\DRIVERS\usbehci.sys 61440 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0x8FDB1000 C:\Windows\system32\DRIVERS\blbdrive.sys 57344 bytes (Microsoft Corporation, BLB Drive Driver)
0x8ECD3000 C:\Windows\system32\DRIVERS\netbios.sys 57344 bytes (Microsoft Corporation, NetBIOS interface driver)
0x8EB88000 C:\Windows\System32\Drivers\Npfs.SYS 57344 bytes (Microsoft Corporation, NPFS Driver)
0x891D9000 C:\Windows\System32\drivers\pcw.sys 57344 bytes (Microsoft Corporation, Performance Counters for Windows Driver)
0x8EBEC000 C:\Windows\System32\Drivers\N360\0308000.029\SYMNDISV.SYS 57344 bytes (Symantec Corporation, NDIS Filter Driver)
0x96FF2000 C:\Windows\system32\DRIVERS\umbus.sys 57344 bytes (Microsoft Corporation, User-Mode Bus Enumerator)
0x9D7CF000 C:\Windows\System32\Drivers\usbaapl.sys 57344 bytes (Apple, Inc., Apple Mobile Device USB Driver)
0x88C93000 C:\Windows\system32\drivers\WDFLDR.SYS 57344 bytes (Microsoft Corporation, Kernel Mode Driver Framework Loader)
0x82324000 C:\Windows\system32\DRIVERS\CompositeBus.sys 53248 bytes (Microsoft Corporation, Multi-Transport Composite Bus Enumerator)
0x96100000 C:\Windows\System32\Drivers\crashdmp.sys 53248 bytes (Microsoft Corporation, Crash Dump Driver)
0x82311000 C:\Windows\system32\DRIVERS\kbdclass.sys 53248 bytes (Microsoft Corporation, Keyboard Class Driver)
0x82304000 C:\Windows\system32\DRIVERS\mouclass.sys 53248 bytes (Microsoft Corporation, Mouse Class Driver)
0x8FDF2000 C:\Windows\System32\drivers\tcpipreg.sys 53248 bytes (Microsoft Corporation, TCP/IP Registry Compatibility Driver)
0x8EB58000 C:\Windows\System32\drivers\watchdog.sys 53248 bytes (Microsoft Corporation, Watchdog Driver)
0x8FCAE000 C:\Windows\System32\drivers\discache.sys 49152 bytes (Microsoft Corporation, System Indexer/Cache Driver)
0x8EB2B000 C:\Windows\System32\drivers\vga.sys 49152 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0x822E1000 C:\Windows\system32\DRIVERS\fdc.sys 45056 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0x82481000 C:\Windows\system32\DRIVERS\monitor.sys 45056 bytes (Microsoft Corporation, Monitor Driver)
0x8EB7D000 C:\Windows\System32\Drivers\Msfs.SYS 45056 bytes (Microsoft Corporation, Mailslot driver)
0x823E2000 C:\Windows\system32\DRIVERS\ndistapi.sys 45056 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0x8EBAD000 C:\Windows\system32\DRIVERS\TDI.SYS 45056 bytes (Microsoft Corporation, TDI Wrapper)
0x96FE7000 C:\Windows\system32\DRIVERS\usbuhci.sys 45056 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0x96417000 C:\Windows\system32\DRIVERS\VClone.sys 45056 bytes (Elaborate Bytes AG, VirtualCloneCD Driver)
0x88D24000 C:\Windows\system32\DRIVERS\vdrvroot.sys 45056 bytes (Microsoft Corporation, Virtual Drive Root Enumerator)
0x960A2000 C:\Windows\System32\drivers\Dxapi.sys 40960 bytes (Microsoft Corporation, DirectX API Driver)
0x82466000 C:\Windows\system32\DRIVERS\flpydisk.sys 40960 bytes (Microsoft Corporation, Floppy Driver)
0x8ED80000 C:\Windows\system32\DRIVERS\mssmbios.sys 40960 bytes (Microsoft Corporation, System Management BIOS Driver)
0x8ED76000 C:\Windows\system32\drivers\nsiproxy.sys 40960 bytes (Microsoft Corporation, NSI Proxy)
0x88FA5000 C:\Windows\System32\Drivers\PxHelp20.sys 40960 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0x823ED000 C:\Windows\system32\DRIVERS\rdpbus.sys 40960 bytes (Microsoft Corporation, Microsoft RDP Bus Device driver)
0x825F2000 C:\Windows\System32\Drivers\secdrv.SYS 40960 bytes (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K., Macrovision SECURITY Driver)
0x82332000 C:\Windows\system32\drivers\SndTDriverV32.sys 40960 bytes (Windows ® Codename Longhorn DDK provider, Support Device)
0x8ED04000 C:\Windows\system32\drivers\N360\0308000.029\SRTSPX.SYS 40960 bytes (Symantec Corporation, Symantec AutoProtect)
0x88F08000 C:\Windows\system32\DRIVERS\amdxata.sys 36864 bytes (Advanced Micro Devices, Storage Filter Driver)
0x9D7C6000 C:\Windows\system32\DRIVERS\asyncmac.sys 36864 bytes (Microsoft Corporation, MS Remote Access serial network driver)
0x891E7000 C:\Windows\System32\Drivers\Fs_Rec.sys 36864 bytes (Microsoft Corporation, File System Recognizer Driver)
0x9D7A7000 C:\Windows\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0x8ECCA000 C:\Windows\system32\DRIVERS\SymIMv.sys 36864 bytes (Symantec Corporation, NDIS 6.0 Filter Driver for Windows Vista)
0x975A0000 C:\Windows\System32\TSDDD.dll 36864 bytes (Microsoft Corporation, Framebuffer Display Driver)
0x8959F000 C:\Windows\system32\DRIVERS\vmstorfl.sys 36864 bytes (Microsoft Corporation, Virtual Storage Filter Driver)
0x88CE9000 C:\Windows\system32\DRIVERS\WMILIB.SYS 36864 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0x832C3000 C:\Windows\system32\BOOTVID.dll 32768 bytes (Microsoft Corporation, VGA Boot Driver)
0x89418000 C:\Windows\System32\drivers\hwpolicy.sys 32768 bytes (Microsoft Corporation, Hardware Policy Driver)
0x80BA4000 C:\Windows\system32\kdcom.dll 32768 bytes (Microsoft Corporation, Serial Kernel Debugger)
0x88CF2000 C:\Windows\system32\DRIVERS\msisadrv.sys 32768 bytes (Microsoft Corporation, ISA Driver)
0x8EB65000 C:\Windows\System32\DRIVERS\RDPCDD.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
0x8EB6D000 C:\Windows\system32\drivers\rdpencdd.sys 32768 bytes (Microsoft Corporation, RDP Encoder Miniport)
0x8EB75000 C:\Windows\system32\drivers\rdprefmp.sys 32768 bytes (Microsoft Corporation, RDP Reflector Driver Miniport)
0x895E7000 C:\Windows\System32\Drivers\spldr.sys 32768 bytes (Microsoft Corporation, loader for security processor)
0x8EB24000 C:\Windows\System32\Drivers\Beep.SYS 28672 bytes (Microsoft Corporation, BEEP Driver)
0x8EB1D000 C:\Windows\System32\Drivers\Null.SYS 28672 bytes (Microsoft Corporation, NULL Driver)
0x8ECA4000 C:\Windows\system32\DRIVERS\wfplwf.sys 28672 bytes (Microsoft Corporation, WFP NDIS 6.20 Lightweight Filter Driver)
0x8231E000 C:\Windows\system32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0x8ED2F000 C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS 24576 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASDIFSV.SYS)
0x8EDE2000 C:\Windows\System32\Drivers\ElbyCDIO.sys 20480 bytes (Elaborate Bytes AG, ElbyCD Windows NT/2000/XP I/O driver)
0x961F9000 C:\Windows\system32\DRIVERS\lirsgt.sys 20480 bytes
0x96F2E000 C:\Windows\system32\DRIVERS\nvBridge.kmd 8192 bytes (NVIDIA Corporation, NVIDIA Compatible Windows Vista Kernel Mode Driver, Version 196.21 )
0x823F7000 C:\Windows\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0x960C3000 C:\Windows\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0x82331000 C:\Windows\system32\DRIVERS\MovRVDrv32.sys 4096 bytes (Windows ® 2000 DDK provider, Video Mirror Miniport)
!!!!!!!!!!!Hidden driver: 0x86A53AEA ?_empty_? 1302 bytes
0x86A53EC5 unknown_irp_handler 315 bytes
!!!!!!!!!!!Hidden driver: 0x86A1B300 ?_empty_? 0 bytes
==============================================
>Stealth
==============================================
0x88E2D000 WARNING: suspicious driver modification [iaStorV.sys::0x86A53AEA]
0x9D786F2E Unknown thread object [ ETHREAD 0x88782150 ] , 600 bytes
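The lines that matter in the GMER output above are the last ones: a hidden driver object at 0x86A53AEA, an `unknown_irp_handler` next to it, a second hidden object with zero size, and a warning that iaStorV.sys has been modified to point at the hidden object. A legitimate storage-stack driver patched to hand control to code that GMER cannot attribute to any loaded module is the pattern the TDSS/TDL3 family leaves on disk and in memory, and it is consistent with what the thread reports elsewhere: file-based scanners find nothing, while the Norton IPS signature "HTTPS Tidserv Request" keeps firing on the rootkit's outbound traffic. The Python script below is an added example, not part of the original thread and not GMER's own code. It parses a GMER module/stealth listing and separates the high-confidence indicators (hidden objects, patched drivers) from lower-confidence ones that need a human (modules with no vendor description, modules loaded from unusual paths). `SAMPLE_LOG` is constructed to mirror the format of the log above; the `iaStorV.sys` module line in it (size, description) and the `C:\Users\Public\temp\abcd.sys` entry are made up, the latter only to exercise the unusual-path branch, and the trusted-path list and severity levels are my assumptions.

```python
"""Triage a GMER module/stealth listing for rootkit indicators.

Added example; not part of the original thread or of GMER itself.
SAMPLE_LOG is constructed to mirror the format of the log posted above.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# "<addr> <path> <size> bytes (<vendor, description>)"; the description is optional.
MODULE_RE = re.compile(r"^0x([0-9A-Fa-f]{8})\s+(.+?)\s+(\d+) bytes(?:\s+\((.*)\))?\s*$")
HIDDEN_RE = re.compile(r"^!+Hidden driver:\s+0x([0-9A-Fa-f]{8})\s+(\S+)\s+(\d+) bytes")
WARNING_RE = re.compile(r"^0x([0-9A-Fa-f]{8})\s+WARNING:\s+(.*)$")
UNKNOWN_RE = re.compile(r"^0x([0-9A-Fa-f]{8})\s+(unknown_irp_handler|Unknown thread object)")

# Assumption: on this Windows 7 box kernel modules legitimately load from these
# roots (Program Files / ProgramData cover the Symantec and SUPERAntiSpyware drivers).
TRUSTED_PREFIXES = (r"c:\windows\system32", r"c:\program files", r"c:\programdata")


@dataclass
class Finding:
    severity: str   # "high": hidden object or patched driver; "medium": needs manual review
    address: str    # kernel address as printed by GMER, without the 0x prefix
    detail: str


def triage_gmer(text: str) -> list[Finding]:
    """Walk a GMER listing line by line and collect indicators in log order."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := HIDDEN_RE.match(line):
            addr, name, size = m.groups()
            findings.append(Finding("high", addr, f"hidden driver object '{name}', {size} bytes"))
        elif m := WARNING_RE.match(line):
            findings.append(Finding("high", m.group(1), m.group(2)))
        elif m := UNKNOWN_RE.match(line):
            findings.append(Finding("medium", m.group(1), m.group(2)))
        elif m := MODULE_RE.match(line):
            addr, path, _size, desc = m.groups()
            lowered = path.lower()
            if "\\" not in lowered:          # pseudo-modules such as ACPI_HAL carry no path
                continue
            if not lowered.startswith(TRUSTED_PREFIXES):
                findings.append(Finding("medium", addr, f"module loaded from unusual path: {path}"))
            elif desc is None:
                findings.append(Finding("medium", addr, f"module with no vendor/description: {path}"))
    return findings


def has_rootkit_indicators(findings: list[Finding]) -> bool:
    """True when GMER reported a hidden object or a patched driver (high severity)."""
    return any(f.severity == "high" for f in findings)


# Constructed sample in the format of the log above. Note that the patched
# driver's own module line (iaStorV.sys, values made up here) looks ordinary:
# trusted path, vendor present. Only the stealth section gives it away.
SAMPLE_LOG = r"""
0x88CFA000 C:\Windows\system32\DRIVERS\pci.sys 172032 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0x88E2D000 C:\Windows\system32\DRIVERS\iaStorV.sys 417792 bytes (Intel Corporation, Intel Matrix Storage Manager driver)
0x961E8000 C:\Windows\System32\Drivers\dump_dumpfve.sys 69632 bytes
0x83019000 ACPI_HAL 225280 bytes
0x9D7A7000 C:\Windows\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0x8A000000 C:\Users\Public\temp\abcd.sys 45056 bytes
!!!!!!!!!!!Hidden driver: 0x86A53AEA ?_empty_? 1302 bytes
0x86A53EC5 unknown_irp_handler 315 bytes
!!!!!!!!!!!Hidden driver: 0x86A1B300 ?_empty_? 0 bytes
==============================================
>Stealth
==============================================
0x88E2D000 WARNING: suspicious driver modification [iaStorV.sys::0x86A53AEA]
0x9D786F2E Unknown thread object [ ETHREAD 0x88782150 ] , 600 bytes
"""

if __name__ == "__main__":
    import sys
    source = SAMPLE_LOG
    if len(sys.argv) > 1:   # usage: python triage_gmer.py saved_gmer_log.txt
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            source = fh.read()
    results = triage_gmer(source)
    for f in results:
        print(f"[{f.severity:6}] 0x{f.address}  {f.detail}")
    print("rootkit indicators present:", has_rootkit_indicators(results))
```

Run it without arguments to see the constructed sample, or pass a saved GMER log. Expect noise among the medium findings: GMER routinely lists the crash-dump copies of drivers (`dump_*.sys`, as on the log above) without a description, and copy-protection or virtual-drive drivers may lack one too, so those entries are only a prompt to look, not a verdict. The high-severity findings are different: a hidden driver object and a `WARNING: suspicious driver modification` pointing at it are not explained by any benign configuration, which is why the helper's advice in the next post treats the machine as compromised regardless of what the file scanners say.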


#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:23 AM

Posted 15 June 2010 - 11:23 PM

Greetings

One or more of the identified infections is a Backdoor Trojan. - TDSS rootkit

This could allow hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC could be compromised and there is no way to be sure that your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If you would like to continue, then follow the steps below, otherwise please let me know.

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:
    Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
    This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
    It is a simple procedure that will only take a few moments of your time.


    Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    Please continue as follows:
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a report for you.

    Please include the report in your next post:

    C:\ComboFix.txt

"information and logs"
    In your next post I need the following
    1. Log from Combofix
    2. let me know of any problems you may have had
    3. How is the computer doing now?

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic




#5 sn3akym4n

sn3akym4n
  • Topic Starter

  • Members
  • 20 posts
  • Local time:12:23 AM

Posted 16 June 2010 - 12:02 AM

So ComboFix did delete some files, but maybe 3 min after surfing the web I still got the HTTPS Tidserv Request.

ComboFix 10-06-15.02 - Mr. Rogers 06/15/2010 23:41:15.1.2 - x86
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.2046.1459 [GMT -5:00]
Running from: c:\users\Mr. Rogers\Desktop\ComboFix.exe
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Search Settings
c:\program files\Search Settings\FF\chrome.manifest
c:\program files\Search Settings\FF\chrome\content\plugin.js
c:\program files\Search Settings\FF\chrome\content\plugin.xul
c:\program files\Search Settings\FF\chrome\content\protection.js
c:\program files\Search Settings\FF\chrome\content\utils.js
c:\program files\Search Settings\FF\chrome\locale\en-US\searchsettingsplugin.dtd
c:\program files\Search Settings\FF\chrome\locale\en-US\searchsettingsplugin.properties
c:\program files\Search Settings\FF\components\IFBHOSearch.xpt
c:\program files\Search Settings\FF\components\IFBHOSearchHelperEngine.xpt
c:\program files\Search Settings\FF\components\IFHelperPreferences.xpt
c:\program files\Search Settings\FF\components\SearchSettingsFF.dll
c:\program files\Search Settings\FF\install.rdf
c:\program files\Search Settings\SearchSettingsRes409.dll
c:\program files\Search Toolbar
c:\program files\Search Toolbar\SearchToolbar.dll
c:\users\Mr. Rogers\AppData\Roaming\EurekaLog

.
((((((((((((((((((((((((( Files Created from 2010-05-16 to 2010-06-16 )))))))))))))))))))))))))))))))
.

2010-06-16 04:52 . 2010-06-16 04:52 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-16 04:27 . 2010-06-16 04:28 -------- d-----w- C:\32788R22FWJFW
2010-06-13 15:23 . 2010-06-13 15:23 -------- d-----w- c:\users\Mr. Rogers\AppData\Local\eSupport.com
2010-06-13 15:23 . 2010-06-13 15:23 23456 ----a-w- c:\windows\system32\drivers\DrvAgent32.sys
2010-06-13 15:18 . 2010-06-14 02:51 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-06-13 15:18 . 2010-06-13 15:18 -------- d-----w- c:\programdata\Hitman Pro
2010-06-13 15:18 . 2010-06-13 15:18 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-06-12 23:40 . 2010-06-12 23:40 32768 ---ha-w- C:\SZKGFS.dat
2010-06-12 23:38 . 2010-06-12 23:38 -------- d-----w- c:\programdata\SITEguard
2010-06-12 23:37 . 2010-06-13 00:04 -------- d-----w- c:\programdata\STOPzilla!
2010-06-12 23:37 . 2010-06-12 23:37 -------- d-----w- c:\program files\Common Files\iS3
2010-06-12 03:18 . 2010-06-12 03:18 -------- d-----w- c:\users\Mr. Rogers\AppData\Roaming\Malwarebytes
2010-06-12 03:18 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-12 03:18 . 2010-06-12 03:18 -------- d-----w- c:\programdata\Malwarebytes
2010-06-12 03:18 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-12 03:18 . 2010-06-12 03:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-11 01:55 . 2010-06-11 01:55 -------- d-----w- c:\users\Mr. Rogers\AppData\Local\Symantec
2010-06-10 03:53 . 2010-06-10 03:53 -------- d-----w- c:\program files\Common Files\Java
2010-06-10 03:53 . 2010-06-10 03:52 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-08 22:55 . 2010-05-21 05:18 977920 ----a-w- c:\windows\system32\wininet.dll
2010-06-08 22:53 . 2010-05-01 14:49 2326528 ----a-w- c:\windows\system32\win32k.sys
2010-06-08 22:53 . 2010-03-05 07:42 67584 ----a-w- c:\windows\system32\asycfilt.dll
2010-06-08 22:49 . 2010-05-27 07:24 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-06-08 22:49 . 2010-05-27 03:49 293888 ----a-w- c:\windows\system32\atmfd.dll
2010-06-08 01:36 . 2010-06-08 01:36 -------- d-----w- c:\users\Mr. Rogers\AppData\Roaming\LolClient
2010-06-08 01:17 . 2010-03-31 05:47 38784 ----a-w- c:\users\Mr. Rogers\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-06-08 01:13 . 2010-06-08 01:13 -------- d-----w- C:\Riot Games
2010-06-08 00:36 . 2010-06-08 03:24 -------- d-----w- c:\users\Mr. Rogers\AppData\Local\PMB Files
2010-06-08 00:36 . 2010-06-08 00:36 -------- d-----w- c:\programdata\PMB Files
2010-06-08 00:35 . 2010-06-08 00:35 -------- d-----w- c:\program files\Pando Networks
2010-06-06 02:56 . 2010-06-06 02:56 86528 ----a-w- c:\windows\bnetunin.exe
2010-06-06 02:56 . 2010-06-06 02:56 61440 ----a-w- c:\windows\diabswun.exe
2010-06-06 02:22 . 2010-06-06 02:22 -------- d-----w- c:\program files\Tunatic
2010-06-06 01:16 . 2010-06-06 01:16 -------- d-----w- c:\program files\Mind Quiz
2010-06-05 04:48 . 2010-06-05 04:48 -------- d-----w- c:\users\Mr. Rogers\AppData\Local\ElevatedDiagnostics
2010-06-03 22:25 . 2010-06-03 22:25 -------- d-----w- c:\program files\LSoft Technologies
2010-06-01 14:58 . 2010-06-01 16:10 77065 ----a-w- c:\windows\War3Unin.dat
2010-06-01 14:58 . 2010-06-01 15:34 2829 ----a-w- c:\windows\War3Unin.pif
2010-06-01 14:58 . 2010-06-01 15:34 139264 ----a-w- c:\windows\War3Unin.exe
2010-06-01 14:54 . 2010-06-16 01:24 -------- d-----w- c:\program files\Warcraft III
2010-05-29 23:10 . 2008-10-27 15:04 514384 ----a-w- c:\windows\system32\XAudio2_3.dll
2010-05-29 22:37 . 2010-05-29 22:37 271360 ----a-w- c:\windows\system32\drivers\atksgt.sys
2010-05-29 22:37 . 2010-05-29 22:37 18048 ----a-w- c:\windows\system32\drivers\lirsgt.sys
2010-05-29 22:24 . 2010-05-29 22:24 -------- d-----w- c:\program files\Aspyr
2010-05-29 22:24 . 2010-06-08 01:13 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-29 00:33 . 2010-05-29 00:33 -------- d-----w- c:\programdata\Hewlett-Packard
2010-05-25 17:51 . 2010-04-23 07:13 2048 ----a-w- c:\windows\system32\tzres.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-16 03:15 . 2010-01-30 07:37 -------- d-----w- c:\users\Mr. Rogers\AppData\Roaming\Apple Computer
2010-06-15 00:36 . 2010-01-30 17:27 -------- d-----w- c:\users\Mr. Rogers\AppData\Roaming\U3
2010-06-13 00:01 . 2010-06-13 00:01 336 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2010-06-13 00:00 . 2010-06-12 23:59 608 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-06-12 07:42 . 2010-02-02 15:23 -------- d-----w- c:\users\Mr. Rogers\AppData\Roaming\vlc
2010-06-09 03:26 . 2010-02-03 20:08 -------- d-----w- c:\programdata\Microsoft Help
2010-06-05 02:03 . 2010-02-13 21:42 -------- d-----w- c:\program files\Steam
2010-05-27 00:56 . 2010-03-01 02:34 117760 ----a-w- c:\users\Mr. Rogers\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-13 02:16 . 2010-02-13 22:18 -------- d-----w- c:\program files\Common Files\Steam
2010-05-13 01:56 . 2010-02-23 02:54 -------- d-----w- c:\users\Mr. Rogers\AppData\Roaming\dvdcss
2010-05-12 22:06 . 2010-02-12 19:35 -------- d-----w- c:\programdata\DVD Shrink
2010-05-12 22:05 . 2010-02-12 19:35 -------- d-----w- c:\program files\DVD Shrink
2010-05-12 05:20 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail
2010-05-11 03:50 . 2010-05-11 00:41 -------- d-----w- c:\users\Mr. Rogers\AppData\Roaming\Free Download Manager
2010-05-11 00:41 . 2010-05-11 00:41 -------- d-----w- c:\program files\Free Download Manager
2010-05-11 00:41 . 2010-05-11 00:41 -------- d-----w- c:\programdata\FreeDownloadManager.ORG
2010-05-03 19:40 . 2010-05-03 19:39 -------- d-----w- c:\program files\iTunes
2010-05-03 19:39 . 2010-05-03 19:39 -------- d-----w- c:\program files\iPod
2010-05-03 19:39 . 2010-01-30 15:54 -------- d-----w- c:\program files\Common Files\Apple
2010-05-03 19:36 . 2010-05-03 19:36 -------- d-----w- c:\program files\Bonjour
2010-05-03 18:52 . 2010-05-03 18:52 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-05-02 21:55 . 2010-05-02 21:55 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2010-04-29 18:49 . 2010-01-30 15:56 -------- d-----w- c:\programdata\Apple Computer
2010-04-27 04:32 . 2010-04-27 04:19 -------- d-----w- c:\program files\Pinball
2010-04-08 21:49 . 2010-01-30 09:40 72720 ----a-w- c:\users\Mr. Rogers\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-08 18:20 . 2010-04-08 18:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 18:20 . 2010-04-08 18:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-03-31 05:47 . 2010-03-31 05:47 38784 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-03-31 05:42 . 2010-03-31 03:58 692437298 ----a-w- c:\program files\data2.cab
2010-03-31 05:40 . 2010-03-31 03:58 254098 ----a-w- c:\program files\setup.inx
2010-03-31 05:40 . 2010-03-31 03:58 1669931 ----a-w- c:\program files\setup.isn
2010-03-31 05:39 . 2010-03-31 03:58 1079468 ----a-w- c:\program files\data1.cab
2010-03-31 05:24 . 2010-03-31 03:58 371458 ----a-w- c:\program files\data1.hdr
2010-03-31 05:22 . 2010-03-31 03:58 21494 ----a-w- c:\program files\0x0409.ini
2010-03-31 04:56 . 2010-03-31 03:58 576000 ----a-w- c:\program files\ISSetup.dll
2010-03-31 04:42 . 2010-03-31 03:58 1224 ----a-w- c:\program files\setup.ini
2010-03-31 04:29 . 2010-03-31 03:58 473 ----a-w- c:\program files\layout.bin
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-18 2012912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-06-17 85160]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKLM\~\startupfolder\C:^Users^Mr. Rogers^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Mr. Rogers\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\combofix]
c:\combo-fix\CF27026.cfxxe [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-05-10 04:32 1238352 ----a-w- c:\program files\Steam\Steam.exe

R2 gupdate1caad1565fa3e54;Google Update Service (gupdate1caad1565fa3e54);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-14 133104]
R2 StudioPro;StudioPro webcam;c:\windows\system32\DRIVERS\StudioPro.sys [2007-01-06 120320]
R3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [2008-08-15 284016]
R3 DrvAgent32;DrvAgent32;c:\windows\system32\Drivers\DrvAgent32.sys [2010-06-13 23456]
R3 EuMusDesignVirtualAudioCableWdm;StudioPro audio (WDM);c:\windows\system32\DRIVERS\vrtaucbl.sys [2007-04-23 38784]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-17 12872]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2009-12-01 34384]
R3 SoundMovieServer;SoundMovieServer;c:\windows\system32\snmvtsvc.exe [2008-04-17 184320]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-03 1343400]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-04-16 11520]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SYMEFA.SYS [2010-01-30 310320]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\Drivers\N360\0308000.029\BHDrvx86.sys [2010-01-30 259632]
S1 ccHP;Symantec Hash Provider;c:\windows\System32\Drivers\N360\0308000.029\ccHPx86.sys [2010-01-30 482432]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20100604.004\IDSvix86.sys [2010-05-28 344112]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-02-17 66632]
S2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [2009-12-16 375296]
S2 N360;Norton 360;c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe [2010-01-30 117640]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-05-27 102448]
S3 MovRVDrv32;MovRVDrv32;c:\windows\system32\DRIVERS\MovRVDrv32.sys [2008-04-17 3768]
S3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\Drivers\N360\0308000.029\SYMNDISV.SYS [2010-01-30 48688]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9C450606-ED24-4958-92BA-B8940C99D441}]
2009-03-04 22:32 8192 ----a-w- c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2010-06-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-14 01:30]

2010-06-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-14 01:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://tmq.bingstart.com/?cfg=2-168-0-1ipGy
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Mr. Rogers\AppData\Roaming\Mozilla\Firefox\Profiles\fxeei5v6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://tmq.bingstart.com/s/?src=FF-Address&site=Bing&cfg=2-168-0-1ipGy&q=
FF - component: c:\program files\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Pando Networks\Media Booster\npPandoWebPlugin.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x869DCEC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
IoDeviceObjectType -> DumpProcedure -> 0xd46a624f
SecurityProcedure -> 0x84eb33d0
QueryNameProcedure -> 0x84eb3560
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-06-15 23:56:46
ComboFix-quarantined-files.txt 2010-06-16 04:56

Pre-Run: 67,877,072,896 bytes free
Post-Run: 67,773,833,216 bytes free

- - End Of File - - F313BFC749F7C4F5564B2CB3BD7DC2B8


#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:23 AM

Posted 16 June 2010 - 12:11 AM

Greetings

We need to run this next.

TDSSKiller:
  • Please Download TDSSKiller.zip and save it on your desktop.
  • Extract (unzip) its contents to your Desktop.
  • Double-click the TDSSKiller folder on your desktop.
  • Right-click on TDSSKiller.exe and click Copy, then Paste it directly on to your Desktop.
  • Highlight and copy the text in the codebox below.
CODE
"%userprofile%\desktop\tdsskiller.exe" -l "%userprofile%\desktop\tdsskiller.txt"
  • Click Start, click Run... and paste the text above into the Open: line and click OK.
  • If malicious services or files have been detected, the utility will prompt to reboot the PC in order to complete the disinfection procedure. Please reboot when prompted.
  • After reboot, the driver will delete malicious registry keys and files as well as remove itself from the services list.
  • A log file should be created on your C: drive, named something like TDSSKiller 2.1.1 Dec 20 2009 02:40:02.
  • To find the log, click Start, then Computer, then Vista (C:).
  • Please post the contents of that log in your next reply.


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#7 sn3akym4n

sn3akym4n
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:12:23 AM

Posted 16 June 2010 - 02:47 PM

There was no detection of any virus!


16:55:31:972 4076 TDSS rootkit removing tool 2.3.2.0 May 31 2010 10:39:48
16:55:31:972 4076 ================================================================================
16:55:31:972 4076 SystemInfo:

16:55:31:972 4076 OS Version: 6.1.7600 ServicePack: 0.0
16:55:31:972 4076 Product type: Workstation
16:55:31:972 4076 ComputerName: MRROGERS-PC
16:55:31:972 4076 UserName: Mr. Rogers
16:55:31:972 4076 Windows directory: C:\Windows
16:55:31:972 4076 Processor architecture: Intel x86
16:55:31:972 4076 Number of processors: 2
16:55:31:972 4076 Page size: 0x1000
16:55:31:972 4076 Boot type: Normal boot
16:55:31:972 4076 ================================================================================
16:55:32:425 4076 Initialize success
16:55:32:425 4076
16:55:32:425 4076 Scanning Services ...
16:55:33:610 4076 Raw services enum returned 480 services
16:55:33:626 4076
16:55:33:626 4076 Scanning Drivers ...
16:55:33:891 4076
16:55:33:891 4076 Completed
16:55:33:891 4076
16:55:33:891 4076 Results:
16:55:33:891 4076 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
16:55:33:891 4076 File objects infected / cured / cured on reboot: 0 / 0 / 0
16:55:33:891 4076
16:55:33:891 4076 KLMD(ARK) unloaded successfully
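
Added example, not part of this thread and not code from Kaspersky or Gmer: a small Python triage helper that parses the two anti-rootkit log formats posted above, the Gmer MBR detector block inside the ComboFix log in #5 and the TDSSKiller log in #7, into structured records and a verdict. The sample log text embedded below is constructed from (and abbreviated against) the output in those posts; the field names, dataclasses and verdict strings are assumptions of this example, not anything the tools define. The point it makes is that a "0 / 0 / 0" TDSSKiller result only means nothing was detected by that engine on that run, and that an incomplete log should never be read as clean, while the MBR detector's "UNKNOWN" module in the disk I/O call chain is exactly the kind of indicator a responder wants surfaced rather than buried in the log.

```python
"""Triage helper for TDSSKiller and Gmer MBR-detector logs (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample: abbreviated copy of the TDSSKiller log posted in #7.
TDSSKILLER_LOG = """\
16:55:31:972 4076 TDSS rootkit removing tool 2.3.2.0 May 31 2010 10:39:48
16:55:31:972 4076 ================================================================================
16:55:31:972 4076 SystemInfo:

16:55:31:972 4076 OS Version: 6.1.7600 ServicePack: 0.0
16:55:31:972 4076 Product type: Workstation
16:55:31:972 4076 Processor architecture: Intel x86
16:55:31:972 4076 Boot type: Normal boot
16:55:31:972 4076 ================================================================================
16:55:32:425 4076 Initialize success
16:55:32:425 4076 Scanning Services ...
16:55:33:610 4076 Raw services enum returned 480 services
16:55:33:891 4076 Completed
16:55:33:891 4076 Results:
16:55:33:891 4076 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
16:55:33:891 4076 File objects infected / cured / cured on reboot: 0 / 0 / 0
16:55:33:891 4076 KLMD(ARK) unloaded successfully
"""

# Constructed sample: the Gmer MBR detector block from the ComboFix log in #5.
MBR_DETECTOR_LOG = """\
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x869DCEC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
IoDeviceObjectType -> DumpProcedure -> 0xd46a624f
SecurityProcedure -> 0x84eb33d0
QueryNameProcedure -> 0x84eb3560
user & kernel MBR OK
"""

# TDSSKiller lines are "HH:MM:SS:mmm <pid> <message>"; the message may be empty.
TDSS_LINE = re.compile(r"^(\d{2}:\d{2}:\d{2}:\d{3})\s+(\d+)(?:\s+(.*))?$")
RESULT_LINE = re.compile(
    r"^(Registry|File) objects infected / cured / cured on reboot: (\d+) / (\d+) / (\d+)$")


@dataclass
class TdssReport:                      # assumed structure, not the tool's own
    tool_version: str = ""
    system_info: dict = field(default_factory=dict)
    counts: dict = field(default_factory=dict)   # "registry"/"file" -> (infected, cured, on_reboot)
    completed: bool = False


def parse_tdsskiller(text: str) -> TdssReport:
    rep = TdssReport()
    in_sysinfo = False
    for raw in text.splitlines():
        m = TDSS_LINE.match(raw)
        if not m:
            continue                   # blank or non-log line
        msg = (m.group(3) or "").strip()
        if msg.startswith("TDSS rootkit removing tool"):
            rep.tool_version = msg.split()[4]        # e.g. "2.3.2.0"
        elif msg == "SystemInfo:":
            in_sysinfo = True
        elif msg.startswith("="):
            in_sysinfo = False                       # separator closes the block
        elif in_sysinfo and ": " in msg:
            key, _, val = msg.partition(": ")
            rep.system_info[key] = val
        elif msg == "Completed":
            rep.completed = True
        else:
            r = RESULT_LINE.match(msg)
            if r:
                rep.counts[r.group(1).lower()] = tuple(int(x) for x in r.groups()[1:])
    return rep


def tdss_verdict(rep: TdssReport) -> str:
    """Summarise the Results block; an aborted or truncated log is never 'clean'."""
    if not rep.completed or not rep.counts:
        return "incomplete"
    infected = sum(c[0] for c in rep.counts.values())
    cured = sum(c[1] for c in rep.counts.values())
    on_reboot = sum(c[2] for c in rep.counts.values())
    if infected == 0:
        return "nothing-detected"      # by this engine, on this run; not proof of a clean box
    if on_reboot:
        return "reboot-required"
    return "cured" if cured == infected else "infected"


@dataclass
class MbrReport:                       # assumed structure, not the detector's own
    hooks: list = field(default_factory=list)           # tuples split on "->"
    unknown_modules: list = field(default_factory=list) # addresses marked >>UNKNOWN<<
    mbr_ok: bool = False


def parse_mbr_detector(text: str) -> MbrReport:
    rep = MbrReport()
    in_hooks = False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("called modules:"):
            # An unnamed module in the disk I/O chain is the finding worth chasing.
            rep.unknown_modules = re.findall(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<", line)
        elif line == "detected MBR rootkit hooks:":
            in_hooks = True
        elif line == "user & kernel MBR OK":
            rep.mbr_ok = True          # the MBR sectors themselves compared clean
            in_hooks = False
        elif in_hooks and "->" in line:
            rep.hooks.append(tuple(p.strip() for p in line.split("->")))
    return rep


if __name__ == "__main__":
    t = parse_tdsskiller(TDSSKILLER_LOG)
    print("TDSSKiller", t.tool_version, t.system_info.get("OS Version"), tdss_verdict(t))
    m = parse_mbr_detector(MBR_DETECTOR_LOG)
    print("MBR ok:", m.mbr_ok, "hooks:", len(m.hooks), "unknown modules:", m.unknown_modules)
```

Run against the thread's own output this reports "nothing-detected" for the TDSSKiller run and, for the MBR block, an intact MBR but three listed hooks plus one unknown module address in the disk stack; reading the two together is what justifies the helper's decision to keep going rather than closing the case on the TDSSKiller result alone.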


#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:23 AM

Posted 16 June 2010 - 09:55 PM

Greetings

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

CODE
File::
c:\windows\system32\drivers\kgpfr2.cfg
c:\windows\system32\drivers\kgpcpy.cfg


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe.

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

NOTE**
  • When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will upload files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

"information and logs"
    In your next post I need the following
    1. report from Combofix
    2. let me know of any problems you may have had
    3. How is the computer doing now after running the script?

Gringo



#9 sn3akym4n

sn3akym4n
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:12:23 AM

Posted 16 June 2010 - 11:22 PM

The Norton warning happened again while browsing the internet a few minutes after the scan.


ComboFix 10-06-16.02 - Mr. Rogers 06/16/2010 22:58:23.2.2 - x86
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.2046.1233 [GMT -5:00]
Running from: c:\users\Mr. Rogers\Desktop\ComboFix.exe
Command switches used :: c:\users\Mr. Rogers\Desktop\CFScript.txt
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

FILE ::
"c:\windows\system32\drivers\kgpcpy.cfg"
"c:\windows\system32\drivers\kgpfr2.cfg"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\kgpcpy.cfg
c:\windows\system32\drivers\kgpfr2.cfg

.
((((((((((((((((((((((((( Files Created from 2010-05-17 to 2010-06-17 )))))))))))))))))))))))))))))))
.

2010-06-17 04:09 . 2010-06-17 04:09 -------- d-----w- c:\users\Mr. Rogers\AppData\Local\temp
2010-06-17 04:09 . 2010-06-17 04:09 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-06-17 04:09 . 2010-06-17 04:09 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-17 03:46 . 2010-06-17 03:47 -------- d-----w- C:\32788R22FWJFW
2010-06-13 15:23 . 2010-06-13 15:23 -------- d-----w- c:\users\Mr. Rogers\AppData\Local\eSupport.com
2010-06-13 15:23 . 2010-06-13 15:23 23456 ----a-w- c:\windows\system32\drivers\DrvAgent32.sys
2010-06-13 15:18 . 2010-06-14 02:51 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-06-13 15:18 . 2010-06-13 15:18 -------- d-----w- c:\programdata\Hitman Pro
2010-06-13 15:18 . 2010-06-13 15:18 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-06-12 23:40 . 2010-06-12 23:40 32768 ---ha-w- C:\SZKGFS.dat
2010-06-12 23:38 . 2010-06-12 23:38 -------- d-----w- c:\programdata\SITEguard
2010-06-12 23:37 . 2010-06-13 00:04 -------- d-----w- c:\programdata\STOPzilla!
2010-06-12 23:37 . 2010-06-12 23:37 -------- d-----w- c:\program files\Common Files\iS3
2010-06-12 03:18 . 2010-06-12 03:18 -------- d-----w- c:\users\Mr. Rogers\AppData\Roaming\Malwarebytes
2010-06-12 03:18 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-12 03:18 . 2010-06-12 03:18 -------- d-----w- c:\programdata\Malwarebytes
2010-06-12 03:18 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-12 03:18 . 2010-06-12 03:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-11 01:55 . 2010-06-11 01:55 -------- d-----w- c:\users\Mr. Rogers\AppData\Local\Symantec
2010-06-10 03:53 . 2010-06-10 03:53 -------- d-----w- c:\program files\Common Files\Java
2010-06-10 03:53 . 2010-06-10 03:52 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-08 22:55 . 2010-05-21 05:18 977920 ----a-w- c:\windows\system32\wininet.dll
2010-06-08 22:53 . 2010-05-01 14:49 2326528 ----a-w- c:\windows\system32\win32k.sys
2010-06-08 22:53 . 2010-03-05 07:42 67584 ----a-w- c:\windows\system32\asycfilt.dll
2010-06-08 22:49 . 2010-05-27 07:24 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-06-08 22:49 . 2010-05-27 03:49 293888 ----a-w- c:\windows\system32\atmfd.dll
2010-06-08 01:36 . 2010-06-08 01:36 -------- d-----w- c:\users\Mr. Rogers\AppData\Roaming\LolClient
2010-06-08 01:17 . 2010-03-31 05:47 38784 ----a-w- c:\users\Mr. Rogers\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-06-08 01:13 . 2010-06-08 01:13 -------- d-----w- C:\Riot Games
2010-06-08 00:36 . 2010-06-08 03:24 -------- d-----w- c:\users\Mr. Rogers\AppData\Local\PMB Files
2010-06-08 00:36 . 2010-06-08 00:36 -------- d-----w- c:\programdata\PMB Files
2010-06-08 00:35 . 2010-06-08 00:35 -------- d-----w- c:\program files\Pando Networks
2010-06-06 02:56 . 2010-06-06 02:56 86528 ----a-w- c:\windows\bnetunin.exe
2010-06-06 02:56 . 2010-06-06 02:56 61440 ----a-w- c:\windows\diabswun.exe
2010-06-06 02:22 . 2010-06-06 02:22 -------- d-----w- c:\program files\Tunatic
2010-06-06 01:16 . 2010-06-06 01:16 -------- d-----w- c:\program files\Mind Quiz
2010-06-05 04:48 . 2010-06-05 04:48 -------- d-----w- c:\users\Mr. Rogers\AppData\Local\ElevatedDiagnostics
2010-06-03 22:25 . 2010-06-03 22:25 -------- d-----w- c:\program files\LSoft Technologies
2010-06-01 14:58 . 2010-06-01 16:10 77065 ----a-w- c:\windows\War3Unin.dat
2010-06-01 14:58 . 2010-06-01 15:34 2829 ----a-w- c:\windows\War3Unin.pif
2010-06-01 14:58 . 2010-06-01 15:34 139264 ----a-w- c:\windows\War3Unin.exe
2010-06-01 14:54 . 2010-06-16 01:24 -------- d-----w- c:\program files\Warcraft III
2010-05-29 23:10 . 2008-10-27 15:04 514384 ----a-w- c:\windows\system32\XAudio2_3.dll
2010-05-29 22:37 . 2010-05-29 22:37 271360 ----a-w- c:\windows\system32\drivers\atksgt.sys
2010-05-29 22:37 . 2010-05-29 22:37 18048 ----a-w- c:\windows\system32\drivers\lirsgt.sys
2010-05-29 22:24 . 2010-05-29 22:24 -------- d-----w- c:\program files\Aspyr
2010-05-29 22:24 . 2010-06-08 01:13 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-29 00:33 . 2010-05-29 00:33 -------- d-----w- c:\programdata\Hewlett-Packard
2010-05-25 17:51 . 2010-04-23 07:13 2048 ----a-w- c:\windows\system32\tzres.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-16 21:26 . 2010-02-02 15:23 -------- d-----w- c:\users\Mr. Rogers\AppData\Roaming\vlc
2010-06-16 21:08 . 2010-01-30 17:27 -------- d-----w- c:\users\Mr. Rogers\AppData\Roaming\U3
2010-06-16 03:15 . 2010-01-30 07:37 -------- d-----w- c:\users\Mr. Rogers\AppData\Roaming\Apple Computer
2010-06-09 03:26 . 2010-02-03 20:08 -------- d-----w- c:\programdata\Microsoft Help
2010-06-05 02:03 . 2010-02-13 21:42 -------- d-----w- c:\program files\Steam
2010-05-27 00:56 . 2010-03-01 02:34 117760 ----a-w- c:\users\Mr. Rogers\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-13 02:16 . 2010-02-13 22:18 -------- d-----w- c:\program files\Common Files\Steam
2010-05-13 01:56 . 2010-02-23 02:54 -------- d-----w- c:\users\Mr. Rogers\AppData\Roaming\dvdcss
2010-05-12 22:06 . 2010-02-12 19:35 -------- d-----w- c:\programdata\DVD Shrink
2010-05-12 22:05 . 2010-02-12 19:35 -------- d-----w- c:\program files\DVD Shrink
2010-05-12 05:20 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail
2010-05-11 03:50 . 2010-05-11 00:41 -------- d-----w- c:\users\Mr. Rogers\AppData\Roaming\Free Download Manager
2010-05-11 00:41 . 2010-05-11 00:41 -------- d-----w- c:\program files\Free Download Manager
2010-05-11 00:41 . 2010-05-11 00:41 -------- d-----w- c:\programdata\FreeDownloadManager.ORG
2010-05-03 19:40 . 2010-05-03 19:39 -------- d-----w- c:\program files\iTunes
2010-05-03 19:39 . 2010-05-03 19:39 -------- d-----w- c:\program files\iPod
2010-05-03 19:39 . 2010-01-30 15:54 -------- d-----w- c:\program files\Common Files\Apple
2010-05-03 19:36 . 2010-05-03 19:36 -------- d-----w- c:\program files\Bonjour
2010-05-03 18:52 . 2010-05-03 18:52 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-05-02 21:55 . 2010-05-02 21:55 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2010-04-29 18:49 . 2010-01-30 15:56 -------- d-----w- c:\programdata\Apple Computer
2010-04-27 04:32 . 2010-04-27 04:19 -------- d-----w- c:\program files\Pinball
2010-04-08 21:49 . 2010-01-30 09:40 72720 ----a-w- c:\users\Mr. Rogers\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-08 18:20 . 2010-04-08 18:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 18:20 . 2010-04-08 18:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-03-31 05:47 . 2010-03-31 05:47 38784 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-03-31 05:42 . 2010-03-31 03:58 692437298 ----a-w- c:\program files\data2.cab
2010-03-31 05:40 . 2010-03-31 03:58 254098 ----a-w- c:\program files\setup.inx
2010-03-31 05:40 . 2010-03-31 03:58 1669931 ----a-w- c:\program files\setup.isn
2010-03-31 05:39 . 2010-03-31 03:58 1079468 ----a-w- c:\program files\data1.cab
2010-03-31 05:24 . 2010-03-31 03:58 371458 ----a-w- c:\program files\data1.hdr
2010-03-31 05:22 . 2010-03-31 03:58 21494 ----a-w- c:\program files\0x0409.ini
2010-03-31 04:56 . 2010-03-31 03:58 576000 ----a-w- c:\program files\ISSetup.dll
2010-03-31 04:42 . 2010-03-31 03:58 1224 ----a-w- c:\program files\setup.ini
2010-03-31 04:29 . 2010-03-31 03:58 473 ----a-w- c:\program files\layout.bin
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-06-16_04.52.58 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-01 14:49 . 2010-06-17 03:58 21864 c:\windows\System32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 04:55 . 2010-06-17 03:58 44624 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2009-07-14 04:55 . 2010-06-16 04:41 44624 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2010-01-30 09:34 . 2010-06-16 04:39 65536 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-01-30 09:34 . 2010-06-17 03:56 65536 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-06-12 05:24 . 2010-06-17 00:28 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\index.dat
- 2010-06-12 05:24 . 2010-06-15 20:19 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\index.dat
- 2009-07-14 04:41 . 2010-06-16 04:39 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:41 . 2010-06-17 03:56 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-06-11 00:41 . 2010-06-15 19:57 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
+ 2010-06-11 00:41 . 2010-06-16 18:24 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
- 2010-01-30 16:21 . 2010-06-16 04:41 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-01-30 16:21 . 2010-06-17 03:58 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-01-30 16:21 . 2010-06-17 03:58 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-01-30 16:21 . 2010-06-16 04:41 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-01-30 16:21 . 2010-06-16 04:41 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-01-30 16:21 . 2010-06-17 03:58 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-01-30 17:12 . 2010-06-16 04:39 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-01-30 17:12 . 2010-06-17 03:56 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-02-01 15:03 . 2010-06-16 04:08 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2010-02-01 15:03 . 2010-06-17 03:00 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2010-02-01 15:03 . 2010-06-17 03:00 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
- 2010-02-01 15:03 . 2010-06-16 04:08 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
- 2010-02-01 15:03 . 2010-06-16 04:08 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
+ 2010-02-01 15:03 . 2010-06-17 03:00 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
- 2010-01-30 17:12 . 2010-06-16 04:39 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-01-30 17:12 . 2010-06-17 03:56 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-01-30 17:12 . 2010-06-17 03:56 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-01-30 17:12 . 2010-06-16 04:39 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-02-01 14:49 . 2010-06-17 03:58 9466 c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-4000315813-446636876-3932809114-1001_UserData.bin
- 2010-06-16 04:39 . 2010-06-16 04:39 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-06-17 03:56 . 2010-06-17 03:56 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-06-17 03:56 . 2010-06-17 03:56 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2010-06-16 04:39 . 2010-06-16 04:39 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-14 02:05 . 2010-06-16 21:22 615122 c:\windows\System32\perfh009.dat
- 2009-07-14 02:05 . 2010-06-16 04:14 615122 c:\windows\System32\perfh009.dat
- 2009-07-14 02:05 . 2010-06-16 04:14 103496 c:\windows\System32\perfc009.dat
+ 2009-07-14 02:05 . 2010-06-16 21:22 103496 c:\windows\System32\perfc009.dat
- 2010-01-30 16:14 . 2010-06-16 04:05 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2010-01-30 16:14 . 2010-06-17 01:49 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-07-14 02:03 . 2010-06-16 20:03 6815744 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
- 2009-07-14 02:03 . 2010-06-15 03:52 6815744 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
- 2010-01-30 09:34 . 2010-06-16 04:39 1081344 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-01-30 09:34 . 2010-06-17 03:56 1081344 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-18 2012912]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe" [2010-01-27 256280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-06-17 85160]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKLM\~\startupfolder\C:^Users^Mr. Rogers^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Mr. Rogers\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\combofix]
c:\combo-fix\CF27026.cfxxe [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-05-10 04:32 1238352 ----a-w- c:\program files\Steam\Steam.exe

R2 gupdate1caad1565fa3e54;Google Update Service (gupdate1caad1565fa3e54);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-14 133104]
R2 StudioPro;StudioPro webcam;c:\windows\system32\DRIVERS\StudioPro.sys [2007-01-06 120320]
R3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [2008-08-15 284016]
R3 DrvAgent32;DrvAgent32;c:\windows\system32\Drivers\DrvAgent32.sys [2010-06-13 23456]
R3 EuMusDesignVirtualAudioCableWdm;StudioPro audio (WDM);c:\windows\system32\DRIVERS\vrtaucbl.sys [2007-04-23 38784]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-17 12872]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2009-12-01 34384]
R3 SoundMovieServer;SoundMovieServer;c:\windows\system32\snmvtsvc.exe [2008-04-17 184320]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-03 1343400]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-04-16 11520]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SYMEFA.SYS [2010-01-30 310320]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\Drivers\N360\0308000.029\BHDrvx86.sys [2010-01-30 259632]
S1 ccHP;Symantec Hash Provider;c:\windows\System32\Drivers\N360\0308000.029\ccHPx86.sys [2010-01-30 482432]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20100604.004\IDSvix86.sys [2010-05-28 344112]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-02-17 66632]
S2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [2009-12-16 375296]
S2 N360;Norton 360;c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe [2010-01-30 117640]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-05-27 102448]
S3 MovRVDrv32;MovRVDrv32;c:\windows\system32\DRIVERS\MovRVDrv32.sys [2008-04-17 3768]
S3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\Drivers\N360\0308000.029\SYMNDISV.SYS [2010-01-30 48688]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9C450606-ED24-4958-92BA-B8940C99D441}]
2009-03-04 22:32 8192 ----a-w- c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2010-06-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-14 01:30]

2010-06-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-14 01:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://tmq.bingstart.com/?cfg=2-168-0-1ipGy
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Mr. Rogers\AppData\Roaming\Mozilla\Firefox\Profiles\fxeei5v6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://tmq.bingstart.com/s/?src=FF-Address&site=Bing&cfg=2-168-0-1ipGy&q=
FF - component: c:\program files\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Pando Networks\Media Booster\npPandoWebPlugin.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x869DEEC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
IoDeviceObjectType -> DumpProcedure -> 0xd46a624f
SecurityProcedure -> 0x84eb33d0
QueryNameProcedure -> 0x84eb3560
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-06-16 23:13:26
ComboFix-quarantined-files.txt 2010-06-17 04:13
ComboFix2.txt 2010-06-16 04:56

Pre-Run: 80,147,316,736 bytes free
Post-Run: 80,071,553,024 bytes free

- - End Of File - - 62AF7BFA01C862DE39FF90ADE7E9349C
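The service/driver listing near the top of this log and the Gmer MBR block both have a regular line format, so the first triage step can be automated. The following Python is an added example, not part of the thread and not code from DDS, ComboFix or Gmer: it parses the `R*/S*` service entries and the MBR section and flags the two things a responder looks at first in a log like this, namely drivers whose image lives outside the system driver directory (a heuristic I assume here, not a verdict) and the `>>UNKNOWN [...]<<` module Gmer reports in the disk call chain together with the hooks it lists. The sample input is lines copied from the log above, embedded so the script runs offline.

```python
"""Triage helper for DDS/ComboFix-style service lists and the Gmer MBR check."""
import re
from typing import Any, Dict, List, NamedTuple

# Sample input: lines copied from the log posted in this thread (five service
# entries and the Gmer MBR block). Embedded here so the example runs offline.
SAMPLE_LOG = r"""
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-04-16 11520]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SYMEFA.SYS [2010-01-30 310320]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S2 N360;Norton 360;c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe [2010-01-30 117640]
S3 MovRVDrv32;MovRVDrv32;c:\windows\system32\DRIVERS\MovRVDrv32.sys [2008-04-17 3768]

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x869DEEC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
IoDeviceObjectType -> DumpProcedure -> 0xd46a624f
SecurityProcedure -> 0x84eb33d0
QueryNameProcedure -> 0x84eb3560
user & kernel MBR OK
"""


class ServiceEntry(NamedTuple):
    start: str      # R = running, S = stopped; the digit is the Windows start type
    name: str
    display: str
    path: str
    date: str
    size: int


# "<start> <name>;<display>;<path> [<yyyy-mm-dd> <bytes>]"
_SERVICE_RE = re.compile(
    r"^([RS][0-4]) ([^;]+);([^;]*);(.+?) \[(\d{4}-\d{2}-\d{2}) (\d+)\]$"
)
_UNKNOWN_MODULE_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
_HOOK_RE = re.compile(r"^(.*?) -> (0x[0-9A-Fa-f]+)$")

# Assumed triage heuristic (mine, not the tools'): kernel drivers normally live
# under the system driver directory; anything elsewhere deserves a second look.
SYSTEM_DRIVER_DIR = r"c:\windows\system32\drivers"


def parse_services(log_text: str) -> List[ServiceEntry]:
    """Extract every service/driver entry from the log."""
    entries = []
    for line in log_text.splitlines():
        m = _SERVICE_RE.match(line.strip())
        if m:
            start, name, display, path, date, size = m.groups()
            entries.append(ServiceEntry(start, name, display, path, date, int(size)))
    return entries


def drivers_outside_system_dir(entries: List[ServiceEntry]) -> List[str]:
    """Names of .sys drivers whose image is not under the system driver directory."""
    return [
        e.name for e in entries
        if e.path.lower().endswith(".sys")
        and not e.path.lower().startswith(SYSTEM_DRIVER_DIR)
    ]


def parse_mbr_check(log_text: str) -> Dict[str, Any]:
    """Summarise the Gmer MBR block: unknown module in the disk call chain,
    the listed hooks, and whether the final MBR verdict line was OK."""
    result: Dict[str, Any] = {"unknown_module": None, "hooks": [], "mbr_ok": False}
    in_hooks = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("called modules:"):
            m = _UNKNOWN_MODULE_RE.search(line)
            if m:
                result["unknown_module"] = m.group(1)
        elif line.startswith("detected MBR rootkit hooks:"):
            in_hooks = True
        elif in_hooks:
            m = _HOOK_RE.match(line)
            if m:
                result["hooks"].append((m.group(1), m.group(2)))
            else:
                in_hooks = False   # first non-hook line ends the hook list
        if line == "user & kernel MBR OK":
            result["mbr_ok"] = True
    return result


if __name__ == "__main__":
    services = parse_services(SAMPLE_LOG)
    print(f"{len(services)} service entries parsed")
    print("drivers outside the system driver dir:", drivers_outside_system_dir(services))
    mbr = parse_mbr_check(SAMPLE_LOG)
    print("unknown module in disk call chain:", mbr["unknown_module"])
    for where, addr in mbr["hooks"]:
        print(f"  hook: {where} at {addr}")
    print("MBR sectors reported OK:", mbr["mbr_ok"])
```

Note what the output shows for this log: the MBR sectors themselves read clean ("user & kernel MBR OK"), yet the disk call chain ends in an unknown module and three object-type procedures are hooked, which is why a clean MBR read alone does not settle the question the thread is asking.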


#10 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 16 June 2010 - 11:31 PM

Please download maxlook, saving the file to your desktop.
Double click maxlook.exe to run it. Note - you must run it only once!

1. Restart your computer.
2. Before Windows loads, you will be prompted to choose which Operating System to start.
3. Use the up and down arrow key to select Microsoft Windows Recovery Console
4. You must enter which Windows installation to log onto. Type 1 and press 'Enter'.
5. At the C:\Windows prompt, type the following bolded entries, and press 'Enter' (note the spaces):
    batch look.bat


You will see 1 file copied many times then return to the x:\windows> prompt.
Type Exit to restart your computer then logon in normal mode.

Click Start >> Run and then type the following in the run box

maxlook -sig

(note the space before the - sign)
It will produce looklog.txt on the desktop and open it.
Please post the results here.

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 sn3akym4n

  • Topic Starter
  • Members
  • 20 posts

Posted 17 June 2010 - 12:02 AM

For this process, are the directions different for Windows 7? Because I'm having a little trouble finding the Microsoft Windows Recovery Console.

#12 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 17 June 2010 - 12:28 AM

Yes it is - please wait

#13 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 17 June 2010 - 12:30 AM

First, you must verify that you can access the Windows7 Recovery Environment.
To do so, restart your computer and begin tapping the F8 key to enable the Advanced Start menu.
If the option 'Repair your computer' is available, select it.

If not available, you will need to insert your Windows7 installation dvd and restart, then press any key when prompted to boot from the cd.
At the Install Windows screen, select Repair your computer. (image below)



Next, please download maxlook, saving the file to your desktop.
Double click maxlook.exe to run it. Note - you must run it only once!
As instructed when the tool runs, restart the computer and logon to the Recovery Environment.
Once you get to the System Recovery Options screen, first take note of the drive letter assigned to the operating system, then select Command Prompt.



Type the following bolded command at the x:\sources> prompt (or x:\windows\system32>) then hit Enter.

cd /d x:\windows <--- the red x represents your operating system drive letter, as shown in the image below



At the D:\Windows> prompt type the following command then hit Enter

look.bat

You will see many files copied then return to the x:\windows> prompt.
Type Exit then restart your computer and logon in normal mode.
Please run maxlook.exe again now. Note - you must run it only once!
It will produce looklog.txt on the desktop and open it.
Please post the results here.


#14 sn3akym4n

  • Topic Starter
  • Members
  • 20 posts

Posted 17 June 2010 - 03:09 PM

This scan is also clean! Is this normal? Right after I started to get the log file I got the Norton warning again for the Backdoor.Tidserv!inf.


Run from C:\Users\Mr. Rogers\Desktop\maxlook.exe on Thu 06/17/2010 at 15:07:23.72

No infected file found



#15 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 17 June 2010 - 03:41 PM

Hello

That is not the report we should have gotten, but I see where I went wrong: before I ran maxlook again I should have had you run this

from the run command
  • push the "Windows key" + "R" (between the "Ctrl" button and "Alt" button)
  • please copy and paste the following into the box
    maxlook -cleanup
  • click OK

after you have done the above - do this again

First, you must verify that you can access the Windows7 Recovery Environment.
To do so, restart your computer and begin tapping the F8 key to enable the Advanced Start menu.
If the option 'Repair your computer' is available, select it.

If not available, you will need to insert your Windows7 installation dvd and restart, then press any key when prompted to boot from the cd.
At the Install Windows screen, select Repair your computer. (image below)



Next, please download maxlook, saving the file to your desktop.
Double click maxlook.exe to run it. Note - you must run it only once!
As instructed when the tool runs, restart the computer and logon to the Recovery Environment.
Once you get to the System Recovery Options screen, first take note of the drive letter assigned to the operating system, then select Command Prompt.



Type the following bolded command at the x:\sources> prompt (or x:\windows\system32>) then hit Enter.

cd /d x:\windows <--- the red x represents your operating system drive letter, as shown in the image below



At the D:\Windows> prompt type the following command then hit Enter

look.bat

You will see many files copied then return to the x:\windows> prompt.
Type Exit then restart your computer and logon in normal mode.
Please run maxlook.exe again now. Note - you must run it only once!
It will produce looklog.txt on the desktop and open it.
Please post the results here.

Gringo




