Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Probable rootkit infection


  • This topic is locked This topic is locked
14 replies to this topic

#1 mphilbrick

mphilbrick

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:04:13 PM

Posted 29 December 2010 - 11:52 PM

Greetings,

This is about a Gateway laptop running Vista with SP2. Google searches redirect routinely in Firefox. Windows Update consistently fails with an "unknown error" - Code 80072EFE. IE blue screens on launch with the error "IRQL_Not_Less_or_equal". The machine is running extremely slow (DDS took over 20 minutes), and has constant hard disk activity, even with no programs explicitly running. GMER blue screened with the message "Page_fault_in_nonpaged_area". Before it did, though it detected a rootkit even before I pressed the scan button, \Device\Harddisk0\DR0, sector 00 (MBR, rootkit-like behavior. Similar messages for sectors 32, 63, and 156301232. It asked whether I wanted a full scan, said no in order to uncheck the IAT/EAT box. Saved that portion of the log as gmer_partial.log, which is attached. Tried GMER again, ran for much longer, but eventually blue screened, couldn't catch the error message, but it was different.

So, hopefully this will give you enough to start with. Thanks in advance for your assistance.

Mark

Here's the DDS.txt:


DDS (Ver_10-12-05.01) - NTFSx86
Run by Cal Robotics at 19:46:17.89 on Wed 12/29/2010
Internet Explorer: 7.0.6002.18005
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.1021.159 [GMT -8:00]

AV: Symantec AntiVirus *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
SP: Symantec AntiVirus *disabled* (Updated) {6C85A515-B91D-4D2B-AF18-40984A4A8493}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\downloads\dds.scr
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Consumer&Br=GTW&Loc=ENG_US&Sys=PTB&M=CX210X
mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Consumer&Br=GTW&Loc=ENG_US&Sys=PTB&M=CX210X
uInternet Settings,ProxyOverride = *.local;<local>
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Consumer&Br=GTW&Loc=ENG_US&Sys=PTB&M=CX210X
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: STOPzilla Browser Helper Object: {e3215f20-3212-11d6-9f8b-00d0b743919d} - c:\program files\stopzilla!\SZIEBHO.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRunOnce: [*WerKernelReporting] %SYSTEMROOT%\SYSTEM32\WerFault.exe -k -rq
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab

================= FIREFOX ===================

FF - ProfilePath - c:\users\calrob~1\appdata\roaming\mozilla\firefox\profiles\tw2gz495.default\
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npoji610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [2009-12-7 61328]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [2010-5-12 59280]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-12-4 102448]
R3 FinePnt;FinePoint Innovations HID Driver;c:\windows\system32\drivers\FpHidDrv.sys [2007-3-13 24736]
R3 MSTabBtn;Quanta Computer Tablet PC Buttons HID Driver;c:\windows\system32\drivers\mstabbtn.sys [2007-3-13 10368]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [2009-12-7 61328]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-12-4 135664]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-3-25 42368]
S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]

=============== Created Last 30 ================

2010-12-07 00:42:03 6273872 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{d4ef979b-2680-4ace-a00a-ed8065c3f71e}\mpengine.dll
2010-12-07 00:35:05 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-12-05 09:21:49 -------- d-----w- c:\program files\STOPzilla!
2010-12-05 09:21:45 -------- d-----w- c:\program files\common files\iS3
2010-12-05 09:21:44 -------- d-----w- c:\progra~2\STOPzilla!
2010-12-05 08:11:22 -------- d-----w- c:\users\calrob~1\appdata\roaming\Malwarebytes
2010-12-05 08:07:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-05 08:07:47 -------- d-----w- c:\progra~2\Malwarebytes
2010-12-05 08:07:43 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-05 08:07:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-05 02:21:39 137216 ----a-w- c:\users\calrob~1\appdata\roaming\dwm.exe

==================== Find3M ====================

2010-11-23 00:56:42 546256 ----a-r- c:\windows\system32\SZComp5.dll
2010-11-23 00:56:42 452048 ----a-r- c:\windows\system32\SZBase5.dll
2010-11-23 00:56:42 398800 ----a-r- c:\windows\system32\IS3DBA5.dll
2010-11-23 00:56:42 28624 ----a-r- c:\windows\system32\IS3XDat5.dll
2010-11-23 00:56:42 22992 ----a-r- c:\windows\system32\SZIO5.dll
2010-11-23 00:56:42 132560 ----a-r- c:\windows\system32\IS3HTUI5.dll
2010-11-23 00:56:40 99792 ----a-r- c:\windows\system32\IS3Svc5.dll
2010-11-23 00:56:40 99792 ----a-r- c:\windows\system32\IS3Inet5.dll
2010-11-23 00:56:40 738768 ----a-r- c:\windows\system32\IS3Base5.dll
2010-11-23 00:56:40 67024 ----a-r- c:\windows\system32\IS3Hks5.dll
2010-11-23 00:56:40 390608 ----a-r- c:\windows\system32\IS3UI5.dll
2010-11-23 00:56:40 230864 ----a-r- c:\windows\system32\IS3Win325.dll
2010-11-14 23:08:53 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2010-11-14 23:08:26 82432 ----a-w- c:\windows\system32\axaltocm.dll
2010-10-19 19:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002 Disk: HTS72108 rev.MC4O -> Harddisk0\DR0 -> \Device\Ide\iaStor0

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x85EC5446]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x85ecb504]; MOV EAX, [0x85ecb580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x81C78962] -> \Device\Harddisk0\DR0[0x8591A528]
3 CLASSPNP[0x865C98B3] -> ntkrnlpa!IofCallDriver[0x81C78962] -> [0x83D6E818]
5 acpi[0x822956BC] -> ntkrnlpa!IofCallDriver[0x81C78962] -> [0x83D76030]
\Driver\iaStor[0x85B200E8] -> IRP_MJ_CREATE -> 0x85EC5446
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskHTS721080G9SA00_________________________MC4OC10V#4&1d3d6b80&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\iaStor DriverStartIo -> 0x85EC5292
user != kernel MBR !!!
sectors 156301486 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 20:03:21.24 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 mphilbrick

mphilbrick
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:04:13 PM

Posted 30 December 2010 - 05:02 AM

Greetings,

A bit of an update. I got GMER to run to completion in safe mode, log is attached. I also uninstalled StopZilla (it had expired anyway), and ran a full Symantec scan, which found three risks, two of which were ancient and can be ignored. The one of interest was Backdoor.cycbot!gen2. It reported all of them as cleaned. In any case, I ran dds again to reflect these changes, ran much faster this time, and the logs are below. Also, a further detail, I frequently get messages saying that the "Host Process for Windows services stopped working and was closed". The Symantec logs report blocking it because it targets running Symantec processes. Don't know if that helps, but when that happens, Windows wants to get updates, which of course aren't working, so it makes matters worse. Finally, IE has stopped blue-screening for some reason, but definitely has the redirect problem as well.

I totally understand the need not to have a moving target, and will not tamper with the system except at your direction once we start working together.

Thanks again,

Mark


DDS (Ver_10-12-05.01) - NTFSx86
Run by Cal Robotics at 1:08:51.97 on Thu 12/30/2010
Internet Explorer: 7.0.6002.18005
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.1021.163 [GMT -8:00]

AV: Symantec AntiVirus *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
SP: Symantec AntiVirus *enabled* (Updated) {6C85A515-B91D-4D2B-AF18-40984A4A8493}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Symantec AntiVirus\SavUI.exe
C:\downloads\dds.scr
C:\Windows\system32\rundll32.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE

============== Pseudo HJT Report ===============

uStart Page = about:blank
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Consumer&Br=GTW&Loc=ENG_US&Sys=PTB&M=CX210X
mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Consumer&Br=GTW&Loc=ENG_US&Sys=PTB&M=CX210X
uInternet Settings,ProxyOverride = *.local;<local>
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Consumer&Br=GTW&Loc=ENG_US&Sys=PTB&M=CX210X
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab

================= FIREFOX ===================

FF - ProfilePath - c:\users\calrob~1\appdata\roaming\mozilla\firefox\profiles\tw2gz495.default\
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npoji610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R2 MSSQL$QSRNVIVO8;SQL Server (QSRNVIVO8);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2009-5-27 29262680]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-12-29 102448]
R3 FinePnt;FinePoint Innovations HID Driver;c:\windows\system32\drivers\FpHidDrv.sys [2007-3-13 24736]
R3 MSTabBtn;Quanta Computer Tablet PC Buttons HID Driver;c:\windows\system32\drivers\mstabbtn.sys [2007-3-13 10368]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-12-4 135664]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-3-25 42368]
S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]

=============== Created Last 30 ================

2010-12-07 00:42:03 6273872 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{d4ef979b-2680-4ace-a00a-ed8065c3f71e}\mpengine.dll
2010-12-07 00:35:05 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-12-05 09:21:44 -------- d-----w- c:\progra~2\STOPzilla!
2010-12-05 08:11:22 -------- d-----w- c:\users\calrob~1\appdata\roaming\Malwarebytes
2010-12-05 08:07:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-05 08:07:47 -------- d-----w- c:\progra~2\Malwarebytes
2010-12-05 08:07:43 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-05 08:07:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2010-11-14 23:08:53 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2010-11-14 23:08:26 82432 ----a-w- c:\windows\system32\axaltocm.dll
2010-10-19 19:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002 Disk: HTS72108 rev.MC4O -> Harddisk0\DR0 -> \Device\Ide\iaStor0

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x85E63446]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x85e69504]; MOV EAX, [0x85e69580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x81C46962] -> \Device\Harddisk0\DR0[0x858B8AC8]
3 CLASSPNP[0x865C28B3] -> ntkrnlpa!IofCallDriver[0x81C46962] -> [0x83D521A8]
5 acpi[0x822946BC] -> ntkrnlpa!IofCallDriver[0x81C46962] -> [0x83D7C030]
\Driver\iaStor[0x859BB338] -> IRP_MJ_CREATE -> 0x85E63446
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskHTS721080G9SA00_________________________MC4OC10V#4&1d3d6b80&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\iaStor DriverStartIo -> 0x85E63292
user != kernel MBR !!!
sectors 156301486 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 1:13:24.39 ===============

Attached Files



#3 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:13 PM

Posted 30 December 2010 - 07:22 PM

Hello Mark ,

Posted Image

Download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • If Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#4 mphilbrick

mphilbrick
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:04:13 PM

Posted 30 December 2010 - 08:59 PM

Tea,

Thanks much for your reply. Ran TDSS, log below. After reboot, Windows Update got to 27% downloaded before I killed it, didn't want to proceed further without direction from you. That's the first time since this problem started that it has ever made any progress, though. Did several Google searches in Firefox, couple in IE, no redirects yet.

So, next step is to go ahead with the Windows Updates (haven't been able to do that for more than a month), or do you want to do something else first?

Thanks again,

Mark

2010/12/30 17:21:28.0940 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46
2010/12/30 17:21:28.0940 ================================================================================
2010/12/30 17:21:28.0940 SystemInfo:
2010/12/30 17:21:28.0940
2010/12/30 17:21:28.0940 OS Version: 6.0.6002 ServicePack: 2.0
2010/12/30 17:21:28.0940 Product type: Workstation
2010/12/30 17:21:28.0940 ComputerName: HALDIR
2010/12/30 17:21:28.0940 UserName: Cal Robotics
2010/12/30 17:21:28.0940 Windows directory: C:\Windows
2010/12/30 17:21:28.0940 System windows directory: C:\Windows
2010/12/30 17:21:28.0940 Processor architecture: Intel x86
2010/12/30 17:21:28.0940 Number of processors: 2
2010/12/30 17:21:28.0940 Page size: 0x1000
2010/12/30 17:21:28.0940 Boot type: Normal boot
2010/12/30 17:21:28.0940 ================================================================================
2010/12/30 17:21:30.0047 Initialize success
2010/12/30 17:21:40.0156 ================================================================================
2010/12/30 17:21:40.0156 Scan started
2010/12/30 17:21:40.0156 Mode: Manual;
2010/12/30 17:21:40.0156 ================================================================================
2010/12/30 17:21:42.0059 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
2010/12/30 17:21:42.0137 adp94xx (2edc5bbac6c651ece337bde8ed97c9fb) C:\Windows\system32\drivers\adp94xx.sys
2010/12/30 17:21:42.0215 adpahci (b84088ca3cdca97da44a984c6ce1ccad) C:\Windows\system32\drivers\adpahci.sys
2010/12/30 17:21:42.0356 adpu160m (7880c67bccc27c86fd05aa2afb5ea469) C:\Windows\system32\drivers\adpu160m.sys
2010/12/30 17:21:42.0434 adpu320 (9ae713f8e30efc2abccd84904333df4d) C:\Windows\system32\drivers\adpu320.sys
2010/12/30 17:21:42.0543 AFD (a201207363aa900abf1a388468688570) C:\Windows\system32\drivers\afd.sys
2010/12/30 17:21:42.0699 agp440 (ef23439cdd587f64c2c1b8825cead7d8) C:\Windows\system32\drivers\agp440.sys
2010/12/30 17:21:42.0761 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
2010/12/30 17:21:42.0824 aliide (90395b64600ebb4552e26e178c94b2e4) C:\Windows\system32\drivers\aliide.sys
2010/12/30 17:21:42.0871 amdagp (2b13e304c9dfdfa5eb582f6a149fa2c7) C:\Windows\system32\drivers\amdagp.sys
2010/12/30 17:21:42.0917 amdide (0577df1d323fe75a739c787893d300ea) C:\Windows\system32\drivers\amdide.sys
2010/12/30 17:21:43.0073 AmdK7 (dc487885bcef9f28eece6fac0e5ddfc5) C:\Windows\system32\drivers\amdk7.sys
2010/12/30 17:21:43.0136 AmdK8 (0ca0071da4315b00fc1328ca86b425da) C:\Windows\system32\drivers\amdk8.sys
2010/12/30 17:21:43.0214 arc (5f673180268bb1fdb69c99b6619fe379) C:\Windows\system32\drivers\arc.sys
2010/12/30 17:21:43.0432 arcsas (957f7540b5e7f602e44648c7de5a1c05) C:\Windows\system32\drivers\arcsas.sys
2010/12/30 17:21:43.0510 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
2010/12/30 17:21:43.0573 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys
2010/12/30 17:21:43.0729 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
2010/12/30 17:21:43.0838 bowser (74b442b2be1260b7588c136177ceac66) C:\Windows\system32\DRIVERS\bowser.sys
2010/12/30 17:21:43.0916 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
2010/12/30 17:21:44.0041 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
2010/12/30 17:21:44.0119 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
2010/12/30 17:21:44.0165 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
2010/12/30 17:21:44.0228 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
2010/12/30 17:21:44.0290 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
2010/12/30 17:21:44.0431 BthEnum (6d39c954799b63ba866910234cf7d726) C:\Windows\system32\DRIVERS\BthEnum.sys
2010/12/30 17:21:44.0524 BTHMODEM (9a966a8e86d1771911ae34a20d11bff3) C:\Windows\system32\DRIVERS\bthmodem.sys
2010/12/30 17:21:44.0602 BthPan (5904efa25f829bf84ea6fb045134a1d8) C:\Windows\system32\DRIVERS\bthpan.sys
2010/12/30 17:21:44.0821 BTHPORT (5a3abaa2f8eece7aefb942773766e3db) C:\Windows\system32\Drivers\BTHport.sys
2010/12/30 17:21:44.0883 BTHUSB (94e2941280e3756a5e0bcb467865c43a) C:\Windows\system32\Drivers\BTHUSB.sys
2010/12/30 17:21:44.0961 btwaudio (0cf62c498d60253a4fc3b2aff0e6373e) C:\Windows\system32\drivers\btwaudio.sys
2010/12/30 17:21:45.0023 btwavdt (d094142ade0da18463609ae656b1f3ed) C:\Windows\system32\drivers\btwavdt.sys
2010/12/30 17:21:45.0195 btwrchid (511159fcb07fd7442e7f399c94a3b408) C:\Windows\system32\DRIVERS\btwrchid.sys
2010/12/30 17:21:45.0304 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
2010/12/30 17:21:45.0460 cdrom (6b4bffb9becd728097024276430db314) C:\Windows\system32\DRIVERS\cdrom.sys
2010/12/30 17:21:45.0523 circlass (da8e0afc7baa226c538ef53ac2f90897) C:\Windows\system32\drivers\circlass.sys
2010/12/30 17:21:45.0601 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys
2010/12/30 17:21:45.0694 CmBatt (99afc3795b58cc478fbbbcdc658fcb56) C:\Windows\system32\DRIVERS\CmBatt.sys
2010/12/30 17:21:45.0819 cmdide (45201046c776ffdaf3fc8a0029c581c8) C:\Windows\system32\drivers\cmdide.sys
2010/12/30 17:21:45.0897 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\DRIVERS\compbatt.sys
2010/12/30 17:21:45.0944 crcdisk (2a213ae086bbec5e937553c7d9a2b22c) C:\Windows\system32\drivers\crcdisk.sys
2010/12/30 17:21:46.0006 Crusoe (22a7f883508176489f559ee745b5bf5d) C:\Windows\system32\drivers\crusoe.sys
2010/12/30 17:21:46.0115 CSC (9bdb2e89be8d0ef37b1f25c3d3fc192c) C:\Windows\system32\drivers\csc.sys
2010/12/30 17:21:46.0334 DfsC (218d8ae46c88e82014f5d73d0236d9b2) C:\Windows\system32\Drivers\dfsc.sys
2010/12/30 17:21:46.0490 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys
2010/12/30 17:21:46.0677 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
2010/12/30 17:21:46.0771 DXGKrnl (fb85f7f69e9b109820409243f578cc4d) C:\Windows\System32\drivers\dxgkrnl.sys
2010/12/30 17:21:46.0880 e1express (908ed85b7806e8af3af5e9b74f7809d4) C:\Windows\system32\DRIVERS\e1e6032.sys
2010/12/30 17:21:47.0020 E1G60 (f88fb26547fd2ce6d0a5af2985892c48) C:\Windows\system32\DRIVERS\E1G60I32.sys
2010/12/30 17:21:47.0129 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys
2010/12/30 17:21:47.0270 eeCtrl (089296aedb9b72b4916ac959752bdc89) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
2010/12/30 17:21:47.0613 elxstor (e8f3f21a71720c84bcf423b80028359f) C:\Windows\system32\drivers\elxstor.sys
2010/12/30 17:21:47.0785 EraserUtilRebootDrv (850259334652d392e33ee3412562e583) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
2010/12/30 17:21:47.0956 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
2010/12/30 17:21:48.0034 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
2010/12/30 17:21:48.0112 fdc (63bdada84951b9c03e641800e176898a) C:\Windows\system32\DRIVERS\fdc.sys
2010/12/30 17:21:48.0206 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
2010/12/30 17:21:48.0346 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
2010/12/30 17:21:48.0409 FinePnt (eb65efbe82110329cac8836364d3e3e1) C:\Windows\system32\DRIVERS\FpHidDrv.sys
2010/12/30 17:21:48.0471 flpydisk (6603957eff5ec62d25075ea8ac27de68) C:\Windows\system32\DRIVERS\flpydisk.sys
2010/12/30 17:21:48.0549 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
2010/12/30 17:21:48.0611 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
2010/12/30 17:21:48.0674 fvevol (fecf4c2e42440a8d132bf94eee3c3fc9) C:\Windows\system32\DRIVERS\fvevol.sys
2010/12/30 17:21:48.0783 gagp30kx (4e1cd0a45c50a8882616cae5bf82f3c5) C:\Windows\system32\drivers\gagp30kx.sys
2010/12/30 17:21:48.0908 HdAudAddService (cb04c744be0a61b1d648faed182c3b59) C:\Windows\system32\drivers\HdAudio.sys
2010/12/30 17:21:49.0001 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
2010/12/30 17:21:49.0126 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
2010/12/30 17:21:49.0173 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
2010/12/30 17:21:49.0267 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
2010/12/30 17:21:49.0313 HpCISSs (df353b401001246853763c4b7aaa6f50) C:\Windows\system32\drivers\hpcisss.sys
2010/12/30 17:21:49.0376 HTTP (f870aa3e254628ebeafe754108d664de) C:\Windows\system32\drivers\HTTP.sys
2010/12/30 17:21:49.0532 i2omp (324c2152ff2c61abae92d09f3cca4d63) C:\Windows\system32\drivers\i2omp.sys
2010/12/30 17:21:49.0610 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
2010/12/30 17:21:49.0719 ialm (8318e04a6455ced1020bcc5039b62cfa) C:\Windows\system32\DRIVERS\ialmnt5.sys
2010/12/30 17:21:49.0891 iaStor (e9f704ca833bd24bfaa3b4a59707633a) C:\Windows\system32\DRIVERS\iaStor.sys
2010/12/30 17:21:49.0953 iaStorV (c957bf4b5d80b46c5017bf0101e6c906) C:\Windows\system32\drivers\iastorv.sys
2010/12/30 17:21:50.0015 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
2010/12/30 17:21:50.0125 intelide (83aa759f3189e6370c30de5dc5590718) C:\Windows\system32\drivers\intelide.sys
2010/12/30 17:21:50.0265 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
2010/12/30 17:21:50.0343 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
2010/12/30 17:21:50.0468 IPMIDRV (40f34f8aba2a015d780e4b09138b6c17) C:\Windows\system32\drivers\ipmidrv.sys
2010/12/30 17:21:50.0515 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
2010/12/30 17:21:50.0686 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
2010/12/30 17:21:50.0717 isapnp (350fca7e73cf65bcef43fae1e4e91293) C:\Windows\system32\drivers\isapnp.sys
2010/12/30 17:21:50.0795 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
2010/12/30 17:21:50.0827 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
2010/12/30 17:21:50.0873 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
2010/12/30 17:21:50.0951 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
2010/12/30 17:21:51.0107 kbdhid (ede59ec70e25c24581add1fbec7325f7) C:\Windows\system32\DRIVERS\kbdhid.sys
2010/12/30 17:21:51.0201 KSecDD (86165728af9bf72d6442a894fdfb4f8b) C:\Windows\system32\Drivers\ksecdd.sys
2010/12/30 17:21:51.0341 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
2010/12/30 17:21:51.0419 LSI_FC (a2262fb9f28935e862b4db46438c80d2) C:\Windows\system32\drivers\lsi_fc.sys
2010/12/30 17:21:51.0560 LSI_SAS (30d73327d390f72a62f32c103daf1d6d) C:\Windows\system32\drivers\lsi_sas.sys
2010/12/30 17:21:51.0607 LSI_SCSI (e1e36fefd45849a95f1ab81de0159fe3) C:\Windows\system32\drivers\lsi_scsi.sys
2010/12/30 17:21:51.0685 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
2010/12/30 17:21:51.0731 megasas (d153b14fc6598eae8422a2037553adce) C:\Windows\system32\drivers\megasas.sys
2010/12/30 17:21:51.0809 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
2010/12/30 17:21:51.0903 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
2010/12/30 17:21:52.0028 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
2010/12/30 17:21:52.0090 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
2010/12/30 17:21:52.0153 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
2010/12/30 17:21:52.0215 MpFilter (c98301ad8173a2235a9ab828955c32bb) C:\Windows\system32\DRIVERS\MpFilter.sys
2010/12/30 17:21:52.0277 mpio (583a41f26278d9e0ea548163d6139397) C:\Windows\system32\drivers\mpio.sys
2010/12/30 17:21:52.0418 MpNWMon (aeb186afff5d9cfed823c15d846aac3b) C:\Windows\system32\DRIVERS\MpNWMon.sys
2010/12/30 17:21:52.0480 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
2010/12/30 17:21:52.0511 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
2010/12/30 17:21:52.0574 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
2010/12/30 17:21:52.0636 mrxsmb (454341e652bdf5e01b0f2140232b073e) C:\Windows\system32\DRIVERS\mrxsmb.sys
2010/12/30 17:21:52.0683 mrxsmb10 (2a4901aff069944fa945ed5bbf4dcde3) C:\Windows\system32\DRIVERS\mrxsmb10.sys
2010/12/30 17:21:52.0792 mrxsmb20 (28b3f1ab44bdd4432c041581412f17d9) C:\Windows\system32\DRIVERS\mrxsmb20.sys
2010/12/30 17:21:52.0855 msahci (742aed7939e734c36b7e8d6228ce26b7) C:\Windows\system32\drivers\msahci.sys
2010/12/30 17:21:52.0886 msdsm (3fc82a2ae4cc149165a94699183d3028) C:\Windows\system32\drivers\msdsm.sys
2010/12/30 17:21:52.0964 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
2010/12/30 17:21:53.0042 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
2010/12/30 17:21:53.0182 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
2010/12/30 17:21:53.0229 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
2010/12/30 17:21:53.0276 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
2010/12/30 17:21:53.0354 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
2010/12/30 17:21:53.0525 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
2010/12/30 17:21:53.0603 MSTabBtn (7016fadc0e946ce3aa82360d969ec64f) C:\Windows\system32\DRIVERS\mstabbtn.sys
2010/12/30 17:21:53.0666 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
2010/12/30 17:21:53.0744 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
2010/12/30 17:21:53.0915 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
2010/12/30 17:21:54.0103 NAVENG (c8ef74e4d8105b1d02d58ea4734cf616) C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20101229.004\NAVENG.SYS
2010/12/30 17:21:54.0181 NAVEX15 (94b3164055d821a62944d9fe84036470) C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20101229.004\NAVEX15.SYS
2010/12/30 17:21:54.0383 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys
2010/12/30 17:21:54.0446 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
2010/12/30 17:21:54.0508 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
2010/12/30 17:21:54.0555 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
2010/12/30 17:21:54.0602 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
2010/12/30 17:21:54.0758 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
2010/12/30 17:21:54.0836 netbt (ecd64230a59cbd93c85f1cd1cab9f3f6) C:\Windows\system32\DRIVERS\netbt.sys
2010/12/30 17:21:55.0039 NETw2v32 (6e9edc1020b319e7676387b8cdf2398c) C:\Windows\system32\DRIVERS\NETw2v32.sys
2010/12/30 17:21:55.0319 NETw3v32 (ea30bd026a7d1b745a37516880c4ac1b) C:\Windows\system32\DRIVERS\NETw3v32.sys
2010/12/30 17:21:55.0678 NETw5v32 (8de67bd902095a13329fd82c85a1fa09) C:\Windows\system32\DRIVERS\NETw5v32.sys
2010/12/30 17:21:55.0943 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
2010/12/30 17:21:56.0021 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
2010/12/30 17:21:56.0099 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
2010/12/30 17:21:56.0193 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
2010/12/30 17:21:56.0396 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
2010/12/30 17:21:56.0474 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
2010/12/30 17:21:56.0521 nvraid (e69e946f80c1c31c53003bfbf50cbb7c) C:\Windows\system32\drivers\nvraid.sys
2010/12/30 17:21:56.0567 nvstor (9e0ba19a28c498a6d323d065db76dffc) C:\Windows\system32\drivers\nvstor.sys
2010/12/30 17:21:56.0614 nv_agp (07c186427eb8fcc3d8d7927187f260f7) C:\Windows\system32\drivers\nv_agp.sys
2010/12/30 17:21:56.0755 ohci1394 (6f310e890d46e246e0e261a63d9b36b4) C:\Windows\system32\DRIVERS\ohci1394.sys
2010/12/30 17:21:56.0879 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys
2010/12/30 17:21:56.0942 partmgr (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys
2010/12/30 17:21:56.0989 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys
2010/12/30 17:21:57.0035 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
2010/12/30 17:21:57.0082 pciide (3b1901e401473e03eb8c874271e50c26) C:\Windows\system32\drivers\pciide.sys
2010/12/30 17:21:57.0160 pcmcia (3bb2244f343b610c29c98035504c9b75) C:\Windows\system32\DRIVERS\pcmcia.sys
2010/12/30 17:21:57.0332 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
2010/12/30 17:21:57.0597 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
2010/12/30 17:21:57.0644 Processor (0e3cef5d28b40cf273281d620c50700a) C:\Windows\system32\drivers\processr.sys
2010/12/30 17:21:57.0722 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
2010/12/30 17:21:57.0815 ql2300 (ccdac889326317792480c0a67156a1ec) C:\Windows\system32\drivers\ql2300.sys
2010/12/30 17:21:57.0987 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
2010/12/30 17:21:58.0065 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
2010/12/30 17:21:58.0221 R300 (9afa62db7f553a0f1f52c70b738b0064) C:\Windows\system32\DRIVERS\atikmdag.sys
2010/12/30 17:21:58.0455 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
2010/12/30 17:21:58.0517 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
2010/12/30 17:21:58.0611 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
2010/12/30 17:21:58.0642 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
2010/12/30 17:21:58.0689 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
2010/12/30 17:21:58.0798 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
2010/12/30 17:21:58.0876 rdpdr (943b18305eae3935598a9b4a3d560b4c) C:\Windows\system32\DRIVERS\rdpdr.sys
2010/12/30 17:21:58.0907 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
2010/12/30 17:21:59.0017 RDPWD (30bfbdfb7f95559ede971f9ddb9a00ba) C:\Windows\system32\drivers\RDPWD.sys
2010/12/30 17:21:59.0204 RFCOMM (6482707f9f4da0ecbab43b2e0398a101) C:\Windows\system32\DRIVERS\rfcomm.sys
2010/12/30 17:21:59.0266 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
2010/12/30 17:21:59.0313 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
2010/12/30 17:21:59.0407 sdbus (4339a2585708c7d9b0c0ce5aad3dd6ff) C:\Windows\system32\DRIVERS\sdbus.sys
2010/12/30 17:21:59.0453 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
2010/12/30 17:21:59.0500 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\drivers\serenum.sys
2010/12/30 17:21:59.0625 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\DRIVERS\serial.sys
2010/12/30 17:21:59.0687 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
2010/12/30 17:21:59.0750 sffdisk (103b79418da647736ee95645f305f68a) C:\Windows\system32\drivers\sffdisk.sys
2010/12/30 17:21:59.0812 sffp_mmc (8fd08a310645fe872eeec6e08c6bf3ee) C:\Windows\system32\drivers\sffp_mmc.sys
2010/12/30 17:21:59.0843 sffp_sd (9cfa05fcfcb7124e69cfc812b72f9614) C:\Windows\system32\drivers\sffp_sd.sys
2010/12/30 17:21:59.0890 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
2010/12/30 17:22:00.0031 sisagp (d2a595d6eebeeaf4334f8e50efbc9931) C:\Windows\system32\drivers\sisagp.sys
2010/12/30 17:22:00.0077 SiSRaid2 (cedd6f4e7d84e9f98b34b3fe988373aa) C:\Windows\system32\drivers\sisraid2.sys
2010/12/30 17:22:00.0140 SiSRaid4 (df843c528c4f69d12ce41ce462e973a7) C:\Windows\system32\drivers\sisraid4.sys
2010/12/30 17:22:00.0233 Smb (7b75299a4d201d6a6533603d6914ab04) C:\Windows\system32\DRIVERS\smb.sys
2010/12/30 17:22:00.0311 smserial (63b3b77bdb67ee674771c0e6fb96da9e) C:\Windows\system32\DRIVERS\smserial.sys
2010/12/30 17:22:00.0483 SPBBCDrv (905782bcf15b6e5af9905b77923c7fa2) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
2010/12/30 17:22:00.0623 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
2010/12/30 17:22:00.0701 SRTSP (1b2a1c6bc76e1ebe8bc2f4a4f3d43e23) C:\Windows\system32\Drivers\SRTSP.SYS
2010/12/30 17:22:00.0733 SRTSPL (f01a7f6e60e95fe83345cf92728a32d4) C:\Windows\system32\Drivers\SRTSPL.SYS
2010/12/30 17:22:00.0795 SRTSPX (d02812f89e18c6fb32f901be1e10bc17) C:\Windows\system32\Drivers\SRTSPX.SYS
2010/12/30 17:22:00.0857 srv (0debafcc0e3591fca34f077cab62f7f7) C:\Windows\system32\DRIVERS\srv.sys
2010/12/30 17:22:01.0013 srv2 (6b6f3658e0a58c6c50c5f7fbdf3df633) C:\Windows\system32\DRIVERS\srv2.sys
2010/12/30 17:22:01.0060 srvnet (0c5ab1892ae0fa504218db094bf6d041) C:\Windows\system32\DRIVERS\srvnet.sys
2010/12/30 17:22:01.0154 STHDA (569758fbaba0330d1b7f1e141b8bc2a0) C:\Windows\system32\drivers\stwrt.sys
2010/12/30 17:22:01.0325 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
2010/12/30 17:22:01.0403 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
2010/12/30 17:22:01.0481 SymEvent (9d98270b5f10a4c84e8da417c30756e1) C:\Windows\system32\Drivers\SYMEVENT.SYS
2010/12/30 17:22:01.0544 SYMREDRV (7f4011a719bf30e3dbd84d3a0a45c91c) C:\Windows\System32\Drivers\SYMREDRV.SYS
2010/12/30 17:22:01.0669 SYMTDI (2f03cbdb0f22278d05d5d616c993ab58) C:\Windows\System32\Drivers\SYMTDI.SYS
2010/12/30 17:22:01.0731 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
2010/12/30 17:22:01.0793 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
2010/12/30 17:22:01.0856 SynTP (1f452f22df0c00dd2529867e1ea0dc25) C:\Windows\system32\DRIVERS\SynTP.sys
2010/12/30 17:22:01.0981 Tcpip (48cbe6d53632d0067c2d6b20f90d84ca) C:\Windows\system32\drivers\tcpip.sys
2010/12/30 17:22:02.0199 Tcpip6 (48cbe6d53632d0067c2d6b20f90d84ca) C:\Windows\system32\DRIVERS\tcpip.sys
2010/12/30 17:22:02.0261 tcpipreg (608c345a255d82a6289c2d468eb41fd7) C:\Windows\system32\drivers\tcpipreg.sys
2010/12/30 17:22:02.0402 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
2010/12/30 17:22:02.0464 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
2010/12/30 17:22:02.0542 tdx (76b06eb8a01fc8624d699e7045303e54) C:\Windows\system32\DRIVERS\tdx.sys
2010/12/30 17:22:02.0605 TermDD (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys
2010/12/30 17:22:02.0698 tifm21 (f779ba4cd37963ab4600c9871b7752a3) C:\Windows\system32\drivers\tifm21.sys
2010/12/30 17:22:02.0885 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
2010/12/30 17:22:02.0948 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
2010/12/30 17:22:03.0026 tunnel (300db877ac094feab0be7688c3454a9c) C:\Windows\system32\DRIVERS\tunnel.sys
2010/12/30 17:22:03.0088 uagp35 (c3ade15414120033a36c0f293d4a4121) C:\Windows\system32\drivers\uagp35.sys
2010/12/30 17:22:03.0166 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
2010/12/30 17:22:03.0338 uliagpkx (75e6890ebfce0841d3291b02e7a8bdb0) C:\Windows\system32\drivers\uliagpkx.sys
2010/12/30 17:22:03.0400 uliahci (3cd4ea35a6221b85dcc25daa46313f8d) C:\Windows\system32\drivers\uliahci.sys
2010/12/30 17:22:03.0463 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
2010/12/30 17:22:03.0525 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
2010/12/30 17:22:03.0619 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
2010/12/30 17:22:03.0775 usbccgp (8bd3ae150d97ba4e633c6c5c51b41ae1) C:\Windows\system32\drivers\usbccgp.sys
2010/12/30 17:22:03.0821 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
2010/12/30 17:22:03.0915 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys
2010/12/30 17:22:03.0962 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys
2010/12/30 17:22:04.0024 usbohci (38dbc7dd6cc5a72011f187425384388b) C:\Windows\system32\drivers\usbohci.sys
2010/12/30 17:22:04.0133 usbprint (b51e52acf758be00ef3a58ea452fe360) C:\Windows\system32\drivers\usbprint.sys
2010/12/30 17:22:04.0196 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
2010/12/30 17:22:04.0258 usbuhci (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys
2010/12/30 17:22:04.0289 vga (7d92be0028ecdedec74617009084b5ef) C:\Windows\system32\DRIVERS\vgapnp.sys
2010/12/30 17:22:04.0336 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
2010/12/30 17:22:04.0367 viaagp (045d9961e591cf0674a920b6ba3ba5cb) C:\Windows\system32\drivers\viaagp.sys
2010/12/30 17:22:04.0430 ViaC7 (56a4de5f02f2e88182b0981119b4dd98) C:\Windows\system32\drivers\viac7.sys
2010/12/30 17:22:04.0555 viaide (fd2e3175fcada350c7ab4521dca187ec) C:\Windows\system32\drivers\viaide.sys
2010/12/30 17:22:04.0633 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
2010/12/30 17:22:04.0711 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
2010/12/30 17:22:04.0789 volsnap (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys
2010/12/30 17:22:04.0851 vsmraid (d984439746d42b30fc65a4c3546c6829) C:\Windows\system32\drivers\vsmraid.sys
2010/12/30 17:22:04.0991 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
2010/12/30 17:22:05.0054 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2010/12/30 17:22:05.0085 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2010/12/30 17:22:05.0132 Wd (afc5ad65b991c1e205cf25cfdbf7a6f4) C:\Windows\system32\drivers\wd.sys
2010/12/30 17:22:05.0194 Wdf01000 (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys
2010/12/30 17:22:05.0350 WmiAcpi (701a9f884a294327e9141d73746ee279) C:\Windows\system32\drivers\wmiacpi.sys
2010/12/30 17:22:05.0506 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
2010/12/30 17:22:05.0615 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
2010/12/30 17:22:05.0725 yukonwlh (7d1f3b131d503ef43ee594b5a2b9b427) C:\Windows\system32\DRIVERS\yk60x86.sys
2010/12/30 17:22:05.0803 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/12/30 17:22:06.0661 ================================================================================
2010/12/30 17:22:06.0661 Scan finished
2010/12/30 17:22:06.0661 ================================================================================
2010/12/30 17:22:06.0676 Detected object count: 1
2010/12/30 17:22:24.0772 \HardDisk0 - will be cured after reboot
2010/12/30 17:22:24.0772 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2010/12/30 17:22:29.0827 Deinitialize success

#5 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:13 PM

Posted 30 December 2010 - 10:14 PM

Hi Mark :)

Go ahead and update if you can. :thumbup2: Could you please post a new DDS log so I can make sure everything is all right?

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#6 mphilbrick

mphilbrick
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:04:13 PM

Posted 30 December 2010 - 10:44 PM

Tea,

Here's the new DDS log. Have a post-TDSS GMER log as well if you need that. Have initiated Windows Update, it's moving (download 72% complete), which it absolutely would not do before we ran TDSSKiller. Will probably take a while, but I'll still be here at the functioning machine if you want to do something else in the interim.

tks,

Mark


DDS (Ver_10-12-05.01) - NTFSx86
Run by Cal Robotics at 19:17:42.44 on Thu 12/30/2010
Internet Explorer: 7.0.6002.18005
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.1021.237 [GMT -8:00]

AV: Symantec AntiVirus *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
SP: Symantec AntiVirus *enabled* (Updated) {6C85A515-B91D-4D2B-AF18-40984A4A8493}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Windows\system32\wuauclt.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\WUDFHost.exe
C:\downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Consumer&Br=GTW&Loc=ENG_US&Sys=PTB&M=CX210X
mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Consumer&Br=GTW&Loc=ENG_US&Sys=PTB&M=CX210X
uInternet Settings,ProxyOverride = *.local;<local>
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Consumer&Br=GTW&Loc=ENG_US&Sys=PTB&M=CX210X
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRunOnce: [Malwarebytes' Anti-Malware (registration)] regsvr32.exe /s "c:\program files\malwarebytes' anti-malware\mbamext.dll"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
mRunOnce: [InnoSetupRegFile.0000000001] "c:\windows\is-1JKNN.exe" /REG /REGSVRMODE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab

================= FIREFOX ===================

FF - ProfilePath - c:\users\calrob~1\appdata\roaming\mozilla\firefox\profiles\tw2gz495.default\
FF - prefs.js: browser.startup.homepage -
FF - prefs.js: network.proxy.type - 2
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npoji610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R2 MSSQL$QSRNVIVO8;SQL Server (QSRNVIVO8);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2009-5-27 29262680]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-12-29 102448]
R3 FinePnt;FinePoint Innovations HID Driver;c:\windows\system32\drivers\FpHidDrv.sys [2007-3-13 24736]
R3 MSTabBtn;Quanta Computer Tablet PC Buttons HID Driver;c:\windows\system32\drivers\mstabbtn.sys [2007-3-13 10368]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-12-4 135664]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-3-25 42368]
S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]

=============== Created Last 30 ================

2010-12-30 10:04:59 709456 ----a-w- c:\windows\is-1JKNN.exe
2010-12-07 00:42:03 6273872 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{d4ef979b-2680-4ace-a00a-ed8065c3f71e}\mpengine.dll
2010-12-07 00:35:05 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-12-05 09:21:44 -------- d-----w- c:\progra~2\STOPzilla!
2010-12-05 08:11:22 -------- d-----w- c:\users\calrob~1\appdata\roaming\Malwarebytes
2010-12-05 08:07:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-05 08:07:47 -------- d-----w- c:\progra~2\Malwarebytes
2010-12-05 08:07:43 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-05 08:07:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2010-11-14 23:08:53 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2010-11-14 23:08:26 82432 ----a-w- c:\windows\system32\axaltocm.dll
2010-10-19 19:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe

============= FINISH: 19:19:44.65 ===============

Attached Files



#7 mphilbrick

mphilbrick
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:04:13 PM

Posted 31 December 2010 - 12:37 AM

Tea,

Critical Windows Updates completed successfully. There's a little more out there in terms of possible updates, but this is most of it, and seemed a good checkpoint. I've included the standard DDS logs from immediately after the updates. Absent correction from you, my next step would be to upgrade Firefox to the most current version. However, that is not critically urgent, and I'd be totally happy to do whatever we need to in order to ensure that this machine is clean. I'm inclined to start another full scan using Symantec, including a Live Update, just to see, but would be totally happy to abort that if you recommend other courses of action. Please advise at your convenience.

Mark


DDS (Ver_10-12-05.01) - NTFSx86
Run by Cal Robotics at 21:15:24.68 on Thu 12/30/2010
Internet Explorer: 8.0.6001.18999
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.1021.197 [GMT -8:00]

AV: Symantec AntiVirus *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
SP: Symantec AntiVirus *enabled* (Updated) {6C85A515-B91D-4D2B-AF18-40984A4A8493}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Consumer&Br=GTW&Loc=ENG_US&Sys=PTB&M=CX210X
mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Consumer&Br=GTW&Loc=ENG_US&Sys=PTB&M=CX210X
uInternet Settings,ProxyOverride = *.local;<local>
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Consumer&Br=GTW&Loc=ENG_US&Sys=PTB&M=CX210X
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRunOnce: [Malwarebytes' Anti-Malware (registration)] regsvr32.exe /s "c:\program files\malwarebytes' anti-malware\mbamext.dll"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
mRunOnce: [InnoSetupRegFile.0000000001] "c:\windows\is-1JKNN.exe" /REG /REGSVRMODE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab

================= FIREFOX ===================

FF - ProfilePath - c:\users\calrob~1\appdata\roaming\mozilla\firefox\profiles\tw2gz495.default\
FF - prefs.js: browser.startup.homepage -
FF - prefs.js: network.proxy.type - 2
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npoji610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-12-29 102448]
R3 FinePnt;FinePoint Innovations HID Driver;c:\windows\system32\drivers\FpHidDrv.sys [2007-3-13 24736]
R3 MSTabBtn;Quanta Computer Tablet PC Buttons HID Driver;c:\windows\system32\drivers\mstabbtn.sys [2007-3-13 10368]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-3-25 42368]
S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]

=============== Created Last 30 ================

2010-12-31 05:06:27 -------- d-----w- c:\program files\Windows Portable Devices
2010-12-31 05:01:14 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2010-12-31 05:01:14 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2010-12-31 05:01:14 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2010-12-31 05:01:07 134144 ----a-w- c:\program files\windows portable devices\sqmapi.dll
2010-12-31 05:01:04 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2010-12-31 05:01:00 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2010-12-31 05:01:00 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2010-12-31 05:01:00 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2010-12-31 05:01:00 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2010-12-31 05:01:00 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2010-12-31 05:01:00 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2010-12-31 05:00:59 350208 ----a-w- c:\windows\system32\WPDSp.dll
2010-12-31 05:00:59 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2010-12-31 04:58:59 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2010-12-31 04:58:56 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2010-12-31 04:58:56 234496 ----a-w- c:\windows\system32\oleacc.dll
2010-12-31 04:21:22 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-12-31 04:21:22 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-12-31 04:21:22 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-12-31 04:21:22 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-12-31 04:21:22 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-12-31 04:04:31 7680 ----a-w- c:\program files\internet explorer\iecompat.dll
2010-12-31 04:01:44 72704 ----a-w- c:\windows\system32\admparse.dll
2010-12-31 03:53:11 2048 ----a-w- c:\windows\system32\tzres.dll
2010-12-31 03:51:48 168960 ----a-w- c:\program files\windows media player\wmplayer.exe
2010-12-31 03:51:47 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-12-31 03:51:12 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-12-31 03:51:10 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-12-31 03:51:10 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-12-31 03:47:55 3600768 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-12-31 03:47:53 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-31 03:46:37 317952 ----a-w- c:\windows\system32\MP4SDECD.DLL
2010-12-31 03:46:19 304128 ----a-w- c:\windows\system32\drivers\srv.sys
2010-12-31 03:46:19 17920 ----a-w- c:\windows\system32\netevent.dll
2010-12-31 03:46:19 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-12-31 03:46:19 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-12-31 03:46:19 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-12-31 03:45:41 502272 ----a-w- c:\windows\system32\usp10.dll
2010-12-31 03:45:26 231424 ----a-w- c:\windows\system32\msshsq.dll
2010-12-31 03:45:15 954752 ----a-w- c:\windows\system32\mfc40.dll
2010-12-31 03:45:14 954288 ----a-w- c:\windows\system32\mfc40u.dll
2010-12-31 03:45:10 67072 ----a-w- c:\windows\system32\asycfilt.dll
2010-12-31 03:44:41 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-12-31 03:44:32 10926592 ----a-w- c:\program files\movie maker\MOVIEMK.dll
2010-12-31 03:44:30 150016 ----a-w- c:\program files\movie maker\MOVIEMK.exe
2010-12-31 03:44:17 531968 ----a-w- c:\windows\system32\comctl32.dll
2010-12-31 03:44:09 867328 ----a-w- c:\windows\system32\wmpmde.dll
2010-12-31 03:44:03 1248768 ----a-w- c:\windows\system32\msxml3.dll
2010-12-31 03:43:55 157184 ----a-w- c:\windows\system32\t2embed.dll
2010-12-31 03:43:50 81920 ----a-w- c:\windows\system32\iccvid.dll
2010-12-31 03:43:43 36864 ----a-w- c:\windows\system32\rtutils.dll
2010-12-31 03:35:50 339968 ----a-w- c:\program files\windows nt\accessories\wordpad.exe
2010-12-31 03:35:49 1316864 ----a-w- c:\windows\system32\ole32.dll
2010-12-31 01:50:23 739328 ----a-w- c:\windows\system32\inetcomm.dll
2010-12-31 01:50:14 128000 ----a-w- c:\windows\system32\spoolsv.exe
2010-12-30 10:04:59 709456 ----a-w- c:\windows\is-1JKNN.exe
2010-12-07 00:42:03 6273872 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{d4ef979b-2680-4ace-a00a-ed8065c3f71e}\mpengine.dll
2010-12-07 00:35:05 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-12-05 09:21:44 -------- d-----w- c:\progra~2\STOPzilla!
2010-12-05 08:11:22 -------- d-----w- c:\users\calrob~1\appdata\roaming\Malwarebytes
2010-12-05 08:07:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-05 08:07:47 -------- d-----w- c:\progra~2\Malwarebytes
2010-12-05 08:07:43 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-05 08:07:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2010-11-14 23:08:53 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2010-11-14 23:08:26 82432 ----a-w- c:\windows\system32\axaltocm.dll
2010-11-04 18:56:07 345600 ----a-w- c:\windows\system32\wmicmiplugin.dll
2010-11-04 18:55:38 352768 ----a-w- c:\windows\system32\taskschd.dll
2010-11-04 18:55:38 270336 ----a-w- c:\windows\system32\taskcomp.dll
2010-11-04 18:55:12 601600 ----a-w- c:\windows\system32\schedsvc.dll
2010-11-04 16:34:06 171520 ----a-w- c:\windows\system32\taskeng.exe
2010-11-02 06:01:54 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-02 05:57:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-02 05:57:27 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-02 05:57:11 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-11-02 05:57:11 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-11-02 05:01:31 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 04:26:10 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-11-02 04:24:44 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-10-28 15:44:56 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-10-28 13:27:47 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-10-19 19:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-18 13:37:35 81920 ----a-w- c:\windows\system32\consent.exe
2010-10-18 13:31:24 2038272 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 21:19:35.44 ===============

Attached Files



#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:13 PM

Posted 31 December 2010 - 01:53 AM

Hello Mark :)

You can do all that, and add to it updating Adobe......old versions are vulnerable and yours is out of date.

Let me know how it goes. I do think if all that goes well then you're in the clear. :thumbup2:

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#9 mphilbrick

mphilbrick
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:04:13 PM

Posted 31 December 2010 - 01:57 AM

Tea,

Excellent. Running Symantec fullscan now. If no problems, will update Firefox, Acrobat, and then Thunderbird. Will post DDS logs when all of that is complete. Totally appreciate your help, and will make a donation when we are done.

tks,

m

p.s. delete kids (y)

#10 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:13 PM

Posted 31 December 2010 - 02:05 AM

You're most welcome. :) Post when you're ready.

p.s. delete kids (y)

hehehehehe......
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#11 mphilbrick

mphilbrick
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:04:13 PM

Posted 31 December 2010 - 05:07 PM

Tea,

All updates now complete, most recent logs posted per usual. Is there anything else we need to do?

Mark


DDS (Ver_10-12-05.01) - NTFSx86
Run by Cal Robotics at 13:58:28.18 on Fri 12/31/2010
Internet Explorer: 8.0.6001.18999
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.1021.268 [GMT -8:00]

AV: Symantec AntiVirus *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
SP: Symantec AntiVirus *enabled* (Updated) {6C85A515-B91D-4D2B-AF18-40984A4A8493}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Consumer&Br=GTW&Loc=ENG_US&Sys=PTB&M=CX210X
mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Consumer&Br=GTW&Loc=ENG_US&Sys=PTB&M=CX210X
uInternet Settings,ProxyOverride = *.local;<local>
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Consumer&Br=GTW&Loc=ENG_US&Sys=PTB&M=CX210X
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRunOnce: [Malwarebytes' Anti-Malware (registration)] regsvr32.exe /s "c:\program files\malwarebytes' anti-malware\mbamext.dll"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
mRunOnce: [InnoSetupRegFile.0000000001] "c:\windows\is-1JKNN.exe" /REG /REGSVRMODE
mRunOnce: [Uninstall Adobe Download Manager] "c:\program files\nos\bin\getPlusUninst_Adobe.exe" /Get1noarp
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab

================= FIREFOX ===================

FF - ProfilePath - c:\users\calrob~1\appdata\roaming\mozilla\firefox\profiles\tw2gz495.default\
FF - prefs.js: browser.startup.homepage -
FF - prefs.js: network.proxy.type - 2
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\users\cal robotics\appdata\roaming\mozilla\firefox\profiles\tw2gz495.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\users\calrob~1\appdata\roaming\mozilla\firefox\profiles\tw2gz495.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: Adobe DLM (powered by getPlus®): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - c:\users\calrob~1\appdata\roaming\mozilla\firefox\profiles\tw2gz495.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-12-29 102448]
R3 FinePnt;FinePoint Innovations HID Driver;c:\windows\system32\drivers\FpHidDrv.sys [2007-3-13 24736]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-3-25 42368]
R3 MSTabBtn;Quanta Computer Tablet PC Buttons HID Driver;c:\windows\system32\drivers\mstabbtn.sys [2007-3-13 10368]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]
S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]

=============== Created Last 30 ================

2010-12-31 21:40:34 6273872 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2010-12-31 21:39:28 6273872 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{10714b34-8109-4f05-b182-e74358bc091a}\mpengine.dll
2010-12-31 20:58:01 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-12-31 07:34:18 -------- d-----w- c:\progra~2\McAfee Security Scan
2010-12-31 07:34:14 -------- d-----w- c:\program files\McAfee Security Scan
2010-12-31 07:29:03 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
2010-12-31 07:29:03 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
2010-12-31 05:06:27 -------- d-----w- c:\program files\Windows Portable Devices
2010-12-31 05:01:14 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2010-12-31 05:01:14 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2010-12-31 05:01:14 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2010-12-31 05:01:07 134144 ----a-w- c:\program files\windows portable devices\sqmapi.dll
2010-12-31 05:01:04 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2010-12-31 05:01:00 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2010-12-31 05:01:00 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2010-12-31 05:01:00 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2010-12-31 05:01:00 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2010-12-31 05:01:00 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2010-12-31 05:01:00 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2010-12-31 05:00:59 350208 ----a-w- c:\windows\system32\WPDSp.dll
2010-12-31 05:00:59 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2010-12-31 04:58:59 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2010-12-31 04:58:56 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2010-12-31 04:58:56 234496 ----a-w- c:\windows\system32\oleacc.dll
2010-12-31 04:21:22 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-12-31 04:21:22 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-12-31 04:21:22 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-12-31 04:21:22 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-12-31 04:21:22 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-12-31 04:04:31 7680 ----a-w- c:\program files\internet explorer\iecompat.dll
2010-12-31 04:01:44 72704 ----a-w- c:\windows\system32\admparse.dll
2010-12-31 03:53:11 2048 ----a-w- c:\windows\system32\tzres.dll
2010-12-31 03:51:48 168960 ----a-w- c:\program files\windows media player\wmplayer.exe
2010-12-31 03:51:47 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-12-31 03:51:12 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-12-31 03:51:10 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-12-31 03:51:10 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-12-31 03:47:55 3600768 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-12-31 03:47:53 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-31 03:46:37 317952 ----a-w- c:\windows\system32\MP4SDECD.DLL
2010-12-31 03:46:19 304128 ----a-w- c:\windows\system32\drivers\srv.sys
2010-12-31 03:46:19 17920 ----a-w- c:\windows\system32\netevent.dll
2010-12-31 03:46:19 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-12-31 03:46:19 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-12-31 03:46:19 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-12-31 03:45:41 502272 ----a-w- c:\windows\system32\usp10.dll
2010-12-31 03:45:26 231424 ----a-w- c:\windows\system32\msshsq.dll
2010-12-31 03:45:15 954752 ----a-w- c:\windows\system32\mfc40.dll
2010-12-31 03:45:14 954288 ----a-w- c:\windows\system32\mfc40u.dll
2010-12-31 03:45:10 67072 ----a-w- c:\windows\system32\asycfilt.dll
2010-12-31 03:44:41 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-12-31 03:44:32 10926592 ----a-w- c:\program files\movie maker\MOVIEMK.dll
2010-12-31 03:44:30 150016 ----a-w- c:\program files\movie maker\MOVIEMK.exe
2010-12-31 03:44:17 531968 ----a-w- c:\windows\system32\comctl32.dll
2010-12-31 03:44:09 867328 ----a-w- c:\windows\system32\wmpmde.dll
2010-12-31 03:44:03 1248768 ----a-w- c:\windows\system32\msxml3.dll
2010-12-31 03:43:55 157184 ----a-w- c:\windows\system32\t2embed.dll
2010-12-31 03:43:50 81920 ----a-w- c:\windows\system32\iccvid.dll
2010-12-31 03:43:43 36864 ----a-w- c:\windows\system32\rtutils.dll
2010-12-31 03:35:50 339968 ----a-w- c:\program files\windows nt\accessories\wordpad.exe
2010-12-31 03:35:49 1316864 ----a-w- c:\windows\system32\ole32.dll
2010-12-31 01:50:23 739328 ----a-w- c:\windows\system32\inetcomm.dll
2010-12-31 01:50:14 128000 ----a-w- c:\windows\system32\spoolsv.exe
2010-12-30 10:04:59 709456 ----a-w- c:\windows\is-1JKNN.exe
2010-12-07 00:35:05 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-12-05 09:21:44 -------- d-----w- c:\progra~2\STOPzilla!
2010-12-05 08:11:22 -------- d-----w- c:\users\calrob~1\appdata\roaming\Malwarebytes
2010-12-05 08:07:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-05 08:07:47 -------- d-----w- c:\progra~2\Malwarebytes
2010-12-05 08:07:43 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-05 08:07:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2010-11-14 23:08:53 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2010-11-14 23:08:26 82432 ----a-w- c:\windows\system32\axaltocm.dll
2010-11-04 18:56:07 345600 ----a-w- c:\windows\system32\wmicmiplugin.dll
2010-11-04 18:55:38 352768 ----a-w- c:\windows\system32\taskschd.dll
2010-11-04 18:55:38 270336 ----a-w- c:\windows\system32\taskcomp.dll
2010-11-04 18:55:12 601600 ----a-w- c:\windows\system32\schedsvc.dll
2010-11-04 16:34:06 171520 ----a-w- c:\windows\system32\taskeng.exe
2010-11-02 06:01:54 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-02 05:57:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-02 05:57:27 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-02 05:57:11 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-11-02 05:57:11 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-11-02 05:01:31 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 04:26:10 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-11-02 04:24:44 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-10-28 15:44:56 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-10-28 13:27:47 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-10-19 20:51:33 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-18 13:37:35 81920 ----a-w- c:\windows\system32\consent.exe
2010-10-18 13:31:24 2038272 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 14:01:02.40 ===============

Attached Files



#12 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:13 PM

Posted 31 December 2010 - 08:31 PM

Ho there,

Do you know what this file is? c:\windows\is-1JKNN.exeI'm not finding anything on it.

Only thing left that I can see is minor.....I see bits of McAfee, and I know you're running Norton. Might want to get rid of the leftover bits of McAfee just to tidy up. :)

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#13 mphilbrick

mphilbrick
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:04:13 PM

Posted 31 December 2010 - 08:51 PM

Tea,

The associated .lst file for is-1JKNN.exe shows that it was output by MBAM, so I assume it's ok. Got rid of McAfee, not sure what it was doing on this machine. Thanks again, and Happy New Year. You should have already received notice of my donation.

Mark

#14 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:13 PM

Posted 31 December 2010 - 08:52 PM

I did, thank you. :inlove:

Take care then,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#15 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:13 PM

Posted 03 January 2011 - 02:31 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users