
Probably Rootkit


This topic is locked
12 replies to this topic

#1 ecko

  • Members
  • 17 posts

Posted 12 September 2010 - 08:54 PM

Here is the original thread I started in reference to my suspected problem:

http://www.bleepingcomputer.com/forums/topic346332.html

In an effort not to complicate things, I followed steps 6-9 (although GMER would not complete its scan). Below is the DDS log, and attached is the additional output from DDS. Please let me know how best to proceed, thanks!

--

DDS (Ver_10-03-17.01) - NTFSx86
Run by eddie at 21:12:33.64 on Sun 09/12/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3582.2466 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\OEM02Mon.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\PeerBlock\peerblock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
"C:\WINDOWS\System32\svchost.exe"
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe
C:\Program Files\VideoLAN\VLC\vlc.exe
C:\Documents and Settings\eddie\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = <local>
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 9\SnagItBHO.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 9\SnagItIEAddin.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
uRun: [Google Update] "c:\documents and settings\eddie\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [PeerBlock] c:\program files\peerblock\peerblock.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [dscactivate] "%ProgramFiles%\Dell Support Center\gs_agent\custom\dsca.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [LELA] "c:\program files\linksys\linksys easylink advisor\Linksys EasyLink Advisor.exe" /minimized
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp3.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\eddie\applic~1\mozilla\firefox\profiles\amyjnkil.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\eddie\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\eddie\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\eddie\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\opera\program\plugins\nppl3260.dll
FF - plugin: c:\program files\opera\program\plugins\nppl3260.dll
FF - plugin: c:\program files\opera\program\plugins\nprpjplug.dll
FF - plugin: c:\program files\opera\program\plugins\nprpjplug.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {527AF9A3-C210-4A6E-8096-C8DB25D4282C} - c:\documents and settings\eddie\local settings\application data\{527af9a3-c210-4a6e-8096-c8db25d4282c}\
FF - HiddenExtension: XULRunner: {220D251D-2F8A-4FB5-BF2D-2D30CC08C2BB} - c:\documents and settings\eddie\local settings\application data\{220d251d-2f8a-4fb5-bf2d-2d30cc08c2bb}\
FF - HiddenExtension: XULRunner: {82A31B56-CEE4-4BE0-B4F0-E5386041C664} - c:\documents and settings\eddie\local settings\application data\{82a31b56-cee4-4be0-b4f0-e5386041c664}\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-7-20 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-7-20 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-7-20 243024]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-20 308136]
R2 LinksysUpdater;Linksys Updater;c:\program files\linksys\linksys updater\bin\LinksysUpdater.exe [2008-4-18 204800]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-3-5 24652]
R3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2010-7-19 18544]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\930.tmp --> c:\windows\system32\930.tmp [?]

=============== Created Last 30 ================

2010-09-13 01:11:53 0 ----a-w- c:\documents and settings\eddie\defogger_reenable
2010-09-09 21:36:05 23992 ----a-w- c:\windows\system32\drivers\pnarp.sys
2010-09-09 21:35:59 25272 ----a-w- c:\windows\system32\drivers\purendis.sys
2010-09-09 21:35:55 0 d-----w- c:\program files\common files\Pure Networks Shared
2010-09-09 21:35:37 0 d-----w- c:\docume~1\alluse~1\applic~1\Pure Networks
2010-09-07 23:36:43 54016 ----a-w- c:\windows\system32\drivers\qudcbwo.sys

==================== Find3M ====================

2010-09-13 01:12:41 768000 ----a-w- c:\windows\system32\drivers\somnn.sys
2010-07-27 06:30:35 8462336 ------w- c:\windows\system32\dllcache\shell32.dll
2010-07-21 04:13:35 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-21 00:23:09 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-21 00:23:02 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-07-21 00:22:38 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-03-04 04:47:30 604 ---ha-w- c:\program files\STLL Notifier
2008-02-27 16:08:39 76 --sh--r- c:\windows\CT4CET.bin
2008-09-30 15:45:48 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008093020081001\index.dat

============= FINISH: 21:13:39.82 ===============
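As an added example (not part of this thread or of the DDS tool), the following Python script parses the SERVICES / DRIVERS, Created Last 30 and Find3M sections of a DDS log such as the one above and raises triage flags for the entries a reviewer would look at first: images DDS marked [?] (could not verify), service images that are .tmp files, kernel drivers created with no install folder alongside them, and drivers timestamped at or after the scan start. The sample log is an excerpt constructed from the log above; treating DDS file timestamps as UTC against the local [GMT -4:00] header time is my assumption, supported by the defogger_reenable marker.

```python
import re
from datetime import datetime, timedelta

# Excerpt constructed from the DDS log in the post above (same line formats, a few entries).
SAMPLE_LOG = r"""Run by eddie at 21:12:33.64 on Sun 09/12/2010
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3582.2466 [GMT -4:00]
============= SERVICES / DRIVERS ===============
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-7-20 216400]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\930.tmp --> c:\windows\system32\930.tmp [?]
=============== Created Last 30 ================
2010-09-13 01:11:53 0 ----a-w- c:\documents and settings\eddie\defogger_reenable
2010-09-09 21:36:05 23992 ----a-w- c:\windows\system32\drivers\pnarp.sys
2010-09-09 21:35:59 25272 ----a-w- c:\windows\system32\drivers\purendis.sys
2010-09-09 21:35:55 0 d-----w- c:\program files\common files\Pure Networks Shared
2010-09-09 21:35:37 0 d-----w- c:\docume~1\alluse~1\applic~1\Pure Networks
2010-09-07 23:36:43 54016 ----a-w- c:\windows\system32\drivers\qudcbwo.sys
==================== Find3M ====================
2010-09-13 01:12:41 768000 ----a-w- c:\windows\system32\drivers\somnn.sys
2010-07-21 00:23:02 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
"""

HEADER_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
RUN_RE = re.compile(r"^Run by \S+ at (\d\d:\d\d:\d\d)\S* on \w+ (\d\d/\d\d/\d{4})")
TZ_RE = re.compile(r"\[GMT ([+-])(\d+):(\d\d)\]")
# "R1 Name;Description;image path [date size]", or "... --> path [?]" when DDS could not verify the file
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);[^;]*;(.+?) \[([^\]]*)\]$")
# "YYYY-MM-DD HH:MM:SS size attributes path"; the attribute field starts with 'd' for a directory
FILE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\d+) (\S{8}) (.+)$")


def parse_scan_start_utc(log_text):
    """Scan start as UTC. DDS prints the start in local time plus a [GMT +/-H:MM] offset;
    the Created Last 30 / Find3M timestamps are assumed to be UTC (the defogger_reenable
    marker written just before DDS ran lines up with the converted start, supporting this)."""
    local = offset = None
    for line in log_text.splitlines():
        m = RUN_RE.match(line)
        if m:
            local = datetime.strptime(f"{m.group(2)} {m.group(1)}", "%m/%d/%Y %H:%M:%S")
        m = TZ_RE.search(line)
        if m:
            sign = 1 if m.group(1) == "+" else -1
            offset = sign * timedelta(hours=int(m.group(2)), minutes=int(m.group(3)))
    if local is None or offset is None:
        raise ValueError("DDS header with scan time and GMT offset not found")
    return local - offset


def parse_sections(log_text):
    """Split the log into (services, created, find3m) entry lists."""
    section, services, created, find3m = None, [], [], []
    for line in log_text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            section = h.group(1).lower()
            continue
        if section == "services / drivers":
            m = SERVICE_RE.match(line)
            if m:
                services.append((m.group(2), m.group(3).lower(), m.group(4)))
        elif section in ("created last 30", "find3m"):
            m = FILE_RE.match(line)
            if m:
                ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
                entry = (ts, m.group(3), m.group(4).lower())
                (created if section == "created last 30" else find3m).append(entry)
    return services, created, find3m


def triage(log_text, sibling_window_s=120):
    """Return (name, reason) flags. They are pointers for a human reviewer, not verdicts:
    a legitimate installer or a clock change can trip the same rules."""
    scan_start = parse_scan_start_utc(log_text)
    services, created, find3m = parse_sections(log_text)
    flags = []
    for name, image, verify in services:
        if verify == "?":
            flags.append((name, "DDS could not verify the service/driver image ([?])"))
        if image.split(" --> ")[-1].endswith(".tmp"):
            flags.append((name, "service/driver image is a .tmp file"))
    # A driver dropped by a normal installer usually arrives together with a program folder;
    # a lone .sys in system32\drivers with nothing created around it deserves a closer look.
    dir_times = [ts for ts, attrs, _ in created if attrs.startswith("d")]
    window = timedelta(seconds=sibling_window_s)
    for ts, attrs, path in created:
        if attrs.startswith("d") or not path.endswith(".sys"):
            continue
        if not any(abs(ts - d) <= window for d in dir_times):
            flags.append((path.rsplit("\\", 1)[-1], "kernel driver created with no install folder alongside it"))
    for ts, _, path in created + find3m:
        if path.endswith(".sys") and ts >= scan_start:
            flags.append((path.rsplit("\\", 1)[-1], "driver timestamp is at or after the scan start (clock skew, or the file changed while DDS ran)"))
    return flags


if __name__ == "__main__":
    for name, reason in triage(SAMPLE_LOG):
        print(f"{name:14} {reason}")
```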

#2 m0le

  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 18 September 2010 - 07:35 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 ecko

  • Topic Starter
  • Members
  • 17 posts

Posted 19 September 2010 - 06:02 AM

Hey m0le, thanks for looking into this; it's quite apparent you guys are swamped. I'm ready to go whenever!

#4 m0le

  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 19 September 2010 - 06:15 AM

Can we start by eliminating rootkits on the system.


Please run MBRCheck

Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.


Now run TDSSKiller
  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.
  • Click Close
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\


#5 ecko

  • Topic Starter
  • Members
  • 17 posts

Posted 19 September 2010 - 01:56 PM

Reports below:

---

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 161):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xB85A8000 \WINDOWS\system32\KDCOM.DLL
0xB84B8000 \WINDOWS\system32\BOOTVID.dll
0xB7F79000 ACPI.sys
0xB85AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB7F68000 pci.sys
0xB80A8000 isapnp.sys
0xB7EA6000 somnn.sys
0xB84BC000 compbatt.sys
0xB84C0000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xB8670000 pciide.sys
0xB8328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xB80B8000 MountMgr.sys
0xB7E87000 ftdisk.sys
0xB8330000 PartMgr.sys
0xB80C8000 VolSnap.sys
0xB7E6F000 atapi.sys
0xB7DB1000 iaStor.sys
0xB80D8000 disk.sys
0xB80E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB7D91000 fltmgr.sys
0xB7D7F000 sr.sys
0xB7D69000 DRVMCDB.SYS
0xB80F8000 PxHelp20.sys
0xB7D52000 KSecDD.sys
0xB7D3F000 WudfPf.sys
0xB7CB2000 Ntfs.sys
0xB7C85000 NDIS.sys
0xB8108000 ohci1394.sys
0xB8118000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xB7C6B000 Mup.sys
0xB8138000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xB8318000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB6FA4000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xB6F90000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB83E8000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB6F6C000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xB83F0000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB6F44000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xB6D28000 \SystemRoot\system32\DRIVERS\NETw4x32.sys
0xB8148000 \SystemRoot\system32\DRIVERS\bcm4sbxp.sys
0xB6D14000 \SystemRoot\system32\DRIVERS\sdbus.sys
0xB8158000 \SystemRoot\system32\DRIVERS\rimmptsk.sys
0xB6D00000 \SystemRoot\system32\DRIVERS\rimsptsk.sys
0xB6CAF000 \SystemRoot\system32\DRIVERS\rixdptsk.sys
0xB8168000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xB6C7D000 \SystemRoot\system32\DRIVERS\SynTP.sys
0xB85E0000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xB83F8000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xB8400000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xB8178000 \SystemRoot\system32\DRIVERS\imapi.sys
0xB85E2000 \SystemRoot\System32\Drivers\DLACDBHM.SYS
0xB8188000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xB8198000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB6C5A000 \SystemRoot\system32\DRIVERS\ks.sys
0xB81A8000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0xB85A4000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xB7C47000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xB6B89000 \SystemRoot\system32\DRIVERS\btkrnl.sys
0xB8785000 \SystemRoot\system32\DRIVERS\audstub.sys
0xB81B8000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xB7C43000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB6B72000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xB81C8000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xB81D8000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xB8408000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB6B61000 \SystemRoot\system32\DRIVERS\psched.sys
0xB81E8000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xB8410000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xB8418000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB81F8000 \SystemRoot\system32\DRIVERS\termdd.sys
0xB85E4000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB697F000 \SystemRoot\system32\DRIVERS\update.sys
0xB7C37000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xB8420000 \SystemRoot\system32\DRIVERS\btport.sys
0xB68FF000 \SystemRoot\system32\drivers\btaudio.sys
0xB68DB000 \SystemRoot\system32\drivers\portcls.sys
0xB8208000 \SystemRoot\system32\drivers\drmk.sys
0xB82A8000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xB77E3000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xB5795000 \SystemRoot\system32\drivers\sthda.sys
0xB577B000 \SystemRoot\system32\drivers\dxec02.sys
0xB5747000 \SystemRoot\system32\DRIVERS\HSFHWAZL.sys
0xB5655000 \SystemRoot\system32\DRIVERS\HSF_DPV.sys
0xB55A2000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xB8428000 \SystemRoot\System32\Drivers\Modem.SYS
0xB8570000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xB85F4000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xB8704000 \SystemRoot\System32\Drivers\Null.SYS
0xB85F6000 \SystemRoot\System32\Drivers\Beep.SYS
0xB8438000 \SystemRoot\System32\Drivers\DLARTL_M.SYS
0xB8440000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xB8448000 \SystemRoot\System32\drivers\vga.sys
0xB85F8000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xB85FA000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xB8450000 \SystemRoot\System32\Drivers\Msfs.SYS
0xB8458000 \SystemRoot\System32\Drivers\Npfs.SYS
0xB8578000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB551F000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB54C6000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB548C000 \SystemRoot\System32\Drivers\avgtdix.sys
0xB5466000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xB5173000 \SystemRoot\system32\DRIVERS\netbt.sys
0xB5151000 \SystemRoot\System32\drivers\afd.sys
0xB7793000 \SystemRoot\system32\DRIVERS\netbios.sys
0xB8468000 \SystemRoot\System32\Drivers\SCDEmu.SYS
0xB50FE000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xB508E000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xB7773000 \SystemRoot\System32\Drivers\Fips.SYS
0xB8470000 \SystemRoot\System32\Drivers\avgmfx86.sys
0xB4D16000 \SystemRoot\System32\Drivers\avgldx86.sys
0xB68B3000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xB7753000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xB559A000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xB5596000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xB8218000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xB8228000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xB8480000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xB4756000 \SystemRoot\system32\DRIVERS\OEM02Dev.sys
0xB85FE000 \SystemRoot\system32\DRIVERS\OEM02Vfx.sys
0xB8568000 \SystemRoot\SYSTEM32\DRIVERS\APPDRV.SYS
0xB8248000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xB473E000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xB860C000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xB554A000 \SystemRoot\System32\drivers\Dxapi.sys
0xB8490000 \SystemRoot\System32\watchdog.sys
0xBD000000 \SystemRoot\System32\drivers\dxg.sys
0xB87A7000 \SystemRoot\System32\drivers\dxgthk.sys
0xBD012000 \SystemRoot\System32\nv4_disp.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xB47C0000 \SystemRoot\System32\Drivers\DRVNDDM.SYS
0xB877D000 \SystemRoot\System32\DLA\DLADResM.SYS
0xB32E6000 \SystemRoot\System32\DLA\DLAIFS_M.SYS
0xB84A0000 \SystemRoot\System32\DLA\DLAOPIOM.SYS
0xB861E000 \SystemRoot\System32\DLA\DLAPoolM.SYS
0xB84B0000 \SystemRoot\System32\DLA\DLABMFSM.SYS
0xB8340000 \SystemRoot\System32\DLA\DLABOIOM.SYS
0xB32D0000 \SystemRoot\System32\DLA\DLAUDFAM.SYS
0xB32B9000 \SystemRoot\System32\DLA\DLAUDF_M.SYS
0xB8378000 \SystemRoot\system32\DRIVERS\AegisP.sys
0xB31C5000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xB8380000 \SystemRoot\system32\DRIVERS\pnarp.sys
0xB8388000 \SystemRoot\system32\DRIVERS\purendis.sys
0xB31AD000 \SystemRoot\system32\DRIVERS\s24trans.sys
0xB2E04000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xB85B8000 \SystemRoot\system32\DRIVERS\datunidr.sys
0xB2C95000 \SystemRoot\system32\DRIVERS\srv.sys
0xB2DF4000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xB2668000 \SystemRoot\system32\drivers\wdmaud.sys
0xB298D000 \SystemRoot\system32\drivers\sysaudio.sys
0xB23FD000 \SystemRoot\System32\Drivers\HTTP.sys
0xB1FBD000 \SystemRoot\system32\DRIVERS\ipfltdrv.sys
0xB83B8000 \??\C:\Program Files\PeerBlock\pbfilter.sys
0xA3B2B000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xB8390000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xAB678000 \SystemRoot\System32\Drivers\btwusb.sys
0x8B85C000 \SystemRoot\system32\drivers\kmixer.sys
0x8BB8E000 \SystemRoot\system32\DRIVERS\asyncmac.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 66):
0 System Idle Process
4 System
824 C:\WINDOWS\system32\smss.exe
892 csrss.exe
924 C:\WINDOWS\system32\winlogon.exe
968 C:\WINDOWS\system32\services.exe
988 C:\WINDOWS\system32\lsass.exe
1176 C:\WINDOWS\system32\nvsvc32.exe
1200 C:\WINDOWS\system32\svchost.exe
1268 svchost.exe
1312 C:\WINDOWS\system32\svchost.exe
1344 C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
1384 C:\WINDOWS\system32\svchost.exe
1448 C:\Program Files\AVG\AVG9\avgchsvx.exe
1456 C:\Program Files\AVG\AVG9\avgrsx.exe
1580 C:\Program Files\AVG\AVG9\avgcsrvx.exe
1592 C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
1912 svchost.exe
208 svchost.exe
692 C:\WINDOWS\system32\spoolsv.exe
776 svchost.exe
800 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
832 C:\Program Files\AVG\AVG9\avgwdsvc.exe
864 C:\Program Files\Bonjour\mDNSResponder.exe
120 C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
1340 C:\Program Files\Java\jre6\bin\jqs.exe
1640 C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
1708 C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
1776 C:\WINDOWS\system32\svchost.exe
1788 C:\WINDOWS\system32\java.exe
2052 C:\Program Files\Viewpoint\Common\ViewpointService.exe
2212 C:\Program Files\AVG\AVG9\avgnsx.exe
2404 C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
2748 C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
4048 alg.exe
2148 C:\WINDOWS\explorer.exe
2740 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
2668 C:\WINDOWS\OEM02Mon.exe
2996 C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
3140 C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
3316 C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
3668 C:\Program Files\Dell\QuickSet\quickset.exe
3752 C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
3944 C:\WINDOWS\stsystra.exe
716 C:\WINDOWS\system32\KADxMain.exe
3444 C:\Program Files\Dell\MediaDirect\PCMService.exe
3472 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
3488 wmiprvse.exe
3640 C:\WINDOWS\system32\rundll32.exe
3648 C:\WINDOWS\system32\rundll32.exe
3704 C:\PROGRA~1\AVG\AVG9\avgtray.exe
3800 C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe
816 C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
3824 C:\Program Files\PeerBlock\peerblock.exe
3992 C:\WINDOWS\system32\ctfmon.exe
3916 C:\WINDOWS\system32\wuauclt.exe
3460 C:\Program Files\Mozilla Firefox\firefox.exe
2960 PresentationFontCache.exe
3716 C:\WINDOWS\system32\svchost.exe
2680 C:\WINDOWS\system32\svchost.exe
380 C:\WINDOWS\system32\svchost.exe
4888 C:\Program Files\iPod\bin\iPodService.exe
5144 C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
5116 C:\Program Files\Mozilla Firefox\plugin-container.exe
9388 C:\Documents and Settings\eddie\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
8728 C:\Documents and Settings\eddie\My Documents\Downloads\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`04e71400 (NTFS)
\\.\E: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: TOSHIBAMK8046GSX, Rev: LB312D
PhysicalDrive1 Model Number: WD6400BEV External, Rev: 1.75

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
596 GB \\.\PhysicalDrive1 RE: Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!

---

2010/09/19 14:48:12.0328 TDSS rootkit removing tool 2.4.2.1 Sep 7 2010 14:43:44
2010/09/19 14:48:12.0328 ================================================================================
2010/09/19 14:48:12.0328 SystemInfo:
2010/09/19 14:48:12.0328
2010/09/19 14:48:12.0328 OS Version: 5.1.2600 ServicePack: 3.0
2010/09/19 14:48:12.0328 Product type: Workstation
2010/09/19 14:48:12.0328 ComputerName: EKIM
2010/09/19 14:48:12.0328 UserName: eddie
2010/09/19 14:48:12.0328 Windows directory: C:\WINDOWS
2010/09/19 14:48:12.0328 System windows directory: C:\WINDOWS
2010/09/19 14:48:12.0328 Processor architecture: Intel x86
2010/09/19 14:48:12.0328 Number of processors: 2
2010/09/19 14:48:12.0328 Page size: 0x1000
2010/09/19 14:48:12.0328 Boot type: Normal boot
2010/09/19 14:48:12.0328 ================================================================================
2010/09/19 14:48:12.0546 Initialize success
2010/09/19 14:48:16.0578 ================================================================================
2010/09/19 14:48:16.0578 Scan started
2010/09/19 14:48:16.0578 Mode: Manual;
2010/09/19 14:48:16.0578 ================================================================================
2010/09/19 14:48:21.0187 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
2010/09/19 14:48:21.0250 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/09/19 14:48:21.0296 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/09/19 14:48:21.0359 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
2010/09/19 14:48:21.0421 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/09/19 14:48:21.0500 AegisP (a1ad1a4a9f18d900ca9c93fa3efdcb56) C:\WINDOWS\system32\DRIVERS\AegisP.sys
2010/09/19 14:48:21.0609 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/09/19 14:48:21.0671 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2010/09/19 14:48:21.0734 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
2010/09/19 14:48:21.0796 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
2010/09/19 14:48:21.0875 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
2010/09/19 14:48:21.0937 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
2010/09/19 14:48:21.0953 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
2010/09/19 14:48:22.0000 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
2010/09/19 14:48:22.0031 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
2010/09/19 14:48:22.0046 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
2010/09/19 14:48:22.0109 APPDRV (ec94e05b76d033b74394e7b2175103cf) C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS
2010/09/19 14:48:22.0203 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2010/09/19 14:48:22.0250 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
2010/09/19 14:48:22.0265 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
2010/09/19 14:48:22.0296 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
2010/09/19 14:48:22.0343 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/09/19 14:48:22.0406 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/09/19 14:48:22.0515 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/09/19 14:48:22.0562 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/09/19 14:48:22.0625 AvgLdx86 (b8c187439d27aba430dd69fdcf1fa657) C:\WINDOWS\system32\Drivers\avgldx86.sys
2010/09/19 14:48:22.0687 AvgMfx86 (53b3f979930a786a614d29cafe99f645) C:\WINDOWS\system32\Drivers\avgmfx86.sys
2010/09/19 14:48:22.0750 AvgTdiX (22e3b793c3e61720f03d3a22351af410) C:\WINDOWS\system32\Drivers\avgtdix.sys
2010/09/19 14:48:22.0796 bcm4sbxp (cd4646067cc7dcba1907fa0acf7e3966) C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
2010/09/19 14:48:22.0828 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/09/19 14:48:22.0953 btaudio (ecdc40cc54603c711e1a7a1c9255184a) C:\WINDOWS\system32\drivers\btaudio.sys
2010/09/19 14:48:23.0015 BTDriver (58a49bd10e08d3d4333a60dedcb1ced8) C:\WINDOWS\system32\DRIVERS\btport.sys
2010/09/19 14:48:23.0125 BTKRNL (885b6d0f826a216eee4c3ad883809012) C:\WINDOWS\system32\DRIVERS\btkrnl.sys
2010/09/19 14:48:23.0203 BTWDNDIS (b1d350f3f13cf340fce93912d2ba1ebf) C:\WINDOWS\system32\DRIVERS\btwdndis.sys
2010/09/19 14:48:23.0218 btwhid (e48668b4a6a5cf68b33aecad18ee8e1e) C:\WINDOWS\system32\DRIVERS\btwhid.sys
2010/09/19 14:48:23.0234 btwmodem (8bcd7bfe9c70a8ff7444263435b18aa1) C:\WINDOWS\system32\DRIVERS\btwmodem.sys
2010/09/19 14:48:23.0265 BTWUSB (57e91e9925976bbc98984eebaaf1d84c) C:\WINDOWS\system32\Drivers\btwusb.sys
2010/09/19 14:48:23.0328 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
2010/09/19 14:48:23.0343 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/09/19 14:48:23.0390 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2010/09/19 14:48:23.0437 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
2010/09/19 14:48:23.0500 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/09/19 14:48:23.0546 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/09/19 14:48:23.0562 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/09/19 14:48:23.0609 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2010/09/19 14:48:23.0671 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
2010/09/19 14:48:23.0703 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2010/09/19 14:48:23.0734 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
2010/09/19 14:48:23.0812 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
2010/09/19 14:48:23.0875 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
2010/09/19 14:48:23.0937 datunidr (dfeabb7cfffadea4a912ab95bdc3177a) C:\WINDOWS\system32\DRIVERS\datunidr.sys
2010/09/19 14:48:24.0000 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/09/19 14:48:24.0078 DLABMFSM (0659e6e0a95564f958d9df7313f7701e) C:\WINDOWS\system32\DLA\DLABMFSM.SYS
2010/09/19 14:48:24.0109 DLABOIOM (8691c78908f0bd66170669db268369f2) C:\WINDOWS\system32\DLA\DLABOIOM.SYS
2010/09/19 14:48:24.0125 DLACDBHM (76167b5eb2dffc729edc36386876b40b) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
2010/09/19 14:48:24.0171 DLADResM (5615744a1056933b90e6ac54feb86f35) C:\WINDOWS\system32\DLA\DLADResM.SYS
2010/09/19 14:48:24.0187 DLAIFS_M (1aeca2afa5005ce4a550cf8eb55a8c88) C:\WINDOWS\system32\DLA\DLAIFS_M.SYS
2010/09/19 14:48:24.0218 DLAOPIOM (840e7f6abb885c72b9ffddb022ef5b6d) C:\WINDOWS\system32\DLA\DLAOPIOM.SYS
2010/09/19 14:48:24.0234 DLAPoolM (0294d18731ac05da80132ce88f8a876b) C:\WINDOWS\system32\DLA\DLAPoolM.SYS
2010/09/19 14:48:24.0359 DLARTL_M (91886fed52a3f9966207bce46cfd794f) C:\WINDOWS\system32\Drivers\DLARTL_M.SYS
2010/09/19 14:48:24.0390 DLAUDFAM (cca4e121d599d7d1706a30f603731e59) C:\WINDOWS\system32\DLA\DLAUDFAM.SYS
2010/09/19 14:48:24.0468 DLAUDF_M (7dab85c33135df24419951da4e7d38e5) C:\WINDOWS\system32\DLA\DLAUDF_M.SYS
2010/09/19 14:48:24.0546 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/09/19 14:48:24.0671 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/09/19 14:48:24.0750 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/09/19 14:48:24.0796 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/09/19 14:48:24.0843 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
2010/09/19 14:48:24.0859 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/09/19 14:48:24.0921 DRVMCDB (c00440385cf9f3d142917c63f989e244) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
2010/09/19 14:48:24.0968 DRVNDDM (6e6ab29d3c06e64ce81feacda85394b5) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
2010/09/19 14:48:25.0031 DXEC02 (0c8762b91b967a91373e0e022b62acfc) C:\WINDOWS\system32\drivers\dxec02.sys
2010/09/19 14:48:25.0078 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2010/09/19 14:48:25.0093 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/09/19 14:48:25.0140 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/09/19 14:48:25.0187 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/09/19 14:48:25.0218 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/09/19 14:48:25.0265 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/09/19 14:48:25.0359 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/09/19 14:48:25.0453 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/09/19 14:48:25.0500 GEARAspiWDM (f2f431d1573ee632975c524418655b84) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2010/09/19 14:48:25.0562 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/09/19 14:48:25.0609 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2010/09/19 14:48:25.0625 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/09/19 14:48:25.0671 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
2010/09/19 14:48:25.0781 HSFHWAZL (290cdbb05903742ea06b7203c5a662f5) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
2010/09/19 14:48:25.0921 HSF_DPV (7ab812355f98858b9ecdd46e6fcc221f) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
2010/09/19 14:48:26.0000 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/09/19 14:48:26.0046 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
2010/09/19 14:48:26.0093 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
2010/09/19 14:48:26.0156 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/09/19 14:48:26.0187 iaStor (fd7f9d74c2b35dbda400804a3f5ed5d8) C:\WINDOWS\system32\drivers\iaStor.sys
2010/09/19 14:48:26.0203 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/09/19 14:48:26.0250 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
2010/09/19 14:48:26.0281 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2010/09/19 14:48:26.0453 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/09/19 14:48:26.0656 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/09/19 14:48:26.0937 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/09/19 14:48:26.0968 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/09/19 14:48:27.0015 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/09/19 14:48:27.0031 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/09/19 14:48:27.0078 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/09/19 14:48:27.0109 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/09/19 14:48:27.0156 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/09/19 14:48:27.0250 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/09/19 14:48:27.0328 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/09/19 14:48:27.0375 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/09/19 14:48:27.0453 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2010/09/19 14:48:27.0500 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/09/19 14:48:27.0578 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/09/19 14:48:27.0640 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/09/19 14:48:27.0687 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/09/19 14:48:27.0734 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/09/19 14:48:27.0765 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
2010/09/19 14:48:27.0781 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/09/19 14:48:27.0843 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/09/19 14:48:27.0890 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/09/19 14:48:27.0984 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/09/19 14:48:28.0015 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/09/19 14:48:28.0031 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/09/19 14:48:28.0046 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/09/19 14:48:28.0078 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2010/09/19 14:48:28.0078 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/09/19 14:48:28.0109 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2010/09/19 14:48:28.0234 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/09/19 14:48:28.0328 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2010/09/19 14:48:28.0359 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/09/19 14:48:28.0390 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/09/19 14:48:28.0406 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/09/19 14:48:28.0453 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/09/19 14:48:28.0468 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/09/19 14:48:28.0515 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/09/19 14:48:28.0750 NETw4x32 (b5ab1108b377b5f3d37409fabda01453) C:\WINDOWS\system32\DRIVERS\NETw4x32.sys
2010/09/19 14:48:28.0859 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2010/09/19 14:48:28.0953 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/09/19 14:48:28.0984 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/09/19 14:48:29.0031 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/09/19 14:48:29.0390 nv (406ddab2b05d94d4818e97ff050d1bc6) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2010/09/19 14:48:29.0812 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/09/19 14:48:29.0828 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/09/19 14:48:29.0921 OEM02Dev (9d20fa5d8875f6063aa5e1c44446f698) C:\WINDOWS\system32\DRIVERS\OEM02Dev.sys
2010/09/19 14:48:29.0953 OEM02Vfx (86326062a90494bdd79ce383511d7d69) C:\WINDOWS\system32\DRIVERS\OEM02Vfx.sys
2010/09/19 14:48:29.0984 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2010/09/19 14:48:30.0031 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/09/19 14:48:30.0109 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/09/19 14:48:30.0156 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/09/19 14:48:30.0281 pbfilter (14bb963561db904a159a58e79c867995) C:\Program Files\PeerBlock\pbfilter.sys
2010/09/19 14:48:30.0328 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/09/19 14:48:30.0375 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/09/19 14:48:30.0484 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/09/19 14:48:30.0546 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
2010/09/19 14:48:30.0562 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
2010/09/19 14:48:30.0609 pnarp (dea06627596015263360097c2608384e) C:\WINDOWS\system32\DRIVERS\pnarp.sys
2010/09/19 14:48:30.0671 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/09/19 14:48:30.0687 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/09/19 14:48:30.0750 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/09/19 14:48:30.0859 PTproct (413f2d5f9d802688242c23b38f767ecb) C:\Program Files\DellAutomatedPCTuneUp\GTAction\triggers\PTproct.sys
2010/09/19 14:48:31.0000 purendis (c0cdb9f7ce42c3487f0bea409bf5d153) C:\WINDOWS\system32\DRIVERS\purendis.sys
2010/09/19 14:48:31.0046 PxHelp20 (feffcfdc528764a04c8ed63d5fa6e711) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/09/19 14:48:31.0109 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
2010/09/19 14:48:31.0109 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
2010/09/19 14:48:31.0125 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
2010/09/19 14:48:31.0140 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
2010/09/19 14:48:31.0156 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
2010/09/19 14:48:31.0296 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/09/19 14:48:31.0328 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/09/19 14:48:31.0359 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/09/19 14:48:31.0437 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/09/19 14:48:31.0453 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/09/19 14:48:31.0500 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/09/19 14:48:31.0546 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/09/19 14:48:31.0671 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/09/19 14:48:31.0703 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/09/19 14:48:31.0750 rimmptsk (d85e3fa9f5b1f29bb4ed185c450d1470) C:\WINDOWS\system32\DRIVERS\rimmptsk.sys
2010/09/19 14:48:31.0812 rimsptsk (db8eb01c58c9fada00c70b1775278ae0) C:\WINDOWS\system32\DRIVERS\rimsptsk.sys
2010/09/19 14:48:31.0828 rismxdp (6c1f93c0760c9f79a1869d07233df39d) C:\WINDOWS\system32\DRIVERS\rixdptsk.sys
2010/09/19 14:48:31.0890 s24trans (eadfb87f911a7a75d1b80617f92901e8) C:\WINDOWS\system32\DRIVERS\s24trans.sys
2010/09/19 14:48:31.0953 SCDEmu (612a3d69e603dbbe5c3c1079186a0393) C:\WINDOWS\system32\drivers\SCDEmu.sys
2010/09/19 14:48:32.0062 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
2010/09/19 14:48:32.0125 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/09/19 14:48:32.0171 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/09/19 14:48:32.0187 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/09/19 14:48:32.0250 sffdisk (0fa803c64df0914b41f807ea276bf2a6) C:\WINDOWS\system32\DRIVERS\sffdisk.sys
2010/09/19 14:48:32.0265 sffp_sd (c17c331e435ed8737525c86a7557b3ac) C:\WINDOWS\system32\DRIVERS\sffp_sd.sys
2010/09/19 14:48:32.0359 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/09/19 14:48:32.0390 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
2010/09/19 14:48:32.0406 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2010/09/19 14:48:32.0406 Suspicious service (NoAccess): somnn
2010/09/19 14:48:32.0484 somnn (b7e2234d097b9fdc827eaa8a8b559090) C:\WINDOWS\system32\drivers\somnn.sys
2010/09/19 14:48:32.0484 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\somnn.sys. md5: b7e2234d097b9fdc827eaa8a8b559090
2010/09/19 14:48:32.0484 somnn - detected Locked service (1)
2010/09/19 14:48:32.0531 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
2010/09/19 14:48:32.0625 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/09/19 14:48:32.0656 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/09/19 14:48:32.0734 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/09/19 14:48:32.0843 STHDA (58f855684e163466a5c565adf0865536) C:\WINDOWS\system32\drivers\sthda.sys
2010/09/19 14:48:33.0015 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2010/09/19 14:48:33.0062 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/09/19 14:48:33.0078 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/09/19 14:48:33.0125 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
2010/09/19 14:48:33.0140 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2010/09/19 14:48:33.0218 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
2010/09/19 14:48:33.0328 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2010/09/19 14:48:33.0359 SynTP (936cd58395d36659bb798b961ef7357f) C:\WINDOWS\system32\DRIVERS\SynTP.sys
2010/09/19 14:48:33.0531 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/09/19 14:48:33.0609 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/09/19 14:48:33.0656 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/09/19 14:48:33.0781 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/09/19 14:48:33.0875 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/09/19 14:48:33.0921 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
2010/09/19 14:48:33.0953 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/09/19 14:48:34.0015 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
2010/09/19 14:48:34.0109 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/09/19 14:48:34.0234 USBAAPL (60a68a5ea173a97971ee9f1ff49eb2b3) C:\WINDOWS\system32\Drivers\usbaapl.sys
2010/09/19 14:48:34.0296 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/09/19 14:48:34.0328 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/09/19 14:48:34.0375 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/09/19 14:48:34.0406 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/09/19 14:48:34.0453 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/09/19 14:48:34.0531 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
2010/09/19 14:48:34.0609 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/09/19 14:48:34.0656 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
2010/09/19 14:48:34.0750 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2010/09/19 14:48:34.0796 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/09/19 14:48:34.0859 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/09/19 14:48:34.0890 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/09/19 14:48:34.0984 winachsf (a8596cf86d445269a42ecc08b7066a4c) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2010/09/19 14:48:35.0093 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2010/09/19 14:48:35.0171 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
2010/09/19 14:48:35.0234 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2010/09/19 14:48:35.0296 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/09/19 14:48:35.0328 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/09/19 14:48:35.0359 ================================================================================
2010/09/19 14:48:35.0359 Scan finished
2010/09/19 14:48:35.0359 ================================================================================
2010/09/19 14:48:35.0359 Detected object count: 1
2010/09/19 14:48:42.0734 HKLM\SYSTEM\ControlSet003\services\somnn - will be deleted after reboot
2010/09/19 14:48:42.0734 HKLM\SYSTEM\ControlSet004\services\somnn - will be deleted after reboot
2010/09/19 14:48:42.0734 C:\WINDOWS\system32\drivers\somnn.sys - will be deleted after reboot
2010/09/19 14:48:42.0734 Locked service(somnn) - User select action: Delete
2010/09/19 14:48:46.0812 Deinitialize success

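The TDSSKiller run above flags exactly one object: a service named somnn, backed by C:\WINDOWS\system32\drivers\somnn.sys, that the tool could not open (NoAccess) and reports as a locked service, with its file and its keys under two control sets scheduled for deletion at reboot. The following script is an added example, not part of the thread and not code from Kaspersky's tool: it parses a TDSSKiller-style driver log, collects what the tool itself flagged, cross-checks that the detection line's MD5 agrees with the driver line's MD5, lists what is queued for removal, and confirms that every flagged service has both its file and a service key queued. The excerpt it runs on is assembled from the log lines quoted above, and the "driver outside the Windows driver directory" note is informational only (PeerBlock's pbfilter.sys trips it and is legitimate in this log).

```python
import re
from dataclasses import dataclass, field

# Excerpt assembled from the TDSSKiller 2.4 log quoted in the thread (constructed
# for this example; not a fresh scan of the machine).
SAMPLE_LOG = r"""
2010/09/19 14:48:30.0281 pbfilter (14bb963561db904a159a58e79c867995) C:\Program Files\PeerBlock\pbfilter.sys
2010/09/19 14:48:32.0406 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2010/09/19 14:48:32.0406 Suspicious service (NoAccess): somnn
2010/09/19 14:48:32.0484 somnn (b7e2234d097b9fdc827eaa8a8b559090) C:\WINDOWS\system32\drivers\somnn.sys
2010/09/19 14:48:32.0484 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\somnn.sys. md5: b7e2234d097b9fdc827eaa8a8b559090
2010/09/19 14:48:32.0484 somnn - detected Locked service (1)
2010/09/19 14:48:32.0531 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
2010/09/19 14:48:35.0359 Detected object count: 1
2010/09/19 14:48:42.0734 HKLM\SYSTEM\ControlSet003\services\somnn - will be deleted after reboot
2010/09/19 14:48:42.0734 HKLM\SYSTEM\ControlSet004\services\somnn - will be deleted after reboot
2010/09/19 14:48:42.0734 C:\WINDOWS\system32\drivers\somnn.sys - will be deleted after reboot
2010/09/19 14:48:42.0734 Locked service(somnn) - User select action: Delete
"""

# Line shapes seen in the log: every line starts with "YYYY/MM/DD HH:MM:SS.ffff ".
TS = r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4} "
DRIVER_RE = re.compile(TS + r"(?P<svc>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
SUSP_SVC_RE = re.compile(TS + r"Suspicious service \((?P<why>\w+)\): (?P<svc>\S+)$")
SUSP_FILE_RE = re.compile(TS + r"Suspicious file \((?P<why>\w+)\): (?P<path>.+)\. md5: (?P<md5>[0-9a-f]{32})$")
DETECT_RE = re.compile(TS + r"(?P<svc>\S+) - detected (?P<verdict>.+?) \(\d+\)$")
DELETE_RE = re.compile(TS + r"(?P<obj>.+) - will be deleted after reboot$")

# Drivers normally live here on XP; anything else is worth a look, not an alarm.
SYSTEM_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"


@dataclass
class Driver:
    service: str
    md5: str
    path: str


@dataclass
class Triage:
    drivers: dict = field(default_factory=dict)      # service name -> Driver
    flagged: dict = field(default_factory=dict)      # service name -> reasons the tool gave
    pending_removal: list = field(default_factory=list)
    notes: list = field(default_factory=list)        # our own informational findings


def triage(log_text: str) -> Triage:
    """Parse a TDSSKiller-style log and collect detections plus cheap cross-checks."""
    t = Triage()
    file_flags = {}  # lower-cased path -> (reason, md5 reported on the detection line)
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SUSP_SVC_RE.match(line):
            t.flagged.setdefault(m["svc"], []).append(f"service {m['why']}")
        elif m := SUSP_FILE_RE.match(line):
            file_flags[m["path"].lower()] = (m["why"], m["md5"])
        elif m := DETECT_RE.match(line):
            t.flagged.setdefault(m["svc"], []).append(m["verdict"])
        elif m := DELETE_RE.match(line):
            t.pending_removal.append(m["obj"])
        elif m := DRIVER_RE.match(line):
            t.drivers[m["svc"]] = Driver(m["svc"], m["md5"], m["path"])
    # Cross-checks need the whole log, so they run after the pass above.
    for svc, d in t.drivers.items():
        low = d.path.lower()
        if low in file_flags:
            why, md5 = file_flags[low]
            t.flagged.setdefault(svc, []).append(f"file {why}")
            if md5 != d.md5:  # the two lines should describe the same bytes
                t.notes.append(f"{svc}: detection md5 {md5} differs from driver line md5 {d.md5}")
        if not low.startswith(SYSTEM_DRIVER_DIR):
            t.notes.append(f"{svc}: loaded from outside the Windows driver directory: {d.path}")
    return t


def removal_gaps(t: Triage) -> dict:
    """Flagged services whose file or service key is NOT queued for deletion."""
    pend = [p.lower() for p in t.pending_removal]
    gaps = {}
    for svc in t.flagged:
        d = t.drivers.get(svc)
        file_ok = d is not None and d.path.lower() in pend
        key_ok = any(p.endswith("\\services\\" + svc.lower()) for p in pend)
        if not (file_ok and key_ok):
            gaps[svc] = {"file": file_ok, "service_key": key_ok}
    return gaps


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for svc, reasons in result.flagged.items():
        d = result.drivers.get(svc)
        print(f"FLAGGED {svc}: {', '.join(reasons)} -> {d.path if d else '?'} md5={d.md5 if d else '?'}")
    for obj in result.pending_removal:
        print(f"queued for deletion: {obj}")
    for note in result.notes:
        print(f"note: {note}")
    print("removal gaps:", removal_gaps(result) or "none")
```

The cross-check matters because a rootkit that hooks file reads can make a tool hash one thing while listing another; agreement between the two lines is weak evidence that the view was consistent. The gap check is the question a responder asks before telling the user to reboot: is the file and every service key that loads it on the removal list, or will the driver come back on the next boot.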

#6 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 19 September 2010 - 06:39 PM

Please run Combofix

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

m0le is a proud member of UNITE

#7 ecko
  • Topic Starter
  • Members
  • 17 posts

Posted 19 September 2010 - 08:03 PM

ComboFix 10-09-19.01 - eddie 09/19/2010 20:48:39.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3582.2660 [GMT -4:00]
Running from: c:\documents and settings\eddie\Desktop\comfix.exe.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-08-20 to 2010-09-20 )))))))))))))))))))))))))))))))
.

2010-09-09 21:36 . 2008-04-09 04:14 23992 ----a-w- c:\windows\system32\drivers\pnarp.sys
2010-09-09 21:35 . 2008-04-09 04:14 25272 ----a-w- c:\windows\system32\drivers\purendis.sys
2010-09-09 21:35 . 2010-09-09 21:35 -------- d-----w- c:\program files\Common Files\Pure Networks Shared
2010-09-09 21:35 . 2010-09-09 21:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Pure Networks
2010-08-31 16:11 . 2010-08-31 16:11 3401880 ----a-w- c:\documents and settings\eddie\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
2010-08-31 15:55 . 2010-08-31 15:55 275096 ----a-w- c:\documents and settings\eddie\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-08-31 15:39 . 2010-08-31 15:39 3734536 ----a-w- c:\documents and settings\eddie\Application Data\Mozilla\plugins\Google Talk Plugin Extras\d3dx9_36.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-20 00:42 . 2010-07-20 01:01 -------- d-----w- c:\program files\PeerBlock
2010-09-20 00:41 . 2009-10-21 22:51 -------- d-----w- c:\documents and settings\eddie\Application Data\vlc
2010-09-19 21:24 . 2008-03-21 00:25 -------- d-----w- c:\documents and settings\eddie\Application Data\Azureus
2010-09-19 21:23 . 2009-02-18 18:04 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-18 22:25 . 2008-02-27 15:48 138271 ----a-w- c:\windows\system32\nvModes.dat
2010-09-18 22:23 . 2008-03-07 23:58 -------- d-----w- c:\program files\World of Warcraft
2010-09-16 03:47 . 2008-03-07 23:58 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-09-10 03:22 . 2008-03-04 06:18 85800 ----a-w- c:\documents and settings\eddie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-09 21:37 . 2008-02-27 16:04 -------- d-----w- c:\program files\Java
2010-09-09 21:36 . 2010-07-21 04:14 -------- d-----w- c:\program files\Common Files\Java
2010-09-09 21:35 . 2008-02-27 16:07 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-09-09 21:34 . 2009-02-06 23:36 -------- d-----w- c:\program files\Linksys
2010-09-07 23:18 . 2010-07-05 20:24 1337936 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-08-04 22:08 . 2009-04-19 20:36 -------- d-----w- c:\documents and settings\eddie\Application Data\LimeWire
2010-08-04 01:50 . 2008-04-19 17:52 -------- d-----w- c:\program files\Steam
2010-07-21 04:14 . 2010-07-21 04:14 61440 ----a-w- c:\documents and settings\eddie\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-11feebbc-n\decora-sse.dll
2010-07-21 04:14 . 2010-07-21 04:14 12800 ----a-w- c:\documents and settings\eddie\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-11feebbc-n\decora-d3d.dll
2010-07-21 04:14 . 2010-07-21 04:14 503808 ----a-w- c:\documents and settings\eddie\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-60d40e9b-n\msvcp71.dll
2010-07-21 04:14 . 2010-07-21 04:14 499712 ----a-w- c:\documents and settings\eddie\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-60d40e9b-n\jmc.dll
2010-07-21 04:14 . 2010-07-21 04:14 348160 ----a-w- c:\documents and settings\eddie\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-60d40e9b-n\msvcr71.dll
2010-07-21 04:13 . 2010-07-21 04:14 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-21 04:12 . 2010-07-21 04:12 79488 ----a-w- c:\documents and settings\eddie\Application Data\Sun\Java\jre1.6.0_21\gtapi.dll
2010-07-21 04:12 . 2010-07-21 04:12 152576 ----a-w- c:\documents and settings\eddie\Application Data\Sun\Java\jre1.6.0_21\lzma.dll
2010-07-21 00:23 . 2010-07-21 00:23 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-21 00:23 . 2010-07-21 00:23 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-07-21 00:23 . 2010-07-21 00:23 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-07-21 00:22 . 2010-07-21 00:22 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-18 22:46 . 2010-07-18 22:46 120 ----a-w- c:\windows\Tbibejivuluyet.dat
2010-07-18 22:46 . 2010-07-18 22:46 0 ----a-w- c:\windows\Vpiqovoxad.bin
2009-03-04 04:47 . 2009-03-04 04:47 604 ---ha-w- c:\program files\STLL Notifier
2008-02-27 16:08 . 2008-02-27 16:08 76 --sh--r- c:\windows\CT4CET.bin
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\eddie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-05-21 133104]
"PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2010-06-10 1843312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-03 851968]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-08-28 36864]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-05-14 1191936]
"SigmatelSysTrayApp"="stsystra.exe" [2007-06-06 405504]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-10 16384]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-05-01 13750272]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-05-01 86016]
"NVHotkey"="nvHotkey.dll" [2009-05-01 86016]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-21 2065760]
"LELA"="c:\program files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" [2008-05-01 131072]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-04-09 648504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-21 00:23 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2009-07-18 13:31 2356088 ----a-w- c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim]
2010-04-19 20:54 3972440 ----a-w- c:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellAutomatedPCTuneUp]
2007-10-11 15:49 465136 ----a-w- c:\program files\DellAutomatedPCTuneUp\PTAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-27 22:50 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-07-13 18:03 292128 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2009-05-01 04:31 1657376 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2006-08-17 15:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-05-08 01:07 1238352 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"stllssvr"=3 (0x3)
"SavRoam"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Steam\\steamapps\\ejk2101@columbia.edu\\half-life\\hl.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Documents and Settings\\eddie\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\eddie\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Steam\\steamapps\\ejk2101@columbia.edu\\counter-strike\\hl.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"67:UDP"= 67:UDP:DHCP Discovery Service
"5003:TCP"= 5003:TCP:TCP Port 5003
"5003:UDP"= 5003:UDP:UDP Port 5003

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/20/2010 8:23 PM 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [7/20/2010 8:22 PM 243024]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/20/2010 8:22 PM 308136]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/5/2008 8:33 PM 24652]
R3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [7/19/2010 9:01 PM 18544]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [4/18/2008 5:30 AM 204800]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\930.tmp --> c:\windows\system32\930.tmp [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - KLMDB
*NewlyCreated* - PBFILTER
*Deregistered* - klmdb
.
Contents of the 'Scheduled Tasks' folder

2010-09-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34]

2010-09-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4199806129-2577499642-3620559833-1006Core.job
- c:\documents and settings\eddie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-21 06:22]

2010-09-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4199806129-2577499642-3620559833-1006UA.job
- c:\documents and settings\eddie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-21 06:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\eddie\Application Data\Mozilla\Firefox\Profiles\amyjnkil.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\eddie\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\eddie\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\eddie\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\eddie\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Opera\program\plugins\nppl3260.dll
FF - plugin: c:\program files\Opera\program\plugins\nppl3260.dll
FF - plugin: c:\program files\Opera\program\plugins\nprpjplug.dll
FF - plugin: c:\program files\Opera\program\plugins\nprpjplug.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {527AF9A3-C210-4A6E-8096-C8DB25D4282C} - c:\documents and settings\eddie\Local Settings\Application Data\{527AF9A3-C210-4A6E-8096-C8DB25D4282C}\
FF - HiddenExtension: XULRunner: {220D251D-2F8A-4FB5-BF2D-2D30CC08C2BB} - c:\documents and settings\eddie\Local Settings\Application Data\{220D251D-2F8A-4FB5-BF2D-2D30CC08C2BB}\
FF - HiddenExtension: XULRunner: {82A31B56-CEE4-4BE0-B4F0-E5386041C664} - c:\documents and settings\eddie\Local Settings\Application Data\{82A31B56-CEE4-4BE0-B4F0-E5386041C664}\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
SafeBoot-klmdb.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-19 20:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\930.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4199806129-2577499642-3620559833-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:00,39,ad,6c,f5,13,32,0a,38,77,35,eb,07,4d,5e,61,1e,32,e1,3a,fc,7f,c5,
08,de,a3,a2,bf,e4,b6,36,3d,11,1e,47,01,71,53,1b,d2,62,70,72,d6,61,bd,b0,45,\
"??"=hex:10,f0,8b,78,24,b3,7a,3a,6e,69,e3,aa,61,06,ef,17
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3936)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-09-19 20:56:17
ComboFix-quarantined-files.txt 2010-09-20 00:56
ComboFix2.txt 2010-08-03 01:55

Pre-Run: 7,244,402,688 bytes free
Post-Run: 7,369,519,104 bytes free

- - End Of File - - 6A69F98FB01B80F5F1EDCE07DD3971C2


#8 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 20 September 2010 - 08:54 AM

Nearly clean there.

Use Windows Explorer to find and delete these files:

c:\windows\Tbibejivuluyet.dat
c:\windows\Vpiqovoxad.bin

As an example, to delete C:\WINDOWS\badfile.dll:
  • Double click the My Computer icon on your Desktop, or click on the Windows KEY + E.
  • Double click on Local Disc (C:\)
  • Double click on the Windows folder
  • Right click on badfile.dll and then, from the menu that appears, click on Delete



Now please run ESET's online scanner
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Leave the top box checked and then check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.



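The two files picked out for deletion above share one trait visible in the ComboFix log: they are recently written regular files sitting directly in the Windows root rather than in a subfolder. The following triage helper is an added example (not ComboFix's or the forum's own code) that parses the log's file-entry format and applies that filter; the 90-day window and the "Windows root" rule are assumptions of this example, and the sample lines are constructed from the format shown in the log.

```python
"""Triage helper for the ComboFix 'Files Created' / 'Find3M' sections.

Added example, not ComboFix's or the forum's own code. It parses the
two-timestamp line format (created . modified size attrs path) and lists
regular files written directly into the Windows root inside a chosen window.
"""
import re
from datetime import datetime, timedelta
from typing import List, NamedTuple

# One ComboFix file/directory line: created . modified size attrs path
_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\S+) (\S+) (.+)$"
)

# Scan time taken from the ComboFix header in the log above (09/19/2010 20:48)
SCAN_TIME = datetime(2010, 9, 19, 20, 48)


class Entry(NamedTuple):
    created: datetime
    modified: datetime
    size: int          # -1 for directories (ComboFix prints '--------')
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")


def parse_combofix_entries(text: str) -> List[Entry]:
    """Return every parseable file/directory line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        created, modified, size, attrs, path = m.groups()
        entries.append(Entry(
            datetime.strptime(created, "%Y-%m-%d %H:%M"),
            datetime.strptime(modified, "%Y-%m-%d %H:%M"),
            -1 if size.startswith("-") else int(size),
            attrs,
            path.lower(),
        ))
    return entries


def recent_windows_root_files(entries, scan_time, days=90, windir="c:\\windows"):
    """Heuristic triage filter (an assumption of this example, not a ComboFix
    rule): regular files written directly into the Windows root within the last
    `days`. Legitimate installers rarely drop new files there, so each hit is
    worth a manual look; it is a shortlist, not a verdict."""
    cutoff = scan_time - timedelta(days=days)
    hits = []
    for e in entries:
        if e.is_dir:
            continue
        parent, _, _name = e.path.rpartition("\\")
        if parent == windir and e.modified >= cutoff:
            hits.append(e.path)
    return sorted(hits)


# Constructed sample lines in the format of the log above.
SAMPLE_LOG = """\
2010-07-21 00:23 . 2010-07-21 00:23 12536 ----a-w- c:\\windows\\system32\\avgrsstx.dll
2010-07-18 22:46 . 2010-07-18 22:46 120 ----a-w- c:\\windows\\Tbibejivuluyet.dat
2010-07-18 22:46 . 2010-07-18 22:46 0 ----a-w- c:\\windows\\Vpiqovoxad.bin
2009-03-04 04:47 . 2009-03-04 04:47 604 ---ha-w- c:\\program files\\STLL Notifier
2008-02-27 16:08 . 2008-02-27 16:08 76 --sh--r- c:\\windows\\CT4CET.bin
2010-09-09 21:35 . 2010-09-09 21:35 -------- d-----w- c:\\program files\\Linksys
"""

if __name__ == "__main__":
    for p in recent_windows_root_files(parse_combofix_entries(SAMPLE_LOG), SCAN_TIME):
        print(p)
```

On the sample the filter returns exactly the two files named above and leaves the 2008-era CT4CET.bin and everything under system32 alone.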
#9 ecko (Topic Starter, Members, 17 posts)

Posted 21 September 2010 - 06:31 PM

The two files were found and deleted.

Log below:

---
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSvchost1.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Documents and Settings\eddie\Application Data\Sun\Java\Deployment\cache\6.0\12\308c10c-7f57f865 multiple threats deleted - quarantined
C:\Documents and Settings\eddie\Application Data\Sun\Java\Deployment\cache\6.0\19\19e0df93-49ab22e5 a variant of Java/Rowindal.A trojan deleted - quarantined
C:\Documents and Settings\eddie\Application Data\Sun\Java\Deployment\cache\6.0\25\7b7b6759-798e7a75 multiple threats deleted - quarantined
C:\Documents and Settings\eddie\Application Data\Sun\Java\Deployment\cache\6.0\31\743fee9f-403264d9 multiple threats deleted - quarantined
C:\Documents and Settings\eddie\Application Data\Sun\Java\Deployment\cache\6.0\34\187b0ca2-20bb9437 probably a variant of Win32/Agent.FPEXZHL trojan deleted - quarantined
C:\Documents and Settings\eddie\Application Data\Sun\Java\Deployment\cache\6.0\37\bbcdb65-5a773fbb a variant of Java/Exploit.Agent.NAC trojan deleted - quarantined
C:\Documents and Settings\eddie\Application Data\Sun\Java\Deployment\cache\6.0\43\752509ab-779fd7d7 probably a variant of Win32/Agent.HRYTTOE trojan deleted - quarantined
C:\Documents and Settings\eddie\Application Data\Sun\Java\Deployment\cache\6.0\56\3ae66678-1ee50f0d multiple threats deleted - quarantined
C:\Documents and Settings\eddie\Application Data\Sun\Java\Deployment\cache\6.0\62\38e4f6fe-1c984a47 multiple threats deleted - quarantined


#10 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 21 September 2010 - 06:47 PM

All these were already quarantined or are copies of malware and therefore at the moment they are not live. The PC is clean as far as I can tell.

Are you having any problems with the machine at present?

#11 ecko (Topic Starter, Members, 17 posts)

Posted 21 September 2010 - 08:03 PM

Seemingly not; PeerBlock is no longer going crazy when my computer is idle, and performance seems normal. The only last thing I'd ask is regarding the fact that the malware files were in my Java folder... should I be concerned that updating Java or something will revive the virus(es)?

Otherwise, it looks like I'm all set. Thanks for all your help through this!

#12 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 22 September 2010 - 04:45 AM

The malware is actually in your Java cache. They are essentially cached copies of the malware and not active.

To clear the Java Runtime Environment (JRE) cache, do this:
  • Click Start > Settings > Control Panel.
  • Double-click the Java icon. If you don't see it, go to Other options in the left panel or change to Classic View.
    -The Java Control Panel appears.
  • Click "Settings" under Temporary Internet Files.
    -The Temporary Files Settings dialog box appears.
  • Click "Delete Files".
    -The Delete Temporary Files dialog box appears.
    -There are three options on this window to clear the cache.
    • Delete Files
    • Applications and applets
    • Trace and log files
  • Click "OK" on Delete Temporary Files window.
    -Note: This deletes all the Downloaded Applications and Applets from the cache.
  • Click "OK" on Temporary Files Settings window.
  • Close the Java Control Panel.
You can also view these instructions along with screenshots here.

Looks like we're done here. Please follow the instructions that follow.

You're clean. Good stuff!

Let's do some clearing up

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    (For Vista/Windows 7 please click Start -> All Programs -> Accessories -> Run)
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between "Combofix" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.


We Need to Clean Up our Mess
Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.
------------------------------------------------------------------------------------------------------------------------

Here's some advice on how you can keep your PC clean


Use and update your AntiVirus Software

You must have a good antivirus. There are plenty to choose from but I personally recommend the free options of Avast and Avira Antivir. If you want to purchase a security program then I recommend any of the following: AVG, Norton, McAfee, Kaspersky and ESET Nod32.

It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

Use this next program to check for updates for programs already on your system. Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically, make sure that updates on any that are flagged are carried out as soon as possible

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15 day trial period.

Installing this or another recommended program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis, just as you would with antivirus software.


Finally, here's a treasure trove of antivirus, antimalware and antispyware resources


That's it ecko, you are welcome for the help. Happy surfing!

Cheers.

m0le

#13 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 26 September 2010 - 06:50 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.