
Unknown Virus


This topic is locked. 25 replies to this topic.

#1 RussellJB (Members, 31 posts)

Posted 21 August 2010 - 06:23 PM

I picked up a virus from a -- yup, a torrent -- and had it on my comp for a couple of months. I had noticed some odd behavior on the comp but could never locate the (probable) source of the virus until I used Housecall. While it found the two hidden files and the virus and deleted them, the program isn't good at identifying the virii names so I don't know what it was. And since I re-formatted I can't get any info on the virus. Sorry.

I re-formatted both my C drive and my secondary drive and re-installed my XP Pro. The disc had SP 2 on it and I ordered SP3 over the phone so I was able to install them before having to go back online. I was also able to re-install Norton Anti-virus 2010 before going back online. Then I did all the usual updates.

I also have Zone Alarm, Spyware Blaster, HijackThis, and Malwarebytes installed (all free versions).

I did all the re-installing last night and I've noticed some odd behavior, some old, some new. I only installed Zone Alarm last week, after I found the virus, but after re-formatting I've twice noticed that the anti-phishing has been turned off.

Also -- and this might be a separate problem -- after re-installing Office 2003 I got a message from Zone Alarm saying that I was now hooked up to a new computer. Oddly, the IP was different from the one I was on. It was 24.185.208.0. When I clicked the connection icon in my quick launch area, it said I was using a different IP (sorry, I don't have the IP address).

The above IP is from my area and the same service provider I use. Besides any virus problems, am I possibly accidentally hooked up to a neighbor's comp? I don't have a wireless router but maybe I have a wireless card? I am using a "CNet PRO200WL PCI Fast Ethernet."

For one thing, it would explain why my mouse occasionally jumps around wildly. It was doing that before the re-formatting but I had chalked it up to the virus. But it's already happened a couple of times today. And I notice it's running slow, sometimes very slow. It's also frozen a couple of times. It probably shouldn't be doing that with a newly formatted drive.

I followed all the instructions in the Prep Guide, except for the 1st where it says to create a backup. I figure at this point I can re-install. But I left my Zone Alarm on. If this created a mess in the gmer or other txt files please LMK and I'll turn it off and run everything again. I would have done it in the first place but as you can probably understand, I'm a bit gun shy right now.

Thank you! And believe me, after having the hackers access my debit and credit cards, they tried to run up a $1000 tab, I'm staying away from torrents!

- Russell

DDS (Ver_10-03-17.01) - NTFSx86
Run by baedtmtien at 18:16:26.70 on Sat 08/21/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.376 [GMT -4:00]

AV: Norton AntiVirus *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Norton AntiVirus\Engine\17.7.0.12\ccSvcHst.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Program Files\Norton AntiVirus\Engine\17.7.0.12\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Downloads\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Downloads\Logitech Mouse\SetPointP\SetPoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\baedtmtien\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\17.7.0.12\IPSBHO.DLL
BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ZoneAlarm Client] "c:\downloads\zone labs\zonealarm\zlclient.exe"
mRun: [ISW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"
mRun: [Lexmark X73 Button Monitor] c:\progra~1\lexmar~1\ACMonitor_X73.exe
mRun: [Lexmark X73 Button Manager] c:\progra~1\lexmar~1\AcBtnMgr_X73.exe
mRun: [PrinTray] c:\windows\system32\spool\drivers\w32x86\3\printray.exe
mRun: [EvtMgr6] c:\downloads\logitech mouse\setpointp\SetPoint.exe /launchGaming
StartupFolder: c:\docume~1\baedtm~1\startm~1\programs\startup\logite~1.lnk - c:\program files\common files\logishrd\ereg\setpoint\eReg.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1282370977203
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1282416536265
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2100-02-23 18:35:34 768 ----a-w- c:\windows\x73_lut.dat
2100-02-08 19:53:34 1441 ----a-w- c:\windows\GtX73.ini
2010-08-21 22:14:35 0 ----a-w- c:\documents and settings\baedtmtien\defogger_reenable
2010-08-21 20:29:26 28040 ----a-w- c:\windows\system32\mdimon.dll
2010-08-21 19:07:30 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2010-08-21 19:07:30 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
2010-08-21 19:07:17 16928 ------w- c:\windows\system32\spmsgXP_2k3.dll
2010-08-21 19:05:33 10448 ----a-w- c:\windows\system32\drivers\LBeepKE.sys
2010-08-21 19:00:48 0 d-----w- c:\docume~1\baedtm~1\applic~1\Logishrd
2010-08-21 18:43:56 0 d-----w- c:\windows\system32\NtmsData
2010-08-21 18:37:22 376 ----a-w- c:\windows\ODBC.INI
2010-08-21 18:34:42 0 d-----w- c:\program files\Microsoft ActiveSync
2010-08-21 18:31:52 0 d-----w- c:\windows\SHELLNEW
2010-08-21 11:33:20 0 d-----w- C:\Games
2010-08-21 10:06:36 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2010-08-21 10:06:36 1071088 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2010-08-21 09:51:38 0 d-----w- c:\docume~1\baedtm~1\applic~1\Windows Desktop Search
2010-08-21 09:50:33 0 d-----w- c:\program files\Windows Desktop Search
2010-08-21 09:50:32 0 d-----w- c:\windows\system32\GroupPolicy
2010-08-21 09:49:02 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2010-08-21 09:49:02 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2010-08-21 09:49:02 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2010-08-21 09:05:25 1089593 -c----w- c:\windows\system32\dllcache\ntprint.cat
2010-08-21 08:29:23 0 d-----w- c:\windows\system32\XPSViewer
2010-08-21 08:27:53 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-08-21 08:27:53 117760 ------w- c:\windows\system32\prntvpt.dll
2010-08-21 08:27:52 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-08-21 08:27:52 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-08-21 08:27:52 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-08-21 08:27:52 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-08-21 08:27:52 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-08-21 08:19:15 0 d-----w- c:\windows\system32\URTTemp
2010-08-21 08:15:47 0 d-----w- c:\program files\CONEXANT
2010-08-21 08:02:15 0 d-sh--w- c:\documents and settings\baedtmtien\PrivacIE
2010-08-21 07:58:49 0 d-sh--w- c:\documents and settings\baedtmtien\IETldCache
2010-08-21 07:49:21 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-08-21 07:49:20 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-08-21 07:49:20 599040 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-08-21 07:49:20 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-08-21 07:49:20 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-08-21 07:49:20 1986560 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-08-21 07:49:20 11077120 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-08-21 07:49:12 0 d-----w- c:\windows\ie8updates
2010-08-21 07:49:07 16896 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-08-21 07:46:13 0 dc-h--w- c:\windows\ie8
2010-08-21 07:26:07 0 d-----w- c:\docume~1\baedtm~1\applic~1\Malwarebytes
2010-08-21 07:25:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-21 07:25:35 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-08-21 07:25:34 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-21 07:10:00 354304 -c----w- c:\windows\system32\dllcache\srv.sys
2010-08-21 07:09:36 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-08-21 07:09:36 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-08-21 07:09:00 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2010-08-21 07:07:51 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-08-21 07:05:54 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-08-21 07:04:16 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-08-21 07:02:07 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-08-21 06:59:21 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-08-21 06:57:40 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2010-08-21 06:54:52 128512 -c----w- c:\windows\system32\dllcache\dhtmled.ocx
2010-08-21 06:54:08 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2010-08-21 06:54:07 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2010-08-21 06:54:06 110592 -c----w- c:\windows\system32\dllcache\services.exe
2010-08-21 06:54:04 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2010-08-21 06:54:01 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2010-08-21 06:53:54 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2010-08-21 06:53:50 730112 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2010-08-21 06:53:43 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2010-08-21 06:53:40 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2010-08-21 06:53:27 2146304 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-08-21 06:53:16 2189952 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-08-21 06:53:05 2024448 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-08-21 06:50:20 13646 ----a-w- c:\windows\system32\wpa.bak
2010-08-21 06:50:09 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-08-21 06:49:15 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-08-21 06:49:15 337408 ----a-w- c:\windows\system32\SET95.tmp
2010-08-21 06:46:59 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-08-21 06:46:55 1206508 -c----w- c:\windows\system32\dllcache\sysmain.sdb
2010-08-21 06:46:54 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2010-08-21 06:46:51 726528 -c--a-w- c:\windows\system32\dllcache\jscript.dll
2010-08-21 06:37:08 0 d-----w- c:\windows\system32\PreInstall
2010-08-21 06:37:05 0 d--h--w- c:\windows\$hf_mig$
2010-08-21 06:10:06 21728 ----a-w- c:\windows\system32\wucltui.dll.mui
2010-08-21 06:10:04 17632 ----a-w- c:\windows\system32\wuaueng.dll.mui
2010-08-21 06:10:03 15072 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2010-08-21 06:10:03 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2010-08-21 06:10:03 0 d-----w- c:\windows\system32\SoftwareDistribution
2010-08-21 06:09:35 0 d-sh--w- c:\documents and settings\baedtmtien\UserData
2010-08-21 05:54:12 360054 ----a-w- c:\windows\bound.bmp
2010-08-21 05:49:59 299520 ----a-w- c:\windows\uninst.exe
2010-08-21 05:49:57 0 d-----w- c:\documents and settings\baedtmtien\WINDOWS
2010-08-21 05:49:01 86016 ----a-w- c:\windows\unvise32.exe
2010-08-21 05:45:23 0 d-----w- c:\program files\Lexmark
2010-08-21 05:43:19 0 d-----w- c:\program files\LexmarkX73
2010-08-21 05:28:27 0 d-----w- c:\docume~1\baedtm~1\applic~1\CheckPoint
2010-08-21 05:27:51 0 d-----w- c:\program files\CheckPoint
2010-08-21 05:27:38 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-08-21 05:27:06 1238528 ----a-w- c:\windows\system32\zpeng25.dll
2010-08-21 05:27:06 0 d-----w- c:\windows\system32\ZoneLabs
2010-08-21 05:27:03 421443 ----a-w- c:\windows\system32\vsconfig.xml
2010-08-21 05:26:25 0 d-----w- C:\Downloads
2010-08-21 05:25:49 0 d-----w- c:\windows\Internet Logs
2010-08-21 05:23:31 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-08-21 05:23:31 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-08-21 05:23:31 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-08-21 05:23:31 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-08-21 05:23:31 0 d-----w- c:\program files\common files\Symantec Shared
2010-08-21 05:23:30 0 d-----w- c:\program files\Symantec
2010-08-21 05:22:23 0 d-----w- c:\windows\system32\drivers\NAV
2010-08-21 05:22:17 0 d-----w- c:\program files\Norton AntiVirus
2010-08-21 05:22:15 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton
2010-08-21 05:21:58 0 d-----w- c:\program files\NortonInstaller
2010-08-21 05:21:58 0 d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2010-08-21 05:20:54 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2010-08-21 05:10:59 0 d-----w- c:\windows\system32\en
2010-08-21 05:10:58 0 d-----w- c:\windows\system32\bits
2010-08-21 05:08:24 0 d-----w- c:\windows\ServicePackFiles
2010-08-21 05:07:54 294912 -c----w- c:\windows\system32\dllcache\dlimport.exe
2010-08-21 05:03:00 19569 ----a-w- c:\windows\002865_.tmp
2010-08-21 05:02:32 0 d-----w- c:\windows\system32\ReinstallBackups
2010-08-21 05:02:17 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2010-08-21 04:27:04 0 d-sh--w- c:\documents and settings\all users\DRM
2010-08-21 04:26:34 0 d--h--w- c:\program files\WindowsUpdate
2010-08-21 04:25:35 0 d-----w- c:\program files\common files\MSSoap
2010-08-21 04:23:43 0 d-----w- c:\program files\Online Services
2010-08-21 04:23:33 0 d-----w- c:\program files\Messenger
2010-08-21 04:23:30 0 d-----w- c:\program files\MSN Gaming Zone
2010-08-21 04:22:52 0 d-----w- c:\program files\Windows NT
2010-08-21 00:05:02 0 d-----w- c:\program files\common files\ODBC
2010-08-21 00:04:58 0 d-----w- c:\program files\common files\SpeechEngines
2010-08-21 00:04:29 0 d-----r- c:\documents and settings\all users\Documents

==================== Find3M ====================

2010-08-21 04:24:26 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:10:44 81920 ------w- c:\windows\system32\ieencode.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll

============= FINISH: 18:17:53.65 ===============
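The "Created Last 30" section of the DDS log above contains two entries stamped with the year 2100 (c:\windows\x73_lut.dat and c:\windows\GtX73.ini), which is later than the scan itself. A helper that pulls such entries out automatically is useful when reading these logs, so here is one as an added example. It is not part of the thread, not DDS's own code and not a BleepingComputer tool. It assumes (from the header, which shows the scan running at 18:16 local with a GMT -4:00 offset while the defogger_reenable entry is stamped 22:14) that the per-file timestamps are UTC and the "Run by" time is local; the sample log is a few lines copied from the post above.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the header and a handful of "Created Last 30" entries copied
# from the DDS log posted above (the two year-2100 entries are the ones of interest).
SAMPLE_LOG = r"""
DDS (Ver_10-03-17.01) - NTFSx86
Run by baedtmtien at 18:16:26.70 on Sat 08/21/2010
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.376 [GMT -4:00]

=============== Created Last 30 ================

2100-02-23 18:35:34 768 ----a-w- c:\windows\x73_lut.dat
2100-02-08 19:53:34 1441 ----a-w- c:\windows\GtX73.ini
2010-08-21 22:14:35 0 ----a-w- c:\documents and settings\baedtmtien\defogger_reenable
2010-08-21 19:07:30 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys

==================== Find3M ====================

2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
"""

RUN_RE = re.compile(r"Run by \S+ at (\d\d:\d\d:\d\d)(?:\.\d+)? on \w+ (\d\d/\d\d/\d{4})")
GMT_RE = re.compile(r"\[GMT ([+-])(\d{1,2}):(\d\d)\]")
ENTRY_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\d+)\s+(\S{8})\s+(.+)$")


def parse_run_time_utc(log):
    """Return the scan's start time as an aware UTC datetime.

    Assumption: DDS prints the run time in local time and the zone offset in the
    OS line ("[GMT -4:00]"), while the per-file timestamps are UTC.
    """
    run = RUN_RE.search(log)
    gmt = GMT_RE.search(log)
    if run is None or gmt is None:
        raise ValueError("DDS header lines not found")
    local = datetime.strptime(f"{run.group(2)} {run.group(1)}", "%m/%d/%Y %H:%M:%S")
    sign = 1 if gmt.group(1) == "+" else -1
    offset = sign * timedelta(hours=int(gmt.group(2)), minutes=int(gmt.group(3)))
    return local.replace(tzinfo=timezone(offset)).astimezone(timezone.utc)


def parse_created_entries(log):
    """Parse the 'Created Last 30' section into dicts; stops at the next section header."""
    entries = []
    in_section = False
    for line in log.splitlines():
        if line.startswith("="):
            in_section = "Created Last 30" in line
            continue
        if not in_section:
            continue
        m = ENTRY_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
            entries.append({"time": ts, "size": int(m.group(2)),
                            "attrs": m.group(3), "path": m.group(4)})
    return entries


def future_dated(log, slack=timedelta(minutes=5)):
    """Paths whose creation time lies after the scan started (plus a little clock slack).

    A future date is not proof of malware (installers and wrong clocks produce them too),
    but it is a reason to look at the file and at whatever wrote it.
    """
    cutoff = parse_run_time_utc(log) + slack
    return [e["path"] for e in parse_created_entries(log) if e["time"] > cutoff]


if __name__ == "__main__":
    for path in future_dated(SAMPLE_LOG):
        print("future-dated:", path)
```

On the sample it reports the two printer-driver files and nothing else; in this thread those two belong to the Lexmark install done the same day, so the check points the reviewer at a question to ask rather than at a verdict.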



#2 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 27 August 2010 - 08:10 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 RussellJB (Topic Starter, Members, 31 posts)

Posted 28 August 2010 - 12:09 PM

Hi m0le, I'm here.

Thank you for your help!

- Russell

#4 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 28 August 2010 - 04:54 PM

Hello Russell,

No Torrent warnings then.

The fact that you are reformatting and still having problems sounds like we might be looking at an MBR rootkit.

Please run MBRCheck

Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.
m0le is a proud member of UNITE

#5 RussellJB (Topic Starter, Members, 31 posts)

Posted 29 August 2010 - 02:39 PM

M0le, here's the results:

QUOTE
MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000063d

Kernel Drivers (total 156):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EE000 \WINDOWS\system32\hal.dll
0xF7D63000 \WINDOWS\system32\KDCOM.DLL
0xF7C73000 \WINDOWS\system32\BOOTVID.dll
0xF7814000 ACPI.sys
0xF7D65000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7803000 pci.sys
0xF7863000 isapnp.sys
0xF7E2B000 PCIIde.sys
0xF7AE3000 \WINDOWS\System32\Drivers\PCIIDEX.SYS
0xF7D67000 intelide.sys
0xF7873000 MountMgr.sys
0xF77E4000 ftdisk.sys
0xF7D69000 dmload.sys
0xF77BE000 dmio.sys
0xF7AEB000 PartMgr.sys
0xF7883000 VolSnap.sys
0xF77A6000 atapi.sys
0xF7893000 disk.sys
0xF78A3000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF7786000 fltmgr.sys
0xF7730000 SYMDS.SYS
0xF771E000 sr.sys
0xF76F1000 SYMEFA.SYS
0xF76DA000 KSecDD.sys
0xF764D000 Ntfs.sys
0xF7620000 NDIS.sys
0xF7606000 Mup.sys
0xF78B3000 agp440.sys
0xF79F3000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF74F7000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xF74E3000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF7B5B000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF74BF000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF7B63000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF74AE000 \SystemRoot\system32\DRIVERS\basic2.sys
0xF7A03000 \SystemRoot\system32\DRIVERS\SOAR.SYS
0xF7A13000 \SystemRoot\system32\DRIVERS\rksample.sys
0xF7427000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xF7401000 \SystemRoot\system32\DRIVERS\AmosNt.SYS
0xF7B6B000 \SystemRoot\System32\Drivers\Modem.SYS
0xF7B73000 \SystemRoot\system32\DRIVERS\DM9PCI5.SYS
0xF7A23000 \SystemRoot\system32\DRIVERS\serial.sys
0xF7D2B000 \SystemRoot\system32\DRIVERS\serenum.sys
0xF7B7B000 \SystemRoot\system32\DRIVERS\fdc.sys
0xF73BD000 \SystemRoot\system32\DRIVERS\parport.sys
0xF7A33000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF7B83000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF7A43000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF7A53000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF7A63000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF739A000 \SystemRoot\system32\DRIVERS\ks.sys
0xF7325000 \SystemRoot\system32\drivers\smwdm.sys
0xF7EB4000 \SystemRoot\system32\drivers\SENSUPGD.SYS
0xF7301000 \SystemRoot\system32\drivers\portcls.sys
0xF7A83000 \SystemRoot\system32\drivers\drmk.sys
0xF7D97000 \SystemRoot\system32\drivers\aeaudio.sys
0xF7EB8000 \SystemRoot\system32\DRIVERS\audstub.sys


#6 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 29 August 2010 - 02:48 PM

That is not the whole log, Russell.
m0le is a proud member of UNITE

#7 RussellJB (Topic Starter, Members, 31 posts)

Posted 30 August 2010 - 02:37 PM

Duh! I'm sorry, M0le! I didn't give the program enough time to run.

QUOTE
MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000063d

Kernel Drivers (total 156):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EE000 \WINDOWS\system32\hal.dll
0xF7D63000 \WINDOWS\system32\KDCOM.DLL
0xF7C73000 \WINDOWS\system32\BOOTVID.dll
0xF7814000 ACPI.sys
0xF7D65000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7803000 pci.sys
0xF7863000 isapnp.sys
0xF7E2B000 PCIIde.sys
0xF7AE3000 \WINDOWS\System32\Drivers\PCIIDEX.SYS
0xF7D67000 intelide.sys
0xF7873000 MountMgr.sys
0xF77E4000 ftdisk.sys
0xF7D69000 dmload.sys
0xF77BE000 dmio.sys
0xF7AEB000 PartMgr.sys
0xF7883000 VolSnap.sys
0xF77A6000 atapi.sys
0xF7893000 disk.sys
0xF78A3000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF7786000 fltmgr.sys
0xF7730000 SYMDS.SYS
0xF771E000 sr.sys
0xF76F1000 SYMEFA.SYS
0xF76DA000 KSecDD.sys
0xF764D000 Ntfs.sys
0xF7620000 NDIS.sys
0xF7606000 Mup.sys
0xF78B3000 agp440.sys
0xF79F3000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF74F7000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xF74E3000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF7B5B000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF74BF000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF7B63000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF74AE000 \SystemRoot\system32\DRIVERS\basic2.sys
0xF7A03000 \SystemRoot\system32\DRIVERS\SOAR.SYS
0xF7A13000 \SystemRoot\system32\DRIVERS\rksample.sys
0xF7427000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xF7401000 \SystemRoot\system32\DRIVERS\AmosNt.SYS
0xF7B6B000 \SystemRoot\System32\Drivers\Modem.SYS
0xF7B73000 \SystemRoot\system32\DRIVERS\DM9PCI5.SYS
0xF7A23000 \SystemRoot\system32\DRIVERS\serial.sys
0xF7D2B000 \SystemRoot\system32\DRIVERS\serenum.sys
0xF7B7B000 \SystemRoot\system32\DRIVERS\fdc.sys
0xF73BD000 \SystemRoot\system32\DRIVERS\parport.sys
0xF7A33000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF7B83000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF7A43000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF7A53000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF7A63000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF739A000 \SystemRoot\system32\DRIVERS\ks.sys
0xF7325000 \SystemRoot\system32\drivers\smwdm.sys
0xF7EB4000 \SystemRoot\system32\drivers\SENSUPGD.SYS
0xF7301000 \SystemRoot\system32\drivers\portcls.sys
0xF7A83000 \SystemRoot\system32\drivers\drmk.sys
0xF7D97000 \SystemRoot\system32\drivers\aeaudio.sys
0xF7EB8000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF7A93000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF7D47000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF72EA000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF7AA3000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF7AB3000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF7B93000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF72D9000 \SystemRoot\system32\DRIVERS\psched.sys
0xF7AC3000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF7B9B000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF7BA3000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF7209000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF7AD3000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7BAB000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7D99000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF7183000 \SystemRoot\system32\DRIVERS\update.sys
0xF75E2000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF78E3000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF7923000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7D9B000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF7CFF000 \SystemRoot\system32\drivers\MODEMCSA.sys
0xF7BBB000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xF7DAD000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7EF3000 \SystemRoot\System32\Drivers\Null.SYS
0xF7DAF000 \SystemRoot\System32\Drivers\Beep.SYS
0xF7BCB000 \SystemRoot\System32\drivers\vga.sys
0xF7DB1000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7DB3000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF7BD3000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF7BDB000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF7D13000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA67CD000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA6774000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA671D000 \SystemRoot\System32\Drivers\NAV\1107000.00C\SYMTDI.SYS
0xA66F8000 \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
0xA66A3000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\IPSDefs\20100827.001\IDSxpx86.sys
0xA667D000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF7953000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xA6655000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA65D4000 \SystemRoot\System32\vsdatant.sys
0xA65B2000 \SystemRoot\System32\drivers\afd.sys
0xF7963000 \SystemRoot\system32\DRIVERS\netbios.sys
0xA64F3000 \SystemRoot\system32\drivers\NAV\1107000.00C\Ironx86.SYS
0xF7973000 \SystemRoot\system32\drivers\NAV\1107000.00C\SRTSPX.SYS
0xA64A0000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA6430000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF7983000 \SystemRoot\System32\Drivers\Fips.SYS
0xA63D2000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
0xA63B5000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
0xA6336000 \SystemRoot\system32\drivers\NAV\1107000.00C\ccHPx86.sys
0xA628A000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\BASHDefs\20100810.004\BHDrvx86.sys
0xF7BFB000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xF79A3000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xF7C53000 \SystemRoot\System32\Drivers\LUsbFilt.Sys
0xF79B3000 \SystemRoot\System32\Drivers\WDFLDR.SYS
0xA6219000 \SystemRoot\System32\Drivers\wdf01000.sys
0xF715B000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF79C3000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF7C5B000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF7C63000 \SystemRoot\system32\DRIVERS\LHidFilt.Sys
0xF75D2000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xF7C6B000 \SystemRoot\system32\DRIVERS\LMouFilt.Sys
0xF75BE000 \SystemRoot\System32\Drivers\Lxarscan.sys
0xF7B03000 \SystemRoot\system32\DRIVERS\usbprint.sys
0xA6201000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7D7F000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF7D0F000 \SystemRoot\System32\drivers\Dxapi.sys
0xF7B0B000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7F67000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF048000 \SystemRoot\System32\ati2cqag.dll
0xBF080000 \SystemRoot\System32\ati3duag.dll
0xBF24E000 \SystemRoot\System32\ativvaxx.dll
0xA61B5000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xA60A9000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xF7B43000 \??\C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys
0xA5CD8000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xF7DA7000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xA5C69000 \SystemRoot\system32\DRIVERS\fallback.sys
0xA5C4C000 \SystemRoot\system32\DRIVERS\fsksnt.sys
0xA5BEC000 \SystemRoot\system32\DRIVERS\k56nt.sys
0xF7E7F000 \SystemRoot\System32\Drivers\LBeepKE.sys
0xA5B95000 \SystemRoot\system32\DRIVERS\srv.sys
0xA5E05000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xA5B14000 \SystemRoot\system32\DRIVERS\faxnt.sys
0xA5B02000 \SystemRoot\system32\DRIVERS\spkpnt.sys
0xA6582000 \SystemRoot\system32\DRIVERS\tonesnt.sys
0xA5A62000 \SystemRoot\system32\DRIVERS\v124nt.sys
0xA57A5000 \SystemRoot\system32\drivers\wdmaud.sys
0xA5962000 \SystemRoot\system32\drivers\sysaudio.sys
0xA5360000 \SystemRoot\System32\Drivers\NAV\1107000.00C\SRTSP.SYS
0xA4D5F000 \SystemRoot\System32\Drivers\HTTP.sys
0xA3173000
0xA2FFF000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\VirusDefs\20100830.002\NAVEX15.SYS
0xA2FEB000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\VirusDefs\20100830.002\NAVENG.SYS
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 34):
0 System Idle Process
4 System
464 C:\WINDOWS\system32\smss.exe
528 csrss.exe
552 C:\WINDOWS\system32\winlogon.exe
596 C:\WINDOWS\system32\services.exe
608 C:\WINDOWS\system32\lsass.exe
764 C:\WINDOWS\system32\svchost.exe
820 svchost.exe
864 C:\WINDOWS\system32\svchost.exe
996 svchost.exe
1048 svchost.exe
1084 C:\WINDOWS\system32\ZoneLabs\vsmon.exe
1304 C:\Program Files\CheckPoint\ZAForceField\ISWSVC.exe
1372 C:\WINDOWS\system32\LEXBCES.EXE
1404 C:\WINDOWS\system32\spoolsv.exe
1484 svchost.exe
1584 C:\Program Files\Norton AntiVirus\Engine\17.7.0.12\ccsvchst.exe
1768 C:\WINDOWS\system32\searchindexer.exe
2112 alg.exe
656 C:\WINDOWS\system32\wuauclt.exe
3688 C:\WINDOWS\system32\searchprotocolhost.exe
204 C:\Program Files\Norton AntiVirus\Engine\17.7.0.12\ccsvchst.exe
2724 C:\WINDOWS\explorer.exe
392 C:\Downloads\Zone Labs\ZoneAlarm\zlclient.exe
3128 C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
2888 C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
2496 C:\WINDOWS\system32\spool\drivers\w32x86\3\printray.exe
1856 C:\Downloads\Logitech Mouse\SetPointP\SetPoint.exe
496 C:\Program Files\Windows Desktop Search\WindowsSearch.exe
2868 C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.exe
3388 C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
3508 C:\Documents and Settings\baedtmtien\Desktop\MBRCheck.exe
856 searchfilterhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`01f60800 (NTFS)
\\.\J: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)
\\.\K: --> \\.\PhysicalDrive1 at offset 0x00000018`ffeafc00 (NTFS)

PhysicalDrive0 Model Number: MAXTOR6L080J4, Rev: A93.0500
PhysicalDrive1 Model Number: WDCWD5000AAKB-00H8A0, Rev: 05.04E05

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
465 GB \\.\PhysicalDrive1 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!


#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:03:51 PM

Posted 30 August 2010 - 04:51 PM

That scan is negative so that's encouraging.

Please run Combofix

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#9 RussellJB

RussellJB
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:11:51 AM

Posted 01 September 2010 - 07:57 AM

Here are the results:

One question -- is it OK to run these programs while being a user with admin privileges instead of the actual Administrator? Because that's what I've been doing.

QUOTE
ComboFix 10-08-31.02 - baedtmtien 09/01/2010 8:34.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.609 [GMT -4:00]
Running from: c:\documents and settings\baedtmtien\Desktop\comfix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((( Files Created from 2010-08-01 to 2010-09-01 )))))))))))))))))))))))))))))))
.

2100-02-23 18:35 . 2001-02-22 13:54 768 ----a-w- c:\windows\x73_lut.dat
2010-08-29 19:19 . 2010-08-29 19:19 -------- d-----w- c:\documents and settings\baedtmtien\Application Data\GlarySoft
2010-08-29 19:14 . 2010-08-29 19:14 -------- d-sh--w- c:\documents and settings\Russkull\IECompatCache
2010-08-29 01:20 . 2010-08-29 01:20 -------- d-----w- c:\documents and settings\Russkull\Application Data\Malwarebytes
2010-08-28 17:37 . 2010-08-28 17:37 -------- d-----w- c:\documents and settings\Russkull\Application Data\GlarySoft
2010-08-27 20:20 . 2010-08-27 20:20 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-08-27 20:20 . 2010-08-27 20:20 -------- d-----w- c:\program files\NOS
2010-08-22 19:35 . 2008-04-14 04:15 6272 -c--a-w- c:\windows\system32\dllcache\splitter.sys
2010-08-22 19:35 . 2008-04-14 04:15 6272 ----a-w- c:\windows\system32\drivers\splitter.sys
2010-08-22 19:33 . 2002-05-28 20:17 3744 ----a-r- c:\windows\system32\drivers\smsens.sys
2010-08-22 19:33 . 2002-05-28 16:08 2619 ----a-r- c:\windows\system32\drivers\sensupgd.sys
2010-08-22 19:33 . 2002-04-01 17:15 4816 ----a-r- c:\windows\system32\drivers\aeaudio.sys
2010-08-22 19:33 . 2001-09-19 18:32 720896 -c--a-w- c:\windows\system32\dllcache\a3d.dll
2010-08-22 19:33 . 2001-09-19 18:32 720896 ----a-r- c:\windows\system32\a3d.dll
2010-08-22 19:33 . 2002-05-28 19:18 500568 ----a-r- c:\windows\system32\drivers\smwdm.sys
2010-08-22 19:33 . 2008-04-14 04:49 146048 -c--a-w- c:\windows\system32\dllcache\portcls.sys
2010-08-22 19:33 . 2008-04-14 04:49 146048 ----a-w- c:\windows\system32\drivers\portcls.sys
2010-08-22 19:33 . 2008-04-14 04:15 60160 -c--a-w- c:\windows\system32\dllcache\drmk.sys
2010-08-22 19:33 . 2008-04-14 04:15 60160 ----a-w- c:\windows\system32\drivers\drmk.sys
2010-08-22 16:58 . 2009-08-06 23:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-08-22 08:08 . 2010-08-22 08:08 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-08-22 08:05 . 2010-08-22 08:08 -------- d-----w- c:\windows\SHELLNEW
2010-08-22 07:53 . 2010-08-22 07:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-08-22 07:09 . 2010-08-22 07:09 -------- d-sh--w- c:\documents and settings\Russkull\PrivacIE
2010-08-22 07:09 . 2010-08-22 07:09 -------- d-----w- c:\documents and settings\Russkull\Application Data\Logitech
2010-08-21 20:29 . 2007-04-09 17:23 28552 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\mdippr.dll
2010-08-21 20:29 . 2007-04-09 17:23 28040 ----a-w- c:\windows\system32\mdimon.dll
2010-08-21 19:09 . 2010-08-21 19:09 -------- d-----w- c:\documents and settings\baedtmtien\Application Data\Leadertech
2010-08-21 19:09 . 2010-08-21 19:09 53248 ----a-r- c:\documents and settings\baedtmtien\Application Data\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2010-08-21 19:07 . 2010-08-21 19:07 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2010-08-21 19:07 . 2008-11-07 22:55 16928 ------w- c:\windows\system32\spmsgXP_2k3.dll
2010-08-21 19:05 . 2010-03-18 09:01 10448 ----a-w- c:\windows\system32\drivers\LBeepKE.sys
2010-08-21 19:04 . 2010-08-21 19:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Logishrd
2010-08-21 19:01 . 2010-08-21 19:09 -------- d-----w- c:\program files\Common Files\LogiShrd
2010-08-21 19:00 . 2010-08-21 19:09 -------- d-----w- c:\documents and settings\baedtmtien\Application Data\Logitech
2010-08-21 19:00 . 2010-08-21 19:01 -------- d-----w- c:\documents and settings\baedtmtien\Application Data\Logishrd
2010-08-21 18:43 . 2010-08-21 18:44 -------- d-----w- c:\windows\system32\NtmsData
2010-08-21 17:55 . 2010-08-21 17:55 -------- d-----w- c:\documents and settings\Russkull\Local Settings\Application Data\Identities
2010-08-21 17:55 . 2010-08-21 17:55 -------- d-----w- c:\documents and settings\Russkull\Application Data\Windows Desktop Search
2010-08-21 17:55 . 2010-08-21 17:55 -------- d-----w- c:\documents and settings\Russkull\Application Data\CheckPoint
2010-08-21 11:33 . 2010-08-21 11:33 -------- d-----w- C:\Games
2010-08-21 10:06 . 2010-09-01 12:30 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-21 10:06 . 2010-01-10 23:40 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2010-08-21 09:51 . 2010-08-21 09:51 -------- d-----w- c:\documents and settings\baedtmtien\Local Settings\Application Data\Identities
2010-08-21 09:51 . 2010-08-21 09:51 -------- d-----w- c:\documents and settings\baedtmtien\Application Data\Windows Desktop Search
2010-08-21 09:50 . 2010-08-21 09:58 -------- d-----w- c:\program files\Windows Desktop Search
2010-08-21 09:50 . 2010-08-22 20:08 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-08-21 09:49 . 2008-03-07 17:02 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2010-08-21 09:49 . 2008-03-07 17:02 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2010-08-21 09:49 . 2008-03-07 17:02 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2010-08-21 09:11 . 2010-08-21 09:49 -------- d-----w- c:\documents and settings\baedtmtien\Local Settings\Application Data\ApplicationHistory
2010-08-21 08:42 . 2010-08-22 08:04 -------- d-----w- c:\program files\Microsoft.NET
2010-08-21 08:29 . 2010-08-21 08:29 -------- d-----w- c:\windows\system32\XPSViewer
2010-08-21 08:29 . 2010-08-21 08:29 -------- d-----w- c:\program files\MSBuild
2010-08-21 08:28 . 2010-08-21 08:28 -------- d-----w- c:\program files\Reference Assemblies
2010-08-21 08:28 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-08-21 08:27 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-08-21 08:27 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-08-21 08:27 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-08-21 08:27 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-08-21 08:27 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-08-21 08:27 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-08-21 08:27 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-08-21 08:27 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-08-21 08:19 . 2010-08-21 08:20 -------- d-----w- c:\windows\system32\URTTemp
2010-08-21 08:15 . 2010-08-21 08:15 -------- d-----w- c:\program files\CONEXANT
2010-08-21 08:02 . 2010-08-21 08:02 -------- d-sh--w- c:\documents and settings\baedtmtien\PrivacIE
2010-08-21 07:58 . 2010-08-21 07:58 -------- d-sh--w- c:\documents and settings\baedtmtien\IETldCache
2010-08-21 07:49 . 2010-06-24 12:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-08-21 07:49 . 2010-06-24 21:51 11077120 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-08-21 07:49 . 2010-06-24 12:21 599040 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-08-21 07:49 . 2010-06-24 12:21 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-08-21 07:49 . 2010-06-24 12:21 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-08-21 07:49 . 2010-06-24 12:21 1986560 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-08-21 07:49 . 2010-06-24 12:21 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-08-21 07:49 . 2010-08-21 08:09 -------- d-----w- c:\windows\ie8updates
2010-08-21 07:49 . 2010-06-18 11:39 16896 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-08-21 07:46 . 2010-08-21 07:49 -------- dc-h--w- c:\windows\ie8
2010-08-21 07:26 . 2010-08-21 07:26 -------- d-----w- c:\documents and settings\baedtmtien\Application Data\Malwarebytes
2010-08-21 07:25 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-21 07:25 . 2010-08-21 07:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-21 07:25 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-21 07:10 . 2010-06-21 15:27 354304 -c----w- c:\windows\system32\dllcache\srv.sys
2010-08-21 07:09 . 2009-10-15 16:28 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-08-21 07:09 . 2009-10-15 16:28 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-08-21 07:09 . 2008-05-01 14:33 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2010-08-21 07:07 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-08-21 07:05 . 2010-02-24 13:11 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-08-21 07:04 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-08-21 07:02 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-08-21 06:59 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-08-21 06:57 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2010-08-21 06:54 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2010-08-21 06:54 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2010-08-21 06:54 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2010-08-21 06:54 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2010-08-21 06:54 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2010-08-21 06:53 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2010-08-21 06:53 . 2009-06-25 08:25 730112 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2010-08-21 06:53 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2010-08-21 06:53 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2010-08-21 06:53 . 2010-04-27 13:59 2146304 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-08-21 06:53 . 2010-04-28 02:25 2189952 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-08-21 06:53 . 2010-04-27 13:05 2024448 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-08-21 06:50 . 2010-06-18 13:36 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-08-21 06:49 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-08-21 06:46 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-08-21 06:46 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2010-08-21 06:46 . 2009-12-09 05:53 726528 -c--a-w- c:\windows\system32\dllcache\jscript.dll
2010-08-21 06:37 . 2010-08-21 08:09 -------- d--h--w- c:\windows\$hf_mig$
2010-08-21 06:10 . 2009-08-06 23:24 44768 ----a-w- c:\windows\system32\wups2.dll
2010-08-21 06:09 . 2010-08-21 06:09 -------- d-sh--w- c:\documents and settings\baedtmtien\UserData
2010-08-21 06:05 . 2010-08-21 06:05 -------- d-----w- c:\documents and settings\baedtmtien\Local Settings\Application Data\Help
2010-08-21 05:49 . 1997-04-09 00:08 299520 ----a-w- c:\windows\uninst.exe
2010-08-21 05:49 . 2010-08-21 05:49 -------- d-----w- c:\documents and settings\baedtmtien\WINDOWS
2010-08-21 05:49 . 1999-12-17 13:13 86016 ----a-w- c:\windows\unvise32.exe
2010-08-21 05:45 . 2010-08-21 05:45 -------- d-----w- c:\program files\Lexmark
2010-08-21 05:43 . 2010-08-21 05:56 -------- d-----w- c:\program files\LexmarkX73
2010-08-21 05:33 . 2010-08-21 05:34 -------- d-----w- c:\program files\Common Files\Adobe
2010-08-21 05:28 . 2010-08-21 05:28 -------- d-----w- c:\documents and settings\baedtmtien\Application Data\CheckPoint
2010-08-21 05:27 . 2010-08-21 05:27 -------- d-----w- c:\program files\CheckPoint
2010-08-21 05:27 . 2010-08-21 05:27 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-08-21 05:27 . 2010-06-23 17:51 69120 ----a-w- c:\windows\system32\zlcomm.dll
2010-08-21 05:27 . 2010-06-23 17:51 103936 ----a-w- c:\windows\system32\zlcommdb.dll
2010-08-21 05:27 . 2010-08-21 05:28 -------- d-----w- c:\windows\system32\ZoneLabs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-21 19:41 . 2010-08-21 19:42 2063360 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2010-08-21 19:41 . 2010-08-21 19:42 2063360 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2010-08-21 19:07 . 2010-08-21 19:07 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
2010-08-21 05:23 . 2010-08-21 05:23 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-08-21 05:23 . 2010-08-21 05:23 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-08-21 05:15 . 2010-08-21 04:27 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-08-21 04:29 . 2010-08-21 04:29 -------- d-----w- c:\program files\microsoft frontpage
2010-08-21 04:24 . 2010-08-21 04:24 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2010-06-30 12:31 . 2004-08-04 12:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:10 . 2010-06-24 12:10 81920 ------w- c:\windows\system32\ieencode.dll
2010-06-23 13:44 . 2004-08-04 12:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2004-08-04 12:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2004-08-04 12:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2010-08-21 04:25 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2004-08-04 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\downloads\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2010-05-26 730600]
"Lexmark X73 Button Monitor"="c:\progra~1\LEXMAR~1\ACMonitor_X73.exe" [2001-10-08 53248]
"Lexmark X73 Button Manager"="c:\progra~1\LEXMAR~1\AcBtnMgr_X73.exe" [2001-07-11 53248]
"PrinTray"="c:\windows\System32\spool\DRIVERS\W32X86\3\printray.exe" [2001-10-12 36864]
"EvtMgr6"="c:\downloads\Logitech Mouse\SetPointP\SetPoint.exe" [2010-06-26 1311312]

c:\documents and settings\baedtmtien\Start Menu\Programs\Startup\
Logitech . Product Registration.lnk - c:\program files\Common Files\LogiShrd\eReg\SetPoint\eReg.exe [2009-11-16 517384]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-05-06 09:29 64592 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1107000.00C\symds.sys [8/21/2010 3:04 AM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1107000.00C\symefa.sys [8/21/2010 3:04 AM 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\BASHDefs\20100810.004\BHDrvx86.sys [8/10/2010 1:16 AM 692272]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1107000.00C\cchpx86.sys [8/21/2010 3:04 AM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1107000.00C\ironx86.sys [8/21/2010 3:04 AM 116784]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [5/26/2010 9:35 AM 26352]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [5/26/2010 9:35 AM 493032]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [8/21/2010 3:05 PM 10448]
R2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\17.7.0.12\ccsvchst.exe [8/21/2010 3:02 AM 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/21/2010 2:56 AM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\IPSDefs\20100830.002\IDSXpx86.sys [9/1/2010 7:43 AM 331640]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/4/2004 8:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-09-01 c:\windows\Tasks\GlaryInitialize.job
- c:\downloads\Glary Utilities\initialize.exe [2010-08-28 15:21]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-01 08:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\17.7.0.12\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\17.7.0.12\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(556)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

- - - - - - - > 'lsass.exe'(612)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

- - - - - - - > 'explorer.exe'(3244)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\program files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
.
Completion time: 2010-09-01 08:50:07
ComboFix-quarantined-files.txt 2010-09-01 12:50

Pre-Run: 66,802,061,312 bytes free
Post-Run: 66,862,645,248 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 25BD36882AF685C62D203221E8DFB788

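A small triage helper for the ComboFix "Files Created" section quoted above, added here as an example; it is not part of the thread and not ComboFix's own code. It parses lines in the format seen in the log (the field order and the meaning of the attribute letters d, s, h, a, r and w are inferred from the log, which is an assumption) and applies three defensive checks a responder would run by eye: entries whose timestamps postdate the scan (the 2100-02-23 line for c:\windows\x73_lut.dat is exactly that; its name suggests the Lexmark X73 printer software installed on this machine, so a hit is a lead to verify, not a verdict), executables outside c:\windows and c:\program files, and hidden system files outside those trees. The sample lines are copied from the log above; the scan time comes from the ComboFix header.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# One line of the ComboFix "Files Created" / "Find3M" sections, as seen in the log:
#   <created> . <modified> <size or --------> <8 attribute flags> <path>
# (format inferred from the thread's log lines; this is an assumption, not ComboFix documentation)
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) "
    r"(?P<attrs>[a-z-]{8}) "
    r"(?P<path>\S.*)$"
)


@dataclass
class Entry:
    created: datetime
    modified: datetime
    size: Optional[int]   # None for directories (size shown as --------)
    attrs: str            # e.g. "d-sh--w-": d=directory, s=system, h=hidden, a=archive, r/w=read-only/writable
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def is_hidden(self) -> bool:
        return "h" in self.attrs

    @property
    def is_system(self) -> bool:
        return "s" in self.attrs


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one log line; return None for lines that are not file entries."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    size = None if m["size"].startswith("-") else int(m["size"])
    return Entry(
        created=datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
        modified=datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
        size=size,
        attrs=m["attrs"],
        path=m["path"],
    )


# Extensions and directory trees used by the heuristics (assumptions chosen for this example).
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx")
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")


def triage(log_text: str, scan_time: datetime) -> List[Tuple[str, str]]:
    """Return (path, reason) pairs for entries worth a second look. Hits are leads, not verdicts."""
    findings: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        p = e.path.lower()
        in_trusted_tree = p.startswith(TRUSTED_PREFIXES)
        # 1. A timestamp after the scan was taken cannot be right; often a bad installer, sometimes tampering.
        if e.created > scan_time or e.modified > scan_time:
            findings.append((e.path, "timestamp later than the scan time"))
        # 2. Executable code living in user-writable locations deserves a hash lookup.
        if not e.is_dir and p.endswith(EXEC_EXT) and not in_trusted_tree:
            findings.append((e.path, "executable outside the OS and Program Files trees"))
        # 3. Hidden+system *files* outside the OS trees; hidden+system directories in a profile
        #    are usually IE caches (IECompatCache, PrivacIE) and are deliberately not flagged.
        if not e.is_dir and e.is_hidden and e.is_system and not in_trusted_tree:
            findings.append((e.path, "hidden+system file outside the OS and Program Files trees"))
    return findings


# Sample lines copied from the ComboFix log in this thread (constructed subset).
SAMPLE_LOG = r"""
2100-02-23 18:35 . 2001-02-22 13:54 768 ----a-w- c:\windows\x73_lut.dat
2010-08-29 19:14 . 2010-08-29 19:14 -------- d-sh--w- c:\documents and settings\Russkull\IECompatCache
2010-08-22 19:35 . 2008-04-14 04:15 6272 ----a-w- c:\windows\system32\drivers\splitter.sys
2010-08-21 19:09 . 2010-08-21 19:09 53248 ----a-r- c:\documents and settings\baedtmtien\Application Data\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2010-08-21 05:27 . 2010-08-21 05:27 4212 ---ha-w- c:\windows\system32\zllictbl.dat
scan completed successfully
"""

# Scan time taken from the ComboFix header line "09/01/2010 8:34".
SCAN_TIME = datetime(2010, 9, 1, 8, 34)

if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LOG, SCAN_TIME):
        print(f"{reason}: {path}")
```

On the sample above the helper flags two entries: the x73_lut.dat line for its year-2100 timestamp and ARPPRODUCTICON.exe for being an executable under a user profile; the IE cache directory, the Windows driver and the ZoneAlarm licence table pass. Both hits have benign explanations in this thread, which is the point of keeping the output as leads for a hash lookup rather than as a verdict.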

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:03:51 PM

Posted 01 September 2010 - 06:12 PM

It's okay to run this as a user with admin privileges.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

QUOTE
RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]


Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the graphic below)




Referring to the picture above, drag CFScript into ComboFix.exe

If the program asks you to update Combofix, click Yes.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


So far, there isn't much to write home about.

Please download TCPView

When the log comes up, click Save, save the file to your desktop, and attach the file to your next reply.
m0le is a proud member of UNITE

#11 RussellJB

RussellJB
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:11:51 AM

Posted 02 September 2010 - 05:17 PM

I thought so about the Admin status but I just wanted to make sure.

Thank you very much, M0le, for all the work you are doing!

QUOTE
ComboFix 10-08-31.02 - baedtmtien 09/02/2010 17:28:10.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.559 [GMT -4:00]
Running from: c:\documents and settings\baedtmtien\Desktop\comfix.exe
Command switches used :: c:\documents and settings\baedtmtien\Desktop\CFScript.txt
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((( Files Created from 2010-08-02 to 2010-09-02 )))))))))))))))))))))))))))))))
.

2100-02-23 18:35 . 2001-02-22 13:54 768 ----a-w- c:\windows\x73_lut.dat
2010-08-29 19:19 . 2010-08-29 19:19 -------- d-----w- c:\documents and settings\baedtmtien\Application Data\GlarySoft
2010-08-29 19:14 . 2010-08-29 19:14 -------- d-sh--w- c:\documents and settings\Russkull\IECompatCache
2010-08-29 01:20 . 2010-08-29 01:20 -------- d-----w- c:\documents and settings\Russkull\Application Data\Malwarebytes
2010-08-28 17:37 . 2010-08-28 17:37 -------- d-----w- c:\documents and settings\Russkull\Application Data\GlarySoft
2010-08-27 20:20 . 2010-08-27 20:20 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-08-27 20:20 . 2010-08-27 20:20 -------- d-----w- c:\program files\NOS
2010-08-22 19:35 . 2008-04-14 04:15 6272 -c--a-w- c:\windows\system32\dllcache\splitter.sys
2010-08-22 19:35 . 2008-04-14 04:15 6272 ----a-w- c:\windows\system32\drivers\splitter.sys
2010-08-22 19:33 . 2002-05-28 20:17 3744 ----a-r- c:\windows\system32\drivers\smsens.sys
2010-08-22 19:33 . 2002-05-28 16:08 2619 ----a-r- c:\windows\system32\drivers\sensupgd.sys
2010-08-22 19:33 . 2002-04-01 17:15 4816 ----a-r- c:\windows\system32\drivers\aeaudio.sys
2010-08-22 19:33 . 2001-09-19 18:32 720896 -c--a-w- c:\windows\system32\dllcache\a3d.dll
2010-08-22 19:33 . 2001-09-19 18:32 720896 ----a-r- c:\windows\system32\a3d.dll
2010-08-22 19:33 . 2002-05-28 19:18 500568 ----a-r- c:\windows\system32\drivers\smwdm.sys
2010-08-22 19:33 . 2008-04-14 04:49 146048 -c--a-w- c:\windows\system32\dllcache\portcls.sys
2010-08-22 19:33 . 2008-04-14 04:49 146048 ----a-w- c:\windows\system32\drivers\portcls.sys
2010-08-22 19:33 . 2008-04-14 04:15 60160 -c--a-w- c:\windows\system32\dllcache\drmk.sys
2010-08-22 19:33 . 2008-04-14 04:15 60160 ----a-w- c:\windows\system32\drivers\drmk.sys
2010-08-22 16:58 . 2009-08-06 23:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-08-22 08:08 . 2010-08-22 08:08 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-08-22 08:05 . 2010-08-22 08:08 -------- d-----w- c:\windows\SHELLNEW
2010-08-22 07:53 . 2010-08-22 07:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-08-22 07:09 . 2010-08-22 07:09 -------- d-sh--w- c:\documents and settings\Russkull\PrivacIE
2010-08-22 07:09 . 2010-08-22 07:09 -------- d-----w- c:\documents and settings\Russkull\Application Data\Logitech
2010-08-21 20:29 . 2007-04-09 17:23 28552 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\mdippr.dll
2010-08-21 20:29 . 2007-04-09 17:23 28040 ----a-w- c:\windows\system32\mdimon.dll
2010-08-21 19:09 . 2010-08-21 19:09 -------- d-----w- c:\documents and settings\baedtmtien\Application Data\Leadertech
2010-08-21 19:09 . 2010-08-21 19:09 53248 ----a-r- c:\documents and settings\baedtmtien\Application Data\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2010-08-21 19:07 . 2010-08-21 19:07 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2010-08-21 19:07 . 2008-11-07 22:55 16928 ------w- c:\windows\system32\spmsgXP_2k3.dll
2010-08-21 19:05 . 2010-03-18 09:01 10448 ----a-w- c:\windows\system32\drivers\LBeepKE.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\downloads\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2010-05-26 730600]
"Lexmark X73 Button Monitor"="c:\progra~1\LEXMAR~1\ACMonitor_X73.exe" [2001-10-08 53248]
"Lexmark X73 Button Manager"="c:\progra~1\LEXMAR~1\AcBtnMgr_X73.exe" [2001-07-11 53248]
"PrinTray"="c:\windows\System32\spool\DRIVERS\W32X86\3\printray.exe" [2001-10-12 36864]
"EvtMgr6"="c:\downloads\Logitech Mouse\SetPointP\SetPoint.exe" [2010-06-26 1311312]

c:\documents and settings\baedtmtien\Start Menu\Programs\Startup\
Logitech . Product Registration.lnk - c:\program files\Common Files\LogiShrd\eReg\SetPoint\eReg.exe [2009-11-16 517384]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-05-06 09:29 64592 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1107000.00C\symds.sys [8/21/2010 3:04 AM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1107000.00C\symefa.sys [8/21/2010 3:04 AM 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\BASHDefs\20100810.004\BHDrvx86.sys [8/10/2010 1:16 AM 692272]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1107000.00C\cchpx86.sys [8/21/2010 3:04 AM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1107000.00C\ironx86.sys [8/21/2010 3:04 AM 116784]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [5/26/2010 9:35 AM 26352]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [5/26/2010 9:35 AM 493032]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [8/21/2010 3:05 PM 10448]
R2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\17.7.0.12\ccsvchst.exe [8/21/2010 3:02 AM 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/21/2010 2:56 AM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\IPSDefs\20100830.002\IDSXpx86.sys [9/1/2010 7:43 AM 331640]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/4/2004 8:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-09-02 c:\windows\Tasks\GlaryInitialize.job
- c:\downloads\Glary Utilities\initialize.exe [2010-08-28 15:21]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-02 17:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\17.7.0.12\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\17.7.0.12\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(556)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

- - - - - - - > 'lsass.exe'(612)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

- - - - - - - > 'explorer.exe'(1024)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-09-02 17:42:00
ComboFix-quarantined-files.txt 2010-09-02 21:41
ComboFix2.txt 2010-09-01 12:50

Pre-Run: 66,909,200,384 bytes free
Post-Run: 66,936,975,360 bytes free

- - End Of File - - 3BBD20B68991BFFEEB64828E31B1098C


#12 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 02 September 2010 - 07:54 PM

Hmm, nothing there. Let's see if we have TDSS in some form here.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (or you can hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks), then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If Malicious objects are found, ensure Cure is selected, then click Continue > Reboot now.
  • Click Close.
  • Finally, press Report and copy and paste the contents into your next reply. If you've rebooted, the log will be found at C:\

m0le is a proud member of UNITE

#13 RussellJB
  • Topic Starter

  • Members
  • 31 posts

Posted 02 September 2010 - 08:24 PM

It didn't find anything, M0le.

2010/09/02 21:19:16.0531 TDSS rootkit removing tool 2.4.1.4 Aug 31 2010 16:55:25
2010/09/02 21:19:16.0531 ================================================================================
2010/09/02 21:19:16.0531 SystemInfo:
2010/09/02 21:19:16.0531
2010/09/02 21:19:16.0531 OS Version: 5.1.2600 ServicePack: 3.0
2010/09/02 21:19:16.0531 Product type: Workstation
2010/09/02 21:19:16.0531 ComputerName: BETTE-31C76376D
2010/09/02 21:19:16.0546 UserName: baedtmtien
2010/09/02 21:19:16.0546 Windows directory: C:\WINDOWS
2010/09/02 21:19:16.0546 System windows directory: C:\WINDOWS
2010/09/02 21:19:16.0546 Processor architecture: Intel x86
2010/09/02 21:19:16.0546 Number of processors: 1
2010/09/02 21:19:16.0546 Page size: 0x1000
2010/09/02 21:19:16.0546 Boot type: Normal boot
2010/09/02 21:19:16.0546 ================================================================================
2010/09/02 21:19:17.0562 Initialize success
2010/09/02 21:19:31.0750 ================================================================================
2010/09/02 21:19:31.0750 Scan started
2010/09/02 21:19:31.0750 Mode: Manual;
2010/09/02 21:19:31.0750 ================================================================================
2010/09/02 21:20:15.0984 ================================================================================
2010/09/02 21:20:15.0984 Scan finished
2010/09/02 21:20:15.0984 ================================================================================
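
Added example, not part of this thread and not TDSSKiller's own code: a small Python triage script for the driver-inventory lines in the log above. Each inventory line carries a timestamp, the driver's service name, the MD5 of its image in parentheses, and the image path. The script parses those lines (skipping the separator and "Scan finished" lines), then reports drivers whose hash differs from a known-good baseline, drivers absent from the baseline, and drivers loading from outside the normal drivers directory. The Tcpip, vsdatant and Wdf01000 lines are copied from the log above; the `evilsvc` line under `C:\WINDOWS\Temp`, the `BASELINE` dictionary and the deliberately wrong hash for Wdf01000 are constructed for the demonstration (a real baseline would be built from a clean reference install of the same XP service-pack level).

```python
"""Triage helper for TDSSKiller driver-inventory log lines (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# One inventory line per driver: timestamp, service name, (md5), image path.
# Separator lines ("====") and "Scan finished" do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<name>\S+)\s+\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>\S.*?)\s*$"
)

# Where a kernel driver on XP is normally expected to live (compared case-insensitively).
EXPECTED_PREFIX = r"c:\windows\system32\drivers" + "\\"


@dataclass
class DriverEntry:
    ts: str
    name: str
    md5: str
    path: str


def parse_tdsskiller(text: str) -> List[DriverEntry]:
    """Return the driver entries found in a TDSSKiller log; non-inventory lines are ignored."""
    entries: List[DriverEntry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(DriverEntry(m["ts"], m["name"], m["md5"].lower(), m["path"]))
    return entries


def triage(entries: List[DriverEntry], baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify drivers against a known-good {service name: md5} baseline.

    hash_mismatch: name is in the baseline but the MD5 differs (possible patched/replaced image)
    unknown:       name is not in the baseline (third-party driver or an added one)
    odd_location:  image path is outside system32\\drivers (legitimate for some vendors, still review)
    A hit is a lead for manual review, not a verdict.
    """
    report: Dict[str, List[str]] = {"hash_mismatch": [], "unknown": [], "odd_location": []}
    for e in entries:
        known = baseline.get(e.name)
        if known is None:
            report["unknown"].append(e.name)
        elif known.lower() != e.md5:
            report["hash_mismatch"].append(e.name)
        if not e.path.lower().startswith(EXPECTED_PREFIX):
            report["odd_location"].append(e.name)
    return report


# First three lines copied from the log above; the evilsvc line is constructed for the demo.
SAMPLE_LOG = r"""2010/09/02 21:20:10.0859 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/09/02 21:20:14.0609 vsdatant (050c38ebb22512122e54b47dc278bccd) C:\WINDOWS\system32\vsdatant.sys
2010/09/02 21:20:15.0093 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\Drivers\wdf01000.sys
2010/09/02 21:20:15.0500 evilsvc (00000000000000000000000000000000) C:\WINDOWS\Temp\evilsvc.sys
2010/09/02 21:20:15.0984 ================================================================================
2010/09/02 21:20:15.0984 Scan finished
"""

# Constructed baseline (hypothetical): Tcpip uses the hash from the log so it matches;
# Wdf01000 is given a deliberately different value to show a mismatch being caught.
BASELINE: Dict[str, str] = {
    "Tcpip": "9aefa14bd6b182d61e3119fa5f436d3d",
    "Wdf01000": "ffffffffffffffffffffffffffffffff",
}

if __name__ == "__main__":
    for category, names in triage(parse_tdsskiller(SAMPLE_LOG), BASELINE).items():
        print(f"{category}: {', '.join(names) or '-'}")
```

On the sample input the script lists Wdf01000 under hash_mismatch, vsdatant and evilsvc under unknown, and the same two under odd_location. vsdatant.sys is ZoneAlarm's driver, which the poster installed, so that hit is expected; the Temp-directory driver is the kind of entry worth chasing. The script deliberately does not delete anything: TDSSKiller's log is an inventory, and removal decisions belong to the helper guiding the thread.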


#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:03:51 PM

Posted 02 September 2010 - 08:26 PM

It's looking good then.

Run MBAM next

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    If MBAM won't update then download and update MBAM on a clean computer then save the rules.ref folder to a memory stick. This file is found here: 'C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware' then transfer it across to the infected computer.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.


Then run ESET's online scanner
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Leave the top box checked and then check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.

m0le is a proud member of UNITE

#15 RussellJB

RussellJB
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:11:51 AM

Posted 02 September 2010 - 08:59 PM

M0le, I forgot to add that I saved TDSSKiller to:

C:\Documents and Settings\baedtmtien\Desktop

Is that the correct procedure?

I already have Malwarebytes but I'll uninstall it and install yours, just in case something was disabled in mine via a virus. I'll be back in a bit.

Edited by RussellJB, 02 September 2010 - 09:06 PM.




