
Trojan.Pandex keeps returning


41 replies to this topic

#1 scottpon

scottpon

  • Members
  • 38 posts
  • Gender:Male
  • Location:San Jose, CA

Posted 23 August 2010 - 05:15 PM

I had a computer where Symantec Endpoint didn't get installed correctly, and now, after fixing Symantec Endpoint, it is identified as having Trojan.Pandex (according to SEP). SEP catches the file that is infected, but it will not go away.

I have run Malwarebytes Anti-Malware with no luck. I also have read up on other threads and ran ComboFix. Still it has returned, so I must be missing something! So I'm starting off with the DDS and GMER logs. I hope someone can help me fix this blasted computer!

Thanks in advance.

DDS (Ver_10-03-17.01) - NTFSx86
Run by nql at 14:18:43.79 on Mon 08/23/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2494.1763 [GMT -7:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Common Files\Adobe\Updater6\Adobe_Updater.exe
C:\Documents and Settings\aql\Desktop\dds.bat

============== Pseudo HJT Report ===============

uStart Page = hxxp://intranet.wa-ss.com
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} - file://\\server11\VPHOME\clt-inst\WEBINST\WebInst.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

============= SERVICES / DRIVERS ===============

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-12-3 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-12-3 108392]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [2010-8-19 10448]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-12-3 2477304]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-8-20 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100823.002\NAVENG.SYS [2010-8-23 85424]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100823.002\NAVEX15.SYS [2010-8-23 1362608]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-11 135664]
S3 Pervasive.SQL Workgroup Engine;Pervasive.SQL Workgroup Engine;c:\windows\system32\srvany.exe [2007-12-21 8192]
S3 VPREMOTE;VPRemote Install Bootstrap Service;c:\temp\clt-inst\vpremote.exe [2009-6-13 142192]
S4 psqlWGE;Pervasive PSQL Workgroup Engine;c:\program files\pervasive\bin\w3dbsmgr.exe [2008-8-18 455968]

============== File Associations ===============

.scr=DWGTrueViewScriptFile

=============== Created Last 30 ================

2010-08-22 20:35:01 0 d-sh--w- c:\documents and settings\aql\IECompatCache
2010-08-21 00:03:42 0 d-----w- c:\docume~1\aql\applic~1\Malwarebytes
2010-08-20 23:26:23 0 d-sha-r- C:\cmdcons
2010-08-20 23:23:52 98816 ----a-w- c:\windows\sed.exe
2010-08-20 23:23:52 77312 ----a-w- c:\windows\MBR.exe
2010-08-20 23:23:52 256512 ----a-w- c:\windows\PEV.exe
2010-08-20 23:23:52 161792 ----a-w- c:\windows\SWREG.exe
2010-08-20 23:22:02 388608 ----a-w- c:\windows\system32\CF17582.exe
2010-08-20 09:34:27 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-08-20 09:34:27 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-08-20 09:34:27 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-08-20 09:34:27 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-08-20 08:33:59 1060864 ----a-w- c:\windows\system32\MFC71.DLL
2010-08-20 08:33:57 0 d-----w- c:\program files\Symantec
2010-08-20 07:54:52 362 ----a-w- c:\windows\Shortcut to WINDOWS.lnk
2010-08-20 07:28:54 0 d-----w- c:\program files\VS Revo Group
2010-08-20 06:49:32 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-08-20 06:49:32 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-08-20 06:31:14 10448 ----a-w- c:\windows\system32\drivers\LBeepKE.sys
2010-08-17 00:28:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-17 00:28:32 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-17 00:28:32 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-17 00:28:32 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-08-12 20:01:13 211072 ----a-w- c:\windows\system32\dllcache\ndis.sys
2010-08-04 15:54:44 743936 ------w- c:\windows\system32\dllcache\helpsvc.exe

==================== Find3M ====================

2010-08-20 06:31:23 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2010-08-12 20:01:13 211072 ----a-w- c:\windows\system32\drivers\ndis.sys
2010-01-15 01:18:48 1432 ----a-w- c:\program files\DeaInstall.log

============= FINISH: 14:19:16.82 ===============
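A triage helper for the DDS log above, added here as an example; it is not part of this thread and not code from the DDS tool. It parses the line shapes that DDS uses in its `SERVICES / DRIVERS`, `Created Last 30` and `Find3M` sections, then lists every kernel driver file (`.sys` under a `drivers` directory) with its age at the time DDS ran and whether any registered service/driver entry points at that path. The sample text is constructed from lines copied out of the log above, and `RUN_TIME` is the timestamp DDS printed in its `Run by` header; the regular expressions, the path-matching rule and the `triage_drivers` heuristic are my assumptions, not anything DDS documents.

```python
"""Triage helper for DDS log sections (added example; not part of the thread or of DDS)."""
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: a handful of lines copied from the DDS log posted in this thread.
SAMPLE_DDS = r"""
============= SERVICES / DRIVERS ===============

R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [2010-8-19 10448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100823.002\NAVENG.SYS [2010-8-23 85424]
S3 VPREMOTE;VPRemote Install Bootstrap Service;c:\temp\clt-inst\vpremote.exe [2009-6-13 142192]

=============== Created Last 30 ================

2010-08-20 23:22:02 388608 ----a-w- c:\windows\system32\CF17582.exe
2010-08-20 09:34:27 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-08-20 06:31:14 10448 ----a-w- c:\windows\system32\drivers\LBeepKE.sys
2010-08-17 00:28:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-17 00:28:32 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-17 00:28:32 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-12 20:01:13 211072 ----a-w- c:\windows\system32\dllcache\ndis.sys

==================== Find3M ====================

2010-08-20 06:31:23 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2010-08-12 20:01:13 211072 ----a-w- c:\windows\system32\drivers\ndis.sys
"""

# The time DDS printed in its "Run by ... at 14:18:43.79 on Mon 08/23/2010" header.
RUN_TIME = datetime(2010, 8, 23, 14, 18, 43)

# File entry: "2010-08-17 00:28:32 20952 ----a-w- c:\windows\system32\drivers\mbam.sys"
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S{8})\s+(.+)$")
# Service entry: "R2 name;display name;path [yyyy-m-d size]"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[[^\]]*\]$")


@dataclass(frozen=True)
class FileEntry:
    created: datetime
    size: int
    attrs: str   # DDS attribute string such as "----a-w-"; a leading "d" marks a directory
    path: str


@dataclass(frozen=True)
class ServiceEntry:
    state: str   # running/stopped flag plus start type as DDS prints it, e.g. "R2"
    name: str
    display: str
    path: str


def parse_dds(text):
    """Pull file entries and service/driver entries out of a DDS log body."""
    files, services = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            files.append(FileEntry(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                                   int(m.group(2)), m.group(3), m.group(4)))
            continue
        m = SERVICE_RE.match(line)
        if m:
            services.append(ServiceEntry(*m.groups()))
    return files, services


DRIVER_DIR = "\\drivers\\"


def triage_drivers(files, services, run_time=RUN_TIME):
    """One finding per .sys file under a drivers directory: its age when DDS ran and
    whether a registered service/driver entry points at exactly that path (heuristic).
    Matching is by lower-cased path text, so an 8.3 short name in the services
    section (progra~1 and friends) will not line up with the long name in the file list."""
    registered = {s.path.lower() for s in services}
    findings = []
    for f in files:
        p = f.path.lower()
        if f.attrs.startswith("d") or not p.endswith(".sys") or DRIVER_DIR not in p:
            continue
        findings.append({
            "path": f.path,
            "created": f.created,
            "age_days": (run_time - f.created).days,
            "size": f.size,
            "registered": p in registered,
        })
    return sorted(findings, key=lambda d: d["created"], reverse=True)


def report(findings):
    """Render the findings as one aligned line each (newest first)."""
    rows = []
    for d in findings:
        tag = "registered" if d["registered"] else "NOT in services list"
        rows.append(f"{d['created']:%Y-%m-%d %H:%M}  {d['age_days']:>3}d  "
                    f"{d['size']:>8}  {tag:<20}  {d['path']}")
    return "\n".join(rows)


if __name__ == "__main__":
    files, services = parse_dds(SAMPLE_DDS)
    print(f"{len(files)} file entries, {len(services)} service/driver entries")
    print(report(triage_drivers(files, services)))
```

The "NOT in services list" tag is a prompt to look, not a verdict: legitimate drivers that load through other mechanisms, or whose service line uses a short path, will also land there (in the sample, the Malwarebytes drivers do). The useful signal is the combination of a very recent creation time, a kernel driver location, and no obvious owner.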



#2 mpascal

mpascal

    Math Nerd


  • Members
  • 1,653 posts
  • Gender:Male
  • Location:Canada

Posted 29 August 2010 - 03:54 PM

Hi scottpon,

Welcome to Bleeping Computer!

My name is mpascal, and I will be helping you fix your problem.

Before we begin, I would like to give a few guidelines so that we can fix your problem as quickly and efficiently as possible:
  • Be sure to follow all my instructions carefully! If there is anything you don't understand, don't hesitate to ask.
  • Please do not do anything or perform other steps unless I have asked you to do so.
  • Please make sure you post all logs I ask you to, and make sure that the entire log gets posted.
  • Don't attach any logs unless asked. Posting them in the forums will make them easier to analyze.
  • If you are unsure of how to reply, or need help with anything regarding the website, please look here.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below I will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

STEP 1 - MBAM

Note: In the event that you already have MBAM installed, you do not need to reinstall it. Simply Updating it and doing a Quickscan is sufficient.

Please download Malwarebytes Anti-Malware (v1.44) and save it to your desktop. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

STEP 2 - GMER

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with GMER's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system, click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.

STEP 3 - OTL

Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • In the Custom Scans box, copy and paste the following:
    netsvcs
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of the files, and post it with your next reply.

STEP 4 - Reply

Please reply with the following logs:
  • MBAM Log
  • GMER Log
  • OTL Log


Stay with your topic! Topics that go 4 days without a reply will be closed. PM me to reopen.

Please don't PM asking for support. Post on the forums instead.

My help is free, but if you wish to donate and help continue my fight against malware, click here.


#3 scottpon

scottpon
  • Topic Starter

  • Members
  • 38 posts
  • Gender:Male
  • Location:San Jose, CA

Posted 31 August 2010 - 08:20 PM

Thanks for the response; here are the items you requested.

>> Here is my MBAM log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4518

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

8/31/2010 5:20:44 PM
mbam-log-2010-08-31 (17-20-44).txt

Scan type: Quick scan
Objects scanned: 170351
Time elapsed: 8 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\Drivers\ntndis.sys (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\ipsecndis.sys (Rootkit.Agent) -> Delete on reboot.


>> Here is my GMER log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-31 18:08:43
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\ADMIN6~1.WA-\LOCALS~1\Temp\pxloypog.sys


---- System - GMER 1.0.15 ----

SSDT 89D44620 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys ZwUnloadKey [0xB22656D0]

Code 8A0870E0 pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

? aoovtrey.sys The system cannot find the file specified. !
.reloc C:\WINDOWS\system32\drivers\NDIS.sys section is executable [0x8A05A200, 0x3262A, 0xE0000060]
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB99E9000, 0x1C5D38, 0xE8000020]
? C:\WINDOWS\system32\Drivers\uphcleanhlp.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

? C:\WINDOWS\System32\svchost.exe[1924] image checksum mismatch; number of sections mismatch; time/date stamp mismatch;
? C:\WINDOWS\System32\svchost.exe[1932] image checksum mismatch; number of sections mismatch; time/date stamp mismatch;

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegQueryValueExW] FB8401C7
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorDacl] DCE90043
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetEntriesInAclW] 560001B9
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorGroup] 06C7F18B
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorOwner] [0043FB84] C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!InitializeSecurityDescriptor] 01B9CEE8
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!GetTokenInformation] 2444F600
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenProcessToken] 07740108
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenThreadToken] BA72E856
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetServiceStatus] 8B590001
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegisterServiceCtrlHandlerW] 04C25EC6
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegCloseKey] EC8B5500
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegOpenKeyExW] FF1475FF
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!StartServiceCtrlDispatcherW] 75FF1075
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!WideCharToMultiByte] [5D10C483] C:\WINDOWS\system32\comctl32.dll (Common Controls Library/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrlenW] EC8B55C3
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalFree] FF1475FF
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcess] 75FF1075
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThread] 0875FF0C
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcAddress] 01BAC3E8
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryExW] 08458B00
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LCMapStringW] 0206B2E8
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!FreeLibrary] 89F18B00
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcpyW] 8EE8F075
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExpandEnvironmentStringsW] 830001B8
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpiW] FF00FC65
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExitProcess] 4E8D0875
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCommandLineW] 9006C70C
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InitializeCriticalSection] E80043FB
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcessHeap] 00001F05
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetErrorMode] 64E8C68B
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetUnhandledExceptionFilter] C2000207
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!RegisterWaitForSingleObject] 8B560004
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InterlockedCompareExchange] 6A006AF1
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryA] 0C4E8D01
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!QueryPerformanceCounter] FB9006C7
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetTickCount] 71E80043
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThreadId] 8B000023
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcessId] 30E95ECE
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetSystemTimeAsFileTime] 560001B9
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!TerminateProcess] DBE8F18B
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!UnhandledExceptionFilter] F6FFFFFF
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalAlloc] 01082444
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpW] E8560774
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!DelayLoadFailureHook] 0001B9CC
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtQuerySecurityObject] 560004C2
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlFreeHeap] 082474FF
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtOpenKey] 86E8F18B
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscat] C7FFFFFF
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscpy] 43FB9C06
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlAllocateHeap] 5EC68B00
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCompareUnicodeString] C70004C2
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitUnicodeString] 43FB9C01
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitializeSid] FFA4E900
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlLengthRequiredSid] 8B56FFFF
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthoritySid] 9C06C7F1
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtClose] E80043FB
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthorityCountSid] FFFFFF96
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetDaclSecurityDescriptor] 082444F6
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlQueryInformationAcl] 56077401
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetAce] 01B987E8
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlImageNtHeader] C68B5900
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcslen] 0004C25E
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlUnhandledExceptionFilter] EFB8046A
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCopySid] E8004399
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIfEx] 7589F18B
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtWaitServerListen] 087D8BF0
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtSetServerStackSize] B858E857
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIf] 65830001
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerListen] C78300FC
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUseProtseqEpW] 4E8D570C
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerRegisterIf] 9006C70C
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!I_RpcMapWin32Status] E80043FB
IAT C:\WINDOWS\System32\svchost.exe[1924] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtStopServerListening] 00001E4D
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegQueryValueExW] FB8401C7
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorDacl] DCE90043
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetEntriesInAclW] 560001B9
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorGroup] 06C7F18B
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorOwner] [0043FB84] C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!InitializeSecurityDescriptor] 01B9CEE8
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!GetTokenInformation] 2444F600
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenProcessToken] 07740108
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenThreadToken] BA72E856
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetServiceStatus] 8B590001
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegisterServiceCtrlHandlerW] 04C25EC6
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegCloseKey] EC8B5500
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegOpenKeyExW] FF1475FF
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!StartServiceCtrlDispatcherW] 75FF1075
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!WideCharToMultiByte] [5D10C483] C:\WINDOWS\system32\comctl32.dll (Common Controls Library/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrlenW] EC8B55C3
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalFree] FF1475FF
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcess] 75FF1075
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThread] 0875FF0C
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcAddress] 01BAC3E8
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryExW] 08458B00
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LCMapStringW] 0206B2E8
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!FreeLibrary] 89F18B00
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcpyW] 8EE8F075
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExpandEnvironmentStringsW] 830001B8
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpiW] FF00FC65
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExitProcess] 4E8D0875
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCommandLineW] 9006C70C
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InitializeCriticalSection] E80043FB
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcessHeap] 00001F05
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetErrorMode] 64E8C68B
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetUnhandledExceptionFilter] C2000207
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!RegisterWaitForSingleObject] 8B560004
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InterlockedCompareExchange] 6A006AF1
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryA] 0C4E8D01
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!QueryPerformanceCounter] FB9006C7
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetTickCount] 71E80043
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThreadId] 8B000023
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcessId] 30E95ECE
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetSystemTimeAsFileTime] 560001B9
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!TerminateProcess] DBE8F18B
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!UnhandledExceptionFilter] F6FFFFFF
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalAlloc] 01082444
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpW] E8560774
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!DelayLoadFailureHook] 0001B9CC
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtQuerySecurityObject] 560004C2
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlFreeHeap] 082474FF
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtOpenKey] 86E8F18B
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscat] C7FFFFFF
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscpy] 43FB9C06
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlAllocateHeap] 5EC68B00
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCompareUnicodeString] C70004C2
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitUnicodeString] 43FB9C01
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitializeSid] FFA4E900
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlLengthRequiredSid] 8B56FFFF
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthoritySid] 9C06C7F1
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtClose] E80043FB
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthorityCountSid] FFFFFF96
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetDaclSecurityDescriptor] 082444F6
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlQueryInformationAcl] 56077401
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetAce] 01B987E8
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlImageNtHeader] C68B5900
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcslen] 0004C25E
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlUnhandledExceptionFilter] EFB8046A
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCopySid] E8004399
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIfEx] 7589F18B
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtWaitServerListen] 087D8BF0
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtSetServerStackSize] B858E857
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIf] 65830001
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerListen] C78300FC
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUseProtseqEpW] 4E8D570C
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerRegisterIf] 9006C70C
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!I_RpcMapWin32Status] E80043FB
IAT C:\WINDOWS\System32\svchost.exe[1932] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtStopServerListening] 00001E4D

---- Devices - GMER 1.0.15 ----

Device \Driver\NDIS \Device\Ndis [8A061982] NDIS.sys[.reloc]

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

>> Here is my OTL Log

OTL logfile created on: 8/31/2010 6:11:30 PM - Run 1
OTL by OldTimer - Version 3.2.11.0 Folder = C:\Documents and Settings\admin6.WA-SS\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 79.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 58.57 Gb Free Space | 78.59% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 7.45 Gb Total Space | 6.41 Gb Free Space | 86.03% Space Free | Partition Type: FAT32
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DX5150-30
Current User Name: admin6
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\admin6.WA-SS\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Logitech\SetPointP\SetPoint.exe (Logitech, Inc.)
PRC - C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.exe (Logitech, Inc.)
PRC - C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
PRC - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)
PRC - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe (Symantec Corporation)
PRC - C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe (Symantec Corporation)
PRC - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe (Symantec Corporation)
PRC - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\UPHClean\uphclean.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\snmp.exe (Microsoft Corporation)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\admin6.WA-SS\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (LBTServ) -- C:\Program Files\Common Files\LogiShrd\Bluetooth\LBTServ.exe (Logitech, Inc.)
SRV - (ccSetMgr) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)
SRV - (ccEvtMgr) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)
SRV - (SNAC) -- C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE (Symantec Corporation)
SRV - (SmcService) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe (Symantec Corporation)
SRV - (Symantec AntiVirus) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe (Symantec Corporation)
SRV - (VPREMOTE) -- C:\TEMP\Clt-Inst\vpremote.exe (Symantec Corporation)
SRV - (LiveUpdate) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE (Symantec Corporation)
SRV - (psqlWGE) -- C:\Program Files\Pervasive\bin\w3dbsmgr.exe ()
SRV - (Pervasive.SQL Workgroup Engine) -- C:\WINDOWS\system32\srvany.exe ()
SRV - (UPHClean) -- C:\Program Files\UPHClean\uphclean.exe (Microsoft Corporation)
SRV - (SNMP) -- C:\WINDOWS\system32\snmp.exe (Microsoft Corporation)


========== Driver Services (SafeList) ==========

DRV - (WPS) -- C:\WINDOWS\System32\drivers\wpsdrvnt.sys File not found
DRV - (SysPlant) -- C:\WINDOWS\System32\Drivers\SysPlant.sys File not found
DRV - (catchme) -- C:\DOCUME~1\aql\LOCALS~1\Temp\catchme.sys File not found
DRV - (NAVEX15) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100831.002\NAVEX15.SYS (Symantec Corporation)
DRV - (NAVENG) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100831.002\NAVENG.SYS (Symantec Corporation)
DRV - (eeCtrl) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (Symantec Corporation)
DRV - (EraserUtilRebootDrv) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (Symantec Corporation)
DRV - (SymEvent) -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS (Symantec Corporation)
DRV - (NDIS) -- C:\WINDOWS\System32\drivers\ndis.sys ()
DRV - (LMouKE) -- C:\WINDOWS\system32\drivers\LMouKE.Sys (Logitech, Inc.)
DRV - (LMouFilt) -- C:\WINDOWS\system32\drivers\LMouFilt.Sys (Logitech, Inc.)
DRV - (LHidFilt) -- C:\WINDOWS\system32\drivers\LHidFilt.Sys (Logitech, Inc.)
DRV - (LBeepKE) -- C:\WINDOWS\system32\drivers\LBeepKE.sys (Logitech, Inc.)
DRV - (L8042mou) -- C:\WINDOWS\system32\drivers\L8042mou.Sys (Logitech, Inc.)
DRV - (L8042Kbd) -- C:\WINDOWS\system32\drivers\L8042Kbd.sys (Logitech, Inc.)
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (SRTSPL) -- C:\WINDOWS\system32\drivers\srtspl.sys (Symantec Corporation)
DRV - (SRTSP) -- C:\WINDOWS\system32\drivers\srtsp.sys (Symantec Corporation)
DRV - (SRTSPX) -- C:\WINDOWS\system32\drivers\srtspx.sys (Symantec Corporation)
DRV - (SYMTDI) -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS (Symantec Corporation)
DRV - (SYMREDRV) -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS (Symantec Corporation)
DRV - (SPBBCDrv) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys (Symantec Corporation)
DRV - (LHidKe) -- C:\WINDOWS\system32\drivers\LHidKE.Sys (Logitech, Inc.)
DRV - (b57w2k) -- C:\WINDOWS\system32\drivers\b57xp32.sys (Broadcom Corporation)
DRV - (AmdK8) -- C:\WINDOWS\system32\drivers\AmdK8.sys (Advanced Micro Devices)
DRV - (Blfp) -- C:\WINDOWS\system32\drivers\baspxp32.sys (Broadcom Corporation)
DRV - (ALCXWDM) Service for Realtek AC97 Audio (WDM) -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS (Realtek Semiconductor Corp.)
DRV - (iAimFP4) -- C:\WINDOWS\system32\drivers\wVchNTxx.sys (Intel® Corporation)
DRV - (iAimFP3) -- C:\WINDOWS\system32\drivers\wSiINTxx.sys (Intel® Corporation)
DRV - (iAimTV5) -- C:\WINDOWS\system32\drivers\wATV10nt.sys (Intel® Corporation)
DRV - (iAimTV4) -- C:\WINDOWS\system32\drivers\wCh7xxNT.sys (Intel® Corporation)
DRV - (iAimTV6) -- C:\WINDOWS\system32\drivers\wATV06nt.sys (Intel® Corporation)
DRV - (iAimTV3) -- C:\WINDOWS\system32\drivers\wATV04nt.sys (Intel® Corporation)
DRV - (iAimTV1) -- C:\WINDOWS\system32\drivers\wATV02NT.sys (Intel® Corporation)
DRV - (iAimTV0) -- C:\WINDOWS\system32\drivers\wATV01nt.sys (Intel® Corporation)
DRV - (iAimFP7) -- C:\WINDOWS\system32\drivers\wADV09NT.sys (Intel® Corporation)
DRV - (iAimFP5) -- C:\WINDOWS\system32\drivers\wADV07nt.sys (Intel® Corporation)
DRV - (iAimFP6) -- C:\WINDOWS\system32\drivers\wADV08NT.sys (Intel® Corporation)
DRV - (i81x) -- C:\WINDOWS\system32\drivers\i81xnt5.sys (Intel® Corporation)
DRV - (iAimFP0) -- C:\WINDOWS\system32\drivers\wADV01nt.sys (Intel® Corporation)
DRV - (iAimFP1) -- C:\WINDOWS\system32\drivers\wADV02NT.sys (Intel® Corporation)
DRV - (iAimFP2) -- C:\WINDOWS\system32\drivers\wADV05NT.sys (Intel® Corporation)
DRV - (adpu320) -- C:\WINDOWS\system32\DRIVERS\adpu320.sys (Adaptec, Inc.)
DRV - (Symmpi) -- C:\WINDOWS\system32\DRIVERS\symmpi.sys (LSI Logic)
DRV - (sym_u3) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys (LSI Logic)
DRV - (sym_hi) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys (LSI Logic)
DRV - (symc8xx) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys (LSI Logic)
DRV - (symc810) -- C:\WINDOWS\system32\DRIVERS\symc810.sys (Symbios Logic Inc.)
DRV - (ac97intc) Intel® 82801 Audio Driver Install Service (WDM) -- C:\WINDOWS\system32\drivers\ac97intc.sys (Intel Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://intranet.wa-ss.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2010/08/22 13:57:42 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe (Logitech, Inc.)
O4 - HKLM..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogOff = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll (Google Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} file://\\server11\VPHOME\clt-inst\WEBINST\WebInst.cab (WebBasedClientInstall Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.14
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wa-ss.com
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\LBTWlgn: DllName - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll - c:\Program Files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)

========== Files/Folders - Created Within 30 Days ==========

[2010/08/31 18:10:21 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\admin6.WA-SS\Desktop\OTL.exe
[2010/08/24 16:33:47 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/08/24 16:33:47 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/08/24 16:33:47 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/08/24 16:33:46 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/08/24 16:26:21 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\appmgmt
[2010/08/24 16:22:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\admin6.WA-SS\Desktop\Computer Fixing
[2010/08/24 16:22:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\admin6.WA-SS\Desktop\WindowsXP_32-bit
[2010/08/22 13:59:47 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/08/20 16:26:23 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/08/20 16:23:52 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/08/20 16:23:52 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/08/20 16:23:52 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/08/20 16:23:52 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/08/20 16:22:03 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/08/20 16:22:02 | 000,388,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\CF17582.exe
[2010/08/20 16:21:48 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/08/20 02:46:56 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2010/08/20 02:41:05 | 000,101,888 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\evntagnt.dll
[2010/08/20 02:41:05 | 000,101,888 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\evntagnt.dll
[2010/08/20 02:41:05 | 000,092,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\evntwin.exe
[2010/08/20 02:41:05 | 000,092,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\evntwin.exe
[2010/08/20 02:41:05 | 000,039,936 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\hostmib.dll
[2010/08/20 02:41:05 | 000,039,936 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\hostmib.dll
[2010/08/20 02:41:05 | 000,032,768 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\snmp.exe
[2010/08/20 02:41:05 | 000,032,768 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\snmp.exe
[2010/08/20 02:41:05 | 000,024,064 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\evntcmd.exe
[2010/08/20 02:41:05 | 000,024,064 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\evntcmd.exe
[2010/08/20 02:41:05 | 000,008,704 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\snmptrap.exe
[2010/08/20 02:41:05 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\snmpmib.dll
[2010/08/20 02:41:05 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\snmpmib.dll
[2010/08/20 02:41:01 | 000,033,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\lmmib2.dll
[2010/08/20 02:41:01 | 000,033,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\lmmib2.dll
[2010/08/20 02:36:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\admin6.WA-SS\Local Settings\Application Data\Symantec
[2010/08/20 02:34:27 | 000,124,976 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2010/08/20 02:34:27 | 000,060,808 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2010/08/20 01:33:59 | 001,060,864 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MFC71.DLL
[2010/08/20 01:33:57 | 000,000,000 | ---D | C] -- C:\Program Files\Symantec
[2010/08/20 00:28:54 | 000,000,000 | ---D | C] -- C:\Program Files\VS Revo Group
[2010/08/20 00:28:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\admin6.WA-SS\Desktop\New Folder
[2010/08/19 23:58:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\admin6.WA-SS\Local Settings\Application Data\Adobe
[2010/08/19 23:58:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\admin6.WA-SS\Application Data\Adobe
[2010/08/19 23:49:32 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/08/19 23:49:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2010/08/19 23:38:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\admin6.WA-SS\Application Data\MSNInstaller
[2010/08/19 23:31:14 | 000,010,448 | ---- | C] (Logitech, Inc.) -- C:\WINDOWS\System32\drivers\LBeepKE.sys
[2010/08/19 23:30:58 | 000,000,000 | ---D | C] -- C:\Program Files\Logitech
[2010/08/16 17:28:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\admin6.WA-SS\Application Data\Malwarebytes
[2010/08/16 17:28:34 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/08/16 17:28:32 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/08/16 17:28:32 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/08/16 17:28:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/08/04 08:54:44 | 000,743,936 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\helpsvc.exe
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/08/31 18:13:02 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/08/31 17:24:34 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/08/31 17:23:42 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/08/31 17:23:34 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/08/31 17:23:07 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/08/31 17:22:47 | 2615,726,080 | -HS- | M] () -- C:\hiberfil.sys
[2010/08/31 17:21:10 | 001,572,864 | -H-- | M] () -- C:\Documents and Settings\admin6.WA-SS\NTUSER.DAT
[2010/08/31 17:21:10 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\admin6.WA-SS\ntuser.ini
[2010/08/31 17:05:22 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\admin6.WA-SS\Desktop\OTL.exe
[2010/08/31 14:35:48 | 000,000,418 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{88A37ADA-15EA-4BFA-AA90-87D1C4E5A1C0}.job
[2010/08/24 16:33:30 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/08/24 16:33:30 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/08/24 16:33:30 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/08/24 16:33:29 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/08/24 16:33:29 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/08/22 13:57:48 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/08/22 13:57:42 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/08/20 16:26:27 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/08/20 16:21:43 | 000,388,608 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\CF17582.exe
[2010/08/20 02:42:11 | 006,948,098 | -H-- | M] () -- C:\Documents and Settings\admin6.WA-SS\Local Settings\Application Data\IconCache.db
[2010/08/20 02:41:12 | 000,525,286 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/08/20 02:41:12 | 000,444,358 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/08/20 02:41:12 | 000,072,108 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/08/20 02:34:37 | 000,124,976 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2010/08/20 02:34:37 | 000,060,808 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2010/08/20 02:34:37 | 000,007,456 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2010/08/20 02:34:37 | 000,000,806 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2010/08/20 02:20:08 | 000,000,573 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/08/20 02:20:08 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2010/08/20 02:04:12 | 000,007,779 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\LUUnInstall.LiveUpdate
[2010/08/20 01:21:04 | 000,161,190 | ---- | M] () -- C:\Documents and Settings\admin6.WA-SS\My Documents\cc_20100820_012101.reg
[2010/08/20 01:04:39 | 000,000,082 | ---- | M] () -- C:\Documents and Settings\admin6.WA-SS\My Documents\cc_20100820_010437.reg
[2010/08/20 00:54:52 | 000,000,362 | ---- | M] () -- C:\WINDOWS\Shortcut to WINDOWS.lnk
[2010/08/19 23:49:09 | 000,433,594 | ---- | M] () -- C:\Documents and Settings\admin6.WA-SS\My Documents\Stubexe file.pdf
[2010/08/19 23:31:23 | 000,016,400 | ---- | M] (Logitech, Inc.) -- C:\WINDOWS\System32\drivers\LNonPnP.sys
[2010/08/19 23:30:15 | 000,004,566 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/08/16 17:51:12 | 000,000,920 | RHS- | M] () -- C:\Documents and Settings\admin6.WA-SS\ntuser.pol
[2010/08/12 13:01:13 | 000,211,072 | ---- | M] () -- C:\WINDOWS\System32\drivers\ndis.sys
[2010/08/12 13:01:13 | 000,211,072 | ---- | M] () -- C:\WINDOWS\System32\dllcache\ndis.sys
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/08/22 13:34:47 | 000,000,418 | -H-- | C] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{88A37ADA-15EA-4BFA-AA90-87D1C4E5A1C0}.job
[2010/08/20 16:26:27 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/08/20 16:26:24 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/08/20 16:23:52 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/08/20 16:23:52 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/08/20 16:23:52 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/08/20 16:23:52 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/08/20 16:23:52 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/08/20 02:41:06 | 000,107,882 | ---- | C] () -- C:\WINDOWS\System32\mib_ii.mib
[2010/08/20 02:41:06 | 000,049,275 | ---- | C] () -- C:\WINDOWS\System32\wfospf.mib
[2010/08/20 02:41:06 | 000,048,593 | ---- | C] () -- C:\WINDOWS\System32\hostmib.mib
[2010/08/20 02:41:06 | 000,038,608 | ---- | C] () -- C:\WINDOWS\System32\nipx.mib
[2010/08/20 02:41:06 | 000,034,317 | ---- | C] () -- C:\WINDOWS\System32\msiprip2.mib
[2010/08/20 02:41:06 | 000,030,448 | ---- | C] () -- C:\WINDOWS\System32\mcastmib.mib
[2010/08/20 02:41:06 | 000,026,236 | ---- | C] () -- C:\WINDOWS\System32\wins.mib
[2010/08/20 02:41:06 | 000,026,100 | ---- | C] () -- C:\WINDOWS\System32\lmmib2.mib
[2010/08/20 02:41:06 | 000,021,386 | ---- | C] () -- C:\WINDOWS\System32\mipx.mib
[2010/08/20 02:41:06 | 000,020,079 | ---- | C] () -- C:\WINDOWS\System32\http.mib
[2010/08/20 02:41:06 | 000,015,799 | ---- | C] () -- C:\WINDOWS\System32\ipforwd.mib
[2010/08/20 02:41:06 | 000,013,767 | ---- | C] () -- C:\WINDOWS\System32\msipbtp.mib
[2010/08/20 02:41:06 | 000,010,313 | ---- | C] () -- C:\WINDOWS\System32\mripsap.mib
[2010/08/20 02:41:06 | 000,006,179 | ---- | C] () -- C:\WINDOWS\System32\ftp.mib
[2010/08/20 02:41:06 | 000,004,332 | ---- | C] () -- C:\WINDOWS\System32\smi.mib
[2010/08/20 02:41:06 | 000,000,698 | ---- | C] () -- C:\WINDOWS\System32\inetsrv.mib
[2010/08/20 02:41:06 | 000,000,581 | ---- | C] () -- C:\WINDOWS\System32\msft.mib
[2010/08/20 02:41:05 | 000,016,617 | ---- | C] () -- C:\WINDOWS\System32\authserv.mib
[2010/08/20 02:41:05 | 000,015,597 | ---- | C] () -- C:\WINDOWS\System32\accserv.mib
[2010/08/20 02:41:05 | 000,004,597 | ---- | C] () -- C:\WINDOWS\System32\dhcp.mib
[2010/08/20 02:34:27 | 000,007,456 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2010/08/20 02:34:27 | 000,000,806 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2010/08/20 02:21:04 | 2615,726,080 | -HS- | C] () -- C:\hiberfil.sys
[2010/08/20 01:40:55 | 000,007,779 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\LUUnInstall.LiveUpdate
[2010/08/20 01:21:02 | 000,161,190 | ---- | C] () -- C:\Documents and Settings\admin6.WA-SS\My Documents\cc_20100820_012101.reg
[2010/08/20 01:04:39 | 000,000,082 | ---- | C] () -- C:\Documents and Settings\admin6.WA-SS\My Documents\cc_20100820_010437.reg
[2010/08/20 00:54:52 | 000,000,362 | ---- | C] () -- C:\WINDOWS\Shortcut to WINDOWS.lnk
[2010/08/19 23:49:06 | 000,433,594 | ---- | C] () -- C:\Documents and Settings\admin6.WA-SS\My Documents\Stubexe file.pdf
[2010/08/12 13:01:13 | 000,211,072 | ---- | C] () -- C:\WINDOWS\System32\dllcache\ndis.sys
[2007/12/27 18:15:15 | 000,001,432 | ---- | C] () -- C:\Program Files\DeaInstall.log
[2007/03/28 11:07:25 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2007/02/07 13:15:34 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\hpzids01.dll
[2006/09/14 14:28:13 | 000,299,008 | ---- | C] () -- C:\WINDOWS\System32\FDUTL14.DLL
[2006/09/14 14:28:13 | 000,047,104 | ---- | C] () -- C:\WINDOWS\System32\Ivtrn13.dll
[2006/09/14 14:21:19 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\cpwmon2k.dll
[2006/09/01 22:21:41 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/09/01 22:16:00 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/09/01 22:03:46 | 000,156,672 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2004/08/04 01:00:00 | 000,211,072 | ---- | C] () -- C:\WINDOWS\System32\drivers\ndis.sys
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/05/08 02:12:22 | 000,001,049 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2010/08/20 02:20:08 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2010/08/20 16:26:27 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2004/08/03 23:00:00 | 000,260,272 | ---- | M] () -- C:\cmldr
[2010/08/22 13:59:18 | 000,014,410 | ---- | M] () -- C:\ComboFix.txt
[2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1028.txt
[2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1031.txt
[2007/11/07 09:00:40 | 000,010,134 | ---- | M] () -- C:\eula.1033.txt
[2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1036.txt
[2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1040.txt
[2007/11/07 09:00:40 | 000,000,118 | ---- | M] () -- C:\eula.1041.txt
[2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1042.txt
[2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- C:\eula.2052.txt
[2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- C:\eula.3082.txt
[2007/11/07 09:00:40 | 000,001,110 | ---- | M] () -- C:\globdata.ini
[2010/08/31 17:22:47 | 2615,726,080 | -HS- | M] () -- C:\hiberfil.sys
[2007/11/07 09:00:40 | 000,000,843 | ---- | M] () -- C:\install.ini
[2007/11/07 09:03:18 | 000,076,304 | ---- | M] (Microsoft Corporation) -- C:\install.res.1028.dll
[2007/11/07 09:03:18 | 000,096,272 | ---- | M] (Microsoft Corporation) -- C:\install.res.1031.dll
[2007/11/07 09:03:18 | 000,091,152 | ---- | M] (Microsoft Corporation) -- C:\install.res.1033.dll
[2007/11/07 09:03:18 | 000,097,296 | ---- | M] (Microsoft Corporation) -- C:\install.res.1036.dll
[2007/11/07 09:03:18 | 000,095,248 | ---- | M] (Microsoft Corporation) -- C:\install.res.1040.dll
[2007/11/07 09:03:18 | 000,081,424 | ---- | M] (Microsoft Corporation) -- C:\install.res.1041.dll
[2007/11/07 09:03:18 | 000,079,888 | ---- | M] (Microsoft Corporation) -- C:\install.res.1042.dll
[2007/11/07 09:03:18 | 000,075,792 | ---- | M] (Microsoft Corporation) -- C:\install.res.2052.dll
[2007/11/07 09:03:18 | 000,096,272 | ---- | M] (Microsoft Corporation) -- C:\install.res.3082.dll
[2006/09/14 15:02:28 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2006/09/14 15:02:28 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2004/08/04 01:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2004/08/04 01:00:00 | 000,250,032 | RHS- | M] () -- C:\ntldr
[2010/08/31 17:22:45 | 704,643,072 | -HS- | M] () -- C:\pagefile.sys
[2010/08/24 17:06:08 | 000,000,353 | ---- | M] () -- C:\rkill.log
[2007/11/07 09:00:40 | 000,005,686 | ---- | M] () -- C:\vcredist.bmp
[2007/11/07 09:09:22 | 001,442,522 | ---- | M] () -- C:\VC_RED.cab
[2007/11/07 09:12:28 | 000,232,960 | ---- | M] () -- C:\VC_RED.MSI
[2006/09/25 16:45:30 | 000,008,194 | -H-- | M] () -- C:\_NavCClt.Log

< %systemroot%\Fonts\*.com >
[2006/04/18 15:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2006/06/29 14:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/04/18 15:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/06/29 14:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2004/08/09 06:32:58 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2008/07/06 05:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
[2005/09/01 17:14:44 | 000,069,120 | ---- | M] (Hewlett-Packard Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\hpzpp40m.dll
[2008/12/22 15:43:24 | 000,082,256 | ---- | M] (Microsoft Corporation.) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\lmdippr8.dll
[2007/04/09 14:23:54 | 000,028,552 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll
[2008/07/06 03:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >
[2010/01/14 18:18:48 | 000,001,432 | ---- | M] () -- C:\Program Files\DeaInstall.log

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >
[2004/08/08 23:20:08 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2004/08/08 23:20:08 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2004/08/08 23:20:08 | 000,864,256 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %PROGRAMFILES%\bak. /s >

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
[2004/08/09 06:34:14 | 000,000,294 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %systemroot%\*.config >

< %systemroot%\system32\*.db >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >
"NoAutoRebootWithLoggedOnUsers" = 1
"NoAutoUpdate" = 0
"AUOptions" = 4
"ScheduledInstallDay" = 0
"ScheduledInstallTime" = 16
"RebootRelaunchTimeoutEnabled" = 1
"RebootRelaunchTimeout" = 1440
"UseWUServer" = 1

< KEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
KEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-08-12 23:00:37
< End of report >

>> Here is the OTL Extras Log:

OTL Extras logfile created on: 8/31/2010 6:11:30 PM - Run 1
OTL by OldTimer - Version 3.2.11.0 Folder = C:\Documents and Settings\admin6.WA-SS\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 79.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 58.57 Gb Free Space | 78.59% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 7.45 Gb Total Space | 6.41 Gb Free Space | 86.03% Space Free | Partition Type: FAT32
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DX5150-30
Current User Name: admin6
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"161:UDP" = 161:UDP:*:Enabled:snmp
"162:UDP" = 162:UDP:*:Enabled:snmp

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"161:UDP" = 161:UDP:*:Enabled:SNMP
"162:UDP" = 162:UDP:*:Enabled:SNMP Trap

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\DacEasy12\pvsw\W3DBSMGR.EXE" = C:\DacEasy12\pvsw\W3DBSMGR.EXE:*:Enabled:Database Service Manager -- ()
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe" = C:\Program Files\Common Files\Symantec Shared\ccApp.exe:*:Enabled:Symantec Email -- (Symantec Corporation)
"C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe" = C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe:*:Enabled:SMC Service -- (Symantec Corporation)
"C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE" = C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE:*:Enabled:SNAC Service -- (Symantec Corporation)
"C:\Program Files\Pervasive\bin\w3dbsmgr.exe" = C:\Program Files\Pervasive\bin\w3dbsmgr.exe:*:Enabled:Pervasive PSQL Workgroup Engine -- ()
"C:\Program Files\FileMaker\FileMaker Pro 8.5\FileMaker Pro.exe" = C:\Program Files\FileMaker\FileMaker Pro 8.5\FileMaker Pro.exe:*:Enabled:FileMaker Pro.exe -- (FileMaker, Inc.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe" = C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe:*:Enabled:SMC Service -- (Symantec Corporation)
"C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE" = C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE:*:Enabled:SNAC Service -- (Symantec Corporation)
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe" = C:\Program Files\Common Files\Symantec Shared\ccApp.exe:*:Enabled:Symantec Email -- (Symantec Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{03ADC8AB-C130-0C3D-1FF9-2C385DF25689}" = CCC Help Czech
"{041070A8-3305-4D9B-BC03-428DE0AE7C0C}" = DacEasy Version 12
"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center
"{0576A3D0-0000-0409-0000-491C453655D7}" = Autodesk Volo View 3.0
"{058B32E2-6310-4359-B2D4-1988390C3B83}" = Broadcom Management Programs
"{07021185-008D-ABF9-7716-475AC035F8B3}" = CCC Help Spanish
"{0A3238D7-AB32-4E15-B717-F3E3F18B4A8C}" = Pervasive PSQL v10 Workgroup (32-bit)
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{0F8D0406-7755-AC37-6529-73AD649DBE32}" = Catalyst Control Center Graphics Previews Common
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{22072CC8-7230-96F8-52F4-05EAF3F906B6}" = CCC Help Polish
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{2368ADBD-6FDF-4B9F-FE41-E20B4D78E79E}" = CCC Help Chinese Standard
"{25EF0DC4-B072-2E04-4581-A13C91423CE6}" = CCC Help Portuguese
"{26A24AE4-039D-4CA4-87B4-2F83216021FF}" = Java™ 6 Update 21
"{26F7855C-443B-00A6-F7B8-A97A5403F617}" = CCC Help Danish
"{2CB4A925-48A7-DA65-DCEE-D4DE224B7D84}" = CCC Help English
"{2EFCC193-D915-4CCB-9201-31773A27BC06}" = Symantec Endpoint Protection
"{306D75B9-7FFF-FF65-0C76-57F2FE4FE1D6}" = Catalyst Control Center Core Implementation
"{3248F0A8-6813-11D6-A77B-00B0D0150000}" = J2SE Runtime Environment 5.0
"{32B12FE4-5A51-751A-1FB6-A14E97EBDD5C}" = CCC Help German
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{351512E5-01BD-E878-6F57-AA3E517D9ECE}" = Skins
"{354A387E-0374-21A3-6832-335674A6D7D1}" = CCC Help French
"{3C00BEE9-26D0-D9E0-A2D1-62F70D412A12}" = CCC Help Turkish
"{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}" = eReg
"{4346F7AA-3D56-0941-424C-4454E04D37F6}" = CCC Help Italian
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4CAE2F2C-75CD-A0DE-7520-449BCBBCC833}" = CCC Help Korean
"{57F7F0A5-8F22-8E63-E819-803B5C9CA3A5}" = CCC Help Dutch
"{5EA437D2-7A57-B60E-E8F2-76BFAC0895A5}" = CCC Help Chinese Traditional
"{61AF4E75-050E-0304-3417-8BC16417FEB1}" = CCC Help Greek
"{632005DA-C291-5275-284C-5EE96B05C714}" = Catalyst Control Center HydraVision Full
"{6C72BE0C-3E25-CACD-0070-2FD9C02ABA14}" = ccc-core-preinstall
"{6E4D4E0B-02F6-46C1-BAE5-1B6B2E486A7B}" = Microsoft Office Live Meeting 2007
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{880BB617-914E-17E8-D877-A96BAC5794D2}" = Catalyst Control Center Graphics Full New
"{8897CF22-DB6C-8248-895C-12BFA2677F51}" = CCC Help Hungarian
"{8D7133DE-27D2-47E5-B248-4180278D32AA}" = Catalyst Control Center - Branding
"{91110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A9107C0B-65EF-49FD-B2F3-DFCD960E9BB4}" = DacEasy by Sage Version 2010
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A93C4E94-1005-489D-BEAA-B873C1AA6CFC}" = HP Help and Support
"{AAC4426A-42CD-4B4E-8057-9738C96F2C8F}" = HP Safety and Comfort Guide
"{AC76BA86-7AD7-1033-7B44-A90000000001}" = Adobe Reader 9
"{AF710FDE-2815-8C8D-5281-8004C2654AA6}" = CCC Help Russian
"{AFF2D965-C6F2-A210-FBF7-532612AA1D23}" = CCC Help Swedish
"{B1A9CD45-A702-4E3B-91ED-8CD562869901}" = DWG TrueView 2008
"{B21336EE-4AEF-9940-4AC7-EDB89854B8D3}" = CCC Help Thai
"{B297AFDF-8483-4D90-9694-C978347C8736}" = DacEasy Version 15
"{BBA69346-61A1-BD34-E75A-4D81232DB1FE}" = Catalyst Control Center Localization All
"{BFD5ED08-F066-92D5-BE67-3B9AE5DCFF0C}" = CCC Help Japanese
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C151CE54-E7EA-4804-854B-F515368B0798}" = Athlon 64 Processor Driver
"{C4609F15-FB3C-D97E-BAA1-4F10815039C2}" = Catalyst Control Center Graphics Full Existing
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D01FAC3D-86B4-3A19-9D10-9156A0EB3EBE}" = CCC Help Finnish
"{D73722C8-3F65-C75B-A631-5D36894DAB92}" = ccc-core-static
"{DB518BA6-CB74-4EB6-9ABD-880B6D6E1F38}" = HpSdpAppCoreApp
"{DC4C464D-416A-4F42-B212-8B744C1BB4AE}" = FileMaker Pro 8.5
"{DDAD33B6-8C00-428D-087B-A7088355B9BE}" = Catalyst Control Center Graphics Light
"{E333F074-FC7F-596D-3D61-44F0EC28E8C0}" = ccc-utility
"{FA38F9E4-BED7-E021-B660-8FDFF7EC6E1A}" = CCC Help Norwegian
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"{FF77941A-2BFA-4A18-BE2E-69B9498E4D55}" = User Profile Hive Cleanup Service
"Adobe AIR" = Adobe AIR
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"CCleaner" = CCleaner
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"CutePDF Writer Installation" = CutePDF Writer 2.5
"DWG TrueView 2008" = DWG TrueView 2008
"EB88B6218325D2AB47CFFBF7170236B60A6198FF" = Windows Driver Package - Microsoft Corporation (usbvideo) Image (05/25/2007 1.0.3656.0)
"ie8" = Windows Internet Explorer 8
"LiveUpdate" = LiveUpdate 3.3 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Revo Uninstaller" = Revo Uninstaller 1.89
"ShockwaveFlash" = Adobe Flash Player 9 ActiveX
"Software Setup" = Software Setup
"SP6" = Logitech SetPoint 6.15
"Wdf01009" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
"WIC" = Windows Imaging Component
"WinLFP for DacEasy Accounting V12" = WinLFP for DacEasy Accounting V12

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 8/27/2010 4:35:39 PM | Computer Name = DX5150-30 | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.Pandex in File: C:\WINDOWS\system32\drivers\ndis.sys
by: Auto-Protect scan. Action: Clean failed : Quarantine failed : Access denied.
Action Description: The file was left unchanged.

Error - 8/27/2010 4:38:18 PM | Computer Name = DX5150-30 | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.Pandex in File: C:\WINDOWS\system32\drivers\ndis.sys
by: Auto-Protect scan. Action: Clean failed : Quarantine failed : Access denied.
Action Description: The file was left unchanged.

Error - 8/30/2010 4:06:52 PM | Computer Name = DX5150-30 | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.Pandex in File: C:\WINDOWS\system32\drivers\ndis.sys
by: Auto-Protect scan. Action: Clean failed : Quarantine failed : Access denied.
Action Description: The file was left unchanged.

Error - 8/30/2010 8:02:36 PM | Computer Name = DX5150-30 | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.Pandex in File: C:\WINDOWS\system32\drivers\ndis.sys
by: Auto-Protect scan. Action: Clean failed : Quarantine failed : Access denied.
Action Description: The file was left unchanged.

Error - 8/31/2010 4:32:11 PM | Computer Name = DX5150-30 | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.Pandex in File: C:\WINDOWS\system32\drivers\ndis.sys
by: Auto-Protect scan. Action: Clean failed : Quarantine failed : Access denied.
Action Description: The file was left unchanged.

Error - 8/31/2010 5:16:42 PM | Computer Name = DX5150-30 | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.Pandex in File: C:\WINDOWS\system32\drivers\ndis.sys
by: Auto-Protect scan. Action: Clean failed : Quarantine failed : Access denied.
Action Description: The file was left unchanged.

Error - 8/31/2010 8:14:39 PM | Computer Name = DX5150-30 | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.Gen in File: C:\Documents and Settings\aql\Local
Settings\temp\DWHBEF9.tmp by: Auto-Protect scan. Action: Quarantine succeeded
: Access denied. Action Description: The file was quarantined successfully.

Error - 8/31/2010 8:14:49 PM | Computer Name = DX5150-30 | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.Gen in File: C:\Documents and Settings\aql\Local
Settings\temp\DWHCCAA.tmp by: Auto-Protect scan. Action: Quarantine succeeded
: Access denied. Action Description: The file was quarantined successfully.

Error - 8/31/2010 8:14:58 PM | Computer Name = DX5150-30 | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.Gen in File: C:\Documents and Settings\aql\Local
Settings\temp\DWHD9ED.tmp by: Auto-Protect scan. Action: Quarantine succeeded
: Access denied. Action Description: The file was quarantined successfully.

Error - 8/31/2010 8:15:08 PM | Computer Name = DX5150-30 | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Trojan.Gen in File: C:\Documents and Settings\aql\Local
Settings\temp\DWHE750.tmp by: Auto-Protect scan. Action: Quarantine succeeded
: Access denied. Action Description: The file was quarantined successfully.

[ System Events ]
Error - 8/27/2010 11:03:36 AM | Computer Name = DX5150-30 | Source = Service Control Manager | ID = 7000
Description = The WPS service failed to start due to the following error: %%2

Error - 8/30/2010 11:03:15 AM | Computer Name = DX5150-30 | Source = Service Control Manager | ID = 7023
Description = The HID Input Service service terminated with the following error:
%%126

Error - 8/30/2010 11:03:15 AM | Computer Name = DX5150-30 | Source = Service Control Manager | ID = 7000
Description = The WPS service failed to start due to the following error: %%2

Error - 8/30/2010 12:24:52 PM | Computer Name = DX5150-30 | Source = Print | ID = 6161
Description = The document ssord (SERVER16) owned by nql failed to print on printer
CutePDF Writer. Data type: NT EMF 1.008. Size of the spool file in bytes: 589824.
Number of bytes printed: 0. Total number of pages in the document: 2. Number of
pages printed: 0. Client machine: \\DX5150-30. Win32 error code returned by the
print processor: 6 (0x6).

Error - 8/31/2010 11:03:41 AM | Computer Name = DX5150-30 | Source = Service Control Manager | ID = 7023
Description = The HID Input Service service terminated with the following error:
%%126

Error - 8/31/2010 11:03:41 AM | Computer Name = DX5150-30 | Source = Service Control Manager | ID = 7000
Description = The WPS service failed to start due to the following error: %%2

Error - 8/31/2010 8:08:27 PM | Computer Name = DX5150-30 | Source = Service Control Manager | ID = 7023
Description = The HID Input Service service terminated with the following error:
%%126

Error - 8/31/2010 8:08:27 PM | Computer Name = DX5150-30 | Source = Service Control Manager | ID = 7000
Description = The WPS service failed to start due to the following error: %%2

Error - 8/31/2010 8:24:31 PM | Computer Name = DX5150-30 | Source = Service Control Manager | ID = 7023
Description = The HID Input Service service terminated with the following error:
%%126

Error - 8/31/2010 8:24:31 PM | Computer Name = DX5150-30 | Source = Service Control Manager | ID = 7000
Description = The WPS service failed to start due to the following error: %%2


< End of report >

#4 mpascal

mpascal

    Math Nerd


  • Members
  • 1,653 posts
  • Gender:Male
  • Location:Canada
  • Local time:05:24 AM

Posted 31 August 2010 - 09:27 PM

Hi there,

STEP 1 - TFC

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run; make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.
STEP 2 - MBAM

Open Malwarebytes' Anti-Malware.
  • Under the Updates tab, click Check for Updates. Let the updates install (if any).
  • After that, under the Scanner tab, click Perform Quick Scan and then Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

STEP 3 - Kaspersky

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.
3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.
Please be patient as this can take quite a long time to download.
  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases
  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.
  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply.
STEP 4 - Reply

Please reply with the following log:
  • MBAM Log
  • Kaspersky Log


Stay with your topic! Topics that go 4 days without a reply will be closed. PM me to reopen.

Please don't PM asking for support. Post on the forums instead.

My help is free, but if you wish to donate and help continue my fight against malware, click here.


#5 scottpon

scottpon
  • Topic Starter

  • Members
  • 38 posts
  • Gender:Male
  • Location:San Jose, CA
  • Local time:03:24 AM

Posted 02 September 2010 - 08:15 PM

ALLLRIGHTY, here we go:

MBAM Log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4532

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

9/2/2010 1:57:39 PM
mbam-log-2010-09-02 (13-57-39).txt

Scan type: Quick scan
Objects scanned: 167316
Time elapsed: 5 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\Drivers\ntndis.sys (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\ipsecndis.sys (Rootkit.Agent) -> Delete on reboot.


Kaspersky Log:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, September 2, 2010
Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, September 02, 2010 11:57:07
Records in database: 4178649
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 57631
Threats found: 2
Infected objects found: 17
Suspicious objects found: 0
Scan duration: 01:47:25


File name / Threat / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\04780000\4C7D9AE7.VBN Infected: Packed.Win32.Krap.gx 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\04780001\4C7D9AF8.VBN Infected: Packed.Win32.Krap.gx 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\04780002\4C7D9B02.VBN Infected: Packed.Win32.Krap.gx 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\04780003\4C7D9B0C.VBN Infected: Packed.Win32.Krap.gx 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\08480000\4C6E61EB.VBN Infected: Packed.Win32.Krap.gx 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\08480001\4C6E6248.VBN Infected: Packed.Win32.Krap.gx 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0CA80000\4CEE979E.VBN Infected: Packed.Win32.Krap.gx 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0CA80001\4CEE97AB.VBN Infected: Packed.Win32.Krap.gx 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0F1C0000\4F7F13D4.VBN Infected: Packed.Win32.Krap.gx 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0F1C0001\4F7F13E0.VBN Infected: Packed.Win32.Krap.gx 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0F1C0002\4F7F18AB.VBN Infected: Packed.Win32.Krap.gx 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0F340000\4F75898C.VBN Infected: Packed.Win32.Krap.gx 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0F340001\4F758998.VBN Infected: Packed.Win32.Krap.gx 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\10D40000\5CFF0640.VBN Infected: Packed.Win32.Krap.gx 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\10D40001\5CFF0651.VBN Infected: Packed.Win32.Krap.gx 1
C:\Qoobox\Quarantine\C\Documents and Settings\aql\Application Data\Xacuqy\yvoso.exe.vir Infected: Packed.Win32.Krap.ar 1
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP836\A0141534.exe Infected: Packed.Win32.Krap.ar 1

Selected area has been scanned.


Thanks in advance, I await your response.

#6 mpascal
Posted 03 September 2010 - 03:38 PM

Can you run MBAM again for me please and post the log here?


Stay with your topic! Topics that go 4 days without a reply will be closed. PM me to reopen.

Please don't PM asking for support. Post on the forums instead.

My help is free, but if you wish to donate and help continue my fight against malware, click here: Posted Image


#7 scottpon (Topic Starter)

Posted 03 September 2010 - 04:27 PM

Here's the log. Same two bad-boy files.

NOTE: This will probably be the last response before the Labor Day holiday. I will check back after Labor Day (Tue).

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4532

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

9/3/2010 2:24:36 PM
mbam-log-2010-09-03 (14-24-36).txt

Scan type: Quick scan
Objects scanned: 169690
Time elapsed: 4 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\Drivers\ntndis.sys (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\ipsecndis.sys (Rootkit.Agent) -> Delete on reboot.

#8 mpascal

Posted 03 September 2010 - 04:34 PM

Hi there,

Sure, get back to me whenever you get a chance after the long weekend. I'll leave you some instructions for when you get back, it seems that we need a little more firepower on those ones.

Please download MBRCheck to your desktop.
  • Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
  • It will open a black window, please do not fix anything (if it gives you an option).
  • Exit that window and it will produce a log (MBRCheck_date_time).
  • Please post that log when you reply.


#9 scottpon (Topic Starter)

Posted 07 September 2010 - 12:13 PM

Here is the MBRCheck log; I was asked to fix something, but per your instructions I did NOT fix anything:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 2 (build 2600)
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 128):

Processes (total 37):
0 System Idle Process
4 System
588 C:\WINDOWS\system32\smss.exe
636 csrss.exe
672 C:\WINDOWS\system32\winlogon.exe
716 C:\WINDOWS\system32\services.exe
732 C:\WINDOWS\system32\lsass.exe
900 C:\WINDOWS\system32\ati2evxx.exe
928 C:\WINDOWS\system32\svchost.exe
1000 svchost.exe
1040 C:\WINDOWS\system32\svchost.exe
1148 C:\WINDOWS\system32\ati2evxx.exe
1236 C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
1260 svchost.exe
1272 svchost.exe
1348 C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
1740 C:\WINDOWS\system32\spoolsv.exe
1804 C:\WINDOWS\explorer.exe
1872 svchost.exe
300 C:\Program Files\Java\jre6\bin\jqs.exe
396 C:\WINDOWS\system32\snmp.exe
456 C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
896 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
780 C:\Program Files\UPHClean\uphclean.exe
1204 C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
1324 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
1360 C:\Program Files\Logitech\SetPointP\SetPoint.exe
1524 C:\Program Files\Common Files\Symantec Shared\ccApp.exe
1712 C:\Program Files\Common Files\Java\Java Update\jusched.exe
1792 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
1892 C:\WINDOWS\system32\ctfmon.exe
2100 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
2108 C:\WINDOWS\system32\wuauclt.exe
2492 C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.exe
2976 alg.exe
3328 C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
3792 E:\Computer Fixing\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: SAMSUNGHD080HJ/P, Rev: ZH100-46

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: BBF289AC40BA09F2CC1797655D4799D2AB148CB5


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

#10 mpascal

Posted 07 September 2010 - 01:41 PM

What kind of computer is this?

Hi there,

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.


#11 scottpon (Topic Starter)

Posted 07 September 2010 - 02:23 PM

The computer is an HP DX5150.

Here's the combofix.txt contents:


ComboFix 10-09-07.01 - admin6 09/07/2010 12:05:31.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2494.2013 [GMT -7:00]
Running from: c:\documents and settings\admin6.WA-SS\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\ndis.sys . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-08-07 to 2010-09-07 )))))))))))))))))))))))))))))))
.

2010-08-24 23:33 . 2010-08-24 23:33 79488 ----a-w- c:\documents and settings\admin6.WA-SS\Application Data\Sun\Java\jre1.6.0_21\gtapi.dll
2010-08-24 23:33 . 2010-08-24 23:33 152576 ----a-w- c:\documents and settings\admin6.WA-SS\Application Data\Sun\Java\jre1.6.0_21\lzma.dll
2010-08-22 20:35 . 2010-08-22 20:35 -------- d-sh--w- c:\documents and settings\aql\IECompatCache
2010-08-21 00:03 . 2010-08-21 00:03 -------- d-----w- c:\documents and settings\aql\Application Data\Malwarebytes
2010-08-20 23:22 . 2010-08-20 23:21 388608 ----a-w- c:\windows\system32\CF17582.exe
2010-08-20 09:36 . 2010-08-20 09:36 -------- d-----w- c:\documents and settings\admin6.WA-SS\Local Settings\Application Data\Symantec
2010-08-20 09:34 . 2010-08-20 09:34 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-08-20 09:34 . 2010-08-20 09:34 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-08-20 08:33 . 2007-03-22 03:39 1060864 ----a-w- c:\windows\system32\MFC71.DLL
2010-08-20 08:33 . 2010-08-20 09:34 -------- d-----w- c:\program files\Symantec
2010-08-20 08:25 . 2010-08-20 08:25 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-08-20 07:28 . 2010-08-20 07:28 -------- d-----w- c:\program files\VS Revo Group
2010-08-20 06:58 . 2010-08-20 06:58 -------- d-----w- c:\documents and settings\admin6.WA-SS\Local Settings\Application Data\Adobe
2010-08-20 06:49 . 2010-08-20 08:20 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-08-20 06:49 . 2010-08-20 08:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-20 06:38 . 2010-08-20 06:38 -------- d-----w- c:\documents and settings\admin6.WA-SS\Application Data\MSNInstaller
2010-08-20 06:31 . 2010-08-20 06:31 53248 ----a-r- c:\documents and settings\admin6.WA-SS\Application Data\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2010-08-20 06:31 . 2010-03-18 09:01 10448 ----a-w- c:\windows\system32\drivers\LBeepKE.sys
2010-08-20 06:30 . 2010-08-20 06:31 -------- d-----w- c:\program files\Logitech
2010-08-20 06:08 . 2010-08-20 06:08 503808 ----a-w- c:\documents and settings\admin6.WA-SS\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5b2a66a1-n\msvcp71.dll
2010-08-20 06:08 . 2010-08-20 06:08 499712 ----a-w- c:\documents and settings\admin6.WA-SS\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5b2a66a1-n\jmc.dll
2010-08-20 06:08 . 2010-08-20 06:08 348160 ----a-w- c:\documents and settings\admin6.WA-SS\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5b2a66a1-n\msvcr71.dll
2010-08-17 00:28 . 2010-08-17 00:28 -------- d-----w- c:\documents and settings\admin6.WA-SS\Application Data\Malwarebytes
2010-08-17 00:28 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-17 00:28 . 2010-08-17 00:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-17 00:28 . 2010-08-17 00:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-17 00:28 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-17 00:25 . 2010-08-17 00:25 12800 ----a-w- c:\documents and settings\admin6.WA-SS\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-4beab60d-n\decora-d3d.dll
2010-08-17 00:25 . 2010-08-17 00:25 61440 ----a-w- c:\documents and settings\admin6.WA-SS\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-4beab60d-n\decora-sse.dll
2010-08-12 20:01 . 2010-08-12 20:01 211072 ----a-w- c:\windows\system32\dllcache\ndis.sys
2010-08-09 17:14 . 2010-08-09 17:14 503808 ----a-w- c:\documents and settings\aql\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-721278ce-n\msvcp71.dll
2010-08-09 17:14 . 2010-08-09 17:14 499712 ----a-w- c:\documents and settings\aql\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-721278ce-n\jmc.dll
2010-08-09 17:14 . 2010-08-09 17:14 348160 ----a-w- c:\documents and settings\aql\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-721278ce-n\msvcr71.dll
2010-08-09 17:13 . 2010-08-09 17:13 61440 ----a-w- c:\documents and settings\aql\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-52ddfaed-n\decora-sse.dll
2010-08-09 17:13 . 2010-08-09 17:13 12800 ----a-w- c:\documents and settings\aql\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-52ddfaed-n\decora-d3d.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-24 23:33 . 2006-09-02 05:11 -------- d-----w- c:\program files\Common Files\Java
2010-08-24 23:33 . 2010-05-04 00:40 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-24 23:33 . 2006-09-02 05:11 -------- d-----w- c:\program files\Java
2010-08-20 19:50 . 2007-11-02 20:50 -------- d-----w- c:\documents and settings\aql\Application Data\Axuvox
2010-08-20 09:35 . 2006-09-14 21:19 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-08-20 09:35 . 2006-09-14 21:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-08-20 09:34 . 2010-08-20 09:34 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-08-20 09:34 . 2010-08-20 09:34 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-08-20 06:36 . 2009-12-16 01:33 -------- d-----w- c:\program files\CCleaner
2010-08-20 06:31 . 2010-05-04 00:32 -------- d-----w- c:\program files\Common Files\LogiShrd
2010-08-20 06:31 . 2010-05-04 00:37 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2010-08-20 06:31 . 2010-05-04 00:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Logishrd
2010-08-12 20:01 . 2004-08-04 08:00 211072 ----a-w- c:\windows\system32\drivers\ndis.sys
2010-06-23 16:12 . 2010-06-23 16:12 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb8.tmp.exe
2010-06-14 14:30 . 2004-08-04 08:00 743936 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-01-15 01:18 . 2007-12-28 01:15 1432 ----a-w- c:\program files\DeaInstall.log
.

------- Sigcheck -------

[-] 2010-08-12 20:01 . BEE37B12F3146F3C0824E0A7B9121078 . 211072 . . [------] . . c:\windows\system32\drivers\ndis.sys
[-] 2010-08-12 20:01 . BEE37B12F3146F3C0824E0A7B9121078 . 211072 . . [------] . . c:\windows\system32\dllcache\ndis.sys
[-] 2008-04-13 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ndis.sys
.
((((((((((((((((((((((((((((( SnapShot@2010-08-20_23.38.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-09-07 19:00 . 2010-09-07 19:00 16384 c:\windows\Temp\Perflib_Perfdata_5d4.dat
+ 2010-09-07 19:00 . 2010-09-07 19:00 16384 c:\windows\Temp\Perflib_Perfdata_57c.dat
+ 2010-08-24 23:33 . 2010-08-24 23:33 153376 c:\windows\system32\javaws.exe
- 2010-05-04 00:40 . 2010-04-13 00:29 153376 c:\windows\system32\javaws.exe
+ 2010-08-24 23:33 . 2010-08-24 23:33 145184 c:\windows\system32\javaw.exe
- 2010-05-04 00:40 . 2010-04-13 00:29 145184 c:\windows\system32\javaw.exe
- 2010-05-04 00:40 . 2010-04-13 00:29 145184 c:\windows\system32\java.exe
+ 2010-08-24 23:33 . 2010-08-24 23:33 145184 c:\windows\system32\java.exe
+ 2010-08-24 23:33 . 2010-08-24 23:33 180224 c:\windows\Installer\85d8d.msi
+ 2010-08-24 23:33 . 2010-08-24 23:33 677376 c:\windows\Installer\85d7f.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-18 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-02-09 339968]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-11 61440]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-06-26 1311312]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-12-04 115560]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-01-29 21:17 64592 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SmcService"=2 (0x2)
"Symantec AntiVirus"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"161:UDP"= 161:UDP:SNMP
"162:UDP"= 162:UDP:SNMP Trap

R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [8/19/2010 11:31 PM 10448]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/20/2010 3:04 AM 102448]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/11/2010 9:58 AM 135664]
S3 Pervasive.SQL Workgroup Engine;Pervasive.SQL Workgroup Engine;c:\windows\system32\srvany.exe [12/21/2007 6:40 PM 8192]
S3 VPREMOTE;VPRemote Install Bootstrap Service;c:\temp\Clt-Inst\vpremote.exe [6/13/2009 2:13 PM 142192]
S4 psqlWGE;Pervasive PSQL Workgroup Engine;c:\program files\Pervasive\bin\w3dbsmgr.exe [8/18/2008 5:57 PM 455968]

--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder

2010-09-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-11 16:58]

2010-09-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-11 16:58]

2010-09-07 c:\windows\Tasks\User_Feed_Synchronization-{88A37ADA-15EA-4BFA-AA90-87D1C4E5A1C0}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://intranet.wa-ss.com
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} - file://\\server11\VPHOME\clt-inst\WEBINST\WebInst.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-07 12:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Pervasive Software\PSQL]
@Denied: ) (Everyone)
@=""

[HKEY_LOCAL_MACHINE\software\Pervasive Software\PSQL\MsiInfo\{0A3238D7-AB32-4E15-B717-F3E3F18B4A8C}\{10B550B8-E98F-4CB8-AD78-E5CE8ACACB2A}\PVSW]
@Denied: ) (Everyone)
"pvswJreIsNeeded"=""
"PVSW_PSQL_INSTDIR32"="c:\\Program Files\\Pervasive\\"
"PVSW_PSQL_CLIENT_INSTDIR32"=""
"PVSW_PSQL_WGE_INSTDIR32"="c:\\pvsw"
"PVSW_PSQL_SERVER_INSTDIR32"=""
"PVSW_JAVAHOME"=""
"PVSW_PSQL_DATADIR_PREV1"=""
"PVSW_PSQL_DATADIR_PREV2"=""
"pvswBuildID"=""
"pvswVersionLevel"=""
"PVSW_PRODUCTS_DATADIR"=""
"PVSW_PSQL_DATADIR"="c:\\Documents and Settings\\All Users\\Application Data\\Pervasive\\"
"PVSW_CFG_FILE"="c:\\DOCUME~1\\aql\\LOCALS~1\\Temp\\PVSW0\\PTKSetup.ini"
"PVSW_JRE_VER"="1.6"
"PVSW_PSQL_DATADIR_PREV3"=""
"PVSW_JRE_INST_PATH"=""
"PVSW_INSTALL_JRE"="1"
"PVSW_SRCDIR_JRE_INST_CMD_X86"=""
"PVSW_SRC_CFG_FILE"="c:\\DOCUME~1\\aql\\LOCALS~1\\Temp\\PVSW0\\PTKSetup.ini"
"PVSW_PRODUCTS_DIR32"=""
"PVSW_PSQL_DIR32"=""
"PVSW_JRE_INST_CMD_CLI"=""
"pvswRequiredJreNotFound"=""
"PVSW_JRE160000"=""
"PVSW_JRE160010"=""
"DataAccessFeatureInstalled"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(668)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
.
Completion time: 2010-09-07 12:12:01
ComboFix-quarantined-files.txt 2010-09-07 19:11
ComboFix2.txt 2010-08-22 20:59

Pre-Run: 62,638,755,840 bytes free
Post-Run: 62,747,766,784 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 85CEF13C0FC0C74B736D50197E9CEE5E
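The Sigcheck section of the ComboFix log above is the key finding: both ndis.sys copies on disk (system32\drivers and dllcache) print dashes where the file version should be and hash to BEE37B12..., while the Windows Update download of the same driver carries version 5.1.2600.5512 and hashes to 1DF7F426.... The following is an added example, not ComboFix code and not from the thread, that parses those three lines (plus one constructed clean tcpip.sys line with a placeholder MD5) and flags the patched copies; SAMPLE_SIGCHECK, parse_sigcheck and find_patched_drivers are names of my own.

```python
"""Detect a patched system driver from ComboFix 'Sigcheck' output.

Added example for the thread above; it is not ComboFix code and not part of
the original post. It parses the Sigcheck lines from the posted log and
reports copies whose version resource is gone and whose MD5 no longer matches
a versioned copy of the same file name.
"""
import re
from collections import defaultdict

# ComboFix Sigcheck line layout (as printed in the posted log):
#   [flag] date [time] . MD5 . size . . [version or dashes] . . path
# The flag column is captured but not interpreted here.
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2}(?:\s+\d{2}:\d{2})?)\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+"
    r"(?P<path>\S.*?)\s*$"
)
NO_VERSION = re.compile(r"^-+$")

# The three ndis.sys lines are copied from the thread's ComboFix log; the
# tcpip.sys line is constructed (all-zero placeholder MD5) to show a copy
# that raises no finding.
SAMPLE_SIGCHECK = """\
------- Sigcheck -------

[-] 2010-08-12 20:01 . BEE37B12F3146F3C0824E0A7B9121078 . 211072 . . [------] . . c:\\windows\\system32\\drivers\\ndis.sys
[-] 2010-08-12 20:01 . BEE37B12F3146F3C0824E0A7B9121078 . 211072 . . [------] . . c:\\windows\\system32\\dllcache\\ndis.sys
[-] 2008-04-13 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\\windows\\SoftwareDistribution\\Download\\dd9ab5193501484cf5e6884fa1d22f9e\\ndis.sys
[-] 2008-04-13 . 00000000000000000000000000000000 . 361600 . . [5.1.2600.5512] . . c:\\windows\\system32\\drivers\\tcpip.sys
"""


def parse_sigcheck(text):
    """Return one dict per Sigcheck line; headers and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"])
        e["md5"] = e["md5"].upper()
        e["name"] = e["path"].rsplit("\\", 1)[-1].lower()
        # ComboFix prints dashes in the version column when the PE version
        # resource cannot be read; a genuine Microsoft driver always has one.
        e["has_version"] = not NO_VERSION.match(e["version"])
        entries.append(e)
    return entries


def find_patched_drivers(entries):
    """Flag copies of a system file that look patched.

    Copies are grouped by file name. Every copy without a version resource is
    reported; if a versioned copy of the same name exists (here the Windows
    Update download), its MD5 and size are quoted as the reference.
    Returns {name: [(path, reason), ...]} only for names with findings.
    """
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["name"]].append(e)

    findings = {}
    for name, copies in by_name.items():
        reference = next((c for c in copies if c["has_version"]), None)
        for c in copies:
            if c["has_version"]:
                continue
            reason = "version resource missing"
            if reference is not None and c["md5"] != reference["md5"]:
                reason += (
                    f"; MD5 {c['md5']} ({c['size']} bytes) differs from "
                    f"{reference['version']} copy {reference['md5']} "
                    f"({reference['size']} bytes) at {reference['path']}"
                )
            findings.setdefault(name, []).append((c["path"], reason))
    return findings


if __name__ == "__main__":
    for name, hits in find_patched_drivers(parse_sigcheck(SAMPLE_SIGCHECK)).items():
        print(f"{name}:")
        for path, reason in hits:
            print(f"  {path}\n    {reason}")
```

Run against the real log text, the same parser would also catch a patched driver that ComboFix lists under a different file name, since grouping is by basename rather than by a fixed list.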

#12 mpascal

Posted 07 September 2010 - 07:42 PM

Hi there,

Can you reinstall your Network Adaptor please, it seems to have gotten infected. I've provided a link below.

http://h20000.www2.hp.com/bizsupport/TechS...Item=vc-68148-1

Once you have downloaded and installed it, try running ComboFix for me again.


#13 scottpon (Topic Starter)

Posted 08 September 2010 - 01:41 PM

Ok, I downloaded and installed the network adapter. Here's the Combofix log.

ComboFix 10-09-07.01 - admin6 09/08/2010 11:08:54.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2494.2027 [GMT -7:00]
Running from: c:\documents and settings\admin6.WA-SS\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\ndis.sys . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-08-08 to 2010-09-08 )))))))))))))))))))))))))))))))
.

2010-09-08 17:39 . 2010-09-08 17:39 -------- d-----w- C:\swsetup
2010-08-24 23:33 . 2010-08-24 23:33 79488 ----a-w- c:\documents and settings\admin6.WA-SS\Application Data\Sun\Java\jre1.6.0_21\gtapi.dll
2010-08-24 23:33 . 2010-08-24 23:33 152576 ----a-w- c:\documents and settings\admin6.WA-SS\Application Data\Sun\Java\jre1.6.0_21\lzma.dll
2010-08-22 20:35 . 2010-08-22 20:35 -------- d-sh--w- c:\documents and settings\aql\IECompatCache
2010-08-21 00:03 . 2010-08-21 00:03 -------- d-----w- c:\documents and settings\aql\Application Data\Malwarebytes
2010-08-20 23:22 . 2010-08-20 23:21 388608 ----a-w- c:\windows\system32\CF17582.exe
2010-08-20 09:36 . 2010-08-20 09:36 -------- d-----w- c:\documents and settings\admin6.WA-SS\Local Settings\Application Data\Symantec
2010-08-20 09:34 . 2010-08-20 09:34 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-08-20 09:34 . 2010-08-20 09:34 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-08-20 08:33 . 2007-03-22 03:39 1060864 ----a-w- c:\windows\system32\MFC71.DLL
2010-08-20 08:33 . 2010-08-20 09:34 -------- d-----w- c:\program files\Symantec
2010-08-20 08:25 . 2010-08-20 08:25 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-08-20 07:28 . 2010-08-20 07:28 -------- d-----w- c:\program files\VS Revo Group
2010-08-20 06:58 . 2010-08-20 06:58 -------- d-----w- c:\documents and settings\admin6.WA-SS\Local Settings\Application Data\Adobe
2010-08-20 06:49 . 2010-08-20 08:20 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-08-20 06:49 . 2010-08-20 08:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-20 06:38 . 2010-08-20 06:38 -------- d-----w- c:\documents and settings\admin6.WA-SS\Application Data\MSNInstaller
2010-08-20 06:31 . 2010-08-20 06:31 53248 ----a-r- c:\documents and settings\admin6.WA-SS\Application Data\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2010-08-20 06:31 . 2010-03-18 09:01 10448 ----a-w- c:\windows\system32\drivers\LBeepKE.sys
2010-08-20 06:30 . 2010-08-20 06:31 -------- d-----w- c:\program files\Logitech
2010-08-20 06:08 . 2010-08-20 06:08 503808 ----a-w- c:\documents and settings\admin6.WA-SS\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5b2a66a1-n\msvcp71.dll
2010-08-20 06:08 . 2010-08-20 06:08 499712 ----a-w- c:\documents and settings\admin6.WA-SS\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5b2a66a1-n\jmc.dll
2010-08-20 06:08 . 2010-08-20 06:08 348160 ----a-w- c:\documents and settings\admin6.WA-SS\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5b2a66a1-n\msvcr71.dll
2010-08-17 00:28 . 2010-08-17 00:28 -------- d-----w- c:\documents and settings\admin6.WA-SS\Application Data\Malwarebytes
2010-08-17 00:28 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-17 00:28 . 2010-08-17 00:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-17 00:28 . 2010-08-17 00:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-17 00:28 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-17 00:25 . 2010-08-17 00:25 12800 ----a-w- c:\documents and settings\admin6.WA-SS\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-4beab60d-n\decora-d3d.dll
2010-08-17 00:25 . 2010-08-17 00:25 61440 ----a-w- c:\documents and settings\admin6.WA-SS\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-4beab60d-n\decora-sse.dll
2010-08-12 20:01 . 2010-08-12 20:01 211072 ----a-w- c:\windows\system32\dllcache\ndis.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-08 17:41 . 2006-09-02 05:13 -------- d-----w- c:\program files\Broadcom
2010-08-24 23:33 . 2006-09-02 05:11 -------- d-----w- c:\program files\Common Files\Java
2010-08-24 23:33 . 2010-05-04 00:40 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-24 23:33 . 2006-09-02 05:11 -------- d-----w- c:\program files\Java
2010-08-20 19:50 . 2007-11-02 20:50 -------- d-----w- c:\documents and settings\aql\Application Data\Axuvox
2010-08-20 09:35 . 2006-09-14 21:19 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-08-20 09:35 . 2006-09-14 21:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-08-20 09:34 . 2010-08-20 09:34 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-08-20 09:34 . 2010-08-20 09:34 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-08-20 06:36 . 2009-12-16 01:33 -------- d-----w- c:\program files\CCleaner
2010-08-20 06:31 . 2010-05-04 00:32 -------- d-----w- c:\program files\Common Files\LogiShrd
2010-08-20 06:31 . 2010-05-04 00:37 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2010-08-20 06:31 . 2010-05-04 00:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Logishrd
2010-08-12 20:01 . 2004-08-04 08:00 211072 ----a-w- c:\windows\system32\drivers\ndis.sys
2010-08-09 17:14 . 2010-08-09 17:14 503808 ----a-w- c:\documents and settings\aql\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-721278ce-n\msvcp71.dll
2010-08-09 17:14 . 2010-08-09 17:14 499712 ----a-w- c:\documents and settings\aql\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-721278ce-n\jmc.dll
2010-08-09 17:14 . 2010-08-09 17:14 348160 ----a-w- c:\documents and settings\aql\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-721278ce-n\msvcr71.dll
2010-08-09 17:13 . 2010-08-09 17:13 61440 ----a-w- c:\documents and settings\aql\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-52ddfaed-n\decora-sse.dll
2010-08-09 17:13 . 2010-08-09 17:13 12800 ----a-w- c:\documents and settings\aql\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-52ddfaed-n\decora-d3d.dll
2010-06-23 16:12 . 2010-06-23 16:12 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb8.tmp.exe
2010-06-14 14:30 . 2004-08-04 08:00 743936 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-01-15 01:18 . 2007-12-28 01:15 1432 ----a-w- c:\program files\DeaInstall.log
.

------- Sigcheck -------

[-] 2010-08-12 20:01 . BEE37B12F3146F3C0824E0A7B9121078 . 211072 . . [------] . . c:\windows\system32\drivers\ndis.sys
[-] 2010-08-12 20:01 . BEE37B12F3146F3C0824E0A7B9121078 . 211072 . . [------] . . c:\windows\system32\dllcache\ndis.sys
[-] 2008-04-13 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ndis.sys
.
((((((((((((((((((((((((((((( SnapShot@2010-08-20_23.38.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-09-08 18:07 . 2010-09-08 18:07 16384 c:\windows\Temp\Perflib_Perfdata_650.dat
+ 2010-09-08 18:07 . 2010-09-08 18:07 16384 c:\windows\Temp\Perflib_Perfdata_570.dat
+ 2010-09-08 17:29 . 2010-09-08 17:51 8750 c:\windows\SoftwareDistribution\EventCache\{57217E8A-A9D3-4611-8536-679E3874D838}.bin
+ 2010-09-08 17:41 . 2010-09-08 17:41 3262 c:\windows\Installer\{F870B987-18BC-45FC-9BE8-35C02DCDA10F}\ARPPRODUCTICON.exe
+ 2010-09-08 17:41 . 2005-03-17 16:30 132608 c:\windows\system32\ReinstallBackups\0003\DriverFiles\b57xp32.sys
+ 2010-08-24 23:33 . 2010-08-24 23:33 153376 c:\windows\system32\javaws.exe
- 2010-05-04 00:40 . 2010-04-13 00:29 153376 c:\windows\system32\javaws.exe
- 2010-05-04 00:40 . 2010-04-13 00:29 145184 c:\windows\system32\javaw.exe
+ 2010-08-24 23:33 . 2010-08-24 23:33 145184 c:\windows\system32\javaw.exe
- 2010-05-04 00:40 . 2010-04-13 00:29 145184 c:\windows\system32\java.exe
+ 2010-08-24 23:33 . 2010-08-24 23:33 145184 c:\windows\system32\java.exe
+ 2010-09-08 17:41 . 2008-07-25 08:18 176640 c:\windows\system32\DRVSTORE\b57win32_90665E260F56889413ADE359D2D21AE72D7882DC\b57xp32.sys
+ 2010-09-08 17:41 . 2008-07-25 08:15 172016 c:\windows\system32\DRVSTORE\b57win32_90665E260F56889413ADE359D2D21AE72D7882DC\b57w2k.sys
+ 2006-09-02 05:08 . 2008-07-25 08:18 176640 c:\windows\system32\drivers\b57xp32.sys
+ 2008-04-24 22:44 . 2008-04-24 22:44 105472 c:\windows\system32\drivers\b57cdx.sys
+ 2006-09-02 05:08 . 2008-07-25 08:18 176640 c:\windows\system32\dllcache\b57xp32.sys
+ 2010-08-24 23:33 . 2010-08-24 23:33 180224 c:\windows\Installer\85d8d.msi
+ 2010-08-24 23:33 . 2010-08-24 23:33 677376 c:\windows\Installer\85d7f.msi
+ 2010-09-08 17:41 . 2010-09-08 17:41 1482752 c:\windows\Installer\d3d8a.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-18 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-02-09 339968]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-11 61440]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-06-26 1311312]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-12-04 115560]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-01-29 21:17 64592 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SmcService"=2 (0x2)
"Symantec AntiVirus"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"161:UDP"= 161:UDP:SNMP
"162:UDP"= 162:UDP:SNMP Trap

R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [8/19/2010 11:31 PM 10448]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/20/2010 3:04 AM 102448]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/11/2010 9:58 AM 135664]
S3 Pervasive.SQL Workgroup Engine;Pervasive.SQL Workgroup Engine;c:\windows\system32\srvany.exe [12/21/2007 6:40 PM 8192]
S3 VPREMOTE;VPRemote Install Bootstrap Service;c:\temp\Clt-Inst\vpremote.exe [6/13/2009 2:13 PM 142192]
S4 psqlWGE;Pervasive PSQL Workgroup Engine;c:\program files\Pervasive\bin\w3dbsmgr.exe [8/18/2008 5:57 PM 455968]

--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder

2010-09-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-11 16:58]

2010-09-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-11 16:58]

2010-09-08 c:\windows\Tasks\User_Feed_Synchronization-{88A37ADA-15EA-4BFA-AA90-87D1C4E5A1C0}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://intranet.wa-ss.com
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} - file://\\server11\VPHOME\clt-inst\WEBINST\WebInst.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-08 11:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Pervasive Software\PSQL]
@Denied: ) (Everyone)
@=""

[HKEY_LOCAL_MACHINE\software\Pervasive Software\PSQL\MsiInfo\{0A3238D7-AB32-4E15-B717-F3E3F18B4A8C}\{10B550B8-E98F-4CB8-AD78-E5CE8ACACB2A}\PVSW]
@Denied: ) (Everyone)
"pvswJreIsNeeded"=""
"PVSW_PSQL_INSTDIR32"="c:\\Program Files\\Pervasive\\"
"PVSW_PSQL_CLIENT_INSTDIR32"=""
"PVSW_PSQL_WGE_INSTDIR32"="c:\\pvsw"
"PVSW_PSQL_SERVER_INSTDIR32"=""
"PVSW_JAVAHOME"=""
"PVSW_PSQL_DATADIR_PREV1"=""
"PVSW_PSQL_DATADIR_PREV2"=""
"pvswBuildID"=""
"pvswVersionLevel"=""
"PVSW_PRODUCTS_DATADIR"=""
"PVSW_PSQL_DATADIR"="c:\\Documents and Settings\\All Users\\Application Data\\Pervasive\\"
"PVSW_CFG_FILE"="c:\\DOCUME~1\\aql\\LOCALS~1\\Temp\\PVSW0\\PTKSetup.ini"
"PVSW_JRE_VER"="1.6"
"PVSW_PSQL_DATADIR_PREV3"=""
"PVSW_JRE_INST_PATH"=""
"PVSW_INSTALL_JRE"="1"
"PVSW_SRCDIR_JRE_INST_CMD_X86"=""
"PVSW_SRC_CFG_FILE"="c:\\DOCUME~1\\aql\\LOCALS~1\\Temp\\PVSW0\\PTKSetup.ini"
"PVSW_PRODUCTS_DIR32"=""
"PVSW_PSQL_DIR32"=""
"PVSW_JRE_INST_CMD_CLI"=""
"pvswRequiredJreNotFound"=""
"PVSW_JRE160000"=""
"PVSW_JRE160010"=""
"DataAccessFeatureInstalled"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(672)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
.
Completion time: 2010-09-08 11:15:56
ComboFix-quarantined-files.txt 2010-09-08 18:15
ComboFix2.txt 2010-09-07 19:12
ComboFix3.txt 2010-08-22 20:59

Pre-Run: 62,674,575,360 bytes free
Post-Run: 62,671,228,928 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - DC2164039120408A0214B17EF8935E18

#14 mpascal

mpascal

    Math Nerd


  • Members
  • 1,653 posts
  • Gender:Male
  • Location:Canada
  • Local time:05:24 AM

Posted 09 September 2010 - 12:27 AM

Do you have a Windows disk by chance?


Stay with your topic! Topics that go 4 days without a reply will be closed. PM me to reopen.

Please don't PM asking for support. Post on the forums instead.

My help is free, but if you wish to donate and help continue my fight against malware, click here.


#15 scottpon

scottpon
  • Topic Starter

  • Members
  • 38 posts
  • Gender:Male
  • Location:San Jose, CA
  • Local time:03:24 AM

Posted 09 September 2010 - 11:43 AM

Windows XP Disk, yes.
