Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Redirect virus


  • This topic is locked This topic is locked
122 replies to this topic

#1 jub_69

jub_69

  • Members
  • 76 posts
  • OFFLINE
  •  
  • Local time:02:48 PM

Posted 26 October 2010 - 06:08 PM

here is my log file can any one help me please?
Scan saved at 8:07:45 PM, on 10/26/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17091)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Norton AntiVirus\Engine\17.8.0.5\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Vongo\VongoService.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Norton AntiVirus\Engine\17.8.0.5\ccSvcHst.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Documents and Settings\George Trainor\My Documents\Downloads\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\17.8.0.5\IPSBHO.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1270236872765
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Norton AntiVirus (NAV) - Unknown owner - C:\Program Files\Norton AntiVirus\Engine\17.8.0.5\ccSvcHst.exe" /s "NAV" /m "C:\Program Files\Norton AntiVirus\Engine\17.8.0.5\diMaster.dll" /prefetch:1 (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe

BC AdBot (Login to Remove)

 


#2 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,759 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:03:48 PM

Posted 26 October 2010 - 06:17 PM

Hi, jub_69 :)

:welcome:

Download GMER from Here. Note the file's name and save it to your root folder, such as C:\.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "No", save the log and post back the results.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#3 jub_69

jub_69
  • Topic Starter

  • Members
  • 76 posts
  • OFFLINE
  •  
  • Local time:02:48 PM

Posted 26 October 2010 - 11:55 PM

Here's the results
Rootkit scan 2010-10-27 01:54:22
Windows 5.1.2600 Service Pack 3
Running: wyerysik.exe; Driver: C:\DOCUME~1\GEORGE~1\LOCALS~1\Temp\fwldqpob.sys


---- System - GMER 1.0.15 ----

SSDT 89CE5CD0 ZwAlertResumeThread
SSDT 89D35848 ZwAlertThread
SSDT 89DDEEB8 ZwAllocateVirtualMemory
SSDT 89C23420 ZwAssignProcessToJobObject
SSDT 89EDAB30 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xB6C7B210]
SSDT 89C08B40 ZwCreateMutant
SSDT 89DCF6B0 ZwCreateSymbolicLinkObject
SSDT 89E450B0 ZwCreateThread
SSDT 89C23908 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xB6C7B490]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB6C7B9F0]
SSDT 89BFF390 ZwDuplicateObject
SSDT 89DDE698 ZwFreeVirtualMemory
SSDT 89DC5448 ZwImpersonateAnonymousToken
SSDT 89D07810 ZwImpersonateThread
SSDT 89C6F158 ZwLoadDriver
SSDT 89DDE4F8 ZwMapViewOfSection
SSDT 89CFA7E8 ZwOpenEvent
SSDT 89BFF670 ZwOpenProcess
SSDT 8A0129E0 ZwOpenProcessToken
SSDT 89CED470 ZwOpenSection
SSDT 89BFF520 ZwOpenThread
SSDT 89DCFD80 ZwProtectVirtualMemory
SSDT 89EB5CD0 ZwResumeThread
SSDT 89D12B38 ZwSetContextThread
SSDT 89EE7F40 ZwSetInformationProcess
SSDT 89CEE908 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB6C7BC40]
SSDT 89C306D8 ZwSuspendProcess
SSDT 89E65AD8 ZwSuspendThread
SSDT 89D3A5E8 ZwTerminateProcess
SSDT 89DC3B60 ZwTerminateThread
SSDT 89C812D0 ZwUnmapViewOfSection
SSDT 89DDEAA8 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2DAC 80504648 4 Bytes CALL D6DA15F4
.text ntkrnlpa.exe!ZwCallbackReturn + 2FA4 80504840 4 Bytes JMP AE68D213
.text ntkrnlpa.exe!ZwCallbackReturn + 2FE8 80504884 8 Bytes CALL E0DA1C2E
.text ntkrnlpa.exe!ZwCallbackReturn + 3038 805048D4 4 Bytes JMP 4B0889DD
? SYMDS.SYS The system cannot find the file specified. !
? SYMEFA.SYS The system cannot find the file specified. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xBA154360, 0x2212DD, 0xE8000020]
init C:\WINDOWS\system32\drivers\tifm21.sys entry point in "init" section [0xB9F93EBF]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[1512] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 023D003A

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 eabfiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 02: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 08: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sectors 312581607 (+199): rootkit-like behavior;

---- EOF - GMER 1.0.15 ----

#4 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,759 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:03:48 PM

Posted 27 October 2010 - 01:05 AM

I would suggest you backup your important documents before proceeding.

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.


    Posted Image

  • If an infected file is detected, the default action will be Cure, click on Continue.


    Posted Image

  • If a suspicious file is detected, the default action will be Skip, click on Continue.


    Posted Image

  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.


    Posted Image

  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download MBRCheck.exe to your Desktop. Run the application.

If no infection is found, it will produce a report on the desktop. Post that report in your next reply.

If an infection is found, you will be presented with the following dialog:

Enter 'Y' and hit ENTER for more options, or 'N' to exit:


Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#5 jub_69

jub_69
  • Topic Starter

  • Members
  • 76 posts
  • OFFLINE
  •  
  • Local time:02:48 PM

Posted 27 October 2010 - 10:44 AM

2010/10/27 12:39:27.0031 TDSS rootkit removing tool 2.4.4.0 Oct 4 2010 09:06:59
2010/10/27 12:39:27.0031 ================================================================================
2010/10/27 12:39:27.0031 SystemInfo:
2010/10/27 12:39:27.0031
2010/10/27 12:39:27.0031 OS Version: 5.1.2600 ServicePack: 3.0
2010/10/27 12:39:27.0031 Product type: Workstation
2010/10/27 12:39:27.0031 ComputerName: GEORGET
2010/10/27 12:39:27.0031 UserName: George Trainor
2010/10/27 12:39:27.0031 Windows directory: C:\WINDOWS
2010/10/27 12:39:27.0031 System windows directory: C:\WINDOWS
2010/10/27 12:39:27.0031 Processor architecture: Intel x86
2010/10/27 12:39:27.0031 Number of processors: 2
2010/10/27 12:39:27.0031 Page size: 0x1000
2010/10/27 12:39:27.0031 Boot type: Normal boot
2010/10/27 12:39:27.0031 ================================================================================
2010/10/27 12:39:28.0609 Initialize success
2010/10/27 12:39:36.0937 ================================================================================
2010/10/27 12:39:36.0937 Scan started
2010/10/27 12:39:36.0937 Mode: Manual;
2010/10/27 12:39:36.0937 ================================================================================
2010/10/27 12:39:38.0421 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
2010/10/27 12:39:38.0484 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/10/27 12:39:38.0515 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2010/10/27 12:39:38.0593 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
2010/10/27 12:39:38.0671 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/10/27 12:39:38.0703 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/10/27 12:39:38.0765 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2010/10/27 12:39:38.0796 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
2010/10/27 12:39:38.0859 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
2010/10/27 12:39:38.0890 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
2010/10/27 12:39:38.0921 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
2010/10/27 12:39:39.0015 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
2010/10/27 12:39:39.0078 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
2010/10/27 12:39:39.0109 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
2010/10/27 12:39:39.0140 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
2010/10/27 12:39:39.0234 AnyDVD (c4cf2de04d26371d1a079b628acff1fd) C:\WINDOWS\system32\Drivers\AnyDVD.sys
2010/10/27 12:39:39.0421 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2010/10/27 12:39:39.0484 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
2010/10/27 12:39:39.0500 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
2010/10/27 12:39:39.0531 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
2010/10/27 12:39:39.0609 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/10/27 12:39:39.0687 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/10/27 12:39:39.0781 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/10/27 12:39:39.0843 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/10/27 12:39:39.0953 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/10/27 12:39:40.0234 BHDrvx86 (5138da8715da5f9823b753b6cb36a9a9) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\BASHDefs\20101001.001\BHDrvx86.sys
2010/10/27 12:39:40.0640 BTWUSB (7024e11dab9410b31a37547575249dd7) C:\WINDOWS\system32\Drivers\btwusb.sys
2010/10/27 12:39:40.0796 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
2010/10/27 12:39:40.0828 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/10/27 12:39:40.0921 ccHP (e941e709847fa00e0dd6d58d2b8fb5e1) C:\WINDOWS\system32\drivers\NAV\1108000.005\ccHPx86.sys
2010/10/27 12:39:41.0000 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
2010/10/27 12:39:41.0140 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/10/27 12:39:41.0234 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/10/27 12:39:41.0312 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/10/27 12:39:41.0437 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2010/10/27 12:39:41.0500 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
2010/10/27 12:39:41.0562 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2010/10/27 12:39:41.0593 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
2010/10/27 12:39:41.0656 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
2010/10/27 12:39:41.0687 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
2010/10/27 12:39:41.0718 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/10/27 12:39:41.0781 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/10/27 12:39:41.0812 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/10/27 12:39:41.0843 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\DRIVERS\DMLOAD.SYS
2010/10/27 12:39:41.0906 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/10/27 12:39:41.0984 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
2010/10/27 12:39:42.0000 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/10/27 12:39:42.0062 E100B (6ca101f9aa3d845ba31f6e13c01301a8) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2010/10/27 12:39:42.0093 eabfiltr (b5cb3084046146fd2587d8c9b219feb4) C:\WINDOWS\system32\DRIVERS\eabfiltr.sys
2010/10/27 12:39:42.0109 eabusb (231f4547ae1e4b3e60eca66c3a96d218) C:\WINDOWS\system32\DRIVERS\eabusb.sys
2010/10/27 12:39:42.0281 eeCtrl (089296aedb9b72b4916ac959752bdc89) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
2010/10/27 12:39:42.0578 ElbyCDIO (309ac30471a0f1c3a89dee1c81230576) C:\WINDOWS\system32\Drivers\ElbyCDIO.sys
2010/10/27 12:39:42.0625 EraserUtilRebootDrv (850259334652d392e33ee3412562e583) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
2010/10/27 12:39:42.0843 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/10/27 12:39:42.0875 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2010/10/27 12:39:42.0906 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/10/27 12:39:42.0921 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2010/10/27 12:39:43.0031 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/10/27 12:39:43.0109 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/10/27 12:39:43.0140 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/10/27 12:39:43.0203 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2010/10/27 12:39:43.0250 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/10/27 12:39:43.0312 HBtnKey (4d4d97671c63c3af869b3518e6054204) C:\WINDOWS\system32\DRIVERS\cpqbttn.sys
2010/10/27 12:39:43.0343 HdAudAddService (bb42bb78bbbc1e83292ef26973598daf) C:\WINDOWS\system32\drivers\CHDAud.sys
2010/10/27 12:39:43.0453 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2010/10/27 12:39:43.0515 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/10/27 12:39:43.0546 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
2010/10/27 12:39:43.0609 HSFHWAZL (89e256c5f5346be265d9f86ac8625d4f) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
2010/10/27 12:39:43.0656 HSF_DPV (0e44af3828111d4c3e73c33ac95226d8) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
2010/10/27 12:39:43.0734 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/10/27 12:39:43.0796 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
2010/10/27 12:39:43.0828 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
2010/10/27 12:39:43.0890 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/10/27 12:39:43.0953 iaStor (309c4d86d989fb1fcf64bd30dc81c51b) C:\WINDOWS\system32\DRIVERS\iaStor.sys
2010/10/27 12:39:44.0218 IDSxpx86 (74e8463447101ecf0165ddc7e5168b7e) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\20101026.001\IDSxpx86.sys
2010/10/27 12:39:44.0515 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/10/27 12:39:44.0625 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
2010/10/27 12:39:44.0671 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2010/10/27 12:39:44.0781 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/10/27 12:39:44.0828 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/10/27 12:39:44.0859 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/10/27 12:39:44.0890 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/10/27 12:39:44.0953 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/10/27 12:39:45.0031 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/10/27 12:39:45.0109 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/10/27 12:39:45.0171 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/10/27 12:39:45.0187 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/10/27 12:39:45.0218 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/10/27 12:39:45.0312 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/10/27 12:39:45.0421 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/10/27 12:39:45.0625 LMIInfo (4f69faaabb7db0d43e327c0b6aab40fc) C:\Program Files\LogMeIn\x86\RaInfo.sys
2010/10/27 12:39:45.0656 lmimirr (4477689e2d8ae6b78ba34c9af4cc1ed1) C:\WINDOWS\system32\DRIVERS\lmimirr.sys
2010/10/27 12:39:45.0687 LMIRfsDriver (3faa563ddf853320f90259d455a01d79) C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
2010/10/27 12:39:45.0718 mdmxsdk (74f4372af97a587ecec527ec34955712) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2010/10/27 12:39:45.0796 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
2010/10/27 12:39:45.0843 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/10/27 12:39:45.0937 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/10/27 12:39:46.0031 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/10/27 12:39:46.0187 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/10/27 12:39:46.0546 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/10/27 12:39:46.0703 MQAC (eee50bf24caeedb515a8f3b22756d3bb) C:\WINDOWS\system32\drivers\mqac.sys
2010/10/27 12:39:46.0875 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
2010/10/27 12:39:46.0890 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/10/27 12:39:46.0968 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/10/27 12:39:47.0000 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/10/27 12:39:47.0062 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/10/27 12:39:47.0093 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/10/27 12:39:47.0109 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/10/27 12:39:47.0171 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/10/27 12:39:47.0265 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/10/27 12:39:47.0625 NAVENG (49d802531e5984cf1fe028c6c129b9d8) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\VirusDefs\20101026.048\NAVENG.SYS
2010/10/27 12:39:47.0687 NAVEX15 (158676a5758c1fa519563b3e72fbf256) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\VirusDefs\20101026.048\NAVEX15.SYS
2010/10/27 12:39:47.0968 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/10/27 12:39:48.0015 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/10/27 12:39:48.0031 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/10/27 12:39:48.0046 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/10/27 12:39:48.0078 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/10/27 12:39:48.0156 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/10/27 12:39:48.0203 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/10/27 12:39:48.0281 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2010/10/27 12:39:48.0312 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/10/27 12:39:48.0343 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/10/27 12:39:48.0406 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/10/27 12:39:48.0609 nv (88d8f8d4c3243e0bb0ed57496868e52e) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2010/10/27 12:39:48.0687 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/10/27 12:39:48.0718 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/10/27 12:39:48.0781 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2010/10/27 12:39:48.0859 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2010/10/27 12:39:48.0875 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/10/27 12:39:48.0890 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/10/27 12:39:48.0921 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/10/27 12:39:48.0953 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/10/27 12:39:48.0968 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2010/10/27 12:39:49.0062 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
2010/10/27 12:39:49.0093 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
2010/10/27 12:39:49.0187 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/10/27 12:39:49.0218 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/10/27 12:39:49.0265 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/10/27 12:39:49.0359 PxHelp20 (86724469cd077901706854974cd13c3e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/10/27 12:39:49.0421 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
2010/10/27 12:39:49.0468 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
2010/10/27 12:39:49.0500 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
2010/10/27 12:39:49.0515 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
2010/10/27 12:39:49.0531 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
2010/10/27 12:39:49.0593 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/10/27 12:39:49.0671 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/10/27 12:39:49.0703 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/10/27 12:39:49.0718 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/10/27 12:39:49.0750 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/10/27 12:39:49.0765 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/10/27 12:39:49.0828 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/10/27 12:39:49.0890 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/10/27 12:39:49.0984 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/10/27 12:39:50.0093 RMCAST (96f7a9a7bf0c9c0440a967440065d33c) C:\WINDOWS\system32\drivers\RMCast.sys
2010/10/27 12:39:50.0171 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
2010/10/27 12:39:50.0250 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
2010/10/27 12:39:50.0375 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/10/27 12:39:50.0437 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
2010/10/27 12:39:50.0515 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/10/27 12:39:50.0609 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
2010/10/27 12:39:50.0656 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
2010/10/27 12:39:50.0718 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/10/27 12:39:50.0765 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/10/27 12:39:50.0875 SRTSP (ec5c3c6260f4019b03dfaa03ec8cbf6a) C:\WINDOWS\System32\Drivers\NAV\1108000.005\SRTSP.SYS
2010/10/27 12:39:50.0906 SRTSPX (55d5c37ed41231e3ac2063d16df50840) C:\WINDOWS\system32\drivers\NAV\1108000.005\SRTSPX.SYS
2010/10/27 12:39:51.0125 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/10/27 12:39:51.0296 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys
2010/10/27 12:39:51.0359 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/10/27 12:39:51.0421 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/10/27 12:39:51.0500 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
2010/10/27 12:39:51.0546 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2010/10/27 12:39:51.0625 SymDS (56890bf9d9204b93042089d4b45ae671) C:\WINDOWS\system32\drivers\NAV\1108000.005\SYMDS.SYS
2010/10/27 12:39:51.0687 SymEFA (1c91df5188150510a6f0cf78f7d94b69) C:\WINDOWS\system32\drivers\NAV\1108000.005\SYMEFA.SYS
2010/10/27 12:39:51.0750 SymEvent (961b48b86f94d4cc8ceb483f8aa89374) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
2010/10/27 12:39:51.0968 SymIRON (dc80fbf0a348e54853ef82eed4e11e35) C:\WINDOWS\system32\drivers\NAV\1108000.005\Ironx86.SYS
2010/10/27 12:39:52.0281 SYMTDI (41aad61f87ca8e3b5d0f7fe7fba0797d) C:\WINDOWS\System32\Drivers\NAV\1108000.005\SYMTDI.SYS
2010/10/27 12:39:52.0390 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
2010/10/27 12:39:52.0406 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2010/10/27 12:39:52.0453 SynTP (c9a1785cc0d7a040dd0fdbfeaa8be135) C:\WINDOWS\system32\DRIVERS\SynTP.sys
2010/10/27 12:39:52.0562 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/10/27 12:39:52.0609 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/10/27 12:39:52.0671 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/10/27 12:39:52.0718 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/10/27 12:39:52.0812 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/10/27 12:39:52.0906 tifm21 (9179e07503630d6fb2e4162ff0196191) C:\WINDOWS\system32\drivers\tifm21.sys
2010/10/27 12:39:52.0984 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
2010/10/27 12:39:53.0046 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/10/27 12:39:53.0109 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
2010/10/27 12:39:53.0187 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/10/27 12:39:53.0265 USBAAPL (e8c1b9ebac65288e1b51e8a987d98af6) C:\WINDOWS\system32\Drivers\usbaapl.sys
2010/10/27 12:39:53.0328 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/10/27 12:39:53.0468 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/10/27 12:39:53.0578 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/10/27 12:39:53.0609 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/10/27 12:39:53.0656 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/10/27 12:39:53.0734 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/10/27 12:39:53.0812 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/10/27 12:39:53.0875 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
2010/10/27 12:39:53.0937 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2010/10/27 12:39:53.0984 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/10/27 12:39:54.0109 w39n51 (4e7b07653f4f9937cf62ad2869fba520) C:\WINDOWS\system32\DRIVERS\w39n51.sys
2010/10/27 12:39:54.0156 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/10/27 12:39:54.0203 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/10/27 12:39:54.0250 winachsf (214bc3ad84907ad6ad655ac5465f449a) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2010/10/27 12:39:54.0375 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2010/10/27 12:39:54.0468 ================================================================================
2010/10/27 12:39:54.0468 Scan finished
2010/10/27 12:39:54.0468 ================================================================================

#6 jub_69

jub_69
  • Topic Starter

  • Members
  • 76 posts
  • OFFLINE
  •  
  • Local time:02:48 PM

Posted 27 October 2010 - 10:46 AM

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0300003c

Kernel Drivers (total 157):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xF7987000 \WINDOWS\system32\KDCOM.DLL
0xF7897000 \WINDOWS\system32\BOOTVID.dll
0xF7358000 ACPI.sys
0xF7989000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7347000 pci.sys
0xF7487000 isapnp.sys
0xF7497000 ohci1394.sys
0xF74A7000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF789B000 compbatt.sys
0xF789F000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF7A4F000 pciide.sys
0xF7707000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF798B000 intelide.sys
0xF798D000 viaide.sys
0xF798F000 aliide.sys
0xF7329000 pcmcia.sys
0xF74B7000 MountMgr.sys
0xF730A000 ftdisk.sys
0xF7991000 DMLOAD.SYS
0xF72E4000 dmio.sys
0xF78A3000 ACPIEC.sys
0xF7A50000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xF770F000 PartMgr.sys
0xF74C7000 VolSnap.sys
0xF72CC000 atapi.sys
0xF71F6000 iaStor.sys
0xF74D7000 disk.sys
0xF74E7000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF71D6000 fltmgr.sys
0xF7180000 SYMDS.SYS
0xF716E000 sr.sys
0xF7141000 SYMEFA.SYS
0xF7717000 PxHelp20.sys
0xF712A000 KSecDD.sys
0xF709D000 Ntfs.sys
0xF7070000 NDIS.sys
0xF74F7000 Serial.sys
0xF7056000 Mup.sys
0xF7517000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xF7537000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF797B000 \SystemRoot\system32\DRIVERS\cpqbttn.sys
0xF7547000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF77EF000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF797F000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xBA154000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xBA140000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xBA118000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xB9FBB000 \SystemRoot\system32\DRIVERS\w39n51.sys
0xF77F7000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB9F97000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF77FF000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB9F6F000 \SystemRoot\system32\drivers\tifm21.sys
0xB9F5B000 \SystemRoot\system32\DRIVERS\sdbus.sys
0xB9F34000 \SystemRoot\system32\DRIVERS\e100b325.sys
0xF7026000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF7557000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF7807000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xB9F04000 \SystemRoot\system32\DRIVERS\SynTP.sys
0xF79BD000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF780F000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7567000 \SystemRoot\system32\DRIVERS\imapi.sys
0xB9EEC000 \SystemRoot\System32\Drivers\AnyDVD.sys
0xF7577000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF7587000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB9EC9000 \SystemRoot\system32\DRIVERS\ks.sys
0xF7817000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xF7AAC000 \SystemRoot\system32\DRIVERS\lmimirr.sys
0xF79BF000 \SystemRoot\system32\DRIVERS\serscan.sys
0xF7AAD000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF7597000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF701E000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB9EB2000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF75A7000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF75B7000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF781F000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB9EA1000 \SystemRoot\system32\DRIVERS\psched.sys
0xF75C7000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF7827000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF782F000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF75D7000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF79C1000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB9D7B000 \SystemRoot\system32\DRIVERS\update.sys
0xBA4F6000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xBA4F2000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xF75E7000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xB6FBE000 \SystemRoot\system32\drivers\CHDAud.sys
0xB6F9A000 \SystemRoot\system32\drivers\portcls.sys
0xF7607000 \SystemRoot\system32\drivers\drmk.sys
0xB6F68000 \SystemRoot\system32\DRIVERS\HSFHWAZL.sys
0xB6E6B000 \SystemRoot\system32\DRIVERS\HSF_DPV.sys
0xB6DBB000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xF7837000 \SystemRoot\System32\Drivers\Modem.SYS
0xF7657000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7957000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xF79D5000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7BB3000 \SystemRoot\System32\Drivers\Null.SYS
0xF79D7000 \SystemRoot\System32\Drivers\Beep.SYS
0xF7887000 \SystemRoot\System32\drivers\vga.sys
0xF79D9000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF79DB000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF788F000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF7727000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF795B000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB6D88000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB6D2F000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB6CB0000 \SystemRoot\System32\Drivers\NAV\1108000.005\SYMTDI.SYS
0xB6C8A000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF7677000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xB6C65000 \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
0xF7687000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xB6BE5000 \SystemRoot\system32\DRIVERS\netbt.sys
0xB6BC3000 \SystemRoot\System32\drivers\afd.sys
0xF7697000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF79DD000 \SystemRoot\system32\DRIVERS\eabfiltr.sys
0xB6B92000 \SystemRoot\system32\drivers\NAV\1108000.005\Ironx86.SYS
0xF76A7000 \SystemRoot\system32\drivers\NAV\1108000.005\SRTSPX.SYS
0xB6AC7000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xB6A57000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF76B7000 \SystemRoot\System32\Drivers\Fips.SYS
0xF7767000 \SystemRoot\System32\Drivers\ElbyCDIO.sys
0xB69F9000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
0xB69DC000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
0xB695D000 \SystemRoot\system32\drivers\NAV\1108000.005\ccHPx86.sys
0xB68B1000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\BASHDefs\20101001.001\BHDrvx86.sys
0xB6865000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xB6854000 \SystemRoot\System32\Drivers\Udfs.SYS
0xB683C000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF79F1000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xB9D5F000 \SystemRoot\System32\drivers\Dxapi.sys
0xF7797000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7A51000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\nv4_disp.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xB5C5B000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xB49E6000 \SystemRoot\system32\drivers\wdmaud.sys
0xB5B23000 \SystemRoot\system32\drivers\sysaudio.sys
0xB4873000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xB467A000 \SystemRoot\System32\Drivers\HTTP.sys
0xB45FA000 \SystemRoot\system32\DRIVERS\srv.sys
0xF7A11000 \??\C:\Program Files\LogMeIn\x86\RaInfo.sys
0xB5B53000 \??\C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
0xB45CE000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xB4403000 \??\C:\WINDOWS\system32\drivers\mqac.sys
0xB4309000 \??\C:\WINDOWS\system32\drivers\RMCast.sys
0xF776F000 \SystemRoot\System32\Drivers\TDTCP.SYS
0xB3A26000 \SystemRoot\System32\Drivers\RDPWD.SYS
0xB274B000 \SystemRoot\System32\Drivers\NAV\1108000.005\SRTSP.SYS
0xAE5BB000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\20101026.001\IDSxpx86.sys
0xAD3EA000 \??\C:\DOCUME~1\GEORGE~1\LOCALS~1\Temp\fwldqpob.sys
0xAC26F000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\VirusDefs\20101026.048\NAVEX15.SYS
0xAC25B000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\VirusDefs\20101026.048\NAVENG.SYS
0xAC230000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 44):
0 System Idle Process
4 System
792 C:\WINDOWS\system32\smss.exe
888 csrss.exe
916 C:\WINDOWS\system32\winlogon.exe
960 C:\WINDOWS\system32\services.exe
972 C:\WINDOWS\system32\lsass.exe
1160 C:\WINDOWS\system32\svchost.exe
1224 svchost.exe
1368 C:\WINDOWS\system32\svchost.exe
1504 svchost.exe
1596 svchost.exe
1852 C:\WINDOWS\system32\spoolsv.exe
496 svchost.exe
532 msdtc.exe
616 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
632 C:\Program Files\Bonjour\mDNSResponder.exe
684 C:\WINDOWS\ehome\ehrecvr.exe
748 C:\WINDOWS\ehome\ehSched.exe
1304 C:\Program Files\Java\jre6\bin\jqs.exe
1328 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
1700 C:\WINDOWS\explorer.exe
1892 C:\Program Files\LogMeIn\x86\ramaint.exe
2020 C:\Program Files\LogMeIn\x86\LogMeIn.exe
212 C:\Program Files\LogMeIn\x86\LMIGuardian.exe
208 C:\Program Files\Norton AntiVirus\Engine\17.8.0.5\ccsvchst.exe
1108 C:\WINDOWS\system32\nvsvc32.exe
396 C:\WINDOWS\system32\HPZipm12.exe
688 svchost.exe
740 C:\WINDOWS\system32\svchost.exe
1120 C:\Program Files\Vongo\VongoService.exe
2252 mcrdsvc.exe
2348 C:\WINDOWS\system32\mqsvc.exe
2648 C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
3144 C:\Program Files\Norton AntiVirus\Engine\17.8.0.5\ccsvchst.exe
3212 C:\WINDOWS\system32\mqtgsvc.exe
3404 C:\WINDOWS\system32\dllhost.exe
4012 alg.exe
2200 C:\WINDOWS\system32\svchost.exe
1364 C:\WINDOWS\system32\ctfmon.exe
2028 C:\WINDOWS\system32\WISPTIS.EXE
3088 C:\WINDOWS\system32\wscntfy.exe
1712 C:\Program Files\Mozilla Firefox\firefox.exe
2176 C:\Documents and Settings\George Trainor\My Documents\Downloads\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000021`915d6e00 (FAT32)
\\.\F: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)
Here is the mbr check
PhysicalDrive0 Model Number: ST9160310AS, Rev: 0303
PhysicalDrive1 Model Number: SAMSUNGHM500JI, Rev: 2AC101C4

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: D0919EC9044E217466E4B6B4F0D4E99E29BDE3F9
465 GB \\.\PhysicalDrive1 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

#7 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,759 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:03:48 PM

Posted 27 October 2010 - 12:27 PM

Lets try Combofix.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • Install the Recovery Console if prompted.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" .
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#8 jub_69

jub_69
  • Topic Starter

  • Members
  • 76 posts
  • OFFLINE
  •  
  • Local time:02:48 PM

Posted 27 October 2010 - 05:30 PM

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.2015 [GMT -3:00]
Running from: c:\documents and settings\George Trainor\My Documents\Downloads\ComboFix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
.

((((((((((((((((((((((((( Files Created from 2010-09-27 to 2010-10-27 )))))))))))))))))))))))))))))))
.

2010-10-17 19:49 . 2010-10-17 19:48 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-10-17 19:49 . 2010-10-17 19:48 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-10-17 19:49 . 2010-10-17 19:48 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-15 00:54 . 2010-09-18 06:53 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
2010-10-15 00:54 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-15 00:54 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-15 00:53 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 15:23 . 2004-08-10 15:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-10 15:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-10 15:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-10 15:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-09 13:38 . 2004-08-10 15:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-09-09 13:38 . 2004-08-10 15:00 1830912 ------w- c:\windows\system32\inetcpl.cpl
2010-09-09 13:38 . 2004-08-10 15:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-09-09 13:38 . 2004-08-10 15:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-09-08 15:57 . 2004-08-10 15:00 389120 ----a-w- c:\windows\system32\html.iec
2010-09-01 11:51 . 2004-08-10 15:00 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2004-08-10 15:00 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2005-10-18 05:14 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2004-08-10 15:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2005-05-10 08:17 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2010-04-03 19:47 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2004-08-10 15:00 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2004-08-10 15:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2004-08-10 15:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-04-15 7561216]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-3-14 73728]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-3-14 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-06-09 20:55 87424 ----a-w- c:\windows\system32\LMIinit.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^George Trainor^Start Menu^Programs^StartUp^Vongo Tray.lnk]
backup=c:\windows\pss\Vongo Tray.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
2010-04-09 14:15 3378112 ----a-w- c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-06-27 22:03 152872 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
2006-02-22 15:03 40960 ----a-w- c:\program files\HPQ\Default Settings\Cpqset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-06 05:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2006-04-18 11:29 61952 ----a-w- c:\windows\system32\CHDAudPropShortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-17 06:11 49152 ----a-w- c:\program files\Hp\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2006-02-15 02:49 454656 ----a-w- c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-08-11 23:30 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-08-11 23:30 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-03-26 04:10 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
2008-08-11 15:41 63048 ----a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsmqIntCert]
2009-06-25 18:36 177152 ----a-w- c:\windows\system32\mqrt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 18:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-04-15 18:26 7561216 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2006-04-15 18:26 86016 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2006-04-15 18:26 1519616 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
2006-03-07 20:38 131072 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
2006-04-12 04:54 102400 ----a-w- c:\program files\Hp\QuickPlay\QPService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 00:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 14:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2006-03-04 05:46 761948 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2010-05-18 05:13 322352 ----a-w- F:\uTorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"xmlprov"=3 (0x3)
"WZCSVC"=2 (0x2)
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"WmiApSrv"=3 (0x3)
"Wmi"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"winmgmt"=2 (0x2)
"WebClient"=2 (0x2)
"W32Time"=2 (0x2)
"VSS"=3 (0x3)
"Vongo Service"=2 (0x2)
"UPS"=3 (0x3)
"upnphost"=3 (0x3)
"UMWdf"=3 (0x3)
"TrkWks"=2 (0x2)
"TlntSvr"=3 (0x3)
"Themes"=2 (0x2)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"SysmonLog"=3 (0x3)
"SwPrv"=3 (0x3)
"stisvc"=2 (0x2)
"SSDPSRV"=2 (0x2)
"srservice"=2 (0x2)
"Spooler"=2 (0x2)
"ShellHWDetection"=2 (0x2)
"SharedAccess"=2 (0x2)
"SENS"=2 (0x2)
"seclogon"=2 (0x2)
"Schedule"=2 (0x2)
"SCardSvr"=3 (0x3)
"SamSs"=2 (0x2)
"RSVP"=3 (0x3)
"RemoteRegistry"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"ProtectedStorage"=2 (0x2)
"PolicyAgent"=2 (0x2)
"Pml Driver HPZ12"=2 (0x2)
"PlugPlay"=2 (0x2)
"ose"=3 (0x3)
"NVSvc"=2 (0x2)
"NtmsSvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"NMIndexingService"=3 (0x3)
"Nla"=3 (0x3)
"Netman"=3 (0x3)
"Netlogon"=3 (0x3)
"NBService"=3 (0x3)
"NAV"=2 (0x2)
"napagent"=3 (0x3)
"MSMQTriggers"=2 (0x2)
"MSMQ"=2 (0x2)
"MSIServer"=3 (0x3)
"MSDTC"=3 (0x3)
"mnmsrvc"=3 (0x3)
"MHN"=3 (0x3)
"McrdSvc"=2 (0x2)
"LogMeIn"=2 (0x2)
"LMIMaint"=2 (0x2)
"LmHosts"=2 (0x2)
"LightScribeService"=2 (0x2)
"lanmanworkstation"=2 (0x2)
"lanmanserver"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"ImapiService"=3 (0x3)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"HTTPFilter"=3 (0x3)
"hpqwmiex"=2 (0x2)
"hkmsvc"=3 (0x3)
"helpsvc"=2 (0x2)
"FontCache3.0.0.0"=3 (0x3)
"FastUserSwitchingCompatibility"=3 (0x3)
"EventSystem"=3 (0x3)
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"ehSched"=2 (0x2)
"ehRecvr"=2 (0x2)
"EapHost"=3 (0x3)
"Dot3svc"=3 (0x3)
"Dnscache"=2 (0x2)
"dmserver"=2 (0x2)
"dmadmin"=3 (0x3)
"Dhcp"=2 (0x2)
"CryptSvc"=2 (0x2)
"COMSysApp"=3 (0x3)
"clr_optimization_v2.0.50727_32"=3 (0x3)
"ClipSrv"=3 (0x3)
"CiSvc"=3 (0x3)
"Browser"=2 (0x2)
"Bonjour Service"=2 (0x2)
"BITS"=2 (0x2)
"AudioSrv"=2 (0x2)
"aspnet_state"=3 (0x3)
"AppMgmt"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"ALG"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"f:\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1108000.005\symds.sys [9/21/2010 5:40 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1108000.005\symefa.sys [9/21/2010 5:40 PM 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\BASHDefs\20101001.001\BHDrvx86.sys [10/5/2010 7:09 PM 692272]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1108000.005\cchpx86.sys [9/21/2010 5:40 PM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1108000.005\ironx86.sys [9/21/2010 5:40 PM 116784]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 12:41 PM 12856]
R2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\17.8.0.5\ccsvchst.exe [9/21/2010 5:40 PM 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/27/2010 10:11 PM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\20101026.001\IDSXpx86.sys [10/19/2010 5:36 PM 341880]

--- Other Services/Drivers In Memory ---

*Deregistered* - fwldqpob
*Deregistered* - klmd25
.
Contents of the 'Scheduled Tasks' folder

2010-10-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 14:50]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\George Trainor\Application Data\Mozilla\Firefox\Profiles\hbvc1h56.default\
FF - prefs.js: browser.startup.homepage - hxxp://ca.msn.com/
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-27 19:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(916)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'explorer.exe'(1308)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2010-10-27 19:22:02
ComboFix-quarantined-files.txt 2010-10-27 22:21
ComboFix2.txt 2010-10-26 20:24
ComboFix3.txt 2010-10-18 01:24
ComboFix4.txt 2010-10-18 00:42
ComboFix5.txt 2010-10-27 22:13

Pre-Run: 36,163,039,232 bytes free
Post-Run: 36,155,699,200 bytes free

- - End Of File - - 12B4A69AB354B374A2510712EC7130F6

#9 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,759 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:03:48 PM

Posted 27 October 2010 - 10:37 PM

Still being redirected?

Run MBRCheck.exe once again.

You will be presented with the following dialog:

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:


Enter Y and press Enter.

The following dialog will be presented:

Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice:


Enter 1 and press Enter

The following dialog will be presented:

Enter the physical disk number to fix (0-99, -1 to cancel):


Enter >>choice<< and press Enter

The program will ask for the file name to dump to, type dump.dat and Press Enter. You should see a Dumped successfully message. Type -1 and press Enter twice to exit the program. Save the dump.dat file to your desktop then zip it (Right click on it and select Send to -> Compressed folder) and attach it on your next reply.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#10 jub_69

jub_69
  • Topic Starter

  • Members
  • 76 posts
  • OFFLINE
  •  
  • Local time:02:48 PM

Posted 27 October 2010 - 11:08 PM

I am still getting redirected but it is not near as bad.I am geting pop ups now tooAttached File  dump.zip   499bytes   3 downloads

#11 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,759 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:03:48 PM

Posted 28 October 2010 - 07:53 AM

I am having the dump file checked. Will post as soon as I received an answer.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#12 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,759 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:03:48 PM

Posted 28 October 2010 - 11:02 PM

A colleague checked the dump file and seems is clean.

Flush the DNS resolver:

Go to Start -> Run, type CMD and click OK. Copy and paste the following commands and press enter after each line:

ipconfig /release
ipconfig /renew
ipconfig /flushdns
netsh winsock reset all
netsh int ip reset all
Exit


Restart the computer and test. Let me know the outcome.

Edited by JSntgRvr, 28 October 2010 - 11:03 PM.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#13 jub_69

jub_69
  • Topic Starter

  • Members
  • 76 posts
  • OFFLINE
  •  
  • Local time:02:48 PM

Posted 31 October 2010 - 02:23 AM

Hi I tryed what you said in the last post it is working better but it is still redirecting me to other web sites

#14 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,759 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:03:48 PM

Posted 31 October 2010 - 01:01 PM

You have many services disabled. Certain applications need those services to be able to work properly. Run Msconfig, Select Normal Startup -> Apply ->Close, restart when prompted.

Once done, run Combofix once again and post its report.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#15 jub_69

jub_69
  • Topic Starter

  • Members
  • 76 posts
  • OFFLINE
  •  
  • Local time:02:48 PM

Posted 01 November 2010 - 10:17 AM

ComboFix 10-10-26.02 - George Trainor 11/01/2010 12:06:27.7.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.1990 [GMT -3:00]
Running from: c:\documents and settings\George Trainor\My Documents\Downloads\ComboFix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
.

((((((((((((((((((((((((( Files Created from 2010-10-01 to 2010-11-01 )))))))))))))))))))))))))))))))
.

2010-10-17 19:49 . 2010-10-17 19:48 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-10-17 19:49 . 2010-10-17 19:48 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-10-17 19:49 . 2010-10-17 19:48 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-15 00:54 . 2010-09-18 06:53 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
2010-10-15 00:54 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-15 00:54 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-15 00:53 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 15:23 . 2004-08-10 15:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-10 15:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-10 15:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-10 15:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-09 13:38 . 2004-08-10 15:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-09-09 13:38 . 2004-08-10 15:00 1830912 ------w- c:\windows\system32\inetcpl.cpl
2010-09-09 13:38 . 2004-08-10 15:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-09-09 13:38 . 2004-08-10 15:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-09-08 15:57 . 2004-08-10 15:00 389120 ----a-w- c:\windows\system32\html.iec
2010-09-01 11:51 . 2004-08-10 15:00 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2004-08-10 15:00 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2005-10-18 05:14 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2004-08-10 15:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2005-05-10 08:17 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2010-04-03 19:47 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2004-08-10 15:00 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2004-08-10 15:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2004-08-10 15:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-10-27_22.20.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-01 15:01 . 2010-11-01 15:01 16384 c:\windows\temp\Perflib_Perfdata_cc.dat
+ 2010-11-01 15:03 . 2010-11-01 15:03 16384 c:\windows\temp\Perflib_Perfdata_400.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="F:\uTorrent.exe" [2010-10-30 328056]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]
"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2010-04-09 3378112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-04-15 7561216]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-04 761948]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-04-12 102400]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-07 131072]
"nwiz"="nwiz.exe" [2006-04-15 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-04-15 86016]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"MsmqIntCert"="mqrt.dll" [2009-06-25 177152]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-15 454656]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-04-18 61952]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2006-02-22 40960]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-3-14 73728]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Photosmart Premier Fast Start.lnk - c:\program files\Hp\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-3-14 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-06-09 20:55 87424 ----a-w- c:\windows\system32\LMIinit.dll

[HKLM\~\startupfolder\C:^Documents and Settings^George Trainor^Start Menu^Programs^StartUp^Vongo Tray.lnk]
backup=c:\windows\pss\Vongo Tray.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"f:\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1108000.005\symds.sys [9/21/2010 5:40 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1108000.005\symefa.sys [9/21/2010 5:40 PM 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\BASHDefs\20101001.001\BHDrvx86.sys [10/5/2010 7:09 PM 692272]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1108000.005\cchpx86.sys [9/21/2010 5:40 PM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1108000.005\ironx86.sys [9/21/2010 5:40 PM 116784]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 12:41 PM 12856]
R2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\17.8.0.5\ccsvchst.exe [9/21/2010 5:40 PM 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/27/2010 10:11 PM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\20101028.001\IDSXpx86.sys [10/19/2010 5:36 PM 341880]
.
Contents of the 'Scheduled Tasks' folder

2010-10-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 14:50]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\George Trainor\Application Data\Mozilla\Firefox\Profiles\hbvc1h56.default\
FF - prefs.js: browser.startup.homepage - hxxp://ca.msn.com/
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-01 12:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ????\??????(?@???????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(600)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'explorer.exe'(2260)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2010-11-01 12:15:23
ComboFix-quarantined-files.txt 2010-11-01 15:15
ComboFix2.txt 2010-10-27 22:22
ComboFix3.txt 2010-10-26 20:24
ComboFix4.txt 2010-10-18 01:24
ComboFix5.txt 2010-11-01 15:05

Pre-Run: 35,986,857,984 bytes free
Post-Run: 35,994,456,064 bytes free

- - End Of File - - F313A3B97F2F3BC8452F12A7CE0580D7




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users